Massive Mirai Botnet Hides Its Control Servers On Tor (bleepingcomputer.com)
"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: Level3 and others have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom. The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.
Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.
Something satisfying about that.
They just have to block Tor traffic.
The IOT is a buzzword. There are many devices compromised by this hack that really do belong on the internet, albeit with additional security. Cameras, routers, etc... this is not only a virus of light bulbs.
Additionally, having command and control servers hiding on TOR is likely a vector to be taken by future bot-nets.
So you want to also ban internet connected DVRs and cameras as well? Good luck....
"Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.
Once you find the .onion address, DDOS it.
Of course, that would
* be illegal, unless of course you are the law or have the blessings of the law
* hurt the Tor network itself, which in the short term does more harm than good
This kind of thing should be punishable by death. No, I'm not kidding. Death, or 20 years with no chance of parole.
When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.
And worse yet, these things will only get more powerful...how long until the US is seriously plagued by one or more of them fucking up the economy, crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?
Most of you reading this would lose your jobs if the net was crippled for a month or two by one of these fucking botnets, and what happens when 5 or 10 of 50 players, some funded at the state level, all get involved?
Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?
Just cruising through this digital world at 33 1/3 rpm...
So we ban routers? After all a big chunk of that botnet consisted of hacked DT routers, and those are "things" too. Instead of outlawing the IoT, we should refrain from casually using the term IoT. To some it means sensor networks, to some it means autonomous machine to machine interactions, to some it means connected smart home devices like toasters, light bulbs and IP cameras, but others would exclude the cameras from that list.
So when another bone-shatteringly ignorant reporter mentions "botnet of IoT devices", smack him around the head with a large trout until he mentions which devices were actually compromised. Types and brands of devices, devices running a certain kind of OS or firmware, or using a specific IoT platform / board / chip. And if you tell us that the IoT is a stupid idea, please enlighten us and let us know which "things" should be kept off the internet.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
You didn't even read the blurb, did you? 900,000 routers. Should we ban routers now?
We already have IPv6 which is incompatible with the real internet. Just outlaw dual stack.
It's time for consumer firewalls to be "block all by default" in all directions, not just WAN-to-LAN.
If you want to allow your thermostat to talk to a specific external host then punch a very narrow hole in the firewall to allow it.
Heck, I would go so far as to put everything on the LAN side in its own DMZ. If you want your PC to talk to your media player, punch a specific hole in the firewall.
This will require industry cooperation:
* Protocols will have to be developed so "punching holes in firewalls" becomes super-easy for the consumer
* ISPs will have to start telling customers "if bad things come out of your network, we WILL cut you off. If you use one of these new routers, it's much less likely that bad things will come out of your network."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
*yawn* It's Hockey Night In Canada!
Force all their internet through a proxy that routes everything to goatse for the next 20 years to life.
I can almost hear them screaming:
"My eyes, they burn, kill me now, please kill me now."
Not a problem. They don't stop people from breaking into your house, or committing crimes, so they just give a false sense of security.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Why not ban crappy routers? It gets p0wned, it gets fried. Spend more on a better one next time.
You didn't even read the blurb, did you? 900,000 routers. Should we ban routers now?
Absolutely yes. Any router that is easily p0wned should be banned. How could you be against that?
Result? Among others the DMCA. Various individuals were sued into bankruptcy by the music industry, just to show people what the risks were (remember single mother Jammie Thomas? See: https://en.wikipedia.org/wiki/...). Some were driven to suicide (see https://en.wikipedia.org/wiki/...).
What shouty nerds tend to forget is that (like it or not) they are part of a society that can (and does) set certain limits on their behaviour. Which can be enforced. With or without their consent.
Tor routers can be a force for the good (avoiding censorship, protecting human rights activists, protecting investigative journalists) but they really _can_ be eradicated, given sufficient incentive.
Just outlaw the servers, force ISPs to scan all Internet traffic for TOR servers, log any connections and isolate / report them as soon as they're detected. Send a SWAT team to visit anyone who connects to a TOR server to seize their computers pending investigation. Set penalties sufficiently high to pay for all that and publicly sue a few tens of offenders into bankruptcy.
Should cow 99% of all TOR users, right? The 1% who aren't cowed are probably up to no good anyway.
A bit like China. Not pretty, and people won't like it, but it really can be enforced.
The detection and tracking part is already in place. Just consider the raft of deep-packet inspection routers that has been installed already (see https://en.wikipedia.org/wiki/... ).
I'm not saying I'd like to see something like that (I wouldn't). All I'm saying is that stupid and venal abusers like this a**hole botnet operator make it that much more likely that something like that will occur. Whether we realise it or not. To the detriment of us all.
The "Internet of Things" was a stupid idea, so why not just ban it once and for all?
Overall, I think the idea is sound, although the lighting example you gave is a silly consequence of marketing gone awry.
A good example of IoT would be if your household appliances worked in concert with the Electric Company so power generation could match expected usage and the consumer could operate their devices when power was cheapest.
Unfortunately, the implementation of these devices so far has been horribly botched. Anything network-facing should be built with security in mind first, and functionality to follow. That's not what happens. Marketing sells features, not bugs, so what gets implemented is the bare minimum functionality that was sold, and security be damned.
It's "pwned," you idiot! You sound like a damn fool when you say it wrong.
Beware of the Leopard.
Why not ban crappy routers?
Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.
Hold the producers liable for such sloppy security programming. The reasoning isn't that different from building regulations: bad construction can cause serious harm to others.
There are lots of ways to violate code. Yet somehow the construction business doesn't look like North Korea, and somehow the code doesn't say that there should be NSA bugs in every interior wall in a house.
So, any site that handles email without a "postmaster" or which has a "do-not-reply" address should be booted off the Internet?
The network itself may have a pretty good track record of never totally falling over, but there is no guarantee at any given moment that there will be connectivity where you are, right now. Networks and entire countries can be cut off, and an emergency responder had best assume in a SHTF scenario that data service will be intermittent to completely unavailable. What happened to the radios in the cars? Those won't just stop working (unless it's an EMP attack, but what good is a network connection if all your gear is bricked?) and were the state of the art not that long ago. If they don't want to maintain a radio network in addition to the Internet-reliant communications, then they're going to have to pass out handhelds when it happens. If they aren't keeping any backup plan in place at all, they're complete idiots because this doesn't require buying more gear, it just means maintaining the gear they owned before. (Or someone higher up forced them to do so, for self-serving and/or malicious purposes.)
The internet being unavailable should not be a life-threatening emergency, except possibly to the degree that hospitals will be unable to access patient files who are there for treatment after whatever actually went wrong that day. Even that could be avoided if hospitals all had to mirror the host every so often, but any /. reader will know how incompetent healthcare IT has proven to be.
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
We already have time-of-day electrical pricing to shift demand, without needing any IoT crap, and it works just fine.
And you look like a damn fool for not knowing the original spelling way back when. Bite me.
The various government levels do in fact decide what consumers get. Or would you rather not have standards for manufacturing and operating airplanes, cars, trains, drinking water systems, food safety, etc? That's 3rd world, not America.
Same thing with consumer protection laws, other laws, the courts, etc. Or would you rather your local 3rd-world warlord dictate the law according to their whim?
BTW - the FCC already dictates router specs.
You still need to remove the routers from the network, the sooner the better. It can take years for a lawsuit involving bad construction to work its way through the courts.
Decades ago some cities had houses with 2 electric meters.
One fed the hot water heater (the kind with a tank) but the power company would turn off the electricity for, say, 15 minutes at a time on a "rolling" basis during peak usage. In exchange, the "hot water heater" electricity rate was lower than the regular rate.
Since hot water stays hot for a long time, you wouldn't notice it unless everyone in your house was taking a long shower at the same time the power was cut.
Oh, and since this was decades ago, it was in a time when the power grid was managed almost completely by "analog" devices, including "analog computers."
One of my jobs in the past, was crisis potential utilization.
we didn't generate a crisis. But we noted where potential problems existed, then take actions 3 steps removed to influence other pieces to get closer. Say you find a mop closet storing petrol, ether etc. having people work there who are inclined to be lazy & not be thorough or safe is a good start. having it appear as a convenient spot to smoke is a good next step. Whatever happens next, the only real job is to clean up the situation, discredit all people close to the event, then institute sweeping changes, programs, new groups to deal w/ problems.
for the TL; DR; crowd, don't worry about it, everything is fine go back to your food trough & watch more cat videos.
for the rest of us, the title says it all. This will be the opening gambit in a new war. Not the watershed moment, but a very good one for historians to hang their hats on.
Why not ban crappy routers?
Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.
I already have a Nightly Snoring Asshole in my bedroom...
Silence is a state of mime.
It'll potentially help to identify weaknesses in Tor whereas previously it was government contractors doing the code review and keeping its security vulnerabilities to itself. If we have the private security entities that target malware doing the review we have a better chance of finding out about a vulnerability in Tor that may not have otherwise been exposed publicly.
It's illogical to try and shut down Tor. The problem is not Tor. It's crappy security on IoT devices and computers. Anonymity networks are already designed to hide so outlawing them doesn't stop them from existing. At best it just becomes a cat and mouse game with the anonymity networks getting better and better.
We do need to keep funding projects like Tor, i2p, and Freenet. We also need to come up with appliances and use cases for wider adoption. If only the 'bad guys' use Tor then it's easy to pick out the activists, governmental adversaries, and persons being persecuted by governments for which Tor is primarily intended. I know people don't like the fact people run file sharing software over Tor or any number of other things. However the argument for it is simple. If we don't do these things then those who need these tools can more easily be identified and targeted. If a Tor user is more likely to be some innocuous user than a person the government is after that government is going to bear less fruit by targeting Tor users.
1) No botnet actually hijacked 900k CPEs of DT, at the moment there are roughly between 10k-40k zyxel ones across the world. The outages were caused by the increased 7547 scan traffic crashing routers of other vendors.
2) Zyxel SOAP RCE probes died down rapidly past 2 weeks. There is still some traffic (wget vizxv.pw/a if you're curious, note that you need actual wget user-agent), but the botnet is relatively small at this point.
3) As for general IoT botnets using telnet, running a simple cowrie honeypot will tell you that C&C method of current largest botnet is not Tor based, but bittorrent DHT based. The codebase appears to be unrelated to mirai, too.
All of the above can be fact checked using pretty simple tools - for TR-069 exploit simply listen with netcat, for telnet/ssh bruteforce use cowrie. Botnet size can be gauged accurately by sampling scan probes (mirai codebase sends 160 probes/s).
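The size estimate described in the comment above, worked through as an added example that is not part of the original post: probes seen on a passive sensor range are scaled by the 160 probes/s per-bot rate the commenter quotes. The log format, the 10.20.0.0/16 sensor range, the function names and the uniform-random-target assumption are all assumptions made here.

```python
import ipaddress
import math
from collections import Counter
from datetime import datetime

PROBES_PER_BOT_PER_SEC = 160   # per-bot scan rate quoted in the comment above
SCAN_PORTS = {23, 2323, 7547}  # telnet brute force and the TR-069 port named above
IPV4_SPACE = 2 ** 32           # assumption: targets are drawn uniformly from all of IPv4

# Constructed sensor log, one inbound SYN per line: "timestamp src dst dport".
# Sources are documentation ranges; none of this is real observation data.
SAMPLE_LOG = """\
2016-12-15T10:00:00 198.51.100.7 10.20.3.14 23
2016-12-15T10:00:00 203.0.113.9 10.20.77.1 7547
2016-12-15T10:00:01 198.51.100.7 10.20.200.5 2323
2016-12-15T10:00:01 192.0.2.44 10.20.9.9 23
2016-12-15T10:00:02 192.0.2.80 10.20.1.1 443
2016-12-15T10:00:02 203.0.113.200 10.20.45.45 7547
2016-12-15T10:00:02 not-a-valid-line
2016-12-15T10:00:03 192.0.2.45 10.20.0.2 23
2016-12-15T10:00:03 198.51.100.99 10.20.8.8 23
2016-12-15T10:00:03 203.0.113.9 192.168.1.1 23
2016-12-15T10:00:03 192.0.2.46 10.20.255.1 7547
"""
SENSOR_NET = "10.20.0.0/16"                      # hypothetical sensor range
WINDOW_START = datetime(2016, 12, 15, 10, 0, 0)  # capture window is [start, end)
WINDOW_END = datetime(2016, 12, 15, 10, 0, 4)


def parse_probes(log_text, sensor_net, start, end):
    """Return (src, dport) for scan-port SYNs that hit the sensor range in the window."""
    net = ipaddress.ip_network(sensor_net)
    probes = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        try:
            ts = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            port = int(parts[3])
        except ValueError:
            continue
        if start <= ts < end and dst in net and port in SCAN_PORTS:
            probes.append((src, port))
    return probes


def estimate_botnet_size(probe_count, sensor_addrs, window_s,
                         rate=PROBES_PER_BOT_PER_SEC):
    """Point estimate and rough 95% interval for the number of scanning bots.

    One bot is expected to hit the sensor rate * window_s * sensor_addrs / 2**32
    times, so bots ~= observed probes / that expectation.
    """
    if sensor_addrs <= 0 or window_s <= 0 or rate <= 0:
        raise ValueError("sensor size, window and rate must be positive")
    hits_per_bot = rate * window_s * sensor_addrs / IPV4_SPACE
    spread = 1.96 * math.sqrt(probe_count)  # Poisson counting error, normal approx.
    low = max(0.0, probe_count - spread) / hits_per_bot
    high = (probe_count + spread) / hits_per_bot
    return probe_count / hits_per_bot, low, high


def analyse(log_text=SAMPLE_LOG, sensor_net=SENSOR_NET,
            start=WINDOW_START, end=WINDOW_END):
    """Summarise the probes seen and the botnet size they imply."""
    probes = parse_probes(log_text, sensor_net, start, end)
    sensor_addrs = ipaddress.ip_network(sensor_net).num_addresses
    estimate, low, high = estimate_botnet_size(
        len(probes), sensor_addrs, (end - start).total_seconds())
    return {
        "probes": len(probes),
        "by_port": dict(Counter(port for _, port in probes)),
        # Distinct sources seen: a floor on the bot count, independent of the rate.
        "unique_sources": len({src for src, _ in probes}),
        "estimate": estimate,
        "low": low,
        "high": high,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

With only eight probes in four seconds the interval is very wide; a real sensor would count over hours before the estimate tightens.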
No. The internet is not crucial to life and health. And if someone makes it so, then *they* should be put to death. Srsly. 20 years after the internet becomes mainstream and suddenly you want people put to death over it? Give me a break. If it's come to this then we need to cut our dependence.
Go fuck yourself, both of you are dipshits.
Think of all the US jobs that could be created in making CCTV, toasters, ovens, refrigerators, cars, outdoor and sports equipment that needs to connect to a cloud, local subscription services or needs ongoing support fees.
That's trendy new inner city "internet" jobs in the USA supporting US device and products.
It's not the fault of the small US start ups teams trying to get their products and rental services online.
To fix the IoT networks just get the vast majority of AV brands to test local networks and every device on it, modem and everything behind it.
If the device responds to admin, pass or password or some other weak junk US consumer grade crypto then the AV software should tell the user every scan.
The user can then alter the default password to something stronger or ask the brand for support or an upgrade.
AV brands could then keep lists of devices and good brands that are secure or that will always report back weak junk settings.
Domestic spying is now "Benign Information Gathering"
Time of day pricing shifts demand. The IoT portion is what allows us to shift use. I can't run home from the office at 3pm to start the clothes dryer because power suddenly gets cheap. But it could start itself based on current prices. Historically our use shifting was crude. Middle of the night was cheaper so just put stuff on a delay. But with the advent of renewables the curve is much more complicated.
It's "pwned," you idiot! You sound like a damn fool when you say it wrong.
Guess the GP didn't drink his Pwn Tang this morning.
This space unintentionally left blank.
Sorry. Should have been her, not his. Didn't catch the error in time.
I guess that was GP's point:
A good example of IoT would be if your household appliances worked in concert with the Electric Company so power generation could match expected usage
So the appliances you mention might be able to respond to "please conserve at these times" messages from the power company.
Or if the washing machine is programmed to run at 4-7am, it can let them know.
My fridge stays cool for a looong time without power, a few hours off is no problem. Unless you want some instant icecube dispenser to work or something.
But if it "knows" in advance when it should conserve power, before that it can run extra cool to bridge the gap, or say "no" to the network.
Perhaps it can make things easier for the power company to deal with supply/demand differences, reducing the need for batteries/fossil to augment renewables.
(PS: not saying all this is a good idea, that's another discussion)
No, they don't. The FCC provides rules for operation and emissions, but nothing about specs.
You truly are one dumb mother fucking troll with one bad idea after another.
You think quality and/or security is correlated with price. Seriously, you are a fucking troll and your Internet access should be limited and supervised.
Modern America just isn't so hot. Lots of **lead paint etcetc**. Norway is not - no lead paint cause lots of things are banned ! And the Norwegian woman are smarter & better fucks and the salmon run harder faster longer. It's the law !
LOL Norwegian farmed salmon is toxic, google it. IT is being banned ;)
Why not ban crappy routers?
Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.
How about enumerating the simple spec criteria that if the device is ever found malfunctioning in a way that is materially damaging someone else's network, and the device manufacturer is unable or unwilling to fix the problem, the device owners shall be entitled to the development materials needed to fix the problem themselves presuming they have an ordinary CS/whatever education and the willingness to invest the necessary time and effort. I know that is a pipe dream, but I actually think it would accomplish the goal.
"Any router that is easily p0wned should be banned."
This isn't necessarily known until the vulnerability is found, are routers to be banned on the basis of whether they have the latest firmware update? If you ban a router that doesn't have the latest firmware update then it's potentially much harder to then download the firmware update.
What would an ISP do, disconnect all of its customers the moment a vulnerability is found in their routers? Doesn't seem like a good idea to me.
If the vulnerability is in an IOT-device then how does the user know when said device is banned, are they supposed to check a register of thousands of banned devices every day?
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
Maybe the guy will turn some of those hacked devices into TOR nodes and actually do some good for the world.
The "internet of Things" was a stupid idea, so why not just ban it once and for all?
What makes you say that?
Or create a separate internet just for people who want such stupidity as turning on their lights without getting off the couch.
Oh right. Ignorance made you say that.
The world would be a better place either way.
False. Maybe look at what IoT actually is in the grand scheme of things instead of just assuming it's your internet connected kettle and shitty lights that change colour before you talk about banning something.
We already have time-of-day electrical pricing to shift demand, without needing any IoT crap, and it works just fine.
Er no. No it doesn't. It barely works. Fine is not a metric anyone in the energy providing industry would use right now.
That sounds more like isolating them rather than banning them (maybe you mean ban as in "banned from a discussion board" rather than "banned from sales"). That would be fine.
The other day I got a notification from the domain registrar that also hosts email for my domain: "Account X on your domain has been used to send loads of spam through our SMTP server, so we are suspending your access to that server until you resolve the problem". Bad news, but good that they actually monitor this server and notify owners of compromised accounts. Turns out one account was using a rather weak password; I changed it and was back in business. I would be ok with ISPs doing something similar, cutting off (or severely limiting outbound traffic of) known compromised subscribers.
What I would really like to see is a good, very restrictive but easy to configure firewall for home use.
Back in the days of dial up modems for access an ISP would be very proactive about spammers or people causing trouble. When I first started my ISP if I could track spam from my mail server to your PC I would cut your service (deny your login) until you called tech support and you downloaded a free virus scanner to remove it.
But nowadays ISPs are just lazy, or don't enforce their own TOS even though most include some sort of written policy against spamming.
We, via the ISPs, have made it clear that we will tolerate garbage on the network as long as things 'generally' work.
Having an enterprise-level 'scan' of hardware, a PROACTIVE ISP that cuts your service until the issue is remediated and kicking off ISPs at peering points that don't comply is the only way to sanitize the network.
Haha, does that guy seem like the sort of guy who would eat a farmed salmon? And if you are eating farmed salmon, you need to stop, but it sounds like you got that memo.
This just keeps getting better :D Giggidy!
let us know which "things" should be kept off the internet.
To prevent Mirai, things with default passwords. Any (accessible) Linux device with a common user/password will be infected within minutes of being connected to the Internet.
Time to come up out of the basement and have your milk and cookie - it's nearly bedtime, don't make momma angry.
If you could fuck off trying to shove the "market" into commodities, that would be swell. I don't WANT a "best price" for power, because that inevitably means I either pay too much or its quality drops so low that I better build my own power plant.
Capitalism is a failure.
That's not exactly right.
The public decides who they trust to make the decision for who makes decisions who make decisions for them. Then you get America.
America is a republic with democratically elected officials.
Just to note, pure democracy has largely been recognised universally as unworkable.
At the end of the day it's about a balance, not black and white. Extreme left and extreme right are both extremists.
The "internet of Things" was a stupid idea, so why not just ban it once and for all? Or create a separate internet just for people who want such stupidity as turning on their lights without getting off the couch. The world would be a better place either way.
When I was a kid in the 1960's, we had this extraordinary AI system to turn off the lights: You didn't have to say a word, or press a button, you simply clapped your hands, and the lights magically turned off! Clap again, and the lights came back on! For the life of me, I canna recall the name of this Star Trek-like product.
But, then, why should the government ban "something" if all things are created equally. Lead is a good wood preservative in most applications, just you should not eat or drink it. It's antibacterial, antiviral, and paintable. Does that mean no painted toothpicks? For kids?
See subject - Blocking communication w/ its C&C servers:
* BOTNET NO LONGER USES DGA THOUGH
"the DGA feature had been removed" FROM https://www.bleepingcomputer.com/news/security/security-firms-almost-brought-down-massive-mirai-botnet/
(TOR DOMAINS != LISTED BUT CAN BE BLOCKED ONCE DETERMINED)
APK
P.S.=> For the best custom hosts file creator? APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ ... apk
Let's look at one example - remote managing of a tank farm. It's been proven that all you need to do to take the complex over is a device plugged into the local network. Since there's nobody around to see suspicious activity (and don't start with the whole IP TV cameras bs - even if you saw someone doing something, the response time would be a lot longer than someone on site, so inherently not a deterrent.) So, take control of one of the pumps, fill up a tanker, disconnect and drive off. All the remote location would see is that one pump is down, schedule a maintenance call.
It's the same with home monitoring systems. You know that if you break in you have a delay during which the owner is supposed to enter a code, and only then is an alert sent to the monitoring station, who then has to call the home to verify that it wasn't a false alarm before calling the police (municipalities got fed up with responding to false alarms, so big fines, disconnects, and refusals to respond to ANY call from the monitoring company ensured compliance). So you have a couple of minutes before the cops are notified. There are videos of people stealing the whole camera setup, including the dvr connected to the internet. Even a dog is a better deterrent, because the cops take time to get there once the local monitoring company calls them, and it's not a high-priority call because the cops know that the thieves will be gone by the time they get there, and no lives are in danger. In two minutes, they've got your big screen tv removed from the wall mount and they're gone, leaving behind a damaged door and wall. With a dog, you're more likely to still have your tv, your door and wall.
Nothing replaces a set of ears and eyeballs on the ground. Plus, a human can call the police directly, and the cops will respond quicker, not only because of the lack of time wasted by the monitoring company, but because there's a person potentially at risk.
Just ask the London police how ineffective their CCTV cameras and 2-way speakers are in stopping a crime in progress.
Well, maybe you don't have electrical meters that allow for it, and offer it as a customer option, like we do here. A reduced rate all summer and whenever the outside temperature is above -12C, and a (much) higher rate when the outside temperature goes below -12C. People shift doing their laundry (hot water, electric dryer) to take advantage of off-peak rates. After all, who wants to pay double or more when they can delay it until the daytime when it gets warm enough for the rate to go down?
By the same token, people lower the heat at night because it saves $$$ if you're on the dual-energy rate plan. Maybe you just need to get to where we were 2-3 decades ago.
If the product is known to have more holes than a slice of swiss cheese, why not an outright ban? Once manufacturers learn the hard way that customers are going to avoid their crappier products and demand refunds, they'll either get out of the business or fix the problems in future products. Either way, problem solved.
That's supposed to be how the invisible hand of the market is supposed to work.
You clapped your hands, which is why it was called "The Clapper." :-)
These entries in your custom hosts file also block more MIRAI botnet C&C servers (+ other communications parts):
* FROM - https://securelist.com/blog/incidents/76791/new-wave-of-mirai-attacking-home-routers/
APK
P.S.=> That's in addition to my original post's list of C&C servers MIRAI botnet utilizes here https://it.slashdot.org/comments.pl?sid=10009063&cid=53507971/ ... apk
I have them determined & blocked in my custom hosts file for ZEUS variants just as I have blocked MIRAI's current crop of C&C servers hardcoded + other networked systems it uses here https://it.slashdot.org/comments.pl?sid=10009063&cid=53507971/ & here https://it.slashdot.org/comments.pl?sid=10009063&cid=53508081/ so I am awaiting the .onion TOR domains to block once they're determined - as is, I've got this thing corralled & nullified via hosts files usage.
APK
P.S.=> Use of .onion by this "bestbuy" GOOF (anyone doing botnet crap's an a-hole imo) isn't what he says it is quoted "Try to shut down .onion 'domains' over Tor," BestBuy boasted FROM https://www.bleepingcomputer.com/news/security/security-firms-almost-brought-down-massive-mirai-botnet// BECAUSE YOU'RE CORRECT & THOSE .onion DOMAINS GET REVEALED JUST LIKE ANY OTHER C&C + OTHER NETWORKED PARTS ALWAYS DO - hosts block them easily! apk
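Added example, not part of the thread or any poster's code: a check of DNS query logs against the six domains listed in the hosts entries above. It also flags subdomains of those names, which a hosts file does not cover because hosts entries match whole names only, and .onion names that reach DNS, which RFC 7686 says should not happen. The log format, client addresses and sample lines are constructed assumptions.

```python
# Domains copied from the hosts entries quoted in the post above.
BLOCKED = {
    "timeserver.host", "securityupdates.us", "srrys.pw",
    "l.ocalhost.host", "tr069.pw", "mziep.pw",
}

def normalize(name):
    """Lower-case a query name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def classify(qname, blocked=BLOCKED):
    """Return 'exact', 'subdomain', 'onion-leak' or None for one query name."""
    name = normalize(qname)
    if name in blocked:
        return "exact"          # a hosts-file entry covers this name
    labels = name.split(".")
    # Walk parent domains: a.b.tr069.pw -> b.tr069.pw -> tr069.pw
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in blocked:
            return "subdomain"  # hosts files have no wildcards, so this resolves
    if labels[-1] == "onion":
        return "onion-leak"     # .onion names are not meant to reach DNS
    return None

def scan(log_lines):
    """Parse 'timestamp client qname qtype' lines (assumed format)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue            # skip malformed lines
        _, client, qname, _ = parts[:4]
        verdict = classify(qname)
        if verdict:
            hits.append((client, normalize(qname), verdict))
    return hits

SAMPLE_LOG = [  # constructed sample lines
    "2016-12-18T09:00:01Z 192.168.1.20 tr069.pw. A",
    "2016-12-18T09:00:02Z 192.168.1.20 ntp.timeserver.host A",
    "2016-12-18T09:00:03Z 192.168.1.31 example.org A",
    "2016-12-18T09:00:04Z 192.168.1.44 abcdefghij234567.onion A",
    "garbage",
    "2016-12-18T09:00:05Z 192.168.1.31 nottr069.pw A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```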
Even better? How about Pwn Tang provided in their own tea bags? The ultimate gamer geek victory drink. :D
(And yes, I am aware I am totally murdering the rules of sentence structure and punctuation this morning. But as we say in the Duchy of Don't Give a Shit though; at least when we are posting first thing in our waking day while still working on that first cup of coffee, "Frankly my dears, I don't give a shit.") ;)
This space unintentionally left blank.
Please get at least basic facts right in stories: It crashed these routers, but it did not get in, as the vulnerability exploited was not present. A DoS vulnerability remained unfortunately, and the port the service was running on was globally reachable. Bad, but not nearly as bad as being vulnerable to "hijacking".
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Indeed. Tor is not the problem here. Anybody running a bot-net can already implement command-insertion in such a way that a command can be sent to any member-node and then gets distributed. That is basically untraceable if cover-traffic is also added. It takes a tiny bit more effort in implementing this though.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Simply requires the cooperation of all ISPs. Law enforcement and spies have fought tooth and nail to maintain their right to collect "meta data". Nothing is more meta than identifying which two parties are talking to each other.
No matter what kind of encryption is used, you can characterize streams by various types of signature. Second, ISPs could be compelled to implement IP packet tracking at the protocol level to pad something like a serial number to every stream but strip it out before delivery. Finally, one can also always introduce lag.
So to track who is talking to any server you characterize the stream. Then through a command and control server of their own introduce various inconspicuous amounts of lag at all ISPs for all the streams that match the characterization signature. Add in a binary search and you can track any connection back to its source in under a minute. It can also identify all proxies within its borders and the order they are used according to the lag propagation. Even using a neighbor's WiFi will not necessarily hide you.
Well, maybe you don't have electrical meters that allow for it, and offer it as a customer option, like we do here.
Oh no we most definitely do. Variable pricing, peak / off peak times, on / off peak circuits. We got all that. It is barely working. The change it has made on the broad industry has been minute at best because it is behavioural and ultimately still manual. People don't dedicate a lot of time for minimal savings and cry for regulation when the expenses become too high. A true smart grid can offer so much more which is primarily why it is industry driven as a solution to the very real problems they are facing.
Jesus Christ. Just admit that you don't understand what the internet is and how it works and move on with your pathetic life. Only an ignorant moron would run around spewing the ridiculous drivel you have been spewing in this thread.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
That's the dumbest idea I've heard yet for a solution to this. You can't ban something from the internet on an application basis, (and yes, IoT is just another application as far as the internet is concerned) otherwise that sets a precedent for banning practically anything that governments or whoever doesn't like. The MPAA for example would be able to justify banning things like youtube and bittorrent.
The "internet of Things" was a stupid idea, so why not just ban it once and for all? Or create a separate internet just for people who want such stupidity as turning on their lights without getting off the couch. The world would be a better place either way.
Are you trolling or serious, as I'm not sure? Just because you don't see the appeal of something isn't a reason, it is an opinion, and doesn't help much anyway since if you read enough sec news you'd see smart things are a very small portion of those IoT botnet numbers. IIRC webcams were one of the biggest in the latest analysis. The actual issue is many vendors have no incentive to secure their products. I don't mean they are not properly hardened, I mean they don't do ANYTHING to even try to.
The vendors need to be given incentive to want to invest time and money on it or fear it'll fuck with their bottom line. Secondly consumers need to be given incentive to both care as the issue does affect them, although they link in chain as ignorant enablers albeit not the direct cause and help them to put demand on vendors to meet that rather than make the customers liable instead of the companies which is doomed to fail too never mind unfair. Consumer pressure to meet a requirement etc works in other industries. Hard to know what to do as it is a multi-aspect issue and not straightforward, but a sort of good suggestion I read from a commenter on Schneier's blog a while back would possibly work, which was to notify owners and hold them legally liable for what the devices are used for if they repeatedly ignore or ignore after time period of first confirmed notification and force consumers to demand vendors of webcams, most provided by ISP routers and other stuff to secure their stuff.
You'd need to do similar, like open vendors to legal challenges from consumers if they don't try to secure their product properly (or at all). Another issue is the ISPs don't give a shit as they gain from the increased traffic, thus they have been sitting on their hands in many cases and it has been pointed out more than once by industry people, so you need to deal with that too. Same goes for governments who also don't necessarily want to find a "fix" for things that can be utilised by them should they ever wish to. Complex issue like I say, understand now? Alternately we could just ban every IoT device like you suggest including routers, although it means no more reading oversimplified comments from clueless people so there is some merit to that.
Elsewhere I mentioned other IoT products that are flawed, such as DVR video security systems with remote monitoring (thieves will be gone before the cops get there), remotely-administered fuel pumps (already hacked), and a few other things. IoT is fundamentally flawed.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Elsewhere I mentioned other IoT products that are flawed, such as DVR video security systems with remote monitoring (thieves will be gone before the cops get there), remotely-administered fuel pumps (already hacked), and a few other things. IoT is fundamentally flawed.
Don't get me wrong, I totally agree they are flawed, and for all my sarcasm my own opinion is very similar, but that doesn't mean there isn't value in it for others. I personally feel most of those things add more problems than they solve and are net connected for the wrong reason. Just connecting things to the net that don't need to be, and where the wireless is necessary and you need smart versions keep it on intranet would work for most of the applications. However my feelings won't ever fix the issue, just like complaining about carbon emissions from planes doesn't do anything to stop people taking flights.
Sometimes I've complained about shit being silly until someone has corrected me on "our business uses that silly functionality for ...." and I have a big "ohhhh" moment and then it makes sense. Some IoT may be a godsend for niche uses, people with a disability and so on and really be more than just because we can kind of things. Sure we can spot the flaws in "some" applications but there will be valid uses too. And of the non-essential use people still have a choice and we can't dictate that. What does indeed need fixing is the actual issue though, sadly it will likely come to severe shtf time before sensible action is taken (note the sensible as I'm sure there will be bad "fixes" before the issue is resolved. UK government is rather fond of that approach).
If the biggest companies decide what consumers get, you end up with America.
FTFY
Stop pretending there's a free market.
So your plan is to pay a homeless person minimum wage to sit and keep an eye on your TV.
Sounds much more expensive than just having insurance and buying another TV.
Maybe investigate training the dog to call the cops.
So your plan is to pay a homeless person minimum wage to sit and keep an eye on your TV. Sounds much more expensive than just having insurance and buying another TV. Maybe investigate training the dog to call the cops.
Never said that, so don't put words in my mouth. A dog on the premises is cheaper and better, and works for table scraps and dog food. Also, dogs can hear someone before you can, and can tell just by the sound of their walk if it's a friend or not - and growl accordingly as required.
Place I was working at, they had 2 German Shepherds that roamed the premises at night. A former employee broke in to rob the place, they let him get in, no problem. Then they made sure he didn't leave until someone showed up.
IoT security systems wouldn't have been nearly as effective. The guy would have walked away instead of getting 2 black eyes - I mean slipped and hurt himself.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I think we can specify an enumerated criteria as not persistently sending out harmful/malicious traffic to the public internet. I don't care if YOUR network gets hacked, but when your network attacks my network, it's my problem. At that point, I think you can justify some intervention (not necessarily government, maybe ISP, but something). If a PBX (private telephone exchange) got hacked and started making hundreds of calls to 911, you can bet people would get on that rapidly, instead of the nonchalant attitude about routers being hacked.
I realize my definition might be too broad or vague for your comfort, but once an actual attack begins, the traffic pattern, profile, or signature will be apparent. Then go to the ISPs and say, "This is coming from your network. Stop it." Make the ISP own it. That includes making sure ISPs block traffic attempting to leave their network that claims to be from outside their network. Not sure if consequence is lawsuit by the victim of the attack, the government cutting off the ISP that doesn't make a good faith effort to shut it down, or something else. However, I'm pretty sure it would be better than what we have now.
Or, you know, you could end up with a:
https://en.wikipedia.org/wiki/Aston_Martin_Vulcan
A sports car (not a race car) that's not legal for the road. I could live with one of those.
Neither country looks like a good option at this moment. Besides, you might want to consider the little grey area in between North Korea and the US?
TMI. Readers don't care.
That includes making sure ISPs block traffic attempting to leave their network that claims to be from outside their network.
How would that work? Most of the big ISPs are transit providers, they can't block that traffic at the border. I suppose they could block it at the home portion of the network, but that would cause them to have to process rules on massive amounts of traffic, making the routers 10x the price, over the entire network.
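Added example, not part of the thread: the source-address check the two posts above discuss, in the form BCP 38 (RFC 2827) describes, applied at the customer-facing port where the assigned prefixes are known instead of at a transit border. Port names, prefixes and packets are constructed from documentation address ranges; the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed: access port -> prefixes the ISP assigned to that customer.
PORT_PREFIXES = {
    "cust-17": ["203.0.113.0/28", "2001:db8:17::/48"],
    "cust-42": ["198.51.100.64/26"],
}

def build_table(port_prefixes):
    """Parse prefix strings once so the per-packet check is a containment test."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in port_prefixes.items()}

def permit(table, port, src):
    """True only if src lies inside a prefix assigned to the port it arrived on."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                      # unparsable source: drop
    return any(addr.version == net.version and addr in net
               for net in table.get(port, []))   # unknown port: no prefixes, drop

def filter_egress(table, packets):
    """Split (port, src, dst) tuples into forwarded packets and per-port drop counts."""
    forwarded, dropped = [], Counter()
    for port, src, dst in packets:
        if permit(table, port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1            # a drop count per port points at the spoofing host
    return forwarded, dict(dropped)

SAMPLE_PACKETS = [  # constructed
    ("cust-17", "203.0.113.5", "192.0.2.10"),            # own prefix
    ("cust-17", "198.51.100.70", "192.0.2.10"),          # another customer's address
    ("cust-17", "2001:db8:17:1::5", "2001:db8:ffff::1"), # own IPv6 prefix
    ("cust-42", "198.51.100.100", "192.0.2.10"),         # own prefix
    ("cust-42", "10.0.0.5", "192.0.2.10"),               # private source leaking out
    ("cust-99", "203.0.113.5", "192.0.2.10"),            # port with no assignment
    ("cust-42", "not-an-ip", "192.0.2.10"),              # malformed source
]

if __name__ == "__main__":
    fwd, drops = filter_egress(build_table(PORT_PREFIXES), SAMPLE_PACKETS)
    print(len(fwd), "forwarded;", drops)
```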
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?