Slashdot Mirror


Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com)

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.

149 comments

  1. And thanks... by Anonymous Coward · · Score: 0

    "And thanks for all the fish!" Reports say were his final words.

  2. Re:Great by Joe_Dragon · · Score: 1

    it's only about 456 years.

  3. what a maroon by JustNiz · · Score: 0, Troll

    so he was bricking IOT devices just to warn people of a potential threat of their IOT devices being bricked. Apparently logic isn't his strong point.

    1. Re:what a maroon by Anonymous Coward · · Score: 5, Insightful

      He didn't do it to warn people about a potential threat. He did it to force manufacturers to pay more attention to security. He should be given the key to the fucking city.

    2. Re:what a maroon by KiloByte · · Score: 5, Insightful

      No, he bricked broken IOT(S) devices to stop them from attacking others. A bricked device is harmless, and there's even hope it gets returned to manufacturer. On the other hand, one that's part of a blackhat botnet is bad for everyone.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:what a maroon by DontBeAMoran · · Score: 1

      That's just it though - he doesn't need the key to the fucking city.

      --
      #DeleteFacebook
    4. Re:what a maroon by Anonymous Coward · · Score: 0

      IoT == cancer; so he is performing 'Internet of Chemotherapy.'

      IoT devices should be banned.

    5. Re:what a maroon by Anonymous Coward · · Score: 0

      I'd rather have a bricked IOT device than one that is hacked and feeding my information to some nefarious 3rd party.

    6. Re:what a maroon by BronsCon · · Score: 3, Funny

      He'll just hack the city's smartlock!

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re:what a maroon by Narcocide · · Score: 1

      That's exactly what my dad told me actually. He used to tell me I was bringing it upon myself by "being different." Of course he used to beat me too, so there is some question as to how unbiased his opinion on the matter really was.

    8. Re:what a maroon by phantomfive · · Score: 3, Funny

      If you want to call that hacking. Most likely the telnet port was left open with a root password of 'password'. It could be worse, if it were intel management engine, it would have an empty root password.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:what a maroon by Anonymous Coward · · Score: 0

      feeding my information to some nefarious 3rd party.

      Unhacked IoTs are also feeding your information to a nefarious 3rd party -- the manufacturer and parties it sells your information to. IoT == legal spyware.

    10. Re:what a maroon by Anonymous Coward · · Score: 0

      He also thinks that the government is going to disappear him in the night rather than arrest him and get themselves a whole bunch of publicity about how they caught an evil hacker too so if anything it paints a picture of someone desperately in need of mental health support. The guy is severely paranoid and desperately seeking attention.

      In that context I wouldn't expect logic would be his strong point, he needs help.

    11. Re:what a maroon by AmiMoJo · · Score: 5, Interesting

      He used publicly known exploits, so if he didn't get there first it was only a matter of time before someone else did.

      Since most people wouldn't even know their device was part of a botnet, this is the best outcome. They will return it to the shop as defective or get a software update from the manufacturer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:what a maroon by hackertourist · · Score: 0, Troll

      A bricked device is not harmless: it has to be replaced. If the average price of those devices was as low as $10, he caused $ 100 million in damage.
      And he left the owners of those devices with no clue as to what was going on. The user only noticed his device had become unusable, and would be far more likely to assume a hardware problem than someone remotely disabling his device (let alone divine WHY someone chose to do that).

    13. Re:what a maroon by Anonymous Coward · · Score: 0

      How on earth did he force manufacturers to pay more attention to security? The sheep just bought new devices after he bricked them. He rewarded these companies for their insecure garbage with the sheep's money. And the sheep deserved this?

      He's like a guy that comes in and rapes your daughter to teach you that leaving her window open isn't a good idea because someone could get in and rape your daughter. Fuck this guy. You guys are retarded.

    14. Re:what a maroon by Anonymous Coward · · Score: 1

      A bricked device is not harmless: it has to be replaced. If the average price of those devices was as low as $10, he caused $ 100 million in damage.

      One can only hope the damage is big enough to make the manufacturer start paying attention to security. IoT with no security is a disaster waiting to happen, as they become part of botnets and then are used to DDoS important stuff, which will cause at least as much in damage as you are claiming...

    15. Re:what a maroon by Kiuas · · Score: 2

      A bricked device is not harmless: it has to be replaced. If the average price of those devices was as low as $10, he caused $ 100 million in damage.

      Yes, but that cost needs to be paid for by the manufacturer who has sold you a faulty device with a vulnerability.

      And he left the owners of those devices with no clue as to what was going on. The user only noticed his device had become unusable, and would be far more likely to assume a hardware problem than someone remotely disabling his device (let alone divine WHY someone chose to do that).

      The user doesn't even need to know what was the true cause because this is identical to a serious hardware issue.

      I once bought an iPod that suddenly stopped working after some months of use because the hard drive failed. I returned the device and got my money back. In that case it was actually the fault of the seller because it turned out the device was not indeed brand new but a returned device which had been repackaged and sold as new, which is of course illegal. However the point is as a customer I don't care one bit 'what's going on' and whether or not it's faulty hardware or if someone's remotely bricked the device. The only thing I care about is I paid money for something that doesn't work as intended, and it needs to be fixed.

      Imagine if you were sold a car for example that had a design flaw in the locking system allowing anyone to remotely unlock the doors with an exploit, or start the engine. Obviously you'd want it fixed, but unless these things are brought to public attention the company could just claim that it's bad luck that your car got stolen and they've nothing to do with it.

      That's why it's good that these things happen. Exposing critical vulnerabilities publicly is the only guaranteed way of putting pressure on the manufacturer to fix the vulnerability as they're legally obligated to do.

      --
      "It is the business of the future to be dangerous" -Alfred North Whitehead
    16. Re:what a maroon by Anonymous Coward · · Score: 0

      Most would throw it away and buy a new one and you know it. Rewarding these companies for their crap security.

    17. Re:what a maroon by hackertourist · · Score: 0

      Imagine if you were sold a car for example that had a design flaw in the locking system allowing anyone to remotely unlock the doors with an exploit, or start the engine. Obviously you'd want it fixed, but unless these things are brought to public attention the company could just claim that it's bad luck that your car got stolen and they've nothing to do with it.

      This guy "called attention" to the flaw by setting fire to every car with a flaw in its locking system, inconveniencing the owners and NOT INDICATING why he did that. His "cure" was worse than the problem.

    18. Re:what a maroon by Anonymous Coward · · Score: 0

      A bricked device is not harmless: it has to be replaced. [...] The user only noticed his device had become unusable, and would be far more likely to assume a hardware problem than someone remotely disabling his device (let alone divine WHY someone chose to do that).

      You missed the part of his statement where he said, "and there's even hope it gets returned to manufacturer." I say this because, in your arguing of his point, you say, "The user only noticed his device had become unusable, and would be far more likely to assume a hardware problem than someone remotely disabling his device" which is exactly the type of thing that people send their shit back to the manufacturer for. Did you just want to argue? Not even care about the point or topic?

    19. Re:what a maroon by Anonymous Coward · · Score: 0

      The manufacturer of the unsecured device caused the $100m in damage by being lazy and greedy.

      The white-hat that bricked those devices caused inconvenience. Nothing more.

    20. Re:what a maroon by Anonymous Coward · · Score: 0

      Thank you Ted, that was the joke.

    21. Re:what a maroon by Anonymous Coward · · Score: 0

      This guy "called attention" to the flaw by setting fire to every car with a flaw in its locking system, inconveniencing the owners and NOT INDICATING why he did that. His "cure" was worse than the problem.

      more like the guy caused 'every steering wheel' on those 'cars' to lock in place without anyone being able to drive it - thus 'forcing' a 'recall' or hundreds of angry 'drivers' hating your business.

    22. Re: what a maroon by Zero__Kelvin · · Score: 1

      Apparently your understanding of internet security and well being is non-existent. It wasn't to help the people know they were vulnerable, it was to protect the entire internet from the dangers of said vulnerability. No doubt you would prefer someone use the obvious vulnerabilities to cause damage to the internet while you continue to broadcast your ignorance on Slashdot

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    23. Re:what a maroon by Anonymous Coward · · Score: 0

      I don't follow your logic. Typically when I buy a device and it breaks within a few weeks I file a complaint with the company, if it's quickly enough demand my money back, and then they enter the list of "never buy from them again". I would assume most people would do similar. Why buy products that break super quickly? That doesn't seem like rewarding these companies.

    24. Re:what a maroon by Doctor+Memory · · Score: 1

      One can only hope the damage is big enough to make the manufacturer start paying attention to security.

      Right....because consumers are just going to pass those costs right back to the manufacturers...

      Or do you have some juvenile fantasy that "word will get around" that $MANUFACTURER's devices are falling over, and refuse to buy any more, thereby forcing $MANUFACTURER to upgrade their security?

      --
      Just junk food for thought...
    25. Re:what a maroon by Anonymous Coward · · Score: 0

      This terrorist won’t be given the key to the city, just a prison cell.

    26. Re:what a maroon by Anonymous Coward · · Score: 0

      yeah he's basically plugging millions of security holes in the internet. I'm conflicted because he is also destroying private property, so he's both a hero and a villain at the same time.

    27. Re:what a maroon by Ungrounded+Lightning · · Score: 1

      It could be worse, if it were intel management engine, it would have an empty root password.

      If I recall the reports correctly, the IME didn't have an empty root password. Instead it checked the number of bytes that the code running in the remote browser said were the length of the hashed password - rather than the number of bytes the IME server-side code knew were the length of a hashed password.

      So if you entered a zero-length password on the normal web page, you'd fail to log in. But if you hacked up your own version of the page's code that would say the hashed password was zero-length, the IME code would believe it, check zero bytes for match (which always passes), and let you in.

      So it didn't get discovered (at least publicly) until a security researcher did that hack and had his WTF moment, years after the broken code was deployed.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    28. Re: Re:what a maroon by Ungrounded+Lightning · · Score: 1

      ... if you hacked up your own version of the page's code that would say the hashed password was zero-length, ...

      I.e. send a "hashed password" that was zero-length.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
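
Added example, not part of the thread and not Intel's code: a minimal C sketch of the length-check flaw as Ungrounded Lightning describes it in the two comments above, next to a corrected comparison. The function names, the 32-character digest length and the sample digest are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the server stores a 32-character hex digest of the password. */
#define DIGEST_HEX_LEN 32

/* Constructed sample value, not a real credential hash. */
static const char STORED_DIGEST[DIGEST_HEX_LEN + 1] =
    "0123456789abcdef0123456789abcdef";

/*
 * Flawed check: the number of bytes compared is taken from the client's
 * message. strncmp() over zero bytes returns 0, so an empty response
 * "matches", and so does any response shorter than the real digest that
 * happens to agree with its beginning.
 */
static int check_flawed(const char *resp, size_t resp_len)
{
    return strncmp(STORED_DIGEST, resp, resp_len) == 0;
}

/*
 * Corrected check: the length is the one the server knows. Anything that
 * is not exactly DIGEST_HEX_LEN bytes is rejected before comparing, and
 * the comparison itself does not exit early on the first mismatch.
 */
static int check_fixed(const char *resp, size_t resp_len)
{
    unsigned char diff = 0;
    size_t i;

    if (resp == NULL || resp_len != DIGEST_HEX_LEN)
        return 0;
    for (i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (unsigned char)(STORED_DIGEST[i] ^ resp[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed regression cases for both checks. */
    static const struct {
        const char *label;
        const char *resp;
    } cases[] = {
        { "correct digest",   "0123456789abcdef0123456789abcdef" },
        { "wrong digest",     "ffffffffffffffffffffffffffffffff" },
        { "zero-length",      "" },
        { "truncated digest", "0123" },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t len = strlen(cases[i].resp);
        printf("%-17s flawed=%d fixed=%d\n", cases[i].label,
               check_flawed(cases[i].resp, len),
               check_fixed(cases[i].resp, len));
    }
    return 0;
}
```
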
    29. Re: what a maroon by Brockmire · · Score: 1

      This is mostly out of warranty shit.

    30. Re: what a maroon by Brockmire · · Score: 1

      No, you fucking idiot. If you find a remote lock exploit in the car, you notify the vendor so they can fix it. You do responsible disclosure, which forces the fix. There's a whole fucking process for researchers to follow. Have you been asleep during the last few years where this happens all the time? You don't just brick a car without first trying to fix the problem. People who don't do the responsible disclosure are assholes.

    31. Re: what a maroon by Brockmire · · Score: 1

      The user is responsible for its security. Fuck people, it's not new that you attach anything on a public IP, you are responsible for changing passwords and firewalling it. If I was a manufacturer, I'd reject the RMA. Things like Mikrotik are sold to professional admins. They've done training and know this. Educate the admins. Then it doesn't matter what a vendor does, the admin of the device and network is responsible. Blaming the vendor for really bad admin is fucking dumb.

    32. Re: what a maroon by Brockmire · · Score: 1

      To be clear, if the user couldn't change password and were hardcoded, that is a valid vendor problem.

    33. Re: what a maroon by Brockmire · · Score: 1

      Wireless infrastructure should be banned? No Internet for you.

    34. Re: what a maroon by Brockmire · · Score: 1

      And you'd rather pick the damaging solution instead of prevention and education? Seriously, fucking logic with you people, as long as it wasn't your device, right?

  4. Re:People like that NEVER retire by Anonymous Coward · · Score: 0

    Oh, sort of like how creimer still posts despite being at -1, universally mocked, and not wanted here?

  5. Spare us the left-wing lunacy! by Nutria · · Score: 1

    For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.

    It's 2017, FFS. In the West, that insane drivel stopped the day W left office, and is Putin going to throw you in the Gulag, or have a show trial, and then throw you in (a very nasty, but public) prison.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:Spare us the left-wing lunacy! by b0s0z0ku · · Score: 1

      Putin will give you a polonium cocktail with cyanide chaser.

    2. Re: Spare us the left-wing lunacy! by Anonymous Coward · · Score: 0

      A cyanide pill would defeat the whole point of using polonium dumb ass.

    3. Re:Spare us the left-wing lunacy! by Anonymous Coward · · Score: 0

      In the West, that insane drivel stopped the day W left office [...]

      So far. We'd better hope that Trump doesn't resign, otherwise someone competent might claim the power to do that.

    4. Re: Spare us the left-wing lunacy! by Anonymous Coward · · Score: 0

      depends on how sure you want to be. who knows if you're carrying around a huge syringe full of thiosulfate?

    5. Re:Spare us the left-wing lunacy! by SuricouRaven · · Score: 1

      Do we know what country he is in?

    6. Re:Spare us the left-wing lunacy! by cdu13a · · Score: 1

      I don't think he means vanished into a prison or shallow grave. It's more likely a vanished in the way scientists connected to German weapons programs vanished from Germany at the end of ww2.

      aka you don't have a choice you are coming to work for us.

    7. Re:Spare us the left-wing lunacy! by Nutria · · Score: 1

      It's more likely a vanished in the way scientists connected to German weapons programs vanished from Germany at the end of ww2.

      Preposterous.

      #1 PAPERCLIP scientists were glad to go to the US (the two obvious reasons are "not wanting to be picked up by the Sovs" and "doing what they love in a land of milk and honey, compared to war-destroyed Germany") and continue working on rockets.

      #2 Forcing someone to be a secret hacker is guaranteed to get your secret documents sent to the Enemy.

      --
      "I don't know, therefore Aliens" Wafflebox1
    8. Re:Spare us the left-wing lunacy! by Anonymous Coward · · Score: 0

      It's 2017, FFS. In the West, that insane drivel stopped the day W left office...

      You mean Obama didn't assassinate people with drones, and Hillary wasn't laying out assassination as means to an end in WH meetings?

    9. Re:Spare us the left-wing lunacy! by drinkypoo · · Score: 1

      It's 2017, FFS. In the West, that insane drivel stopped the day W left office,

      Drone strikes on weddings. Extraordinary rendition... Gitmo. Yeah, Obama sure was different.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re: Spare us the left-wing lunacy! by tigersha · · Score: 1

      Well he is not that stupid is he?

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
    11. Re: Spare us the left-wing lunacy! by tigersha · · Score: 1

      War is war. If they don't fight by the rules then so be it.

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
    12. Re:Spare us the left-wing lunacy! by Anonymous Coward · · Score: 0

      It didn't stop when W left office, you just stopped paying attention because you thought the new guy was cool.

    13. Re:Spare us the left-wing lunacy! by Nutria · · Score: 1

      #1 The drivel by the Left about Americans getting thrown in Gitmo silenced the day W left office.

      #2 Provide links to MSM news stories about extraordinary rendition during the Obama reign.

      --
      "I don't know, therefore Aliens" Wafflebox1
    14. Re:Spare us the left-wing lunacy! by ls671 · · Score: 2

      He is obviously in Italy since this is published on it.slashdot.org

      --
      Everything I write is lies, read between the lines.
    15. Re:Spare us the left-wing lunacy! by nasch · · Score: 1

      I don't know what exactly you would consider "extraordinary"...

      https://www.washingtonpost.com...

      http://america.aljazeera.com/o...

      It sounds to me like rendition continued, but with some attempt to ensure the suspects were not tortured.

    16. Re: Spare us the left-wing lunacy! by SuricouRaven · · Score: 1

      Exactly. He might not be in 'the west.' He may well be in the sort of country where it is reasonable to fear the government may disappear him, or an angry business owner might ask the local mafia to take care of him.

  6. Re: Great by Anonymous Coward · · Score: 1

    He disabled insecure devices before they could be taken over as part of a botnet.

  7. Re:For all to see by ShanghaiBill · · Score: 4, Insightful

    Screw jail. This guy needs to be drawn and quartered.

    Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jinping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.

  8. Re:For all to see by Anonymous Coward · · Score: 1, Insightful

    He was doing more than probing. Anyone who thinks this bottom feeder was performing a public service is an idiot. And this guy will probably find out that retiring doesn't mean law enforcement will stop looking for him. And implying he would be "disappeared" is indicative of his warped view of reality. How many people have been "disappeared" for hacking? This guy, and people like him, are also responsible for giving law enforcement the political support needed to attach harsher penalties for these types of crimes.

  9. Yep - public service... by b0s0z0ku · · Score: 3, Insightful

    (1) He's destroying devices that destroy privacy in themselves
    (2) He's destroying devices that are insecure by design ... open Telnet ports

    Not crying for the owners of this junk. He's indeed doing the Internet a service...

    1. Re:Yep - public service... by randomErr · · Score: 2

      So he sterilized the devices so they couldn't reproduce the same traits in future generations. Where have I heard that before?

      --
      You say things that offend me and I can deal with it. Can you?
    2. Re:Yep - public service... by thegarbz · · Score: 0

      Not crying for the owners of this junk. He's indeed doing the Internet a service...

      I am. Why should the end user pay for a manufacturer's .... I dare not call it a mistake. The world is full of people with wide skillsets in wide areas. You can't expect everyone to be an expert on everything. There are very few people out there with the capability of analysing their own network security.

      At the very least these things better be covered by warranty, or fit for service laws.

    3. Re:Yep - public service... by Anonymous Coward · · Score: 0

      In the agriculture industry which has provided us with a plentiful and reliable food source by making sure desirable traits pass on and undesirable ones are killed off as quickly as possible.

    4. Re:Yep - public service... by Baron_Yam · · Score: 1

      > You can't expect everyone to be an expert on everything.

      And even if they are, you can't expect everyone to spend uncountable amounts of time confirming everything from first principles.

      We have the lives we have because we specialize and regulate the specialists. I don't have to do destructive chemical and mechanical testing of my car tires to have confidence they are safe. I don't have to test samples of my morning cereal before sitting down to eat breakfast. I generally expect the probability of my smart phone exploding is sufficiently low I can disregard it.

      If everyone had to start checking everything personally, most people would die on the third day or so when they had yet to figure out how to confirm water was safe to drink.

    5. Re:Yep - public service... by Anonymous Coward · · Score: 0

      Who gave him that authority?

      No one.

      That is like me killing you and justifying it by saying you are an entitled asshole and entitled assholes become murderers and rapists.

    6. Re: Yep - public service... by Zero__Kelvin · · Score: 1

      Holy shit. I'm not exaggerating when I say that was by far the most stupid Godwinism I have ever seen in my life.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:Yep - public service... by Anonymous Coward · · Score: 0

      I'm sorry, I must have missed the meeting where network routers become endowed with human rights.

  10. Thank you by WaffleMonster · · Score: 2, Insightful

    This guy is my hero.

    1. Re:Thank you by Anonymous Coward · · Score: 0

      No, my good sir, it is you who is the shitty human being.

    2. Re:Thank you by Anonymous Coward · · Score: 0

      No, it's your self righteousness that blinds you to incivility. A rebel you are, probably just in this one area, how cute.

    3. Re:Thank you by Anonymous Coward · · Score: 0

      No, the shitty humans are the business execs who decided to produce such poorly-secured products

  11. $100 in damages by OrangeTide · · Score: 1

    Times 10 million devices. A billion dollar lawsuit filed against an individual might break some records.
    And no, I'm not playing anything. Just noting something hypothetical here. Personally I want to see every buggy piece of shit IoT removed from the Internet. They can go start their own garbage network to run their shitbox hardware on.

    --
    “Common sense is not so common.” — Voltaire
    1. Re: $100 in damages by tigersha · · Score: 1

      My one friend did actually get sued for 200 million USD by his employer but the case was dropped.

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
    2. Re: $100 in damages by Anonymous Coward · · Score: 0

      You can be sued for any amount, but at the end of the trial the judge will adjust the damages.

  12. Re:For all to see by WaffleMonster · · Score: 3, Interesting

    He was doing more than probing. Anyone who thinks this bottom feeder was performing a public service is an idiot.

    I think he should get a gold medal for each bricked device. He deserves it.

  13. Re: For all to see by rwven · · Score: 1

    Wow, .759 people! That's pretty cool. What happened to the .241 of them?

  14. Re:Great by Anonymous Coward · · Score: 0

    I don't know how you did your basic arithmetic, but ((10,000,000 / 60 ) / 24 ) / 365 is 19 years only not 456.

  15. So in other words by Anonymous Coward · · Score: 0

    It would have been better if his mother covered his face with a pillow when he was born...

    1. Re: So in other words by Anonymous Coward · · Score: 0

      Aww is some pedo mad that 10 million internet peeping tom cameras got killed?

      I do know they weren't all cameras but...fuck you.

  16. 10 million IoT by Anonymous Coward · · Score: 0

    10 million IoT which is an addition to 44 million metric tons of e-waste reported yesterday. Would've been better if he just patched those routers directly by closing those open telnet ports and ssh ports which were wide open to the internet.

    1. Re: 10 million IoT by Anonymous Coward · · Score: 0

      That was part of the process. It only bricked if that failed.

    2. Re: 10 million IoT by Brockmire · · Score: 1

      Link? I've only found mention of a different hacker group, Hajime, who closed Mirai holes. I've only read brickerbot bricks. Seriously, there's tons of shit that could have brought it offline without damage. He wanted to do this and would have found any reason (his is bullshit). I don't know why people are not assuming he's not financially benefiting. We keep hearing about malware makers after they're caught, they're in it for the money. When hackers take over a website, they generally deface it, which gets all the security attention required. They don't often delete the entire website.

  17. Some heroes don't wear capes. by WolfgangVL · · Score: 1

    Give this man a fucking prize.

    Seriously, IoT devices should come with goddamn warning labels.

    This device is known to the surgeon-general of cyberspace to pose a serious risk to your personal privacy, and the personal privacy of those around you. This device may also cause undesired network traffic, communicate with unauthorized systems, and promote the spread of malware to other network connected devices.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    1. Re:Some heroes don't wear capes. by Anonymous Coward · · Score: 0

      Who made this asshole "surgeon-general of cyberspace" and gave him the authority to destroy people's devices, dickface?

      It would appear that he didn't need anyone to give said authority to him.

    2. Re:Some heroes don't wear capes. by WolfgangVL · · Score: 1

      Who made this asshole "surgeon-general of cyberspace" and gave him the authority to destroy people's devices, dickface?

      Provide an answer to that which doesn't make you look like an arrogant piece of shit.

      He was unanimously approved for the position by the same voters that overwhelmingly support the repeal of net-neutrality. Try to keep up.

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
  18. Re: For all to see by war4peace · · Score: 1

    I guess those fractions represent missing arms, legs and other appendages.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  19. Re:For all to see by Anonymous Coward · · Score: 0

    sorry.... did he fuck up your bot-net?

  20. Headline should read: Author of BrickerBot Malware by Narcocide · · Score: 5, Funny

    ... finally gets a job.

  21. Re: For all to see by AvitarX · · Score: 1

    Just the second period would be enough, we're not that dense.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  22. Re:Great by AvitarX · · Score: 1

    Clearly missing the / 24 part.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  23. Re:For all to see by Anonymous Coward · · Score: 0

    "Infrastructure" Scary Russians and Chinese.... LOL. Meme day on /.?

  24. Re: For all to see by Anonymous Coward · · Score: 1

    I would have written it as 9.786.759,0 with the ,0 there to indicate to dumb-ass Americans they are not the only people in the world.

    Says the one mindlessly clutching to the losing convention for historical accuracy? tradition? feels? Who knows why. But, good one. You've got your own groove. Get it, stella!

  25. Re: For all to see by houghi · · Score: 1

    You forgot to mention Mossad and the NSA and all others.

    --
    Don't fight for your country, if your country does not fight for you.
  26. Re:For all to see by Anonymous Coward · · Score: 0

    Shanghai faggot with the +5 sock puppet self promotion again, what a dumb bitch.

  27. Re:For all to see by Anonymous Coward · · Score: 0

    He was doing more than probing. Anyone who thinks this bottom feeder was performing a public service is an idiot. And this guy will probably find out that retiring doesn't mean law enforcement will stop looking for him.

    Speaking of public service, three-letter agencies make this guy look like an angel by comparison, and taxpayers fund that fucking evil. He bricked infrastructure with shit security. For fuck's sake, he broke into devices configured with default authentication sitting on telnet. I guess you would have preferred the alternative, which would have been many other hackers taking over your shit IoT hardware and fucking with you/spying on you instead.

    And implying he would be "disappeared" is indicative of his warped view of reality. How many people have been "disappeared" for hacking?

    How the fuck would you know? You personally know the current status of every high-profile hacker on the planet? If they did pass away, it was from natural causes? You can't get any more ignorant if Snowden himself slapped you in the face.

    This guy, and people like him, are also responsible for giving law enforcement the political support needed to attach harsher penalties for these types of crimes.

    Ah, but suggesting "disappearing" him is somehow too harsh. Perhaps you'll enjoy paying higher taxes so we can warehouse script kiddies for life in prison. Not that harsher sentences will deter jack shit, but you'll somehow feel better with more taxation.

  28. Re: For all to see by Anonymous Coward · · Score: 0

    Yeah. Very likely the CIA uses European decimal separator...

  29. Re:For all to see by Anonymous Coward · · Score: 0

    He implied "some government", not necessarily yours. We typically won't hear about "disappearing people", will we?

  30. Or ... by Anonymous Coward · · Score: 0

    you could say he provided a free global security worth $100 million for us non boneheads that don't want unsecured IOT devices used in our daily lives. The dummies going around with unsecured $10 IOT devices should pick up the tab.

  31. or even a girlfriend! by Anonymous Coward · · Score: 0

    or finally gets kicked out of the basement.

  32. Re: For all to see by tigersha · · Score: 1

    He deserves to be probed. In the ass. With a sharp stick. Coated with capsaicin.

    --
    The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
  33. Re:For all to see by Anonymous Coward · · Score: 0

    No, he is a fucking tool and so are you. You should share his fate and your family too.

  34. Re:For all to see by JaredOfEuropa · · Score: 1

    Sure. Let's have some more guys "probing our infrastructure", by going door to door looking for weak or unlocked doors, then drawing our attention to security vulnerabilities by entering our homes and defecating on the bedsheets, and publishing a list of vulnerable locks and how to break them for other providers of this "public service"

    No thanks. No, the only "unpleasant figure" in this story is this criminal.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  35. Re: For all to see by Anonymous Coward · · Score: 0

    The next time you fail to lock your car door, I will be sure to rob you and leave a note that says "shit security".

  36. Re: For all to see by Anonymous Coward · · Score: 0

    Then when you do lock your doors, I will be sure to break your windows and leave a note that says "shit security".

  37. Re: For all to see by Anonymous Coward · · Score: 0

    Then when you put steel around your windows, I will be sure to torch a hole through the steel, rob you, and leave a note that says "shit security". When does it end?

  38. Re: For all to see by Anonymous Coward · · Score: 0

    He deserves to be probed. In the ass. With a sharp stick. Coated with capsaicin.

    But enough of your sexual fantasies...

  39. Re: For all to see by Anonymous Coward · · Score: 0

    He didn't forget them, they sign his paycheck.

  40. Re: For all to see by Anonymous Coward · · Score: 1

    9786.759 people have disappeared because of these activities this year alone. Its easy to access this information for yourself, just log on to www.CIA/bagmen/illegal/assassinations.org where the government tracks all of these instances for you.

    You sound awfully sarcastic. I'd hate to think you didn't think the CIA has ever killed anyone. If you do - read the following - and know it's not the only record from an 'authoritative' source on the subject:

    [The dart from this secret CIA weapon can penetrate clothing and leave nothing but a tiny red dot on the skin. On penetration of the deadly dart, the individual targeted for assassination may feel as if bitten by a mosquito, or they may not feel anything at all. The poisonous dart completely disintegrates upon entering the target. The lethal poison then rapidly enters the bloodstream causing a heart attack. Once the damage is done, the poison denatures quickly, so that an autopsy is very unlikely to detect that the heart attack resulted from anything other than natural causes. Sounds like the perfect James Bond weapon, doesn't it?] http://www.military.com/video/guns/pistols/cias-secret-heart-attack-gun/2555371072001

  41. Re:For all to see by wardrich86 · · Score: 2

    No, these IoT manufacturers with half-baked bullshit "security" built into them need to be drawn and quartered.

  42. TRANSLATION: his mom cut off his wifi by Anonymous Coward · · Score: 0

    cos only an infantile cvnt could possibly be bothered with such vapid mindlessness.

    12yo seeks internet glory, becomes laughing stock instead.

    total twaat.

  43. Re: For all to see by Anonymous Coward · · Score: 0

    Then when you put steel around your windows, I will be sure to torch a hole through the steel, rob you, and leave a note that says "shit security". When does it end?

    Default passwords left unchanged across thousands of devices. Insecure protocols still being used (fucking telnet?). The kind of stupid shit that vendors have known for decades to avoid. When does it end? When vendors pull their fucking head out of their wallet and invest in sound development practices instead of building hardware with shit security and rushing to be first to market.

    Until then, they're going to continue to be a hacker's bitch. Retired or not, he sure as shit won't be the last one to make an example out of those who fail to prioritize even common sense security.

  44. Where's the source by winse · · Score: 1

    I am admittedly lazy. Can someone point me at his source. I couldn't find it in a cursory google search. I'm not planning to use it in the wild, just curious about which exploits he used exactly.

    thanks

    --
    this sig is deprecated
    1. Re:Where's the source by plloi · · Score: 1

      I know this is slashdot, but if you RTFA and click around a bit it's not hard to find.

  45. Re: For all to see by Zero__Kelvin · · Score: 2

    Are you actually so stupid you don't know the difference? When door vendors start selling doors with locks that don't work because there is no financial motivation to add them and your house and 100,000+ others are used by criminals to damage a third party who pays a lot of money to secure their dwelling, then get back to us. Idiots like you are the reason we need guys like this in the world.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  46. Re:For all to see by Anonymous Coward · · Score: 0

    Not to mention those pesky attacks on credit companies like Equifax or health-care.
    It's not pleasant and the industry has a habit of reducing costs and efforts.

  47. Re: For all to see by petermgreen · · Score: 1, Insightful

    Dumbass mainland Europeans think it's OK to write in English but not follow English numeric conversions resulting in documentation that either makes no sense or worse gives values that are plain wrong.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  48. Re: For all to see by Doctor+Memory · · Score: 1

    Make sure you steal his ECU or otherwise "brick" his car. He shouldn't drive it until it's secured properly.

    --
    Just junk food for thought...
  49. Re: For all to see by Anonymous Coward · · Score: 1

    Right, so the solution is to punish the owners by destroying their devices to send a "message" to vendors? How's that working out so far? Are IoT device vendors scrambling to secure their shit so it doesn't get bricked? No?

    Fuck, if the ends justify the means why didn't he just start murdering insecure IoT device owners until the vendors agreed to change their ways? It would have been a lot more effective and he would have had just as many morons like yourself riding his nuts.

    What's a little collateral damage when fighting the "good" fight?

  50. Re:For all to see by Anonymous Coward · · Score: 0

    Why wouldn't you add Trump to the list? He inherited Obama's mass hacking agencies.

  51. Re:For all to see by networkBoy · · Score: 1

    Chemotherapy sucks balls, but death sucks worse. News at 11.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  52. Re:Headline should read: Author of BrickerBot Malw by Anonymous Coward · · Score: 0

    For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant HR person figures out who I am

    He was afraid of that already.

  53. Re:For all to see by I-am-a-Banana · · Score: 1

    Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jingping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.

    What?!? So if I am creating an IOT of things with my 7 year old, I don't know a simple weather station just say, and we don't secure it because it is a project for a 7 year old where there is no security risk of leaving it exposed, and it is easier for them to experiment with and this guy bricks it, maybe permanently, how is this a public service?

    It is vandalism. It is no different than him walking down the street looking at a weather station attached to a wooden fence post in someone's yard and smashing it because, he wants you to know that unless you put a secure cage around it or bring it into your home it is unsafe. This guy should be charged for vandalism for each device he broke and serve time for each. Just a single day for each device I think would suffice.

  54. Interesting Characterization by Anonymous Coward · · Score: 0

    I don't think it's the "government types" that are unpleasant.

    What a tool.

  55. Re:For all to see by devman · · Score: 1

    To clarify the argument (without endorsing this position). It would be like you created an internet connected IOT weather station that because it was unsecured got hijacked to be included in a DDoS swarm.

    The problem with poor IoT security is that, even if the device is useful for nothing else to the hacker, if it has a network stack and a connection it can DDoS someone else and there are millions of these devices. If this guy can get in and brick it, then someone else can get in and use it to DDoS.

  56. Re:For all to see by I-am-a-Banana · · Score: 1

    That clarifies it but doesn't make it right. It is like walking through a person's yard seeing a pick ax and breaking it to prevent a bad person from potentially finding it and using to murder someone.

  57. Re:For all to see by BitterOak · · Score: 1

    Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jingping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.

    The difference is I choose whether or not to get a flu shot. If someone walked down the street jabbing random people with a hypodermic, I'd suggest harsh penalties for them too.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  58. Re: For all to see by godel_56 · · Score: 1

    The next time you fail to lock your car door, I will be sure to rob you and leave a note that says "shit security".

    In Australia leaving your car door unlocked when the vehicle is unattended in a public place will get you a fine.

    It would be nice if we could get the same sort of treatment for the idiots who code for these IOT devices.

    BTW, it seems a lot of his victims were ISPs who are professionals and should know better as to how to set up their equipment.

  59. Paranoid Retard by Anonymous Coward · · Score: 0

    see title

  60. Re: For all to see by Brockmire · · Score: 1

    How the fuck do you expect for a vendor to set unique passwords for the customer? Are you retarded? The device is sold with a default login so that the operator can configure the device and set the password. It's up to the operator to limit access to it. That's ALWAYS been the case. People bitch when they buy a device and it's not locked down, and others complain the vendor oversteps and belongs to the one who purchased it. You can't have it both ways. This is a network administration problem. Super obvious, sunshine. There's already many proper disclosures sent to ISPs when open resolver DNS servers or SNMP with default community strings are found open. That's the responsible thing and leads to change and educated admins. Damaging property and causing issues on property you don't own is clear as fucking day illegal and this prick will eventually get caught when he steps into the USA. He's a cunt looking for the lulz. Fuck you and your 'you deserve it because you didn't change protocols soon enough', rather than limiting access in the first place as the vendor expects the admin to fucking do.

  61. Re: For all to see by Brockmire · · Score: 1

    That's a stupid law. Although I know Australia started off as a criminal colony, I didn't think you inherently treat your fellow citizens as criminals right off the bat. Gone are the days when you could leave house and car doors unlocked and not have to fear your shit being stolen.

  62. Re: For all to see by Brockmire · · Score: 1

    So if the companies are already increasing security efforts, how is this extra punishment still needed? Responsible reporting could have easily been done, it already has for years. He wrote malware. The malware spread in criminal hands. He causes denial of service attacks. He's a cunt. This is an admin fail problem. Clear as fucking day. There's many IoT devices intended for private use without outside access that doesn't need to spend millions developing a new product. Companies do need to keep selling these devices and there is demand, sometimes there is no replacement product or the company is out of business. WinXP is no longer supported but is still needed for various things in various industries. You don't need to fuck around with spending time and effort changing shit to Windows 10 when you IP limit access or similar firewalling, especially if there is no upgrade path. I worked for a company that forced changing password on first login. ZERO fucking people praised it, but MANY complained when they typo (it's double prompted so they're the same, but doesn't help if caps was on without them knowing), forget passwords, or employees just die. When something is deployed, of course you should change it and record the password safely. That's the fucking admin's job. The botnet fuckers can learn of zero days and infect shitloads of devices regardless of SSH or changed passwords way before a patch can be distributed (scheduled downtime period, people sick, vacations, etc) even by the most responsible vendors. In the end, you need firewall and limited remote access for anything reachable from the public. That's the fucking message, not just "change your passwords", which is not enough.

  63. Re: For all to see by Brockmire · · Score: 1

    So change the password to the MAC address instead. Hard to get remotely, easy with physical access. User learns they fucked up when they go to login and default doesn't work, but it's still operational without permanent damage. Even rebooting it at a specific interval would draw attention. It could be the "4h20 reboot issue" that becomes googleable when it's noticed their devices go offline on this specific time. There's lots of different things this asshole could have done without bricking them. He chose this. In court, the prosecution will present lots of alternative ways of educating the user and the jury will agree he's a cunt and he'll get decent prison time.

  64. Re: For all to see by Zero__Kelvin · · Score: 1

    I didn't read much of your post because your first sentence shows that you are new to the technology world but think you know it all already. Also, you should learn about paragraphs.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  65. Re: Headline should read: Author of BrickerBot Mal by Brockmire · · Score: 1

    I highly doubt he hasn't monetized this.

  66. Beware the ides of IOT! by Bloxclay · · Score: 1

    This shit is a wake up call. Like how Watchdogs 1 and 2 was a wake up call hidden in a game. Let's not end up like the shit hole world like in watch dogs 2 where government and corporations have become entirely nontransparent whilst your average Joe or Jane is so transparent that those nontransparent Political/Corporate entities can monitor everything you do + metaphorically have their hand up your ass like a puppet, e.g. tampering with what you see so as to unfairly bias your vote choice; I cite this from the story line of watchdogs 2... and they treat you like products for making money rather than as actual humans!

    --
    Switch it Off,Switch it On[SOSO] Solves 95% of all IT problems!
  67. Re: For all to see by Brockmire · · Score: 1

    Using Firefox on Android, there's no preview and there's new paragraphs when I submit it, so I only know they're not there afterwards, and there's no fucking edit. Sometimes I'll remember to have two new lines, but not always. Sometimes there's new paragraph and sometimes not. *shrug* Double new line test. I really hate walls of text, too. I guess I should have realized when it happens to others, it's likely the browser or /.

  68. Re: For all to see by Brockmire · · Score: 1

    Fuck you firefox. (Three lines of white space) Or fuck you /.

  69. Re:Headline should read: Author of BrickerBot Malw by Anonymous Coward · · Score: 0

    He did get a job.
    The nation state actors who took him away
    in the middle of the night wrote his farewell.
    After all, they don't want to scare away
    any other job candidates.