Researcher Scans All IP Addresses of Austria, Finds a Ton of Things That Shouldn't Be Online

Christian Haschek scanned the entire Austrian IP space and found IP cameras, printers, and industrial control systems and a range of other devices that should not be online.

Annnnd...

[LesFerg]

IT professionals around the world were shocked by this discovery. Not in the slightest.

Re: Annnnd...

I clicked the link to read more, asked myself âoe..why did I do that?â, saw your post and laughed, backed out, then came back to agree. lol

Re:Annnnd...

Exactly. It is the legacy of ID-1-ot "managers" insisting on having a "panel" they can view on their Blackberry / iPhone. IT cellar people have to oblige to survive the next round of "annual job reviews."

Re:Annnnd...

[93+Escort+Wagon]

I don’t know about you, but I was sure glad I happened to be sitting down when I read this shocking headline!

Re:Annnnd...

[The+Original+CDR]

I had a network scan report last year that showed garage door openers for the underground garage on the General VLAN. Didn't surprise me at all. Still waiting to see coffee pots, microwave ovens auto flush toilets to pop up on a scan report.

Re:Annnnd...

yes we can then follow the scans of blocked toilets and we can retrace your path in the building chris

remember when you thought sharing this was a good idea

https://science.slashdot.org/c...

you must make new friends easily with stories like that

Re:Annnnd...

Hi Chris!

Apparently, we will be able to send you to Mars after all, without a space elevator!

This is really heavy-metal!

link:
https://slashdot.org/comments....

Then, you can maybe forget about your YouTube venture long tail revenue stream.

Sad, so sad...

dotted triple

[quenda]

Austria has 11 million IPv4 addresses. 11.170.487 to be exact

You know you've been in the continent too long when you put periods in the middle of an integer, but not at the end of a sentence.
Sorry to be such a grammar n ... na ... never mind.

Re:dotted triple

[angel'o'sphere]

FYI: in Europe we use periods instead of commas to visually separate long integer numbers into groups of 3 ... a no brainer if you had looked closely and seen he made the "same mistake" twice.

American way: 1,000,000
European way: 1.000.000

Simple, isn't it?

Re:dotted triple

[mschuyler]

Quenda, you just embarrassed yourself and the entire country. Thanks a 1.000.000.

Re:dotted triple

[ShanghaiBill]

American way: 1,000,000

It is not just America. 70% of the world uses commas as separators with a decimal point. We out number the dot-separators more than two-to-one.

Of the nine countries with nuclear weapons, seven use commas as separators. So if you want to fight this out, you are gonna lose.

Re:dotted triple

The OP knew that, as he commented specifically on the European way of doing things... and pointed out that the writer also forgot to include a period at the END of a sentence (where even European writers put one).

This led to an amusing unbalance of periods... which is why the OP posted.

To people without a sense of humor, the OP may have been to difficult to understand. But that's OK, someday the stick may come out of your ass, and you'll learn what it's like to laugh and enjoy yourself.

By the way, are you German?

Re:dotted triple

[Trogre]

That's just one single IP address, and not a valid one at that.

I just had an image of an entire country accessing the Internet through a single NAT'd interface.

Re:dotted triple

Except the UK is part of Europe, and they don't.

Re: dotted triple

[Jesus+H+Rolle]

Holy fucking whoosh!

Re:dotted triple

[ShanghaiBill]

Except the UK is part of Europe, and they don't.

Neither does Ireland.

Luxembourg and Switzerland use both officially.

Re:dotted triple

[quenda]

European way: 1.000.000

Simple, isn't it?

Doch! (Hope I used that correctly, as we have no English equivalent.)

It is not so simple. British and other English speakers do not do it that way, so commas should always be used as separators when writing in English.

England is still in Europe, no? At least for a few more weeks until it gets towed into the Atlantic.

The number is also funny because, as Trogre said, it looks like a single IP address.
How do central Europeans write dotted quad notation?

Re: dotted triple

hehe

Re: dotted triple

[phantomfive]

COBOL was created in collaboration between Americans and Europeans, and it nearly broke down over the number seperator, with one researcher emotionally declaring, "I will never use a period as a decimal point!" Eventually they came to a compromise but not before a tombstone was made for COBOL. https://www.computerhistory.or... Next let's tackle the controversy of order of operations! Left to right is of course the proper order.

Re:dotted triple

[msauve]

Whoooooooooooosh. He knew that.

Re:dotted triple

[sjames]

They're trying not to be, but they can't seem to find the Brexit.

Re:dotted triple

FYI: in Europe we use periods instead of commas to visually separate long integer numbers into groups of 3 ... a no brainer if you had looked closely and seen he made the "same mistake" twice.

American way: 1,000,000
European way: 1.000.000

Simple, isn't it?

No, not really. Does "1.000" mean "one thousand" or "one, with a precision of three decimal places?"

Re:dotted triple

[DontBeAMoran]

Both ways of writing numbers are totally flawed.

1.000.000

Did I just write "one million" or "one thousand as a float with a precision of three decimal points"?

1,000,000

Try using that format in parameters, coordinates, etc. It's going to be a mess.

1000000 is just plain easier to read and no mistakes can be made. Of course, if you're programming it has to be 1000000, but still.

Re:dotted triple

[ls671]

one thousand would be 1.000,000 in their system so in short it is just like driving to the right or driving to the left. Inverse everything ;)

Dots become commas and commas become dots.

1,000.825 == 1.000,825

I have to agree this is kind of silly that we can't all agree in the same notation. This is far worse than metric vs imperial because it is expressing exactly the same value.

There is many websites out there (example: Paypal) that force you to enter an amount or a number in a specific way depending on how your locale is set .

Re:dotted triple

[ls671]

So does Canada.

Re: dotted triple

1.000,000

Re:dotted triple

[ls671]

I assume that Austria must have more than 65,535 simultaneous connections needs.

Re: dotted triple

I just draw little penis heads for seperators:

1(')000 - one thousand
0(,)25 - a quarter of a 1

Re: dotted triple

no, this is wrong.
the correct way, if you should ever go to war and need working logictics and accurate trajectories is:
1'000.00 (thousand)
100'000.00 (hundred thousand)
1'000'000.00 (one million)
543'387.23
comma is for sentences. dots for stuff less then one and to end a sentence.
now get off my lawn.

Re:dotted triple

naah, you'll just fall into a coma sooner than the rest of the world.

Re:dotted triple

[Barsteward]

1,000,000.00 is used in the UK

Re:dotted triple

Someday another interplanetary lander will fall to this inconsistency. Comma, I mean period; or was that Period, I mean comma... *crunch* .. oh, nevermind.

Re:dotted triple

[DontBeAMoran]

And slashdot helpfully removed the non-breaking spaces that I wrote in the first "1-000-000" of my last sentence. <sigh>

Re:dotted triple

[Rockoon]

Of course, if you're programming it has to be 1000000, but still.

1990 called and wants its issues back.

In modern languages you can even put separators in base-2 notated values

Re: dotted triple

As a Canadian, I was taught to separate orders of magnitude with spaces, but unofficially nobody in this country gives a crap about that and in practice we all use commas.

This is the first time I've seen that particular notation, but damn it, I *LIKE* it! I gotta admit, it's the most readable compared to periods, commas and spaces. We should all be switching to this.

Re: dotted triple

I donâ(TM)t normally take an anti-Europe side, and I slash the letter Z and the number 7 when I write them.
However, commas for each 3 digit group, and period for decimal point make sense in terms of common grammar. A sentence can have multiple commas, some more, some less, but gets one period.

The commas separate internal phrases, but do not make it a new sentence.

Of course, the world has lots of different ways to denote large numbers. Try lakh and crore in India.

Re:dotted triple

[thegarbz]

So if you want to fight this out, you are gonna lose.

Sure just remember when you fire your nuke we are 8.339 distance units away, and make sure you double check your units with NASA before you fire.

Re:dotted triple

Nerd test, you failed ;). Only way it works in slashdot's limited markup is to use code tags.

1 000 000

Re:dotted triple

[grumpy-cowboy]

French Canadian way (we use space separator): 1 000 000
With decimals: 1 000 000,99

Re:dotted triple

[munch117]

Thus disproving "no mistakes can be made" :)

Oh, and all three ways of writing numbers are totally flawed. The better way is 1'000'000. No one ever misunderstands that, even if they've never seen it before. And /. cannot bungle the formatting, try as it might.

Re:dotted triple

European way: 1.000.000 Simple, isn't it?

You misspelled "stupid".

Re:dotted triple

[Kernel+Kurtz]

Lets not even get started on expressing dates.........

Re:dotted triple

[Aighearach]

At this point only Lord Buckethead can save them. The whole rest of the country have their shoelaces stuck somewhere in the middle steps of Barnier's Staircase!

Hail Lord Protector Buckethead!

Re:dotted triple

[Aighearach]

How do central Europeans write dotted quad notation?

They're too poor for that to create any ambiguity. They don't have that many of anything.

Re:dotted triple

[Aighearach]

That's just one single IP address, and not a valid one at that.

I assumed it was shorthand for a CIDR address aligned to 8 bits.

Re:dotted triple

[angel'o'sphere]

Since Java 7 you can use _ as separator in an number literal anywhere you want.

Re:dotted triple

There are more than a few countries in Europe.

The Swiss use apostrophes: 1'000'000
Most of us use spaces though: 1 000 000
(hey, spaces are the SI standard too!)

Here's a pretty decent overview.

Re:dotted triple

[kaatochacha]

I'm imagining world war 3 breaking out over a disagreement over comma versus period number separation.

illegal?

but if its done in the name of "research'?

Re:illegal?

but if its done in the name of "research'?

No, I don't believe it is (but IANAL) as long as you just connect to it since the services are 'public' even though the owners might be unaware of it.

If you go further, it quickly becomes greyer though. A screenshot might be accepted, but if you change settings or print something you are passing into the dark regions.

Re:illegal?

[Opportunist]

Not illegal in Austria.

If you try to use the information, it is. But finding out that there are unpatched, insecure servers isn't per se illegal.

Re: illegal?

Thank goodness I am a lawyer, so I donâ(TM)t have to say that I ANAL. :)

Ya don't say!

You'd think they'd be more careful, ya know, with all them dingos eating the babies and stuff

Re: Ya don't say!

Build that wallaby!

Re: Ya don't say!

And have New Zealand pay for it!!!!

Re: Ya don't say!

At the risk of a whoosh, it says Austria not Australia.

Re: Ya don't say!

Whoosh

Re: Ya don't say!

[LynnwoodRooster]

It's OK, the GP doesn't speak Austrian...

My former employer did the same

They hooked up - let us just call it something very large, handling a lot of energy - to the public internet via a ADSL connection.
I went home and demonstrated I had direct read/write access to everything from home without using any of the passwords (and I could just change them.)

They put in a firewall on that site, but making the product secure was out of the question. That was 15 years ago, they have changes to a OS with some security since then.

Spent weeks researching

Then someone told him about Shodan.

shh.

Why are most humans so damned dumb?

I used to think that people were smart.
Then came the Internet, and I started thinking that people were getting dumber, not smarter, over time.
Then came Internet 2.0, and the Real Truth finally hit me: people have been dumb as a fencepost all along. The Internet just made it obvious.

Look around you: the utter stupidity of our own species will be our undoing.
HELP STAMP OUT STUPIDITY!

Re:Why are most humans so damned dumb?

Bottom line: You're pretty dumb for not realizing that sooner.

Re:Why are most humans so damned dumb?

[DontBeAMoran]

Double bottom underline, why the hell does he need stamps? Does he need to mail something? Doesn't he know he can send electronic letters? It's called email.

Re:Why are most humans so damned dumb?

The fact it took you so long to realise what was has been a fact since the dawn of man makes me suspect you are part of the problem. The average person is not smart, not informed/educated. Churchill said it best. "The best argument against democracy is a five-minute conversation with the average voter.", It has been obvious to anyone with half a brain long before the internet was ever conceived.

Re:Why are most humans so damned dumb?

Fake News exists because it WORKS!
nigerian prince scams offering you 10% of their billions exist because it WORKS
Political slogans and catch phrases that are all blatantly obvious bullshit exist because they WORK
people are in general gullible, easily influenced, highly uneducated and deeply biased. It is scary it took you so long to see this.

Re:Why are most humans so damned dumb?

[Opportunist]

The word you're looking for is uneducated. Blame the school system (and homeschooling even more).

We don't teach critical thinking and reward rote learning and saying what the teacher wants to hear. Now what kind of result do you expect from that?

So?

[lloy0076]

In IPv6 every atom (at least - possible even the sub-atomic particles) can have an IP address, right?

Re:So?

[ShanghaiBill]

In IPv6 every atom (at least - possible even the sub-atomic particles) can have an IP address, right?

No. IPv6 is 128 bits, which is 3.4e38.

The number of quarks in the universe is roughly 1e80.

  So you are short by 42 orders of magnitude.

Re:So?

[Wescotte]

Yeah but you shouldn't put all quarks online anyway... Some are like printers and smart fridges and need to be behind a NAT.

Re:So?

[LynnwoodRooster]

42. Forty Two. The answer to life, the universe and everything!

Re:So?

[DontBeAMoran]

My algebra is a bit rusty... there's only one quark per atom?

Re:So?

[wierd_w]

3 per baryon. (Proton, neutron, etc)

Take atomic weight, and multiply by 3. Gives average quarks per elemental nucleus. (Not counting highly exotic nuclei with pentaquark configurations.)

Overall, pretty secure

[fermion]

1000 or so windows machines exposed in a country of 8 million, with unclear actual security risk.

DNS servers that actually serve DNS requests. Yes DDOS attacks are a problem, but so are DNS servers that don’t d anything. Agian, very few that appear to be a real problem.

Cameras are an issue, but it s pleasantly surprising there are only two public.

A few people have pen printers. One can imagine use cases security by obscurity might be the best option. Who is going to print on a random printer. And the up address for my printer cycles way too often.

It is unclear why a website that answers to get request is a problem. That is what websites should do. A functional website should never return a 404.

Re: Overall, pretty secure

When somebody at work 'shared' their desktop printer, I sent a bunch of black pages to it.

Re: Overall, pretty secure

[DontBeAMoran]

Option A: Something, something, dark side (of the page).
Option B: Only black pages? What are you, racist?
Option C: Did you tell your boss that your co-worker was wasting ink/toner?
Option D: I am Groot.

Re:Overall, pretty secure

[ls671]

That is what websites should do. A functional website should never return a 404.

I agree, my web site sends a redirect to the Austrian government when a page isn't found. I get about 10,000 request a day for wp-login.php and I don't host any wordpress sites.

Re:Overall, pretty secure

[Opportunist]

Who is going to print on a random printer.

(paper coming out of your printer, reading)

Greetings,
You don't know me, but I have sent this to your printer. Another sheet of paper will be printed shortly, yes, it is a ransom note. You will put this note into an envelope and mail it. Don't contact the police, you and your porn collection would not like what happens next...

(I leave the rest to the imagination of the reader)

Re: Overall, pretty secure

Black pages? What a wasted opportunity!

Re:Overall, pretty secure

[Obfuscant]

Who is going to print on a random printer.

I have people print to the printer I run for my lab, from other places in the building, occasionally.

And when people learned about the bugs in the HP JetDirect that let people lock them up, assholes went out of their way to do that.

A functional website should never return a 404.

Uhhh, that's how it tells you you've requested an invalid page. The site is functional. It should tell you when you made a mistake.

Wooow.

[DaTroof]

I hope that discovery wasn't shocking enough to give him a palpitation. If he scanned the rest of the world, his heart might shoot out the back of his underwear.

how

[phantomfive]

I really wonder how these things end up online, given that most consumer routers don't accept incoming connections by default. Are people really going out of their way to put this stuff on the open internet, or is something else going on here?

Re: how

Unfortunately a lot of routers default their firewalls off. They must be manually enabled and most folks don't know how. Even the ones that are on by default usually also have upnp enabled which completely defeats the purpose of the firewall. I have yet to see a truly sane default router setup.

Re:how

[AHuxley]

They needed PnP with the internet?

Re: how

[DontBeAMoran]

You can test my router all day long if you want to. The I.P. address is 127.0.0.1
Good luck!

this is news?

[bloodhawk]

Seriously why the fuck is this an article? There are no revelations in this and this is nothing that anyone with half a clue is already fully aware of.

Re:this is news?

[sjames]

We knew it from statistical sampling, but it's nice to get a comprehensive count from a whole country.

Re:this is news?

[DontBeAMoran]

As a non-USAmerican, I'm just glad this isn't about Trump.

Re:this is news?

[Aighearach]

They didn't have enough dupes to meet the post quota, so we get this.

Go out and find some news and save us if you don't like it.

Pffft Only one country?

[complete+loony]

At a defcon talk in 2014 (talk slides) they scanned the whole IPv4 space live, looking for VNC instances. At least, anything that responded to a SYN packet.

Then they took a couple months to connect to each VNC instance, if no password was required, grab a screen shot.

Leading to a series of talks of things that shouldn't be on the internet.

Re:Pffft Only one country?

[Gyorg_Lavode]

This researcher must have a good publicist. shodan.io, project sonar (https://opendata.rapid7.com/about/), https://www.binaryedge.io/, https://twitter.com/ErrataRob, and many more scan the entire internet all the time. https://twitter.com/Viss does talks about finding wacky stuff on the internet regularly.

Re:Pffft Only one country?

[DCFusor]

Tentler is hilarious. I liked the defcon comedy inception panel version of this (with "and give me a drink" added to the title).
Normally I'd say "and nothing of value was learned" because most of us know that there are all kinds of things on the 'net that shouldn't be.
But evidently there are some people behind the curve of the obvious.
It really got bad, and is getting worse due to the usual "follow the money" issues. Why to I need to use some intermediary for my internet of things stuff? So they can be man in the middle, and maybe either sell your data or just start charging rent to use your own stuff? Why do people fall for it? Could it be that the ipv4 space is tight, competence is low, and this whole scheme profits due to the difficulty of getting your own web presence? It might still be insecure, as there always seem to be debug backdoors in the cheap IoT stuff, which is why my 'stead uses a LAN of things - only.
.

As usual, cui bono....

Any kangaroos or koalas?

I am an American. Geographically challenged.

Re:Any kangaroos or koalas?

Nope - no kangaroos or koalas, in this case only a lone lost Sherman tank wandering the streets of Vienna, caught in a time warp and trying to shoot Mr Hitler between his beady little Austrian eyes before he could subvert Germany.

Open resolvers???

IT Professionals should know better.

It isn't the open DNS that causes the problem, (attack vector, attacker sends query to DNS with faked IP address, DNS sends back large packet of data 100 times bigger than query to faked IP, denial of service attack on faked IP address)... it's lack of DOS protection on the receiving IP address.

Open DNS is a good thing and should be encouraged.

I'm from Luxemburg, and ...

We definitely only use the 1.000,000 (=1000) variant.

Also, our country name is written Luxemburg (or Letzebuerg with two dots above the e, in our native language). Not Luxembourg!

You have to understand our history to know why you can also use the other variant.
See, we are a tiny country that always was the firs to get overrun by enemy forces. And then we started hating them and bannning everything related to them.
And the last ones happened to be the Nazis. Which drove us a bit into a schizophrenic situation. Since we ourselves are a germanic country that just happened to not become part of Germany because it always used to be a tax haven, even back in the times of kings and queens.
We picked French as our new beloved dominant language and culture. Which is also silly because the French were what we hated before the Nazis, since Napoleon had invaded is before them.
But for those "reasons" we had French dominating here for decades. In parliament, i the press, in court, and at the supermarket checkouts.
It only started to get better in the late 80s. But French still dominates courts and is generally very fashionable and upper class. So of course the upper class likes everyone to use the French spelling of our country's name and the French decimal symbol and so on.
But in reality, every actually luxemburgish person on the street is still speaking a germanic language called luxemburgish (letzeburgesch). And English is of Germanic origin too. So we all should and do use the germanic version, no matter what the officials say.

Oh and fun fact: We have 50% immigrants now(!!!), and our country is working fine, with everyone getting along. Also if you have any clue as a company, you can manage to pay zero taxes, yet the budget is positive.
So it's not those things per se that ruin a country. It's how you deal with them.

Re: I'm from Luxemburg, and ...

So that's how Luxemberg keeps its independence. Once one of them gets started talking, nobody can get them to stop again before hearing about the country's history. It's like a country full of everyone's Scottish great granddads...

https://youtu.be/YKRFlNryaWw

Re:I'm from Luxemburg, and ...

French is one of the official languages and in French, the country's name is Luxembourg.

Re: Teen Porn

In prison. Ask for a guy name Ripper. Every prison has a dude like that. And every pedo gets an introduction.

Tell him ole Ollie_Copter sent ya. You'll get a discount on your first five ... eh ... "pics and/or vids", oh and a 100% guaranteed reduction in the length of your prison stay. All free of charge of course because Ripper, he do like that!

Researcher uses shodan, news at 11

Researcher uses shodan, news at 11

Fuck Off APK

Fuck Off APK. No one wants to see a life size reproduction of your dick

We were doing this in the mid 90's

These faggots seem to be at least 25 years behind the curve. These neophytes think they actually contributed something useful hahahaah

TRYING & FAILING @ "FRAMING ME", loser?

TRYING & FAILING @ "FRAMING ME", loser? That's not I you replied to but you KNOW that you pussy ass little freak punk, don't you!

* You're a SAD little nobody loser & you STALKING me by UNIDENTIFIABLE anonymous proves it.

APK

P.S.=> You're lucky I can't get ahold of you in the REAL WORLD fucker - you'd be one sorry fuckhead... apk

Fuck you you stalking little cunt... apk

See my subject: I'll kick YOUR FUCKING ASS for stalking & harassing me you unidentifiable little cowardly cunt - tell me your REAL name, address, & phone # so I can verify it's REALLY you & we can settle this once & for all, fucker...

APK

P.S.=> Everyone SEES you constantly stalking & harassing me bitch, so WHO ARE YOU FOOLING but yourself - & IF I ever get to you? You'll WISH you were dead cocksucker... I shit you not! apk