Slashdot Mirror


Researcher Scans All IP Addresses of Austria, Finds a Ton of Things That Shouldn't Be Online (haschek.at)

Christian Haschek scanned the entire Austrian IP space and found IP cameras, printers, industrial control systems, and a range of other devices that should not be online.

  1. Annnnd... by LesFerg · · Score: 3, Insightful

    IT professionals around the world were shocked by this discovery. Not in the slightest.

    --
    If I had a DeLorean... I would probably only drive it from time to time.
    1. Re:Annnnd... by 93+Escort+Wagon · · Score: 1

      I don’t know about you, but I was sure glad I happened to be sitting down when I read this shocking headline!

      --
      #DeleteChrome
  2. dotted triple by quenda · · Score: 1, Funny

    Austria has 11 million IPv4 addresses. 11.170.487 to be exact

    You know you've been in the continent too long when you put periods in the middle of an integer, but not at the end of a sentence.
    Sorry to be such a grammar n ... na ... never mind.

    1. Re:dotted triple by angel'o'sphere · · Score: 4, Insightful

      FYI: in Europe we use periods instead of commas to visually separate long integer numbers into groups of 3 ... a no brainer if you had looked closely and seen he made the "same mistake" twice.

      American way: 1,000,000
      European way: 1.000.000

      Simple, isn't it?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    2. Re:dotted triple by mschuyler · · Score: 1

      Quenda, you just embarrassed yourself and the entire country. Thanks a 1.000.000.

      --
      How about a moderation of -1 pedantic.
    3. Re:dotted triple by ShanghaiBill · · Score: 3, Funny

      American way: 1,000,000

      It is not just America. 70% of the world uses commas as separators with a decimal point. We outnumber the dot-separators more than two-to-one.

      Of the nine countries with nuclear weapons, seven use commas as separators. So if you want to fight this out, you are gonna lose.

    4. Re:dotted triple by Trogre · · Score: 1

      That's just one single IP address, and not a valid one at that.

      I just had an image of an entire country accessing the Internet through a single NAT'd interface.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    5. Re: dotted triple by Jesus+H+Rolle · · Score: 1

      Holy fucking whoosh!

    6. Re:dotted triple by ShanghaiBill · · Score: 1

      Except the UK is part of Europe, and they don't.

      Neither does Ireland.

      Luxembourg and Switzerland use both officially.

    7. Re:dotted triple by quenda · · Score: 1

      European way: 1.000.000

      Simple, isn't it?

      Doch! (Hope I used that correctly, as we have no English equivalent.)

      It is not so simple. British and other English speakers do not do it that way, so commas should always be used as separators when writing in English.

      England is still in Europe, no? At least for a few more weeks until it gets towed into the Atlantic.

      The number is also funny because, as Trogre said, it looks like a single IP address.
      How do central Europeans write dotted quad notation?

    8. Re: dotted triple by phantomfive · · Score: 2

      COBOL was created in collaboration between Americans and Europeans, and it nearly broke down over the number separator, with one researcher emotionally declaring, "I will never use a period as a decimal point!" Eventually they came to a compromise but not before a tombstone was made for COBOL. https://www.computerhistory.or... Next let's tackle the controversy of order of operations! Left to right is of course the proper order.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:dotted triple by msauve · · Score: 1

      Whoooooooooooosh. He knew that.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    10. Re:dotted triple by sjames · · Score: 1

      They're trying not to be, but they can't seem to find the Brexit.

    11. Re:dotted triple by ls671 · · Score: 1

      one thousand would be 1.000,000 in their system so in short it is just like driving to the right or driving to the left. Inverse everything ;)

      Dots become commas and commas become dots.

      1,000.825 == 1.000,825

      I have to agree this is kind of silly that we can't all agree in the same notation. This is far worse than metric vs imperial because it is expressing exactly the same value.

      There are many websites out there (example: Paypal) that force you to enter an amount or a number in a specific way depending on how your locale is set.

      --
      Everything I write is lies, read between the lines.
    12. Re:dotted triple by ls671 · · Score: 1

      So does Canada.

      --
      Everything I write is lies, read between the lines.
    13. Re:dotted triple by ls671 · · Score: 1

      I assume that Austria must have more than 65,535 simultaneous connections needs.

      --
      Everything I write is lies, read between the lines.
    14. Re:dotted triple by Barsteward · · Score: 1

      1,000,000.00 is used in the UK

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    15. Re:dotted triple by DontBeAMoran · · Score: 1

      And slashdot helpfully removed the non-breaking spaces that I wrote in the first "1-000-000" of my last sentence. <sigh>

      --
      #DeleteFacebook
    16. Re:dotted triple by Rockoon · · Score: 1

      Of course, if you're programming it has to be 1000000, but still.

      1990 called and wants its issues back.

      In modern languages you can even put separators in base-2 notated values

      --
      "His name was James Damore."
    17. Re:dotted triple by thegarbz · · Score: 1

      So if you want to fight this out, you are gonna lose.

      Sure just remember when you fire your nuke we are 8.339 distance units away, and make sure you double check your units with NASA before you fire.

    18. Re:dotted triple by grumpy-cowboy · · Score: 1

      French Canadian way (we use space separator): 1 000 000
      With decimals: 1 000 000,99

      --
      Will $CURRENT_YEAR be the year of the Linux Desktop?
    19. Re:dotted triple by munch117 · · Score: 1

      Thus disproving "no mistakes can be made" :)

      Oh, and all three ways of writing numbers are totally flawed. The better way is 1'000'000. No one ever misunderstands that, even if they've never seen it before. And /. cannot bungle the formatting, try as it might.

    20. Re:dotted triple by Anonymous Coward · · Score: 1

      European way: 1.000.000 Simple, isn't it?

      You misspelled "stupid".

    21. Re:dotted triple by Kernel+Kurtz · · Score: 1

      Let's not even get started on expressing dates.........

    22. Re:dotted triple by Aighearach · · Score: 1

      At this point only Lord Buckethead can save them. The whole rest of the country have their shoelaces stuck somewhere in the middle steps of Barnier's Staircase!

      Hail Lord Protector Buckethead!

    23. Re:dotted triple by Aighearach · · Score: 1

      How do central Europeans write dotted quad notation?

      They're too poor for that to create any ambiguity. They don't have that many of anything.

    24. Re:dotted triple by Aighearach · · Score: 1

      That's just one single IP address, and not a valid one at that.

      I assumed it was shorthand for a CIDR address aligned to 8 bits.

    25. Re:dotted triple by angel'o'sphere · · Score: 1

      Since Java 7 you can use _ as separator in a number literal anywhere you want.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    26. Re:dotted triple by kaatochacha · · Score: 1

      I'm imagining world war 3 breaking out over a disagreement over comma versus period number separation.

  3. My former employer did the same by Anonymous Coward · · Score: 1

    They hooked up - let us just call it something very large, handling a lot of energy - to the public internet via an ADSL connection.
    I went home and demonstrated I had direct read/write access to everything from home without using any of the passwords (and I could just change them.)

    They put in a firewall on that site, but making the product secure was out of the question. That was 15 years ago, they have changed to an OS with some security since then.

  4. Why are most humans so damned dumb? by Anonymous Coward · · Score: 1

    I used to think that people were smart.
    Then came the Internet, and I started thinking that people were getting dumber, not smarter, over time.
    Then came Internet 2.0, and the Real Truth finally hit me: people have been dumb as a fencepost all along. The Internet just made it obvious.

    Look around you: the utter stupidity of our own species will be our undoing.
    HELP STAMP OUT STUPIDITY!

    1. Re:Why are most humans so damned dumb? by Anonymous Coward · · Score: 1

      Bottom line: You're pretty dumb for not realizing that sooner.

    2. Re:Why are most humans so damned dumb? by DontBeAMoran · · Score: 1

      Double bottom underline, why the hell does he need stamps? Does he need to mail something? Doesn't he know he can send electronic letters? It's called email.

      --
      #DeleteFacebook
    3. Re:Why are most humans so damned dumb? by Opportunist · · Score: 1

      The word you're looking for is uneducated. Blame the school system (and homeschooling even more).

      We don't teach critical thinking and reward rote learning and saying what the teacher wants to hear. Now what kind of result do you expect from that?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. So? by lloy0076 · · Score: 1

    In IPv6 every atom (at least - possibly even the sub-atomic particles) can have an IP address, right?

    1. Re:So? by ShanghaiBill · · Score: 1

      In IPv6 every atom (at least - possibly even the sub-atomic particles) can have an IP address, right?

      No. IPv6 is 128 bits, which is 3.4e38.

      The number of quarks in the universe is roughly 1e80.

      So you are short by 42 orders of magnitude.

    2. Re:So? by Wescotte · · Score: 1

      Yeah but you shouldn't put all quarks online anyway... Some are like printers and smart fridges and need to be behind a NAT.

    3. Re:So? by LynnwoodRooster · · Score: 1

      42. Forty Two. The answer to life, the universe and everything!

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    4. Re:So? by DontBeAMoran · · Score: 1

      My algebra is a bit rusty... there's only one quark per atom?

      --
      #DeleteFacebook
    5. Re:So? by wierd_w · · Score: 1

      3 per baryon. (Proton, neutron, etc)

      Take atomic weight, and multiply by 3. Gives average quarks per elemental nucleus. (Not counting highly exotic nuclei with pentaquark configurations.)

  6. Overall, pretty secure by fermion · · Score: 1

    1000 or so Windows machines exposed in a country of 8 million, with unclear actual security risk.

    DNS servers that actually serve DNS requests. Yes DDOS attacks are a problem, but so are DNS servers that don’t do anything. Again, very few that appear to be a real problem.

    Cameras are an issue, but it is pleasantly surprising there are only two public.

    A few people have open printers. One can imagine use cases where security by obscurity might be the best option. Who is going to print on a random printer. And the IP address for my printer cycles way too often.

    It is unclear why a website that answers to a GET request is a problem. That is what websites should do. A functional website should never return a 404.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    1. Re: Overall, pretty secure by DontBeAMoran · · Score: 1

      Option A: Something, something, dark side (of the page).
      Option B: Only black pages? What are you, racist?
      Option C: Did you tell your boss that your co-worker was wasting ink/toner?
      Option D: I am Groot.

      --
      #DeleteFacebook
    2. Re:Overall, pretty secure by ls671 · · Score: 2

      That is what websites should do. A functional website should never return a 404.

      I agree, my web site sends a redirect to the Austrian government when a page isn't found. I get about 10,000 requests a day for wp-login.php and I don't host any wordpress sites.

      --
      Everything I write is lies, read between the lines.
    3. Re:Overall, pretty secure by Opportunist · · Score: 1

      Who is going to print on a random printer.

      (paper coming out of your printer, reading)

      Greetings,
      You don't know me, but I have sent this to your printer. Another sheet of paper will be printed shortly, yes, it is a ransom note. You will put this note into an envelope and mail it. Don't contact the police, you and your porn collection would not like what happens next...

      (I leave the rest to the imagination of the reader)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Overall, pretty secure by Obfuscant · · Score: 1

      Who is going to print on a random printer.

      I have people print to the printer I run for my lab, from other places in the building, occasionally.

      And when people learned about the bugs in the HP JetDirect that let people lock them up, assholes went out of their way to do that.

      A functional website should never return a 404.

      Uhhh, that's how it tells you you've requested an invalid page. The site is functional. It should tell you when you made a mistake.

  7. Re: Ya don't say! by Anonymous Coward · · Score: 1

    Whoosh

  8. Wooow. by DaTroof · · Score: 1

    I hope that discovery wasn't shocking enough to give him a palpitation. If he scanned the rest of the world, his heart might shoot out the back of his underwear.

  9. how by phantomfive · · Score: 1

    I really wonder how these things end up online, given that most consumer routers don't accept incoming connections by default. Are people really going out of their way to put this stuff on the open internet, or is something else going on here?

    --
    "First they came for the slanderers and i said nothing."
    1. Re:how by AHuxley · · Score: 1

      They needed PnP with the internet?

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re: how by DontBeAMoran · · Score: 1

      You can test my router all day long if you want to. The I.P. address is 127.0.0.1
      Good luck!

      --
      #DeleteFacebook
  10. this is news? by bloodhawk · · Score: 1

    Seriously why the fuck is this an article? There are no revelations in this and this is nothing that anyone with half a clue is already fully aware of.

    1. Re:this is news? by sjames · · Score: 1

      We knew it from statistical sampling, but it's nice to get a comprehensive count from a whole country.

    2. Re:this is news? by DontBeAMoran · · Score: 1

      As a non-USAmerican, I'm just glad this isn't about Trump.

      --
      #DeleteFacebook
    3. Re:this is news? by Aighearach · · Score: 1

      They didn't have enough dupes to meet the post quota, so we get this.

      Go out and find some news and save us if you don't like it.

  11. Pffft Only one country? by complete+loony · · Score: 4, Interesting

    At a defcon talk in 2014 (talk slides) they scanned the whole IPv4 space live, looking for VNC instances. At least, anything that responded to a SYN packet.

    Then they took a couple months to connect to each VNC instance, if no password was required, grab a screen shot.

    Leading to a series of talks of things that shouldn't be on the internet.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    1. Re:Pffft Only one country? by Gyorg_Lavode · · Score: 1

      This researcher must have a good publicist. shodan.io, project sonar (https://opendata.rapid7.com/about/), https://www.binaryedge.io/, https://twitter.com/ErrataRob, and many more scan the entire internet all the time. https://twitter.com/Viss does talks about finding wacky stuff on the internet regularly.

      --
      I do security
    2. Re:Pffft Only one country? by DCFusor · · Score: 1

      Tentler is hilarious. I liked the defcon comedy inception panel version of this (with "and give me a drink" added to the title).
      Normally I'd say "and nothing of value was learned" because most of us know that there are all kinds of things on the 'net that shouldn't be.
      But evidently there are some people behind the curve of the obvious.
      It really got bad, and is getting worse due to the usual "follow the money" issues. Why do I need to use some intermediary for my internet of things stuff? So they can be man in the middle, and maybe either sell your data or just start charging rent to use your own stuff? Why do people fall for it? Could it be that the ipv4 space is tight, competence is low, and this whole scheme profits due to the difficulty of getting your own web presence? It might still be insecure, as there always seem to be debug backdoors in the cheap IoT stuff, which is why my 'stead uses a LAN of things - only.

      As usual, cui bono....

      --
      Why guess when you can know? Measure!
  12. Re: Ya don't say! by LynnwoodRooster · · Score: 1

    It's OK, the GP doesn't speak Austrian...

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  13. Re: Teen Porn by Anonymous Coward · · Score: 1

    In prison. Ask for a guy named Ripper. Every prison has a dude like that. And every pedo gets an introduction.

    Tell him ole Ollie_Copter sent ya. You'll get a discount on your first five ... eh ... "pics and/or vids", oh and a 100% guaranteed reduction in the length of your prison stay. All free of charge of course because Ripper, he do like that!

  14. Re:illegal? by Opportunist · · Score: 1

    Not illegal in Austria.

    If you try to use the information, it is. But finding out that there are unpatched, insecure servers isn't per se illegal.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re:I'm from Luxemburg, and ... by Anonymous Coward · · Score: 1

    French is one of the official languages and in French, the country's name is Luxembourg.