There is no one person or class of persons who essentially owns this. The problem is a confluence of a number of factors, and so far all I see is fingerpointing as to whose job it is to clean up this mess.
First you have manufacturers that don't give a crap. Their objective is to turn out crap as cheaply as possible, and they only need to work well enough that the customer won't return it to the store.
You have the retailers. Most of whom don't know much about the items themselves. All they care is that customers not return them for being broken or too hard to configure.
You have consumers. They want cheap shit, and it needs to be totally idiot-proof to get working. Some will go out of their way to purchase directly from overseas e-stores just to save a few bucks. If it is too hard to configure, they will return the item, but they will seldom return something because it has default telnet credentials that the user cannot change.
You have ISPs. They added UPNP to their routers to support lamers and other sorts of devices. And you also have ISPs who have not yet added support for the RFC to control forged addresses. And you have ISPs who strongly believe that their job is to deliver packets, and they want no part in filtering anything that comes from a customer machine.
You have the standards body that came up with UPNP. They assumed that people building the objects would do a halfway decent job, and they blindly open up whatever ports the device behind the firewall asks for.
You have the standards body that decided that DNS should be both TCP and UDP. Yeah, I know it is faster, but it is also far easier to do an attack with a forged sender.
And then you have people who run the networks and machines that are under attack. They bear the brunt of it, but for the most part they don't have much of a role.
Given that nobody wants to take ownership of this, to me it means that we will never have complete cooperation. We will never get all of the ISPs on board. We will certainly never get all of the consumers on board, and we will certainly never get all of the retailers on board.
The manufacturer? They are undoubtedly under pressure to keep the costs as low as possible, and keep the configuration as simple as possible. Make the config too hard, and people return the items to the store.
The retailer? What's their responsibility here? Some like eBay/Amazon are just flea markets selling any crap that the associated merchant wants to sell. There is no "Underwriters Lab" to test some of the basic configuration stuff.
The consumer? They don't care - it doesn't affect them unless they want to get to Twitter or whatever other site is under attack. The consumer's main interest is in low-prices for whatever device they are adding.
The ISP? It isn't their device that is directly causing the problem. And yet they added support for UPNP to their firewall/router to make configuration easy without thinking about what the possible downsides might be.
I see some here and other places argue that the problem is that we just need fatter pipes or more and/or better infrastructure. And while some improvements might be made, this is a cop-out basically because nobody else takes ownership of the problem, and it can potentially cost them lots of money.
All I expect to see is more finger pointing, and ever more attacks. Eventually government is going to step in - maybe they try and force product recalls on the IoT devices? If we are lucky that's all they do.
Look at your router config, and look for UPNP and/or port forwards and see whether any firewall ports have been opened up for these devices.
I would actually advocate disabling UPNP on the router, but I have no doubt that doing so would break some sort of lame device or application, and people would howl about how they just can't possibly do that.
The Russians might have altered some of them before they were leaked, and they got caught doing this in some of the earliest leaks. Unless you can confirm the authenticity somehow, all of them are suspect.
One lesson from this is that if the Note 7 had removable batteries, this all could have been a lot easier for Samsung to deal with.
I am not quite getting how/what it is that they managed to screw up so their batteries keep catching fire. How did this make it through Q/A the first time, and how is it that the so-called replacements are still having issues.
No, you just *tell* them there has been a great catastrophe, and then you have a reality TV show with them down in their bunker. Then wait and see how long it takes before they figure out that they got punked.
But even then - assume they have a private security force. Those people would need food as well - what's not to say that those folks bug out to take care of their own families. In reality one would need to make the bunker large enough to support your security staff and their families.
The whole "bunker mentality" just seems wrong to me - in reality there are very few scenarios where such a thing could actually help you. I suppose a hurricane might be one, but there you have advance notice and just leaving the area ahead of time might be a better choice. An earthquake might in fact damage the shelter itself, and is geographically limited, so people might be inclined to leave and go somewhere else where there is no damage.
Super-volcano or asteroid strike? Yeah, I suppose a bunker might be useful in such a case, but for all of the things to worry about, these two things are pretty far down on the list. You might as well worry about an attack by space aliens.
Back in the 1950's people worried about a nuclear attack - I suppose the idea at the time was that you just camp out until the radiation levels have subsided, but in reality the things were just a bit of theatre to make people feel more secure. If a nuclear attack were to happen today, it is more likely to be a rogue nation or individual, implying a smaller bomb, and a smaller affected area, so just leaving the affected area might make far more sense than trying to camp out underground for an extended period.
I did recently install a Win7 machine from scratch. After the install I installed the August rollup, and then ran windows update. That thing must have run for a full day before it concluded that there were only 24 updates that were required (half of which were.NYET).
Microsoft announced that they are going to do similar rollups for.NYET.
I wouldn;t say that - the size of the attack is beyond anything seen before. They are reporting 665 Gbps. Let the sheer size of that number sink in for a while.
Indeed that seems to be the case, but the information is out there. If they want to shut Krebs up, they will need to take down faceplant and twaddle as well.
It may well be mind-rot, but there is no shortage of people seeking to rot their minds for many hours at a time. Some of the heavy TV watchers remind me of stoners.
If they don't want news, then what do they want? More cat pictures? More pictures of meals about to be consumed? More photoshopped pictures with goofy captions? More pictures of drunks about do something that they wouldn't do sober?
That's pretty much it. The thing sits at 100% CPU the whole time trying to calculate what the heck it needs to do. If the machine runs out of disk space or gets shutdown or rebooted along the way you run the risk that the internal database that it uses has become corrupt and then updates stop working altogether. The status quo is horribly broken. Will this fix it? No idea.
The article mentioned that there will be security-only rollups for enterprise customers. And separate rollups for.NYET, which suits me fine since those things are the most horrible of all in that all.NYET updates are guaranteed to be extremely slow to install.
Slashdot Mirror
There is no one person or class of persons who essentially owns this. The problem is a confluence of a number of factors, and so far all I see is fingerpointing as to whose job it is to clean up this mess.
First you have manufacturers that don't give a crap. Their objective is to turn out crap as cheaply as possible, and they only need to work well enough that the customer won't return it to the store.
You have the retailers. Most of whom don't know much about the items themselves. All they care is that customers not return them for being broken or too hard to configure.
You have consumers. They want cheap shit, and it needs to be totally idiot-proof to get working. Some will go out of their way to purchase directly from overseas e-stores just to save a few bucks. If it is too hard to configure, they will return the item, but they will seldom return something because it has default telnet credentials that the user cannot change.
You have ISPs. They added UPNP to their routers to support lamers and other sorts of devices. And you also have ISPs who have not yet added support for the RFC to control forged addresses. And you have ISPs who strongly believe that their job is to deliver packets, and they want no part in filtering anything that comes from a customer machine.
You have the standards body that came up with UPNP. They assumed that people building the objects would do a halfway decent job, and they blindly open up whatever ports the device behind the firewall asks for.
You have the standards body that decided that DNS should be both TCP and UDP. Yeah, I know it is faster, but it is also far easier to do an attack with a forged sender.
And then you have people who run the networks and machines that are under attack. They bear the brunt of it, but for the most part they don't have much of a role.
Given that nobody wants to take ownership of this, to me it means that we will never have complete cooperation. We will never get all of the ISPs on board. We will certainly never get all of the consumers on board, and we will certainly never get all of the retailers on board.
Add to this - the retailers who sell said insecure devices.
And who then is responsible?
The manufacturer? They are undoubtedly under pressure to keep the costs as low as possible, and keep the configuration as simple as possible. Make the config too hard, and people return the items to the store.
The retailer? What's their responsibility here? Some like eBay/Amazon are just flea markets selling any crap that the associated merchant wants to sell. There is no "Underwriters Lab" to test some of the basic configuration stuff.
The consumer? They don't care - it doesn't affect them unless they want to get to Twitter or whatever other site is under attack. The consumer's main interest is in low-prices for whatever device they are adding.
The ISP? It isn't their device that is directly causing the problem. And yet they added support for UPNP to their firewall/router to make configuration easy without thinking about what the possible downsides might be.
I see some here and other places argue that the problem is that we just need fatter pipes or more and/or better infrastructure. And while some improvements might be made, this is a cop-out basically because nobody else takes ownership of the problem, and it can potentially cost them lots of money.
All I expect to see is more finger pointing, and ever more attacks. Eventually government is going to step in - maybe they try and force product recalls on the IoT devices? If we are lucky that's all they do.
Look at your router config, and look for UPNP and/or port forwards and see whether any firewall ports have been opened up for these devices.
I would actually advocate disabling UPNP on the router, but I have no doubt that doing so would break some sort of lame device or application, and people would howl about how they just can't possibly do that.
But is it the truth?
The Russians might have altered some of them before they were leaked, and they got caught doing this in some of the earliest leaks. Unless you can confirm the authenticity somehow, all of them are suspect.
Just turning off or filtering DNS UDP packets would be a start.
DNS over UDP works fine on an intranet. Just block it on the way out onto the rest of the net.
If you read the article, the guy went to a lot of effort, and I don't see any tangible benefit that he got out of it.
Seriously? Do you have any examples that this has happened any time in the past 50 years? Anecdotes and urban legends don't count.
No, I didn't think so.
Just think of the DDOS that will be possible with a trans-Pacific pipe this large! All for Facebook/Google? Sigh.
One lesson from this is that if the Note 7 had removable batteries, this all could have been a lot easier for Samsung to deal with.
I am not quite getting how/what it is that they managed to screw up so their batteries keep catching fire. How did this make it through Q/A the first time, and how is it that the so-called replacements are still having issues.
Yes, but you would go insane living in isolation like that for such a long time.
No, you just *tell* them there has been a great catastrophe, and then you have a reality TV show with them down in their bunker. Then wait and see how long it takes before they figure out that they got punked.
But even then - assume they have a private security force. Those people would need food as well - what's not to say that those folks bug out to take care of their own families. In reality one would need to make the bunker large enough to support your security staff and their families.
The whole "bunker mentality" just seems wrong to me - in reality there are very few scenarios where such a thing could actually help you. I suppose a hurricane might be one, but there you have advance notice and just leaving the area ahead of time might be a better choice. An earthquake might in fact damage the shelter itself, and is geographically limited, so people might be inclined to leave and go somewhere else where there is no damage.
Super-volcano or asteroid strike? Yeah, I suppose a bunker might be useful in such a case, but for all of the things to worry about, these two things are pretty far down on the list. You might as well worry about an attack by space aliens.
Back in the 1950's people worried about a nuclear attack - I suppose the idea at the time was that you just camp out until the radiation levels have subsided, but in reality the things were just a bit of theatre to make people feel more secure. If a nuclear attack were to happen today, it is more likely to be a rogue nation or individual, implying a smaller bomb, and a smaller affected area, so just leaving the affected area might make far more sense than trying to camp out underground for an extended period.
It would be nice if VMWare were to dump using flash as well. That's the major reason I still have it at work.
I did recently install a Win7 machine from scratch. After the install I installed the August rollup, and then ran windows update. That thing must have run for a full day before it concluded that there were only 24 updates that were required (half of which were .NYET).
Microsoft announced that they are going to do similar rollups for .NYET.
I wouldn;t say that - the size of the attack is beyond anything seen before. They are reporting 665 Gbps. Let the sheer size of that number sink in for a while.
Indeed that seems to be the case, but the information is out there. If they want to shut Krebs up, they will need to take down faceplant and twaddle as well.
My cat will scratch your balls for you, but her claws are pretty sharp.
Who knew..
It brings back bad memories for me that I have tried hard to suppress.
That "Halt and catch fire" is only an expression, and not supposed to mean that the phone should literally explode and burn.
It may well be mind-rot, but there is no shortage of people seeking to rot their minds for many hours at a time. Some of the heavy TV watchers remind me of stoners.
We went all-TiVo ourselves. A good amount of upfront cost, but that's fixed. The only thing we rent is one cablecard for the whole house.
If they don't want news, then what do they want? More cat pictures? More pictures of meals about to be consumed? More photoshopped pictures with goofy captions? More pictures of drunks about do something that they wouldn't do sober?
Just the most recent high-end phones. If you have something slightly older, then no soup for you.
That's pretty much it. The thing sits at 100% CPU the whole time trying to calculate what the heck it needs to do. If the machine runs out of disk space or gets shutdown or rebooted along the way you run the risk that the internal database that it uses has become corrupt and then updates stop working altogether. The status quo is horribly broken. Will this fix it? No idea.
The article mentioned that there will be security-only rollups for enterprise customers. And separate rollups for .NYET, which suits me fine since those things are the most horrible of all in that all .NYET updates are guaranteed to be extremely slow to install.