
Ex-CIA Agent Raises $40M to Find Every 'Thing' on the Web in Just One Hour - rbanffy
https://www.forbes.com/sites/thomasbrewster/2017/08/31/qadium-massive-internet-scans-in-an-hour/#72a3d8ea72c4
======
ipsum2
Shodan ([https://www.shodan.io/](https://www.shodan.io/)) has been doing this for
over 5 years, with a similar tagline: Shodan is the world's first search
engine for Internet-connected devices.

~~~
JoblessWonder
From the article: "It's comparable to Shodan, a search tool for connected
devices, but turbo charged and closed to the general public, Junio's
previously said."

I think their big thing is speed. They are scanning the entire IPv4 space in
60 minutes which... is kind of impressive? I haven't thought about it but
doing a port scan on my public network takes a little bit of time and I'm only
dealing with a couple dozen IPs.

~~~
anfractuosity
ZMap claims to scan the IPv4 space in 45 minutes (although you would need some
fancy hardware for that ;)

~~~
teamhappy
> although you would need some fancy hardware for that

You only need 1 Gbit/s upstream and a laptop to hit the 45 minute mark. On
fancy hardware zmap needs less than 5 minutes.

One of the people behind the project presented it at 30C3 a few years back
(including a live scan) in case anyone is interested:
[https://media.ccc.de/v/30C3_-_5533_-_en_-_saal_2_-_201312281...](https://media.ccc.de/v/30C3_-_5533_-_en_-_saal_2_-_201312281245_-_fast_internet-wide_scanning_and_its_security_applications_-_j_alex_halderman)

~~~
anfractuosity
Oh neat, I thought it was a 10G card they were using. Wow, 5 mins is amazing
with 10G.

I'm just browsing their website some more, they seem to have lots of
interesting libraries too, like
[https://github.com/zmap/ztag](https://github.com/zmap/ztag)

"ZTag processes ZGrab output and annotates raw scan data with additional
metadata such as device model and vulnerabilities."

------
Willson50
"Right now, Qadium can reach every connected device in the IPv4 space -- made
up of the millions on millions of IP addresses of web devices"

So can my phone?

~~~
JoblessWonder
They literally just described the internet.

------
Spivak
> That massive-scale scanning (or what Junio prefers to call web-scale
> sensing)

At what point does tech become a parody of itself?

~~~
samstave
I prefer to call it machine-vision infused cyber-fabric deterministic
detection

~~~
sogen
Thanks, guess they'll add that to the homepage in 60 minutes

------
giarc
I think the key quote is "The ultimate aim of the service is to help companies
determine if there are vulnerable devices on their network that could be
exploited by malicious hackers, who could then pivot and compromise the whole
organization."

I believe the founder was on Recode podcast within the last year. It was a
great listen and really sold the product value prop. I work in healthcare and
in my office alone we have 2 or 3 printers connected that IT isn't aware of
because we couldn't get approval.

~~~
dx034
And with their speed they could probably run it every hour so that IT can act
immediately on potential vulnerabilities, not just testing it every few
months.

------
runjake
For those to whom it matters:

He wasn't a case officer (AFAICT), he was not an agent (somebody an officer
recruits to spy), he was an analyst.

The distinction is important.

------
anfractuosity
What's the advantage over Shodan out of interest, or Zmap?

------
primeblue
This sounds like nothing new, other than a new way to take money from ignorant
executives.

~~~
RachelF
Yes, but it is new to ignorant executives. There is always a business selling
an old thing with extra marketing.

------
robterrin
I learned about Qadium last spring. Not sure how under the radar they were
then, but I heard about it through a referral of a referral working on cyber
risk.

If they are able to credibly provide a baseline for number of connected
devices and percentage that are vulnerable, it won't be a huge step up from
zmap, but it could provide some interesting data for security pros, regulators
and insurance. Not sure how they get to the part about vulnerability of
devices.

The cyber kill chain provides a nice jumping off point for a hierarchical
model, but the kind of data necessary to really flesh it out is just so damn
hard to find at the quality levels necessary.

------
microwavecamera
It's nice Peter Thiel found a new hobby other than testing hepatitis
treatments in low income countries that is illegal in the US. Even though this
is a scam and as many other people pointed out, something anyone can do, it's
actually one of the less shady things Peter Thiel has done. Good job Peter.
Way to be somewhat less shady.

------
mrguyorama
Am I correct in understanding that this just pops off a list of IP addresses
reachable from whatever "point" you start the "scan" from?

Is there more info into "how"? How is this something that doesn't already
exist? Others have referenced Zmap, how is this an improvement over it, or
even just a patient person with Nmap?

------
matchagaucho
_"Junio is particularly proud that none of his customers were infected with
WannaCry, the ransomware"_

Uhmm.... so, it detects Windows XP installations?

~~~
throwawayj29j2
The majority of infected computers from WannaCry were Windows 7; it's a common
misconception that Windows XP was the most hit. But nevertheless I don't see
how this scanner could have prevented that unless he added EternalBlue etc. to
the scanner once SMB was found to be open.

------
jjeaff
Am I correct in assuming that this becomes a total waste of $40m the moment
people start finally transitioning to IPv6?

~~~
b4ux1t3
Eh, not really, it's just going to require an exponential increase in
computing power. They already have the platform, in theory it would just be
about scaling.

That said, it's kind of a huge scaling problem. If it really is a matter of
throwing more hardware on it, and they currently use, say, 100 servers,
they're going to need 429496729600 servers to get the same times they are
getting now.

~~~
dadrian
IPv6 is 2^96 times larger than IPv4. You'd need 100*2^96 servers. That's not
tractable with a brute force method.

~~~
trapperkeeper74
Maybe not that many, but still a lot more, if you first looked at BGP, and
only brute-forced networks that were routable, rather than the entire search
space.

Basically, before scanning, query and iterate all ASes' advertisements and union
present ranges, then feed that to zmap or something that can scan IPv4 and/or
IPv6.
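
Added example, not part of the comment above or of any tool named in the thread: sizing the address space that remains after taking the union of announced prefixes, for IPv4 and IPv6. The prefixes are constructed documentation ranges rather than real BGP data, and the probe rate is an assumption derived from the thread's "full IPv4 in 45 minutes" figure.

```python
import ipaddress

# Constructed sample of "announced" prefixes (documentation ranges, not real BGP data).
ANNOUNCED = [
    "198.51.100.0/24",
    "198.51.100.128/25",   # more-specific announcement, already inside the /24
    "203.0.113.0/25",
    "203.0.113.128/25",    # adjacent to the previous /25, merges into one /24
    "192.0.2.0/24",
    "2001:db8::/32",
    "2001:db8:1234::/48",  # more-specific announcement inside the /32
]

# Assumed probe rate: all 2^32 IPv4 addresses in 45 minutes, as quoted in the thread.
RATE = 2**32 / (45 * 60)


def union_prefixes(prefixes, version):
    """Collapse overlapping and adjacent prefixes of one IP version."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    same_family = [n for n in nets if n.version == version]
    return list(ipaddress.collapse_addresses(same_family))


def address_count(networks):
    """Total number of addresses covered by non-overlapping networks."""
    return sum(n.num_addresses for n in networks)


def scan_seconds(addresses, probes_per_second=RATE):
    """Time to send one probe per address at a fixed rate."""
    return addresses / probes_per_second


if __name__ == "__main__":
    for version in (4, 6):
        merged = union_prefixes(ANNOUNCED, version)
        total = address_count(merged)
        years = scan_seconds(total) / (365 * 86400)
        print(f"IPv{version}: {[str(n) for n in merged]}")
        print(f"  addresses: {total}  one-pass time: {years:.3g} years")
```

A single routed IPv6 /32 still holds 2^96 addresses, so the prefix union shrinks the IPv4 problem but leaves exhaustive per-address probing of IPv6 out of reach at this rate.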

------
ge96
Does it not get worse the larger it gets or no?

~~~
giancarlostoro
If you google the number of Possible IP (v4) addresses you get an answer that
kind of gives you more context for your question:

IPv4 uses 32-bit IP address, and with 32 bits the maximum number of IP
addresses is 2^32, or 4,294,967,296. This provides a little more than four
billion IPv4 addresses (in theory). The number of IPv4 available addresses is
actually less than the theoretical maximum number.

So you would need to be prepped to hit 4 billion approx devices.

~~~
samstave
It would be good to know how many companies are using reputable addresses
internal, unreachable from the open internet based on deduction

------
imsofuture
So nmap? Okay...

~~~
stevekemp
[https://zmap.io/](https://zmap.io/) is the tool of choice for scanning IPv4
space quickly. If you have good connectivity and the correct hardware you can
scan a lot of space very very quickly.

------
fooker
So, build Google's index from scratch under an hour.

Good luck!

