
Shodan: The scariest search engine on the Internet - cpeterso
http://money.cnn.com/2013/04/08/technology/security/shodan/
======
tptacek
Eagerly awaiting the moment someone at CNN finds out about Metasploit. I'd
like to think of it as a kind of "Dark Firefox".

~~~
larrys
Love this:

<http://www.metasploit.com/about/penetration-testing-basics/>

"You can become a penetration tester at home by testing your own server and
later make a career out of it."

Sounds like the old style correspondence school ads - a bit hokey.

<http://www.thefreedictionary.com/correspondence+school>

I would have rewritten that as:

"Many people have actually made a career out of being a penetration tester by
first testing their own home server"

~~~
tptacek
You can absolutely learn to do penetration testing on your own time with your
own servers. We have a script we give people to do the same thing. If you feel
like you have a knack for systems programming, being a good systems programmer
is 1/2 the hard part of appsec; the other 1/2 is literally "taking pleasure in
finding creative ways to break things", and you can find out if you have that
personality streak in just a couple hours of trying attacks.

~~~
larrys
Agree. Fully understand the ability to self learn (and have done that with
almost everything I've ever made a dollar on despite going to one of those
good business schools which is why people think I make money rather than other
qualities).

My comment strictly related to the style of what they were saying (and how I
might rewrite that) I think it's a great idea.

------
achillean
I apologize for the downtime/delays, this was a big surprise this morning and
I clearly wasn't prepared for the full onslaught of CNN etc. If you have any
questions about Shodan I can try to answer them here.

~~~
oelmekki
It would kill your business eventually so it may be a naive question, but: do
you need volunteer work to help identify and warn those insecure networks?

~~~
lucb1e
I guess you should feel free to do so. It takes away lots of fun for
highschoolers though :P

~~~
oelmekki
Also, sorry for highschoolers, but this is for their own good :)

I had my own "let's see what we can do" youth, and sure thing it is very
insightful. If we were talking only about business damage, I would say:
"well, they deserve it". But we're not.

What do you think would happen if tomorrow, the news headline was: "Massive oil
truck crash kills 10, caused by hacker tampering with traffic lights."?
Repressive laws against any kind of computer toying would become even harder,
and our highschoolers may go to jail for simply trying to have fun.

------
anigbrowl
+1 for the System Shock reference :)

<http://en.wikipedia.org/wiki/System_Shock>

~~~
gtaylor
Gah, still get creeped out watching the System Shock 2 intro.

<http://www.youtube.com/watch?v=MXPn6wcsUmk>

Let's hope this Shodan isn't as intelligent and psycho as System Shock 2
Shodan! Oh, and no zombies.

~~~
notjustanymike
"Lo- lo- lo- look at you hacker.."

I've beaten this game at least 4 times, including co-op a couple times. Such a
great piece of gaming history.

------
ari_elle
Mhm, sorry, as I don't know so much about this, but how is this different from
Google?

Meaning that with a specific search in Google I can find for example all kinds
of cameras or systems one shouldn't find, e.g.:

-) <http://preview.tinyurl.com/34959u>

Maybe Shodan "focuses" on that, but they can't possibly index more of those
things than Google already has...

Can you find one single thing over Shodan you can't with a specific Google
search? (maybe you find such things more easily with Shodan...)

EDIT: More information on Shodan:

-) Defcon Presentation [pdf]

<https://www.defcon.org/images/defcon-18/dc-18-presentations/Schearer/DEFCON-18-Schearer-SHODAN.pdf>

-) Secanalysis.com

<http://secanalysis.com/a-brief-analysis-of-shodan/>

JoshuaRedmond beneath also provided interesting links

~~~
IheartApplesDix
Crazy idea, if you don't know what you're talking about, shut the hell up.

~~~
btilly
I used to be able to tell people like you to go back to Reddit. Unfortunately
the quality of HN has declined far enough that your content-free insulting of
a decent question is not immediately recognizable as something with no place
here.

I consider that fact a sad commentary on how far HN has fallen.

~~~
wjamesg
I'm a relatively new HN reader (~1 year) and have taken much away from my time
here (much reading, few comments). I understand where you're coming from with
concerns about quality; however, I resent the fact that I may be considered
part of the increased readership responsible for "HN's decline".

~~~
mpyne
I've been lurking HN for a while now, and complaints about HN's decline were
going on even years back when I was first introduced to the site...

~~~
laumars
That's how all communities work though. As a community grows and attracts new
members, the old guard moan about how it was better when they were noobs.

In fact this is true for real, "offline" life as well.

------
dmiladinov
For similar coverage about finding barely-secured devices that shouldn't have
ever even been connected to the Internet, check out the Security Now! podcast,
episode 396 - The Telnet-pocalypse:

<http://www.grc.com/securitynow.htm>

Transcripts are available in several formats:

<http://www.grc.com/sn/sn-396.htm>

<http://www.grc.com/sn/sn-396.txt>

<http://www.grc.com/sn/sn-396.pdf>

------
neeee
<http://youtu.be/5cWck_xcH64> is a really good presentation about what you can
find on shodan.

------
vecinu
_But he added that cybercriminals typically have access to botnets -- large
collections of infected computers -- that are able to achieve the same task
without detection._

What do botnets have to do with crawling the web for unsecured devices? I'm
not sure I understand the correlation.

~~~
laumars
Funnily enough that question was answered in a rather public way just a few
weeks ago: <https://news.ycombinator.com/item?id=5404642> (Researcher sets up
illegal 420,000 node botnet for IPv4 Internet map)

~~~
vecinu
I did read this article a few weeks ago but seem to have forgotten its link to
my question.

Thank you for the reminder.

------
Nowyouknow
From Wikipedia: SHODAN (Sentient Hyper-Optimized Data Access Network) is a
fictional artificial intelligence and the main antagonist of the cyberpunk-
horror themed action role-playing video games System Shock and System Shock 2.

<http://en.wikipedia.org/wiki/SHODAN>

Kinda cool they chose that name.

------
chm
Hardware manufacturers should ship their devices with a piece of paper printed
with a unique UID and password. Not "admin/1234".

The owner would have the ability to change these at will, and resets would
revert to the original UID/pw combination.

Lost your piece of paper? Send the device back. No more trivial hacks.

~~~
afreak
That would make the devices more costly to produce and would raise prices. I
know that ISPs do this with their devices sometimes, but some companies will
cheap out and will just ship with a generic username and password since they
only have to flash one single ROM image.

~~~
r00fus
It shouldn't really. I mean, it's not like devices don't come with at least 3
or 4 unique IDs for different purposes. Just using one of those for the
default password or adding a new ID shouldn't be that big of a task.

I know that this is how some of the router/modem combos from French DSL
providers worked - the admin and WPA passwords are two separate UUIDs printed
on the device.

~~~
afreak
The gateways provided by the cable ISPs here in Western Canada tend to have
unique passwords. It would be prudent on the part of the device manufacturer
to just create a scheme for creating default passwords based on the unique
serial that the device has and then just print labels for each and have the
default ROM just sort it out upon it being powered up for the first time.
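The per-unit default scheme sketched in the comments above (label printed at the factory, device computes the same value on first boot), as an added example that is not from the thread or from any manufacturer. The factory key, serial format and function names are assumptions; the point it shows is that the derivation needs a secret besides the serial, or a leaked key turns every printed serial back into a password.

```python
import base64
import hashlib
import hmac

# Hypothetical factory-side secret (constructed sample). It stays in the
# factory's provisioning system or HSM and is never placed in the single
# firmware image that every unit boots, otherwise anyone with the ROM and a
# serial (printed on the case, or the MAC seen on the network) gets the password.
FACTORY_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

PASSWORD_BYTES = 10  # 80 bits per unit -> 16 base32 characters on the label


def derive_default_password(serial, key=FACTORY_KEY):
    """Per-unit default derived from the serial plus the factory secret.

    The label printer runs this at the factory; the device would run the same
    function on first boot against a copy of the key held in protected storage
    (e.g. a secure element), not in the shared ROM image.
    """
    digest = hmac.new(key, serial.encode("ascii"), hashlib.sha256).digest()
    # base32 maps whole bytes evenly (no modulo bias) and its alphabet has no
    # 0/1/8/9, so O and I on a printed label are unambiguous.
    return base64.b32encode(digest[:PASSWORD_BYTES]).decode("ascii")


def provision_batch(serials, key=FACTORY_KEY):
    """Factory side: label contents for a production run. Refuses a batch with
    a repeated serial or a colliding password, both of which would quietly
    recreate the shared-default problem."""
    labels = {}
    for serial in serials:
        if serial in labels:
            raise ValueError(f"duplicate serial in batch: {serial}")
        labels[serial] = derive_default_password(serial, key)
    if len(set(labels.values())) != len(labels):
        raise ValueError("password collision in batch; check key and serial format")
    return labels


def device_accepts_label(serial, label_password, key=FACTORY_KEY):
    """Device side: constant-time check of the label value against what this
    unit derives for itself on first boot."""
    return hmac.compare_digest(derive_default_password(serial, key), label_password)


if __name__ == "__main__":
    batch = provision_batch(["SN-000123", "SN-000124"])  # constructed serials
    for sn, pw in batch.items():
        print(sn, pw, device_accepts_label(sn, pw))
```

Owners should still be prompted to replace the default on first login; the derivation only removes the one-password-fits-all failure, not the weak-credential one.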

------
speeder
I wonder why no one has turned off traffic lights or something like that to do
mischief?

Also, why has no terrorist yet used those security failures to do terror?

Once a random dude managed to log into ISS controls... Ever wondered what
happens if some terrorist crashes the ISS into New York?

~~~
GFischer
At least over here, traffic lights fail and turn off on their own, no need for
hackers :) . Now, fixing them (for example setting up a "green wave"... hmm
that could be a more interesting use :)

<http://en.wikipedia.org/wiki/Green_wave>

~~~
VLM
I'd like to see the local lights reprogrammed to follow the legal guidelines
instead of short yellows to maximize traffic ticket revenues.

~~~
rcfox
Consider yellow to mean "stop", and the length of it becomes irrelevant and
the roads become a little bit safer.

~~~
noonespecial
For each given stop light, speed limit, and vehicle configuration, there is a
rubicon that is crossed where it is impossible to stop before entering the
intersection. Set up your camera and creep the yellow light time down past
this limit and profits just start rolling in.

~~~
VLM
Exactly. There's an uncountable number of stories easily google-able across the
country where intersections with red light cameras magically coincidentally
have their yellow light interval dropped by 1/4 to 1/3 vs intersections
without red light cameras, to increase revenue.

~~~
hysterix
Yep.

And then the red light cameras start magically getting bullet holes in them.

<http://www.knoxnews.com/news/2007/dec/12/police-man-shot-camera-after-it-shot-him/>

<http://www.nj.com/news/index.ssf/2012/08/shoot_out_the_red_lights_2_tra.html>

------
DangerousPie
"The good news is that Shodan is almost exclusively used for good.

Matherly, who completed Shodan more than three years ago as a pet project, has
limited searches to just 10 results without an account, and 50 with an
account. If you want to see everything Shodan has to offer, Matherly requires
more information about what you're hoping to achieve -- and a payment."

How does the fact that he charges for it mean that it's "almost exclusively
used for good"? I would argue there is very little incentive to pay for
something like this unless there is a monetary gain.

~~~
achillean
Actually, a lot of companies use Shodan data for research! For example, if you
want a training set for your new webapp fingerprinting software then loading
Shodan might be a good start. Or if you want to create whitepapers for your
business, to drive sales for a specific product/service, then Shodan can
provide some empirical data to back up your claims. As was demonstrated with
the Internet Census 2012, for people with bad intentions it's easier and much
less attention-getting to just use a botnet (plus you don't need to go through
the typical business agreements as you would with me). I hope that clarifies
it a bit!

------
Apocryphon
"Shodan searchers have found control systems for a water park, a gas station,
a hotel wine cooler and a crematorium. Cybersecurity researchers have even
located command and control systems for nuclear power plants and a particle-
accelerating cyclotron by using Shodan."

How can there be any conceivable reason to connect these systems to the
internet? Do they WANT an attack right out of a technothriller novel or the
latest James Bond film?

~~~
alecdibble
Many embedded systems run Linux and are frequently attached to the network for
remote control. The root passwords aren't usually changed on these Linux
boxes, so they are a wide open security hole.

Many companies pay attention to this sort of thing and make an effort to
isolate these kinds of devices to the local intranet. For every company that
is good about it, there are probably 10 that aren't even aware of the issue.

------
aashaykumar92
This is awesome, I never knew such a thing existed! But it's also quite
alarming that so many devices are connected to the internet/computers that
probably shouldn't be.

So my big question is: Is there a way to solve this 'security failure'? And if
so, what is it/is it feasible? For someone with malintentions, Shodan seems to
be golden.

~~~
justincormack
It used to be fairly costless to ship products without security. It still is
but the more attacks there are the more incentive there is to fix stuff. But
there are so many more online devices shipping...

~~~
smacktoward
Part of the problem too is that when a particular product is compromised, most
people stop at "Product X sucks" and don't ask themselves if the same
vulnerabilities are present in products they themselves use.

As an example, take WordPress. I talk to people all the time who say "oh,
WordPress isn't secure" even though the reasons most WordPress sites get
hacked are due to practices that would make you vulnerable no matter what CMS
you run -- not keeping up with security patches, running unneeded services on
the server, not putting the admin area behind SSL, etc. But there's lots of
people who move from WP to, say, Drupal and think that's made them secure,
even as they continue doing all those same practices.

------
svag
A nice article regarding the deep web is this one from fravia
<http://search.lores.eu/deepweb_searching.htm>. It's from 2008 but I guess
there is still some information there that is useful and relevant with Shodan.

------
D9u
More sensationalistic headlines? Shodan is nothing new, and I find nothing
"scary" about it.

------
iuguy
I've been playing with the data from the Carna botnet output[1]. Basically
someone scanned a massive portion of the Internet using broken routers as
bots. There are some interesting finds in the data but analysing it is quite
awkward given the size. Shodan is interesting but unless you take up a
subscription is pretty limited.

[1] - <http://internetcensus2012.bitbucket.org/paper.html>

~~~
achillean
Actually, more than 90% of the website's services are completely free! There
are only 2 services that I charge for: HTTPS and Telnet. All of the new stuff
for the past year I've added and made available for free. And with the
Developer API you can easily access the data from within your own scripts.

Oh, and I've seen this in a few locations now but: NO SUBSCRIPTION REQUIRED.
All of the stuff that's sold on the website is a one-time charge. There are no
subscriptions on the website :)

~~~
iuguy
That's interesting and I stand corrected, I was under the impression for some
reason that subscriptions existed. As an aside, have you had a look at the
Carna botnet output, and if so how does it compare to your data?

------
jstanley
This is incredible! Unfortunately, Shodan itself appears to be down at the
moment, presumably due to traffic from CNN. Awesome nonetheless.

~~~
jcfrei
Could anyone register for a new account? All I get is a 405 not allowed.

~~~
achillean
That problem has been fixed! I made an error in configuring nginx for
memcached and it ended up treating certain pages as static (which prevents
them from getting POST requests).

------
MWil
Which brings up the legal question (based on the ATT 3 year jail sentence):

When is an admin/password login not acting as an admin/password login at all?

------
bifrost
They also missed ERIPP, which does something similar. This is all old news
though, these things are constantly mentioned in other security reports. Even
the government knows these things exist, which means that CNN is not scooping
anyone :)

~~~
achillean
ERIPP is cool (I spoke to the author years ago), but to my knowledge it hasn't
been updated in a while. And I cover 20+ services at the moment, so it's not
just HTTP.

~~~
bifrost
ERIPP v2 is coming out in a (maybe) few weeks, and even though its current data
is oooooold, it's been written up in the last month or two.

In general, it is pretty humorous that these things still catch people by
surprise :)

------
IgorPartola
Looks like it's down: <http://imgur.com/TqeYX95>

Wonder if that's just because of the publicity, or is someone DoS'ing them.

~~~
achillean
It's a variety of factors that is causing downtime at the moment. The main
culprit is the network itself at the moment, and I'm still trying to put out
fires to hopefully make the website a bit more stable.

------
tibbon
Even scarier is how fast their servers fall over :)

------
bobx11
Authorization is hard, so why bother doing it at all?

------
rocky1138
OT: CNN broke the back button in Chrome on Windows.

------
dsfasfasf
I could be wrong but the article reads like a paid-for PR piece[1] to get
publicity for this search engine.

[1] <http://www.paulgraham.com/submarine.html>

