
Port scanning /0 using insecure embedded devices - steveb
http://internetcensus2012.bitbucket.org/paper.html
======
epoxyhockey
Ethics discussion aside, it is really cool to hear about a massive project
that a single person performed in secret.

I see all of these job listings for "big data" projects with hot startups and
here is 1 guy generating a billion records in 1 hour, for fun.

It kind of reminds me of the MIT students' _Stealing Profits from Stock Market
Spammers_ presentation, because they waited 3 years before talking about it.
Source:
[http://defcon.org/images/defcon-17/dc-17-presentations/defco...](http://defcon.org/images/defcon-17/dc-17-presentations/defcon-17-grant_jordan-stock_market_spam.pdf) (video is also on the website)

~~~
GFischer
That presentation makes for really interesting reading, thanks for sharing.

------
EvanAnderson
This is technically interesting and clearly a cool hack, but it leaves a
really bad taste in my mouth. It would be one thing to report on the large
number of insecure embedded devices attached to the Internet, but it's another
thing to actually use other people's devices without their permission--
especially at this kind of scale.

HD Moore's DerbyCon presentation last year
(<http://www.youtube.com/watch?v=b-uPh99whw4>) showed that scanning the entire
Internet without resorting to using other people's devices to perform the
scanning is technically feasible and produces good results. The dataset for
scanning for even a fairly large set of applications isn't tremendously large.

------
joosters
I wonder how many of the 420,000 machines they ran their code on got screwed
up by them?

As anyone who's tried to manage a cluster of machines knows, it's a pain to
get everything working. Even when you have complete control over the hardware,
software and network, distributing code to the cluster and making the cluster
send stuff back is difficult. So much can go wrong and it is easy to take out
servers with what seems like the most trivial of mistakes.

Now try doing this with almost half a million machines, of unknown hardware,
already running unknown software, and operating in network conditions that you
have no idea about. Do you think they did it perfectly and nothing went wrong?

They undoubtedly broke or disrupted many computers and systems here, and they
know it. They can write all the weasel-words they like about how _nice_ and
_kind_ they were, but I am sure they broke a lot of people's systems (some of
them, by their own admission, running important services).

~~~
pixl97
While the researchers have no moral high ground to stand on here, neither do
the 420,000 people (or whatever division of that is owned by separate groups)
that are running insecure devices. I've messed up and put insecure stuff on
the internet before. I'd rather have it go down and break in a fire rather
than having it quietly ship personal information to (feared country of
choice).

If you put an insecure device on the internet, the damage that ensues is your
fault. Ignorance cannot be an excuse. Default passwords and no passwords are
just unacceptable. Yes, by some twisted logic you can blame the hacker, but as
time goes on we see more and more state-sponsored attacks. It is their job to
hack into equipment of other nations for various reasons. It is your job to
keep that from happening.

TL;DR There is no such thing as a trivial mistake on a public network.

~~~
jankins
Someone who leaves his car door open & his car running is obviously practicing
poor security. But it doesn't take "some twisted logic" to show that a thief
is still culpable for the crime if he takes the car. I don't think the analogy
breaks down in any essential way when applied to the current discussion.

~~~
lukeschlather
We're not talking about a thief who took the car. To complete your analogy,
the intruder installed a GPS device and gathered real-time traffic data.
Illegal? Probably. But not theft.

~~~
zeckalpha
No, it is more like they got in and locked the doors so the real thieves
couldn't get in. (Aidra)

I still don't like it.

~~~
marshray
Well to complete the analogy, he stole a tiny bit of the juice from the
battery to charge his mobile phone while he was at it.

------
tlrobinson
This is awesome and terrifying.

What would happen if (when?) someone with more evil intentions decides they
would like a 420,000 device botnet of their own? Or how much damage could one
do by shutting off all these devices simultaneously?

~~~
hcarvalhoalves
> What would happen if (when?) someone with more evil intentions decides they
> would like a 420,000 device botnet of their own?

You think massive botnets don't exist already?

> How much damage could one do by shutting off all these devices
> simultaneously?

The only reason this hasn't happened so far is because there's no profit in
this. There's more money to be made keeping a low profile and spamming /
phishing.

------
agnokapathetic
Would be awesome if this was an S3 public dataset
(<http://aws.amazon.com/datasets>)!

------
pak
Isn't this exactly what rtm did in 1988? The only difference is that this worm
took pains to behave more nicely.

Funny to see that the proportion of relatively unsecure devices on the
internet has not gone down since that time.

------
scotty79
USA has strangely different usage patterns. Usage decreases in the evening so
peak seems to be during work hours.

Americans work a lot, I'm sure almost all of that internet use is productive
and they just prefer having fun outside after work.

------
est
[http://internetcensus2012.bitbucket.org/images/clientmap_16t...](http://internetcensus2012.bitbucket.org/images/clientmap_16to9_small.jpg)

Next time if a Chinese IP hacks you, it's a botnet node in China that hacked you.

------
metalruler
This is a way cool idea. Probably not the best thing to happen to the internet
on a daily basis, but an amazing project nevertheless.

Just waiting for someone to start mining bitcoins on 420,000 slightly
underpowered CPUs...

(Ok, seriously now.) The traceroute data could be used to build an interesting
map of the internet. I'm sure there's lots of cool things that can be done
with what has been released.

------
jbuzbee
Interesting, but let's see. Where have I heard about how the Feds (over)react
to gaining unauthorized access to someone else's computer? Hmm...

[http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-y...](http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-years/)

------
jervisfm
This is some interesting research. I am wondering though: Does anyone know
whether there are any potential legal issues with scanning devices / networks
that do not belong to you? Is it possible for you to get into trouble in
engaging in this activity?

~~~
trotsky
It's almost always against the terms of your provider's AUP.

~~~
wmf
That's why you do the scanning from someone else's router. :-)

~~~
taejo
Replacing possible AUP-violation with definite felony.

~~~
DanBC
Isn't some AUP violation a felony, because you're using a computer without
authorisation?

------
joosters
"We had no interest to interfere with default device operation" ... "After a
reboot" ...

How does rebooting someone's computer not count as 'interfering'? Let's hope
none of those machines were doing anything important.

~~~
zerd
They didn't say they rebooted any devices. They said that they didn't make the
binary persist through reboots. They probably installed their binary in /tmp/
or similar which would get wiped if the device happened to reboot.

~~~
joosters
That's unclear. From their use of the past tense, it certainly implies that
the machines had been rebooted.

------
jstanley
Very awesome. I have some concerns about the legality of this. Has anyone
tried to sue you?

------
nonamegiven
Judging from the map it looks like North Korea has managed to protect itself
quite nicely.

------
BoyWizard
Uploading and running executable code on other people's devices without their
permission is absolutely illegal, regardless if it's exposed or not. I would
be _pissed_ if someone did this on any of my devices.

~~~
pixl97
I'd be pissed at myself for running a no password/default password on the
global internet that is connected to nations that we (as in my nation)
consider enemies.

~~~
contingencies
_Nationalism is an infantile disease, the measles of mankind._ - Albert
Einstein

Pro tip: Get with the post-nationalist, internet-enabled program and give up
on this line of thinking.

~~~
Retric
It's only by growing up in a country that does an amazing job that you end up
with the stupid idea that countries are unimportant. Hint: other people want
your stuff and somebody needs to protect it.

PS: Some people were shocked that Greece defaulted ignoring. "Greece faced
economic hardships and defaulted on its loans in 1826, 1843, 1860 and 1893."
Why? Because as a nation they can get away with it, so why not?

~~~
contingencies
Acknowledging that nations still have political, legal and economic
significance is common sense and is not nationalism.

Worldview from some assumed national perspective = _nationalism_.

For example, viewing the entirety of the global internet in terms of the fact
that certain other countries (that may be nominal enemies of 'your' (hah!)
country) are connected to it.

------
uribs
Interesting, maybe we should revoke IPv4 assignations to Apple, Ford, HP,
Prudential etc. who aren't using anything close to the 16 million IP addresses
they have.

~~~
ISL
It's probably easier to switch to IPv6; then everyone wins.

