
Hackers say Friday's massive DDoS attacks were just a dry run - cpncrunch
http://www.cbc.ca/news/technology/hackers-ddos-attacks-1.3817392
======
LinuxFreedom
The elephant in the room is:

Probably these attacks would not be possible if all the money put into
governmental surveillance activities would have been invested in building a
secure and resilient internet.

This attack is the logical answer to the governmental attacks on all networked
infrastructure.

The root cause for these problems is a primitive way of thinking that is a
wrong recipe for the path humanity has to take to not destroy itself.

Competition, dominance, control, surveillance, fear vs. cooperation,
consistency, trust, freedom, love.

This is not about ethics or morality. It is about the fact that this way of
primitive thinking just does not work - it is a stupid recipe for complicated
problems and just fails.

Neanderthalers that like to imprison themselves into hierarchies and dominate
the whole world should be put into mental hospitals, but never into
governmental institutions or positions.

We must stop the domination and hierarchy adoring primitives with their non-
working and self-destroying ideas to find an appropriate way to prepare for
the future and its challenges.

An important first step is to put the military dog back on the chain and show
it the place where it belongs to and never ever allow it to infiltrate
politics.

Military solutions must only be the last step of self-defense that we need to
use when all politics failed.

A society that allows military thinking to penetrate or even dominate
political ideas will be destroyed in the long run, as destruction is the only
solution that militarism knows.

Again this is not about ethics or morality, it is about logic. If you throw a
stone into water, it will make waves.

~~~
formula1
First off, putting a negative spin to competition already tells me you have
either a very narrow view or see something I don't. When iojs forked from
nodejs, it was a competitor. Linux is a competitive landscape. Browsers are a
competitive landscape. The idea that cooperation and consistency leads to the
best possible product is only as accurate as who is trusted to be the leader.
There are some pretty dumb leaders out there but convincing enough to be
trusted with millions of dollars.

Second off, the government didn't force all devices to be vulnerable. "Agile"
development practices which we trust so much are what led us here. Build
first, worry about security later. The fact that a person's information is
valuable to the creator of these devices and they provide a direct gateway so
they could be accessed by a third party. And the fact that consumers ignore
any possible issues that may arise because they see the benefits.

You talk about logic, well logically we wouldn't have computers or any of this
if it wasn't for competition and the desire to evolve. And logically trust and
freedom allowed these vulnerabilities to go unchecked because the software is
not open source and companies are free to do whatever they want since it's up
to the consumer to judge whether it's worth it or not.

I understand why you want to make this political and pro-love because arguably
any problem can be answered by pro-love. But logically, you should think
before you speak and attempt to frame your argument with a consistent logical
tree than start blaring out hatred for the capitalist system.

~~~
mhurron
> "Agile" development practices which we trust so much are what led us here.
> Build first, worry about security later

Hardly. It's not like everyone stopped caring about security once they moved
to Agile flows. The industry never cared about security.

This last attack on Dyn appears to be Mirai again, so devices with
unchangeable default username/password combinations. The same poor practices
that have existed since there were engineering practices at all.

~~~
bogomipz
> "This last attack on Dyn appears to be Mirai again, so devices with
> unchangeable default username/password combinations"

The credentials can't be changed on these? Ouch. I didn't know this. Has Mirai
released any kind of firmware upgrades for their set top boxes and IP cameras?

~~~
mhurron
Many, if not most, can not. Sometimes even if the user thinks they have.

[https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powe...](https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/)

'That’s because while many of these devices allow users to change the default
usernames and passwords on a Web-based administration panel that ships with
the products, those machines can still be reached via more obscure, less user-
friendly communications services called “Telnet” and “SSH.”

...

“The issue with these particular devices is that a user cannot feasibly change
this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password
is hardcoded into the firmware, and the tools necessary to disable it are not
present. Even worse, the web interface is not aware that these credentials
even exist.”'

------
Animats
Some things to do right now:

- If you don't have a very well defined need for a short DNS time to live,
set your time to live to a large value, perhaps a day. Then, as long as
someone can get at least one DNS request through, they can reach your site all
day. (Ycombinator.com, why do you have a TTL of _12 seconds?_.)

- Get multiple DNS services now. Not just two. Get four or five, some of
which are not widely used.

Those two things will probably get you through future DNS attacks.
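
An added example, not part of the comment above: a small audit of a zone export against the two suggestions (long TTLs, several independent DNS providers). The zone data is constructed, the thresholds are taken from the wording above, and treating the last two labels of a nameserver hostname as its "provider" is a simplifying assumption.

```python
"""Audit zone records for short TTLs and low nameserver-provider diversity."""

# Constructed sample zone (documentation names and addresses, not real records).
# Format per line: owner-name TTL class type rdata
SAMPLE_ZONE = """\
; apex nameservers, hosted at two providers
example.test.      86400 IN NS ns1.provider-a.test.
example.test.      86400 IN NS ns2.provider-a.test.
example.test.      86400 IN NS ns1.provider-b.test.
example.test.      12    IN A  192.0.2.10
www.example.test.  300   IN A  192.0.2.11
mail.example.test. 86400 IN A  192.0.2.25
"""

MIN_TTL = 86400      # "perhaps a day", in seconds
MIN_PROVIDERS = 4    # "Get four or five"


def parse_zone(text):
    """Parse simple one-record-per-line zone text into a list of dicts."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 4)
        if len(fields) != 5 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'name ttl class type rdata'")
        name, ttl, rclass, rtype, rdata = fields
        records.append({
            "name": name.lower(),
            "ttl": int(ttl),
            "class": rclass.upper(),
            "type": rtype.upper(),
            "rdata": rdata,
        })
    return records


def provider_of(ns_host):
    """Approximate the operator of a nameserver by its last two labels.

    Assumption for this example only; a real audit would use the Public
    Suffix List or an explicit hostname-to-provider mapping.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit(records, apex, min_ttl=MIN_TTL, min_providers=MIN_PROVIDERS):
    """Return short-TTL records and the set of providers serving the apex."""
    apex = apex.lower()
    short = [
        (r["name"], r["type"], r["ttl"])
        for r in records
        if r["type"] != "NS" and r["ttl"] < min_ttl
    ]
    providers = sorted({
        provider_of(r["rdata"])
        for r in records
        if r["type"] == "NS" and r["name"] == apex
    })
    return {
        "short_ttls": short,
        "providers": providers,
        "enough_providers": len(providers) >= min_providers,
    }


if __name__ == "__main__":
    report = audit(parse_zone(SAMPLE_ZONE), "example.test.")
    for name, rtype, ttl in report["short_ttls"]:
        print(f"short TTL: {name} {rtype} {ttl}s (< {MIN_TTL}s)")
    print("providers:", ", ".join(report["providers"]))
    if not report["enough_providers"]:
        print(f"fewer than {MIN_PROVIDERS} independent DNS providers")
```
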

~~~
ryantownsend
Can anyone comment on the best way to run multiple DNS services?

Is this as simple as setting up the same records on multiple providers and
updating your nameservers to point to the different providers? Or is there
more involved?

Are there any providers which will replicate records from your 'master'
provider, or is this going to be manual?

~~~
cpach
DJB suggests using rsync over ssh:
[https://cr.yp.to/djbdns/tcp.html#intro-axfr](https://cr.yp.to/djbdns/tcp.html#intro-axfr)

But I guess this excludes many of the popular DNS services that are used
today.

~~~
kchoudhu
I have an ansible script that ships all my zone files around. Functionally
equivalent, I suppose.

~~~
cpach
Smart!

------
wes-k
Ignorant thinking out loud here. Is it feasible for certain infrastructure
providers to team up and collect the ip addresses of the requests. This gives
us a list of IPs with bots. THEN google, Facebook, Twitter, etc (major web
properties) use this list to notify any of its users that one or more of their
devices have been compromised and point them to a how to guide for securing
it. Or more simple a script to patch it.

My thinking is that the only way to stop this is to get users to lock down
their insecure devices.

A constant banner would annoy most people to action. Especially if it was
really easy to issue a fix. Download and run. Script determines the actual
device causing the harm and patches it. Possibly asking for a new password
from user. I guess this assumes that a script could be written to issue a
patch for the majority of cases. If not, then how is this device connected?
Script could detect router and apply fix at that point.

So we need:

1. IP addresses for the sources of the attack load.

2. A way to distribute patches for those IP addresses.

I propose:

1. Those suffering the attacks can provide this.

2. Notify users via websites coordinating on displaying an alert with tools
to patch.

Alternative solution to #2:

Can some part of the ISPs that connect these IPs be patched to detect and
block malicious attacks?

~~~
ddalex
This is an attack over UDP. The source address is likely spoofed. Simply
blocking an IP will do nothing but banning somebody not related to the attack
at all.

~~~
qeternity
I don't think you understand how spoofing works. And no, this attack was not
spoofed. It was just hundreds of thousands of IoT devices each pushing a small
amount of traffic (0.5-1mbps).

~~~
niij
I don't believe this Mirai IoT attack is using spoofing. But on the topic of
spoofing: if an ISP doesn't follow BCP38 and allows spoofed packets to leave
their network, then there is truly no traceability in where a packet came
from. See this talk from Strangeloop about how spoofed packets are a problem
[0]

[0]: [https://idea.popcount.org/2016-09-20-strange-loop---ip-spoof...](https://idea.popcount.org/2016-09-20-strange-loop---ip-spoofing/)
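
An added example, not part of the comment above: the source-address check that BCP38 asks a network edge to apply, run over constructed IPv4 headers. The customer prefix and addresses come from documentation ranges, the function names are hypothetical, and the header checksum is left at zero because the filter does not inspect it.

```python
"""BCP38-style source address validation on packets leaving a customer port."""
import ipaddress
import struct

# Assumption: the prefix(es) the ISP has assigned to this customer port.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def build_ipv4_header(src, dst, proto=17):
    """Build a minimal 20-byte IPv4 header (constructed sample input)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, header length 5 words
        0,               # DSCP/ECN
        20,              # total length (header only)
        0, 0,            # identification, flags/fragment offset
        64,              # TTL
        proto,           # 17 = UDP
        0,               # checksum, not verified by this example
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def source_address(packet):
    """Extract the source address, rejecting truncated or non-IPv4 input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(packet[12:16])


def egress_decision(packet, allowed_prefixes):
    """Forward only packets whose source lies in the customer's own prefixes."""
    try:
        src = source_address(packet)
    except ValueError:
        return "drop"
    if any(src in net for net in allowed_prefixes):
        return "forward"
    return "drop"


def filter_batch(packets, allowed_prefixes):
    """Count decisions for a batch, as an edge router's counters would."""
    counts = {"forward": 0, "drop": 0}
    for pkt in packets:
        counts[egress_decision(pkt, allowed_prefixes)] += 1
    return counts


# Constructed sample traffic: one legitimate source, one spoofed, one truncated.
SAMPLE_PACKETS = [
    build_ipv4_header("198.51.100.23", "192.0.2.53"),
    build_ipv4_header("203.0.113.7", "192.0.2.53"),
    b"\x45\x00",
]

if __name__ == "__main__":
    print(filter_batch(SAMPLE_PACKETS, CUSTOMER_PREFIXES))
```
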

------
wokky
Imagine if all those IP cameras, routers, NAT boxes and what-have-you had been
designed with one simple policy: the internet port doesn't work until the user
sets a password.

Even very lame passwords might be expected to reduce the effectiveness of this
attack approach by an order of magnitude or two.

~~~
stephen_g
I was just saying to a friend yesterday that this would be a great policy. I
think it would go a long way.

But the problem remains that these devices, more often than not just don't get
updated. So in a year or two, there will probably be a handful of exploitable
issues that won't ever get patched...

~~~
madeofpalk
Given that all these devices were 'hacked' using just the default credentials,
exploits in the software aren't as relevant here.

~~~
andrewflnr
Today they aren't. Once the fruit lying on the ground is exhausted, they'll
get serious about the low-hanging software exploits

------
rdtsc
This DoS attack kills the Internet Of Things as a cool new phrase.

There is already
[https://twitter.com/internetofshit](https://twitter.com/internetofshit) of
course. But that is more whimsy and fun "Oh look my toaster is tweeting,
that's silly".

This attack is more like "Oh-oh, my toaster killed Twitter".

So even though as a thing IoT is here to stay, I think the phrase itself will
sound negative and will be avoided.

~~~
newmanships
There's also a subreddit of the same name that has some good articles from
time to time.

------
mortdeus
What's most concerning to me is that as hackers get more sophisticated with
regards to tech, the US judicial system isn't and this is providing a lot of
low hanging fruit for said hackers to use draconian laws like the Computer
Fraud Act against innocent Americans by pwning their PC's and utilizing
torrenting against them.

I have a friend that is pretty much being persecuted by the state of Oklahoma
for this very thing right now because the DA, OSBI (Oklahoma State Bureau of
Investigations) and defense attorneys didn't understand how somebody can
coincidentally be innocent of the illegal torrenting that appears to be
going on from their IP, albeit said activity being totally unbeknownst to
them.

------
blazespin
Maybe someone should create an exploit to brick all of these IoT devices. Then
perhaps people would wake up to the problem..

~~~
clarry
My experience from talking with non-techies suggests that they'll never
understand the problem is the lack of security in their devices & network. All
they do is act victim and get enraged about hackers. The thought that they
should demand security from the companies who sold them the vulnerable devices
doesn't cross their mind, and if you try to sell them such an idea, they will
protest and call for justice on the principle that it is the hackers who are
being criminal and it's not the victim's or his devices' responsibility to
keep themselves safe. Just as they don't expect to have to live in a bunker
with impenetrable locks to stay reasonably safe from burglary.

~~~
JoeAltmaier
Many locks in real life are symbolic. Interior doors for instance are hollow
and can be breached with no trouble. They serve mostly to keep the law-abiding
from snooping casually, and to provide evidence of theft (forced entry).

A pity we can't have digital locks that 'break' when used, leaving some
fingerprint from the perpetrator.

------
WalterBright
It's kinda silly to make a dry run like that, because people in charge of the
attacked systems will harden them and the attack is much less likely to work
next time.

~~~
astockwell
Not at all the case with IoT. See Bruce Schneier's recent article on the
matter, where he makes the case that government regulation is the only
feasible remedy at this point, as "The market can't fix this because neither
the buyer nor the seller cares." [1].

[1]
[https://www.schneier.com/blog/archives/2016/10/security_econ...](https://www.schneier.com/blog/archives/2016/10/security_econom_1.html)

~~~
WalterBright
I meant the servers being attacked. The owners of them definitely care.

As for the IoT, the appliances could have their firmware in ROM instead of
flash. Then, the malware would not survive a reboot. Many customers are large
scale enough (Microsoft, Google, governments, etc.) that they can demand it of
vendors and vendors will deliver. Really, how often do you desire to update
the firmware on your hard drive, your USB stick, etc.?

(Another way to do it is to have the write-enable line controlled by a
physical switch or jumper.)

The only thing I can figure is everyone has forgotten what ROM is.

~~~
psybin
If there's a ROM with non-editable software it will just get instantly
compromised as soon as it comes back up. For your standard "internet of
things" device there is no room, physically or in the bill of materials, for
things like connectors for people to physically deliver updates.

~~~
WalterBright
This is not a difficult problem to solve. The ROM cannot be overwritten -
hence it can be designed so that malware cannot run.

Also, jumpers are cheap. Just set the jumper to enable writes, and download
the update.

Are you happy with it being unknowable which of your appliances are
compromised or not? Would you pay $1 more for a disk drive with firmware in
ROM? I would. If you were running a banking system, would you pay extra for
code in ROM that cannot be compromised?

~~~
TeMPOraL
You would. But you're not the market - 99.99% of other people, who don't even
know what a "jumper" is, are the market. So your preferences don't matter.
Yes, even in most technology products.

As for IoT devices, I can't imagine average Joe or Jane prying off their smart
whatever, destroying the pretty plastic casing it's hidden in, and manually
setting jumpers to flash firmware.

~~~
WalterBright
Isn't it ironic that the means of updating firmware to prevent installation of
malware is the vector for installing malware?

I don't think the current scheme is working very well. Even worse, there is no
way to tell if your appliance has been compromised or not. There are a lot of
companies that care whether their machines are infected or not.

------
dimino
Is there any evidence whatsoever actually linking the people who claimed
responsibility with the person/persons who actually perpetrated the attack?

~~~
rms_returns
I think it's just the good old 1990s scenario repeating itself, only this time
with IoT, rather than usual IT.

First, a mad rush towards the IoT where every startup and their dog wants to
set up their business on IoT. Then comes fear as the hackers try to exploit
every hole in IoT devices. And finally, once people realize the importance of
keeping with the software upgrades, the market will settle somewhere in
between.

~~~
jacobsenscott
The thing is there will be no upgrades for the IoT. Just look at all the
Android phones abandoned by their manufacturers. Do you think Philips is
going to pay someone to produce patches for a 5 year old light bulb, or smoke
detector, or whatever?

~~~
detaro
If it becomes too bad and people start to pay attention, yeah. If there were
more malware doing (edit: very visible) stupid shit around, people would learn
quite quickly (instead of malware that tries to hide and do things that don't
affect the device owner), this way we'll see where it goes.

~~~
psybin
Most compromises in things like this are going to be invisible almost by
accident. Unless your light bulb is maxing out your upload for extended
periods of time, or the police come knocking on your door when your light bulb
does something very illegal and very loud, nobody is ever going to notice.

~~~
detaro
I meant "stupid shit" that's intended to be noticed. The equivalent to malware
of olden days that would intentionally bluescreen your machine, display a
stupid image or something. Brick devices, turn all lightbulbs into disco mode,
replace video camera images with static or porn, de-auth all WLAN devices
around...

But nowadays malware is less about "hijinks" and more about criminal
enterprises that profit from staying hidden, so pressure on device owners and
makers is going to have to come from somewhere else: ISPs, governments, ...

------
snarfy
Default passwords need to be made illegal. We all try to think of
technological solutions to these problems but this really is a problem of
policy not technology.

The factory default setting should require a password to be set before the
device functions.

------
lordnacho
So does this mean there's a huge cloud of IoT devices that will be usable as a
DDOS monster, forever?

It sounds like they never get patched, and if you have some camera or small
device, how likely are you to throw it away?

~~~
snarfy
I wouldn't say forever. Technologies become outdated and people upgrade to
new, more powerful IoT devices with default passwords.

~~~
gorbachev
I would say forever. What kind of devices do you think they're being replaced
with?

The people buying these things aren't buying quality or security minded
devices. They're buying the cheapest device they can find. Their next device
will be the same.

------
TekMol
How do these devices make themselves reachable from the public internet in the
first place?

As far as I know, my router does not forward incoming traffic. How would it
know which device to forward it to anyhow?

~~~
mike-cardwell
UPNP

------
elchief
Or maybe it was a distraction while they did some nasty stuff we'll hear about
(or not) on Monday... Big linux vuln announced day before, right?

------
CN7R
Ok so I don't know that much about how DDoS attacks work besides that it's
basically a large influx of input that makes it impossible for 'legitimate'
users to get through.

But in a block chain, a Sybil attack—imagine voter election fraud, where
numerous fake IDs are made to vote for a candidate—is blocked by making the
cost of generating hash values (government ID is pretty hard to counterfeit)
extremely high.

Can the same methodology be applied to block DDoS attacks?

Like using Dyn to find a domain is similar to making a phone booth call to
yellow book call center, why not just raise the price of calling from 25c to
$1.00?

~~~
kevingadd
Because the whole internet would become unusable if DNS lookups cost you a
dollar.

In the first place, the requests are being made by owned IoT devices. So
making the requests more expensive (in time, bandwidth, or actual money) would
just hurt the owners of those devices. The people operating the botnet
wouldn't care, they'd just get a larger botnet.

~~~
CN7R
I don't mean an actual dollar cost but computing power.

Is there a way to enforce a limit on requests from IoT, or a way to increase
costs of running a botnet but not have that cost transfer to the owners of
IoT?

~~~
kevingadd
IoT botnets are a problem because they're massively distributed. Even if a
single device could only issue one request per second you'd just need to own
more devices. There are millions and millions of vulnerable boxes out there,
sometimes dozens in one home or office.

~~~
psybin
Things get crazier once you have one compromised hole-punched device that is
behind your NAT/firewall too. You can end up in a situation where you have a
local C2 server on your light bulb, controlling a sub-botnet of your fridge,
washing machine, and wifi controlled doorbell. It's not unreasonable to think
that this could compromise orders of magnitude more devices than the original
botnet itself, considering how many things are just saved by their interface
not being routable or accessible from the wider internet.

Something I've wondered is how much of an impact large botnets have on other
systems they rely on. If you had a million compromised CPUs in a small
geographic area suddenly jump from a low power state into doing a massive
amount of work, could it cause localized brown outs? Some napkin math says
probably not, but it's not something I've heard considered much before.

~~~
akiselev
A few hundred megawatts is well within the amount of power peaker plants can
produce and the vast majority are idle >> 90% of the time. You'd need millions
of air conditioners to cause a brownout. Most states fine utilities heavily
for any disruption of service (to the tune of $10s or 100s of millions per
company per incident) in exchange for a govt granted monopoly so they all have
extensive capacity built out, capable of providing for huge extended spikes in
consumption.

~~~
inferiorhuman
What about other countries?

------
an_account
Could someone connect to all the vulnerable cameras/iot devices and lock them
down so that they can't be used in botnets in the future?

~~~
cft
Presumably when Mirai botnet compromises them, it changes the passwords.

~~~
scurvy
A lot of the passwords can't be changed. They're fixed from the factory.
That's one of the really difficult things about dealing with this.

I bet that a greyhat will find a way to brick a lot of these cameras.

~~~
pimlottc
> I bet that a greyhat will find a way to brick a lot of these cameras.

A chaos monkey for internet security - now that's an interesting thought!

That could actually work. Market forces aren't strong enough currently to
force manufacturers to get security right, since the average user doesn't
really care that much about it. But if it became common for any poorly secured
product to turn into a brick as soon as you connect it to the Internet, users
would pretty quickly figure out what brands to buy and bring some serious
pressure to bear on the others...

------
gremlinsinc
Couldn't they create a completely separate IOT protocol, so only connections
expecting to receive connections from that protocol would receive it--so
essentially a IOC device could only ping specific IP's that use a different
spec like 255.255.255.255.255 or something.. Essentially a separate internet
that can't mess up networks on the main internet? It could still use the
internet as a gateway, but would give ddos' protection more ability to block
things.

~~~
zeven7
What about a special set of bytes that are standardized that all IOT machines
should send in every request. Some sort of IS_IOT signature. That way if
there's a huge influx, all messages containing the signature could be
filtered.

~~~
willglynn
RFC 3514 seems appropriate here:

    
    
    1. Introduction

       Firewalls [CBR03], packet filters, intrusion detection systems, and
       the like often have difficulty distinguishing between packets that
       have malicious intent and those that are merely unusual.  The problem
       is that making such determinations is hard.  To solve this problem,
       we define a security flag, known as the "evil" bit, in the IPv4
       [RFC791] header.  Benign packets have this bit set to 0; those that
       are used for an attack will have the bit set to 1.

[https://www.ietf.org/rfc/rfc3514.txt](https://www.ietf.org/rfc/rfc3514.txt)

~~~
kccqzy
This RFC was published on April 1.

~~~
willglynn
Quite correct, but nonetheless, that RFC _does_ explore the topic of "why not
just mark the traffic?" One basic objection which detaro pointed out is that
there's nothing to stop attackers from clearing such marks.

As Wikipedia puts it:

> The evil bit has become a synonym for all attempts to seek simple technical
> solutions for difficult human social problems which require the willing
> participation of malicious actors

[https://en.wikipedia.org/wiki/Evil_bit](https://en.wikipedia.org/wiki/Evil_bit)

------
throw2016
Sometimes it feels we are being herded. If Brian Krebs a single person can
identify so many dubious operators and script kiddies in the US then how come
significantly larger and massively better equipped government teams known to
be using sophisticated surveillance do not have any clue or response while
leading US companies go offline.

Just the other day Cisco announced a partnership with a company in the UK to
detect and disable copy protected streams in real time all over the internet.

Surely if they can pull something like this off there would be some serious
solutions and proposals by the networking industry on how networks themselves
can mitigate massive ddos attacks.

The whole focus on IOT and client side devices seems to be a deflection of the
real problem because any attempt to solve this client side is likely to
introduce serious controls and constraints on machines joining the network
apart from the fact you end up in a never ending cycle to 'whack a billion
moles'

------
sakopov
I spent the last 4 years integrating with various hardware vendors (non-iot
market but the problems are the same) for my employer's SaaS offering.
Hardware companies are great at making reliable hardware but they have very
little to no understanding of security or heck, even software in general. Most
of the time we find that their hardware engineers are writing software and
the entire protocols are wide open usually without any built in security
mechanisms. Some transmit sensitive information completely in the open. If we
ever come across a vendor who understands SSL that's about as good as it gets.

------
x0ner
Suggested targeting:

"...attacks were merely a test, and claimed that the next target will be the
Russian government for committing alleged cyberattacks against the U.S.
earlier this year."

~~~
ComodoHacker
What a BS. When you target Russian government you don't test on completely
unrelated infrastructure it doesn't use.

------
user5994461
* 24 days since the release of the botnet source code.

* 3 days since the latest major DDoS attack.

No device has been bricked so far. No counter attack yet. Waiting for the next
news...

------
ComodoHacker
Is there a better source? The whole article seems sucked out of a single tweet
with no link to it.

Also hilarious:

>Anonymous didn't respond to a request for comment via Twitter

------
Fej
How can I test a device I own to see if it's vulnerable? Just telnet in and
try passwords?

~~~
itsmeaaron
I have the same question. Countless articles explain these attacks are being
carried out via IoT devices but I've seen no mention of specific
brands/models. Are there worst offenders? Are common devices like Nest, Wink,
etc vulnerable?

------
petre
Too bad this will lead ISPs to blocking ports 23, 22, breaking telnet and ssh
to those ports.

~~~
inferiorhuman
IMO it's already a bad practice to have SSH listening on a publicly accessible
interface on port 22.

~~~
petre
Yeah? Then provision a new box and try to ssh to it with port 22 blocked. I
could of course run fail2ban or a firewall rule in order to block at 3 failed
attempts to connect and still run on port 22. Or use port knocking.

~~~
inferiorhuman
Or just use an alternate port. There are, what, 65533 alternate ports
available?

> Then provision a new box and try to ssh to it with port 22 blocked.

Shouldn't be a problem if you've got your provisioning stuff set to configure
ssh on an alternate port.

> I could of course run fail2ban or a firewall rule in order to block at 3
> failed attempts

A good idea, but still an additional step beyond simply using a different
port.

> and still run on port 22

And you'll still end up on the receiving end of more malicious traffic than if
you'd not used port 22.

> Or use port knocking.

Not necessarily a bad idea, but still far more complex than simply using a
non-default port. Same reason that many ISPs (including Amazon) place more
restrictions on port 25 than other ports commonly used for SMTP traffic.

------
asddddd
[http://www.anonintelgroup.com/2016/10/21/twitter-down-its-no...](http://www.anonintelgroup.com/2016/10/21/twitter-down-its-not-the-russians-its-the-new-world/)

~~~
ComodoHacker
Perhaps this should be the source link instead of CBC.

Worth noting:

>we are in Russia

Also their website default page looks like DDoS UI.

------
jonshariat
When is someone going to make a robin hood malware that helps resolve these
issues and fights off other malicious tools trying to use these insecure
devices?

~~~
kimburgess
The Mirai source is up on GitHub if anyone's considering doing this:
[https://github.com/0x27/linux.mirai](https://github.com/0x27/linux.mirai).

Regardless of any good intentions, it'd be a pretty grey area to deploy a tool
that cleaned and then protected against future attacks on a device. The
exploit (well, at least the one currently drawing attention) is targeted at
devices running BusyBox that are compromised over telnet with an embarrassingly
small dictionary attack. If you could clean any existing instances, the
protection for future exploits is simple - set a randomly generated password.

The downside is doing this (without approval) to remote devices would likely
break device functionality. The majority of users/owners of these devices are
likely completely unaware they have been compromised today as it has little to
no effect on anything they can see. Sure, a Robin Hood malware could clean up
this mess pretty effectively, but the little side effect of stopping devices
from, you know, working is probably undesirable.

~~~
pimlottc
> I bet that a greyhat will find a way to brick a lot of these cameras.

It's draconian, but it would sure make users sit up and take notice of which
manufacturers are slacking on security.

------
ommunist
I think these statements are bogus. Russian government is a much smaller
target than Twitter. Besides, it does not rely on the Internet to function.

~~~
ZenoArrow
> "I think these statements are bogus. Russian government is a much smaller
> target than Twitter."

It's not about the size of the infrastructure, it's about the size of the
political statement. Targeting larger infrastructure first appears to have
been a move to demonstrate the power of their botnet.

------
msimpson
"Anonymous wants DDoS attacks legalized as form of protest."

Yet protests aren't comprised of participants who have been forced into
attendance.

------
michwill
Since the exploit is known: I wonder, is it possible to hack all these devices
and let them DDOS localhost?

~~~
petre
It would be almost useless since localhost doesn't even generate outside
traffic. It will only drive up the electricity consumption and heating the
device. One could run a fork bomb and temporarily brick or permanently damage
the device (due to overheating) or disable networking altogether.

~~~
kps
Not local _host_ : have the device make a nuisance of itself on the local
network.

------
hellofunk
How are all these iot devices and their ip address found by hackers?

~~~
Kalium
IP space is limited. If you have a botnet already, you can scan all of IP
space.

Also, a lot of them expose web interfaces that Google has already found...

------
ryanlm
Who are these people init'ing the attacks? They seem like talented folks.

------
chiefalchemist
The USA elections are right around the corner. Nuff said.

~~~
lappa
The article said they would be targeting Russia.

~~~
ommunist
After Madonna delivers her pre-electional promise.

------
gandolfinmyhead
Crackers _

------
rezot
Hackers?

~~~
Just_Another
> Meanwhile not much is required in the way of resources or skill to mount a
> botnet attack...

You mean they don't qualify?

~~~
eveningcoffee
This was a claim (according to the article) of specific group who goes by the
name _New World Hackers_.

The word _hackers_ has very wide meaning and this title can be considered to
be insulting to multiple subgroups who like to think of them as hackers in a
good sense.

~~~
jacquesm
That is a passed station at this point.

~~~
idlewords
Just don't call them painters.

------
bitwize
Mr. Robot? Is that you?

------
nickpsecurity
Just bring it, hackers! Drop 100Tbps on every critical service to show them
what's up! Hit all of them with everything you got!

I've been waiting for a good illustration to regulators of why POTS, leased
lines, and satellite must continue to get investment & kept separate. On top
of the small cases I have. All these people's shit is going down whereas the
people using dial-up to BBS's or leased lines between critical sites are still
doing just fine. I mean, they do gripe about speed or pricing more than the
rest of us but that's the kind of problems they're used to living with. ;)

Note: The major attacks will also get regulators' attention to IoT risk. I
have recommendations of techniques and existing products ready for that, too.

Note 2: I think someone will see this saying, "OMG! He's encouraging crimes
and damage to happen! WHY!?" Actually, apathy by consumers and suppliers is
why it happens and will get worse regardless of what I say. I'm just waiting
for the inevitable as an opportunity to improve the situation.

~~~
ccvannorman
"Due to increased DDOS attacks, the U.S. and European nations' governments
felt their hand was forced. Swift and sweeping legislation was passed to 'keep
you safe' online, including deep tracking and identification of every activity
taken online. The number of personnel hires for citizen monitoring increased
tenfold in the pursuit of catching hackers, in a new global program that
governments are calling, 'no stone unturned'.

Private contractors were swift to step in with their offer, providing ever
more efficient and penetrating tools to get this job done. Citizens never felt
so safe!"

~~~
Samis2001
I was expecting that to be a quote from a book or a story and was surprised
that it wasn't. Good job, it's scarily plausible. Especially in the UK.

