Internet Chemotherapy - signa11
https://ghostbin.com/paste/q2vq2
======
megous
So, given that he might have prevented more damage than he caused, if even the
part of the recent DDoS reduction can be attributed to his activity, what to
make of it? It can be more of a judgement on society if this person ends up in
jail, while IoT makers keep making hefty profits being rewarded for their
negligence, and ISPs keep making profits being rewarded for lying to their
customers when shit happens and causing more damage than he ever could
overall.

It all seems to start and end with technical ignorance of the typical
customer. There are popular shows that help people choose better food, by
exposing shenanigans food makers engage in. Perhaps there could be something
similar for tech in the future. Something where a hacker comes on TV and makes
a total ridicule of some IoT crap device, and the show uses it to constantly
repeat the basics, like changing default credentials, etc. Same schema that
works with food shows, expose someone as an example and add some generally
useful advice. Perhaps this might become feasible when IoT is more popular.

~~~
joe_the_user
_It can be more of a judgement on society if this person ends up in jail,
while IoT makers keep making hefty profits being rewarded for their
negligence, and ISPs keep making profits being rewarded for lying to their
customers when shit happens and causing more damage than he ever could
overall._

Masked comic book vigilantes aren't ever going to be a reality on the mean
non-virtual streets of cities but on the Internet it seems we're confronted
with something pretty much equivalent.

So here we can consult all the old issues of Marvel and DC for a compendium of
moral dilemmas and results.

~~~
icelancer
> Masked comic book vigilantes aren't ever going to be a reality on the mean
> non-virtual streets of cities

Unbelievably, this is actually the case in Seattle.

~~~
goldenkey
TIL:
[https://en.wikipedia.org/wiki/Phoenix_Jones](https://en.wikipedia.org/wiki/Phoenix_Jones)

------
indigochill
Mudge mentioned on his Twitter account
([https://twitter.com/dotMudge/status/941373739681189888](https://twitter.com/dotMudge/status/941373739681189888))
that a project like this had been requested in the DoD but was held back by
politics.

Victor Gevers is cited by Bleeping Computer
([https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/](https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/))
as saying there are better ways of
solving the problem than forcibly disabling/bricking devices. I'm curious what
those are, though, since IoT manufacturers (speaking broadly) don't seem
motivated right now to take even basic security precautions with their
devices. I know some groups use sinkholes to redirect compromised devices, but
while that can be useful for research it doesn't seem like it has the same
motivational impact for change.

~~~
FLUX-YOU
So the DoD wanted to brick devices instead of just declaring companies making
these devices a threat to national security, banning their products from sale,
and setting a good precedent?

:|

Would the intel community really need a botnet like this to operate?

~~~
wybiral
The thing is that the largest consumers of these devices aren't within the US.

Many of them are from Chinese companies and are being sold throughout
Southeast Asia and South America.

------
mentos
[https://www.deccanchronicle.com/technology/in-other-news/171217/how-addictive-is-minecraft-it-led-people-to-create-the-mirai-botnet-for-business.html](https://www.deccanchronicle.com/technology/in-other-news/171217/how-addictive-is-minecraft-it-led-people-to-create-the-mirai-botnet-for-business.html)

"Paras Jha, Dalton Norman and Josiah were also a part of this normal Minecraft
server entrepreneur game until they decided to force players from other
servers on to theirs by clogging their networks. Therefore, Mirai came into
existence and started performing for them very well. However, Mirai started
outperforming the creator’s expectations, affecting the Internet outside
Minecraft badly."

"The creators of Mirai found potential in the botnet and therefore went on to
fine-tune it to improve its abilities. They even started leasing Mirai to
other cybercriminals, who used them around the world for their own vested
interests."

[https://en.wikipedia.org/wiki/Mirai_(malware)](https://en.wikipedia.org/wiki/Mirai_\(malware\))

"Upon infection Mirai will identify "competing" malware and remove them from
memory and block remote administration ports."

From an evolutionary perspective it's an interesting example of 'fitness'.

~~~
zaarn
Malware can be reasonably described using evolutionary mechanisms (similar to
memetics). AVs and best practices create an evolutionary pressure in which only
the fittest and most aggressive malware can win out. A lot of things in
computer science and/or on the internet behave in ways not too dissimilar to
evolution.

------
zokier
My main feeling about all this is that "let it burn" probably is the only way
to deal with the mess. It must have been pretty obvious from quite early on
that trying to fight blackhats on a level field as a single individual is not
sustainable, and the time that he has been buying is in no way enough to
employ the major cultural shift needed to improve the landscape. Attempting to
suppress the attacks seems just to make people complacent, so it might be
better just to let the attacks do their damage and hope that those spur
some improvement.

~~~
rbanffy
This is how the forests of California dealt with fires before humans started
fighting them.

As humans fought fires, there was a buildup of flammable material in the
forests, making each successive fire incrementally worse.

~~~
nautilus12
I was using this exact same analogy to explain this to someone earlier,
although I have to admit that I agree with the person above. Going out and
starting forest fires in national forests without official government
sanction, even if your intention is to create controlled burns and prevent a
bigger fire will still land you with a verdict of arson.

~~~
chii
If there weren't any forest rangers/firefighters organization to back-burn,
then the lone person trying to do some good may be the only way forward. But
for forest fires, such an organization does exist, and no-one should be
burning by themselves.

There is no such organization for the internet. So we are left with lone
white-hats who risk personal safety to do some good. I wish there's a better
way.

------
xwvvvvwx
If it's true then this is fantastic work. Should really be the responsibility
of the government. If a device is compromised it should be disabled.

It could also set up a pretty nice incentive structure. If a device is bricked
due to a vulnerability, then the manufacturer should have to either repair or
refund the device. Corporations will not respond properly until it impacts
their bottom line.

~~~
wybiral
> If it's true then this is fantastic work. Should really be the
> responsibility of the government.

Imagine the public backlash there would be if people knew that the government
was scanning and hacking devices for the purpose of national security...

As backwards as it seems I think people like the story of a rogue hacker more
than the government protecting them.

~~~
FooHentai
> Imagine the public backlash there would be if people knew that the government
> was scanning and hacking devices for the purpose of national security...

/s ?

If so, chortle chortle.

------
javajosh
This guy is a hero. He bricked vulnerable devices before they could be used for
DDOS, or worse. And he did it at great risk to himself. I say well done.

The one point I disagree with is _blaming the consumer_. The simple truth is
that security protocols have terrible UX, and until that improves nothing will
change. Personally, I think it's time IoT was regulated and, in particular, we
require a secure protocol at the time of deployment: IoT devices must be
provably wiped, and then put into physical contact with an "owning" device
before deployment. This, in turn, requires that people start using what I call
a "Home Brain", a device whose primary purpose is to coordinate and secure all
other devices that you physically own. I imagine simple versions to be as
sophisticated as a router, and hackers might want to put together their own,
something like a little home theater box. I suppose in a pinch your smartphone
could work, too.

------
hi-im-mi-ih
Do not execute the random, obfuscated python code linked to from this paste.
This could be bait, and could PWN you. This must be audited first before
anyone runs it.

~~~
lucb1e
Obfuscated Python, asking everyone to run it? Hah. Good one. Perhaps if you
run it in VMware which runs in VirtualBox which runs in QEMU... and even then.
Never run such stuff bare on a machine you intend to still use afterwards.

The irony, if running code from a post from the Brickerbot author would brick
your laptop...

~~~
AlexCoventry
Just spin up an aws t2.nano...

------
geofft
From
[https://twitter.com/GossiTheDog/status/941462338233946112](https://twitter.com/GossiTheDog/status/941462338233946112)
:

_Before anybody else sends me the "Internet Chemotherapy" link or retweets it
- it appears to be a wonderful piece of fan fiction. Deutsche Telekom suspect
was arrested earlier this year, key details wrong, TR069 modem stuff was bad
implementations crashing devices etc._

(I haven't confirmed this myself)

~~~
lawnchair_larry
Wrong person, those are different incidents.

~~~
cjbprime
Can you elaborate?

------
peterwwillis
There are technical solutions for these problems, but nobody will adopt them.

There are political solutions for these problems, but nobody will vote for
them.

There are social solutions for these problems, but nobody wants to take
responsibility.

Personally I'm waiting for a power plant to explode after someone runs a
fuzzer on the internet. And for the inevitable law making security research
illegal. And propaganda claiming foreign nations or terrorist organizations
instigated the attacks (instead of bored 14 year olds, the more likely cause)
used to support new pointless wars. And the intellectually flaccid xenophobic
public, clamoring for more jobs and Internet-dependent TVs, fervently
supporting it.

But it could be worse.

------
wybiral
I do regular scans myself and the number of these vulnerable DVR devices,
printers, and routers you find exposed out there is mind-boggling!

Run just a single instance of something like this [1] (which isn't even well
optimized) and within minutes you'll find vulnerable devices. It shouldn't be
that easy to build a botnet.

[1] [https://github.com/wybiral/dex](https://github.com/wybiral/dex)

~~~
lucb1e
Your readme doesn't say much. Looking at the scanner.py code, it appears you
just send a GET HTTP/1.0 request and see what comes back. How do you determine
vulnerable devices, response headers with versions?

~~~
wybiral
The response headers are kept in a SQLite db that you can perform regex
queries on. It's surprisingly easy to find particular devices based on the
headers.

And, yes, it's just making basic HTTP requests on port 80 so it's overlooking
tons of devices. But I run this from my own devices and doing blast scans of
ports other than 80 can look a bit suspicious.

------
dang
This made a brief previous appearance:
[https://news.ycombinator.com/item?id=15931325](https://news.ycombinator.com/item?id=15931325).
You guys will have to figure out what to make of it.

~~~
sguav
And I'm still wondering why that got flagged while this got 100+ comments so
far...

~~~
dang
Who can fathom the mystery. That sort of wondering is an async call that will
never be called back.

------
djsumdog
If what this person says is true, this kind of stuff is really dangerous and
can get you in jail, even if your intent was just to show potential exploits.
I wonder if this person's real identity is on anyone's radar currently.

------
WillReplyfFood
I'm sure free market man is going to save us. Any second he will plunge through
the clouds, his invisible fist coming to save us all...

~~~
jodrellblank
Free market man isn't out to save people, he's out to adjust the market to be
most profitable. Suffering is more profitable than not-suffering.

------
tzahola
This is the situation we put ourselves in by constantly complaining that we
can’t move _fast enough_ and hiring “talent” straight from coding bootcamps.
Brace yourselves, the time to eat your own dogfood is coming! :^)

~~~
twic
The devices in this story - routers, cheap IoT devices, etc - aren't products
of bootcamp-hiring buzzword-spouting Silicon Valley companies, though. They
come from a long tail of decades-old mid-sized electronics businesses with,
AIUI, low margins and cultures that don't value software highly. It's not
about JavaScript hipsters (for once!); this is much more related to the
situation with terrible automotive software.

------
orliesaurus
> I'm sorry to leave you in these circumstances, but the threat to my own
> safety is becoming too great to continue. I have made many enemies. If
> you want to help look at the list of action items further up. Good luck.

This sounds scary - like it came straight out of a movie.

------
angel_j
That's a lot of text; it could be used to analyze the author's writing style
and match it to public {github, twitter,...} profiles.

~~~
gldalmaso
Aren't people especially concerned with keeping anonymity already keen to this by
now?

The author can be deliberately mimicking style or going through translation in
order to avoid this kind of analysis.

------
nautilus12
What evidence is there that this really is the person responsible for
brickerbot?

~~~
eximius
Someone with more knowledge may be able to corroborate events, or verify the
authenticity of the payload he posted.

For what it's worth, the name rang a bell and I found this:
[https://gizmodo.com/this-hacker-is-my-new-hero-1794630960](https://gizmodo.com/this-hacker-is-my-new-hero-1794630960)

The writings seem similar, for what little that's worth.

~~~
putinontheritz
It’s the same person.

~~~
nautilus12
You're saying this editor is the hacker or that he fabricated this text? Would
he really know enough to sound that credible? If not, someone on here should be
able to see right through it.

------
carapace
Pretty much the only important part of this (tremendous!) message is the bit
at the end:

> "The real point is that if somebody like me with no previous hacking
> background was able to do what I did, then somebody better than me could've
> done far worse things to the Internet in 2017."

One person.

~~~
gspetr
Yeah, that gave me a pause too.

Then again, he might not have a "hacking background" but might have a strong
embedded/networking background so he knows where to look, considering how he
found exploits that blackhats missed.

So either he's that good or blackhats are two-bit[0] criminals.

[0] No pun intended.

------
nautilus12
If you aren't a doctor and you start poisoning your friend with cancer's food
does it really count as chemotherapy?

~~~
rdiddly
This is a question of credentials only. Which I don't mean to sound like I'm
dismissing it at all - It's actually the whole reason this guy's effort got
stranded.

Chemotherapy is essentially controlled killing, to mitigate or prevent
uncontrolled killing. Just like (as someone said elsewhere in this thread)
controlled burning is done to mitigate or prevent uncontrolled burning. And
here we have controlled hacking to mitigate uncontrolled hacking.

Society doesn't support anybody killing, burning, or hacking, unless there's a
way to know and recognize, that the person knows what they're doing. Which
(the knowing and the recognizing) is a credentialing problem. It's the only
difference between (doctors, police, firefighters, cybersecurity experts) and
(quacks, vigilantes, arsonists and some-unknown-hacker), respectively. A guy I
don't recognize as a surgeon, is just a masked man coming at me with a knife,
_even if he actually is a surgeon._

If your intentions are good, you should take the trouble to get some kind of
credentials, which can take many forms. (If your intentions are not-so-good
then it makes a lot more sense to bypass that, but also for the public to put
you in the "untrusted" basket.) This guy bypassed credentialing, and that
places him in the realm of those who are not trusted no matter what kind of
good they do. Now he can't continue. Instead of that, imagine there was a
public debate about the relevant issues and this or a similar effort had
actual public consensus and resources behind it.

Now of course I'll grant there are numerous problems with the political
process and consensus-building and all the rest of it. It takes a long time to
get anything done, and learning how to hack is actually the easy part. Good
news: This is actually not the emergency he claims it is. What's the worst-
case scenario, the whole internet goes down tomorrow? Well, it's only the
internet. There are ways of getting food, water and shelter without using a
network at all. Nobody has forgotten how to use pen & paper. Even blankets
will still work without an internet. (Not if these IoT clowns have their way
of course.) Whatever, don't listen to me, I'm older and I lived almost half my
life quite happily in a world where nobody had the internet, yet still
everything got done.

Anyway, the other thing is, a "state of emergency" is how all sorts of
atrocities and shitty decisions are justified by governments, so it's not
something to emulate. The attendant issues deserve to be publicly recognized,
debated, decided and then tackled. Maybe it's wishful thinking to demand that
much from people today.

~~~
nautilus12
> This is a question of credentials only.

And credentials are merely a way to build consensus around what is due process
and who can determine it. The net effect is the same, but the process for
achieving it is without consensus. This is another example of no proper
channels existing, and individuals taking matters into their own hands.

~~~
chii
> individuals taking matters into their own hands.

aka vigilantism. Sometimes it's required, but it signals that a proper channel
should exist for such purposes.

~~~
TremendousJudge
But they don't. Would it be better if this person just tried to negotiate with
notoriously unhelpful bureaucrats while blackhats run amok?

~~~
nautilus12
I actually agree with you to some extent. It's unfortunate this person has to
become an outlaw though.

------
AlexCoventry
> You can download the module which executes the http and telnet-based
> payloads from this router at
> [http://91.215.104.140/mod_plaintext.py](http://91.215.104.140/mod_plaintext.py).

Link's not working. Anyone got a copy?

~~~
pdkl95
Just found this:
[https://github.com/JeremyNGalloway/mod_plaintext.py](https://github.com/JeremyNGalloway/mod_plaintext.py)

edit: I would recommend extreme caution with that file. I'm still reading, but
strings like this are worrying:

    'busybox cat /dev/urandom >/dev/sda &'

~~~
laretluval
Fascinating.

What's up with all the stuff like "if 81 - 81: ..."? Won't that just evaluate
to false and never run?

~~~
marten-de-vries
Exactly. It's there to (very mildly) confuse you.

------
Fej
We as humans are pretty bad at responding to threats proactively. It takes
some damage before we'll take action. In this case, IoT devices are going to
have to take down some major infrastructure before we start regulating them.

------
matthberg
The site either went down or was removed, is there an archive anyone knows of?

~~~
alkyl
[https://archive.fo/RTVpt](https://archive.fo/RTVpt)

------
jhiska
This guy knows he's in trouble for what he's done and decides to rewrite
history to make himself out to be a "good criminal". Re-framed bragging about
his criminal exploits and hilarious (in his mind) escapes from detection
ensue.

Frame it as ISP "conditioning" or as "criminal attack", fact of the matter is
he committed crimes and now he's feeling the heat so he's putting out re-
framed confessions to get the jump on his accusers and try to save his skin.

Then again, people can be more complicated than I give them credit for, and he
might actually be a good hacker. It has happened before. I don't know. Let the
investigators find out the truth. We have no reason to trust him.

------
aalleavitch
Any tools someone can recommend for de-obfuscating this?

~~~
megous
There's no noteworthy obfuscation, aside from weird names of variables.

~~~
nEuralNetS
What's the point of obfuscating then?

~~~
pdkl95
Clean exploit code could be used maliciously (or accidentally) by people that
might not understand the true nature of the program. There is a tradition when
releasing exploit code to obfuscate it or introduce obvious errors that make
the code safe{,er}. This prevents script kiddies from immediately using it,
while anybody who _should_ be reading the code should be able to see through
the obfuscation/errors.

~~~
aalleavitch
I suppose a better question might be, then, does anyone have any resources for
gaining a better understanding of how this exploit works?

~~~
megous
Most of the value is in the data (common login credentials). The bulk of
obfuscated code is probably stuff doing the network communication and perhaps
some other mundane stuff, that you can do manually (over telnet, or whatever)
if you like and don't care about creating a botnet.

------
baybal2
I suspected something like that from the beginning.

------
yipopov
> his/her/hir

Stopped reading there.

------
rixed
So apparently I am the only one who thinks that device manufacturers shipping
insecure devices is not an excuse for an unrelated third party to damage them?

The same as the fact that I did not lock my door does not allow anyone to rob my
home, that I did not replace my fire detector batteries is no excuse for
anyone to set it alight, etc.

To me good security starts by catching this guy and, if he has done the damage
he claims he has, then making him pay for it.

Only when one has been held accountable for what he has done should we go
after companies for negligence, no?

"I discovered this security hole then proceeded to exploit it and damage some
random system/workflow for the sake of demonstration" should not be
acceptable.

~~~
zbr
I want to add that I am not sure yet what my position on this is. But I think
your analogy is not correct - and please feel free to correct me if I am
wrong!

Imagine the following scenario: Manufacturers sell weapons cabinets to
people. Only weapons cabinets are not hidden in your home, instead they are
put out on the street. And now comes the dangerous part: These weapons
cabinets do not lock. Because the manufacturer decided that locks are not
necessary. If someone comes along, should he just ignore this or should he
make the weapons unusable? Because that is what these devices will be used as:
weapons.

~~~
Tepix
My analogy would be he is welding them shut.

------
mhils
From the linked document:

> Deutsche Telekom Mirai disruption in late November 2016. My hastily
> assembled initial TR069/64 payload only performed a 'route del default'
> [...]

AFAIK this is not what happened. Deutsche Telekom had one major incident on
November 27th 2016, but that incident was caused by a denial of service attack
[1]. Given that the routers in question don't even run Linux, 'route del
default' is not really an option anyways, making the first claim of the story
likely to be fabricated.

This seems to be a good fictitious story, but nothing else.

[1]
[https://comsecuris.com/blog/posts/were_900k_deutsche_telekom...](https://comsecuris.com/blog/posts/were_900k_deutsche_telekom_routers_compromised_by_mirai/)

~~~
eyeareque
Linux isn't the only OS with 'route'.

------
HIPisTheAnswer
The Host Identity Protocol (HIP) is the answer to this, and many more
problems. We do not need to disable the dangerous devices if we can have an
_identity based network_ which allows us to whitelist the nodes we allow to
interact with our devices. HIP would also allow mobility to work properly, and
would render the network too opaque to efficiently spy upon. The Internet is
incomplete: It is missing an Identity layer ... HIP!
