Deploying millions of devices with fixed passwords that dumb is clear evidence of gross negligence on the part of IoT device manufacturers. If this gets to court, some lawyer is going to enter that list as evidence and read it to a jury.
"That's the kind of combination an idiot would have on his luggage!" - Spaceballs
I've been getting cozy with Shenzhen-based hardware accelerators for the past year as part of a personal side-venture and I have not seen a group so pressured to deliver a product as fast as possible with security being a casual afterthought. To get a decent taste of what it's like, I wholeheartedly recommend WIRED's Future Cities documentary on Shenzhen and the companies that dwell there. Their struggles for ephemeral market share are endemic to the entire community that's taken over embedded hardware for the past few years.
The saddest aspect of it all is that this market competition isn't benefiting the consumer. IoT devices are coming out of the factories poorly engineered, badly maintained for far too short a time, and, as we've learned from this attack, being used as vectors for network intrusion and distributed censorship. Even Arduino founder Massimo Banzi's widely-lauded IoT Manifesto fails to approach any comprehensive statement regarding a dev's responsibility to build in some level of security to their devices.
It just isn't part of the fast-and-loose culture that has been bred by trend-setting companies with unlimited budgets making bad decisions from the very start. In addition, the if-you-can't-beat-'em-join-'em attitude the West has taken towards churning out hardware devices as fast as they can, before jumping to the next IoT piece of junk before the ripoffs can hurt them, is really disappointing, as it prevents any considerable effort from going into a device pre- and post-release.
All in all, the IoT community is not going to change their priorities unless someone very powerful forces them to and it can't happen soon enough.
https://www.youtube.com/watch?v=SGJ5cZnoodY (This is over an hour long but very worth it)
https://techcrunch.com/2014/01/06/nest-4-0-firmware-battery-... & again in 2016 http://www.nytimes.com/2016/01/14/fashion/nest-thermostat-gl... I'm not even going to touch the Dropcam and IoT smoke detector.
I hate this phrase. It's not like a bunch of people gathered and said "let's make shitty IoT stuff!". It's not a "community", there aren't groups around advocating against security best practices.
If anything the actual community around IoT stuff takes security more seriously than most HNers.
The problem is the companies and manufacturers that aren't part of the community.
And I take issue with your . That has nothing to do with security. It was a glitch, and it happened, and I personally don't like Nest as a company very much and think they make pretty shitty products, but they take security seriously, and in a discussion about IoT security linking a non-security related software bug serves no purpose. Everything has bugs, that doesn't mean it's absolute shit when something goes wrong.
Your  is also incorrect. The Arduino IoT Manifesto's second point is that a dev should make sure their product can be updated, and even if it's abandoned it should be able to be repurposed in something else, or updated by someone else.
From the full mirror linked below
Question for the C folks. The author seems to have reimplemented functions such as strlen, memcpy, and atoi in 'bot/util.h' instead of using the stdlib. Anyone know why?
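The thread doesn't say why the author avoided the stdlib, so the following is an added example of my own, not code from the Mirai source or its 'bot/util.h': hypothetical freestanding versions of strlen, memcpy and atoi (names util_strlen, util_memcpy, util_atoi are my own), plus a self-check that compares them against the libc versions on constructed inputs. It shows what such replacements look like when written with no libc dependency at all, and how to confirm they still behave like the functions they replace.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Freestanding strlen: no libc call, byte loop until NUL. */
size_t util_strlen(const char *s)
{
    const char *p = s;
    while (*p != '\0')
        p++;
    return (size_t)(p - s);
}

/* Freestanding memcpy: forward byte copy; like memcpy, regions must not overlap. */
void *util_memcpy(void *dst, const void *src, size_t n)
{
    unsigned char *d = (unsigned char *)dst;
    const unsigned char *s = (const unsigned char *)src;
    while (n-- > 0)
        *d++ = *s++;
    return dst;
}

/* Freestanding atoi: skip leading whitespace, optional sign, then digits;
 * stops at the first non-digit and returns 0 if no digits were seen. */
int util_atoi(const char *s)
{
    int sign = 1;
    int value = 0;

    /* isspace() without <ctype.h>: the six C whitespace characters. */
    while (*s == ' ' || *s == '\t' || *s == '\n' ||
           *s == '\r' || *s == '\f' || *s == '\v')
        s++;

    if (*s == '-') {
        sign = -1;
        s++;
    } else if (*s == '+') {
        s++;
    }

    while (*s >= '0' && *s <= '9') {
        value = value * 10 + (*s - '0');
        s++;
    }
    return sign * value;
}

/* Compare the replacements against libc on constructed inputs.
 * Returns 1 when every result matches, 0 on the first mismatch. */
int util_selfcheck(void)
{
    /* Constructed sample inputs, including edge cases: empty string,
     * leading whitespace, explicit sign, trailing garbage, no digits. */
    static const char *const samples[] = {
        "", "0", "42", "  -42abc", "+7", "abc", "\t\n123", "-0"
    };
    size_t i;
    char a[16], b[16];

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *s = samples[i];
        size_t len = strlen(s);

        if (util_strlen(s) != len)
            return 0;
        if (util_atoi(s) != atoi(s))
            return 0;

        /* Copy including the NUL and compare the destination buffers. */
        memcpy(a, s, len + 1);
        util_memcpy(b, s, len + 1);
        if (memcmp(a, b, len + 1) != 0)
            return 0;
    }
    return 1;
}
```

The self-check is the part worth keeping around: any time a project carries its own copies of libc routines, a test that diffs them against the real thing on edge-case inputs catches the subtle divergences (sign handling, whitespace, off-by-one on the terminator) that otherwise only show up in the field.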
i586 mips mipsel armv4l armv5l armv6l powerpc sparc m68k sh4
I have five cameras set up with NAT port holes. My passwords are (I believe) secure. But even if they were on the list, how could that be used to generate outbound traffic to DDoS someone? Presumably, only by a further vulnerability in the firmware.
In all the media / HN coverage, even with the release of the Mirai source, I have yet to see a concrete example of a brand/model of camera/DVR whose firmware is exploitable. Let alone a list of models that are.
One exception: The D-Link DCS-930L has a known vulnerability.
Edit: Okay, if you can get in on telnet, then nevermind; you're p0wned. But if you're a webcam on port 8080, what is the attack vector?
Or maybe this is a greybeard hacker?
It seems to me that destroying the vulnerable devices would solve the DDoS problem and gives a big kick in the face of the affected manufacturers plus a good press coverage.
Is there a reason this can't be done? (Other than a legal reason, which hackers don't tend to care too much about.)
This explains how it's used, etc.
Since there is no way to police this, and 'whack-a-mole' for billions of devices is not a practical strategy, this security focus on IoT devices, while nice, does not address the core problem of vulnerable networks and DDoS. It distracts and diverts from it.
In other words, it could have been anyone?
"Mirai" is a rather generic name; for a moment I was wondering if it was related to the https://en.wikipedia.org/wiki/Toyota_Mirai ...but it did make me click to find out.
I assumed (guessed) it was the last name of the "father of the internet" in Japan.