Ethics discussion aside, it is really cool to hear about a massive project that a single person performed in secret.
I see all of these job listings for "big data" projects with hot startups and here is 1 guy generating a billion records in 1 hour, for fun.
It kind of reminds me of the MIT students' Stealing Profits from Stock Market Spammers presentation, because they waited 3 years before talking about it. Source: http://defcon.org/images/defcon-17/dc-17-presentations/defco... (video is also on the website)
This is technically interesting and clearly a cool hack, but it leaves a really bad taste in my mouth. It would be one thing to report on the large number of insecure embedded devices attached to the Internet, but it's another thing to actually use other people's devices without their permission-- especially at this kind of scale.
HD Moore's DerbyCon presentation last year (http://www.youtube.com/watch?v=b-uPh99whw4) showed that scanning the entire Internet without resorting to using other people's devices to perform the scanning is technically feasible and produces good results. The dataset for scanning for even a fairly large set of applications isn't tremendously large.
I wonder how many of the 420,000 machines they ran their code on got screwed up by them?
As anyone who's tried to manage a cluster of machines knows, it's a pain to get everything working. Even when you have complete control over the hardware, software and network, distributing code to the cluster and making the cluster send stuff back is difficult. So much can go wrong and it is easy to take out servers with what seems like the most trivial of mistakes.
Now try doing this with almost half a million machines, of unknown hardware, already running unknown software, and operating in network conditions that you have no idea about. Do you think they did it perfectly and nothing went wrong?
They undoubtedly broke or disrupted many computers and systems here, and they know it. They can write all the weasel-words they like about how nice and kind they were, but I am sure they broke a lot of people's systems (some of them, by their own admission, running important services).
While the researchers have no moral high ground to stand on here, neither do the 420,000 people (or whatever division of that is owned by separate groups) that are running insecure devices. I've messed up and put insecure stuff on the internet before. I'd rather have it go down and break in a fire rather than having it quietly ship personal information to (feared country of choice).
If you put an insecure device on the internet, the damage that ensues is your fault. Ignorance cannot be an excuse. Default passwords and no passwords are just unacceptable. Yes, by some twisted logic you can blame the hacker, but as time goes on we see more and more state sponsored attacks. It is their job to hack in to equipment of other nations for various reasons. It is your job to keep that from happening.
TL;DR There is no such thing as a trivial mistake on a public network.
Someone who leaves his car door open & his car running is obviously practicing poor security. But it doesn't take "some twisted logic" to show that a thief is still culpable for the crime if he takes the car. I don't think the analogy breaks down in any essential way when applied to the current discussion.
> thief is still culpable for the crime if he takes the car.
Unless the thief is in a country that neglects, ignores, or rejects your law. This is where the analogy breaks down. Unless you fool the person into coming to your (or another friendly) country, they can hack you with impunity. That said, there have been examples of hackers dumb enough to come to the U.S. after the fact.
A better way to look at this instead of the criminal method is the insurance method. Your insurance company is going to be unwilling to pay for your loss because you were stupid and left your car open and running where Russian gangsters could steal it with impunity.
We're not talking about a thief who took the car. To complete your analogy, the intruder installed a GPS device and gathered real-time traffic data. Illegal? Probably. But not theft.
But honestly it would be pretty hard to break it beyond what a reboot would fix. Most of those embedded devices probably don't have a persistent /tmp directory and even if they did the only chance of really screwing it up would be if that 45 - 60 kb binary took up enough space to break something. It seems pretty unlikely and even then I'd consider it a net positive because then someone notices the device with root exposed to the world.
> (some of them, by their own admission, running important services)
It sounded like the author targeted only the most common hardware configurations, so it's likely that these were TV set-top boxes and ISP-issued routers. At any rate, if there was a massive spike in worldwide equipment failures between June and October of 2012, we probably would've heard about it.
What would happen if (when?) someone with more evil intentions decides they would like a 420,000 device botnet of their own? Or how much damage could one do by shutting off all these devices simultaneously?
> What would happen if (when?) someone with more evil intentions decides they would like a 420,000 device botnet of their own?
You think massive botnets don't exist already?
> How much damage could one do by shutting off all these devices simultaneously?
The only reason this hasn't happened so far is because there's no profit in this. There's more money to be made keeping a low profile and spamming / phishing.
> What would happen if (when?) someone with more evil intentions decides they would like a 420,000 device botnet of their own?
If you read into the details, you'll realize someone else already did: the Aidra botnet. The author spotted them pretty quickly, and took some steps to prevent their spread.
This is a way cool idea. Probably not the best thing to happen to the internet on a daily basis, but an amazing project nevertheless.
Just waiting for someone to start mining bitcoins on 420,000 slightly underpowered CPUs...
(Ok, seriously now.) The traceroute data could be used to build an interesting map of the internet. I'm sure there's lots of cool things that can be done with what has been released.
This is some interesting research. I am wondering though: Does anyone know whether there are any potential legal issues with scanning devices / networks that do not belong to you ? Is it possible for you to get into trouble in engaging in this activity?
It's legal to port scan networks you don't own (from a US perspective), though logging in and/ or performing changes to the device are definitely not. As another person has mentioned, you will get a lot of abuse emails but there's nothing illegal about port scanning by itself.
As someone who has scanned e.g. all of 24.0/8 from a work machine, you do get angry emails to abuse@<your-reverse-dns-name>. I don't think there are legal issues here -- these are all public services on the internet. But installing software like the author did is legally problematic.
They didn't say they rebooted any devices. They said that they didn't make the binary persist through reboots. They probably installed their binary in /tmp/ or similar which would get wiped if the device happened to reboot.
Uploading and running executable code on other people's devices without their permission is absolutely illegal, regardless if it's exposed or not. I would be pissed if someone did this on any of my devices.
I'd be pissed at myself for running a no-password/default-password device on the global internet that is connected to nations that we (as in my nation) consider enemies.
It's only by growing up in a country that does an amazing job that you end up with the stupid idea that countries are unimportant. Hint: other people want your stuff and somebody needs to protect it.
PS: Some people were shocked that Greece defaulted, ignoring that "Greece faced economic hardships and defaulted on its loans in 1826, 1843, 1860 and 1893." Why? Because as a nation they can get away with it, so why not?
Acknowledging that nations still have political, legal and economic significance is common sense and is not nationalism.
Worldview from some assumed national perspective = nationalism.
For example, viewing the entirety of the global internet in terms of the fact that certain other countries (that may be nominal enemies of 'your' (hah!) country) are connected to it.
Interesting, maybe we should revoke IPv4 assignments to Apple, Ford, HP, Prudential etc. who aren't using anything close to the 16 million IP addresses they have.
Sure, NAT and a few more blocks will help. For a while...
With the recent IPv4 address burn rate — the rate at which the last remaining address blocks were issued — reclaiming a half-dozen /8 blocks would be a rearguard action at most, and an effort and a hassle that would detract from IPv6.
For data, select the column with the IANA date sort here:
and then consider how long a few more added /8 blocks would really last. By my count, fourteen /8 blocks since 2009. And the rate that network-connected devices are arriving isn't slowing.
In some cases those addresses are used but they are NATed behind different public IP addresses. (No, we can't use 10/8.) But now that each /8 is worth almost $200M, just wait for a slow quarter and those addresses may find their way to people who need them.