"You can become a penetration tester at home by testing your own server and later make a career out of it."
Sounds like the old-style correspondence school ads - a bit hokey.
I would have rewritten that as:
"Many people have actually made a career out of being a penetration tester by first testing their own home server"
My comment related strictly to the style of what they were saying (and how I might rewrite that). I think it's a great idea.
"By and large, Management agrees that there is but one adequate solution to the problem ... a solution that can be applied only by Management itself."
I had my own "let's see what we can do" youth, and sure thing it is very insightful. If we were talking only about business damage, I would say: "well, they deserve it". But we're not.
What do you think would happen if tomorrow the news headline was: "Massive oil truck crash kills 10, caused by hacker tampering with traffic lights."? Repressive laws against any kind of computer toying would become even harsher, and our high schoolers may go to jail for simply trying to have fun.
Let's hope this Shodan isn't as intelligent and psycho as System Shock 2 Shodan! Oh, and no zombies.
I've beaten this game at least 4 times, including co-op a couple times. Such a great piece of gaming history.
As a tribute, my workstation and laptop are named xerxes and shodan.
Apparently it works well under wine, too.
If you can get it to run, you should check out the Thief games as well. They use the same engine.
meaning that with a specific search in Google I can find for example all kinds of cameras or systems one shouldn't find, e.g.:
Maybe Shodan "focuses" on that, but they can't possibly index more of those things than Google already has...
Can you find one single thing over Shodan you can't with a specific Google search? (maybe you find such things more easily with Shodan...)
EDIT: More information on Shodan:
-) Defcon Presentation [pdf]
JoshuaRedmond beneath also provided interesting links
It's run by our very own achillean: https://news.ycombinator.com/threads?id=achillean
(Today,) that's just cruisin' for a bruisin'.
 - http://erratasec.blogspot.co.uk/2009/12/shodan-scares-me.htm...
 - http://www.zdnet.com/blog/security/shodan-search-exposes-ins...
The entire rest of the Internet? Google is great at crawling HTTP and HTTPS, but the Internet is more than the web.
If most think my comment is worthless, the voting system will make it enter the void. If others think it isn't it will be upvoted. That's how this site works.
Just responding with "Shut up" adds nothing to the discussion and is something I am shocked to see on this site :(
I consider that fact a sad commentary on how far HN has fallen.
Tossing in a belittling jab at another website to boot doesn't help either.
I suspect that new users follow something like a 90/10 rule. 90% of them are good to have around, and contribute more than they detract. New blood is good. But 10% contribute junk that is like virtual cholesterol: it builds up, clogs the system, and if left untreated eventually will be lethal to the community. Of that 10%, perhaps 10% are simply toxic waste that you want to get rid of, and 90% just need encouragement to fit in better.
I sometimes comment on egregious comments by the 10%. You've reminded me that I should more often acknowledge the existence of the 90%, and of my hope that the 10% I'm looking at are part of the redeemable 9%.
There is an observation that goes back centuries, which applies here. The observation is that if you pack a barrel of apples and there is even a single bad one, the whole barrel will spoil. But if every apple is good, the barrel will remain good for the entire winter. Thus, "don't let a few bad apples spoil the barrel". We want the apples, but none of the bad ones.
Unfortunately the advent of refrigeration has caused us to forget the original wisdom and the saying is currently used as the exact reverse of its original meaning ("oh, it was just a few bad apples").
An interesting mechanism I think. Before looking that up I would have suspected a biological transmission of infection or something, not a chemical transmission.
In fact this is true for real -"offline"- life as well.
Also saying reddit doesn't have quality discussion is a bit unfair to the minority of subreddits that do.
Transcripts are available in several formats:
What do botnets have to do with crawling the web for unsecured devices? I'm not sure I understand the correlation.
1) Botnets give you a ton of bandwidth to run port scans or crawling searches.
2) They also allow you to "map" port scans or searches over thousands of computers (e.g. one computer in the botnet scans one specific port times ten thousand ports), obscuring the fact that a scan is even occurring.
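The two mechanisms described in the comment above (spreading a scan over many bots so that no single source looks like a scanner), shown as an added example that is not part of the thread: a simulated port scan run first from one host and then round-robin across a botnet, checked against a naive per-source-IP detector and against a per-target detector. All addresses, the port range, the bot count and the threshold are constructed for illustration (RFC 5737 test networks), not data from the page.

```python
"""Added example: why a botnet-distributed port scan evades a per-source
scan detector, and what aggregation catches it anyway.

All inputs below are constructed: TEST-NET addresses, 1024 ports, 200 bots,
and a threshold of 20 distinct ports per source are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# A probe is (source_ip, target_ip, target_port).
Probe = Tuple[str, str, int]


def centralized_scan(scanner: str, target: str, ports: range) -> List[Probe]:
    """One host probes every port: the classic, easy-to-spot scan."""
    return [(scanner, target, p) for p in ports]


def distributed_scan(bots: List[str], target: str, ports: range) -> List[Probe]:
    """Map the port range over the botnet round-robin, so each bot touches
    only a handful of ports on the target."""
    return [(bots[i % len(bots)], target, p) for i, p in enumerate(ports)]


def per_source_detector(probes: List[Probe], threshold: int) -> Dict[str, int]:
    """Naive IDS rule: flag any source that hits more than `threshold`
    distinct ports on one target. Returns {source_ip: distinct_ports}."""
    seen = defaultdict(set)
    for src, dst, port in probes:
        seen[(src, dst)].add(port)
    return {src: len(ports) for (src, _dst), ports in seen.items() if len(ports) > threshold}


def per_target_detector(probes: List[Probe], threshold: int) -> Dict[str, int]:
    """Aggregate by target instead: the target still sees every probed port
    no matter how many sources sent them. Returns {target_ip: distinct_ports}."""
    seen = defaultdict(set)
    for _src, dst, port in probes:
        seen[dst].add(port)
    return {dst: len(ports) for dst, ports in seen.items() if len(ports) > threshold}


def demo() -> dict:
    """Run both scans through both detectors and report what each flags."""
    target = "192.0.2.10"                                 # constructed target
    ports = range(1, 1025)                                # well-known ports
    bots = [f"198.51.100.{i}" for i in range(1, 201)]     # 200 constructed bots
    threshold = 20

    single = centralized_scan("203.0.113.5", target, ports)
    spread = distributed_scan(bots, target, ports)

    return {
        "single_flagged_by_source": per_source_detector(single, threshold),
        "spread_flagged_by_source": per_source_detector(spread, threshold),
        "single_flagged_by_target": per_target_detector(single, threshold),
        "spread_flagged_by_target": per_target_detector(spread, threshold),
        # how many ports the first bot touched: 1024 / 200 rounds up to 6
        "ports_per_bot": len({p for s, _, p in spread if s == bots[0]}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The per-source rule flags the single scanner (1024 ports from one IP) but sees only 5 or 6 ports from each bot and flags nothing; keying the same count on the target instead flags both runs identically, which is the usual answer to this evasion on the defensive side.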
Thank you for the reminder.
Kinda cool they chose that name.
The owner would have the ability to change these at will, and resets would revert to the original UID/pw combination.
Lost your piece of paper? Send the device back. No more trivial hacks.
2) Even if we lived in a world where Netgear was doing all this for MAC addresses on SoCs anyway, often in computing the question isn't why something isn't done now, but why it was done that way the first time someone wrote it. Build systems, factory processes and other legacy cruft are built around a certain way of doing things, and often those ways become the way even if new technology makes other ways simpler later.
I know that this is how some of the router/modem combos from French DSL providers worked - the admin and WPA passwords are two separate UUIDs printed on the device.
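The credential scheme the comments above argue for (a random per-unit login printed on the device, which the owner can change and which a factory reset restores), shown as an added example that is not part of the thread and not any vendor's firmware. The device class, the serial numbers, the label format and the scrypt parameters are assumptions made for illustration; the only real dependency is the Python standard library.

```python
"""Added example: per-device factory credentials with owner change and
factory reset. Everything here is hypothetical; serials and the sticker
format are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

# Assumed scrypt cost; kept small so the example runs quickly.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest; only this is ever stored on the device."""
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


@dataclass
class Device:
    """Admin-login state of one hypothetical router."""
    serial: str
    factory_user: str
    factory_salt: bytes
    factory_hash: bytes
    user: str
    salt: bytes
    pw_hash: bytes

    def login(self, user: str, password: str) -> bool:
        # Constant-time compares on both fields; hash first so a wrong user
        # costs the same as a wrong password.
        candidate = hash_password(password, self.salt)
        user_ok = hmac.compare_digest(user.encode(), self.user.encode())
        pw_ok = hmac.compare_digest(candidate, self.pw_hash)
        return user_ok and pw_ok

    def change_credentials(self, old_password: str, new_user: str, new_password: str) -> bool:
        """Owner re-keys the login; requires the current password."""
        if not self.login(self.user, old_password):
            return False
        self.user = new_user
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new_password, self.salt)
        return True

    def factory_reset(self) -> None:
        """Revert to the pair printed on the sticker, never to a shared default."""
        self.user, self.salt, self.pw_hash = self.factory_user, self.factory_salt, self.factory_hash


def provision(serial: str) -> Tuple[Device, str]:
    """Factory step: draw the password from the OS CSPRNG (not from the MAC
    or serial, so nothing about the unit lets an attacker derive it), keep
    only the salted hash, and hand the plaintext out once for the label."""
    user = "admin-" + secrets.token_hex(2)
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    digest = hash_password(password, salt)
    device = Device(serial, user, salt, digest, user, salt, digest)
    label = f"{serial}  login: {user}  password: {password}"
    return device, label


def lifecycle() -> dict:
    """Walk one unit through sticker login, owner change, and factory reset."""
    dev, label = provision("SN-000123")
    printed_pw = label.split("password: ")[1]
    owner_user, owner_pw = "owner", "correct horse battery staple"
    r = {}
    r["sticker_works_new"] = dev.login(dev.factory_user, printed_pw)
    r["changed"] = dev.change_credentials(printed_pw, owner_user, owner_pw)
    r["sticker_after_change"] = dev.login(dev.factory_user, printed_pw)
    r["owner_after_change"] = dev.login(owner_user, owner_pw)
    dev.factory_reset()
    r["sticker_after_reset"] = dev.login(dev.factory_user, printed_pw)
    r["owner_after_reset"] = dev.login(owner_user, owner_pw)
    # A neighbouring serial gets an unrelated password: nothing to derive.
    _other, other_label = provision("SN-000124")
    r["labels_differ"] = other_label.split("password: ")[1] != printed_pw
    return r


if __name__ == "__main__":
    for step, ok in lifecycle().items():
        print(f"{step}: {ok}")
```

The point of the design is in `provision` and `factory_reset`: the reset path restores a per-unit secret that exists only on the sticker and as a hash in flash, so "lost your paper, send it back" is the worst case and a shared admin/password default never exists.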
Also, why has no terrorist yet used those security failures to commit terror?
Once a random dude managed to log into ISS controls... Ever wondered what happens if some terrorist crashes the ISS into New York?
And then the red light cameras start magically getting bullet holes in them.
you're also assuming no one has done it - I have no idea whether or not someone has used shodan for malicious purposes, but that certainly doesn't mean it hasn't happened.
More info on the book: https://www.kirkusreviews.com/book-reviews/louis-charbonneau...
The ISS has some engines; crashing it into Earth is very simple. You can just thrust in the opposite direction to the one you are going (thus falling into the planet, although slowly, and probably the astronauts can find the attacker and put it back into orbit before anything serious happens), or you can thrust on a diagonal of sorts, to slow your speed AND head toward the planet (if you just accelerate toward the planet it is more probable that you will only create an elongated orbit, and if you insist, you will slingshot out of orbit).
Matherly, who completed Shodan more than three years ago as a pet project, has limited searches to just 10 results without an account, and 50 with an account. If you want to see everything Shodan has to offer, Matherly requires more information about what you're hoping to achieve -- and a payment. "
How does the fact that he charges for it mean that it's "almost exclusively used for good"? I would argue there is very little incentive to pay for something like this unless there is a monetary gain.
I guess a university security researcher is looking for monetary gain in the form of grants, though.
How can there be any conceivable reason to connect these systems to the internet? Do they WANT an attack right out of a technothriller novel or the latest James Bond film?
Many companies pay attention to this sort of thing and make an effort to isolate these kinds of devices to the local intranet. For every company that is good about it, there are probably 10 that aren't even aware of the issue.
So my big question is: Is there a way to solve this 'security failure'? And if so, what is it/is it feasible? For someone with malicious intentions, Shodan seems to be golden.
As an example, take WordPress. I talk to people all the time who say "oh, WordPress isn't secure" even though the reasons most WordPress sites get hacked are due to practices that would make you vulnerable no matter what CMS you run -- not keeping up with security patches, running unneeded services on the server, not putting the admin area behind SSL, etc. But there's lots of people who move from WP to, say, Drupal and think that's made them secure, even as they continue doing all those same practices.
 - http://internetcensus2012.bitbucket.org/paper.html
Oh, and I've seen this in a few locations now but: NO SUBSCRIPTION REQUIRED. All of the stuff that's sold on the website is a one-time charge. There are no subscriptions on the website :)
When is an admin/password login not acting as an admin/password login at all?
In general, it is pretty humorous that these things still catch people by surprise :)
Wonder if that's just because of the publicity, or is someone DoS'ing them.