
They will find the one responsible, oh yes they will.
An anonymous researcher has taken an unorthodox approach to achieve the dream of mapping out the entire remaining IPv4 internet - and in doing so broken enough laws around the world to potentially put him or her behind bars for thousands of years. To scan the IPv4 address space, billions of pings must be sent to discover all …
Anyone sufficiently intelligent to do something this amazing would have no problems remaining anonymous if they really wanted to and it occurred to them (it's amazing how smart some people can be and still lack common sense). I'm aware of the different ways remaining anonymous can be achieved as an IT professional as will many other reg readers. *coughs* PRINGLES *coughs*
* I would like to add for the record as an IT Professional that I don't endorse anything unethical or illegal in this statement.
Anyone sufficiently intelligent to do something this amazing would have no problems remaining anonymous if they really wanted to...
First of all, this is not that "amazing". A script kiddie could have done this.
Second, ability in one field does not necessarily translate to ability in another. There's no reason to assume an "amazing" physicist would make even a passable geologist, for example. So ability in creating a botnet doesn't necessarily translate to ability to hide one's tracks.
Ahahahah.
You have no idea what you're talking about.
Getting a piece of C to compile for multiple architectures and operating system flavours, especially embedded ones, and run without segfaulting or accidentally breaking something due to someone's insane interpretation of some obscure implementation of "POSIX", that's a challenge that is so far beyond the average script kid these days they couldn't see it with the Hubble Telescope.
"Getting a piece of C to compile for multiple architectures and operating system flavours, especially embedded ones, and run without segfaulting or accidentally breaking something"
Well that's a very good point isn't it. How do we or this "researcher" know he didn't totally fsck up some of the systems he ran his code on.
It'd be interesting to know the number of IPs he was able to log in to which suddenly became uncontactable after his code ran.
I wonder what percentage of those were
a) legitimately switched off
b) changed IP
c) someone or something noticed his code and killed it
d) coincidently had a fault at that time
e) the system broke/exploded due to his code
"Getting code to compile for multiple architectures"
And that's the problem - he had absolutely no way of knowing if what he was doing was going to stop mis-configured hardware working, he also had no way of knowing what the hardware was and what it was doing at the time.
This is an utterly irresponsible act.
"This is an utterly irresponsible act."
Possibly. But what is more irresponsible is putting a device, ANY device out there with not only TELNET enabled, but also with global root access, and either a blank or same-as-username password. THAT'S the utterly irresponsible act.
Just thinking "oh security doesn't matter - this device won't connect to the internet" is bloody stupid... if that were truly the case, then why do the devices have default gateways configured... allowing communication with the outside world.
If this guy really wants to avoid negative legal action, he should send out notifications to the owners of all the IP addresses that he managed to get into to tell them to fire their IT staff!
Sure a script-kiddy could have done this: badly and in such a way that it would have failed to work on half the targeted boxes, or broken them, or made its presence obvious. And they'd also have it all traceable back to their bedroom.
Doing it so no-one noticed, over such a long period. Well it's maybe not brilliance, but evidence of an excellent professional who really knew what they were doing. Ethically however.... dodgy ground indeed.
"Doing it so no-one noticed, over such a long period."
Good point, my first thoughts were why didn't the security companies report seeing traces? or was this something that they saw but because they couldn't get a handle on it, they didn't make any announcements?
Perhaps the main reason for this low profile was the decision to target specific device platforms. Although the report doesn't give too many details, I suspect the target OS was Linux-based and the preferred platform was consumer routers and set-top boxes, i.e. not end-user workstations, since these would typically be sitting behind a router.
Basically, the target systems were those that normally do not run any security software, unlike many Windows workstations, and hence were highly unlikely to detect and report the presence of new code. Additionally, the code was focused on devices directly attached to the Internet rather than via a LAN/private network, i.e. places where it is possible to monitor network traffic and identify abnormal traffic patterns.
This research also raises a question about the claims that get made about Linux security, as without a security scanner how would you know if a Linux system was running unauthorised code?
Finally what this research also demonstrates is that it isn't only SCADA systems that are in need of greater security (see http://www.theregister.co.uk/2013/03/20/scada_honeypot_research/ ) ...
As one of the first things you do is change the default admin ID and password, and limit the scope of any remote login facility (if you don't disable it completely) you won't need to worry that your router has been compromised by this sort of attack, will you? You did change the ID ... ?
Whilst it is not impossible for a script kiddie to have done this, I've yet to come across any script kiddie who can coherently write up the results of their work; the paper and level of presentation detail strongly indicate that this is the work of a professional, albeit one who gets a kick out of what they do - but hey, that's the reason why many of us work in IT.
The real problem facing the person behind this research will be keeping quiet!
This research really is something to shout about. If this was a 'normal' research project there is more than enough material for the person to write this up as a formal paper and have it published as the product of a masters project. Additionally, how many people can say that they've built and successfully operated a massive botnet? But that ignores the successful retrieval and collation of substantial amounts of data from it and its analysis and interpretation.
So I would expect details to eventually leak out - however, unless people can actually provide evidence that their device was used I would think the researcher is relatively safe from prosecution...
Yes, there is a question of ethics here, but going by the description in the article the researcher in question did everything By The Book when it comes to Gentleman Hacking.
Hell, he even left his contact details right there in the code....
Even so, besides a pretty map the whole project has proven a number of things:
- Linux devices are as secure as their admins. Come on... standard passwords?
- There are other people actively using the same vector for not-so-friendly purposes.
- You cannot stop, nor deter a dedicated Nerd.
The guy should get a medal for this, really.
Name just *ONE* time a government has not done its level best to prove its idiocy? Indeed, over the past decade, many governments seem to try to outdo each other in idiotic acts.
So, I suspect this researcher will end up in prison until the heat death of the universe. :/
This activity seems to be on the level of "urban exploration". On a bad day you may end up being chased by rats, guard dogs, mafiosi and coppers. Or come too near a radioactive landfill site. Or give an old lady a premature heart attack. On a good day, you come away with a set of nice high-resolution pictures.
There is always the chance that the scan hits the Internet-connected widely open medical device controller, which would be bad. I still wouldn't get into a tizzy over "ethics", which are often just a convenient bullet-pointed-and-ordered-by-priority way of pretending that tradeoffs and fast or dubious decisions don't exist in the real world. Or worse, that one is whiter than driven snow...
'- Linux devices are as secure as their admins. Come on... standard passwords?'
Admins?, A quote from the article
'The vast majority of infected systems were consumer routers or set-top boxes'
So, these devices really have no 'admins', per se, and their users probably haven't a clue they run any sort of OS at all. The manufacturers need their arses collectively kicked regarding things like default security of these devices, knowing full well that the average target user of a piece of consumer electronics is just going to plug the bugger in and get on with it without RTFM about security.
What should be more of a worry (though it isn't that surprising) were the
'..Cisco and Juniper hardware, x86 equipment with crypto accelerator cards, industrial control systems, and physical door security systems.'
that they managed to compromise.
From this, I take it, amateur hour isn't quite over yet out there.
I'm pretty sure our router participated. It was decommissioned yesterday but, yes, it was admin/admin and I had no say in the matter. You can have the most knowledgeable security people in the world but it doesn't do jack if management (CEO) sets an idiotic policy.
OTOH, policy set by the new manufacturer created the password from hell, and aside from typos, I'm loving it.
The guy should get a medal for this, really.
Yawn, here we go again. I walked into your house because you left the door unlocked and I'm only surveying the wallpaper in this street - still illegal, still going to jail, still not passing "Go", and still not collecting $200.
So, let me use uppercase because it appears it is needed.
THE REASON FOR WHICH YOU BROKE THE LAW MATTERS ONLY INSOFAR AS IT CAN AFFECT THE FINE WHEN CAUGHT - IT DOES NOT CHANGE THE FACT THAT YOU COMMITTED A CRIME.
Got that? Good. Read it *again*.
FFS, get this into your thick heads - the only safe way to explore security is by permission, and you damn well should get it in writing - people have a habit of changing their minds when you dig up something embarrassing. Accessing any kind of device without the explicit permission of its owner is in most countries considered a criminal act, for very good reasons (this is the coat hanger they convict the bad guys with as well, and they would naturally claim they were only checking security). This is why you cover your rear end when you report a vulnerability you come across as "it is possible that"...
Even accessing a public website in a manner different than your normal browser would, can, if proven, get you in trouble.
I've seen plenty of documentaries in which UK policepersons will sneak up on unsuspecting people in railway stations or similar places and take their bag (which they are not watching properly) and wait until the person notices it is missing (usually when then setting off) before advising them of the error of their ways.
It used to be common practice for police on foot patrol at night (OK, I know, I'm nostalgic) to rattle the doors/gates to commercial premises to check they were secure and if not, to pop in to check that all was well and if possible, later advise the owner to apply better security.
Both of the above are laudable, and done with the best of intent. In the latter case there's no reasonable suspicion of an offence other than an unlocked door and in the former there's no crime except that possibly (no permanent deprivation intended so it's not theft but it might be something like "interfering with my stuff") being committed by the officer.
I wouldn't seek to stop either practice but perhaps on examination the actions of the police are a little bit greyer. PC Dixon's not going to do the same to my computer. How, really, do the actions of this researcher in this instance (and I appreciate the dangers of setting precedent) differ? I know, I could pay a company to do this but most people aren't going to, in the same way that most people won't engage a security contractor to come and assess their home. You're certainly not going to get such a wide survey done via contractors. Just food for thought.
>>I've seen plenty of documentaries in which UK policepersons will sneak up on unsuspecting people in railway stations or similar places and take their bag (which they are not watching properly) and wait until the person notices it is missing (usually when then setting off) before advising them of the error of their ways.
It used to be common practice for police on foot patrol at night (OK, I know, I'm nostalgic) to rattle the doors/gates to commercial premises to check they were secure and if not, to pop in to check that all was well and if possible, later advise the owner to apply better security.
Both of the above are laudable, and done with the best of intent.
1) Both of those are done by POLICE not VIGILANTEs
2) It's not illegal for me to pick up your bag. I'm not going inside to rummage about and then handing it back. Entering your computer system uses cycles and you cannot guarantee his code is bug-free.
To follow up on JDX
The appropriate phrases around the police checking doors are "policing by consent" and "within a legal framework"
Such activities were with the connivance of the owners and their insurers.
A modern equivalent of trying the doorknob might be to see if a password challenge was issued but no more than that.
Yawn, here we go again. I walked into your house because you left the door unlocked and I'm only surveying the wallpaper in this street - still illegal, still going to jail, still not passing "Go", and still not collecting $200.
In the UK, this would not result in jail time. It's unlikely to even result in prosecution. The only reason it would be against the law at all is because of recent changes to squatting legislation.
There are 'white hats', 'gray hats', 'black hats' and ass hats... An ass hat is someone so naive as to believe that they are breaking no laws in their squeaky-clean lives. This gives them the moral authority to proclaim from behind their anonymous coward masks that indeed THE REASON FOR WHICH YOU BROKE THE LAW MATTERS ONLY INSOFAR AS IT CAN AFFECT THE FINE WHEN CAUGHT - IT DOES NOT CHANGE THE FACT THAT YOU COMMITTED A CRIME.
Well, let me tell you, ass hat... that laundry you are wearing isn't as clean as you think it is...
This post has been deleted by its author
Poppycock.
If someone breaks into my car while I'm on holiday and drives around in it to do their shopping, then washes it and tops up the fuel and leaves a thank-you note, it does not stop it being a crime.
If they break into my house and live there but do no damage it's still a crime.
Please, buy a ticket to the real world. Just because it's the internet does not mean it's OK. It's cool and clever in the same way many crimes are cool and clever but it's still a crime.
Not taking action sends out a message plain and simple that this kind of thing is OK. What happens when 100 people do the same thing and all target the same devices?
This argument again?
1) DEC doesn't exist anymore, it's HP now.
2) Getting a few /8's back just delays the inevitable by a few months. That's it. By the time you force HP to renumber their entire internal network just to free the /8 up, it would already be too late.
Instead of trying to take things away from people that they legitimately have, maybe you should start IPv6 enabling your network.
"Instead of trying to take things away from people that they legitimately have, maybe you should start IPv6 enabling your network."
I don't know about everyone else but my networks have been IPv6-ready for several years now. I see precisely zip IPv6 traffic (a bit of IPv6 NTP to a pool server I run, but that's about it). Hell, my log analysis scripts still break on IPv6 and I can't be bothered to fix them for the rare occasions one of those addresses pops up in the logs.
And before we start questioning why home users aren't using IPv6, maybe we should point the finger at places like The Reg itself, or Slashdot, or any one of the myriad "technical" sites that doesn't even publish an AAAA record at all but yet PUBLISHES ARTICLES about it.
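The "log analysis scripts still break on IPv6" complaint above is common enough to deserve a worked fix. What follows is an added example, written for this page and not code from the commenter, the article or the census project: it parses the client field of combined-format web-server log lines with Python's ipaddress module instead of a dotted-quad regex, folds IPv4-mapped addresses from dual-stack listeners back to IPv4, and canonicalises IPv6 so one client written two ways is counted once. The sample log lines are constructed and use the documentation ranges 192.0.2.0/24 and 2001:db8::/32.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in Apache/nginx "combined" format. The addresses
# come from the documentation ranges 192.0.2.0/24 and 2001:db8::/32.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29"
2001:db8::1 - - [20/Mar/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.29"
2001:DB8:0:0:0:0:0:1 - - [20/Mar/2013:10:00:03 +0000] "GET /a HTTP/1.1" 404 12 "-" "curl/7.29"
::ffff:192.0.2.10 - - [20/Mar/2013:10:00:04 +0000] "GET /b HTTP/1.1" 200 33 "-" "curl/7.29"
[2001:db8::1] - - [20/Mar/2013:10:00:05 +0000] "GET /c HTTP/1.1" 200 33 "-" "curl/7.29"
not-an-address - - [20/Mar/2013:10:00:06 +0000] "GET /d HTTP/1.1" 400 0 "-" "-"
"""

# The kind of pattern that "breaks on IPv6": it silently matches nothing on
# five of the six lines above, so those hits never reach the report.
NAIVE_IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def naive_count(lines):
    """How many lines a dotted-quad-only parser would even see."""
    return sum(1 for line in lines if NAIVE_IPV4.match(line))


def parse_client(line):
    """Return the client address of a combined-format line as an
    ipaddress object, or None if the first field is not an address."""
    field = line.split(" ", 1)[0].strip("[]")   # some log formats bracket IPv6
    try:
        addr = ipaddress.ip_address(field)
    except ValueError:
        return None
    # A dual-stack listener logs IPv4 clients as ::ffff:a.b.c.d; fold those
    # back to IPv4 so one client is not counted as two.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def summarize(lines):
    """Count hits per client (canonical textual form) and per address family.
    Returns (per_address, per_family, unparsed_line_count)."""
    per_address = Counter()
    per_family = Counter()
    unparsed = 0
    for line in lines:
        addr = parse_client(line)
        if addr is None:
            unparsed += 1
            continue
        # str() of an IPv6Address is the compressed lowercase form, so
        # 2001:DB8:0:0:0:0:0:1 and 2001:db8::1 land on the same key.
        per_address[str(addr)] += 1
        per_family[addr.version] += 1
    return per_address, per_family, unparsed


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("dotted-quad parser saw", naive_count(lines), "of", len(lines), "lines")
    per_address, per_family, unparsed = summarize(lines)
    for address, hits in per_address.most_common():
        print(f"{hits:4d}  {address}")
    print("by family:", dict(per_family), "unparsed:", unparsed)
```

On the sample the dotted-quad regex sees one line; the ipaddress-based parser attributes two hits to 192.0.2.10 and three to 2001:db8::1 and reports the one malformed line rather than dropping it silently. The same approach works for any log whose first field is the peer address; if your format puts a port after the address, split that off before calling ip_address.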
If you really want to get technical, do any of these companies actually need a /8 (some have more than one as well)?
006/8 Army Information Systems Center
013/8 Xerox Corporation
015/8 Hewlett-Packard Company
016/8 Digital Equipment Corporation (acquired by Compaq who was then acquired by HP)
017/8 Apple Computer Inc.
018/8 MIT
019/8 Ford Motor Company
021/8 DDN-RVN
022/8 Defense Information Systems Agency
026/8 Defense Information Systems Agency
028/8 DSI-North
029/8 Defense Information Systems Agency
030/8 Defense Information Systems Agency
033/8 DLA Systems Automation Center
034/8 Halliburton Company
044/8 Amateur Radio Digital Communications
048/8 Prudential Securities Inc.
051/8 UK Government Department for Work and Pensions
052/8 E.I. duPont de Nemours and Co., Inc.
053/8 Cap Debis CCS
054/8 Merck and Co., Inc.
056/8 US Postal Service
057/8 SITA
The DoD has four /8's.
Lastly, there are a number of /8's that have never been assigned:
000/8 IANA - Local Identification
240/8 Future use
241/8 Future use
242/8 Future use
243/8 Future use
244/8 Future use
245/8 Future use
246/8 Future use
247/8 Future use
248/8 Future use
249/8 Future use
250/8 Future use
251/8 Future use
252/8 Future use
253/8 Future use
254/8 Future use
255/8 Future use
There would be some /24's out of 0/8 and 255/8 that couldn't be assigned but others that would be usable.
The real answer is IPv6 as sooner or later you need the additional addresses. When most of the legacy IPv4 blocks were assigned, the address space was used internally. There are institutions that still do that which is just a huge waste of address space.
Probably because there are far, far more of them, most are run by average consumers and they are left running 24x7.
The majority of the commodity hardware sat on the actual Internet or in the DMZ (as opposed to NATed) is running Linux, simply to get a network stack.
ADSL routers, switches, firewall appliances, Internet-webcams - that kind of thing.
Comparatively, there are very few Windows PCs directly on the Internet anymore - it's only really servers these days, and one would hope the admins of the majority are sane and competent.
In most cases the idiocy is probably the device manufacturer, leaving telnet or SSH turned on with a default password.
Very few home users are going to check the security of the WAN port of their home ADSL router, and they aren't going to try SSH or telnet attacks when fitting a webcam to watch the kids from work, they'll just forward the ports or even put it in a DMZ.
Because Windows forces you to choose a secure password - and has far fewer remote exploits than Linux. 99% of Windows exploits require user interaction, whereas 99% of Linux exploits don't. This is why Windows get desktop viruses and Malware, but is far more secure and less likely to be hacked as a server system than Linux is.
Because Windows forces you to choose a secure password - and has far fewer remote exploits than Linux. 99% of Windows exploits require user interaction, whereas 99% of Linux exploits don't. This is why Windows get desktop viruses and Malware, but is far more secure and less likely to be hacked as a server system than Linux is.
----------------
Goodness me! Really? 99%. OH MY GOD.
We need to get those linux servers off the internets. now! Who's with me?? If we each take a datacentre, we can yank the network cables in the space of a few days. We'll save the world!
Oh.. er.. wait...
You made those numbers up, didn't you? well?
"If we each take a datacentre, we can yank the network cables in the space of a few days. We'll save the world!" - well you might have saved Sony a £100 million or so....
http://www.zone-h.org/news/id/4737
1.419.203 website defacements
Operating System, Year 2010
Linux 1.126.987
Windows 2003 197.822
FreeBSD 46.992
Win 2008 15.083
F5 Big-IP* 14.000
Unknown 7.840
Win 2000 6.097
Solaris 9⁄10 2.373
MacOSX 1.038
Citrix Netscaler* 232
Win NT9x 221
Win XP 196
NetBSD/OpenBSD 99
HP-UX 73
IRIX 47
SCO UNIX 22
Unix 15
Solaris/SunOS 13
BSDOS 12
Solaris 8 11
OpenBSD 8
Compaq Tru64 5
Compaq OS2 5
OS390 3
MacOS 3
AIX 3
Novell Netware 1
AS/400 1
Those are completely meaningless stats.
If that 219,419 Windows defacements was 90% of the Windows-hosted websites, and the 1,126,987 Linux ones were 1% of Linux-hosted websites, which is more secure?
How many were repeated defacement of the same website?
They don't even attempt to give any sense of the actual scale.
Aside from that, a website defacement is highly unlikely to have anything whatsoever to do with the hosting server OS anyway. Defacements are almost always about the content management system.
Like I said earlier though, there are many users out there who simply buy a box off the shelf, plug it in and it works. These are average people with no IT skills other than plug in, it works.
Perhaps routers should FORCE people to change the default password on first use? Expecting the average Joe to do this voluntarily though is not practical. It is akin to leaving your front door open and hoping you don't get burgled, but there are still places like that around; many small villages I used to visit in Scotland still had their external doors open and porch internal door shut. Doesn't excuse the crimes.
"Most routers I've come across only provide a ssh login on the internal interface."
Eh?
How would you get in from outside then? I have mine set up to port forward ssh to an internal server for the purposes of remote access and reverse proxy use. Nothing wrong with ssh as long as it's up-to-date and has sufficient security - the real problem is exposing telnet or web interfaces to the outside by default with weak usernames/passwords.
"How would you get in from outside then"
He's not talking about port forwarding SSH, he's talking about the router's configuration interface, be it SSH, HTTP or anything else should only be accessible on the internal network facing interface and not the Internet facing interface.
That way consumers who just plug and play aren't exposed to default password threats as that is what this guy has exploited. You're saying SSH is perfectly secure "as long as it's up-to-date and has sufficient security" - the point is, it wasn't sufficiently secure because manufacturers used default passwords.
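The point made in this exchange, that a router's management interface (SSH, telnet, HTTP) should answer only on the LAN-facing interface, is something you can check on a Linux-based router from its own shell. The following is an added example, not code from any commenter, the article or the census project: it reads the socket table as printed by `ss -ltn` and flags management-port listeners bound to the wildcard address or to anything other than the LAN (or loopback) addresses you name. The `ss` output is constructed for a hypothetical router with LAN addresses 192.168.1.1 and fd00::1 and a WAN address of 203.0.113.5 (documentation range); that a given firmware ships `ss` rather than BusyBox `netstat` is an assumption, and the netstat layout differs.

```python
import ipaddress

# Ports a consumer router typically serves its own management interface on.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 8080: "http-alt"}

# Constructed `ss -ltn` output for a hypothetical router: LAN side is
# 192.168.1.1 / fd00::1, WAN side is 203.0.113.5 (documentation range).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
LISTEN 0      128    192.168.1.1:80      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    203.0.113.5:443     0.0.0.0:*
LISTEN 0      128    0.0.0.0:53          0.0.0.0:*
"""


def split_local(field):
    """Split ss's 'addr:port' into (addr, port). IPv6 is printed as [::]:22
    and older ss prints a wildcard as *:22; both are handled."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def audit_listeners(ss_output, lan_addrs):
    """Classify every management-port listener in `ss -ltn` output.
    Returns a list of (service, bound_address, port, verdict) in table order."""
    lan = {ipaddress.ip_address(a) for a in lan_addrs}
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                        # header line or not a listener
        host, port = split_local(parts[3])
        if port not in MANAGEMENT_PORTS:
            continue                        # DNS, DHCP etc. are out of scope here
        bound = None if host in ("*", "") else ipaddress.ip_address(host)
        if bound is None or bound.is_unspecified:
            verdict = "EXPOSED: bound to all interfaces, WAN included"
        elif bound.is_loopback or bound in lan:
            verdict = "ok: LAN/loopback only"
        else:
            verdict = "EXPOSED: bound to a non-LAN (WAN?) address"
        findings.append((MANAGEMENT_PORTS[port], host, port, verdict))
    return findings


def exposed_services(findings):
    """Names of the services that need a rebind or a firewall rule."""
    return [service for service, _, _, verdict in findings
            if verdict.startswith("EXPOSED")]


if __name__ == "__main__":
    findings = audit_listeners(SAMPLE_SS, ["192.168.1.1", "fd00::1"])
    for service, host, port, verdict in findings:
        print(f"{service:8s} {host}:{port:<5d} {verdict}")
    print("exposed:", exposed_services(findings))
```

On the sample, telnet and SSH are bound to 0.0.0.0 and :: and HTTPS is bound to the WAN address, so all three are reported; the HTTP listener on the LAN address and the loopback-only one on 8080 pass. One caveat: a wildcard bind is not by itself wrong, since many firmwares (OpenWrt among them) bind everywhere and rely on the firewall's input chain to drop WAN-side traffic to those ports. Read an "EXPOSED" verdict as "confirm a firewall rule covers this, or rebind it to the LAN address", and confirm from the outside by connecting to your public address from another network.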
This post has been deleted by its author
This isn't going to work as methodology to find unused IP addresses. Many of those IP addresses will be behind firewalls, no attempt to contact them is going to get through, but they may still be able to see out, and then there are lots of addresses hidden behind firewalls using valid IP addresses but which can't see out. OK, many of these could be moved to using private addresses, but no one is in a position to force their owners to do so and free up the addresses blocks they're hoarding.
Jan 0, English has offered a choice between singular them and epicene him to refer to a person of indeterminate sex for at least five centuries. Why do you laud Iain for his choice? It seems a bit like congratulating someone on his* preference for one of wrath, anger, or ire.
* — Yes, that’s an epicene his.
...for people who can't live within the laws of society. You can call yourself a "researcher" and "grey-hat" or a$$nonymous or whatever makes you happy, but the truth is that these people are unscrupulous criminals falsely believing that they can do whatever they feel like. Judicial systems around the globe are proving that these clowns are wrong.
"It's really upsetting to quite a few Americans to be called Yanks or Merkins (you do know what a Merkin is, don't you?) particularly the ones who live "over here"."
Yes, most people do. That is why they use the term with such particular relish. It doesn't start to make up for the hearing damage, but it's a start.
Yes, yes, American is not a race, but Pakistani is not a race either, you wouldn't say the P word, so don't use other similar names for the people of other countries.
I'm sick of supposedly intelligent, liberal people who would never consider saying anything about people who are a different colour spouting off about "fucking yanks". It's about time it stopped.
This post has been deleted by its author
"I'm sick of supposedly intelligent. liberal people who would never consider saying anything about people who are a different colour spouting off about "fucking yanks". It's about time it stopped."
Is it? Why, precisely? Because of manifest destiny? Crazy gun fetishes? Weirdly prevalent religiosity?
You, sir or madam, need to grow a pair. It happens. Whining about it just makes people dislike you more. Other nations do it to each other all the time, try being Swedish in Denmark, or English in Glasgow.. or not from within about a mile of where you are within Yorkshire. It's part of life's rich pageant.
It has been happening since long before your newly-minted novelty nation existed. Adolescents are often unwittingly hilarious, and squeaking "I hate you, you're not even my real parents" tends not to impress anyone, making it harder to suppress giggles.
Chilling out may be the best idea. In time, you might learn how banter works. Don't take everything so very personally.
Thanks for playing, Yank. Come back when the majority of your countrymen consider the use of "faggot" as a pejorative completely unacceptable.
(If I had a dollar for every time that I've heard "are you some sort of British faggot?", I'd have a few more dollars to put towards living somewhere with fewer guns and god botherers)
That's the thing, I'm not American, I'm English, but I have American family and friends. Some over here, some over there. I've never been treated with anything except utmost respect and hospitality when in America, sure their society is different to ours but I've never had a bad experience. That I cannot say for my family and friends over here, who have to put up with being called "fucking yanks" in the pub, by people who've never met them before or sometimes generally abused in the street. People "jokingly" asking my sister why she married an American - it's not a joke when it's happened for the umpteenth time, you would never, ever, get this in America.
As an American, I’m impressed by the nearly exclusive contributions of Anonymous Cowards to this exchange.
Anonymous Coward, I have to agree with Anonymous Coward; Yank, Merkin, and whatever the P-word might be aren’t racist names (unless one considers Pakistanis to comprise a single “race”); “statist” would be closer to the mark, although this use of that word might initially confuse some libertarians. I’ve never met an American who was offended by the term Yank. I have known some, though, mainly from our southern tier, who would be offended by the term Yankee. We don’t hear Merkin, septic tank, &c. too often over here, so it doesn’t get our itchy trigger fingers twitching.
Anonymous Coward, are you saying that those British actors who willingly take on villainous rôles in Hollywood films are somehow not responsible for signing on the dotted line? Aren’t those the parts that are supposed to be the most fun to portray?
Anonymous Coward, that’s something that’s so ironic that even I can detect it — an Anonymous Coward telling another Anonymous Coward of the “need to grow a pair”. I agree with the rest of your post, though, and I plan on manifestly destinising your intellectual property rights to the term “newly-minted novelty nation” in describing the land of my birth, by working it into conversations whenever opportunity permits.
Anonymous Coward, depending upon your sister’s sense of humour, she could respond to those who ask her why she married an American that she heard something down the pub about “fucking Yanks”, and she mistook the adjective for a gerund. ;*)
Dear Irony Deficient,
Please feel free to steal, repurpose or even leverage the phrase “newly-minted novelty nation” (establishing best practice for key stakeholders across the piece) - with my blessing.
By the by, I don't think not being an AC makes anyone more or less brave, unless "Irony Deficient" is your given name.. I shall refrain from speculating upon possible names of your siblings, were this the case. Having a silly handle around here doesn't really identify you, it just seems to allow people to clump up into slightly silly cliques or tree house gangs. Because I am a massive misanthrope, I obviously prefer to obviate the danger of becoming part of any sort of clique, brr.
Anyway, I salute you, and even mostly agree. I'd offer you a pint of something character forming, but sadly this is but one of those Interwebulator forum thingies..
"People "jokingly" asking my sister why she married an American - it's not a joke when it's happened for the umpteenth time, you would never, ever, get this in America."
I'm American, and this is correct. I flat out can't imagine it happening - maybe if it was someone French, but even then it would be pretty poor form.
The thing that gets me is that this guy got *four downvotes* just for *describing his personal experience*. Do the downvoters figure he's just delusional or something? Or do they think it's intrinsically unreasonable to say you've experienced hospitality while in the US? Or that if you're saying something nice about an American you must be lying?
It's bizarre.
I suppose that regardless, it's kind of a show of support - he got slagged off on just for *politely saying* that his family gets slagged off on. There's hardly a better way to illustrate the point...
Perhaps you mean xenophobic.
Or perhaps not, as xenophobia implies hatred of all that is foreign, whereas a healthy dislike for the gung-ho self-righteous attitude displayed by what is, although probably not a representative, certainly a vocal portion of our transatlantic cousins, is quite understandable.
Or, to put it simply, we call you 'yanks' and 'merkins' because, in general*, you are loud and obnoxious, and we don't like you. It's meant to be offensive. Enjoy.
*Yes, this is a generalisation; there are plenty of Americans who aren't morons. If you object to me making such generalisations, then you aren't one of them.
So if I notice your car keys on your table through your window, I can break the window to get your keys to take your car, because otherwise you would not have windows in your house for easy access.
Yes my example is ludicrous but I am afraid so is your statement.
I'm sorry, but people that don't secure their systems from this level of attack are part of the problem.
Because when your system is compromised, it starts whacking my web servers and then it becomes my problem.
You aren't leaving the front door to your house unlocked, you're leaving your Low Orbit Ion Cannon unlocked outside the school gates with the engine running.
I'm sorry, but people that don't secure their systems from this level of attack are part of the problem.
And I'm sorry to tell you that in the real world not everyone using the net is a geek or highly qualified IT professional. If you design or implement IT systems you need to understand that and act accordingly. The alternative is to ban anyone who doesn't have the requisite qualifications from using the internet. It'd make for a safer online world but it'd be a lot quieter as well :(
>I'm sorry, but people that don't secure their systems from this level of attack are part of the problem.
Which is why, in my area, it is ILLEGAL to leave your car keys in your car when you are absent.
Note that it is NOT illegal to leave your house unlocked. Cars are different. We can argue about which category computers should be in.
If I don't lock my front door, is it illegal for my neighbour to pop in with a flask of home-made soup, because they know I'm feeling poorly. "We didn't ring the bell because we could see you were asleep on the sofa".
It happened to my Mum the other day. She was very grateful. She didn't call the police!
@ Colin Wilson 2
Technically yes, still illegal unless you'd agreed in advance that they were allowed access or it was allowed by the law (police/fire department/court order etc.). Doesn't matter who they are, friend, family or stranger, or why they were going into the house, it's still an illegal act. As mentioned above, the purpose for entry only affects the punishment, it doesn't change the fact that the law was broken.
Besides, your analogy is flawed: you have a neighbour you know walking in, this is a complete stranger. How would you feel if you woke up to find someone you didn't know just wandering about the house? Even if they had soup, wouldn't you be a little suspicious of its contents and their motives?
No, your analogy is not actually any better. Principally because what you describe is not, in the UK at least, illegal, but also because it doesn't accurately mirror what the researcher in question has done.
A better analogy would be finding someone's front door open, and popping your head round the door and asking if anyone is home, before going on to pour yourself a glass of water in the kitchen. It's certainly very rude, and you wouldn't like it if someone did it to you, but is on the 'not illegal' side of things, although only just.
Perhaps I'll not bother locking my door in future, it's a hassle having to take the key with me and it would be illegal for anyone to go in anyway. I bet you lock yours though, and I bet you are smart enough not to leave default passwords on your kit.
I think the actual act of using a default username and password would not in itself constitute hacking; although depending upon the context it could be regarded as suspicious and potentially indicative of intent. For example, I knock on my neighbour's door and get no response so I try the handle as I think there might be someone inside, is a different scenario to me walking down the street and repeating the same sequence of actions with every house.
However, having gained access, it is what you do next that would be used to determine whether hacking has or hasn't taken place.
Remember on many end user systems a warning message is presented that effectively says if you are not the authorised user to log off immediately. Such messages started to appear after some early hacking cases and people pleading that there was no warning that they were trespassing etc.
So with respect to the research, the initial random testing of default credentials could be argued as not constituting hacking, however the systematic testing of devices for usage of default credentials would be considered differently particularly as the intent of the systematic access was to install and execute code on the third-party devices.
But having said that, the Internet Census 2012 is a stunning piece of research!
"He purposefully designed it to eat the fewest cycles possible."
And therein lies the problem. S/he was using a resource that someone else has to pay for, without their consent. If I take money from you and say 'But I was only taking your smallest banknote' would you accept that as fair?
Personally I don't have an issue with what this person did - I see the value in the results and a lack of malicious intent. But others will simply see it as immoral/illegal. The law is on their side.
I won't argue over the legality, that's for the courts to decide, but there is a major difference between a "harmless" piece of code sitting and pinging a network before disappearing completely and physically depriving someone of a banknote (whatever the size).
@JDX: Maybe I'm a minority, but I fail to see how eugenics is unethical, assuming consenting participants. Murdering people whose genes you dislike is unethical, and only vaguely related to eugenics (as I assume that's what you were referring to). Or denying non-consenting people the right to breed. Both of those add a definite unethical action.
"Probably lots of malicious malware is written to be efficient too"
Which is exactly my point: malicious. His code likely went entirely unnoticed without leaving a trace of its presence, which is exactly what I meant by "intent".
Had it scraped network traffic or garbled config files, yes, unethical; but it did (reportedly) none of those things.
<weak metaphor>
It's akin to seeing the front door of a house open and sticking your head in and shouting "hello, did you know your door was open?". Is that unethical?
</weak metaphor>
Your arguments are entirely bogus:
>> How is it unethical? The ethics are in the intent
Are they? So it's not unethical to secretly use eugenics with the intent of making the human race better?
>>He purposefully designed it to eat the fewest cycles possible.
Probably lots of malicious malware is written to be efficient too so it doesn't get noticed as easily, and can spread better.
If I joyride your car but stay under 30mph does that make it OK?
That's different, you're still using the network as intended, and network admins can set their systems to not respond to the requests if they wish. You're just asking them to respond to a request for information, they can respond or not, their choice. Also it's not giving you access to the systems themselves.
That big corporations and government institutions hoard and hog huge address blocks for no apparent reason and they should be fined and their IP addresses revoked.
That the authorities who assign addresses don't do a good job at allocating address space, the entire IPv4 map is very fragmented.
That a lot of people run devices with default credentials or easy to guess credentials.
I used to get bored some evenings and port scan addresses on my local subnets, you'd easily find at least 10% of the devices totally unprotected and connected directly to the live net connection. You'd find printers, lots of FTP and webservers, the odd NAS box all with default passwords still left in place, modem/routers with wide open configs that would given the time allow you through into the networks behind. It's no wonder these botnets take off, you don't need to waste time messing about hooking people through iffy webpages, just port scan like this person did and "Bob's your Auntie's live in lover"!
( I'm one of those who believe people should have a license to be able to use the internet! )
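The scanning behaviour described in the comment above is exactly what a network owner can spot from their own gateway logs. The following is an added example, not code from the original thread or from the census project, showing how a defender would flag it: it parses a handful of constructed iptables-style "new connection" log lines (the format is an assumption for this example) and reports sources that probe many ports on one host (a vertical scan) or the same port across many hosts (a horizontal scan). The thresholds are illustrative and would be tuned per network.

```python
import re
from collections import defaultdict

# Matches the fields this example cares about in an iptables-style log line.
# The exact log format is an assumption for this example.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def _line(src, dst, dpt):
    """Build one constructed log line in the assumed iptables LOG format."""
    return f"Mar 20 21:00:01 gw kernel: FW-NEW IN=eth0 SRC={src} DST={dst} PROTO=TCP DPT={dpt}"


# Constructed sample log: one source sweeping 12 ports on a single host,
# one source trying telnet (23/tcp) on six neighbouring hosts, and two
# ordinary HTTPS connections that should not be flagged. Addresses are
# from the documentation ranges, not real hosts.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "192.0.2.10", p)
     for p in (21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 8080)]
    + [_line("198.51.100.5", f"192.0.2.{h}", 23) for h in range(20, 26)]
    + [_line("198.51.100.9", "192.0.2.10", 443)] * 2
)


def parse(log_text):
    """Return (src, dst, proto, dport) tuples for every line that matches LINE_RE."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def detect_scans(events, vertical_threshold=10, horizontal_threshold=5):
    """Flag vertical scans (many ports on one host from one source) and
    horizontal scans (one port on many hosts from one source).

    This counts distinct targets over the whole input; a production detector
    would bucket by time window so that slow scans and busy legitimate
    clients are handled separately.
    """
    ports_per_src_dst = defaultdict(set)    # (src, dst) -> set of ports
    hosts_per_src_port = defaultdict(set)   # (src, proto, port) -> set of hosts
    for src, dst, proto, dpt in events:
        ports_per_src_dst[(src, dst)].add(dpt)
        hosts_per_src_port[(src, proto, dpt)].add(dst)

    findings = []
    for (src, dst), ports in ports_per_src_dst.items():
        if len(ports) >= vertical_threshold:
            findings.append({"type": "vertical", "src": src,
                             "target": dst, "count": len(ports)})
    for (src, proto, dpt), hosts in hosts_per_src_port.items():
        if len(hosts) >= horizontal_threshold:
            findings.append({"type": "horizontal", "src": src,
                             "target": f"{proto}/{dpt}", "count": len(hosts)})
    return findings


if __name__ == "__main__":
    for f in detect_scans(parse(SAMPLE_LOG)):
        print(f"{f['type']:10s} scan from {f['src']} -> {f['target']} ({f['count']} distinct)")
```

Distinct-target counting rather than raw hit counting is the point: a single client retrying the same port many times is noisy but not a scan, whereas a source that has touched a dozen different ports, or the same port on a block of neighbouring hosts, is almost never legitimate traffic from outside the network.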
I remember years ago when the first broadband Internet rolled out round my area (UK), this was a cable service provider (local cable TV operator, NTL). With heady speeds of 64kbs, later upgraded to 128kbs (compared to dial-up of course, which was typically around 40kbs, this was fast, and low pings too, good for gaming).
Turns out it wasn't actually a direct Internet connection, unlike say ADSL, it was a NAT connection, so you were effectively on a local LAN with all the other NTL customers. This then went via a router to the internet itself.
The connection itself was fine, but those early cable modems didn't have anything in them, effectively just a modem, so no Firewall or other security etc. (no options at all in fact, they were locked down, just plug and go).
So unless you were running a local Firewall, it meant you could be seen on the NTL network, and back then, few people had firewalls installed (pre-XP days, so not even the basic built in OS one either). So you could literally just browse the Network with Windows Explorer and see other people's PCs, browse their shares, plus all the default admin shares and such.
A few friends of mine were also on NTL (now owned by Virgin), so we just set up shared folders and could just use Windows Explorer to drop off and pull files from each other's PCs! No need for FTP etc.
It's an interesting map - but illegal. In the UK accessing a computer without permission is illegal.
www.legislation.gov.uk/ukpga/1990/18
Computer Misuse Act 1990 CHAPTER 18 - An Act to make provision for securing computer material against _unauthorised access_ or modification; and for connected purposes.
Also section 9 - British citizenship immaterial. Doesn't matter here where you're from - they'll get you.
Technically, it could be argued that using a default password on a public-facing device is authorisation; the auth protocol itself hasn't been circumvented via a flaw or back-door, so the act of logging in as admin:12345 is potentially not illegal. Of course, IANAL, so I wouldn't recommend trying this one out, and the researcher is certainly taking a big risk by doing so. You might also be able to argue that a router isn't a computer, any more than a washing machine is, that no access has been gained to anything other than the public facing device, and that no material has been secured from that device. They might well fall foul of the 'modification' part, which could reasonably be seen as being a bit naughty. Again, it's not a risk I would be prepared to take myself, but if it happened to me, I'd take steps to properly secure my router rather than prosecute the perpetrator.
"Technically, it could be argued that using a default password on a public-facing device is authorisation"
There is absolutely no way you would ever get away with that, you would also not be able to argue that a router isn't a computer, it's been tried and it fails every time. The router has been logged on to and instructed to perform an operation, which its owner in no way gave permission for it to run, it's a clear cut breach of the Computer Misuse Act.
How you gained access isn't relevant. You still accessed the system without the owner's permission, therefore it's still illegal.
As an analogy, it doesn't matter if the door was closed, closed and locked, or wide open, the simple act of walking through the door is illegal. How you got through only changes the level of punishment, it doesn't change the illegality of the act itself.
Any access to any computer system, whether a PC, a server, an embedded controller, a mobile device and so on and so on, if you don't have explicit permission from the owner of that device, then accessing that device is illegal.
This was aimed at embedded and infrastructure equipment and there are very few architectures in use there. Remember that this wasn't meant to be exhaustive and VERY few admins change the passwords, even in digital phone systems.
If you can avoid the need for driver modules then you aren't looking for a particular kernel version.
Add to that the information that the Trojan was given the lowest priority possible so it didn't affect performance, and this is someone who knows what they are doing.
To be honest, I'd rather know if I had an open door onto the internet. I'm not disgusted by what this researcher has done, the reason it's shocking is they could do it.
Penalising them would be silly - it's not going to make anyone's systems more secure. Acting on their results and getting people to configure their connections securely and making sure manufacturers provided equipment that was secure at startup would be far more productive. FWIW my router has a non-default password when it was supplied, thank god. I was less impressed by the support person who said I could reset the password to nothing when I needed to update a setting under their advice...
Illegal? Yes (in most of the Western World anyway).
Unethical? Meh, a bit, but then arguably it's simply not practicable to conduct such research on this scale following normal consent guidelines. Maybe a BOINC project could work but even that's going to be '000s of nodes, not 00,000s.
But hey, no harm no foul. I'd hope any action by authorities would be to build on this research to go after the less benign individuals who it seems are already using this vector for malicious purposes.
As a taxpayer that would seem to be a much better use of resources than going on a witch hunt after this researcher for the heinous act of going "Hey, look at this!"
While the individual states he did not intend to interfere with the devices, it's hard to argue against the fact that what the person did is in fact illegal. I have to say the quotes from the paper in the 3rd and 4th paragraphs say a lot about the person's state of mind.
I noted the person posted to seclists.org (http://seclists.org/fulldisclosure/2013/Mar/166) and has uploaded the research to three sites:
http://internetcensus2012.bitbucket.org
http://internetcensus2012.github.com/InternetCensus2012/
http://census2012.sourceforge.net/
All of which include a hidden div tag with a counter from supercounters (but it says account terminated if you unhide it from developer tools in Chrome).
As someone pointed out the config.log does indicate (hadoop0 was the hostname and /bin/hadoop was in the PATH) they are using hadoop but it was mentioned in the paper that it was used to analyse the data. There's other info on the OS and kernel versions but little else that I noticed straight off the bat.
I didn't see an email in the README file (the only emails I can see so far are from copyright notices and changelog info for nmap source code and other libraries used in the code).
...this just proves that someday, our only defense will be "The Galactica Maneuver", which is to say the only way we can keep ourselves safe from this kind of invasion is to not network anything.
Hell maybe Sir Arthur will be proven right in his godawful 3001 novel...we may need a munitions dump on the moon for "the world's worst computer viruses."