The future's bright...
And, if people don't secure their connected lightbulbs, potentially weaponised.
The script kiddie at the center of the Satori botnet case has pleaded guilty. Kenneth Schuchman, 21, of Vancouver in Washington state, this week admitted [PDF] to aiding and abetting computer hacking in an Alaskan federal district court. In exchange for only having to confess to a single criminal count, and increasing his …
My Christmas lights display will be growing past the 15A limit of a normal US circuit breaker, so I have to split it across two outlets on separate breakers.
Do I attempt to synchronize timers?
Do I use RF master-slave?
Do I go full IoT?
Or do I go old-school with a relay in a box?
I think you know the answer: add a few plugs and some extra wire and one 15A circuit can trigger a 10A one for 25A (x 120V = 3 kW) of wasted light and heat holiday joy. (And no RF or Wi-Fi based vulnerabilities. If the thing has issues it'll only be because I wired it wrong or poorly. Icon for the possible result to the house ---> )
If you live in Canada, specifically the Province of British Columbia which has B.C. Hydro as your main hydroelectric sourced electricity provider, you can request 400 amp at 600 volts AC service at your detached home for 240 000 Watts of power to help blind every neighbour with your massive lighting displays!
You can also use that service to power the electromagnet coils of your DIY cyclotron or linear particle accelerator system!
I personally would use that power to make a beautiful Tesla Coil setup to fry those pesky bugs who keep eating freely out of my veggie garden! :-) :-)
.
.
Its fine, all they have to do is reset them right?
The linked article suggests that he is diagnosed with Asperger's so severe he is on a disability pension. If so, I would certainly hope to see some compassion from the court, and a sentence oriented towards treatment and rehabilitation.
Meanwhile, was the Canadian ISP with 32,000 pwned routers penalised? It was a 0-day, but the routers were from Huawei, and many would say a 0-day was predictable. I don't know about this ISP, but many ISPs have a habit of preventing or making it very hard for their customers to use better-quality routers than the one they supply, all to keep support costs under control while offering the cheapest possible sign-up fees.
However much it would help reducing crime, at present it's still not illegal to leave your doors unlocked when you leave the house. Entering without permission is, though.
The worst that the ISP has to worry about (apart from a massive labour cost fixing it all) is that customers walk, otherwise this hacker would also face further consequential damages.
By the way, people with Asperger's can tell right from wrong too, they don't default to criminal behaviour.
Down vote for equating leaving your doors unlocked with selling door locks that open as soon as you push on them a bit.
Really? As far as I can tell, there would be no substantive difference in mens rea.
You could try to lob a civil case at the ISP arguing duty of care or diligence (if that wasn't excluded by default in the Terms by most ISPs), but as far as I can tell it would not change one iota in the criminal exposure of the hacker.
The guilt of the hacker is not in question here. I'm merely pointing out that there's a big difference between failing in your responsibility to lock your own door and then being broken into and having locked your door but unbeknownst to you the lock being faulty allowing anyone to break in with little more than a firm push on your door.
Whether there is currently any laws that hold manufacturers responsible for such failures is also irrelevant. There was a time when hacking into someone's systems was also legal as there was simply no law prohibiting it yet. It was still wrong to do it even if there was no actual penalty. Likewise in this case, the manufacturer of the shoddy IoT gear might not face any civil or criminal case but refusing to patch vulnerabilities in widely deployed equipment is still wrong.
I think the main point of friction here is the expectation that anything is secure by default. Anyone who has ever been near technology knows that that expectation is pretty much the opposite of what happens in the Real World, and the challenge is to help Joe Average understand this.
Irrespective of any measures that seek to impose this on suppliers, I think it's wrong to create the expectation that suppliers will get it right as that encourages a false sense of security. It's just a far too dangerous an assumption, and provably nowhere close to reality.
"The worst that the ISP has to worry about (apart from a massive labour cost fixing it all) is that customers walk, otherwise this hacker would also face further consequential damages."
Those whose systems got knocked off-line might be interested in claiming for damages. A skiddie might not be worth suing. An ISP on the other hand...
'The Satori malware preyed on a number of poorly secured IoT devices, including home digital video recorders (DVRs), surveillance cameras, and enterprise networking gear.'
Thank goodness this criminal mastermind has been stopped and all the affected gear has been patched. Wait... the gear *has* been patched, right?
I have a feeling he named this botnet after the brilliant "The Satori Effect" book by David Pesci (which is surprisingly hard to find online as -as far as I can tell- it was never released in book form in 2000, only in PDF).
The perp is lucky that the prosecution had clearly not read this story, because that also starts with someone asking very basic things online, thus skilling up and eventually build something dangerous.
If you ever come across this book, buy it, it's worth it.
Interesting how even in the age of the Internet stuff can still disappear without trace. the only two references I can find to this work are:
Author's Life After `Amistrad'
Even his LinkedIn profile doesn't mention it: David Pesci...