
Botnet Uses Default Passwords To Conduct "Internet Census 2012"

Unknown Lamer posted 1 year,26 days | from the neat-hack dept.


An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the enitre IPv4 address space." From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."
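The summary above describes the whole of the census's "exploit": four default logins tried over plaintext telnet on its default port. The Python below is an added example, not the story's or the census author's code, showing how an administrator would check devices they own for exactly those four pairs. It runs offline against a constructed in-process stand-in for a BusyBox telnetd login; the stand-in, the names `audit_host` and `try_login`, the accepted pair (`admin` with an empty password) and the prompt strings it looks for are all assumptions made for the demonstration, not facts from the report.

```python
"""Added example: check devices you administer for the four telnet default
logins the summary names, against an in-process fake device (not the census code)."""
import socket
import socketserver
import threading
from typing import List, Tuple

# The four combinations quoted in the story, in the order they appear there.
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("root", "root"), ("admin", "admin"), ("root", ""), ("admin", ""),
]
# Hypothetical: the one pair the constructed fake device below accepts.
FAKE_DEVICE_ACCEPTS = {("admin", "")}


def _read_until(sock: socket.socket, markers: List[bytes], timeout: float) -> bytes:
    """Read until one of the markers shows up, the peer closes, or we time out."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:          # peer closed the connection
            break
        buf += chunk
    return buf


def try_login(host: str, port: int, user: str, password: str, timeout: float = 3.0) -> bool:
    """One plaintext telnet login attempt. True only if a shell prompt comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_until(s, [b"login:"], timeout)
        s.sendall(user.encode() + b"\r\n")
        _read_until(s, [b"assword:"], timeout)       # matches "Password:" and "password:"
        s.sendall(password.encode() + b"\r\n")
        reply = _read_until(s, [b"# ", b"$ ", b"incorrect", b"login:"], timeout)
    got_prompt = b"# " in reply or b"$ " in reply
    return got_prompt and b"incorrect" not in reply


def audit_host(host: str, port: int = 23) -> List[Tuple[str, str]]:
    """Return every default pair that yields a shell; empty if telnet is closed."""
    hits = []
    for user, pw in DEFAULT_CREDS:
        try:
            if try_login(host, port, user, pw):
                hits.append((user, pw))
        except OSError:          # refused, reset or connect timeout: nothing to audit
            break
    return hits


class _FakeBusyBoxTelnet(socketserver.StreamRequestHandler):
    """Constructed stand-in for a BusyBox telnetd login, for offline testing only."""
    def handle(self) -> None:
        self.wfile.write(b"\r\nrouter login: ")
        user = self.rfile.readline().strip().decode(errors="replace")
        self.wfile.write(b"Password: ")
        pw = self.rfile.readline().strip().decode(errors="replace")
        if (user, pw) in FAKE_DEVICE_ACCEPTS:
            self.wfile.write(b"\r\nBusyBox v1.19.4 built-in shell (ash)\r\n# ")
        else:
            self.wfile.write(b"\r\nLogin incorrect\r\nrouter login: ")


def start_fake_device() -> socketserver.ThreadingTCPServer:
    """Listen on an ephemeral loopback port; the caller shuts it down."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeBusyBoxTelnet)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    dev = start_fake_device()
    print("default logins accepted:", audit_host("127.0.0.1", dev.server_address[1]))
    dev.shutdown()
    dev.server_close()
```

Pointing `audit_host` at a real device you own is the same four connections the census made, so a non-empty result means that device was reachable by it (and by anyone else); a device with telnet closed returns an empty list rather than an error. The prompt matching is deliberately loose, so treat a hit as "go look", not proof.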


222 comments

So this is what? (3, Interesting)

Anonymous Coward | 1 year,26 days | (#43224585)

267 months in federal prison?

Re:So this is what? (5, Insightful)

Hatta (162192) | 1 year,26 days | (#43224605)

The FBI only cares if you embarrass a major campaign contributor. e.g. AT&T is the largest campaign contributor in the country, beating out even Goldman Sachs.

BitTorrent (1, Redundant)

kramer2718 (598033) | 1 year,26 days | (#43224845)

The FBI only cares if you embarrass a major campaign contributor. e.g. AT&T is the largest campaign contributor in the country, beating out even Goldman Sachs.

Or if you use BitTorrent for completely lawful purposes.

Re:BitTorrent (-1)

Anonymous Coward | 1 year,26 days | (#43225059)

Yep, and both of those users are pissed about the bad rap they are getting from the other several million users who are not using it for lawful purposes. And yeah, I know there are legitimate uses for BitTorrent just like you know that the overwhelming majority of BitTorrent use is for downloading copyrighted material.

Re:BitTorrent (0)

Anonymous Coward | 1 year,26 days | (#43225127)

Yep, and both of those users are pissed about the bad rap they are getting from the other several million users who are not using it for lawful purposes. And yeah, I know there are legitimate uses for BitTorrent just like you know that the overwhelming majority of BitTorrent use is for downloading copyrighted material.

A bad reputation does not a criminal make...

The founding fathers of the US rightly observed that it is better to watch 9 guilty men go free than convict one single man who is innocent. Bittorrent must stay legal for the few who use it legally even if it means that there will certainly be those that use it illegally.

That, or you hate freedom and the terrorists have already won. 'MERICA!

Re:BitTorrent (1)

Farmer Pete (1350093) | 1 year,26 days | (#43225521)

I agree that it's better to watch 9 guilty men go free than convict one single man who is innocent, but that argument is flawed. Given the opportunity, I would come up with a new system to convict the 9 guilty men and let the one innocent go free. Or in this case, if BitTorrent is 95% used for illegal activity, there is no reason that bittorrent can't be made illegal, as long as a suitable replacement for the 5% legal use of Bittorrent is available.

Re:So this is what? (0)

Anonymous Coward | 1 year,26 days | (#43224681)

more like "until the sun goes cold"

Re:So this is what? (4, Interesting)

juancn (596002) | 1 year,26 days | (#43225105)

He did 420000 intrusions, it's probably a lot more than that. In NY it would be up to 420000 years just for unauthorized computer use I believe.

Still, really cool hack (in the classic sense), it is conceptually similar to a Von Neumann probe [wikipedia.org].

correction (1)

slashmydots (2189826) | 1 year,26 days | (#43224595)

All data gathered during our research is released into the public domain for further study

More like: All data gathered during our research is released into the public domain for further getting the researchers arrested for unauthorized access and usage of computer systems. It adds up to almost 1 million years in prison if it's under current US law (I used that high school teacher who loaded a Folding@home calculating screen saver onto all school computers as a rough basis for the math. He was on the hook for like 300 years in prison).

Re:correction (4, Funny)

ls671 (1122017) | 1 year,26 days | (#43224811)

So he is the guy responsible for all these logs on my firewall. I am glad he is over with his research. Those nasty log lines and the alerts I get should now go away!

Mar 19 14:08:29 myhost sshd[15477]: Failed password for root from 58.247.50.59 port 33203 ssh2
Mar 19 14:08:26 myhost sshd[15475]: Failed password for root from 58.247.50.59 port 60725 ssh2
Mar 19 14:08:24 myhost sshd[15473]: Failed password for root from 58.247.50.59 port 59984 ssh2
Mar 19 14:08:22 myhost sshd[15471]: Failed password for root from 58.247.50.59 port 59254 ssh2
Mar 19 14:08:19 myhost sshd[15469]: Failed password for root from 58.247.50.59 port 58527 ssh2
Mar 19 14:08:17 myhost sshd[15465]: Failed password for root from 58.247.50.59 port 57790 ssh2
Mar 19 14:08:16 myhost sshd[15463]: Failed password for root from 58.247.50.59 port 57082 ssh2
Mar 19 14:08:13 myhost sshd[15461]: Failed password for root from 58.247.50.59 port 56363 ssh2
Mar 19 14:08:11 myhost sshd[15459]: Failed password for root from 58.247.50.59 port 55647 ssh2
Mar 19 14:08:09 myhost sshd[15457]: Failed password for root from 58.247.50.59 port 54922 ssh2
Mar 19 14:08:06 myhost sshd[15455]: Failed password for root from 58.247.50.59 port 54195 ssh2
Mar 19 14:08:04 myhost sshd[15453]: Failed password for root from 58.247.50.59 port 53487 ssh2
Mar 19 14:08:01 myhost sshd[15449]: Failed password for root from 58.247.50.59 port 52734 ssh2
Mar 19 14:07:59 myhost sshd[15447]: Failed password for root from 58.247.50.59 port 52018 ssh2
Mar 19 14:07:57 myhost sshd[15445]: Failed password for root from 58.247.50.59 port 49218 ssh2
Mar 19 14:08:38 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12700 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 19 14:08:32 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12699 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 19 14:08:29 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12698 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

Re:correction (5, Interesting)

Lumpy (12016) | 1 year,26 days | (#43225121)

After 1 attempt for ROOT I blackhole the ip address for 90 days. Nobody should ever try to log in as root, so any login attempt should black hole that IP forever. 3 minutes of script writing is all it takes to do that.

Re:correction (1)

ShaunC (203807) | 1 year,26 days | (#43225155)

I doubt it. Most of these are automated scanning from compromised machines in general, not this guy's one project, and from what I gather, the "census" was more polite about the number of login attempts. I've been getting random scans for years and I don't foresee them stopping anytime soon.

Re:correction (0)

Anonymous Coward | 1 year,26 days | (#43225213)

So he is the guy responsible for all these logs on my firewall. I am glad he is over with his research. Those nasty log lines and the alerts I get should now go away!

Unless you set up your sshd to listen on port 23 and added support for plaintext authentication, the answer is "no, it was not this guy." On the other hand, if you did all that, you re-invented telnetd.
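The three comments above between them describe a small, concrete piece of detection logic: ls671's sshd and iptables log lines, Lumpy's rule that a single failed root login earns a 90-day blackhole, and the point that the census only ever spoke telnet on port 23, so a source seen only on port 22 cannot have been it. The Python below is an added example (not code from any of the commenters) that parses those two log formats and applies both checks. Three sshd lines and two kernel lines are copied from ls671's post; the `alice` line and the `DPT=23` line are constructed on TEST-NET addresses, the year is assumed (syslog omits it), and the `iptables` rule text is the obvious one-liner, not anyone's actual script.

```python
"""Added example: parse the sshd / iptables lines quoted above, apply the
'one root attempt and you are blackholed for 90 days' rule, and use the
destination port to see whether a source could even be the telnet census."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

LOG_YEAR = 2013   # assumed: syslog lines carry no year; the story is from March 2013

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")
SSHD_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
                     r"from (?P<ip>[\d.]+) port \d+")
KERN_RE = re.compile(r"kernel: CONNECT LIMIT: .*SRC=(?P<ip>[\d.]+) .*DPT=(?P<dpt>\d+)")

# First three sshd lines and first two kernel lines: copied from the post above.
# The 'alice' line and the DPT=23 line are constructed (TEST-NET addresses).
SAMPLE_LOG = """
Mar 19 14:08:29 myhost sshd[15477]: Failed password for root from 58.247.50.59 port 33203 ssh2
Mar 19 14:08:26 myhost sshd[15475]: Failed password for root from 58.247.50.59 port 60725 ssh2
Mar 19 14:07:57 myhost sshd[15445]: Failed password for root from 58.247.50.59 port 49218 ssh2
Mar 19 14:09:02 myhost sshd[15490]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Mar 19 14:08:38 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12700 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 19 14:08:32 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12699 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 19 14:10:11 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=198.51.100.9 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4411 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""


@dataclass
class Event:
    kind: str                  # "ssh_fail" (sshd line) or "syn" (kernel CONNECT LIMIT line)
    ip: str
    ts: datetime
    user: Optional[str] = None
    dpt: Optional[int] = None


def parse_syslog(lines: List[str]) -> List[Event]:
    """Turn the two line formats into Events; anything else is ignored."""
    events: List[Event] = []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        s = SSHD_RE.search(line)
        if s:
            events.append(Event("ssh_fail", s.group("ip"), ts, user=s.group("user")))
            continue
        k = KERN_RE.search(line)
        if k:
            events.append(Event("syn", k.group("ip"), ts, dpt=int(k.group("dpt"))))
    return events


def root_first_seen(events: List[Event]) -> Dict[str, datetime]:
    """Lumpy's rule: one failed login as root is enough. Earliest attempt per source IP."""
    first: Dict[str, datetime] = {}
    for ev in events:
        if ev.kind == "ssh_fail" and ev.user == "root":
            if ev.ip not in first or ev.ts < first[ev.ip]:
                first[ev.ip] = ev.ts
    return first


def blackhole_rules(first_seen: Dict[str, datetime], days: int = 90) -> List[Tuple[str, datetime, str]]:
    """(ip, expiry, rule) triples; the expiry is for whatever later removes the rule."""
    return [(ip, ts + timedelta(days=days), f"iptables -I INPUT -s {ip} -j DROP")
            for ip, ts in sorted(first_seen.items())]


def ports_probed(events: List[Event]) -> Dict[str, Set[int]]:
    """Destination ports each source SYN-scanned, from the kernel lines."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for ev in events:
        if ev.kind == "syn" and ev.dpt is not None:
            ports[ev.ip].add(ev.dpt)
    return dict(ports)


def consistent_with_telnet_census(events: List[Event], ip: str) -> bool:
    """The census only logged in over telnet, so a source never seen on 23 was something else."""
    return 23 in ports_probed(events).get(ip, set())


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG.splitlines())
    for ip, expires, rule in blackhole_rules(root_first_seen(evs)):
        print(f"{rule}   # until {expires:%Y-%m-%d}, telnet scanner? "
              f"{consistent_with_telnet_census(evs, ip)}")
```

Two caveats for anyone turning this into a real script: ipset's per-entry timeout is capped at 2147483 seconds (just under 25 days), so a 90-day ban needs its own expiry bookkeeping, which is why the rules carry an expiry timestamp; and the first-root-attempt rule only makes sense alongside `PermitRootLogin no`, otherwise one mistyped password from your own laptop locks you out for three months.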

Ahahahaha (horrormirth) (2)

inode_buddha (576844) | 1 year,26 days | (#43224597)

I don't know if it's hilarious or frightening that they did this with default words. I *do* wonder if they're going to get into some trouble for doing this though. You could make some serious money off a botnet like that.

I can see where this is going (5, Insightful)

Daetrin (576516) | 1 year,26 days | (#43224599)

Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed.

They're so going to jail. [slashdot.org]

Re:I can see where this is going (1)

AvitarX (172628) | 1 year,26 days | (#43224739)

To be fair, they uploaded files and used the resources of the devices.

Talking about it is super ballsy. I personally am curious what the density of used addresses is though, as we're running low.

Re:I can see where this is going (1)

jeffmeden (135043) | 1 year,26 days | (#43224975)

It was included in the very interesting report... 400 million or so that replied to pings (about 15% of all the possible valid addresses). That suggests either a LOT of the IPV4 space is blocking pings, or that a lot of it is poorly allocated (I bet it's a little of the former and a lot of the latter). Many huge blocks are allocated to groups that couldn't possibly use them, such as developing nations or specific institutions with a relatively small number of users/servers.

Re:I can see where this is going (1)

0123456 (636235) | 1 year,26 days | (#43225497)

That suggests either a LOT of the IPV4 space is blocking pings, or that a lot of it is poorly allocated (I bet it's a little of the former and a lot of the latter).

I believe you'll find that Windows 7 defaults to blocking pings now. None of our Windows 7 machines respond to them.

Re:I can see where this is going (1)

Virtucon (127420) | 1 year,26 days | (#43224751)

That's what I was thinking, if the CFAA doesn't apply in this case, it needs to be retooled or scrapped altogether. They've now made their findings public, which strangely enough is just the kind of case the DOJ has been going after.

Re:I can see where this is going (5, Insightful)

Anubis IV (1279820) | 1 year,26 days | (#43224795)

If you're an ethical researcher wanting to run a distributed scan of the 'net, the proper way to do it is to use something like PlanetLab [planet-lab.org], which has been designed for uses like that and is freely available for research use. It's what everyone else uses, and it works great. Either that, or go and use your grant money to provision yourself appropriately for a job like this, which is what we did when I was in grad school. Commandeering routers and other devices for personal use is inexcusable.

Honestly, my first thought was, "What research ethics committee gave him the go-ahead?" My guess: the researcher didn't ask, because none of them would ever let him do it. Besides consuming bandwidth for tens or hundreds of thousands of Internet users without their consent (some of whom were likely capped), he's also loaded code onto their machines: code which they have no guarantee will work as expected in all circumstances. In fact, for all they know, they may have bricked tens of thousands of devices without realizing they did so, then taken their lack of response later as a simple incompatibility with his code.

When I was in grad school, we were doing web crawler and search engine research that was considered to be a bit on the edge of what was permissible (and our work resulted in serious threats of lawsuits aimed at our university), but we would never consider doing something like what they did. No credible conference or journal would publish this sort of work either, which is as it should be. Researchers have a responsibility to act responsibly, and this anonymous one didn't.

Also, you've said it was useful research, but it really wasn't. These vulnerabilities are widely documented, and those researchers were not only able to publish earlier, they were also able to do so without engaging in gross ethical violations.

Re:I can see where this is going (2, Insightful)

Anonymous Coward | 1 year,26 days | (#43225015)

Beauty of the internet: you don't need the cooperation of a responsible conference or journal to get published.

Re:I can see where this is going (4, Insightful)

Baloroth (2370816) | 1 year,26 days | (#43224903)

Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed. They're so going to jail. [slashdot.org]

Of course. They broke into others' computers, uploaded and executed binary files on them, without their permission, for their own purposes. That is both illegal and unethical. They should be punished for that.

The reason why they did it is not terribly relevant (although it doesn't make it worse, since the end was not itself a crime). The ends do not justify the means. Breaking the door of a house down to tell the owners their door is easily broken down is still breaking and entering.

Re:I can see where this is going (1, Informative)

DarkOx (621550) | 1 year,26 days | (#43225103)

I would be willing to entertain the argument if your device is set to the manufacturer's default published password with no banner making it clear the service is supposed to be publicly accessible; it's not very analogous to breaking and entering.

It's much more like you have locks on your house but don't use them; and someone lets themselves in, has a look around, does no harm and does not remove anything. No, it's still not allowed, you can't just march around someone's private property with no expectation you would reasonably be permitted and wanted there. That said it's not a serious crime either, it's simple trespassing.

That is really all this amounted to here. Everyone here getting so bent about it needs to get a sense of proportion.

Re:I can see where this is going (4, Insightful)

mcgrew (92797) | 1 year,26 days | (#43225317)

No, they left binaries on the devices and took data. That's more analogous to someone going into your unlocked house and trading your copy of LOTR with a candy bar wrapper left on the floor. Much more than simple trespass, it's trespassing, littering, vandalism, and theft.

Re:I can see where this is going (0)

Anonymous Coward | 1 year,26 days | (#43225495)

But, but, they were only implementing ipscan@home ... kind of ... but they had everyone's implicit permission because they never changed their passwords ... and everyone knows that if you don't do everything you possibly can to protect things then it's your fault that something happened ... and they even 'pinky swore' that they didn't do anything bad and only had the best of intentions.

Surely this is the fault of the device owners (for not changing their passwords), the device manufacturers (for installing default user/pass sets that weren't unique by device), and even those guys who invented the internet (for making it so easy to script this kind of thing). Won't someone think of the hackers, um, researchers?

Re:I can see where this is going (0)

Anonymous Coward | 1 year,26 days | (#43225195)

The reason why they did it is not terribly relevant (although it doesn't make it worse, since the end was not itself a crime).

It would be relevant to sentencing, because when that time comes if it's obvious you broke the law to be an asshat and say you'd do it again and want a huge sentence, you shouldn't be surprised if you get 41 months.

Re:I can see where this is going (1)

ak3ldama (554026) | 1 year,26 days | (#43224965)

My question: he posted his PGP public key, is that enough evidence to try to find and bust him? If I was him, i wouldn't care at all if someone else wanted to claim credit.

Just in case someone else tries to take credit for my work: My PGP public key

Re:I can see where this is going (0)

Anonymous Coward | 1 year,26 days | (#43225061)

It's not enough to find the "researcher" but if they find someone who has the corresponding private key on one of his or her machines it will be incredibly incriminating.

Re:I can see where this is going (1)

Hentes (2461350) | 1 year,26 days | (#43224999)

They deployed a botnet using other people's machines for their research. While I find it cool at some level, it's also definitely illegal.

Re:I can see where this is going (0)

Anonymous Coward | 1 year,26 days | (#43225391)

They should go to jail, because no matter what their intent was they broke many laws in many countries.

If you think they shouldn't be punished for these actions answer this question: what if a government or large company had done this but claimed they did it for the same reasons as this "researcher"? Would you still think it wasn't outrageous behavior and that someone shouldn't be held accountable?

Good tester , A+++++ (1)

alphatel (1450715) | 1 year,26 days | (#43224611)

Thanks for your test of the internet devices. Although I do not know what this means we have been able to determine that you have committed several criminal acts, and should expect at least a few years of jail time. Don't worry though, it's all for the greater good.

Uhm.. you probably broke the law (0)

Anonymous Coward | 1 year,26 days | (#43224623)

Despite your noble intent, this might lead to trouble for you. I would contact a criminal defense attorney.

Door (0)

SJHillman (1966756) | 1 year,26 days | (#43224639)

I don't like the idea of someone going around testing all of these devices any better than I like the idea of some guy going around my neighborhood checking to see if all the doors and windows are locked. There are a lot of places where that will get you shot.

Re:Door (0)

Anonymous Coward | 1 year,26 days | (#43224735)

You don't like the idea of this because
1.) you are afraid of what the person(s) testing the doors would do if one was open?
2.) you don't want other people to know that certain doors are left unlocked?

If it's 1.) then they found some open doors and recruited the inhabitant of the house to come help knock on other doors.
If it's 2.) then whoops someone (not me) is right now running the same scan and is uploading a binary which will "fix" the default password problem for fun and for profit

Re:Door (5, Interesting)

NeutronCowboy (896098) | 1 year,26 days | (#43224815)

Man, some people are a paranoid bunch. If someone leaves a flyer on my door that says "You had 2 open windows and one unlocked door", and a similar flyer is on everyone's door, I'll actually thank the good Samaritan. If I see someone looking at doors and windows, taking notes, then putting a flyer on my door, I'll ask him what he's doing, why, and find out what he's actually up to. If he's friendly and forthcoming, I'll thank him and send him on his way. If he's belligerent, then maybe I'll start to consider self-defense.

But to shoot someone just because they are walking around the neighborhood, surveying every house? Yeah, the US doesn't have a gun problem. We have a response problem.

Re:Door (1)

Eunuchswear (210685) | 1 year,26 days | (#43225029)

If I see someone looking at doors and windows, taking notes, then putting a flyer on my door, I'll ask him what he's doing, why, and find out what he's actually up to.

He's a double glazing salesman. Shoot first!

Re:Door (2, Insightful)

berashith (222128) | 1 year,26 days | (#43225081)

They did slightly more than look to see what was open. This is more like, "you had 2 open windows and one unlocked door, so I left some yogurt in your fridge and took pictures of your wife while she was sleeping. I will be posting the pictures to the world as proof, you are welcome for the yogurt. Enjoy!"

Re:Door (3, Insightful)

NeutronCowboy (896098) | 1 year,26 days | (#43225419)

Except he did not activate any webcams or gather any data beyond what ports were available and whether he was able to install his rootkit. Why didn't you extend the analogy even further to raping my daughters and defecating in my bed? I mean, why not go all out in the attempt to generate an emotional response to a completely unrelated problem? Does your post also mean that you would shoot the writer of this study, if you found out who he was?

And I feel again confirmed that the US doesn't have a gun problem, but a response problem: you conflate one thing with something vastly different, then determine response based on the emotional reaction you have to the vastly different thing.

Re:Door (4, Informative)

malakai (136531) | 1 year,26 days | (#43225163)

This wasn't a simple port scan. I RTFA, so let me help you out.

He ( there is no They or We, read the end of the article ) compromised devices and uploaded his own code. He was 'nice' about it, in the sense he set the priority to 'NICE' and he put in some watchdogs and throttled bandwidth usage. He then used those compromised devices to further utilize other devices to do even more work ( like using your Router HTTP interface to execute Traceroute on his behalf, possibly inside your network ).

For the vast majority of the IP's he just NMAP/ICMP sure, that's nothing these days. For the half a million devices he turned into his own bot net.... that's illegal.

Also, he then released all the data. You could say that's good, or you can say that as a script kiddie, all I have to do is d/l that torrent to get a list of IPs that run a version/flavor that I have a 0day on. No more need to scan the net myself.

This is going to accelerate bot net growth. That may be good, maybe we'll finally figure out some way to detach/block IP's that fail to patch.

Re:Door (2)

NeutronCowboy (896098) | 1 year,26 days | (#43225461)

The end-result was a list of ports that I may have open on my router/computers. Yes, the process used was illegal. Big fucking deal, so are a lot of things that are ok among civilized people. See for example betting on sports. But there was zero impact while his scan was on-going, and there was zero footprint left behind.

As for your comment that now a script kiddie has a list of unsecured IPs: that's my problem if my IP is on that list. He did a trivial scan, and if I take my security seriously, I should not be on there. If anything, it should be a test whether I can even talk about security in my own house, and I should be thankful for it.

Was it all clear, and would I have liked to get a heads-up? Sure. But if he did find my network, it's an incentive for me to take a closer look at security. Not to shoot the guy.

Re:Door (1)

mjr167 (2477430) | 1 year,26 days | (#43225215)

Since testing doors and windows requires trespassing... Besides, I am allowed to leave my door unlocked and still have the expectation of random people not opening it.

Public Internet ends at your router (0)

Anonymous Coward | 1 year,26 days | (#43225389)

Testing doors and windows is only equivalent if your house stands right on the public pathway (no front garden), so the testing can be done while standing on public property.

Electronically, the public Internet extends all the way to your router, it doesn't end on the public path outside, so the door analogy isn't really a good one.

Re:Door (0)

Anonymous Coward | 1 year,26 days | (#43225235)

If someone leaves that flyer on your door and then you come home to a house with 2 open windows, one open door, and no personal property left inside then you might change your tune.

A better plan would be to put a piece of paper in the mail slot in the door or mailbox so that it is most likely that only the owners would be informed of the insecurity of the house. That said, regardless of intent, a stranger walking around touching all the doors and windows in a neighborhood would most likely be getting... "interviewed" by the police shortly thereafter.

Re:Door (1, Insightful)

tqk (413719) | 1 year,26 days | (#43224817)

I don't like the idea of someone going around testing all of these devices any better than I like the idea of some guy going around my neighborhood checking to see if all the doors and windows are locked.

Ah, the ostrich plan. Don't run away; don't protect yourself; just stick your head in the sand, or put on the Beeblebrox safety glasses.

If he can do this, *please* imagine what a true black hat could do with it. FFS!!!111

BTW, seeing if a doorknob turns != opening the door.

Re:Door (0)

Anonymous Coward | 1 year,26 days | (#43225123)

Doesn't the ostrich plan involve leaving your rear end out in the open while keeping your eyes unawares of who's raping you from behind?

Re:Door (3, Interesting)

mark-t (151149) | 1 year,26 days | (#43225519)

Ostriches do not stick their heads in sand or ever try to simply ignore danger.

Ostriches are not cowardly, they will definitely put up a fight when they believe they have a good chance of winning. If you have ever seen an ostrich close up, you probably realize that they are big-ass birds that could easily wipe the floor with a good percentage of other creatures in the animal kingdom. If they encounter a situation that they cannot mitigate, however, then they will run away... being exceptionally good at it (they are the fastest running creature on two legs).

If, and only if, they have nowhere to run to, and they cannot mitigate the danger themselves, then they will lie very still, presumably in the hope that they will be ignored. They do not pretend that the danger is not there, however... and will generally resort to fleeing at the first opportunity. Their practice of lying still is where the myth that they stick their head in the sand comes from, and it's ironic that what is actually a very atypical behavior for that type of bird ever got to be somehow associated as something that they generally practice.

Re:Door (0)

Anonymous Coward | 1 year,26 days | (#43224847)

Only in third world countries where they allow anyone to have firearms in their houses.

Paperboy (0)

Anonymous Coward | 1 year,26 days | (#43224981)

This brings back fond memories of being a paperboy in the mid-80s. My route was small, about 80 customers IIRC. In that small sample there was one person who routinely fell asleep in front of the TV with the door ajar. On any given morning there could be keys left in any door. I knew who the drunk drivers were. I was in their front yard before they moved the car from its telltale catty-corner position in the driveway. Habitual drunk drivers had tire tracks in the grass next to the driveway.

Of course I never "tested" any of the doors. I suspect that if I had it would have revealed even more opportunity for theft.

I was the last youth carrier providing service to the door. After me they went to immigrants using cars, who always wrapped the paper whether it was raining or not, and tossed it into the driveway. I think that guy covered 500+ on his route.

"researcher"? Hardly. (1)

Anonymous Coward | 1 year,26 days | (#43224665)

"Anonymous researcher" indeed.

If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world), he wouldn't be called an "anonymous researcher", he'd be called a "mad scientist".

Re:"researcher"? Hardly. (3, Funny)

plover (150551) | 1 year,26 days | (#43224699)

If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world), he wouldn't be called an "anonymous researcher", he'd be called a "mad scientist".

And how do you know he didn't conduct these scans from his underground lair? For all we know, he may even own a Persian cat!

Re:"researcher"? Hardly. (2)

tqk (413719) | 1 year,26 days | (#43225071)

If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world) ...

What "infection" did this researcher transmit to his "victims"? Isn't this more like someone offering free susceptibility tests? They're on the net, meaning they're open to the offer. The net's always a potentially dangerous place if you're connected to it. Researcher tests to see if they're in any way vulnerable. Shazam, they are. Where's the story?

Re:"researcher"? Hardly. (2)

malakai (136531) | 1 year,26 days | (#43225233)

He uploaded a binary to 'insecure' devices, to run his code and build his own 'ethical' botnet.

This isn't just checking ports and default logins and reporting back.

enitre (1)

1u3hr (530656) | 1 year,26 days | (#43224753)

"scan the enitre IPv4 address space."

Slashdot "editors".

Otherwise, this seems even more blatant than the case a few days ago: 41 Months In Prison For Man Who Leaked AT&T iPad Email Addresses [slashdot.org]. And these guys actually cracked passwords, despite them being trivial defaults, that still crossed over a legal line.

Re:enitre (1)

SJHillman (1966756) | 1 year,26 days | (#43224769)

If they scanned the entire (or enitre) IPv4 space, I wonder if they found an unsecured router at 192.168.1.1. That's where I usually find one.

Re:enitre (1)

Nadaka (224565) | 1 year,26 days | (#43224809)

ha, mine is at 192.168.1.2, good luck cracking that one open!

Re:enitre (0)

Anonymous Coward | 1 year,26 days | (#43224891)

ha, mine is at 192.168.1.2, good luck cracking that one open!

The IPv4 test is coming from 192.168.1.3 ... GET OUT OF THE HOUSE!!!

Re:enitre (0)

Anonymous Coward | 1 year,26 days | (#43224831)

And these guys actually cracked passwords

While you're correcting the editors, let me correct you.

They did not "actually cracked passwords", they used DEFAULT passwords on the devices.

Try reading, it actually helps.

Re:enitre (2, Funny)

Anonymous Coward | 1 year,26 days | (#43224887)

Yeah, but what about the all the people who actually *chose* those passwords?

Re:enitre (0)

Anonymous Coward | 1 year,26 days | (#43225159)

Well, it's like real life, where if you leave your car open with the keys in it, it's your fault for a thief stealing it. The guy gets to keep the car, and also if the keys to your house are in there he gets to move in and take over your family. We applaud these noble "car security researchers" for walking up and down the street, then opening car doors, and using your car for ramming other cars and seeing if they too are locked. Nothing should happen to them ever, and if you didn't lock the car you need to get spit on and punched directly in the mouth.

This is a crime (0)

Anonymous Coward | 1 year,26 days | (#43224763)

The author just admitted to "several hundred thousand" counts of unauthorized access to a computer (or whatever the crime is technically called; I think I'm close)

ARIN (0)

Anonymous Coward | 1 year,26 days | (#43224823)

Probably just ARIN updating their records.

As a tax payer, don't waste my money (2, Insightful)

Anonymous Coward | 1 year,26 days | (#43224835)

If no actual harm was done then chasing after the researchers for prosecution is a waste of public money in my opinion, speaking as a tax payer.

And I mean actual harm, not the made-up harm of "unlawful use of computer equipment" or similar ones which are just infringements in principle, without actual harm done.

There are so many really bad guys out there to chase that this researcher should be way down on the priority list for enforcement, or using a bit of commonsense, not on it at all. And if he is identified then all he really deserves is a rap across the knuckles just for being unethical.

Re:As a taxpayer, don't waste my money (1)

TheSkepticalOptimist (898384) | 1 year,26 days | (#43224947)

Oh buddy, if you only knew how much of your taxes were wasted you would die several hundred deaths from apoplexy. This would be a drop in a very, very large bucket.

Re:As a taxpayer, don't waste my money (2)

RandomFactor (22447) | 1 year,26 days | (#43225327)

If s/he was truly careful enough that no systems showed issues and no one noticed, it is entirely possible law enforcement won't pay much attention (no complaints, bigger fish). Just needs to be careful not to fall into their laps.

Still, I wouldn't be surprised if some of the security research community doesn't take at least a passing look at things to see if they can track back to the author.

This is all very bad (4, Insightful)

houghi (78078) | 1 year,26 days | (#43224849)

Postings all go about how this is illegal and not about the technical situation.

It is sad times when people are more worried about the legal threat and ruining their lives and not about the technical implications.

How many people do not dare to bring solutions because they might be punished?

Re:This is all very bad (1)

byeley (2451634) | 1 year,26 days | (#43224949)

I don't see any surprising or useful technical implication. Do you?

Re:This is all very bad (0)

Anonymous Coward | 1 year,26 days | (#43225187)

Sure there's prolly blackhat uses for the info and someone wants it all archived somewhere public so it doesn't have to be gathered every time they want access to it. Also public so it doesn't look suspicious to be accessing it, plausible deniability n such.

Re:This is all very bad (1)

malakai (136531) | 1 year,26 days | (#43225253)

The only new technical implication is via the Torrent link: you can download his database which has the responses for different ports. With a simple query of his DB, you can tell the vulnerability of an IP address...

Takes the guesswork out of it really... That's something new, in the sense that the everyday script kiddie didn't have this prior to this research release.

Re:This is all very bad (-1)

Anonymous Coward | 1 year,26 days | (#43225175)

Why don't you just try and open every door on every house around where you live.... I'm sure you'll find many are unlocked.... So, let yourself in, take a shit on their kitchen floor, leave the faucet running, and then publish a map of every door you found to be open.

You're an idiot.

re: not about the technical situation (1)

King_TJ (85913) | 1 year,26 days | (#43225279)

I have to disagree with you on this....

First of all, I'm not sure there's really that much useful gained from such a project? An Internet Census for 2012 made with questionable code loaded onto all sorts of devices in unknown states without anyone's permission? How much validity can I put into those results? (How many devices didn't perform as intended while doing the port scans due to all sorts of possibilities outside the control of the people doing this research? Anything from people having firewalls blocking results from coming back on some of them to people realizing something was wrong when their bandwidth was consumed for no known reason and shutting the devices down would affect the information.....)

Beyond that, it's not even something all that original.... Plenty of people have attempted to estimate the number of IP addresses in use and who has which IP blocks, etc. Plenty more have looked at all of these studies, shrugged, and said "Who cares?" After all, the Internet is so dynamic, any tallies taken are but mere snapshots in time of a rapidly changing landscape. How many people will it really affect to know the approximate number of users/devices out there as long as they know it numbers in the "many millions" or more?

Re:This is all very bad (0)

Anonymous Coward | 1 year,26 days | (#43225541)

Let me put it this way ... would you want someone logging into your (mistakenly) open networked devices and running their code on them? How would you react?

If it's not illegal it sure is unethical. And if it's not unethical, I sure as hell wouldn't want someone doing this on my network. Also, the technical implications are obvious: a lot of people need to improve their security and new equipment/software installs shouldn't ship with default *dumb* passwords (i.e. constant and predictable ones) or none at all. What else is new?

After a reboot ...original state (1)

Dareth (47614) | 1 year,26 days | (#43224851)

"After a reboot the device was back in its original state including weak or no password with none of our binaries or data stored on the device anymore."

How do you calculate damages for lost uptime?

Re:After a reboot ...original state (5, Interesting)

malakai (136531) | 1 year,26 days | (#43225041)

They didn't force the reboot. So they don't need to calculate for lost uptime.
But they do concede what bandwidth they used and processing time. You could argue they used extra energy, CPU load, and bandwidth, and that equates to money.

What they really got 'lucky' on is that they didn't code in a fatal flaw and accidentally create something that had a race condition that resulted in a distributed DoS to every IP on the network. We've seen things come close to that in the past with worms. I put quotes around lucky because I think these guys did their homework, and specifically validated their experiment in a limited environment before releasing it.

That said, your test environment is rarely a perfect simulacrum for the real world.

It's a very scary grey hat project. I thought this finding was interesting though:

So, how big is the Internet?
That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450 Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could count as "in use". Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.

Based on their rather thorough analysis, only about half the IPv4 address space is being actively used.

I kind of feel this is a little akin to working with scientific research that comes from morally grey or even black experiments...

Another thing to consider about this, is based on the platform they built, they could go for the Black Knight approach, and rescue all the flawed devices without their consent. You could easily see taking this project and saying "How do we patch the devices in a way that causes the least amount of harm, and adds the most amount of security".....

Inoculation can kill though...

Fine line... very fine line. End of the day, these guys hacked and compromised systems with their own binaries, and then used them to compromise other devices. They'd go to jail if they were discovered. Simple truth.

Guy deserves any jail time he gets (2)

byeley (2451634) | 1 year,26 days | (#43224909)

While I personally support this kind of research,

The author is presumably an academic or industry professional (based on the formatting). As such, he knew what he was doing was illegal and had a significantly detrimental effect on low-resource systems. Furthermore, he can't blame a conviction on over-zealous prosecution or recent anti-hacker sentiment because he's obviously emulating Robert Morris (who received three years jail time for the Morris worm - convicted in 1990).

I also question how useful his scientific contribution is. While arguably more complete than other sources of data, there are a multitude of other projects offering data of similar (if not better) accuracy.

What are all these devices? (0)

Anonymous Coward | 1 year,26 days | (#43224935)

Home routers with factory defaults (linksys, netgear, etc)? Something else? Like single board computers in the desert collecting rainfall data?

If these were WINDOWS machines (0)

Anonymous Coward | 1 year,26 days | (#43224957)

If these were WINDOWS machines and not linux, y'all would be saying: "See! Windoze is teh Evil!!"

But since these machines mostly ran Linux, you don't blame Linux.

Re:If these were WINDOWS machines (1)

characterZer0 (138196) | 1 year,26 days | (#43225435)

Windows machines compromised via remote exploits in Windows: Windows sucks!
Windows machines compromised via stupid users who install anything? Windows users suck!
Linux machines compromised via default passwords: Administrators suck!

Some other variants of this project (0)

Anonymous Coward | 1 year,26 days | (#43224973)

How about using this trick to determine how unique MAC addresses really are?

Which is why (4, Funny)

Overzeetop (214511) | 1 year,26 days | (#43224987)

Which is why I always use admin/root for username and password on my systems. You'd think these people would learn not to be so careless. :-)

Expand this into survey research (2, Interesting)

coldsalmon (946941) | 1 year,26 days | (#43225023)

Have a team go door-to-door during working hours, when most people are not home. If they find an empty house with an unlocked door, go inside and use the phone to call a bunch of people and conduct your research. As long as you publish the addresses of all of the houses for academic purposes, nobody should mind.

Why are there no counter attacks? (2, Interesting)

TheSkepticalOptimist (898384) | 1 year,26 days | (#43225051)

I mean it should be possible to create a system that emulates an "open" server, but when a hacker opens up a connection and tries to upload or download data, then fire off a counter measure that will cripple the hacker's system?

I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

I can't believe that hackers are that smart as to outwit servers attempting to back-deploy payloads onto their systems, or even could block a counter attack. I mean with the mentioned botnet hack, it would seem pretty easy that if it "broke" into an unprotected server that server could send back a crippling packet or something. The botnet is running a service that scans and returns data so the violated server should be able to exploit that and dump terabytes of garbage data back to cripple the botnet. A Denial of Hack.

Actually if I was an active hacker I would rather enjoy luring other hackers to my "unprotected" servers only to f**k with them and mess up their systems.

Re:Why are there no counter attacks? (0)

Anonymous Coward | 1 year,26 days | (#43225227)

I mean it should be possible to create a system that emulates an "open" server, but when a hacker opens up a connection and tries to upload or download data, then fire off a counter measure that will cripple the hacker's system?

I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

I can't believe that hackers are that smart as to outwit servers attempting to back-deploy payloads onto their systems, or even could block a counter attack. I mean with the mentioned botnet hack, it would seem pretty easy that if it "broke" into an unprotected server that server could send back a crippling packet or something. The botnet is running a service that scans and returns data so the violated server should be able to exploit that and dump terabytes of garbage data back to cripple the botnet. A Denial of Hack.

Actually if I was an active hacker I would rather enjoy luring other hackers to my "unprotected" servers only to f**k with them and mess up their systems.

Who says they haven't?

Re:Why are there no counter attacks? (1)

_bug_ (112702) | 1 year,26 days | (#43225275)

The problem of launching a counter attack isn't technical, it's legal. A user broke into my system, they've broken the law. If I retaliate and break into their system, I'm now guilty of the same offense.

Could a case for self-defense be made? Maybe, but IANAL and I don't think a court would consider it in the same way they would a physical confrontation.

Re:Why are there no counter attacks? (0)

Anonymous Coward | 1 year,26 days | (#43225455)

Even for a self defence argument the court will expect you to explain why you didn't run away instead. There are lots of reasons you might have, but if asked you've got to persuade a jury that you reasonably believed running away wasn't an option, wouldn't make you safer, whatever. Except in "Stand your ground" states where the law is bonkers and frankly it's a wonder anyone's lived through that.

So there is no virtual equivalent, you always have the option to run away, switch things off, shut things down if you don't like what's happening.

Re:Why are there no counter attacks? (2)

Stuarticus (1205322) | 1 year,26 days | (#43225335)

I have a program that will do all this and make the hackers computer explode, email me $500 to buy it.

Re:Why are there no counter attacks? (1)

Anonymous Coward | 1 year,26 days | (#43225445)

Think about this for a minute: the chances are good that you are being attacked via someone else's compromised system. What is the advantage of DoSing some random residential user that is only involved because they picked a bad password? What are the risks of attacking a (compromised) corporate entity that has the resources to sue you and/or launch its own retaliatory strike? To make a loose analogy, it's like bombing the AA headquarters after 9/11.

xkcd (1)

tippe (1136385) | 1 year,26 days | (#43225079)

Way to go xkcd, you've been referenced in a legitimate research paper!

To get a visual overview of ICMP records we converted the one-dimensional, 32-bit IP addresses into two dimensions using a Hilbert Curve [wikipedia.org], inspired by xkcd [xkcd.com].
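The Hilbert-curve layout quoted above is worth seeing in code, because it is the reason a scan of 4 billion addresses can be drawn as a readable picture: consecutive blocks land in adjacent cells, so a contiguous allocation (a /8, a /16) stays a contiguous patch instead of being smeared across rows. The example below is added here and is not the paper's or xkcd's code; it implements the standard distance-to-coordinate Hilbert mapping and places each IPv4 address in the cell of its /8 (or /16) block. The list of "pingable" addresses is a constructed sample for illustration, not data from the census.

```python
"""Hilbert-curve layout of the IPv4 address space (added example)."""
import ipaddress


def _rot(n: int, x: int, y: int, rx: int, ry: int) -> tuple[int, int]:
    """Rotate/flip one quadrant so its sub-curve joins the neighbouring ones."""
    if ry == 0:
        if rx == 1:
            x = n - 1 - x
            y = n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n: int, d: int) -> tuple[int, int]:
    """Map distance d along the Hilbert curve to (x, y) on an n-by-n grid.

    n must be a power of two and 0 <= d < n*n. The curve starts at (0, 0)
    and ends at (n-1, 0); consecutive d values are always neighbouring cells.
    """
    if n <= 0 or n & (n - 1):
        raise ValueError("grid side must be a power of two")
    if not 0 <= d < n * n:
        raise ValueError("d out of range for this grid")
    x = y = 0
    s = 1
    t = d
    while s < n:
        rx = 1 & (t // 2)          # which half of the current square, horizontally
        ry = 1 & (t ^ rx)         # and vertically, after the curve's own twist
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4                   # descend one level: 4 sub-squares per square
        s *= 2
    return x, y


def ipv4_to_cell(addr: str, prefix_len: int = 8) -> tuple[int, int]:
    """Return the grid cell of the /prefix_len block containing addr.

    prefix_len must be even so the number of blocks is a square grid:
    /8 gives 256 cells on a 16x16 grid (one per first octet, as in the xkcd
    map); /16 gives 65536 cells on a 256x256 grid.
    """
    if prefix_len % 2 or not 2 <= prefix_len <= 32:
        raise ValueError("prefix length must be even and between 2 and 32")
    block = int(ipaddress.IPv4Address(addr)) >> (32 - prefix_len)
    side = 1 << (prefix_len // 2)
    return d2xy(side, block)


def max_step(n: int) -> int:
    """Largest Manhattan distance between consecutive curve points (1 if locality holds)."""
    prev = d2xy(n, 0)
    worst = 0
    for d in range(1, n * n):
        cur = d2xy(n, d)
        worst = max(worst, abs(cur[0] - prev[0]) + abs(cur[1] - prev[1]))
        prev = cur
    return worst


def render_map(hit_addrs, prefix_len: int = 8) -> str:
    """ASCII map: '#' where a block had at least one responding host, '.' otherwise."""
    side = 1 << (prefix_len // 2)
    grid = [["." for _ in range(side)] for _ in range(side)]
    for addr in hit_addrs:
        x, y = ipv4_to_cell(addr, prefix_len)
        grid[y][x] = "#"
    return "\n".join("".join(row) for row in grid)


# Constructed sample, not census data: documentation/test ranges plus two
# well-known resolvers, standing in for "one or more hosts answered ICMP".
SAMPLE_PINGABLE = ["1.1.1.1", "8.8.8.8", "192.0.2.10", "198.51.100.7",
                   "203.0.113.9", "198.18.0.1"]

if __name__ == "__main__":
    print(render_map(SAMPLE_PINGABLE))
```

The `max_step` check is the property that makes the layout useful: if it ever returned more than 1 the mapping would be wrong and neighbouring /8s would no longer touch. To reproduce the paper's finer picture, feed `render_map` the responding addresses with `prefix_len=16` and emit the 256x256 grid as an image instead of text.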

Re:xkcd (1)

Kurast (1662819) | 1 year,26 days | (#43225255)

Way to go xkcd, you've been referenced in a legitimate research paper!

To get a visual overview of ICMP records we converted the one-dimensional, 32-bit IP addresses into two dimensions using a Hilbert Curve [wikipedia.org], inspired by xkcd [xkcd.com].

There, I am fixing it for you: illegitimate paper

You can't do this (0)

Anonymous Coward | 1 year,26 days | (#43225107)

You can't break into someone's house in the middle of the night and then say you were simply being benevolent in calling a security vulnerability to their attention.

These people are criminals and deserve to go to prison for what they have done.

Jail (0)

Lawrence_Bird (67278) | 1 year,26 days | (#43225313)

This is blatant unauthorized access and he went further than just "checking the door knob". He went into the house and left a gift behind too. Seriously, this guy should face charges. I'm pretty libertarian when it comes to most things but this is just over the top.

Re:Jail (1)

characterZer0 (138196) | 1 year,26 days | (#43225489)

What should the punishment be? A fine? Prison? Banned from the Internet?

He should be punished. Jail time is expensive for the taxpayers and harsh for somebody who, however misguided, was trying not to hurt anybody. I would suggest lots of community service.

Fiction (1)

Lost Race (681080) | 1 year,26 days | (#43225385)

I'm pretty sure this story is a very elaborate piece of fiction. That makes way more sense than somebody clearly so smart going to so much trouble to earn themselves a life sentence in prison.

Maybe last year we could expect someone to do this for real, but not this post-1/11 world.

Announced a free DDOS engine (1)

mattr (78516) | 1 year,26 days | (#43225397)

The only result I can see from this guy's "research" is to announce to the world the existence of a low-barrier-to-entry DDoS platform.
What could possibly go wrong...
I'm tired of seeing people jailed who are curious about security. But he needs a clue. Guys like this are why I expect Bill Joy wrote his treatise. One man's Epic h4ck is another man's Epic FAIL.
Of course his ethics are canted at an angle to reality, but if he had just gone a bit farther off the deep end and actually fixed all the password vulnerabilities he might have made history. Not that I am recommending anyone do it.
