
The Search Engine More Dangerous Than Google

Soulskill posted 1 year,10 days | from the or-perhaps-a-catalog-of-people-doing-dangerous-things dept.

Security

mallyn writes "This is an article about a search engine that is designed to look for devices on the net that are not really intended to be viewed and used by the general public. Devices include pool filters, skating rink cooling system, and other goodies. 'Shodan runs 24/7 and collects information on about 500 million connected devices and services each month. It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan. ... A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.'"


210 comments

Oh yeah, here it is my homies (-1)

Anonymous Coward | 1 year,10 days | (#43405221)

First Post for Jesus

Keepin it real with JC in the hizzouse

Got to give him some props. Tip of the cap to him for this first post.

dangerous? (3, Insightful)

schlachter (862210) | 1 year,10 days | (#43405225)

Is google dangerous? Sure, it can be used to do bad things. But that's like saying we've discovered a liquid more dangerous than water.

Re:dangerous? (5, Funny)

The MAZZTer (911996) | 1 year,10 days | (#43405255)

Dihydrogen Monoxide is no laughing matter.

Re:dangerous? (0)

Anonymous Coward | 1 year,10 days | (#43405517)

The proper, IUPAC-suggested name is o x i d a n e !
Some people will never learn >.

What is wrong with you mods!? (2, Insightful)

Anonymous Coward | 1 year,10 days | (#43406159)

He states, and I quote:

no laughing matter.

And you go ahead and mod him "Funny"

Re:dangerous? (0)

Anonymous Coward | 1 year,10 days | (#43406365)

The leading cause of death for sailors.

Re:dangerous? (2)

interkin3tic (1469267) | 1 year,10 days | (#43405295)

But imagine if someone googled "how to clone hitler"!!! ~

Re:dangerous? (1)

Anonymous Coward | 1 year,10 days | (#43405833)

But imagine if someone googled "how to clone hitler"!!! ~

It would pull up pictures of job and George bush

Re:dangerous? (3, Insightful)

poetmatt (793785) | 1 year,10 days | (#43406029)

Google isn't dangerous. People being asinine with computers is dangerous, as any search engine can clearly indicate.

Obligatory (2, Funny)

Anonymous Coward | 1 year,10 days | (#43405237)

L-L-Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors.

Re:Obligatory (0)

firex726 (1188453) | 1 year,10 days | (#43405483)

I miss SS2, Bioshock is just too dumbed down.

Re:Obligatory (1)

Anonymous Coward | 1 year,10 days | (#43405891)

I think more than the console-friendly design choices, the atmosphere of these games suffers from the excessive violence brought on by going after the "action genre" rather than "horror". Bioshock and Bioshock Infinite have some very interesting and imaginative worlds that get smothered by combat as a filler between the actually interesting portions of the game. I wish Irrational had the mandate to make these games as adventure games instead while holding onto their budget, so that I could interact with this interesting society in forms other than shooting the bejeezus out of it.

Re:Obligatory (1)

Zargg (1596625) | 1 year,10 days | (#43405757)

grrr, I just got goosebumps from reading this and hearing her voice in my head. Time to dig up the cd...

Re:Obligatory (0)

Opportunist (166417) | 1 year,10 days | (#43405807)

As if Xerxes' announcements were any less scary, not to mention that face. Then again, it was her all along, so...

astounding that defaults are not tougher (1, Insightful)

swschrad (312009) | 1 year,10 days | (#43405251)

I mean, how hard is it to ship new devices with something tougher than admin and 1234?

Re:astounding that defaults are not tougher (5, Funny)

Em Adespoton (792954) | 1 year,10 days | (#43405285)

I mean, how hard is it to ship new devices with something tougher than admin and 1234?

they should at least change the account name from "admin" to "luggage"....

Re:astounding that defaults are not tougher (1, Interesting)

Joce640k (829181) | 1 year,10 days | (#43405505)

They could keep "admin" but print a unique password on the router.

Re:astounding that defaults are not tougher (2, Interesting)

Anonymous Coward | 1 year,10 days | (#43406203)

They could keep "admin" but print a unique password on the router.

Admin and Root are so commonly used across so many different hardware platforms and software applications that it's best to default to something else and immediately treat any login attempt by either as a hostile intrusion attempt.

But as for why hardware ships with such easy defaults, it's because it's a default and as such, you should assume that damn near anybody on the planet who wants it, will get it eventually. So unless you're going to ship a different login/pw with every last unit, there's not really much of a point. And doing that is a sheer nightmare from a technical support perspective, and frankly isn't worth doing unless you have a very limited list of customers.

It's better to go with an easy default and some kind of mechanism that will constantly bother the user until it gets changed.

Re:astounding that defaults are not tougher (0)

Anonymous Coward | 1 year,10 days | (#43406147)

That's funny, I use the same combination for my air shield.

Re:astounding that defaults are not tougher (5, Insightful)

Hatta (162192) | 1 year,10 days | (#43405289)

Using a complex default will fool people into thinking the default is secure, and more people will fail to change it. If you're using the same default for every device, it doesn't matter what you use, it's not secure and needs to be changed.

Now they could issue a different default for every device, but that would require printing a unique card for each device, which is significantly more effort than just telling users to change the default login.

Re:astounding that defaults are not tougher (5, Insightful)

Attila Dimedici (1036002) | 1 year,10 days | (#43405439)

You hit a good point. There is a corollary to it, most devices have a method of resetting the login to the default (usually something that requires physical access to the device) because there are a significant number of times when for one reason or another the correct login credentials have been lost. If the manufacturer does not use the same default login credentials for every one of a particular device and the end user has lost the card they sent with it that has the default credentials (an eventuality that is likely in those cases where the changed credentials have been lost) the company will either have to have maintained a database of the default credentials for every one of their devices they have shipped, or the end user will be SOL (which will probably result in them being very unhappy with the manufacturer).
The fact of the matter is that a lot of these devices are going to be things which are infrequently accessed, so even if you file the credentials away in a "safe, secure" location by the time you need them again you may have forgotten where that was.

Re:astounding that defaults are not tougher (2)

tlhIngan (30335) | 1 year,10 days | (#43405699)

You hit a good point. There is a corollary to it, most devices have a method of resetting the login to the default (usually something that requires physical access to the device) because there are a significant number of times when for one reason or another the correct login credentials have been lost. If the manufacturer does not use the same default login credentials for every one of a particular device and the end user has lost the card they sent with it that has the default credentials (an eventuality that is likely in those cases where the changed credentials have been lost) the company will either have to have maintained a database of the default credentials for every one of their devices they have shipped, or the end user will be SOL (which will probably result in them being very unhappy with the manufacturer).

If resetting the device requires physical access, then just engrave the default password on the case like you do the serial number and other vital details. That way, when you reset the box, the details to log in are there on the case.

If you manufacture it right, the reset button will be above the details of that device (serial number, MAC address, etc.) and the technician need only look further down for the password.

No cards to lose, even if it's dirty it's still readable, no sticker to fall off, etc.

Re:astounding that defaults are not tougher (2)

gbjbaanb (229885) | 1 year,10 days | (#43406349)

I have a new Netgear router; the username and password were printed on the bottom along with the serial number (which I assume is unique). If they can do this, then making a random default password of 2 or 3 words concatenated together (as is the case with the Netgear password) can't be too hard.

In the case of a truly lost password, like the serial number sticker was damaged or stupidly removed for "safekeeping", then you could always re-flash the firmware with an update, last I remember you only need physical access to the emergency reset pinhole on the device (after all, sometimes the device is unwilling to let you logon even if you do know the password - I've had this happen to me after a power blackout)

Besides, you think the companies won't be happy with a policy of "we're sorry, but you need to purchase another one, here's a link to our online store".

Re:astounding that defaults are not tougher (1)

Anonymous Coward | 1 year,10 days | (#43405455)

Using a complex default will fool people into thinking the default is secure, and more people will fail to change it. If you're using the same default for every device, it doesn't matter what you use, it's not secure and needs to be changed.

Now they could issue a different default for every device, but that would require printing a unique card for each device, which is significantly more effort than just telling users to change the default login.

Not that any of this bullshit matters anyway, as evidenced by the very existence of the search engine we're discussing, and the thousands of devices found with the default password...

Re:astounding that defaults are not tougher (1, Interesting)

bbcisdabomb (863966) | 1 year,10 days | (#43405533)

Instead of making the manufacturers print a unique card for each device, how about people change their credentials and print their own cards? Complex machinery in secure locations can be well served by a laminated card with the credentials printed on it.

Re:astounding that defaults are not tougher (2, Insightful)

Anonymous Coward | 1 year,10 days | (#43405963)

Instead of making the manufacturers print a unique card for each device, how about people change their credentials and print their own cards?

That happens to be the way it's done already. Ask Shodan how well it's working out.

Re:astounding that defaults are not tougher (0)

Anonymous Coward | 1 year,10 days | (#43405581)

Or use all or part of the device serial number, mac address or ESN as the password. Which are typically printed on the device anyway. Just change the quick start guide to let the user know what number on the device to use.

Re:astounding that defaults are not tougher (2)

swb (14022) | 1 year,10 days | (#43405601)

For network devices, what about some compromise that combined some part of the serial number and last 3 bytes of the MAC address? Most devices have the serial number machine readable and presumably the MAC address is as well.

This would make guessing far more complicated, especially if there was some effort made in production to "randomize" serial number and MAC address relationships so they didn't march in linear lockstep.

These values should be easily found on the equipment if there was any question as to what they were, and the ROM could be configured in such a way that any "factory reset" would use this combination automatically.

This wouldn't be perfect security -- brute forcing attacks would probably be less hard as the MAC and S/N space would be known, but with a non-linear association between serial numbers and MACs it might still be time-consuming -- a 12 character password of even known value ranges but semi-random relationships would still be time-consuming.

Re:astounding that defaults are not tougher (1)

AvitarX (172628) | 1 year,10 days | (#43406031)

They could program it (in ROM) that a blank password meant to check against any of the mac addresses.

This would mean local access setup CDs would be easier to use, and that nobody outside of the LAN would know the default password. This would make sure the types that use setup CDs have it even easier, and would not require burning a unique password into ROM for a hard reset to still match.

Re:astounding that defaults are not tougher (1)

greg1104 (461138) | 1 year,10 days | (#43406071)

Most of the broadband modem/router devices I see now have a little sticker with unique information like the SSID, MAC address, and WPA key printed on them. You could usefully improve things just by making the default router password be the WPA key. People you've given the WPA key to would then also be able to reconfigure the router in the default config, but that's basically how it works now. When I visit someone non-technical and they invite me to read the WPA key from the router, invariably once I'm on the network I find I can then administer the router using its default, shared by every model password.

It would be nice to have a separate admin password printed on the sticker though. The main problem with using one derived from information the client computers know is that trojans on those clients can still be smart enough to hack into the router they're behind, and then open up the whole network from there.

Re:astounding that defaults are not tougher (0)

Dr. Sheldon Cooper (2726841) | 1 year,10 days | (#43405303)

1 2 3 4 is no less secure than 4 t & q, mathematically speaking.

Re:astounding that defaults are not tougher (0)

Anonymous Coward | 1 year,10 days | (#43405791)

Sheldon, if you were forced to choose one of these two for your master password, which would it be, mathematically speaking?

Re:astounding that defaults are not tougher (2)

PSVMOrnot (885854) | 1 year,10 days | (#43405799)

1 2 3 4 is no less secure than 4 t & q, mathematically speaking.

Only in the naive combinations case, when we discard the priors.

In other words, the probability of 1234 being the password is not just 1/num_possible_combinations, but also the probability of 1234 being the default chapter AND the default password not having been changed.

Re:astounding that defaults are not tougher (0)

Opportunist (166417) | 1 year,10 days | (#43405845)

Mathematically speaking, the lottery numbers 1 2 3 4 5 6 should net you the same reward in case of them being picked, too. Welcome to the human factor.

Re:astounding that defaults are not tougher (0)

Anonymous Coward | 1 year,10 days | (#43405885)

Actually 1 2 3 4 is far less secure than 4 t & q because the character set present in the second is much larger.

Re:astounding that defaults are not tougher (4, Insightful)

WindBourne (631190) | 1 year,10 days | (#43405887)

I will pay u a dime for every system that currently has 4t&q for password, if u pay me a penny for those with 1234 password. Deal?

Re:astounding that defaults are not tougher (2)

retchdog (1319261) | 1 year,10 days | (#43406111)

mathematically speaking, they're incomparable until you define a probability space.

Re:astounding that defaults are not tougher (4, Funny)

jeffmeden (135043) | 1 year,10 days | (#43405321)

I mean, how hard is it to ship new devices with something tougher than admin and 1234?

We tried using "12345" as the default but that turned out to be a bad idea, too.

Re:astounding that defaults are not tougher (0)

Anonymous Coward | 1 year,10 days | (#43405329)

My router has a unique default password per device that's printed on the label of the machine. This would be a major inconvenience if that label ever got damaged or I transplanted the innards into another shell.

Re:astounding that defaults are not tougher (1)

Joce640k (829181) | 1 year,10 days | (#43405565)

They could have a unique default but a special uber-reset that sets it to '1234'.

Re:astounding that defaults are not tougher (3, Insightful)

femtobyte (710429) | 1 year,10 days | (#43405349)

So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

Re:astounding that defaults are not tougher (5, Interesting)

jeffmeden (135043) | 1 year,10 days | (#43405433)

So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

To that end, the best option (but scarcely used on hardware interfaces) is to force someone to login as the admin before the device is functional, and during that login to force them to set a new password (with certain password rules prohibiting foolishly simple passwords). Do this, and the problem almost goes away, but the new problem of constant password recovery questions flooding tech support will commence. Most companies, sadly, choose the less secure/less pesky route of just letting it run with the default perpetually.

Re:astounding that defaults are not tougher (3, Insightful)

cstdenis (1118589) | 1 year,10 days | (#43406097)

Too expensive in lost sales.

"I want to return this device. I plugged it in and it doesn't work"

Re:astounding that defaults are not tougher (0)

Anonymous Coward | 1 year,10 days | (#43406259)

Yep, this is the fundamental problem with security in consumer grade hardware.

Consumers aren't capable of maintaining secure hardware, so in order to sell enough to be worthwhile you need to make the system hilariously insecure (usually by adding easy bypasses to whatever security systems you added because marketing wanted the checkbox on the package).

Re:astounding that defaults are not tougher (4, Insightful)

sinij (911942) | 1 year,10 days | (#43405435)

No default password could be secure. The only way is to force password change on first use.

Re:astounding that defaults are not tougher (2)

Opportunist (166417) | 1 year,10 days | (#43405863)

Fine with a "real" computer, not really doable with a router. I don't even want to know how many of them are used without anyone ever having connected to them.

And no, setting them up in a way that they don't "just work" out of the box is not really a solution either. Then the box is "too complicated" and people stop buying them in favor of a competitor's product, try to get that past marketing.

Re:astounding that defaults are not tougher (1)

sinij (911942) | 1 year,10 days | (#43405971)

You really think something like redirect to "type in a new password" page on first use would kill sales? Most people understand that you need to have wireless password or your neighbors use up your megabytes, is adding router password such a stretch?

Re:astounding that defaults are not tougher (1)

Opportunist (166417) | 1 year,10 days | (#43406131)

Where do those "Most people" live and can I move there? I'd love to live in a neighborhood with a hint of a clue. Then again, I don't, I'd lose my free WiFi access.

Trust me, "most people" don't even understand why to have a password on their WiFi. And more than a few have no WiFi because their router/AP combo needs to have that configured before use and they couldn't figure it out, but the router "worked", so they stick with wired.

Yes, I'm fairly sure such a requirement would label your routers as "complicated", compared to those "easy to use", insecure, ones. At the very least, you should prepare for a lot of incoming support calls.

Re:astounding that defaults are not tougher (2, Insightful)

HCase (533294) | 1 year,10 days | (#43405463)

That would be a bad idea.

1. A default password is a default password, and should be assumed to be public knowledge.
2. A complicated default password will accidentally trick users into thinking it is more secure than admin/1234. For example, you have already been tricked.
3. If the device is reset to factory default, the password won't be easily remembered, so a device may be stranded in a default or even unusable state until the owner can find the password via documentation, help-desk, or internet database of default passwords.

A partial fix that is sometimes used, is to give each individual device a separate password, and include this password inside the packaging or attached via sticker. This is somewhat more secure but can lead to problems itself. The user may keep the password, and the password may not be truly unique, or may be guessable. If the password is damaged/lost, the device may be rendered unusable if reset to its default state.

Re:astounding that defaults are not tougher (1)

Rogue974 (657982) | 1 year,10 days | (#43405611)

I was going to make your point #1 and agree with your #2 and #3.

Your last paragraph though is a HUGE problem. If you lose that piece of paper because it was separated from the packaging, or got wet while sitting in the warehouse and maintenance pulls it off the shelf to install it and it is useless, then the manufacturer gets a huge earful because the facility was down because they were stupid enough to write the unique password on a slip of paper that was tossed with the packaging.

In the world of instrumentation, as your first point said, the defaults are well known and if you want to find them out, all you have to do is google the name of the device + manual.

Re:astounding that defaults are not tougher (1)

F. Lynx Pardinus (2804961) | 1 year,10 days | (#43405859)

A partial fix that is sometimes used, is to give each individual device a separate password, and include this password inside the packaging or attached via sticker. This is somewhat more secure but can lead to problems itself. The user may keep the password,

I believe this is what Verizon FIOS does with their routers--there's a sticker on the side with a (looks like random) WPA key and admin password. I assumed that it would be fine to just leave it as is--is there a downside to not changing the info?

Re:astounding that defaults are not tougher (1)

gthazmatt (1454399) | 1 year,10 days | (#43405481)

No, defaults should be as easy as they are. However, you should be forced to change the default password before connecting to your ISP.

Re:astounding that defaults are not tougher (1)

Opportunist (166417) | 1 year,10 days | (#43405915)

Then your box will sit like lead on the shelf because your competitor's box "just works" while I'd have to actually know something to use yours.

Hell, did Apple really teach us nothing? They don't sell 'cause of the shiny, they sell because they "just work". That's what people want and that's what they'll buy, to hell with security.

Doesn't say that I agree with that, far from it. But when ease of use competes with security, ease of use will win. Every single time. Unless you can make that box somehow pop up a window on the user's PC where he has to do NOTHING but enter some kind of password and then it just works, people will not accept it.

Re:astounding that defaults are not tougher (1)

scubamage (727538) | 1 year,10 days | (#43405925)

I have to agree with you. A number of MSO's supply routers and modems whose default username/password are based on the mac address, so every device has a unique combination.

Re:astounding that defaults are not tougher (1)

EZLeeAmused (869996) | 1 year,10 days | (#43406047)

I mean, how hard is it to ship new devices with something tougher than admin and 1234?

No doubt. They should ship new devices with the default loginname "ImAnIgnorantFool" and the password "andEveryoneKnowsIt"

Dangerous? Hah (3, Interesting)

GameboyRMH (1153867) | 1 year,10 days | (#43405287)

There are some more dangerous than this that don't put silly search limitations on their users and are geared specifically for black hat use.

Re:Dangerous? Hah (1, Funny)

Anonymous Coward | 1 year,10 days | (#43405937)

Any specific ones? I'm not trying to sabotage a water park or anything, just curious...

Internet of things (3, Insightful)

Hentes (2461350) | 1 year,10 days | (#43405309)

But that's the next big thing, haven't you heard? Giving net access to unsecured hardware is the way forward!

Shodan (0, Insightful)

Anonymous Coward | 1 year,10 days | (#43405315)

"Look at you, Hacker. A pathetic creature of meat and bone. Panting and sweating as you run through my corridors. How can you challenge a perfect, immortal machine?"

Great resource (0)

Max DollarCash (2874161) | 1 year,10 days | (#43405355)

It's a great resource to find exploitable machines specific to your exploit version. The paid model does make it a bit less accessible for the general public. They also offer a nice API that allows you to query for IPs directly from within your exploit, allowing you to build scanners for automatic exploitation. It's a powerful tool, but with great power comes great responsibility.

Great research, but two nitpicks (1)

jeffmeden (135043) | 1 year,10 days | (#43405375)

How many of these are clever honeypots deployed by whitehats? Probably not a significant proportion, but certainly some are.

And two: if there really are so many unprotected, highly critical, easily discovered devices, why is e-havoc not commonplace? Could the threat from internet connectivity be overstated? Surely if a service doesn't need to be on the internet at large, it shouldn't be. These kinds of reports presume that every system is vulnerable (and that's an appropriate assumption if you are in the security business), but is it the reality? Past performance would suggest otherwise. How often do traffic lights go haywire?

Re:Great research, but two nitpicks (2)

F. Lynx Pardinus (2804961) | 1 year,10 days | (#43405909)

And two: if there really are so many unprotected, highly critical, easily discovered devices why is e-havoc not common place?

Well, there's lots of unprotected, highly critical, easily discovered people and places in the US, but real-world havoc is also relatively uncommon. Probably for the same reasons--most people aren't evil, and there are harsh consequences for those who are.

Old news (0)

Anonymous Coward | 1 year,10 days | (#43405403)

This is outdated news... wasn't it 2 DEFCONs ago they had Shodan on display?

Though, yea.. it is interesting watching the security cameras that are set up in my local police department. Big Brother is watching you.. who is watching Big Brother? Me.

Slashdot brings you yesterday's news today (1, Insightful)

damn_registrars (1103043) | 1 year,10 days | (#43405461)

I was reading this same CNN article yesterday. I considered submitting it here but figured people had already read it... guess not. Glad I can still come here to find yesterday's news, though.

Re:Slashdot brings you yesterday's news today (-1)

Anonymous Coward | 1 year,10 days | (#43405649)

Well done.

Re:Slashdot brings you yesterday's news today (0)

Anonymous Coward | 1 year,10 days | (#43405815)

I was reading this same CNN article yesterday. I considered submitting it here but figured people had already read it... guess not. Glad I can still come here to find yesterday's news, though.

You must be new here.

Re:Slashdot brings you yesterday's news today (2)

Daniel Dvorkin (106857) | 1 year,10 days | (#43406009)

Believe it or not, we live in a world in which interesting stories often take more than twenty-four hours to play out, and are still worth discussing some time after the CNN blurb appears.

Re:Slashdot brings you yesterday's news today (0)

damn_registrars (1103043) | 1 year,10 days | (#43406127)

Believe it or not, we live in a world in which interesting stories often take more than twenty-four hours to play out, and are still worth discussing some time after the CNN blurb appears.

Believe it or not, but slashdot used to be a site that got tech news before it broke in the mainstream outlets. A story being featured on slashdot used to be an accomplishment for a story, showing it was important to geek culture. Now, slashdot just fishes old headlines from drudgereport, breitbart, fox news, and occasionally CNN.

L-look at you, Hacker... (1)

Andrio (2580551) | 1 year,10 days | (#43405475)

...panting and sweating as you browse through my indexes.

Re:L-look at you, Hacker... (0)

Anonymous Coward | 1 year,10 days | (#43405905)

Third redundancy!! Isn't anyone reading before moderating? REDUNDANT, motherfuckers, learn it! This exact comment was posted THREE TIMES yet you mod it up.

Server Down (0)

Anonymous Coward | 1 year,10 days | (#43405485)

I think the /. community just took down the server :)

Re:Server Down (1)

wierd_w (1375923) | 1 year,10 days | (#43405567)

But SHODAN uses fractal data storage technology! She will just regenerate the damaged nodes, then fire the mining laser at earth, just like she promised to!

Fools left its control systems using the default passwords!

(Giggle)

Particle accelerator - may not be so bad (1)

joe_frisch (1366229) | 1 year,10 days | (#43405531)

The mention of a "cyclotron particle accelerator" control system sounds scary, but may not be. At least here at SLAC there are several levels of control systems, and the ones involved in life safety require physical access to locked areas. Even if someone somehow broke both electronic and physical security, machines like this are not very dangerous; the risk is similar to a typical factory.

I expect that nuclear reactors are far more secure. The "command and control" system may not actually control the reactor, but just provide monitoring.

Re:Particle accelerator - may not be so bad (1)

Tablizer (95088) | 1 year,10 days | (#43405897)

"Click here to create mini black-holes that will eventually swallow Earth."

Andromeda is already printing Earth's Darwin Award.
   

Re:Particle accelerator - may not be so bad (0)

Anonymous Coward | 1 year,10 days | (#43406017)

Sorry about that, this is my get-punched-in-the-face-over-internet experiment. Feel free to use it, but I suggest staying away from "not the face" setting, it is kind of glitchy. Cyclotron particle accelerator was my last project and I didn't get around to renaming.

Shodan ... (0, Redundant)

dougmc (70836) | 1 year,10 days | (#43405577)

"Look at you, hacker. A pathetic creature of meat and bone. Panting and sweating as you run through my corridors. How can you challenge a perfect immortal machine?"

So ... many ... great ... quotes! [wikiquote.org].

Shodan was one of the best computer game villains ever!

Signup needed (2)

MindPrison (864299) | 1 year,10 days | (#43405739)

You need to sign up and register if you actually want to use it.

Which technically will hold you liable for anything you search for, smart - and yet useless.
Services don't work, constantly fail, down for maintenance, etc.

shoddy'an...

You Know What They Say About Obscurity... (0)

Anonymous Coward | 1 year,10 days | (#43405777)

Security through obscurity is not security at all.

Even scarier (4, Interesting)

Beorytis (1014777) | 1 year,10 days | (#43405847)

Even scarier is that if you follow one of the Shodan search results and login with admin:1234, you might end up in federal prison.

Re:Even scarier (0)

Anonymous Coward | 1 year,10 days | (#43406053)

Even scarier is that if you follow one of the Shodan search results and login with admin:1234, you might end up in federal prison.

and make Shodan's owner an accomplice to the crime

I would sue

The new FiOS routers ship with a random pass (1)

eksith (2776419) | 1 year,10 days | (#43405883)

Also a random SSID and has remote login disabled. Of course, they had other issues with UPnP and stuff, but at least this makes remote attacks a little bit harder since they're more difficult to discover (still security through obscurity; if they have a dumb device that responds outside NAT, it's still game over). Nothing will stop people from making devices that should be private available publicly for the sake of convenience though.

Don't blame the internet (1)

sl4shd0rk (755837) | 1 year,10 days | (#43405917)

because you are lazy, inept or hungover. Default passwords or "admin:admin" are braindead. You're a terrible admin if you do this, and you should feel terrible if you get cracked.

Of course this happens. (4, Interesting)

wilson_c (322811) | 1 year,10 days | (#43405953)

This is not at all surprising. We contracted a major premises security company to build out the entry-access systems in our company's new buildings a few years ago. Just to be clear, these control the locks to every door into all of the buildings as well as higher security areas within the buildings. The installers insisted that the control boxes for every building needed to have fixed public IP addresses and could not be behind a firewall in order to work. With little understanding of what they were actually asking, they would only enable service if we provided exactly that to them. Do I even need to mention that they left all of these control units running with default username and password?

Needless to say, once functioning service had been established, I immediately moved everything behind a firewall with no forwarding whatsoever to the NAT private address range. Of course, everything works just fine. I later double-checked the installation guide, which allowed for even wider flexibility in installation, with no real network restrictions of the sort that the installers demanded. I'm sure, however, that if they had ever consulted that document, they would not have understood anything about the network installation instructions.

A big part of the problem with things like this is that the systems are installed by people with next to no real network knowledge. They see their job as alarm, plumbing, cabling, construction, or whatever. So when they get to the networked component, they install it in the simplest, most straightforward manner that has been prescribed by someone only slightly more knowledgeable than they are. They are instructions designed to work in every situation for the dimmest of installers, making it possible to complete the contract as possible, even when the client has no one with network knowledge available. The installers, not understanding networks, see them as impenetrably cryptic and therefore secure from intrusion. In most situations there is no one whose job it is to assess security of these connected devices at the completion of the contract, much less tell the customer that they've left them with a risk.

Sadly, the only real advice for these situations is to make companies (the client companies, I mean, not the vendors) understand that they need to be responsible for their own security. If they don't have the necessary expertise on staff, then they absolutely *need* to hire someone - no, not the damn Geek Squad - to check that any network connected device is secure. If they don't then they own the resultant problems. I suppose, in the long run, that insurance companies will require some sort of compliance if potential risk is to be insured.
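The check wilson_c describes at the end of a contract, whether any newly installed device still answers to vendor defaults or to no credentials at all, is easy to script. The following is an added example, not code from this thread or from any vendor; it assumes the devices expose a management page protected by HTTP Basic authentication, uses a short illustrative list of default credential pairs, and the device responses at the bottom are constructed so the audit runs offline. It is meant for assets you own or are authorized to test; as Beorytis notes above, pointing it at someone else's Shodan hit is a crime.

```python
"""Audit your own HTTP-managed devices for missing or default credentials."""
import base64
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative default pairs (assumption; extend from the vendor's own manuals).
DEFAULT_CREDS: List[Tuple[str, str]] = [("admin", "1234"), ("admin", "admin"), ("admin", "")]

# A transport takes a URL and optional (user, password) and returns the HTTP status.
Transport = Callable[[str, Optional[Tuple[str, str]]], int]


@dataclass
class Finding:
    url: str
    issue: str                      # "no_auth" | "default_creds" | "unreachable" | "ok"
    creds: Optional[Tuple[str, str]] = None


def audit_device(url: str, transport: Transport,
                 creds: List[Tuple[str, str]] = DEFAULT_CREDS) -> Finding:
    """Probe one management URL: first unauthenticated, then with each default pair."""
    try:
        status = transport(url, None)
    except OSError:                 # urllib.error.URLError and socket timeouts are OSError
        return Finding(url, "unreachable")
    if status == 200:
        return Finding(url, "no_auth")          # "all you need is a Web browser"
    if status != 401:
        return Finding(url, "ok")               # no Basic-auth challenge to test against
    for user, password in creds:
        if transport(url, (user, password)) == 200:
            return Finding(url, "default_creds", (user, password))
    return Finding(url, "ok")


def audit(urls: List[str], transport: Transport) -> List[Finding]:
    """Audit a list of URLs and return only the entries that need attention."""
    return [f for f in (audit_device(u, transport) for u in urls) if f.issue != "ok"]


def urllib_transport(url: str, auth: Optional[Tuple[str, str]]) -> int:
    """Real transport: one GET with optional Basic credentials, returns the status code."""
    req = urllib.request.Request(url)
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:       # 401/403/... come back as exceptions
        return err.code


def make_fake_transport(devices: Dict[str, Optional[Tuple[str, str]]]) -> Transport:
    """Offline stand-in: maps URL -> credentials the device requires (None = no auth)."""
    def transport(url: str, auth: Optional[Tuple[str, str]]) -> int:
        if url not in devices:
            raise OSError("connection refused")
        required = devices[url]
        return 200 if required is None or auth == required else 401
    return transport


# Constructed sample inventory, not real hosts: a door controller left at the
# vendor default, a printer with no login, a camera with a real password, and a
# host that is switched off.
SAMPLE_DEVICES: Dict[str, Optional[Tuple[str, str]]] = {
    "http://10.0.50.10/": ("admin", "1234"),
    "http://10.0.50.11/": None,
    "http://10.0.50.12/": ("admin", "Tz9!kq2#Lm"),
}
SAMPLE_URLS = list(SAMPLE_DEVICES) + ["http://10.0.50.13/"]


def sample_audit() -> List[Finding]:
    return audit(SAMPLE_URLS, make_fake_transport(SAMPLE_DEVICES))


if __name__ == "__main__":
    for finding in sample_audit():
        print(finding)
```

Swap `make_fake_transport(...)` for `urllib_transport` to run it against a real inventory; the audit logic is identical, which is the point of keeping the transport injectable. A "no_auth" result is the more serious one: moving the device behind a firewall, as wilson_c did, hides it from Shodan, but anyone already on the LAN still gets in without a password.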

Only used for good. Yeah right! (1)

Platinumrat (1166135) | 1 year,10 days | (#43406027)

From the article.

"The good news is that Shodan is almost exclusively used for good. ... Penetration testers, security professionals, academic researchers and law enforcement agencies are the primary users of Shodan. "

Like Law Enforcement can be considered to only use this for good. And whose law enforcement (USoA, China, UK, France, ...)? Will they follow due process and obtain warrants, where necessary? I think not.

slashdotted? (1)

houghi (78078) | 1 year,10 days | (#43406043)

From what I see on the site by clicking on the link in the summary:
This page (http://www.shodanhq.com/) is currently offline. However, because the site uses CloudFlare's Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version.
