Reaper Botnet

It's based on the Mirai code, but much more virulent:

While Mirai caused widespread outages, it impacted IP cameras and internet routers by simply exploiting their weak or default passwords. The latest botnet threat, known alternately as IoT Troop or Reaper, has evolved that strategy, using actual software-hacking techniques to break into devices instead. It's the difference between checking for open doors and actively picking locks -- and it's already enveloped devices on a million networks and counting.

It's already infected a million IoT devices.

EDITED TO ADD (11/14): Brian Krebs on Reaper.

Posted on October 24, 2017 at 6:01 AM • 41 Comments

Comments

Mark • October 24, 2017 8:02 AM

Know what I can't stand about reading this stuff?

It's 99% journalist garbage and 1% information. This article and others like it will scream the sky is falling. A few weeks from now someone else will write an article there's nothing to worry about, it's a non-issue. It's like quantum computing and its impact on encryption. It's the End of the World. Oh wait, no it's not. Who told you that? There's nothing to worry about (see.. my boss told me to write something about QC and make sure it's different than the others). If someone read Wired, then read Atlantic, then WSJ, you wouldn't have the foggiest idea what to believe. And they wonder why some people are skeptical of Climate Change.

IoT is no different.

fred • October 24, 2017 9:01 AM

This is seriously spiraling downward. The consumer’s lust for the new shiny tech toy while having no clue as to its negative connotations and cyber security risks is bad enough. Add to that corporations’ lust after prying into your private life to sell “analytics” and you end up with a TJX, Equifax, DOD leak(s) disaster. (@Mark, these were not non-issues)

https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html

Meantime the other bad guys are exploiting the IoT devices because of their ease to hack

https://www.youtube.com/watch?v=B8DjTcANBx0

My advice (that nobody asked for or wants): corporations need to spend more time and money on security and less on Big Data. This will only happen if consumers value reputations and privacy again and stop being sheep.

Dare to dream I guess.

Who? • October 24, 2017 9:22 AM

We cannot stop people from choosing weak passwords for their personal devices, but default passwords are an aberration. Each time an Internet-reachable device is first started, or each time it is reset to its default settings, it should be re-enabled by setting it up. A management username/password should be one of the questions to be answered before it even tries to reach Internet.

I agree in most cases botnets exploit user mistakes and misconfigurations, but manufacturers have a responsibility. Not giving users default user accounts is one of them, even if those accounts are not reachable from external networks.
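The first-boot gate Who? describes, written out as an added example (not code from the post or from any commenter): the device refuses to bring up its WAN interface until a management credential has been set, it refuses to accept a known factory default as that credential, and a factory reset puts it back into the blocked state rather than back onto a default password. The class name, the constructed default list and the length policy are assumptions for illustration.

```python
"""Added example, not code from the post or from any commenter: a first-boot
provisioning gate modelled on the suggestion that a management username/password
be set before an Internet-reachable device first tries to reach the Internet,
and that a factory reset returns it to that state. Names, the default-credential
list and the length policy are assumptions."""

import hashlib
import hmac
import os

# Constructed examples of shipped defaults that the gate refuses to keep.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"),
                    ("root", "root"), ("admin", "1234")}
MIN_PASSWORD_LEN = 12      # assumed policy value
PBKDF2_ROUNDS = 100_000


class ProvisioningGate:
    """Holds at most one management credential; WAN access is refused until it exists."""

    def __init__(self):
        self._credential = None   # (username, salt, pbkdf2 digest) once provisioned

    def factory_reset(self):
        """Reset wipes the credential, so the device is blocked again, not re-defaulted."""
        self._credential = None

    def wan_allowed(self):
        return self._credential is not None

    def set_management_credential(self, username, password):
        """Return 'ok' or a 'rejected: ...' reason; nothing is stored on rejection."""
        if (username, password) in FACTORY_DEFAULTS:
            return "rejected: factory default credential"
        if len(password) < MIN_PASSWORD_LEN:
            return "rejected: password shorter than %d characters" % MIN_PASSWORD_LEN
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._credential = (username, salt, digest)
        return "ok"

    def verify(self, username, password):
        """Constant-time comparison of a login attempt against the stored credential."""
        if self._credential is None:
            return False
        stored_user, salt, digest = self._credential
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        user_ok = hmac.compare_digest(stored_user.encode(), username.encode())
        pass_ok = hmac.compare_digest(candidate, digest)
        return user_ok and pass_ok


def bring_up_wan(gate):
    """What the network stack would call: the WAN interface stays down until provisioned."""
    if not gate.wan_allowed():
        return "wan down: set a management credential first"
    return "wan up"


if __name__ == "__main__":
    gate = ProvisioningGate()
    print(bring_up_wan(gate))
    print(gate.set_management_credential("admin", "admin"))
    print(gate.set_management_credential("owner", "correct horse battery"))
    print(bring_up_wan(gate))
```

The point of the ordering is that the network stack consults `wan_allowed()` rather than a flag the user can skip: there is no default credential to fall back on, so "forgot to change it" is not a state the device can be in.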

Nombre No Importante' • October 24, 2017 9:40 AM

@Fred right there with ya. And it's not a dream, it's what must happen. The fools (Congress) will bring us right to the edge of disaster before they intercede with the necessary regulation, which by the time it takes to be implemented will be too late. Get yer popcorn ready.

Nombre Again • October 24, 2017 9:46 AM

At least Mudge has a non-regulatory solution in place. If peer pressure was applied to conform to Mudge's project findings, do you think that would be sufficient to forestall or delay until reform can be implemented?

Frank • October 24, 2017 10:38 AM

Cyber security is a critical part of almost every sector, from government, financial and the defense industry to everyday life. The traditional password is a weak link in cyber security; hackers use this weak link to break into digital systems.

Problems with traditional passwords:

[1] Too weak ?
[2] Too short ?
[3] Need to add special characters ?
[4] Prone to peeking / interception ?
[5] Prone to phishing ?
[6] Prone to dictionary attack ?
[7] Too many restrictions that you can't even remember your own password ?

Traditional passwords have been in existence for thousands of years. Weak passwords make systems vulnerable, yet strong passwords make you forget. Is there a way to keep the passwords simple and yet still make the system strong and secure?!

Yes, there is! 21st century technology is finally sophisticated enough to fix the weaknesses of traditional passwords.

It is called Graphic Access Tabular Entry [GATE], an interception-proof authentication and encryption system and method.

The newly patented GATE system overcomes the weaknesses of traditional passwords. Special characters are part of the GATE design. The GATE system generates tokens to let the user select and enter user pins from a preset passcode; each token the server generates has several symbols, and some randomly selected user pins are included in these tokens. It is impossible to tell which symbols in the tokens are valid user pins and which are non-user pins, thereby increasing password strength exponentially. Some user pins might not even appear in the tokens; in that case the user can and must enter random tokens in place of those pins, and this uncertainty makes guessing your passcode much harder.

With GATE you no longer have the password restrictions [ uppercase, lowercase, numbers, special characters ... ], besides, you are not afraid that you are being watched or intercepted when you enter passcodes.

Recently there were 2 articles about hackers stealing user passwords:

https://www.csoonline.com/article/3215189/security/russian-hackers-used-nsa-s-leaked-eternalblue-exploit-to-spy-on-hotel-guests.html

https://www.yahoo.com/finance/news/bluetooth-vulnerability-hack-phone-ten-212250463.html

But the good news is: the GATE system can defeat that, including peeking, wiretapping, keylogging and phishing.

I was invited to write on Peerlyst, a professional cyber security site, and there are a lot of details there about password protection :

https://www.peerlyst.com/posts/introducing-a-cyber-security-innovation-to-protect-passwords-graphic-access-tabular-entry-gate-min-frank-ni?trk=wall_page_activity_feed

https://www.peerlyst.com/posts/using-gate-graphic-access-tabular-entry-as-a-stronger-method-for-authentication-min-frank-ni?trk=wall_page_activity_feed

The GATE system can be used for both human to machine and machine to machine authentication.

Here is a short demo : https://www.youtube.com/watch?v=5tAGemIvUeI

Here is a long demo : https://www.youtube.com/watch?v=518p2cIbynY

More details are available at : http://nmjava.com/gate

Feedback welcome ^_^ !

me • October 24, 2017 10:50 AM

@Who?
I agree; I don't get all that opt-in/opt-out.
What about just "opt" (take a choice)?
For example, instead of having a default (bad) password, and (maybe) advice to change it, they could give a prompt:
"write a password for this device to continue."
Same for cookies and other things. They always say that they are collecting data with your explicit consent; I don't think so.
They should write "do you want cookies? click yes OR click no".
There is no default, no preselected option.

Arclight • October 24, 2017 11:06 AM

I absolutely refuse to put any camera, DVR or similar IoT device on the Internet with port forwarders. Basic hygiene calls for a VPN connection for any type of incoming access. Even if it's just PPTP, it greatly reduces the attack surface, forces all connections to be brokered by a purpose-built device with regular updates, and makes a saved high-entropy password practical.

fred • October 24, 2017 11:19 AM

@Frank
are you on commission? "it can't be defeated"? Wait long enough, you'll find out if you're right or not. History would say any tech will be defeated.

barking up the wrong tree • October 24, 2017 11:50 AM

Except the sky never seems to fall. All the epic breaches and heavyweight DDoSes that occupy our attention? Joe Sixpack doesn't care, if he even knows about them. As long as he can get to Facebook and his Alexa keeps ordering stuff for him, it's all just background noise.

Seriously, until large numbers of people start losing their retirement savings and physical burglaries are committed using "smart home" weaknesses, none of this will change.

Just my cynical $.02.

Iggy • October 24, 2017 12:34 PM

@barking up the wrong tree • October 24, 2017 11:50 AM

Except the sky never seems to fall. All the epic breaches and heavyweight DDoSes that occupy our attention? Joe Sixpack doesn't care, if he even knows about them.

And not just Joe Sixpack. A shocking number of banks take the business posture that all risks to conduct transactions with them are borne entirely by the livestoc-- er, the customer. They insist on treating the "last four of your social" as a sufficient pass code.

Even post-Equifax data spill. They won't do the right thing when their customers ask, repeatedly ask, so, they end up forcing us to pass a law.

If companies want us to stop subjecting them to regulation after regulation, then stop doing the right thing for just yourselves ("hoard cash as fast and long as possible"), and do the right thing for your customers, too (guard their money and info as if your own). Not just in your little unilateral minds, but as a result of negotiation with them.

As we know, negotiating skills vary wildly person to person. Our Congresscritters are supposed to be at the high-skill end of that scale such that the citizens always get their rights and interests protected.

But nooooo......

David Rudling • October 24, 2017 12:40 PM

I had been giving some thought to Bruce’s earlier question about a Plan B for dealing with cybersecurity in relation to the IOT. The potential worst case waiting to happen when Reaper and its successors are unleashed prompted me to consider who has most to lose from a protracted and widespread loss of internet connectivity and therefore who should logically be most interested in driving the changes required to prevent it - the individual, business, government(s)?

I suspect that there have been serious academic studies conducted to address the question but a rather superficial internet search didn’t turn up much except of course for business related studies. Any studies of the general question of who has most to lose don’t seem to have been very well publicised. I probably just didn’t search hard enough but it left me to produce the following thoughts.

The individual arguably has least to lose. Sure he/she will have considerable inconvenience without the internet but unless that person is hopelessly hooked up on internet usage there will be alternatives available for most important purposes.

Business has much more to lose. Some organisations such as Amazon, Google, Facebook, etc. will stop working altogether. Amazon in particular could be in serious financial difficulty quite quickly without its revenue stream of internet sales. Other primarily internet sales organisations of all sizes would be similarly affected. Google would survive longer unless advertisers lose patience quickly. I have never quite understood Facebook’s revenue stream but protracted loss of the internet could ultimately be fatal to all these organisations. Airlines and the travel industry rely substantially on internet booking although telephone bookings could prevent catastrophe. Banking would be severely disrupted and with it bill payments by individuals to very many companies who would suffer, in consequence, severe cash flow problems.

Government(s) would suffer considerable inconvenience in advanced countries but the main effects would be felt by their citizens in areas such as banking, travel arrangements, possibly aspects of healthcare, etc. As stated for individuals above there are generally alternatives for citizens however. Substantive government-by-internet is not yet a reality hence presumably their rather relaxed attitude.

On balance it seems to me that it is business with most to lose. That being the case the instinct of self-preservation suggests that business should be taking the lead in planning to mitigate the effects of the impending IOT cybersecurity disaster. Short-term disaster recovery planning is one thing and most business now takes this seriously but long-term disaster avoidance planning in relation to the IOT is a completely separate issue. Is there any evidence of this? Are they pressing individually and collectively for the sort of measures in commerce that The IoT Cybersecurity Improvement Act of 2017 has suggested as a minimum starting point for the US Government? I see no evidence of it. If others have found the evidence that I could not please post links to it.

JohnnyS • October 24, 2017 1:26 PM

@David Rudling

"Business has the most to lose". Agreed 100%!

However, there's a problem. Business as practiced here in NA is both short and narrow sighted: The only important date is three months out, and the only important aspect of other companies is scheming to commoditize your complements.

So we see business working very hard to lay off their own workforce to maximize profits and stock prices in a race to the bottom, forgetting that the very people they are laying off are their customers eventually. They simply assume that other businesses will all still keep people employed so they can sell to those workers.

This is an environment where senior leadership assumes that "Shadow IT" is a Good Thing because it leads to short-term improved profits, and (as we saw with the Equifax ex-CEO Smith) that senior leadership will continue to successfully blame serious breaches and egregious security failures on "human error" with the subtext "this could happen to anyone so why blame me?".

In such an environment, there will never be a serious effort by business to clean up this mess. It will always be blamed on "incompetent underlings" or "it's just business as usual" no matter how seriously and thoroughly they have avoided taking responsibility.

http://www.commitstrip.com/en/2017/06/19/security-too-expensive-try-a-hack/

albert • October 24, 2017 1:33 PM

@David,
"...On balance it seems to me that it is business with most to lose....".

Perhaps, but when you say 'business', aren't you ultimately referring to the CEO, or in rare cases, the BOD? Unlike the individual workers, they, as individuals, have only their reputations to lose; -they- won't become homeless. In general, CEOs are notorious for their lack of vision beyond the next quarter profits/stock prices. I wouldn't expect this to change anytime soon.

Obviously, regulation isn't going to happen. With the total lack of morality and ethics in business, only incarceration of the principals is left. When companies like Wells Fargo can repeatedly engage in fraud and still remain in business, what hope is there?

Retribution isn't law enforcement, but may be the only thing these people understand.

What we can do as individuals is to vote with our wallets, cut up our credit cards, and take our business away from these people.

. .. . .. --- ....

Rooter • October 24, 2017 2:08 PM

There's an easy way to fix this. Simply make the IoT manufacturers liable for damages. Oops, I forgot. That's never gonna happen because lobbying firms write 80% of the bills which go through Congress and the "Tech" lobby will not allow it. Oh, by the way these are the same lobbyists which want to make sure good strong privacy-rights legislation (like GDPR) is never introduced in the U.S.. What good does it do when capitalism creates the #1 Uber-consumer society on earth, if you can't data-mine everything about each citizen?

handle_x • October 24, 2017 3:15 PM

"Obviously, regulation isn't going to happen."

Not under the current sellout deregulation Congress, but eventually it will happen.

The alternative is financial meltdown and lack of confidence, black monday redux writ large.

handle_x • October 24, 2017 4:28 PM

@who

"A management username/password should be one of the questions to be answered before it even tries to reach Internet."

I like it, that's a solid idea.

Unfortunately there's no subgroup that would be able to enrich themselves by mandating it, so there's no capital for lobbyists to throw around to bribe our representatives into representing the common sense. It's only when folks LOSE enough money as a result of IOT botnet chaos that anyone will actually do anything about it, if even then.

Schrodinger's regulations, completely dead until well after needed, then who knows.


Anonymous coward • October 24, 2017 4:59 PM

No mention that this makes "active defense" with arbitration impossible?

Reader • October 24, 2017 9:56 PM

Where do you report stuff if you want your report to be a positive influence only?

Clive Robinson • October 25, 2017 2:56 AM

From the report we have,

    The latest botnet threat, known alternately as IoT Troop or Reaper, has evolved that strategy, using actual software-hacking techniques to break into devices instead

Let's be honest, who did not think this was going to be the next stage after Mirai made it obvious to all what poorly designed IoT could do?

This is a problem that is only going to get worse, a lot worse as time goes on.

But it will almost certainly get considerably more covert for some attackers. Let's face it, many of these IoT devices are physical security devices like CCTV and alarms, and others like voice activated personal assistants and entertainment systems that the likes of Amazon are shipping to you. Access to the data streams from those would be highly prized by some. After all, not all countries' national security agencies can hit Amazon and co with an NSL for stored data.

It probably won't happen "today" but it is almost an odds-on certainty as more of us install such equipment.

And this sort of "phone home" device will carry on being developed. There are a couple of reasons for this.

Firstly, who does not want a system which would give you a "Smart House" that you just use your voice to control? At the very least you stop worrying which cushion the remote is hiding under.

Secondly, such data has value, very real value, if collected and wrapped up in an easy to use form for the likes of entertainment producers for ratings purposes. Similarly for selling advertising time and marketers etc to give you more creepy personalised ads etc. So the IoT device manufacturers are going to want a slice of that action so will go to almost any chicanery to get it. Have a look at the lengths Microsoft went to to try to force Windows 10 on every home user and the nasties that came with it.

Intel gathering is the name of the game these days for the state level attackers as this article indicates,

http://www.zdnet.com/article/hackers-are-attacking-power-companies-stealing-critical-data-heres-how-they-are-doing-it/

Part of that is "gather as much intel first". The fact the state level attackers go to such lengths to get not just user credentials but information on the user should be a wake up call.

In the past states identified "key players" in the opposition for various "black bag" and "wet work" jobs. Spying on their homes and family, finding out any vices or routes they take to work etc is all part of the Standard Operating Procedures.

Just think how much of a help these IoT devices will be to do this.

George Orwell might have got the date wrong with "1984" but most of the rest of it he got right to now. IoT will help bring the rest of his ideas in that and other books to life...

Cassandra • October 25, 2017 3:02 AM

@Rooter

Re: Making IoT device manufacturers liable for damages

I'm afraid that idea, attractive as it may seem, is a non-starter. What would happen is that each production run of IoT devices would be manufactured by a different shell company with minimal assets, so that the money available for damages would be the least possible. What you may also find is that the manufacturer is foreign, so it is the importer/distributor that has product liability, and they too have minimal assets with which to cover damages.

This is the whole point about the 'limited' in limited liability companies.

If you want to effect change, then in my opinion, a possible solution would likely need the market to be regulated, as Bruce has said. You would probably want a different set of regulations to those used to regulate the market in medical devices that use software, as that tends to produce expensive solutions. It is as well to bear in mind what the Sage of Baltimore said:

...there is always a well-known solution to every human problem — neat, plausible, and wrong.

The problem of IoT security is not a simple one, and I suspect any solution will be complex and multi-faceted.

Itsastickup • October 25, 2017 3:16 AM

If we accept that much of the problem is a lack of regulation then this is principally a high-school education problem. Education is fixated on subjects such as science, maths, English, geography etc etc, instead of civil wisdom, political systems, relationships, personal finance, markets etc etc. People are extraordinarily ignorant.

So just as few people know the difference between classical democracy and liberal democracy (and so why anti-discrimination laws are the end of liberal democracy, or that 'public accommodation' pierced and killed the private domain), so very few seem to understand that capitalism that isn't humanised with intelligent regulation inevitably results in massive mega-corporations or monopolies, and on the micro-scale, a race to the bottom in quality of products due to competitive pressures, resulting in short-lived products and mountains of waste.

Even many degree level students are mesmerised by the quasi-anarchic libertarianism that can only end with feudal empires and not the liberty they believe in.

If people were properly educated with a genuine higher education in high-school, instead of an education only good for employment and consumerism, then there would be acceptance for and demand of level-playing-field regulation that's needed to compensate for the downsides of market competition, and hard limits on the activities of the private monopolists. Or as Hayek effectively said: legislation isn't enough, the private monopolist must be actively fought.

A conservative capitalism, employing those distinctly human qualities of constraint and restraint that humanises life, elevating us away from mere appetite satisfaction.

Clive Robinson • October 25, 2017 3:54 AM

@ Cassie,

The problem of IoT security is not a simple one, and I suspect any solution will be complex and multi-faceted.

Except one...

The one at the end of the film where the NORAD "W.O.P.R. (War Operation Plan Response)" computer realises that "global thermonuclear war" is "a strange game" in which "the only winning move is not to play" and offers chess instead.

However the "don't play" option automatically gives rise to the "wish thinking" "lost opportunities" argument of "If we had done this then the world would be XXX". Where XXX is the individual's wish.

As humans are really, really bad at predicting the technical future even a couple of years out, the chances are the argument would be wrong and XXX would not have happened at all unless truly dystopian. The "Internet can not be censored" argument is an example of "wish thinking" in this vein.

handle_x • October 25, 2017 4:27 AM

"A conservative capitalism, employing those distinctly human qualities of constraint and restraint that humanises life, elevating us away from mere appetite satisfaction."

Too bad conservative capitalism doesn't exist now I guess?

I won't get political, I'll just watch the oceans evaporate.

handle_x • October 25, 2017 5:15 AM

https://www.bleepingcomputer.com/news/security/duhk-crypto-attack-recovers-encryption-keys-exposes-vpn-connections-more/

-Stolen from slashdot, but then I was born breathing other people's air.

What an interesting bug? Engineered or accident, who can crack this nut?

'The issue at the heart of the DUHK attack is a combination of two main factors. The first is the usage of the ANSI X9.31 Random Number Generator (RNG). This is an algorithm that takes random data and generates encryption keys used to secure VPN connections, browsing sessions, and other encrypted traffic/data. The second factor needed for a DUHK attack is when hardware vendors use a hardcoded "seed key" for the ANSI X9.31 RNG algorithm. When these two conditions take place, an attacker can brute-force encrypted data to discover the rest of the encryption parameters and deduce the master encryption key used to encrypt web sessions or VPN connections. In a research paper published today, researchers said they found 12 vendors that sold hardware/software products with hardcoded X9.31 seed keys. This issue is widespread because ANSI X9.31 is very widespread. Up until January 2016, the algorithm was on the list of U.S. government (FIPS) approved RNG algorithms. ANSI X9.31 remained on the list until 2016, even if US NIST deprecated the algorithm in 2011, and scientists warned that the algorithm could be broken if the seed key ever leaked way back in 1998.'

My takeaway is RSA = whoa, hey

Cassandra • October 25, 2017 5:35 AM

@Clive

Unfortunately, I don't think we have the option not to play. Too many people see great promise in IoT deployment (an XXX wish). It took GCHQ to influence the roll-out of 'smart' meters - note: influence, not stop - because, according to a paywalled report in the Financial Times:

The agency built in additional security measures for the UK metering system after discovering glaring loopholes in meter designs in use abroad that it believed could pose a national security risk if rolled out in Britain.

The communication channel between each meter and the utilities operating them was designed to be encrypted. But the encryption key — the code used to unscramble the data each meter sends and receives — was the same for all of them.


I believe this is the flaw that afflicted a rolled-out network of 'smart' meters in Spain.

In response GCHQ have published their security approach: "The smart security behind the GB Smart Metering System"

So even if you, personally, do not wish to play, you may well be dependent on other people/services who have decided to use IoT devices.

A very large amount of time and money is being put into doing smart metering correctly, and yet nasty flaws are still being identified. The average vendor of WiFi enabled light-bulbs or Internet-enabled video baby-monitors is putting, by comparison, far fewer resources into securing their IoT devices. This is concerning.

JonKnowsNothing • October 25, 2017 11:50 AM

Advancing down the path some...

If we presume that someone actually manages to secure their IDIOT devices properly: they actually manage to set "good practice" diceware passwords, they avoid MIRAI and REAPER and the soon-to-be follow-ons from "non state actors" while doing it, and have everything 100% clear.

All it would take is a new item, a replacement item to be installed in the network.

  • A failing light fixture.
  • A borked door lock that has to be returned to the mfg for an exchange leaving the door closed by the ever so useful duct tape.
  • That auto-car-start app which is intended to warm up car engines for those living in arctic conditions is not used to commit lethal activities by having the engine running while that borked door lock has also blocked your garage door.
  • That Amazon Key Door App you opted for so you can have your deliveries placed inside your abode isn't hacked, borked or otherwise rendered public, which given it's an app, means total strangers can now access your abode even if you manage to get your door lock reinstalled.

So if we presume that none of these occur and our use case remains 100% secured by the end user who practices perfect forward security.

Consider:

It has been reported that Pen Trap and Trace orders (USA) can be implemented by trusted telecom contractors who install the devices anywhere needed and for the right incentives forget to remove them when the order expires.

State actors can always arrange to impersonate or pay for access to bork said installation.

If State actors can figure out how to bork your nice new secure system, Other actors can too.

Even the mfg of said IDIOT devices will break the system with an "over the air" software/firmware update. Or as has been reported, the planned obsolescence of a product line (LEDs with timed self-destructs).

Tech devices generically have such short life cycles (2 years) and in some cases even faster decay rates, there is little chance that even a "well secured" system will stay that way.

When such IDIOT devices are installed in great enough numbers, when items like MIRAI and REAPER are turned on by NON-State Actors, imagine what happens when they are commandeered by State Actors.

The path isn't forward at all ...

Ouroboros

ht tps://en.wikipedia.org/wiki/Ouroboros
(url fractured to prevent autorun)

Clive Robinson • October 25, 2017 1:20 PM

@ Cassie,

A very large amount of time and money is being put into doing smart metering correctly...

And at the end of the day it will be insufficient and the meters will be cracked long before their planned product life is at an end.

I can say this because an energy/water meter should be good for thirty five years. But we have not had any crypto algorithm last anywhere near that long...

I've discussed in the past what needs to be done to sort this problem but I suspect the chances are about as close to zero as makes no odds that they will not do what is needed...

The labour cost of replacing a meter is going to be in the order of 20-50 times the actual meter value, and the cost of labour and meter with 100-200% profit will be extracted out of customers one way or another.

Then of course there will be the "consumer data" to be sold. The smart meters should be able to send three readings a second back to those who "bill" and they will find a way to extract information from the meter readings that can be sold etc...

Yes I appear to have a quite bleak view of the technology future. This is due in part to experience, but also because of the old saw "Hope for the best but plan for the worst". So far I've not been wrong on "plan for the worst" thinking...

Cassandra • October 25, 2017 2:06 PM

@Clive

Oddly enough, planning for the worst is regarded by those around me as overly pessimistic.

PeaceHead • October 25, 2017 5:18 PM

While not deeply related, I simply wish manufacturers and developers would seriously stop pushing and including BlueTooth (of any shape or form). I heavily dislike BlueTooth because of its security weaknesses as well as its total lack of need and drain on system resources. Whether phone or computer or other electronic device, I just hate it.

In some operating systems BlueTooth components are installed by default and aren't even necessarily listed for removal or update. They are just sitting there, waiting to be used (unless you search for them and destroy them).

But yeah, this relates directly to the article in terms of the invasive culture of eye candy which is quite irresponsible and even hostile towards security/privacy/stability.

Thankfully, not everybody is drinking from that spiked punch.

Clive Robinson • October 26, 2017 12:31 AM

@ cassie

Oddly enough, planning for the worst is regarded by those around me as overly pessimistic.

Surely you mean "optimistic" ;-)

I'm an "optimistic pessimist": I know the worst is going to happen --it's called entropy-- in the meantime things can go the other way, so enjoy it when it does.

What I hate is the "glass half empty/full" argument, mine is much simpler "My glass was full, now it's empty, am I thirsty, yes lets get another, no lets go have fun".

Clive Robinson • October 26, 2017 2:27 AM

@ Anura,

What does it matter? The glass is just going to break eventually.

I spot a proto-pessimist ;-)

It matters because whilst it's not broken you can enjoy its benefits.

In the UK it rains a lot; it's why we talk about the weather all the time, so much so other countries talk about it...

Because farmers need to feed animals over the winter they need a good crop of hay to feed them. However harvesting grass for hay when wet tends to ruin it and may even cause it to catch fire...

So as always we have a saying,

    Make hay when the sun shines

This of course "spreads its meaning" so "Fill your glass whilst you can and have fun" ;-)

meta.x.gdb • October 26, 2017 7:17 PM

I'm actually not as hopeless as most security experts are. People eventually got the idea that cell phone security is an important feature. The iPhone gets to charge a premium partly because Apple has made it a point to defend the device from intrusion, both of malware (with the Walled Garden) and state subversion (like in the San Bernardino investigation and the government's request for a skeleton key). Almost everyone is aware of how bad a cell phone compromise would turn out for them (at least, those who actually use their PDA/phone for a significant part of their life). Non-Google Android phones have to sell at a discounted price partly because people are aware that Google phones get patches and other vendors, even with functionally-equivalent hardware, are known procrastinators.

Most ISPs take the time and effort to scan their customers' machines for known exploits and educate users on patching and security, or literally take control away from consumers by forcing their own hardware and patching protocol.

Most routers and modems today ship with generated unique passwords.

None of this was litigated, or legislated. That's good because those two remedial paths are severely broken these days.

Which brings us to IoT. We are still in the early years where experts are raising the alarm, industry and government are aware of a problem, and a minority of tech-savvy media consumers are aware of the problem but unsure what to do. Currently the industry is in denial. So, like any addiction, they are going to have to experience some real lows. Some DVR companies have to sell their product at a discount right now, but that is not a bottom, the world has amnesia for that scale of scandal.

Given the number of digital cameras that are swept up in this, I think ransomware is going to upgrade to blackmailware. A person will pay much more than 0.05 bitcoin to stop their home porn from showing up on various amateur porn sites. Celebrities will go much higher. It doesn't even have to be pornographic content. Photographs and video are classic blackmail fodder. Camera security will then be part of the value proposition.

As with routers and phones, it won't be perfect. There will always be a market for people of limited means wanting/needing the better hardware and willing to take (or ignorant of) the risks.

I'm a little worried about gaming consoles. Very powerful processing, huge attack surface, fat pipe to network.

Oyvind Olsen • October 27, 2017 3:19 AM

If the problem is not possible to fix (i.e. weak passwords, weak IOT devices), then let's make it a fixable problem.

Use legislation to put the responsibility to detect and remove devices that are used in attacks where it is fixable; force ISPs to only allow minimum traffic from a "possibly toxic" device until it is verified OK (802.1x "style").

Won't stop devices from being infected, but it should stop devices from participating in DDoS attacks, preventing communicating with well known C&C, and in some cases reduce the ability to infect others.
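The access-side policy Oyvind Olsen sketches, as an added example that is not code from the post or from any commenter: every customer device starts "unverified" and may only reach a provisioning allow-list plus DNS and NTP; a "verified" device gets normal traffic except to known C&C addresses; and a device that starts probing telnet ports on many hosts (the Mirai-style spreading pattern) is moved to "flagged" and quarantined. The device states, the addresses (all from the RFC 5737 documentation ranges), the scan threshold and the flow records are constructed for illustration.

```python
"""Added example, not from the post or any comment: an ISP-side quarantine
policy in the spirit of the 802.1X-style proposal above. Addresses, thresholds
and the sample flows are constructed; a real deployment would feed this from
flow telemetry and a maintained C&C list."""

from collections import defaultdict

KNOWN_CC = {"203.0.113.7"}                       # constructed C&C address (TEST-NET-3)
PROVISIONING_ALLOW = {("198.51.100.10", 443)}    # constructed vendor update/verification host
QUARANTINE_PORTS = {53, 123}                     # DNS and NTP stay reachable while quarantined
TELNET_PORTS = {23, 2323}                        # ports Mirai-style worms probe
SCAN_THRESHOLD = 3                               # distinct telnet targets before flagging (assumed)


def decide(state, flow):
    """Return 'allow' or 'drop' for one outbound flow given the device's state."""
    dst, port = flow["dst"], flow["dport"]
    if dst in KNOWN_CC:
        return "drop"                     # never talk to known C&C, whatever the state
    if state == "flagged":
        return "drop"                     # quarantined: nothing until cleaned and re-verified
    if state == "unverified":
        if (dst, port) in PROVISIONING_ALLOW or port in QUARANTINE_PORTS:
            return "allow"
        return "drop"
    return "allow"                        # verified


def run_policy(flows, initial_states):
    """Apply decide() to flows in order, moving a device to 'flagged' once its
    outbound telnet probing reaches SCAN_THRESHOLD distinct targets.
    Returns (decisions, final_states); devices not listed start 'unverified'."""
    states = dict(initial_states)
    telnet_targets = defaultdict(set)
    decisions = []
    for flow in flows:
        dev = flow["dev"]
        state = states.setdefault(dev, "unverified")
        decisions.append(decide(state, flow))
        if flow["dport"] in TELNET_PORTS:
            telnet_targets[dev].add(flow["dst"])
            if len(telnet_targets[dev]) >= SCAN_THRESHOLD:
                states[dev] = "flagged"
    return decisions, states


SAMPLE_FLOWS = [  # constructed outbound flow records, in arrival order
    {"dev": "cam1", "dst": "198.51.100.10", "dport": 443},   # unverified: vendor host, allowed
    {"dev": "cam1", "dst": "192.0.2.53",    "dport": 53},    # unverified: DNS, allowed
    {"dev": "cam1", "dst": "192.0.2.5",     "dport": 443},   # unverified: arbitrary web, dropped
    {"dev": "dvr2", "dst": "192.0.2.5",     "dport": 443},   # verified: normal traffic
    {"dev": "dvr2", "dst": "203.0.113.7",   "dport": 6667},  # verified but known C&C: dropped
    {"dev": "dvr2", "dst": "192.0.2.11",    "dport": 23},    # telnet probing begins
    {"dev": "dvr2", "dst": "192.0.2.12",    "dport": 23},
    {"dev": "dvr2", "dst": "192.0.2.13",    "dport": 2323},  # third distinct target: flagged after this
    {"dev": "dvr2", "dst": "192.0.2.5",     "dport": 443},   # now quarantined: dropped
]

if __name__ == "__main__":
    verdicts, final = run_policy(SAMPLE_FLOWS, {"dvr2": "verified"})
    for flow, verdict in zip(SAMPLE_FLOWS, verdicts):
        print(flow["dev"], flow["dst"], flow["dport"], verdict)
    print(final)
```

Note that the decision for a flow is made before that flow updates the scan counter, so the first few probes from `dvr2` are allowed and only the traffic after the threshold is dropped; lowering `SCAN_THRESHOLD` trades false positives against how far a compromised device can spread before it is contained.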


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.