Department of Commerce Report on the Botnet Threat

Last month, the US Department of Commerce released a report on the threat of botnets and what to do about it. I note that it explicitly said that the IoT makes the threat worse, and that the solutions are largely economic.

The Departments determined that the opportunities and challenges in working toward dramatically reducing threats from automated, distributed attacks can be summarized in six principal themes.

  1. Automated, distributed attacks are a global problem. The majority of the compromised devices in recent noteworthy botnets have been geographically located outside the United States. To increase the resilience of the Internet and communications ecosystem against these threats, many of which originate outside the United States, we must continue to work closely with international partners.

  2. Effective tools exist, but are not widely used. While there remains room for improvement, the tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available, and are routinely applied in selected market sectors. However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.

  3. Products should be secured during all stages of the lifecycle. Devices that are vulnerable at time of deployment, lack facilities to patch vulnerabilities after discovery, or remain in service after vendor support ends make assembling automated, distributed threats far too easy.

  4. Awareness and education are needed. Home users and some enterprise customers are often unaware of the role their devices could play in a botnet attack and may not fully understand the merits of available technical controls. Product developers, manufacturers, and infrastructure operators often lack the knowledge and skills necessary to deploy tools, processes, and practices that would make the ecosystem more resilient.

  5. Market incentives should be more effectively aligned. Market incentives do not currently appear to align with the goal of "dramatically reducing threats perpetrated by automated and distributed attacks." Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates. Market incentives must be realigned to promote a better balance between security and convenience when developing products.

  6. Automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem in isolation.

[...]

The Departments identified five complementary and mutually supportive goals that, if realized, would dramatically reduce the threat of automated, distributed attacks and improve the resilience and redundancy of the ecosystem. A list of suggested actions for key stakeholders reinforces each goal. The goals are:

  • Goal 1: Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.
  • Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
  • Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks.
  • Goal 4: Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world.
  • Goal 5: Increase awareness and education across the ecosystem.

Posted on July 11, 2018 at 6:08 AM • 56 Comments

Comments

Alejandro • July 11, 2018 7:04 AM

My IoT IP surveillance cams are always trying to phone home, or someplace. One of them to three different places: China, USA, Korea. The only way to stop them (impossible with settings) is to block them at the router by preventing all WAN access to the assigned LAN ip address. (The stream is then fed through a separate and protected LAN server address.) Even then, I am not 100% sure it works all the time.

If you aren't looking for stuff like this, it seems quite invisible and thus harmless.

But, is it?

My sense of it is, the cams are live broadcasting a feed to multiple governments and corporations all over the world, and they are all in on it but staying mum. Of course it's not just my cams, it's ALL of them.

Just because they can.

Vesselin Bontchev • July 11, 2018 7:28 AM

I run a honeypot that listens to Telnet and SSH and masquerades as an ARM-based IoT with an easy-to-guess password. It is attacked averagely once every 1.2 seconds. I wish I could post the images from my visualization here...

Impossibly Stupid • July 11, 2018 9:12 AM

What a load of rubbish. We don't need to "work closely with international partners", because they are not our partners, they are the attackers! This is a problem that could be solved today if everyone simply took action to cut off insecure networks from the rest of the Internet. But even big "cloud" players like Amazon and Google don't give a damn when their services are used for abuse, because those abusers are their paying customers and having to deal with victims is an unwanted expense. It's all pointless rhetoric until we start hearing serious talk about disconnecting those who casually (or for a profit) abuse the Internet, and compensating the victims for their losses.

CallMeLateForSupper • July 11, 2018 9:23 AM

@Vesselin Bontchev
"My [ARM-based IoT w/ easy-to-guess password] is attacked averagely once every 1.2 seconds."

In a narrow sense, that is funny-pathetic. The earnest little bots feverishly and mindlessly aggressing upon what appears to be a castle but is really a mountain of solid stone with no interior, all the while observed with casual disdain by the lord, from afar. :-)

I think this would make a good Wizard of Id.

MikeA • July 11, 2018 10:28 AM

"Secured during all stages of the lifecycle"? If IOT follows the practices of computers and phones, this will translate as:
"A mandatory update for your device to protect against the [vanishingly small] risk of something bad. Bundled with an "upgrade" to your OS that blocks access to any documents produced before 2017, slow operations on media we did not get a cut of, and post the titles of everything you access on all social media. But remember, this is for your good, and is mandatory"

Yes, there are real risks, and real fixes to them, but why do they always seem to be bundled inextricably with privacy violations and monetization enhancements?

vas pup • July 11, 2018 10:49 AM

"To increase the resilience of the Internet and communications ecosystem against these threats, many of which originate outside the United States, we must continue to work closely with international partners."
@impossibly stupid: there are NO permanent ubiquitous partners - there are only the interests of all parties involved. The more areas countries cooperate on, on the basis of respect for international law and recognizing the fact that all have their own interests. That will build a solid baseline for trust and mechanisms for verification. To assume that ALL should comply with YOUR interests only - is counterproductive and (pardon me) stupid to the core. Cooperation should be based on compromise on all sides involved. Otherwise - it's dictatorship.

aaaa • July 11, 2018 11:15 AM

Ad 1.

USA can start with itself. Tons of botnets use IoT that is shitty and full of holes and released with idiotic promises.

Latest was the smart Taplock which promised 'military grade AES' but ended up being MD5 hashing the public MAC of the device and using that as the key. This one wasn't online so it couldn't be used for a botnet but it shows the attitudes, and the impunity with which tech in USA works.

There are first world (non-communist, non-authoritarian) countries where you can't just throw shit together and sell it under any name you want.

But here it's destruction of entrepreneurship and literally communism to have regulations, apparently. And freedom of speech means you can just lie. Parts of the SV crowd literally say that to get funding you need to lie a bit.

Even the GDPR from the EU caused thousands of shitposts to be written about how horrible it is, with one true freedom lover on some portal saying "China is better than EU because they don't bother others with their censorship" (because privacy disclaimers not buried in 10 pages of pseudo legalese == censoring governmental abuse, totally).

And every time there is an attack words China, North Korea and Russia (and sometimes others) get thrown around. Disgruntled Sony employees - must be North Korea. Equifax - China (because a Chinese tech blog translating news translated the Struts hole so "the Chinese knew"). Mirai - must be state attack (turns out to be a bunch of smart kids using all the IoT shit that is freely put online).

State funded attacks or some hacks in third world can't even begin to compare to the fact some Americans now have anywhere between 5 to 10 internet connected (why?) 'smart' devices with poor security that get owned non-stop and then used as part of a botnet (and can't easily be filtered off as coming from abroad).

USA routinely bullies countries (see Ecuador baby formula WHO thing), topples governments, causes or supports or funds wars and civil wars and now it wants 'partners'? Third world countries or outright hostile nations like Russia, China and Iran will not police their entire countries and national intranets just so a bunch of SV hipsters can not care about anything ever while drinking their fair trade $20 soy lattes as they put 10 more IoT with outdated-on-launch Linux with default credentials on it.

echo • July 11, 2018 11:27 AM

This topic is essentially a template for so much effective positive action which often dissolves away in the politics. Once high-level decisions have been made it can often take decades to overturn mistakes, by which time established players will fight tooth and nail, as can be seen within the discrimination field, but ultimately change is possible. We now live in an age where ignorance is no excuse, so hopefully the change Bruce argues for will happen sooner rather than later, because ultimately this is where the sustainable money is long term.

Tim Spellman • July 11, 2018 12:08 PM

A down-the-block neighbor has a house alarm that tends to sound, sometimes for hours at a time, on weekends. I am not sure what good that does, as whatever burglar there might have been is likely long gone. I asked my wife if we should call the police to report it as a disturbance of the peace, but she said he is a policeman, so the police likely already know about it.

This is similar to point 4. Awareness and education are needed. My neighbor clearly does not know how to manage his house alarm. Whose responsibility is it to educate him? Likewise, if a nearby-on-the-internet neighbor has an infected IoT device, whose responsibility is it to even identify the issue, let alone educate them?

PeaceHead • July 11, 2018 1:08 PM

Article(s) and its introduction acknowledged.
I am reading it now.
Thanks.

I won't spam your site,
don't worry.

Peace be with ya, Mr. Bruce & others, near and far.

P.S.-what are your thoughts on the current state of Watermarking?

P.P.S-if anybody wants to get rid of residual noise within a digital image container, NeatImage Standalone (program) is a great tool. It can almost take the digital aliasing out of some JPEGs too. With effort, sometimes a bad copy can be made to look more like the original due to less noise. Enhance the colors afterwards, and save as lossless file, and it's convincing at times.

Tatütata • July 11, 2018 2:14 PM

@Grauhut

Is that really the ultimate solution?

How about this:

User buys IoT device, and configures his router to prohibit all WAN inbound and outbound traffic.

So far, so good.

But the IoT device contains malware that performs a /24 network and port scan, recording all visible IP and MAC addresses. When a neighbouring device eventually goes offline, the IoT thing simply impersonates it, on the assumption that this machine could have unrestricted access to the outside world.

I think that this could work in a number of router and LAN switch setups, unless the user is extremely paranoid and savvy.

Ismar • July 11, 2018 5:37 PM

In one of my previous jobs I did some development of what was effectively an FTP server uploading images from hundreds of video cameras from building sites to keep track of the build as well as to minimise vandalism.
Most (if not all) of the cameras were Chinese made and had a basic username/password type authentication which had to be manually set for each camera. This resulted in the passwords being a simple derivative of each camera name and as such relatively easy to guess. In addition, to the best of my knowledge there were no limits or locking out of the cameras based on some predefined number of incorrect logins.
In addition, as we were experiencing some technical issues with missing some of the images under heavy load conditions (when each camera is set up to upload an image say every 10 secs) I started investigating the network side of things and discovered that at least some of the cameras were phoning home to China on a regular basis.
I discussed this with my boss, who was also the company owner and very tech savvy, showing him the screenshot of the connections and the mapping of the IP address which clearly indicated the location of the cameras' manufacturer in China.
Needless to say no action was taken to do anything about it. Thinking about it now, what could my employer do - he had already invested heavily in purchasing the cams and in developing the system and integrating them with the rest of his software suite and could not afford just starting from scratch again.
This is probably a very typical scenario that applies to other IoT based projects out there and it outlines some of the root causes of the lack of security in IoT and everything that comes as a consequence.

Jon (fD) • July 11, 2018 5:51 PM

This being, of course, why this planet needs a world government. When the problem(s) (and/or corporations) are bigger than any one country someone even bigger needs to step in with enough clout to tell them to knock it off, and back their instructions up, possibly with force.

Treaties are not going to do it, especially given certain governments' willingness to throw out babies along with the bathwater.

O well. Jon (fD)

uh, Mike • July 11, 2018 6:25 PM

"Market incentives should be more effectively aligned."
Fat chance.
Market incentives eschewed seat belts, shoulder belts, air bags and anti-skid.
Sorry, this is going to take some government. Don't hold your breath.

echo • July 11, 2018 7:58 PM

@uh Mike

Didn't the Tucker car have all the whiz-bang safety features before his marketing exec said he couldn't install seatbelts because it would send the signal people might die? Daft I know but.

On the Brexit issue Rees-Mogg is trying to pull a Trumpenfart and call on Brexiters to join the Tory party and change it from within. It's this kind of point scoring driven marketing which dismays me because in politics words have consequences and sometimes those consequences are dead people. This is all the more worrying as the same party just voted to legislate away animal rights in the face of the science saying animals can feel pain and do have feelings, and for what reason? The wholly irrelevant blood sports lobby.

At least Bruce has a plan and pretty much every major rights movement began at this point too.

Impossibly Stupid • July 11, 2018 8:53 PM

@vas pup

The Internet fundamentally is a collection of dictatorships. You have absolute control of the machines and network ranges you own. If you use them to attack someone, or allow them to be so insecure that others can use them in an attack, you need to be bounced off the Internet. No cooperation is needed to make that happen, but it's a measure that definitely is more effective if each dictator agrees that an attack on anyone is an attack on everyone. And as long as that's not going to happen (and it isn't, because countries don't want to give up that power and companies don't want to give up their profits) this is all just a bunch of lip service to the problem.

Jon (fD) • July 11, 2018 9:13 PM

@Impossibly_Stupid

See above in. re. a planetary government. Jon (fD)

Thomas Sewell • July 12, 2018 1:58 AM

Here are two basic legal solutions, which could also be used in a mixture:
1. A tort law allowing the victim of an attack to recover damages from the manufacturer of a device which attacked them without the knowledge of the owner. Alternately, ability to easily sue the device owners, but include a provision for the device owners to class-action sue the manufacturer.
2. A standard method for complaining to the owner of record for a source IP range about an attack, wherein if they don't stop the attack from exiting their network within X time, they become liable for any future damages.

Both of these provide incentives to the people who can actually do something about threats, because they have the control and the technical knowledge. Rather than mandating some "standard" set by a central body, each group can do what seems reasonable to them knowing they're going to become responsible for the final results.

Hmm • July 12, 2018 2:44 AM

"If you use them to attack someone, or allow them to be so insecure that others can use them in an attack, you need to be bounced off the Internet."

There should be no legal protection for anyone who leaves their car running with the keys in it either.

But there are! That's how you know society is doomed to fail. I gave up long ago.

Jon (fD) • July 12, 2018 5:07 AM

@Hmm

I've left many of my cars running with the keys in them (they wouldn't run without them!) several times, and I did not expect to have them stolen. And indeed, none were (although one was without the keys).

It's called 'unlawful taking'. Technically, if you find a $1 bill on the ground, pick it up, and take it away you have committed a crime. You knew it was of value, you knew it did not belong to you, and yet you picked it up and took it away anyhow.

So what if you do know how to hotwire cars? Should you just assume that all cars are there for the taking? How about bicycles? If they're not locked up, should you just take them? How about fences, topsoil, potted plants and garden gnomes in someone's garden - They're just left there, so why not just take them?

Hello, property rights.

Society is doomed not because people leave things out there - it's because louts like you believe that things left out there are fair game for you.

Jon (fD)

Sancho_P • July 12, 2018 5:11 AM

First I stopped reading the report after the first line:
> "A Report to the President"

So they address the croc, the AI-enhanced doomsday machine.
[Sorry, I don't remember who (Anis Shivani?) brought up the brilliant idea to understand our lobbied turbocapitalism as the mother of artificial intelligence, e.g. with the goal to "Increase our (e.g. tomato) production", which in effect will end mankind to increase the area under crops]

But after reading the comments here I've decided to go back, only to find they mean the technical part of botnets, not the Russians meddling with the elections.

Botnets and DDoS are one of my pets.
It is not complicated to stop DDoS, on the contrary:
Regulate the powerful guns, not the stupid device (which would be impossible).
Yes, limited international concordance would be necessary.

But the comments here focus on protection of privacy, which I haven't found in the report so far?

Grauhut • July 12, 2018 8:03 AM

@tatütata "Is that really the ultimate solution?"

There are no ultimate solutions in a dynamic world.

But the Internet would be a better place if every NG firewall would tarpit spammers, scanners and DDoS bots, wherever possible, instead of just blocking them. A bot is a client and there are just max 64k open client ports possible per device. Resource exhaustion would stop them quickly.

This is less intrusive than hackback and imho it's fair to hold connections of bulls...s open as long as possible. They try to play games with me, ok, but I choose the ruleset. :)
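An endlessh-style SSH pre-auth tarpit, added here as an illustration of the port-exhaustion idea in the comment above (example code, not from the post or any commenter). RFC 4253 lets a server send arbitrary text lines before its "SSH-" version string, so a scanner's client keeps waiting while each held connection occupies one of the bot's ephemeral ports; the decoy port 2222 and the 10-second drip are assumptions.

```python
"""Endlessh-style SSH pre-auth tarpit (added example; assumptions noted inline).

RFC 4253 section 4.2 lets a server send any number of text lines before its
"SSH-2.0-..." version string, as long as none of them starts with "SSH-".
A scanner's SSH client has to keep reading until that version string shows up,
so dripping harmless lines very slowly keeps each bot connection open and ties
up one of the bot's ~64k ephemeral client ports per trapped connection.
"""
import random
import socket
import threading
import time
from typing import Optional

LISTEN_PORT = 2222      # assumption: a decoy port, never a real SSH service
DELAY_SECONDS = 10.0    # assumption: one line per 10 s outlasts typical timeouts
MAX_LINE_LEN = 255      # RFC 4253: a pre-banner line is at most 255 chars incl. CRLF


def tarpit_line() -> bytes:
    """Build one random line that is legal before the SSH version string.

    Invariants: printable ASCII only, no embedded CR/LF, never starts with
    "SSH-" (that would end the banner phase), and len(line) <= 255.
    """
    length = random.randint(3, MAX_LINE_LEN - 2)            # leave room for CRLF
    body = bytes(random.randint(0x20, 0x7E) for _ in range(length))
    if body.startswith(b"SSH-"):
        body = b"x" + body[1:]                               # break the magic prefix
    return body + b"\r\n"


def serve_client(conn: socket.socket, delay: float,
                 max_lines: Optional[int] = None) -> int:
    """Drip banner lines to one client until it gives up; returns lines sent.

    max_lines exists only for the offline demo below; a real tarpit passes None.
    """
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            conn.sendall(tarpit_line())
            sent += 1
            if delay:
                time.sleep(delay)
    except OSError:
        pass                        # client hung up: its port is released at last
    finally:
        conn.close()
    return sent


def run_tarpit(port: int = LISTEN_PORT, delay: float = DELAY_SECONDS) -> None:
    """Accept connections forever, one thread per trapped client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(128)
    while True:
        conn, peer = srv.accept()
        print(f"trapped {peer[0]}:{peer[1]}")   # log line for the defender's records
        threading.Thread(target=serve_client, args=(conn, delay),
                         daemon=True).start()


def demo_scanner_stuck(n_lines: int = 5) -> tuple:
    """Offline demonstration on a constructed socketpair (no network needed).

    A scanner-like client reads whatever the tarpit sends and reports
    (lines_read, saw_version_string). The tarpit side stops after n_lines so
    the demo terminates; a real bot would be held until its own timeout.
    """
    srv_side, cli_side = socket.socketpair()
    worker = threading.Thread(target=serve_client, args=(srv_side, 0.0, n_lines))
    worker.start()
    lines_read, saw_version = 0, False
    with cli_side, cli_side.makefile("rb") as reader:
        for raw in reader:                      # EOF once the tarpit side closes
            lines_read += 1
            if raw.startswith(b"SSH-"):
                saw_version = True
                break
    worker.join()
    return lines_read, saw_version


if __name__ == "__main__":
    print(demo_scanner_stuck(5))                # (5, False): no version string ever arrives
    run_tarpit()
```

Run it behind a firewall rule that redirects unwanted port-22 traffic to the decoy port, and watch the "trapped" log lines accumulate as scanners wait for a banner that never comes.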

Impossibly Stupid • July 12, 2018 9:33 AM

@Hmm

There should be no legal protection for anyone who leaves their car running with the keys in it either.

That's too extreme. There should be some protections in place, as well as protections for rented vehicles, etc. At some point, though, a person who keeps having their vehicle misused will stop being able to get insurance.

The same sorts of rules should apply to Internet access. The problem right now is that nobody wants to take responsibility for attacks (IoT botnets or otherwise). As long as there are no major consequences for continued online abuse, the problem will keep getting worse. I can drop insecure networks into my own firewall, but I should not be the only adult in the room.

Hmm • July 12, 2018 12:58 PM

@JonFD

"Society is doomed not because people leave things out there - it's because louts like you believe that things left out there are fair game for you."

Wait a second, did you just call ME a lout in polite discussion? Are you feeling alright Jon?
No mental impairments? No issues with your vision going south on you?

I never said anything touching God's ground was free for the taking. Never implied it either.

Obviously the thief is responsible for the thief's actions. But the thief is not the sole party.
There is a public interest in not making theft or abuse easier for thieves or abusers.
Basic stuff so far, still with me Jon?

It's because of louts who read, parse and paraphrase incompetently that I must explain the metaphor I guess, in noting there are no penalties (or hardly any) for people who leave their vehicles running with keys in them, inviting theft and giving opportunity for malice, (the obvious metaphor being IOT's with default credentials/keys) - and on the internet noting those IOT "cars" ARE stolen AND abused, and it's because of the naivete or 'good nature' of the owner leaving it wide open like that such consequences ensue.

Theft and abuse require opportunity. We have systems to reduce that in some areas where feasible.
There are laws against leaving loaded guns lying around in public, for example.

On the IOT front it's a reversed paradigm, there are no consequences for incompetent irresponsibility.
Like leaving keys in a running car - incompetent irresponsibility by abject "louts" indeed.
There's no compelling need to do that, no excuse justifies it or convenience absolves it.

If you provide an unlocked and running vehicle to a thief intentionally or not, "right to do so" or not, indignant ignorant irresponsible justifications or not, the thief gets the car either way and is responsible for their actions thus - but YOU are responsible for YOURS, and that's the preventative angle.

*Because thieves are NOT RESPONSIBLE PEOPLE, while you MIGHT choose to be proactively so.*

The responsibility for removing opportunities for theft/abuse lies with the responsible party.
Lamenting the thief's morals isn't going to solve the problem. It serves no further purpose.
(Maybe it makes you feel good, who knows, but it accomplishes nothing)

Turn the car off, remove your key, lock it, then go about your business. Laziness is not a virtue here.

If the aim is to reduce theft and abuse, your rhetorical concept of "right of irresponsible ownership" offers little actual cover in the real world. Taking basic proactive measures like locking a car or having secure credentials (or denying remote access over default creds, say) is and should be expected from reasonably responsible parties.

YMMV, Jon. But don't go around calling people names just because you don't really understand what they're saying or disagree with them, that's a bit churlish in any context.

Maspalio • July 12, 2018 1:26 PM

@Sancho_P

The talk you are referring to is probably "Dude, you broke the future!" from Charlie Stross.

Hmm • July 12, 2018 1:29 PM

@ImpStu

My initial "no protections" was too harsh, that's true. I think we agree on the merits.

"At some point, though, a person who keeps having their vehicle misused will stop being able to get insurance."

That's basically the metaphorical angle I was getting at in regards to IOT.

The idea is to prevent 'louts' from leaving keys in running vehicles they aren't watching,
and the IOT version of that being default credential devices kept off the public internet.

Because they're basically ownerless and insecurable, defacto, without those credentials.
That's dangerous and preventable ongoing with a societal interest in limiting it.

To connect analogies further, it'd be like leaving keys in a running car unlocked... and then thieves are able to REMOTELY instantly steal them and crash them into crowds of people, gas stations, etc, trivially causing real-world damage without much risk or effort on their part and because of the complete irresponsibility of the owner catered to by the manufacturer, as regulators throw their hands up in the air.

It makes no sense to ALLOW remote access/control by default in uncredentialed systems.
IOT manufacturers cater to a lowest-tech consumer base, but that's no defense.

The only way I can see this being feasibly accomplished is regulating how they implement their default security to prevent lock-less default-credential "cars" from starting at all.

Default credentials should never see the public internet. Low lying fruit, trim that limb first.

Jon (fD) • July 12, 2018 8:37 PM

@Hmm - As a fellow lout, I think my reading comprehension is just fine.

"I never said anything touching God's ground was free for the taking. Never implied it either. "

Actually, yes, that is exactly what you implied. When you said:

"There should be no legal protection for anyone who leaves their car running with the keys in it either. "

You said that a car left running with keys in it should have no legal protection. This means that there is no legal recourse if stolen, and therefore no punishment for anyone who does so. Without punishment, it is implied that anything is indeed free for the taking.

Many things (garden gnomes, for example) don't require keys to move around. Should we then laugh at everyone who has a garden gnome stolen because they didn't lock it up?

You will note (or should) that in every legal jurisdiction I'm aware of, the penalty for stealing a car does not depend upon where it was left, whether it was running at the time, or had keys in it. The crime is always the same, and the car has the same legal protections in every circumstance. I believe those legal experts who wrote those laws may have thought this through a bit further than you.

As far as reading comprehension goes, I might add you said,

"Obviously the thief is responsible for the thief's actions."

and added:

"Because thieves are NOT RESPONSIBLE PEOPLE"

Which strikes me as a bit of a contradiction.

Anyhow, my point earlier was that we require a government capable of deterring those who would be deterred and punishing those who would not. It is the government's duty. At the moment, we have no government that can do that, because of problems with international jurisdiction with regards to crimes like botnets (apparently we do w/r/t facilitating copyright infringement - See Kim Dotcom).

It is not a matter of removing opportunity. There will always be opportunities. People have already discovered that stealing cars these days is often easier by just hijacking the driver. Should we remove legal protections for drivers who don't drive armored cars and carry loaded weapons? Why not? Just by going out and driving unprotected they've made themselves a target, no?

It's a matter of removing the thieves.

Should we remove legal protections from people who get drunk in fraternity houses, too?

There's more, but that's enough for now.

Jon (fD)

PS - It ain't God's ground. He doth not pay either the property tax nor the mortgage around here. J.

Sancho_P • July 13, 2018 5:42 AM

@Maspalio, re AI and corporations

Good shot! Great talk, even more focussed on our future fun with AI, thanks.

However, my thinking was more abstract: The croc, itself product of uncontrolled capitalism, now being the out-of-control head of uncontrolled capitalism.
A parody of absurdity.
So likely my starter was "Capital as the cutting-edge AI app" (Dec 2017?):
https://thebaffler.com/salvos/oculus-grift-shivani

TheHulk • July 13, 2018 6:41 AM

Off the top of my head I can think of 2 federal laws that ought to exist but apparently don't:

  1. It should be illegal to place private data online if it doesn't need to be online.
  2. It should be illegal to place private data on a portable device unless it is robustly encrypted.

Can anyone tell me why these two obvious laws have not been passed? They seem sufficiently enforceable, and the impracticality of them cannot hold a candle to the usefulness of them.

echo • July 14, 2018 8:55 PM

@TheHulk

In the US at least there seems to be some legal crossover between personal data and trade secret which gives scope for people who wish to litigate to protect their personal data. (In the EU privacy law is fairly robust.)

Hmm • July 14, 2018 9:47 PM

@JonFD

"This means that there is no legal recourse if stolen, therefore no punishment for anyone who does"

Nope, in fact what I said actually doesn't mean that at all. That's entirely wrong.
You jumped the as-stated logic like a shark.

I never said theft wasn't a crime, obviously lol. Read it again if your eyes are tired.
Nowhere did I say the thief has zero responsibility, that's entirely your addition.

Remuneration is civil, not criminal law. Entirely different concepts, areas of law.

So before you assume and call names based on your own assumption, think twice if able.
Your first round was assumptive garbage from your own flawed unfiltered extrapolations.


[ As far as reading comprehension goes, I might add you said,
"Obviously the thief is responsible for the thief's actions."
and added:
"Because thieves are NOT RESPONSIBLE PEOPLE"
Which strikes me as a bit of a contradiction. ]

Actually again, there's no actual contradiction there, despite your attempts at confusion:

Thieves may be HELD ACCOUNTABLE for their actions, aka held RESPONSIBLE.

They are not "RESPONSIBLE PEOPLE" in the traditional upstanding societal definition.

Obviously "responsible" can have two meanings. Surely even you can follow this, right?

Any other pointless invented trifles of yours I can clear up without calling you names?
Good, sorted then. Sin no more - or at least, think twice before you do.

It's sometimes difficult for people to admit they made a mistaken assumption and were rude.
YMMV, better luck biting the bullet next time.


Hmm • July 14, 2018 10:00 PM

"It is not a matter of removing opportunity. There will always be opportunities."

And yet we hold people who leave loaded guns lying around accountable, because they create opportunities for disaster through their incompetence and lack of accountability.

When you leave your car running unattended you do a similar thing, illegal or not locally.
You create an opportunity for disaster that didn't exist, and are partly responsible for it.

When you leave unsecured IOT default creds on the public internet, you create opportunity similarly.

There are common basic mitigations and you ignored them, allowing xyz consequence.
If you did that intentionally it would be "furnishing" or "accessory" perhaps.

That's independent of the law's response. You created the local problem exploited by a bad actor.
If you do any of those, you are defacto partly responsible for the outcome regardless of law.

It's so basic you might miss it, lol. But don't call names just because you don't get it, Jon.
We're older than that, aren't we?

Weather • July 14, 2018 11:21 PM

@hmm what is the skill level of the bad actors? Maybe you should ask some people to log in to the device, and when they ask what the password is (it was in the booklet they sent with the device) oh, that...

Hmm • July 15, 2018 1:41 AM

@weather

Default configuration of a car, the key is not in it and it's not running.

A default p/w on a sticker on the actual device for initial setup like they do now.
Each HW unit instance has that individualized default password in the ROM.

Boot, put that in, complete setup with proper security - the network stack then works.
Not before. Remote access with default password is not available. Ever. Hole closed.

Forget password? Reset PRAM-etc, network access disabled as before until setup complete again.
It's really not complicated or tough to implement on any level.

The complication comes with realizing the utility of basic security and in fact necessity to enforce that in new devices sold, with associated costs therein, because security on the public internet thoroughfare should at least be on a similarly level legal playing field with the rights of security-derelict manufacturers to sell lemons that blow things up trivially without requiring authentication.
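The onboarding scheme sketched above (unique per-unit default password, no network access until local setup replaces it, factory reset returns the device to the locked state), as an added, constructed Python model; it is not code from any real product and the class and method names are my own.

```python
"""Model of a per-device default-credential onboarding policy (constructed example).

Properties enforced:
  * the factory password is only usable locally, and only before setup completes;
  * remote (network) logins are refused outright until setup completes;
  * setup must replace the factory password with a different, longer one;
  * a factory reset returns the device to the locked, pre-setup state.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets
import string

# 36-symbol alphabet, matching the sticker passwords discussed in the thread.
ALPHABET = string.ascii_lowercase + string.digits


def make_factory_password(length: int = 16) -> str:
    """Per-unit default password; assumed generated at manufacture and printed on the sticker."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class IoTDevice:
    factory_password: str = field(default_factory=make_factory_password)
    setup_complete: bool = False
    admin_password: Optional[str] = None

    def login(self, password: str, remote: bool) -> bool:
        """Return True if the login is accepted under the policy above."""
        if remote and not self.setup_complete:
            return False  # network stack is not exposed before setup; default creds never reachable remotely
        if not self.setup_complete:
            return secrets.compare_digest(password, self.factory_password)
        return secrets.compare_digest(password, self.admin_password or "")

    def complete_setup(self, factory_password: str, new_password: str, remote: bool = False) -> bool:
        """Local-only setup: prove possession of the sticker password, then replace it."""
        if remote or self.setup_complete:
            return False
        if not self.login(factory_password, remote=False):
            return False
        if new_password == factory_password or len(new_password) < 12:
            return False  # refuse keeping the default or choosing a short replacement
        self.admin_password = new_password
        self.setup_complete = True
        return True

    def factory_reset(self) -> None:
        """Forgotten password: back to the pre-setup state, remote access disabled again."""
        self.setup_complete = False
        self.admin_password = None
```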


Weather • July 15, 2018 2:24 AM

@hmm
It's kind of been done before and wasn't easy. There was a home wireless router that had a random 16-key per device; someone worked out that it ended up being 6-7 keys in length, at 36^7. Even a worm can work out how to crack that, or CnC updates: check with the server if it detects a device to infect, get the code to make the table.

Hmm • July 15, 2018 2:37 AM

The bad guys need nothing but a few bits of info and they have a botnet effortlessly.
It's not a crack at all. It's an engineered weak point being trivially exploited.

Some defenses beat none. This is a logical flaw, not a crypto one.

Weather • July 15, 2018 3:11 AM

I get what you're saying and it makes sense; it's just the home user I'm thinking about, having been a technician a while.

Say an IoT device connects to the router and sets up its own password, they all do that, and to manage the device you log in to the router and configure them all from there?

Clive Robinson • July 15, 2018 5:13 AM

@ Hmmm,

When you leave your car running unattended you do a similar thing, illegal or not locally.

The legal term you are reaching towards is "attractive nuisance"; its usual example is of a child drowning because the owner of a swimming pool did not put up a sufficient barrier to stop the child.

For some reason that is actually not valid, many think it only applies to children as victims; it does not. It also applies to adults who might reasonably be expected to be not fully in control of their faculties.

The problem of course is both "sufficient" and "reasonably" are at best subjective and usually argued with hindsight after a tragic event.

That is, if a person's loved one is run over by a drunk driver who has just slalomed their car out of a bar car park, who can reasonably be blaimed?

The victim for not paying enough attention?

The drunk for knowingly driving whilst under the influance?

The bar keeper for alowing the drunk to get into that state?

The beverage maker for making overly alcoholic beverages?

The car manufacturer for not fiting adiquate safety devices?

The car manufacturer for building in to much power / acceleration?

The owners / maintainers of the road for various reasons?

The list goes on and each can have part of the blaim for a loved one being injured or killed in what is a fairly predictable manner.

But it's neither logical or sensible to pursue all parties for various reasons.

Which leaves us with a problem, because sometimes an entity that really should be not just blaimed but punished repeatedly gets away with it, such as those poorly maintaining the road or not correcting dangerous bends etc.

Also you get a perverse logic come into it. In London, Transport for London (TfL) has responsibility for some roads and the attached pavements and walkways, including traffic calming and accident prevention such as barriers between the road and pavement. In certain areas where accidents are fairly frequent they are not just reducing traffic calming measures, encouraging more dangerous driving, but also removing accident prevention / reduction barriers. The reasons given are woolly but appear in part to be to reduce legal fees etc. However the owner of a house that has just recently had a car smash into the front of their house, making it uninhabitable, has noted that the road is dangerous there and that on quite a few occasions when there had been slower speeds and crash barriers, cars had been mangled in the barriers to the point of needing emergency services to free the drivers and passengers. Their point clearly being that they had come to significant harm by the quite deliberate reduction in traffic calming measures and the removal of the protective crash barriers by the authorities...

Hmm • July 15, 2018 5:10 PM

@Clive

Blamed. Blaimed isn't a word in English, either side.


"The victim for not paying enough attention?" -Can contribute to an accident, of course...

"The bar keeper for alowing the drunk to get into that state?" -OF COURSE WE DO HAVE LAWS THERE.

"The car manufacturer for not fiting adiquate safety devices?" -WITHOUT QUESTION YES, IF APPLICABLE.
(*ADEQUATE.)

"The owners / maintainers of the road for various reasons?" -It has happened.

"The drunk for knowingly driving whilst under the influance?" -Are you even asking this really?

It's as if you don't understand and won't accept that more than 1 person can be responsible for an outcome beyond the principal. That's a very strange position logically and legally both.

I don't know how to break this to you but yes, it's logical to go after people who are provably negligent on several items on your list, and we do that as a basic course of law every day.

Consider it self-debunked. Incredibly thoroughly considering you didn't mean to, I assume...
Are you feeling alright? Handle any suspicious foreign bottles lately?

Clive Robinson • July 16, 2018 1:20 AM

@ hmm,

It's as if you don't understand and won't accept that more than 1 person can be responsible for an outcome beyond the principal.

For some reason you are trying to put a 180 on what I said.

If I was of the viewpoint you are trying to pretend I have I would not have been able to produce the list, nor point out that others who should be blamed are getting away with it.

So your 180 viewpoint again says things about you that perhaps you should not air in public.

But to reiterate, as I've had to do with you on repeated occasions when you do such things as above,

The question is not who or who is not morally responsible, but how far society can be expected to take action without harming society in some way.

In short it is a dilemma that more often than not gets dealt with pragmatically, unless there are other, usually political, reasons to do otherwise.

But there is an unpleasant side to it as well that is becoming more visible with time, which is why some in society deliberately take actions that clearly harm society and then expect to get away with it. Often these people are in "official positions" paid for from the public purse. They appear to believe they are exempt from responsibility for their actions, which most others would agree is wrong.

Hmm • July 16, 2018 1:56 AM

Of course Clive, I'm twisting your arguments into prison chainlinks, 180's, any shape you like.

"The question is not who or who is not morally responsible"

I was actually discussing that which makes a situation possible and is "responsible" on that level.

If you leave a loaded gun lying around it's not only a "moral" responsibility obviously.
If someone uses it / something bad happens, it's a LITERAL responsibility, then a legal one.

Morality is a very distinct layer of abstraction and it's relative, weighed by individuals.

(For example I'd question the morality of your thin-to-baseless conspiracy theories
being spread as if equal to the historical record, but you find no problem doing so. It's cloudy at times.)


"nor point out that others who should be blamed are getting away with it."

They don't. A bartender who serves someone to excess causing a fatality can/will be charged.
It has happened, it does happen. YOU are the one rhetorically letting them off the hook.
Do you not see that?

A manufacturer that makes a provably unsafe product can be held liable even by a drunk driver.
A city/county that fails to maintain a road to a provable degree can be found liable also.
This happens constantly based on the circumstances.

When people provably leave loaded guns, or dangerous animals, materials, etc in negligent ways and things happen to go wrong outside of their control, they STILL ARE RESPONSIBLE.

The courts OFTEN find people other than the primary "bad" actor play a role, and there are laws to discourage and punish that behavior. Even if the courts do NOT go after them due to unprovable burdens, they still may have played a provable and de facto role in the events that play out - and on that de facto level, they ARE still responsible for it whether or not the law gets it right in the end.

The original idea before your lists and 180's was to remove the opportunities for bad actors.
That's the bedrock argument here: IOT devices with default credentials = loaded guns essentially.
You can scroll up and confirm that for yourself, nobody hid it from you.


Impossibly Stupid • July 16, 2018 7:54 AM

@Clive Robinson

The question is not who or who is not morally responsible, but how far society can be expected to take action without harming society in some way.

No, the real on-topic question is what things are inherently dangerous, and what can society do to limit the damage they do. There's no need to draw any analogies with guns or cars, and long rants on those topics alone really should be deleted by moderators. The topic for this article is botnets and IoT devices. Those things, as with many modern uses of technology, most definitely are inherently dangerous. And people generally have no real understanding of the technologies they use, which is why my position is that the Internet is better off if those people get disconnected when any device on their network is part of an attack.

Hmm • July 16, 2018 1:46 PM

"the real on-topic question is what things are inherently dangerous, and what can society do to limit the damage they do."

Exactly right, but the metaphors are just to contrast similar everyday dynamics for comparison.
Guns and cars and IOT aren't really 1:1:1, true. But the law must handle all three,
so it's sometimes interesting to look at how similarities apply or do not.

justinacolmena • July 17, 2018 5:57 PM

Market incentives should be ...

Stop right there. Bruce, this is where you and other "policy-makers" fail to impress. Need to take a college course on basic economics. Market incentives are what they are, based on total common aggregate supply and demand, not what you or other policy-makers think they should be or ought to be.

Get some basic law and order in place. Make crime unprofitable. Beyond that, you fellows are simply not minding your own business with all that central planning, micromanagement, and excessive regulation.

Anura • July 17, 2018 6:07 PM

@justinacolmena

Capitalism is predicated around the idea of using the economic system to influence human behavior. That's why we have things like copyright and patents, and that's the justification for our property laws in general - to create market incentives to influence investment. In some areas we require insurance, which also creates market incentives. Externalities create market incentives, and regulations against externalities create market incentives. Rules that create limited liability corporations are about creating market incentives. Tax and welfare laws are generally written around creating market incentives to influence behavior.

Ratio • July 17, 2018 6:15 PM

@Anura,

Capitalism is predicated around the idea of using the economic system to influence human behavior.

Influencing human behavior is neither central to nor required for capitalism.

Anura • July 17, 2018 6:27 PM

Pretty much all arguments in favor of private ownership of the means of production are about things like economic rewards influencing behavior. Other than some moral arguments presupposing that private property ownership is an inalienable right, there aren't many arguments in favor of capitalism.

Jon (fD) • July 17, 2018 9:39 PM

@Hmm - No, you did not say that. However, it is a perfectly logical implication, which I note the discussion thereof you have carefully omitted.

""This means that there is no legal recourse if stolen, therefore no punishment for anyone who does"

Nope, in fact what I said actually doesn't mean that at all. That's entirely wrong.
You jumped the as-stated stated logic like a shark."

I followed the logic. What you claim I did bears very little resemblance to what I actually did.

"I never said theft wasn't a crime, obviously lol. Read it again if your eyes are tired."

No, but that's completely irrelevant. Thanks for throwing that in.

"Nowhere did I say the thief has zero responsibility, that's entirely your addition."

Here we may have something to talk about. What you said (admittedly a bit extremely) was that those who own cars should have no legal recourse if they're stolen when left running with the keys in them - (I did that with my truck this afternoon) and what do you think is 'legal recourse' aside from having someone convicted and punished for the crime?

"Remuneration is civil, not criminal law. Entirely different concepts, areas of law."

Stealing cars is criminal law. So what?

"So before you assume and call names based on your own assumption, think twice if able.
Your first round was assumptive garbage from your own flawed unfiltered extrapolations."

You specifically stated 'implications'. So I did what was "implied".

And this is too long already. There's more - just ask God!

Jon (fD)

Hmm • July 18, 2018 2:20 PM

@Jon

Is it just semantic arguing for its own sake? I'm fine with that, just let's be clear.

"was that those who own cars should have no legal recourse if they're stolen if left running "

Actually you're wrong because you're not quoting properly, at least in part.

What I said was they should have no PROTECTIONS. I never said no recourse. It's dithering perhaps but there is a distinction there and certainly in the way I meant it -
I wasn't initially clear enough using such a broad word, but the word wasn't recourse.

I was referring to protections from responsibility in outcomes, including "their/your" OWN legal responsibility. That's both a criminal and civil concern. If you leave a car running with the key in it and a child comes along and puts it in gear, YOU OUGHT TO BE HELD RESPONSIBLE whether or not it's codified in criminal law and remedied thus. This isn't insane, it happens every day. It's called suing, civil law. Think OJ Simpson.

Someone said that was overbroad, to remove all protections, and I agreed; in retrospect I didn't mean "all" protections. They still have some recourse under the law, I just didn't think they should be absolved of THEIR responsibility going forward just because they're "the victim" of their own created opportunity, in that negligence. The two can both exist.

The obvious analogy is to IOT devices with the "keys in them" already and script kiddies.

" and what do you think is 'legal recourse' aside from having someone convicted and punished for the crime?"

Civil law. I am assuming you've heard of it. If not, that might be the confusion here.

Nobody said it's OK to steal. Nobody said thieves should not be punished. Not at all.
You seem to have misunderstood what I said, I was initially overbroad or unclear and I clarified.

If you don't want to accept my clarification and want to misquote me instead, there's not much to be gained from that and I would hesitate to call that debate.

Somehow this seems way too important for you to get the last word in for some reason.
What exactly caused you to call me a name and then engage in this knitting contest?
I think I've maintained my position as politely as I can considering. Disagree if you like.

In the future, quoting someone verbatim can help make your point. Paraphrasing is abstraction.

Jon (fD) • July 19, 2018 3:46 AM

@Hmm - This will be my last post on the matter. If you choose to respond, you will get in the last word.

Thank you for a cheerful and reasoned argument. I did indeed call you a name, and for that I apologize. I still think you're wrong, though.

I am amused by your last remark, "In the future, quoting someone verbatim can help make your point." because that is exactly what I have been doing.

"" and what do you think is 'legal recourse' aside from having someone convicted and punished for the crime?"

Civil law. I am assuming you've heard of it. If not, that might be the confusion here."

And what is punishment? Isn't being made to pay a punishment? And what is a protection against such things in the future but the apprehension of the criminal that they might get caught at it and have to return some recompense?

So the fact remains that even cars left running with their keys in them should not be stolen. Stealing cars is a crime, running or not.

Now I'm going to be overbroad, and recall some of my earlier arguments that inviting crime does not justify crime, or even mitigate it. A woman wearing a low-cut dress and getting drunk in a bar does not invite rape, and if she does get raped, she bears no responsibility for it whatsoever.

I think that's where the major disagreement is. You're welcome to your opinion.

Jon (fD)


Hmm • July 19, 2018 12:02 PM

"I did indeed call you a name, and for that I apologize. I still think you're wrong, though."

Apology accepted, you're entitled to think what you want and likewise.
