Spitballing IoT Security

bzs at TheWorld.com bzs at TheWorld.com
Sat Oct 29 18:31:05 UTC 2016

On October 29, 2016 at 14:07 esr at thyrsus.com (Eric S. Raymond) wrote:
 > bzs at TheWorld.com <bzs at TheWorld.com>:
 > > 
 > > On October 28, 2016 at 22:27 list at satchell.net (Stephen Satchell) wrote:
 > >  > On 10/28/2016 10:14 PM, bzs at TheWorld.com wrote:
 > >  > > Thus far the goal just seems to be mayhem.
 > >  > 
 > >  > Thus far, the goal on the part of the botnet opearators is to make
 > >  > money.  The goal of the CUSTOMERS of the botnet operators?  Who knows?
 > > 
 > > You're speaking in general terms, right? We don't know much anything
 > > about the perpetrators of these recent Krebs and Dyn attacks such as
 > > whether there was any DDoS for hire involved.
 > We can deduce a lot from what didn't happen.
 > You don't build or hire a botnet on Mirai's scale with pocket change.

Do we know this or is this just a guess?

The infamous 1988 Morris worm was also thought to be something
similarly sinister for a short while until Bob Morris, Jr et al owned
up to it just being an experiment by a couple of students gone out of

Back around 1986 I accidentally brought down at least half the net by
submitting a new hosts file (for Boston Univ) with an entry that
tickled a bug in the hosts.txt->/etc/hosts code which everyone ran at
midnight (whatever) causing a loop which filled /tmp (this would be
unix hosts but by count they were by far most of the connected
servers) and back then a full /tmp crashed unix and it often didn't
come back up until a human intervened.

Ok I doubt this was an accident, tho its scale could've been an
accident, a prank gone wild.

Anyhow what do we *know*?

That the effect was large doesn't necessarily imply that it required a
lot of resources.

We live in a world rife with asymmetric warfare. A few boxcutters and
3,000+ people dead.

 > And the M.O. doesn't fit a criminal organization - no ransom demand,
 > no attempt to steal data.

Same question. Would Dyn et al publicize ransom demands at this point?

And even if not how do we rule out a prank or similar?

Is there something specific about this attack which required
significant resources? How significant?

 > That means the motive was prep for terrorism or cyberwar by a
 > state-level actor.  Bruce Schneier is right and is only saying what
 > everybody else on the InfoSec side I've spoken with is thinking - the
 > People's Liberation Army is the top suspect, with the Russian FSB
 > operating through proxies in Bulgaria or Romania as a fairly distant
 > second.

Well, barring further details one can go anywhere with a few

 > Me, I think this fits the profile of a PLA probing attack perfectly.
 > -- 
 > 		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*

More information about the NANOG mailing list