Spitballing IoT Security

Jean-Francois Mezei jfmezei_nanog at vaxination.ca
Sat Oct 29 18:48:50 UTC 2016

On 2016-10-29 14:07, Eric S. Raymond wrote:

> You don't build or hire a botnet on Mirai's scale with pocket change.
> And the M.O. doesn't fit a criminal organization - no ransom demand,
> no attempt to steal data.

it is wrong to underestimate script kiddies and open source code. It is
wrong to underestimate a community that shares their own experiences
with different devices. One contributes default password for brand X
camera, one gives the defaults for brand Y router etc.

Imagine someone writes code for university project to scan the network
for improperly protected devices. That code, while designed as a
security audit, could be integrated into something far nastier.

At the end of the day, you may have plenty of open source information
available to assemble this into something like Mirai.

Yeah, there may be more sinister forces out there. The DYN attack may
have been a "demo" of capabilities that will be part of
threats/balckmail against other large players on the Internet.

> everybody else on the InfoSec side I've spoken with is thinking - the
> People's Liberation Army is the top suspect, with the Russian FSB
> operating through proxies in Bulgaria or Romania as a fairly distant
> second.

Or some guy in Arkansas starting a new blackmail/extortion business,
hoping to cash in on the software he put together.

And if we're gonna talk conspiracies, include Trump. he publishes a
"policy" on cyber attacks on a day, a couple days later a major cyber
attack happens. Coincidence ? :-)

I think the focus should be on preventing such attacks, and reducing
their impacts when they happen and improving traceability tools as they
happen. Speculating on who is reponsible doesn't do much to proect the
internet against such attacks.

More information about the NANOG mailing list