Spitballing IoT Security

Ronald F. Guilmette rfg at tristatelogic.com
Sun Oct 30 00:32:19 UTC 2016


In message <20161029180730.GA10801 at thyrsus.com>, 
"Eric S. Raymond" <esr at thyrsus.com> wrote:

>You don't build or hire a botnet on Mirai's scale with pocket change.

Proof please?

Sorry, but I am compelled to call B.S. on the above statement.  This
is a really important point that I, Krebs, and others have been trying
to drive home:  In an era when you've got a half million CCTV cams
just lying around without even passwords on them, and in an era when
nobody makes any fuss anymore about the dozens or hundreds or people
and/or organizations (e.g. Shodan) that are out there scanning your
box and my box and everybody's boxes, every damn day, you don't need
to be either an omnious "state actor" or even SPECTER to assemble a
truly massive packet weapon.  Two kids with a modest amount of knowledge
and a lot of time on their hands can do it from their mom's basement.

It is comforting, for some, to think that this is not the case, just
as it is, to this day, comforting, for some, to believe, based on scant
evidence, that it -wasn't- just some lone nut case who killed President
Kennedy.  Psychologically, people have trouble coming to terms with
great impactful tragedies unless they can be blamed on large, unseen,
but enormously capable dark forces.  And the actual available hard
evidence relating to such events does not diminish the human yearning
for a convenient comic book supervillain to pin it all on.

>And the M.O. doesn't fit a criminal organization - no ransom demand,
>no attempt to steal data.

Allow me to refer you to an alternative possible motivation:

   https://en.wiktionary.org/wiki/lulz

>That means the motive was prep for terrorism or cyberwar by a
>state-level actor.

Frankly, I am dismayed to see a well-known Internet persona with a respected
name spreading this kind of absurd, alarmist, over-the-top, retorical fear-
mongering inference, which is without clear basis in either fact or evidence.

Even the hardest of the hard-core dyed-in-the-wool Clinton surrogates are
too circumspect in their pronouncements (i.e. with respect to Russia's
"obvious" connection to the DNC hack) to ever reach anything like this
level of unfounded hyperbole.  (And for the record, I am no Trump supporter
either.  I find myself equally disgusted when either side employs the
currently fashionable verbal sleight-of-hand that politicians of all stripes
have, of late, adopted whenever they want to say something without
themselves having to take responsibility for its truth or accuracy.  I get
angry when I hear Clinton surrogates using the "Some people are saying..."
dodge, e.g. when it comes to alleged nefarious Russian involvement with
anything and everything evil, just as I do when Trump uses the exact same
dodge in reference to... well... everything.)

>Bruce Schneier is right and is only saying what
>everybody else on the InfoSec side I've spoken with is thinking - the
>People's Liberation Army is the top suspect, with the Russian FSB
>operating through proxies in Bulgaria or Romania as a fairly distant
>second.

Yes, but I believe that Schneier was a bit more careful to separate the
known facts from his personal speculations.

In any case, all of this searching for who is to blame isn't contributing
a damn thing towards actually fixing the problem.  And if we really need
to find someone to blame, I think we should all just look in the mirror.

We, society, but especially those of us with more-than-average techno savvy,
have for years been only too eager to lap up whatever whiz-bang new techno
gadgets industry could crank out, with barely an afterthought given to
the longer term implications, like security and also how the hell we are
ever going to be able to recycle any of this s***.  We've all been doing
the exact same thing, since at least Windows 3.1 or earlier, and yet we
continue to expect a different outcome.  We eagerly grab for new capabilities
and new gadgets, thinking about security last or, more often, not at all.
In short, to quote Pogo, "We have met the enemy and he is us."


Regards,
rfg


P.S.  Even if the evidence were to support the view that only a superpower-
level nation-state could have pulled off the Dyn attack... and I'm not at
all persuaded that it does... it kills me that everyone seems to jump,
within a millisecond, immediately from -that- unwarranted conclusion to
the separate unwarranted conclusion that it must have been either Russia
or China.  Apparently, nobody even stops to consider the *other* elephant
in the room, the one that stretches from sea to shining sea, and which
itself has been heard to publically brag about its own cyber-offensive
capabilities of late.

In short, maybe our own guys did this.

OK, so maybe this theory -is- worthy of le Carre, but that don't mean it
ain't possible.  I mean we aren't stupid.  We don't build warehouses full
of nuclear weapons without at least testing the design once or twice first,
you know, to make sure they aren't all gonna end up being duds on impact.
(Mike Rogers would probably lose his stripes -and- his pension if an
actual cyber-confrontation came and it was revealed that nobody had ever
actually tested any of our theoretical capabilities.) And when we do test
our strategic weapons, we -don't- test them by dropping one on China, or
Russia, or Iran, and then saying "Oh!  Sorry.  Please excuse us.  Just
testing."  Doing that could come with consequences.

So, what's worse?  That Amazon and Twitter should be offline for a couple
of hours in the middle of October (i.e. for a little test) or that any
one of our many enemies should, you know, maybe take them down for days
on end in early December, at the height of the shopping season, with
us having no real/tested retaliatory capability?

(Nutty conspiracy theorists might even suggest that staging a limited
attack like this is a rather obvious way for certain three letter
entities and/or parts of DoD to squeeze even more out of congress than
the obscenely vast sums they are already getting, but I personally won't
even go there.  As I've noted, there are plenty of pragmatic and entirely
non-nefarious/non-self-serving reasons why our own guys might have done
a small/short practice run like this.)

Anyway, when it comes to attribution, the bottom line is that all anybody
has to do is to run their C&C through two or three levels of chained
compromised socks proxies, e.g. in Tajikistan, Bolivia, and Singapore,
and then, as a practical matter, nobody will ever be able to say for
sure who you are.  It's all just guesswork, and much of it, alas, isn't
even all that educated.

Who says that the Russians or the Chinese took down Dyn?  Are these the
same people who told us the fantasy... later retracted... that North
Korea hacked Sony?  Are these the same people who told us that Saddam
absolutely positively had weapons of mass destruction?

I would have hoped that all of us in this country (US) would have become
just a little bit more skeptical of press reports and "expert" pronouncements
by now.

Remember the Maine!


More information about the NANOG mailing list