The Internet Of Poorly Secured Things Is Fueling Unprecedented, Massive New DDoS Attacks

from the build-it-poorly-and-they-will-come dept

Last week, an absolutely mammoth distributed denial of service (DDoS) attack brought down the website of security researcher Brian Krebs. His website, hosted by Akamai pro bono, was pulled offline after it was inundated with 620Gbps of malicious traffic, nearly double the size of the biggest attack Akamai (which tracks such things via their quarterly state of the internet report) has ever recorded. Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service.

According to Krebs, the attack came, he believes, after he began digging more deeply into various gangs that deliver DDoS attacks on-demand. And according to Krebs, this time they had the help of the hystercially piss poor security of the internet of things (IoT) industry:
"There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords."
So not only are "smart" refrigerators, TVs, tea kettles and power outlets leaking your unencrypted data to any nitwit with a modicum of technical knowledge, they're being utilized to amplify existing attacks on security researchers who are actually trying to make things better. The attack comes directly on the heels of Bruce Schneier warning us the check is about to come due -- after IoT companies and evangelists that prioritized hype and sales over security fundamentals helped introduce millions of new network attack vectors into the wild over the last five years or so.

In a recent blog post, Schneier also noted that these larger DDoS attacks come as multiple groups and individuals (likely nation state sponsored hackers) have begun probing for vulnerabilities on an unprecedented scale:
"Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure."
And they're finding, as many have warned, millions of poorly secured Internet of Things "smart" devices with stupid default passwords -- or in many instances no security at all. In most instances the buyers of these products are utterly clueless of their participation in these botnets, and very frequently these devices don't give the end user transparent end control over what's being sent over the network anyway.

In a follow-up blog post by Krebs, he makes it clear that in addition to being immensely dangerous (potentially fatal if the right systems are targeted), these larger scale DDoS attacks propped up by the IoT should also be seen as a growing assault on free speech. After all, few independent journalists would be able to afford the kind of DDoS mitigation technologies necessary to truly stop these new, larger attacks:
"In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.
For a country that likes to talk a lot about cybersecurity (mostly to justify awful government policy like backdoors that make us less secure than ever), the United States isn't doing all that much to mitigate the looming threat. Much like Schneier, Krebs calls for a more coordinated effort by industry and government to wake up and begin greater institutional-grade collaborative efforts to shore up our collective security before things spiral out of control:
"I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections."
And it probably goes without saying that this threat looms as we ponder electing two of the least technically sophisticated Presidential candidates in recent memory. These are two researchers who aren't prone to hyperbole, so it seems like we might just want to take their advice before the Internet of Things devolves from a running gag into a potentially fatal shitshow.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: brian krebs, ddos, iot, security
Companies: akamai


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Great_Scott (profile), 27 Sep 2016 @ 9:45am

    Gentlemen, start your firewalls!

    It seems like the best way to stop attacks like these is for the major home ISPs to block pings, or ICMP in general.

    It's sad its come to that.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 27 Sep 2016 @ 9:52am

    It's all an attitude problem.

    To paraphrase a quotation from an earlier event where warnings were given and ignored:

    "God himself couldn't sink this internet!"

    link to this | view in thread ]

  3. icon
    Ninja (profile), 27 Sep 2016 @ 10:01am

    Re: Gentlemen, start your firewalls!

    It seems to me that the best thing you can do is to block outbound connections by default and liberate only what should be going out and through specific channels. I've read it's more effective than trying to block what goes in and it makes sense in some ways. Specially if your things or the OS are the talkative types.

    link to this | view in thread ]

  4. identicon
    I.T. Guy, 27 Sep 2016 @ 10:02am

    "Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service."

    "Akamai would cost between $150,000 and $200,000 per year."

    Damn that free speech hating Google.
    Whatever's head is going to explode.

    link to this | view in thread ]

  5. icon
    Shawn (profile), 27 Sep 2016 @ 10:11am

    Re: Gentlemen, start your firewalls!

    Large DDoSes like this are often DNS reflection or NTP reflection. Blocking ICMP will not help

    link to this | view in thread ]

  6. identicon
    Rich Kulawiec, 27 Sep 2016 @ 10:12am

    This is why self-driving cars must be banned

    We've already seen massive security holes in automobile computer systems -- some of them so large that the automobile computer system IS the security hole. We've also seen that the manufacturers' response to this is denial, stonewalling, retaliation, censorship, litigation, etc. At no point has there been the slightest indication that any of them actually want to seriously address the problem.

    Which means that every car coming off the assembly lines, as well as all the ones that already have, is a bot waiting to happen. And self-driving cars aren't magically exempt from this.

    As I've so often said, if someone else can run arbitrary code on your computer, it's not your computer any more. When that computer is a laptop sending spam, this is annoying. When that computer is managing a multi-thousand pound vehicle moving at 65MPH in traffic, it's a catastrophe.

    link to this | view in thread ]

  7. icon
    Shawn (profile), 27 Sep 2016 @ 10:12am

    Re: Re: Gentlemen, start your firewalls!

    Good in theory, but we are talking about ISP's .. Not very likely that Comcast is going to manage outbound firewall rules for its millions of customers

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 27 Sep 2016 @ 10:19am

    Re: Re: Gentlemen, start your firewalls!

    Exactly, there are multiple ways to perform a DDOS attack.

    link to this | view in thread ]

  9. identicon
    Stosh, 27 Sep 2016 @ 10:22am

    My refrigerator had internet access, then I started finding pictures of nude washer-dryer sets and worse. Had to cut the connection entirely....

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 27 Sep 2016 @ 10:23am

    Re: This is why self-driving cars must be banned

    Maybe we should ban mechanical cars too. There are plenty of ways to sabotage those as well.

    However, with self driving, the blame can go squarely on the manufacturers which will bring an inherently similar problem. That is MFG claiming that their tech must be proprietary to protect it, which is a load of shit but so are politicians. And when you put two loads of shit together you get a couple of somethings in competition to stink to higher heavens.

    link to this | view in thread ]

  11. identicon
    The Phule, 27 Sep 2016 @ 10:29am

    Smart Refrigerators?

    Why would someone...

    'Smart' appliances are expensive! Who the hell can afford one?! How could they even be such a problem!

    link to this | view in thread ]

  12. icon
    Ninja (profile), 27 Sep 2016 @ 10:37am

    Re: Re: Re: Gentlemen, start your firewalls!

    I was talking about local settings (ie: your own router) but even in the ISP level there is something that can be done about traffic patterns. I mean, if you see a huge spike of interest towards a certain source that is sustained then something is wrong and you can act to stop it from your end too. As Krebs said, it would need to be a coordinated effort that won't generate any profits so it will only happen when the losses are greater than the cost of the effort.

    link to this | view in thread ]

  13. icon
    Ninja (profile), 27 Sep 2016 @ 10:39am

    Re: Re: Gentlemen, start your firewalls!

    If you read what Krebs wrote after the attacks you'll see it wasn't any technique like that. The attack came directly from thousands of devices, mostly DVRs and IP cameras. Even harder to fend off by himself.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 27 Sep 2016 @ 10:41am

    Re: Smart Refrigerators?

    I have a Smart capable water heater. I bought it for the 10 year warranty not the smart features. It needs an extra adapter to connect it up that I didn't purchase. If I did, it was capable of setting up schedules that control the status and temp. You could optimize your water heater schedule and save money on power.

    link to this | view in thread ]

  15. icon
    Ninja (profile), 27 Sep 2016 @ 10:42am

    Re: This is why self-driving cars must be banned

    Disagree. There's no need to ban those, you just need to do security properly. They will need input so keeping them offline might not be a good idea but you can prevent any remote modification to anything (ie: read only mode). I'm sure there are plenty of ways to do it right. There's no need to ban them.

    link to this | view in thread ]

  16. icon
    Ninja (profile), 27 Sep 2016 @ 10:43am

    Re:

    Imagine if it had radicalized and joined ISIS...

    link to this | view in thread ]

  17. identicon
    Michael, 27 Sep 2016 @ 10:45am

    Re: Re:

    We could end up in another cold war...

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 27 Sep 2016 @ 10:55am

    Re: Gentlemen, start your firewalls!

    How would stopping ICMP help? The attackers could just switch to using TCP port 80 or 443--nobody's going to block that, and it would use more CPU. And actually, if you compromise some large ad networks or web sites, you could have a ton of clients make lots of "normal" web requests to your target.

    link to this | view in thread ]

  19. identicon
    Rich Kulawiec, 27 Sep 2016 @ 11:04am

    Re: Re: This is why self-driving cars must be banned

    Maybe we should ban mechanical cars too. There are plenty of ways to sabotage those as well.

    Tell me about the ways that they can be sabotaged without ever coming into physical contact with them.

    Tell me about the ways that they can be sabotaged in milliseconds.

    Tell me about the way that they can be sabotaged without being detected by competent mechanics or even expert mechanics.

    Tell me about the ways that they can be sabotaged while passing by at 65 MPH.

    Tell me about the ways that they can be sabotaged en masse.

    Tell me about the ways that they can be used to sabotage other cars.

    Tell me about the ways that they can be placed under remote control individually or as a group.

    link to this | view in thread ]

  20. identicon
    Michael, 27 Sep 2016 @ 11:05am

    Re: Re: Smart Refrigerators?

    You could optimize your water heater schedule and save money on power

    Your data overages from your water heater running a DDoS attack might cost you more than you save.

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 27 Sep 2016 @ 11:09am

    Is 620 Gbit/s really that much?

    620 Gbit/s is... 620 Google Fiber subscribers. Compromising a single apartment block could get you this kind of bandwidth (not really, with GPON being a shared medium, but a thousand people spread out could do it). Should we still be acting like this is a crazy amount of traffic?

    The amount of bandwidth available to individuals also hints at a possible solution: peer-to-peer delivery. Krebs is publishing basically static content. He could attach a digital signature to each article and put it on BitTorrent. Realistically, we need to make something like this that's more usable--built in to browsers, allows comments, doesn't publically reveal who's reading, etc. And BitTorrent isn't great for tiny files. Still, it seems like something that would just need a bunch of hard work rather than years of research.

    link to this | view in thread ]

  22. identicon
    Michael, 27 Sep 2016 @ 11:13am

    Re: Re: Re: This is why self-driving cars must be banned

    You seem to have a bit of an arbitrary set of guidelines for when something becomes too dangerous to be manufactured and sold.

    Is it that something must satisfy all or just one of these?

    I'm pretty sure a spike strip on the highway at night would handle most of these on any traditional car.

    Banning something outright because we can come up with scenarios that "make it dangerous" would have prevented the wheel from being used. While there are certainly security issues to be fixed with self-driving cars - and these are a big problem - they are currently safer than human driven cars and getting safer every day.

    Oh, and self-driving cars don't need to have critical systems hooked to the internet.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 27 Sep 2016 @ 11:23am

    Seems like the best long-haul approach to resolving these kinds of problems is to sue the companies making these devices for enabling them to be used in DDOS attacks and other hacks, thereby collaborating with the attackers.

    link to this | view in thread ]

  24. identicon
    Thad, 27 Sep 2016 @ 11:31am

    Re: Re: Re: Re: This is why self-driving cars must be banned

    I think you're both being obtuse, TBH.

    You're deliberately ignoring the huge difference of scale between sabotaging traditional cars and internet-connected ones, and the serious warning signs that these vulnerabilities are being ignored and security treated as an afterthought.

    He's ignoring that these issues exist in all internet-connected cars, not just self-driving ones, and proposing an unrealistic and excessive solution to a(n admittedly real and serious) problem.

    What we actually need is for auto companies to start taking security seriously. Unfortunately, for that to happen will require either sensible regulation or market incentives. What's unfortunate about that is that we don't have a Congress that has the knowledge or the inclination to pass sensible regulations, and "market incentives" here mean *people start dying*, because I'm very much afraid that's what it's going to take before auto makers' profits are impacted enough for them to start prioritizing security.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 27 Sep 2016 @ 11:33am

    Re: Re: Gentlemen, start your firewalls!

    That may be, but -
    How would an unhacked IOT device have anything to do with changes to DNS or NTP unless it was designed to be a hacker tool to begin with?

    link to this | view in thread ]

  26. identicon
    Thad, 27 Sep 2016 @ 11:34am

    JM Porup has an article at Ars called Unsafe at any clock speed: Linux kernel security needs a rethink; it's something to chew on.

    link to this | view in thread ]

  27. icon
    Padpaw (profile), 27 Sep 2016 @ 11:36am

    The cynic in me thinks this is exactly what those who are supposed to be protecting this want.

    An excuse to pass more laws that restrict citizen rights in the name of protecting that which they intentionally left exposed.

    link to this | view in thread ]

  28. identicon
    Thad, 27 Sep 2016 @ 11:38am

    Re:

    I fear you may be right. Companies aren't going to focus on security until security breaches start costing them more money than security developers.

    Suing companies for security negligence is (like suing anybody) something of a crapshoot. But if it starts to happen often enough, and harm enough companies' reputations, it could make a real difference.

    link to this | view in thread ]

  29. icon
    dogwitch (profile), 27 Sep 2016 @ 11:39am

    surpise on how often simple things are open

    long while back. black ice firewall was still around. i stumble on a issue with their firewall software. tech sent me a link to a download on the site. when i click it. it went to ftp. so k i wonder around clicking folder etc. to my surprise their whole company server was on the ftp. so all doc,software etc. was easy to access. not password or user names. i was shock. so a took a image and sent a email to their tech support. on hey your whole company open to the web. they where very thankful on me letting them know

    link to this | view in thread ]

  30. identicon
    Rich Kulawiec, 27 Sep 2016 @ 11:47am

    Re: Re: Re: Re: This is why self-driving cars must be banned

    I think what you're missing is that there are fundamental differences of scale in play here. Sure, a single car can have its brakes sabotaged, but that takes time, is hard to do competently, may be detected, and affects only that car.

    A security vulnerability in a self-driving car means that (at least) all those of the same make/model are vulnerable simultaneously.

    Don't picture one car going out of control. Picture every single one of that make/model on the highways within 15 miles of a city center being taken over during evening rush hour -- and turned into a directed precision-guided kinetic weapon. Now picture it happening in two cities, or twenty.

    The risks are incredibly higher for self-driving cars. (They're not nonzero for non-self-driving cars carrying sophisticated computer systems, by the way, but those would be harder to commandeer. Self-driving cars are DESIGNED to be driven via automation.)

    And on September 27, 2016, there is absolutely no sign whatsoever that auto makers are paying the slightest attention to the myriad security issues out there -- well, other than by trying to silence the researchers who found them, denying them, and lobbying Congress to make sure that it stays just as ineffectual as it has to date.

    It will probably take a horrible incident like the hypothetical I posed above to spur action on this. It will be too late, MUCH too late by then, of course: you can't retrofit security. Not really. Not effectively. It has to be designed-in from the whiteboard stage. And we're already well past that. But there will be the usual calls for Something To Be Done and it will be: badly.

    Maybe I'm wrong. I hope I'm wrong. But I doubt it.

    link to this | view in thread ]

  31. identicon
    Thad, 27 Sep 2016 @ 11:58am

    Re: Re: Re: Re: Re: This is why self-driving cars must be banned

    That's not *entirely* accurate; Tesla was pretty quick in pushing out an update recently when researchers demonstrated a way to remotely engage brakes.

    But (1) that's technically not a self-driving car and (2) that could very well be a reaction to the scrutiny Tesla's Autopilot feature has gotten over the past few months since there have been a couple of fatalities.

    link to this | view in thread ]

  32. icon
    Roger Strong (profile), 27 Sep 2016 @ 12:07pm

    Re: surpise on how often simple things are open

    "To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don't want to hear it. I'm a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer."
    - Steve Gibson

    link to this | view in thread ]

  33. identicon
    Michael, 27 Sep 2016 @ 12:17pm

    Re: Re: Re: Re: Re: This is why self-driving cars must be banned

    Certainly there is concern, and I think we need to get auto manufacturers to put security at the top of the list rather than the bottom, but humans are susceptible to a number of things that could cause all kinds of highway havoc.

    A blinding light, an extremely loud sound, etc. Heck, a disabled car on the side of the highway causes traffic jams and collisions all the time these days. The idea that a hacker could cause all self-driving cars on a stretch of highway stop seeing obstacles is scary, but I'm not sure it would be any more difficult to do it to people than it is to do to an autonomous car.

    link to this | view in thread ]

  34. identicon
    Chuck, 27 Sep 2016 @ 12:47pm

    Perspective

    Just to put the sheer volume of this attack in perspective, this is 620 gigibits per second, not bytes. That's 77.5 Gigabytes every single second.

    Right now the movie with the largest number of seeds on TBP is the new Tarzan movie (counting only HD movies.) It is 1.69GB, which is fairly standard for HD Video torrents, and has 2424 seeds. Now, due to the way BitTorrent works, nearly all of those seeds do NOT have a full copy of the movie yet. Let's go for a simple answer and say they all have 1GB of the movie downloaded thus far.

    This attack uses the same amount of traffic as 77 of those seeders, but it uses it EVERY SECOND, which they certainly do not.

    Now, dividing 2424 by 77 gives us 31 seconds. This means that every 31 seconds, this attack uses more bandwidth than the TOTAL used by ALL of the seeders on the most popular HD Movie torrent on TPB.

    Assuming this torrent lasted for 30 minutes - which would make it a very short DDoS attack by most standards - that means that this attack used the same amount of bandwidth as 138,600 seeders would on a typical HD movie torrent.

    Now...didn't the MPAA say that a "majority" of traffic on the internet was caused by piracy?

    Given that this attack alone used more bandwidth than the sum total of the first 2 pages of HD Movies on TPB COMBINED, can we declare that statement from the MPAA totally bogus yet?

    Source: Common sense and a basic calculator.

    link to this | view in thread ]

  35. icon
    That One Guy (profile), 27 Sep 2016 @ 12:54pm

    Re: Perspective

    Well obviously DDOS attacks are just another kind of piracy, where you steal the right of someone to use their system without being under digital-war. So, our statement still stands, and if anything we underestimated the numbers.

    -The MPAA

    link to this | view in thread ]

  36. identicon
    Anonymous Coward, 27 Sep 2016 @ 12:56pm

    Re: Re: Re: Re: Re: This is why self-driving cars must be banned

    Like everything else it depends on effort.

    There are multiple ways to massively mess with mechanical devices, they are just not as practical as attacking an electronic device that was never given proper security to begin with. Look at the killdozer, he only needed to molest a single mechanical device to fuck with a lot of others. Are you going to say that because bulldozers can easily be converted into cheap but damn effective tanks should be outlawed as well?

    Manufacturers these days cannot resist the call to keep their creations connected and compromised at all times. The plebs known as consumers are entirely ignorant of the risks and essentially do nothing about it. There are quite a few ways that electronics can be made to be remotely unhackable.

    link to this | view in thread ]

  37. icon
    Adrian Cochrane (profile), 27 Sep 2016 @ 1:29pm

    Could we have an attack this election?

    It's a sad thing to hope for, but given how disliked the candidates are and how close the polling is I don't think we'd loose much from it. And as the researchers suggested this might be what it takes to push industry to fix the security holes throughout in the Internet's wiring, applications, & "Things".

    Besides all I want out of this election is chaos, and that would bring it while showcasing an important issue.

    link to this | view in thread ]

  38. identicon
    Rich Kulawiec, 27 Sep 2016 @ 1:45pm

    Re: Re: Re: Re: Re: Re: This is why self-driving cars must be banned

    but humans are susceptible to a number of things that could cause all kinds of highway havoc.

    Yes, BUT, and this is what you're missing, the scale is limited. The most catastrophic human-caused traffic accidents -- cascading highway pileups, usually in bad weather -- are extremely localized and very limited. Figure a quarter mile and a hundred cars as a rough idea of the scale.

    Now multiply that by dozens for one city. Now multiply that by dozens for multiple cities. Now factor in that it can be done again an hour (because nobody will be able to react quickly enough to stop it). Now factor in that it WON'T be an accident, that is, that it will be done deliberately: accelerators engaged, not brakes, and cars steered into each other, not away.

    Think that's far-fetched? Okay. Listen:

    15 years ago, the only people people who envisioned the possibility of an enormous global network of bots were those who'd read John Brunner's The Shockwave Rider and those who'd had some exposure to software worms. A few years later, there were over a hundred million. The scale of the problem became intractable in an alarmingly short time, and the only reason consequences haven't been worse is that almost none of those systems have control over physical devices. But they've been bad enough: billions have been expended fighting them and yet they continue to do damage to Internet infrastructure.

    We are now seeing the same thing happening with the IoT, because -- apparently -- people were too stupid, too lazy, too ignorant, and mostly too arrogant to learn from the last episode. This includes the people building self-driving cars, who are so full of self-admiration that they're not considering what will happen if they succeed.

    "We were so concerned with getting out that we never stopped to consider what we might be letting in, until it was too late." --- Leela Alexander

    link to this | view in thread ]

  39. identicon
    Im_not_JB, 27 Sep 2016 @ 2:43pm

    Im_not_JB's argument

    It wouldn't be TechDirt if they didn't pattern match, "This has something to do with cybersecurity," and reflexively imagine that it supports their position in one part of tech law. Unfortunately, since they have no bloody clue how tech law works, they picked the wrong part. They think this has something to do with laws concerning gov't access to communications. That's absurd. Instead, it actually fits very well into a different portion of tech law - the Rule 41 update! Of course, the problem is that these developments go against TechDirt's position on that issue, so they can't bring themselves to make the connection.

    Massive networks of bots (whether traditional computers or IoT devices) are very dangerous tools; TechDirt at least acknowledges this (though, it takes "their guy" getting his ox gored for them to realize it). In order to go after these people, law enforcement may have to take actions which manifest on devices in many different jurisdictions. This can effectively kill their progress, because it requires a ton of manpower to actually go to every single district in the country and file redundant paperwork and get everything coordinated/approved on some semblance of a schedule so that they can go, ya know, do police work. Part of the Rule 41 update is to fix this problem. Now, they still have to go get a judge's approval, but they don't have to get 50 judges approvals for the same thing at the same time. Instead, they can take all the info to one judge (in a jurisdiction where a crime has been committed by said criminals), and he can approve a warrant for the botnet. He still needs suitable probable cause, and the warrant still needs a particularity requirement (i.e., they can't just go rooting around in your computer looking for evidence of unrelated crimes).

    Next time, when you're reading the latest breathless TechDirt outrage word salad on Rule 41, remember this breathless TechDirt outrage word salad. Here, they're crying, "Something must be done!" Later, when they see that something reasonable is being done, they'll obstinately ignore any actual facts in order to whine that the government is doing things!

    link to this | view in thread ]

  40. identicon
    Thad, 27 Sep 2016 @ 4:45pm

    Re:

    I'd apply Occam's/Hanlon's Razor here, rather than assume a conspiracy.

    IoT devices are insecure because it's cheaper and easier than making them secure. No need for any shady backroom scheming.

    link to this | view in thread ]

  41. icon
    Finnegan (profile), 27 Sep 2016 @ 5:23pm

    Re: Perspective

    Wait a minute, this doesn't make any sense...

    ...people want to watch the new Tarzan movie?

    link to this | view in thread ]

  42. identicon
    Anonymous Coward, 27 Sep 2016 @ 5:50pm

    Is there an IOT pet rock?

    link to this | view in thread ]

  43. icon
    orbitalinsertion (profile), 27 Sep 2016 @ 7:41pm

    Re: Re: This is why self-driving cars must be banned

    Theoretically, and on principal, there is no reason to ban them. (Or the non-self-driving equivalent trash that has been around for a while and getting only worse.) Realistically, practically, historically, no one is securing anything. They add vulnerabilities. Unnecessary ones at that. They add bugs.

    Unless they are forced to treat IoT, cars and similar things especially, as military-grade in terms of hardening, not allowing unnecessary bundling of systems and limiting connectivity, with with a well coded and tested RTOS, well we are just waiting for worse things to happen. They always do. Rights and ideals or not, no innovation or market is going to cause these things to be fixed as they should be. It has not happened so far. Regulation is a crapshoot and then we have people discussing how much it hurts innovation with unnecessary burden. And it could make things worse. Or it could be entirely clueless.

    I don't have any suggestions other than what you have already pointed out. Only no one is going to do it.

    link to this | view in thread ]

  44. identicon
    Anonymous Coward, 27 Sep 2016 @ 9:09pm

    Who has the money

    Seriously. Who has the money to buy smart appliances, and what kind of jobs are you working? How did you get out of student debt?

    Most of the people I know can barely afford to have a five year out of date smart phone and a seven year out of date laptop as their primary computing platforms. Leftovers from when they were in college.

    link to this | view in thread ]

  45. icon
    Eldakka (profile), 28 Sep 2016 @ 1:05am

    Re: Re: Re: This is why self-driving cars must be banned

    How about using a B1 Lancer with a crapload of bomblets flying over a massive crowded highway?

    Or just a couple of nukes?

    I'm pretty sure either of those would satisfy most of those criteria ;)

    link to this | view in thread ]

  46. icon
    Eldakka (profile), 28 Sep 2016 @ 1:09am

    Re:

    Well, first you have to prove doing so is either:
    a) illegal;
    b) an actionable tort.

    If there is no law requiring them to secure them, then there is no illegal act.

    To bring a tort action, you'd have to also prove that you HAVE been (not could oneday mighta sorta be) actually damaged.

    link to this | view in thread ]

  47. icon
    nerd bert (profile), 28 Sep 2016 @ 8:36am

    Re: Re: Re: Re: Gentlemen, start your firewalls!

    That's not likely to be all that possible with IPv6 and IPv6 is likely to be even more required with IoT. Getting an IPv6 enabled router to filter your own devices properly right now is technically challenging even with things like OpenWRT, much less the crap software that's typically installed on a home router. Full statefull IPv6 connections with firewalls are tough on things like VoIP and require some finesse.

    Until these things become more accessible (i.e. automated), it's an issue for the average Joe.

    link to this | view in thread ]

  48. icon
    PT (profile), 28 Sep 2016 @ 3:33pm

    Re: Who has the money

    The advantage of a 7 year out of date laptop is you don't have to have Windows 10.

    link to this | view in thread ]

  49. identicon
    Anonymous Coward, 28 Sep 2016 @ 4:21pm

    Re: Re: Who has the money

    Or just buy a laptop without Windows.

    link to this | view in thread ]

  50. identicon
    Phil C., 20 Oct 2016 @ 4:45pm

    "... we ponder electing two of the least technically sophisticated Presidential candidates in recent memory."

    Have ANY of our Presidential candidates since Herbert Hoover been technically sophisticated? Sure, we've had Dr. Ben Carson and Dr. Ron Paul, but they've never come close to getting elected, and their field of expertise is medicine, not computer science.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.