On Tue, Sep 27, 2016 at 8:50 PM, Steve Kinney <admin@pilobilus.net> wrote:

On 09/27/2016 11:21 PM, grarpamp wrote:
> On Sun, Sep 25, 2016 at 3:46 AM, Mirimir <mirimir@riseup.net> wrote:
>> Yes, it's for sure a hard problem. Any entity resourceful enough to
>> withstand Tbps DDoS is likely a huge privacy risk :(
>>
>> On the other hand, Krebs has been totally asking for it, for years ;)
>> He's been going after major cybercriminals, who perhaps have major
>> connections with global TLAs. And he's often been a jerk about it.
>> Hugely self-righteous, and humorless. So meh ;)
>
> He's already been swatted, manure mailed for lols, etc.
> Though being AP'd by the cybers is probably unlikely.

Meanwhile the Big DDoS has apparently been mitigated by Akamai or
somebody.

It was mitigated by Google's Project Shield. The Internet is starting to feel a lot more like feudalism, where you have to swear fealty to some lord or get overrun by barbarian hordes. Or, I guess, the way all governments want us to feel about the world. "Bad guys" like this are a government's best friend. Or a megacorp's.

What bothers me is not this particular instance, but the proof of
concept it represents, in a world where everything from refrigerators to
night lights phones home. Things present a very diffuse and low-reward
attack surface individually, but as reflectors they provide a potential
solar-furnace-like effect in the hands of a sophisticated attacker.

But the fact that they blew their wad early on a low-value target like Krebs means that the issue will get attention. Of course, if the cost to any given end user or their ISP is small enough, perhaps it won't be enough.

"Physical access is game over" so it may turn out that whoever owns the
most Things wins after all.

Ownership of Things is not permanent, though. Maintaining a botnet is a neverending battle.