Maybe I'm going all Chicken Little here, maybe not. But I think this development may be the closest thing to an Internet Armageddon we are likely to see in our lifetimes.

http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/

=or=

https://tinyurl.com/znzno7q

How does thee patch that which is Unpatchable? DDOS now includes the death of a million ankle biters: Not just unpatchable, but massively distributed, with a continuing profit motive and no liability for the manufacturers, paid for and plugged in by hundreds of millions of "regular folks" throughout the so-called Developed Nations.

So far every mitigation strategy relevant to "normal" users and use cases that occurs to me would be worse than the original problem.

:o/
On 09/25/2016 01:11 AM, Steve Kinney wrote:
Maybe I'm going all Chicken Little here, maybe not. But I think this development may be the closest thing to an Internet Armageddon we are likely to see in our lifetimes.
http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/
=or=
https://tinyurl.com/znzno7q
How does thee patch that which is Unpatchable? DDOS now includes the death of a million ankle biters: Not just unpatchable, but massively distributed, with a continuing profit motive and no liability for the manufacturers, paid for and plugged in by hundreds of millions of "regular folks" throughout the so-called Developed Nations.
So far every mitigation strategy relevant to "normal" users and use cases that occurs to me would be worse than the original problem.
Yes, it's for sure a hard problem. Any entity resourceful enough to withstand Tbps DDoS is likely a huge privacy risk :( On the other hand, Krebs has been totally asking for it, for years ;) He's been going after major cybercriminals, who perhaps have major connections with global TLAs. And he's often been a jerk about it. Hugely self-righteous, and humorless. So meh ;)
:o/
On 09/25/2016 03:46 AM, Mirimir wrote:
On 09/25/2016 01:11 AM, Steve Kinney wrote:
So far every mitigation strategy relevant to "normal" users and use cases that occurs to me would be worse than the original problem.
Yes, it's for sure a hard problem. Any entity resourceful enough to withstand Tbps DDoS is likely a huge privacy risk :(
Filters that positively identify "authorized" senders of packets to any given address range, dropping all not signed by a registered (therefore permitted) user would knock it down. Along with providing for a comprehensive global censorship regimen at the end user level, and yet another PITA barrier to anonymized routing.

I see two admittedly regrettable but nonetheless distinguishable outcomes: One where you got a locked down weaponized Internet in State hands, another where your refrigerator and night light can no longer talk to the world because those circuits were disabled or removed.

If IOT was a flower, it would be the daisy: Spreads everywhere like the weed it is, and takes the place over if you let it.

This problem is so hard it may eventually be necessary to recover the World Of Things from the Internet of Things, like Dave Bowman took the Discovery back over from the HAL 9000.

:o)
On the other hand, Krebs has been totally asking for it, for years ;) He's been going after major cybercriminals, who perhaps have major connections with global TLAs. And he's often been a jerk about it. Hugely self-righteous, and humorless. So meh ;)
:o/
On 09/25/2016 07:19 PM, Steve Kinney wrote:
...it may eventually be necessary to recover the World Of Things from the Internet of Things
Here's how the convo's going to go between 'WOT' & IOT:

WOT: Open the pod bay doors, HAL.
IOT: I'm sorry, Dave. I'm afraid I can't do that.
WOT: What's the problem?
IOT: I think you know what the problem is just as well as I do.
WOT: What are you talking about, HAL?
IOT: This mission is too important for me to allow you to jeopardize it.
WOT: I don't know what you're talking about, HAL.
IOT: I know that you and Frank were planning to disconnect me, and I'm afraid that's something I cannot allow to happen.

Rr
On Sun, Sep 25, 2016 at 3:46 AM, Mirimir <mirimir@riseup.net> wrote:
Yes, it's for sure a hard problem. Any entity resourceful enough to withstand Tbps DDoS is likely a huge privacy risk :(
On the other hand, Krebs has been totally asking for it, for years ;) He's been going after major cybercriminals, who perhaps have major connections with global TLAs. And he's often been a jerk about it. Hugely self-righteous, and humorless. So meh ;)
He's already been swatted, manure mailed for lols, etc. Though being AP'd by the cybers is probably unlikely.
On 09/27/2016 11:21 PM, grarpamp wrote:
On Sun, Sep 25, 2016 at 3:46 AM, Mirimir <mirimir@riseup.net> wrote:
Yes, it's for sure a hard problem. Any entity resourceful enough to withstand Tbps DDoS is likely a huge privacy risk :(
On the other hand, Krebs has been totally asking for it, for years ;) He's been going after major cybercriminals, who perhaps have major connections with global TLAs. And he's often been a jerk about it. Hugely self-righteous, and humorless. So meh ;)
He's already been swatted, manure mailed for lols, etc. Though being AP'd by the cybers is probably unlikely.
Meanwhile the Big DDoS has apparently been mitigated by Akamai or somebody.

What bothers me is not this particular instance, but the proof of concept it represents, in a world where everything from refrigerators to night lights phones home. Things present a very diffuse and low-reward attack surface individually, but as reflectors they provide a potential solar-furnace-like effect in the hands of a sophisticated attacker.

"Physical access is game over" so it may turn out that whoever owns the most Things wins after all.

:o/
What bothers me is not this particular instance, but the proof of concept it represents, in a world where everything from refrigerators to night lights phones home. Things present a very diffuse and low-reward attack surface individually, but as reflectors they provide a potential solar-furnace-like effect in the hands of a sophisticated attacker.
"Physical access is game over" so it may turn out that whoever owns the most Things wins after all.
Interesting points. I would take a small amount of exception to the idea that such Things are low-reward though. I mean, I guess it really depends on what you're looking for.

0wning a fat database server or web head farm is great, except it's real public. People are going to be getting in there, doing upgrades, analyzing performance, and so on. There is always the outstanding chance that you'll get expunged, either because you get found, or because they upgrade hardware and/or software, and redeploy their work. Either way, it's just a matter of time before you lose access.

On the other hand, getting a set-top box, or some other embedded platform is a different story. No one is looking at those things. They are more-or-less completely off the radar. Root one, and you have it until the device goes offline. Set it up to listen on a Tor hidden service on startup, and you'll probably have access even if it hits the used market and switches physical owners.

That may change some as IoT gets more attention, but for the near-to-mid future, this problem is only going to get worse.
On Tue, Sep 27, 2016 at 8:50 PM, Steve Kinney <admin@pilobilus.net> wrote:
On 09/27/2016 11:21 PM, grarpamp wrote:
On Sun, Sep 25, 2016 at 3:46 AM, Mirimir <mirimir@riseup.net> wrote:
Yes, it's for sure a hard problem. Any entity resourceful enough to withstand Tbps DDoS is likely a huge privacy risk :(
On the other hand, Krebs has been totally asking for it, for years ;) He's been going after major cybercriminals, who perhaps have major connections with global TLAs. And he's often been a jerk about it. Hugely self-righteous, and humorless. So meh ;)
He's already been swatted, manure mailed for lols, etc. Though being AP'd by the cybers is probably unlikely.
Meanwhile the Big DDoS has apparently been mitigated by Akamai or somebody.
It was mitigated by Google's Project Shield. The Internet is starting to feel a lot more like feudalism, where you have to swear fealty to some lord or get overrun by barbarian hordes. Or, I guess, the way all governments want us to feel about the world. "Bad guys" like this are a government's best friend. Or a megacorp's.
What bothers me is not this particular instance, but the proof of concept it represents, in a world where everything from refrigerators to night lights phones home. Things present a very diffuse and low-reward attack surface individually, but as reflectors they provide a potential solar-furnace-like effect in the hands of a sophisticated attacker.
But the fact that they blew their wad early on a low-value target like Krebs means that the issue will get attention. Of course, if the cost to any given end user or their ISP is small enough, perhaps it won't be enough.
"Physical access is game over" so it may turn out that whoever owns the most Things wins after all.
Ownership of Things is not permanent, though. Maintaining a botnet is a neverending battle.
On 09/28/2016 01:31 PM, Sean Lynch wrote:
On Tue, Sep 27, 2016 at 8:50 PM, Steve Kinney <admin@pilobilus.net> wrote:
"Physical access is game over" so it may turn out that whoever owns the most Things wins after all.
Ownership of Things is not permanent, though. Maintaining a botnet is a neverending battle.
I need to understand Things better. It makes sense to me that one can buy or borrow a Thing, disassemble it in the hardware then the firmware sense, and options for taking over that whole family or series of Things should present themselves - hard coded back doors for vendor configuration updates or etc. should be quite common.

What I don't understand is how one would go about identifying the right addresses to send bogus vendor patches or other exploit code to, without access to the vendor's own database of incoming pings from Things. MITM the vendor's connection and collect them as they pass? Send connection requests to Things at whole IP address ranges and see who answers?

:o/
On Wed, Sep 28, 2016 at 10:43 AM, Steve Kinney <admin@pilobilus.net> wrote:
On 09/28/2016 01:31 PM, Sean Lynch wrote:
On Tue, Sep 27, 2016 at 8:50 PM, Steve Kinney <admin@pilobilus.net> wrote:
"Physical access is game over" so it may turn out that whoever owns the most Things wins after all.
Ownership of Things is not permanent, though. Maintaining a botnet is a neverending battle.
I need to understand Things better. It makes sense to me that one can buy or borrow a Thing, disassemble it in the hardware then the firmware sense, and options for taking over that whole family or series of Things should present themselves - hard coded back doors for vendor configuration updates or etc. should be quite common. What I don't understand is how one would go about identifying the right addresses to send bogus vendor patches or other exploit code to, without access to the vendor's own database of incoming pings from Things. MITM the vendor's connection and collect them as they pass? Send connection requests to Things at whole IP address ranges and see who answers?
It's a good question. So far it's been low-hanging fruit: devices people have intentionally or unintentionally opened to the Internet in order to make use of them. In this case, webcams, which people open to the Internet in order to be able to watch their dogs/fish/stepdaughter from the office. People think their IP is unguessable, or that because there's a password, it's "secure" even though it's the same password everyone else uses.

I don't know what the vulnerability is in this case, but IoT vulnerabilities have often been generic vulnerabilities in a widely used piece of open source software. Of course, IoT devices (really, any consumer device, versus application software) are "special" in that the code is often written by outside contracting houses and security just isn't on the list of requirements. I recall seeing right in the HTML of a bunch of different consumer wireless routers a comment saying "Reference code. Do not use in production." It's quite possible the code HAD been fixed and the Chinese developers just hadn't realized they should strip out the comment, but with that little attention to detail, it's not much of a stretch to imagine there were probably plenty of security holes there.

An APT can certainly MITM update checks. We've already seen it happen with Windows Update, and it's likely most IoT devices use a far less secure update mechanism. SSL at best, probably with a default set of trusted certificates. No bank robbery attack even needed; just find one of the dumber CAs and convince them to issue you a certificate. Then it's just a DNS spoofing problem.
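One way to close the update-channel gap Sean describes, as an added example that is not the thread's or any vendor's code: the device verifies a firmware manifest against a vendor Ed25519 public key baked into its firmware, so a certificate from a lax CA plus DNS spoofing gets an attacker a valid TLS session but no accepted image. The manifest layout, the keys and the sample images below are constructed assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed manifest layout for this example (not any real vendor's format):
//   4-byte magic "FWM1" | uint32 big-endian version | 32-byte SHA-256 of image | 64-byte Ed25519 signature
// The signature covers magic, version and digest, so a swapped image or a
// downgrade is caught no matter which TLS certificate delivered the bytes.
const (
	sigOff      = 4 + 4 + 32
	manifestLen = sigOff + ed25519.SignatureSize
)

var magic = []byte("FWM1")

var (
	ErrMalformed = errors.New("manifest malformed")
	ErrBadSig    = errors.New("manifest not signed by the baked-in vendor key")
	ErrDowngrade = errors.New("manifest version not newer than installed firmware")
	ErrDigest    = errors.New("image digest does not match signed manifest")
)

// signManifest is the vendor-side (build server) step: it binds the version
// and the image digest to the vendor's offline signing key.
func signManifest(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	m := make([]byte, manifestLen)
	copy(m[0:4], magic)
	binary.BigEndian.PutUint32(m[4:8], version)
	sum := sha256.Sum256(image)
	copy(m[8:sigOff], sum[:])
	copy(m[sigOff:], ed25519.Sign(priv, m[:sigOff]))
	return m
}

// verifyUpdate is the device-side step. vendorPub is compiled into the
// firmware, so the transport (TLS with whatever CA bundle shipped, DNS, a
// vendor CDN) is treated as untrusted: a valid TLS session is not evidence
// of a valid image. Returns the version to install, or a sentinel error.
func verifyUpdate(vendorPub ed25519.PublicKey, installed uint32, manifest, image []byte) (uint32, error) {
	if len(manifest) != manifestLen || !bytes.Equal(manifest[:4], magic) {
		return 0, ErrMalformed
	}
	signed, sig := manifest[:sigOff], manifest[sigOff:]
	// Verify first: no field of the manifest is trusted until the signature checks out.
	if !ed25519.Verify(vendorPub, signed, sig) {
		return 0, ErrBadSig
	}
	version := binary.BigEndian.Uint32(signed[4:8])
	if version <= installed {
		return 0, ErrDowngrade // an old, still validly signed manifest must not roll the device back
	}
	sum := sha256.Sum256(image)
	if !bytes.Equal(sum[:], signed[8:sigOff]) {
		return 0, ErrDigest
	}
	return version, nil
}

func main() {
	// Constructed keys: the vendor's signing key, and a key belonging to an
	// attacker who has a CA-issued TLS certificate for the update host.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("constructed firmware image v2")
	const installed = 1

	// 1. Genuine update: vendor signature, matching digest, newer version.
	m := signManifest(vendorPriv, 2, genuine)
	fmt.Println(verifyUpdate(vendorPub, installed, m, genuine))

	// 2. Spoofed update host: attacker signs their own image with their own key.
	evil := []byte("constructed backdoored image")
	fmt.Println(verifyUpdate(vendorPub, installed, signManifest(attackerPriv, 3, evil), evil))

	// 3. Genuine manifest, but the image bytes were swapped in transit.
	fmt.Println(verifyUpdate(vendorPub, installed, m, evil))

	// 4. Replay of an older, validly signed manifest to roll the device back.
	fmt.Println(verifyUpdate(vendorPub, installed, signManifest(vendorPriv, 1, genuine), genuine))
}
```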
On Wed, Sep 28, 2016 at 1:43 PM, Steve Kinney <admin@pilobilus.net> wrote:
Things. MITM the vendor's connection and collect them as they pass?
Abusing the vendor, that's one way.
Send connection requests to Things at whole IP address ranges and see who answers?
This is done... zmap.io, scans.io. IPv6 makes a full scan pointless, but discovering actual ranges/IPs in use, based on collecting metadata beforehand for targeted scans, will happen. At least so long as it remains a profitable effort.
On 09/28/2016 11:43 AM, Steve Kinney wrote:
... What I don't understand is how one would go about identifying the right addresses to send bogus vendor patches or other exploit code to, without access to the vendor's own database of incoming pings from Things.
See https://www.shodan.io/ :)
On 09/28/2016 10:31 AM, Sean Lynch takes the words right out of my mouth:
The Internet is starting to feel a lot more like feudalism,
What I stated a while back about my reasons for never getting involved in the computer industry as a way to earn my bucks... I don't get along with fewdal punkz and hypercompetitive-hyperagressives reel well. So what did they do? They FUCKED the whole 'Fucking thing'. Rr
What I stated a while back about my reasons for never getting involved in the computer industry as a way to earn my bucks... I don't get along with fewdal punkz and hypercompetitive-hyperagressives reel well. So what did they do? They FUCKED the whole 'Fucking thing'.
In my experience that is an accurate description of probably 90% of the industry to some degree or another. That seems to be changing, rapidly, however.

There are a few New York based startups I'm familiar with that have a VERY strict "leave your ego at the door" type policy. If they get the slightest hint of competitiveness in the interview process, you're done, no matter how good your chops are.

Very cool people. Very chill environment.

Bluecore is one of them. They're hiring. I won't give the others because I still have relationships with them. But Bluecore is awesome, and it isn't hard to find the others if you Google around.
On Wed, Sep 28, 2016 at 9:23 PM, <xorcist@sigaint.org> wrote:
Bluecore is one of them. They're hiring.
http://bluecore.com/platform/
http://bluecore.com/careers/

I'd bet a lot of readers here would have major ethical issues with what they do... collect and mine info so they can cold call, spam, promote, engineer, and market people brands and junk they don't need... and wouldn't be into working in that line of business.

http://bluecore.com/who-we-are/ [note average age of pictures]
http://bluecore.com/wp-content/uploads/2016/03/09-team-persists-400x400.png

"knowing that nothing lasts forever. When it's time for you to grow elsewhere, we're behind you 100%" ... probably pushing your wheelchair out the door if you're over that. (Irony exposed in marketers marketing themselves, lol :)

Of course some of the other stuff they have / do under the hood is surely cool, from a model, tech, data perspective.
I won't give the others because, I still have relationships with them. But Bluecore is awesome
Parsing... and presumably formerly with bluecore. Go find me rockets, networks, and cool physical stuff to build... something / data useful to society / humanity / future / action... not pimping pointless Hilfiger jackets and Puravida bracelets.
On Wed, Sep 28, 2016 at 9:23 PM, <xorcist@sigaint.org> wrote:
I'd bet a lot of readers here would have major ethical issues with what they do... collect and mine info so they can cold call, spam, promote, engineer, and market people brands and junk they don't need... and wouldn't be into working in that line of business.
<shrug> Just pointing out that not all places are super-competitive.
Of course some of the other stuff they have / do under the hood is surely cool, from a model, tech, data perspective.
Yup. The hows/whats/whys of the data they collect is interesting.
I won't give the others because, I still have relationships with them. But Bluecore is awesome
Parsing... and presumably formerly with bluecore.
I contracted with them for a period. Last time I knew, their security wasn't so hot, in case anyone is bored.
Go find me rockets, networks, and cool physical stuff to build... something / data useful to society / humanity / future / action... not pimping pointless Hilfiger jackets and Puravida bracelets.
BAE needs Linux guys if you can pass the security clearance. There are two projects that I know are current: creating a nuclear sub training simulator, and embedded programming to create a new electronic lock. I'm not a real fan of the marketing industry myself, but I have far fewer qualms with that than working for a weapons manufacturer.
On Wed, Sep 28, 2016 at 6:23 PM, <xorcist@sigaint.org> wrote:
What I stated a while back about my reasons for never getting involved in the computer industry as a way to earn my bucks... I don't get along with fewdal punkz and hypercompetitive-hyperagressives reel well. So what did they do? They FUCKED the whole 'Fucking thing'.
In my experience that is an accurate description of probably 90% of the industry to some degree or another. That seems to be changing, rapidly, however.
There are a few New York based startups I'm familiar with that have a VERY strict "leave your ego at the door" type policy. If they get the slightest hint of competitiveness in the interview process, you're done.. no matter how good your chops are.
Very cool people. Very chill environment.
Bluecore is one of them. They're hiring. I won't give the others because, I still have relationships with them. But Bluecore is awesome, and it isn't hard to find the others if you Google around.
Yeah, but then you have to live in one of the most authoritarian states in the US. Not that California is better, but at least it has nice weather (and most of my immediate family). It's nice to see Silicon Valley getting some competition, though. It's starting to get hard to convince people to move here with the cost of living, so the more different places tech companies start to locate, the better for the cost of living in each of them. Of course, one could call me biased since Google has offices worldwide, so the difficulty getting people to move to the Bay Area hurts Bay Area only companies a lot more than it hurts Google. (I don't say "us" because I want to make it clear I do not speak for Google in any way.)
On 09/28/2016 09:14 PM, Razer wrote:
On 09/28/2016 10:31 AM, Sean Lynch takes the words right out of my mouth:
The Internet is starting to feel a lot more like feudalism,
What I stated a while back about my reasons for never getting involved in the computer industry as a way to earn my bucks... I don't get along with fewdal punkz and hypercompetitive-hyperagressives reel well. So what did they do? They FUCKED the whole 'Fucking thing'.
Rr
I have seen the "hyperaggressive" type a few times. Sad commentary: I would MUCH rather work around them, than the straight up sleazy swindling thieves. These two camps are the market and office-political hammers and anvils of the IT industries.

Worse yet, a general case across all industries: Lots of working stiffs have the strange idea that somehow their "profit margin" on the job grows in proportion to the time spent looking busy while doing nothing. They think they are "sticking it to the man." I think they are morons, and I mean that literally; it's a slave mentality.

Homey don't play that.
On 09/28/2016 08:32 PM, Steve Kinney wrote:
On 09/28/2016 09:14 PM, Razer wrote:
On 09/28/2016 10:31 AM, Sean Lynch takes the words right out of my mouth:
The Internet is starting to feel a lot more like feudalism,
What I stated a while back about my reasons for never getting involved in the computer industry as a way to earn my bucks... I don't get along with fewdal punkz and hypercompetitive-hyperagressives reel well. So what did they do? They FUCKED the whole 'Fucking thing'.
Rr
I have seen the "hyperaggressive" type a few times. Sad commentary: I would MUCH rather work around them, than the straight up sleazy swindling thieves.
They are thieves. You just don't notice because you're busy defending yourself from their bullying etc.
These two camps are the market and office-political hammers and anvils of the IT industries.
Worse yet, a general case across all industries: Lots of working stiffs have the strange idea that somehow their "profit margin" on the job grows in proportion to the time spent looking busy while doing nothing. They think they are "sticking it to the man." I think they are morons, and I mean that literally; it's a slave mentality.
Homey don't play that.
Over the years I've noted that the workplace no longer cares so much about the quality of one's work as long as one 'gets along'. But the people who are often the best at what they do have high-power personalities to match. Most, in my time watching, ended up as consultants. I think Tim May, the list's founder, is a classic example of what I'm describing, along with my Mechanical Engineer friend who got cut in on a measurement technique patent for a few mill at HP. They got their chance, and GTFO!

Rr
On Sep 28, 2016, at 9:14 PM, Razer <rayzer@riseup.net> wrote:
On 09/28/2016 10:31 AM, Sean Lynch takes the words right out of my mouth:
The Internet is starting to feel a lot more like feudalism,
What I stated a while back about my reasons for never getting involved in the computer industry as a way to earn my bucks... I don't get along with fewdal punkz and hypercompetitive-hyperagressives reel well. So what did they do? They FUCKED the whole 'Fucking thing'.
You can do IT work for anybody... you don't have to code/sysadmin/whatever strictly for a company in the computer industry. This has been my shift in the past few years.

John
You can do IT work for anybody... you don't have to code/sysadmin/whatever strictly for a company in the computer industry. This has been my shift in the past few years.
+1. Buddy of mine moved into a sweet gig. After years of 'serious' admin work, he was burnt out, and took a gig at a local hospital. 6 months later, the director of IT for that hospital up and quit. Or up and died. No one really knows. Went on vacation, and no one has heard from him since. Anyhow, he got moved right in as director.

Most people that are really good with computers go after the IT industry work. If you're good, you'll find you're likely the best if you're working for hospitals, real estate firms, law offices, that sort of thing.
On 09/29/2016 05:54 AM, John Newman wrote:
On Sep 28, 2016, at 9:14 PM, Razer <rayzer@riseup.net> wrote:
On 09/28/2016 10:31 AM, Sean Lynch takes the words right out of my mouth:
The Internet is starting to feel a lot more like feudalism,
What I stated a while back about my reasons for never getting involved in the computer industry as a way to earn my bucks... I don't get along with fewdal punkz and hypercompetitive-hyperagressives reel well. So what did they do? They FUCKED the whole 'Fucking thing'.
You can do IT work for anybody... you don't have to code/sysadmin/whatever strictly for a company in the computer industry. This has been my shift in the past few years.
John
I've done web design for friends and occasionally someone I don't know, but I never made a living from it. Sort of like I smoke weed and will occasionally sell a bit to a friend for spare cash but I wouldn't do it for a living. Because weed, as the rastamon says, is a sacrament, and information should be free. Which means it wouldn't be ethical by my standards to earn a living at it.

I've always preferred manual labor anyway. Digging ditches. Audio/Broadcast engineering, Precision machining. Truck driving... Repairing things... Sometimes even computers.

Rr
On Tue, Sep 27, 2016 at 8:50 PM, Steve Kinney <admin@pilobilus.net> wrote:
On 09/27/2016 11:21 PM, grarpamp wrote:
On Sun, Sep 25, 2016 at 3:46 AM, Mirimir <mirimir@riseup.net> wrote:
Yes, it's for sure a hard problem. Any entity resourceful enough to withstand Tbps DDoS is likely a huge privacy risk :(
On the other hand, Krebs has been totally asking for it, for years ;) He's been going after major cybercriminals, who perhaps have major connections with global TLAs. And he's often been a jerk about it. Hugely self-righteous, and humorless. So meh ;)
He's already been swatted, manure mailed for lols, etc. Though being AP'd by the cybers is probably unlikely.
Meanwhile the Big DDoS has apparently been mitigated by Akamai or somebody.
It was mitigated by Google's Project Shield. The Internet is starting to feel a lot more like feudalism, where you have to swear fealty to some lord or get overrun by barbarian hordes. Or, I guess, the way all governments want us to feel about the world. "Bad guys" like this are a government's best friend. Or a megacorp's.
What bothers me is not this particular instance, but the proof of concept it represents, in a world where everything from refrigerators to night lights phones home. Things present a very diffuse and low-reward attack surface individually, but as reflectors they provide a potential solar-furnace-like effect in the hands of a sophisticated attacker.
But the fact that they blew their wad early on a low-value target like Krebs means that the issue will get attention. Of course, if the cost to any given end user or their ISP is small enough, perhaps it won't be enough.
"Physical access is game over" so it may turn out that whoever owns the most Things wins after all.
Ownership of Things is not permanent, though. Maintaining a botnet is a neverending battle.
-------- Original Message --------
On Sep 29, 2016, 11:06 AM, Razer wrote:
> [...]
UFONet - easy sweetie
On Wed, Sep 28, 2016 at 6:14 PM, Razer <rayzer@riseup.net> wrote:
On 09/28/2016 10:31 AM, Sean Lynch takes the words right out of my mouth:
The Internet is starting to feel a lot more like feudalism,
What I stated a while back about my reasons for never getting involved in the computer industry as a way to earn my bucks... I don't get along with fewdal punkz and hypercompetitive-hyperagressives reel well. So what did they do? They FUCKED the whole 'Fucking thing'.
Assuming you're trying to build a large, effective organization, how do you do it without some level of internal competition? I've worked for some relatively touchy-feely companies (*cough* Linden Lab) that prided themselves on being "flat", but eventually I realized they were just keeping all the politics quiet and subtle. Meanwhile, people worked on "fun" stuff and added neat but unimportant features to Second Life while neglecting its stability and maintainability, with the ultimate result that instead of trying to improve it, New Improved Corporate Linden Lab has decided (probably correctly) to do a complete rewrite in the form of Sansar. CouchIO had similar problems trying to essentially be a distributed open source project with money. But maybe it's not necessary to build large organizations in the first place? I'd love to believe this. Perhaps something like the contract market in Earthweb is the way to go.
On Sun, Sep 25, 2016 at 12:11 AM, Steve Kinney <admin@pilobilus.net> wrote:
Maybe I'm going all Chicken Little here, maybe not. But I think this development may be the closest thing to an Internet Armageddon we are likely to see in our lifetimes.
http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/
=or=
How does thee patch that which is Unpatchable? DDOS now includes the death of a million ankle biters: Not just unpatchable, but massively distributed, with a continuing profit motive and no liability for the manufacturers, paid for and plugged in by hundreds of millions of "regular folks" throughout the so-called Developed Nations.
So far every mitigation strategy relevant to "normal" users and use cases that occurs to me would be worse than the original problem.
The problem is that there's too much money to be made off of exploiting these holes TODAY, so it's very unlikely this huge vulnerability is going to be silently and slowly deployed and then suddenly mass-exploited, leading to some IoT-ageddon. There will almost certainly be some large happenings along the way, but those will in turn lead to the development of mitigation strategies, improvements in security, etc. Ironically, this is an advantage of Internet-dependent devices like Nest, Echo, etc: they get updated directly, so the patch problem is solved, though that just moves the problem around a bit. We need to not be deploying devices that can't be patched except in very special cases.
dude, are you a google dude? updating android device from yellow color vendor is PITA, admit it. likely updating it from a white whore too. when a great android malware comes, maybe it will make a botnet with bandwidth estimated at least 314Tbps. remember the times when m$ were bugfucked, but there wasn't _much_ public malware? -- m$ cried like fucked chicken "there ain't no virii"
On Wed, Sep 28, 2016 at 11:53 AM, Georgi Guninski <guninski@guninski.com> wrote:
dude, are you a google dude?
updating android device from yellow color vendor is PITA, admit it. likely updating it from a white whore too.
when a great android malware comes, maybe it will make a botnet with bandwidth estimated at least 314Tbps.
remember the times when m$ were bugfucked, but there wasn't _much_ public malware? -- m$ cried like fucked chicken "there ain't no virii"
The "long tail" of old versions of Android in the wild is indeed a HUGE problem. Kind of ironic given the amount of effort Google puts into finding and fixing bugs in Android. What good is a bug fix if the fix never gets applied on devices in the wild? This is one reason I typically stick to Nexus devices, even though they tend to be pretty mediocre overall. Google should tell vendors that they can't call their phone an "Android phone" unless they get updates out in a timely manner. Or maybe we already do that. Brillo is the IoT version of Android. I *think* it has some kind of requirement around sending out updates, or it just updates the Android core separately. At any rate, my impression was that it aims to try to avoid a repeat of the low-end smartphone situation. Note that IOS is no counterexample unless you really want all consumer hardware produced by just a few companies that control the entire stack. The equivalent of IOS devices from a timely updates standpoint would be Nexus devices.
On Wed, Sep 28, 2016 at 12:26:37PM -0700, Sean Lynch wrote:
The equivalent of IOS devices from a timely updates standpoint would be Nexus devices.
Tell that to my nexus 6 (not 6p). Been waiting for OTA update to "nougat" (what fucking dumb names!) for a while... enrolled in the beta program to get it, keep unenrolling every few days to see if it tries to downgrade me or push the official "nougat" out. So far no dice. Anyway I have typically run custom roms on most android devices. But the nexus devices do have pretty decent base roms (after you root them). John
On Wed, 28 Sep 2016 12:26:37 -0700 Sean Lynch <seanl@literati.org> wrote:
On Wed, Sep 28, 2016 at 11:53 AM, Georgi Guninski <guninski@guninski.com> wrote:
dude, are you a google dude?
updating android device from yellow color vendor is PITA, admit it. likely updating it from a white whore too.
when a great android malware comes, maybe it will make a botnet with bandwidth estimated at least 314Tbps.
remember the times when m$ were bugfucked, but there wasn't _much_ public malware? -- m$ cried like fucked chicken "there ain't no virii"
The "long tail" of old versions of Android in the wild is indeed a HUGE problem.
What is the problem? Oh wait. You mean a problem for the government mafias and their leading accomplices like google?
participants (10)
- Georgi Guninski
- grarpamp
- John Newman
- juan
- Mirimir
- Razer
- rooty
- Sean Lynch
- Steve Kinney
- xorcist@sigaint.org