<mismatched_trust_1>

Thought I'd better get some actual content into the phlog before I quit for the day. Something that strikes me more
and more as I get deeper into my technical life is the relationship between persons/institutions and the
technologies employed by the same for any reason. I read an article [0] the other day--it isn't particularly well
written but the subject is sufficiently interesting that it is saved--and was left with a bunch of swirling
thoughts afterwards. I certainly cannot address all of this in the time I currently have sitting here, however we
can at least outline the situation. First, the ingredients:

0) The state of technology (abstractly construed)
1) The trust placed in persons/institutions in the same
2) What the Internet is actually like
3) The hubris of governments / authorities
4) The degree to which internetworked computers pervade our lives
5) The degree to which the average person understands these technologies

More things ought to be on this list but it will do for now. So the essence of this article is a sort of summary of
the events surrounding the rise and fall of the Mirai botnet following the arrest of its authors. The consensus
among security researchers and law enforcement officials before the discovery of the creators of Mirai was that it
simply had to be the work of Russian or Chinese state-sponsored cyber-terrorists, and that the Dyn attack last year
was a recon move to test proof of concept for an attack designed to crush the entire internet. Turns out that a
couple of undergraduates seeking to gain advantage & profit in Minecraft built Mirai. How many times have we heard
that "individuals lack the sophistication to achieve significant <x> in <y> timeframe..." so whatever has gone
wrong must be "the work of a nation-state or extremely well funded criminal syndicate"? I'm no expert on DDoS, but
the figures cited in the article put Mirai with a >1TBPS attack volume as compared to 2-digit GBPS attack volumes
as the previously held "large DDoS" attacks. If these are valid numbers then 3 college students built a network
weapon with 10-100x the power that had previously been seen. Fascinating, makes me think that we're back in a time
when individual efforts might make a lasting impact on history with far higher frequencies than we've seen since
the dawn of the Industrial Revolution.

At any rate, besides being an interesting series of events in its own right, and illustrating the initial hubris of
the investigators (who I'm sure were quite entertained when they figured it out), it turns out that the Mirai
botnet acquired this massive attack volume by seeking out and attempting to access IoT devices using manufacturer
set default passwords. In an overwhelming number of cases, this attack vector succeeded. Wow. I understand that
people are generally not as technical as the SDF audience is, but this still blows my mind that people will bring
something into their home or business, implicitly trust the manufacturer to have created a little happy safe place
for them, and then proceed to allow the device onto their home or business network, happily exchanging data with
who/where God-knows-what. All without even having considered that it might be a good idea to find out how this
information is protected.

To be fair, we have trained the average person to behave this way, and it has made some of us incredibly rich (not
me, unfortunately). I am not really picking on anybody with the above comments, and certainly don't expect your
Aunt June to be the sysadmin for her home, but this is a serious problem. One without a simple solution. Nor do I
think the business model of tech companies (including my own employer) makes a whole lot of sense in this regard:
"Don't worry Aunt June, Amamicrobookooglehooibm engineers have taken care of everything, just plug this in, input
your credit card, and enjoy your voice activated toaster oven." There's got to be a happy medium where users take a
bit more responsibility for their technology and we quit overselling what we can accomplish on their behalf. God
knows a few more Rutgers sophomores might want to win at a videogame.

During years of after work rye conversations I've argued that the Internet is a war, albeit a useful one, and we
ought not meander about without a healthy respect for what can go wrong. Though I must clarify that in the same way
it makes no sense to avoid cities because you're more likely to get mugged, you shouldn't be paranoid either. There
are no magical solutions that create security, and I've sold my time as a programmer long enough to know that there
are no secure applications or networks. There are only applications and networks that cost more to break than they
are worth. That said, we are entering into a time in human history where packets spammed from baby-monitors and
Keurig machines can bring down governments and entire sectors of economies. The trust people place in their devices
relative to their own understanding of them is insane, and only because there is no one else to do it, I believe
that the onus is on us as engineers, admins, and analysts to at least make forgettable comments at dinner parties
about how irresponsible this is. Perhaps it's time to invest more in easy to use UI/UX for implementation of common
sense best practices in the admin panels of commodity hardware along with instructions for their use that aren't in
boring manuals people throw away with the boxes things come in. I know that no one can be held responsible in truth
except for the end-user, but because of the stakes, we ought to try to flatten the learning curve a bit.

Though in all honesty I'm as like as not to wake up tomorrow thinking this is hilarious and dreaming up theoretical
ways to make Mirai N.0 100x worse...





(I know there is a way to properly input citations in gopherland, but I'm not that advanced yet)
[0] {HTTP!} https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/