Thought I'd better get some actual content into the phlog before I quit for the day. Something that strikes me more and more as I get deeper into my technical life is the relationship between persons/institutions and the technologies employed by the same for any reason. I read an article [0] the other day--it isn't particularly well written but the subject is sufficiently interesting that it is saved--and was left with a bunch of swirling thoughts afterwards. I certainly cannot address all of this in the time I currently have sitting here, however we can at least outline the situation.

First, the ingredients:

0) The state of technology (abstractly construed)
1) The trust placed in persons/institutions in the same
3) What the Internet is actually like
4) The hubris of governments / authorities
5) The degree to which internetworked computers pervade our lives
6) The degree to which the average person understands these technologies

More things ought to be on this list but it will do for now.

So the essence of this article is a sort of summary of the events surrounding the rise and fall of the Mirai botnet following the arrest of its authors. The consensus among security researchers and law enforcement officials before the discovery of the creators of Mirai was that it simply had to be the work of Russian or Chinese state-sponsored cyber-terrorists, and that the Dyn attack last year was a recon move to test proof of concept for an attack designed to crush the entire internet. Turns out that a couple of undergraduates seeking to gain advantage & profit in Minecraft built Mirai. How many times have we heard that "individuals lack the sophistication to achieve significant in timeframe..." so whatever has gone wrong must be "the work of a nation-state or extremely well funded criminal syndicate"?
I'm no expert on DDoS, but the figures cited in the article put Mirai with a >1 Tbps attack volume as compared to 2-digit Gbps attack volumes as the previously held "large DDoS" attacks. If these are valid numbers then 3 college students built a network weapon with 10-100x the power that had previously been seen. Fascinating, makes me think that we're back in a time when individual efforts might make a lasting impact on history with far higher frequencies than we've seen since the dawn of the Industrial Revolution.

At any rate, besides being an interesting series of events in its own right, and illustrating the initial hubris of the investigators (who I'm sure were quite entertained when they figured it out), it turns out that the Mirai botnet acquired this massive attack volume by seeking out and attempting to access IoT devices using manufacturer-set default passwords. In an overwhelming number of cases, this attack vector succeeded. Wow.

I understand that people are generally not as technical as the SDF audience is, but this still blows my mind that people will bring something into their home or business, implicitly trust the manufacturer to have created a little happy safe place for them, and then proceed to allow the device onto their home or business network, happily exchanging data with who/where God-knows-what. All without even having considered that it might be a good idea to find out how this information is protected. To be fair, we have trained the average person to behave this way, and it has made some of us incredibly rich (not me, unfortunately).

I am not really picking on anybody with the above comments, and certainly don't expect your Aunt June to be the sysadmin for her home, but this is a serious problem. One without a simple solution.
Nor do I think the business model of tech companies (including my own employer) makes a whole lot of sense in this regard: "Don't worry Aunt June, Amamicrobookooglehooibm engineers have taken care of everything, just plug this in, input your credit card, and enjoy your voice activated toaster oven." There's got to be a happy medium where users take a bit more responsibility for their technology and we quit overselling what we can accomplish on their behalf. God knows a few more Rutgers sophomores might want to win at a videogame.

During years of after work rye conversations I've argued that the Internet is a war, albeit a useful one, and we ought not meander about without a healthy respect for what can go wrong. Though I must clarify that in the same way it makes no sense to avoid cities because you're more likely to get mugged, you shouldn't be paranoid either. There are no magical solutions that create security, and I've sold my time as a programmer long enough to know that there are no secure applications or networks. There are only applications and networks that cost more to break than they are worth.

That said, we are entering into a time in human history where packets spammed from baby-monitors and Keurig machines can bring down governments and entire sectors of economies. The trust people place in their devices relative to their own understanding of them is insane, and only because there is no one else to do it, I believe that the onus is on us as engineers, admins, and analysts to at least make forgettable comments at dinner parties about how irresponsible this is. Perhaps it's time to invest more in easy to use UI/UX for implementation of common sense best practices in the admin panels of commodity hardware along with instructions for their use that aren't in boring manuals people throw away with the boxes things come in.
I know that no one can be held responsible in truth except for the end-user, but because of the stakes, we ought to try to flatten the learning curve a bit. Though in all honesty I'm as like as not to wake up tomorrow thinking this is hilarious and dreaming up theoretical ways to make Mirai N.0 100x worse...

(I know there is a way to properly input citations in gopherland, but I'm not that advanced yet)

[0] {HTTP!} https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/