Large DDoS attack on the servers of Dyn, a major DNS host

[stuckathuntermtn]

How hard is it to give the customer admin capability or at least a second key so that a human has to push a button when it's time to let the device chat with the manufacturer? I see what stfu is saying about everything amounting to a hard coded admin password if the manufacturer has to be able to contact every device in the wild. But unless those devices are being sold to Iran etc. I think the real issue is the assumption that the manufacturer must be able to do so without consent or knowledge of the user. It's either the problem or the solution. If manufacturers are keeping that right and de facto leasing their devices to customers, they ought to be responsible for how their devices are used, including by predictable hacks.

Then you'd have no automation.

[jono]

Then you'd have no automation.

You mean less automation?

[stfu&gbtw]

How hard is it to give the customer admin capability or at least a second key so that a human has to push a button when it's time to let the device chat with the manufacturer? I see what stfu is saying about everything amounting to a hard coded admin password if the manufacturer has to be able to contact every device in the wild. But unless those devices are being sold to Iran etc. I think the real issue is the assumption that the manufacturer must be able to do so without consent or knowledge of the user. It's either the problem or the solution. If manufacturers are keeping that right and de facto leasing their devices to customers, they ought to be responsible for how their devices are used, including by predictable hacks.

It's got nothing to do with consent... How and when updates are applied is controlled via admin settings. And for major updates, it's not unusual to download the new firmware or whatever and apply it manually.

But the whole point of those devices is that they're basically selling research/administration as a service. A device's atp/ips settings might get updated a dozen times in a day if circumstances called for it. It would be far too time consuming to try to process all the data supporting the advanced feature set manually. In the next-gen firewall world, failed updates are a real pain point, so lots of designs favor consistently successful updates over more stringent security.

Every decision in computer system security boils down to exactly the same question: Given that security and functionality exist on opposite ends of the same spectrum, what is the appropriate compromise for this specific use case?

[stfu&gbtw]

Oh fuck, don't tell me that right now.

Meh, I wouldn't lose any sleep over it. What device are you concerned about? Chances are the super secret password is "12345“. That“s the same one Bill Gates uses on his luggage.

[stuckathuntermtn]

Hahaha.
SonicWall tz400 wireless that I may have spent up 12 or more hours setting up and smoothing out all the kinks and talking to dudes in India about.
What a fucking pain in the ass.
Are Cisco Murakis much better? They're more expensive.
It's a doctor's office, so no Content Filtering or VPN, but DPI SSL and full ips/gateway security. 2 wireless laptops, 3 wired desktops, and 1 wired printer.
Shit was just randomly not working.
Wireless isn't setup to be on the same network as the built in switch by default. Was a pain in the ass to set up. Wireless features are a lot more limited than I thought they'd be. (Won't do 2.4GHz and 5GHz at the same time! Half duplex!). DPI SSL is inexplicably over active on WiFi. Kaspersky Internet Security can be a pain. He went and bought a different version than I put in my quote. Business Security! Business!
Anyway, that's been my life.
At least Dell support is alright.

[stuckathuntermtn]

Rshea, I wasn't talking about distance, just that even down the street, whatever physical connection or dns I seemed to be on/using was totally different than a client down the street with the same provider. Seems very patchwork.

[RShea]

Rshea, I wasn't talking about distance, just that even down the street, whatever physical connection or dns I seemed to be on/using was totally different than a client down the street with the same provider. Seems very patchwork.

Well you know, I hope, that there is DHCP and if it is turned on, then the DNS servers are automatically assigned by the DHCP server and ultimately the ones picked by that network admin. They could be the recommended servers by the ISP, or servers such as Google DNS, Genuity (Verizon), or some other offering like OpenDNS or even some business networks run their own DNS private servers. If you do not do DHCP, then you can specify the DNS servers in use and they do not have to be your ISP's recommended DNS server.

[Skidog]

Well you know, I hope, that there is DHCP and if it is turned on, then the DNS servers are automatically assigned by the DHCP server and ultimately the ones picked by that network admin. They could be the recommended servers by the ISP, or servers such as Google DNS, Genuity (Verizon), or some other offering like OpenDNS or even some business networks run their own DNS private servers. If you do not do DHCP, then you can specify the DNS servers in use and they do not have to be your ISP's recommended DNS server.

You can use DHCP and still assign a different DNS server to any individual machine anytime you want. Unless your admin locks down the environment this is just a setting on the network card. I do it when troubleshooting sometimes. 8.8.8.8 or 4.4.4.4 work pretty good usually.

[jono]

It's got nothing to do with consent... How and when updates are applied is controlled via admin settings. And for major updates, it's not unusual to download the new firmware or whatever and apply it manually.

But the whole point of those devices is that they're basically selling research/administration as a service. A device's atp/ips settings might get updated a dozen times in a day if circumstances called for it. It would be far too time consuming to try to process all the data supporting the advanced feature set manually. In the next-gen firewall world, failed updates are a real pain point, so lots of designs favor consistently successful updates over more stringent security.

Every decision in computer system security boils down to exactly the same question: Given that security and functionality exist on opposite ends of the same spectrum, what is the appropriate compromise for this specific use case?

I was referring mainly to cameras and DVR's. Where major firmware updates are distinguished from everyday use there is already an opportunity to allow the user to manually approve a change to a "hard coded password" though, right? Consent has a separate downside for some manufacturers, but I agree that's not really about security vs. functionality; obviously end users crack their own devices though, so that's a whole different discussion.

[KQ]

American vigilante hacker sends Russia a warning

An American vigilante hacker -- who calls himself "The Jester" -- has defaced the website of the Russian Ministry of Foreign Affairs in retaliation for attacks on American targets.

On Friday night, the Jester gained access to the Russian government ministry's website. And he left a message: Stop attacking Americans.

"Comrades! We interrupt regular scheduled Russian Foreign Affairs Website programming to bring you the following important message," he wrote. "Knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed."

[DJSapp]

Not certain how real this is, but fun to watch

http://map.norsecorp.com/#/

And as for less secured internet connected devices, that crap terrifies me. Just to name some common household items that aren't your computer/phone/tablet in a descending level of commonality:

xbox/playstation/wii
chromecast/apple tv/roku
TV/DVD player
A/V Receiver
A/C controller
Garage Door
Refrigerator & other appliances
Security camera/system

[RShea]

And there are stories now coming out that this is a bot written to infect equipment and then use IoT devices for the work of the attack:

https://threatpost.com/chinese-manuf...n-ddos/121496/

So be careful of what you expose to the Internet and if it is exposed, make sure you keep up with updates to the equipment on a regular basis...

[stuckathuntermtn]

Why the fuck is there a web browser a fridge, btw?
And off topic, but sorta related: why must soda be a touchscreen now?

[stfu&gbtw]

Why the fuck is there a web browser a fridge, btw?
And off topic, but sorta related: why must soda be a touchscreen now?

DNRTFA but I'd bet they use the browser framework to deliver the app...

[old goat]

I still haven't figured out why I need to tell my furnace to turn on when I'm somewhere else. God forbid I should be cold for 15 minutes if I come home while the temperature is programmed to be low.

[stuckathuntermtn]

Well, we've had programmable thermostats for a long time without needing Internet access. Coming into a cold house sucks.
Still don't understand how my fridge would benefit from an internet connection.

[Norseman]

American vigilante hacker sends Russia a warning

Woah! That is a very ballsy move, holy shit! Slap to the face.

[teledad]

I still haven't figured out why I need to tell my furnace to turn on when I'm somewhere else. God forbid I should be cold for 15 minutes if I come home while the temperature is programmed to be low.

Try radiant heat. 12+ hours to heat my house up from 50 degrees (what I leave it at when I'm away for more than a day) to 68. Awesome once it's warm though. Wifi connected thermostats have helped me avoid a bunch of cold nights (or wasted propane).

[LightRanger]

^^^ Yeah, been meaning to remind my FIL to install a Nest in their new place in TD. House is at 50 or 55 when there's nobody there. Would be useful to be warmer prior to setting foot in the house.

[mcski]

Also handy to turn the heat down remotely when you let knucklehead friends use the cabin and they leave it at 72 and leave.

[Skidog]

Well, we've had programmable thermostats for a long time without needing Internet access. Coming into a cold house sucks.
Still don't understand how my fridge would benefit from an internet connection.

Re fridge. Think call home repairs, and in the future potentially creating and sending your grocery list so all you have to do is pick it up at the store. Also maybe easy of use for cooks and their recipes. Necessary? Fuck no, but that's the manufacturer thought process.

[RShea]

Well, we've had programmable thermostats for a long time without needing Internet access. Coming into a cold house sucks.
Still don't understand how my fridge would benefit from an internet connection.

There is the thinking that the fridge connected to the internet offers a benefit while shopping at the grocery store. Need to know the status of milk, beer or something like that, jump on the web and have a look to see via the camera and web connection.

[riser4]

We deserve to be hacked and overrun by another country if we get so lazy that we are unable to do such basic functions as making a grocery list. The risk is not worth the reward.

[stfu&gbtw]

We deserve to be hacked and overrun by another country if we get so lazy that we are unable to do such basic functions as making a grocery list. The risk is not worth the reward.

Yup... We're so overinvested in progress, we're leaving a trail of half baked bullshit problems behind us that will one day align to take the whole thing apart. Most recently, I've been playing with some of these "next gen" firewalls, and it's amazing how many have managed to introduce a bunch of fancy application layer functionality at the minor expense of losing the ability to correctly route network traffic. But the graphics are awesome!

[ACH]

Yup... We're so overinvested in progress, we're leaving a trail of half baked bullshit problems behind us that will one day align to take the whole thing apart.

This resonates, I feel the same way...

So, now that his has happened, has drawn a lot of attention, what is the potential fallout?