Researcher sets up illegal 420,000 node botnet for IPv4 internet map

An anonymous researcher has taken an unorthodox approach to achieve the dream of mapping out the entire remaining IPv4 internet - and in doing so broken enough laws around the world to potentially put him or her behind bars for thousands of years. To scan the IPv4 address space, billions of pings must be sent to discover all …

COMMENTS

  1. Anonymous Coward

    They will find the one responsible, oh yes they will.

    1. HMB

      Anyone sufficiently intelligent to do something this amazing would have no problems remaining anonymous if they really wanted to and it occurred to them (it's amazing how smart some people can be and still lack common sense). I'm aware of the different ways remaining anonymous can be achieved as an IT professional as will many other reg readers. *coughs* PRINGLES *coughs*

      * I would like to add for the record as an IT Professional that I don't endorse anything unethical or illegal in this statement.

      1. Anonymous Coward

        On tracking.

        The config.log file available in the code download from the project website suggests that whoever did this is a hadoop customer. That would be somewhere for the authorities to start looking.

        Note to greyhats: Always "make distclean" before you release something...
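The release-hygiene point in the post above (build residue such as config.log identifying the author's machine) can be checked mechanically before a tarball goes out. The script below is an added example for this thread, not code from the project under discussion: it walks an unpacked source tree, flags the files that `make distclean` would have removed, and greps the text files for the strings that autoconf's config.log normally records (the configure command line, `hostname =`, `uname -n =`, home-directory paths). The file names and patterns are assumptions about a typical autotools project, and the sample tree written by `build_demo_tree()` is constructed.

```python
"""Look through an unpacked source tree for the build residue that an
autotools project leaves behind when 'make distclean' was skipped, and for
strings inside it that identify the build machine.  Added example for this
thread, not code from the project under discussion.  The file names are the
usual autoconf outputs and the patterns are assumptions about what
config.log typically records; the sample tree in build_demo_tree() is
constructed."""
import os
import re
import tempfile
from pathlib import Path

# What `make distclean` removes and what should never be in a release.
RESIDUE_NAMES = {"config.log", "config.status", "config.cache", "autom4te.cache"}
RESIDUE_SUFFIXES = {".o", ".lo", ".la", ".a"}
MAX_TEXT_BYTES = 1_000_000

# Identifying strings as config.log usually writes them (assumed layout).
IDENT_PATTERNS = [
    ("hostname", re.compile(r"^hostname = (\S+)", re.M)),
    ("uname", re.compile(r"^uname -n = (\S+)", re.M)),
    ("home_dir", re.compile(r"(/home/[A-Za-z0-9_.-]+|/Users/[A-Za-z0-9_.-]+)")),
    ("invocation", re.compile(r"^\s*\$ (\./configure.*)$", re.M)),
]


def scan_tree(root):
    """Return sorted (relative path, kind, detail) findings for the tree."""
    root = Path(root)
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in RESIDUE_NAMES:
                findings.add((Path(dirpath, d).relative_to(root).as_posix(), "residue_dir", d))
                dirnames.remove(d)  # no need to descend into it
        for fn in filenames:
            p = Path(dirpath, fn)
            rel = p.relative_to(root).as_posix()
            if fn in RESIDUE_NAMES or p.suffix in RESIDUE_SUFFIXES:
                findings.add((rel, "residue_file", fn))
            try:
                data = p.read_bytes()[:MAX_TEXT_BYTES]
            except OSError:
                continue
            if b"\0" in data:
                continue  # binary: the suffix check above already covered it
            text = data.decode("utf-8", errors="replace")
            for kind, pat in IDENT_PATTERNS:
                for m in pat.finditer(text):
                    findings.add((rel, kind, m.group(1)))
    return sorted(findings)


def build_demo_tree(base):
    """Write a small constructed tree: one source file, a leftover object
    file and a config.log with the kind of lines autoconf produces."""
    base = Path(base)
    (base / "src").mkdir(parents=True, exist_ok=True)
    (base / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    (base / "src" / "main.o").write_bytes(b"\x7fELF\0\0\0")
    (base / "config.log").write_text(
        "This file contains any messages produced by compilers while\n"
        "running configure, to aid debugging if configure makes a mistake.\n\n"
        "  $ ./configure --prefix=/home/alice/build/prefix\n\n"
        "hostname = builder01.example.test\n"
        "uname -n = builder01.example.test\n"
    )
    return base


def demo():
    """Scan the constructed tree; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, kind, detail in demo():
        print(f"{path}: {kind}: {detail}")
```

Run it over the unpacked release candidate; anything it reports is either a file to delete or a string someone can use to find you.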

        1. frank ly

          Re: On tracking (etc)

          " ..It also carried a readme file with a description of the project and an email address for the owner, or law enforcement, to get in touch if it was discovered."

          Would that be a good starting point?

          1. koolholio

            Re: On tracking (etc)

            Depends if the information stored in the readme is a herring or the truth? How could one tell the difference? What if it's somebody else's information in order to frame them for such? I guess if it said Jeremy Clarkson, there might be motive too! CRAZY! *facepalms*

          2. Anonymous Coward

            Re: Would that be a good starting point?

            Well that depends. An email address that the owner sets up and only ever accesses over TOR isn't much use to anybody. Whereas hadoop keeps a list of all its customers because it has to be able to get them to pay their bills.

      2. Steve Knox

        NO..

        Anyone sufficiently intelligent to do something this amazing would have no problems remaining anonymous if they really wanted to...

        First of all, this is not that "amazing". A script kiddie could have done this.

        Second, ability in one field does not necessarily translate to ability in another. There's no reason to assume an "amazing" physicist would make even a passable geologist, for example. So ability in creating a botnet doesn't necessarily translate to ability to hide one's tracks.

        1. Destroy All Monsters

          Re: NO..

          > A script kiddie could have done this.

          LOLNO.

          I do hope your professional abilities are better than your evident lack of judgement would suggest.

          1. Anonymous Coward

            Re: NO..

            > A script kiddie could have done this.

            A script kiddie already did it, and for the same reasons Robert Morris, in 1988. In Morris's case he just made a little mistake that caused infected systems to run so slowly that it was noticed.

        2. Anonymous Coward

          Re: NO..

          Ahahahah.

          You have no idea what you're talking about.

          Getting a piece of C to compile for multiple architectures and operating system flavours, especially embedded ones, and run without segfaulting or accidentally breaking something due to someone's insane interpretation of some obscure implementation of "POSIX", that's a challenge that is so far beyond the average script kid these days they couldn't see it with the Hubble Telescope.

          1. Phil W

            Re: NO..

            "Getting a piece of C to compile for multiple architectures and operating system flavours, especially embedded ones, and run without segfaulting or accidentally breaking something"

            Well that's a very good point isn't it. How do we or this "researcher" know he didn't totally fsck up some of the systems he ran his code on.

            It'd be interesting to know the number of IPs he was able to log in to which suddenly became uncontactable after his code ran.

            I wonder what percentage of those were

            a) legitimately switched off

            b) changed IP

            c) someone or something noticed his code and killed it

            d) coincidently had a fault at that time

            e) the system broke/exploded due to his code

          2. Anonymous Coward

            Re: NO..

            "Getting code to compile for multiple architectures"

            And that's the problem - he had absolutely no way of knowing if what he was doing was going to stop mis-configured hardware working, he also had no way of knowing what the hardware was and what it was doing at the time.

            This is an utterly irresponsible act.

            1. Anonymous Coward

              Re: NO..

              This is an utterly irresponsible act.

              Are you an anal retentive? Do you have COPD? Have you ever had a girlfriend?

            2. DRendar

              Re: NO..

              "This is an utterly irresponsible act."

              Possibly. But what is more irresponsible is putting a device, ANY device out there with not only TELNET enabled, but also with global root access, and either a blank or same-as-username password. THAT'S the utterly irresponsible act.

              Just thinking "oh security doesn't matter - this device won't connect to the internet" is bloody stupid... if that were truly the case, then why do the devices have default gateways configured... allowing communication with the outside world.

              If this guy really wants to avoid negative legal action, he should send out notifications to the owners of all the IP addresses that he managed to get into to tell them to fire their IT staff!
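The three things the post above objects to (telnet on, root reachable, blank or default password) are all visible in a device's configuration files, so they can be audited before the box is plugged in. The script below is an added example for this thread, not any router vendor's code. It parses a classic inetd.conf, an /etc/shadow and an OpenSSH sshd_config and reports the weak settings; `WEAK` and `HARDENED` are constructed sample configurations showing the shipped-by-default pattern next to the corrected one. The formats and the OpenSSH defaults for absent keywords are assumptions: BusyBox and Dropbear based firmware mostly follow them but not always exactly, and a password equal to the username cannot be detected from the hash without knowing the hash algorithm, so only empty password fields are flagged.

```python
"""Audit the pieces of an embedded-Linux device configuration the thread is
about: telnet enabled in inetd, accounts with no password, and an SSH daemon
that accepts password logins for root on every interface.  Added example for
this thread, not any vendor's code.  The sample files are constructed;
formats assumed are inetd.conf, /etc/shadow and OpenSSH sshd_config."""
import ipaddress


def audit_inetd(inetd_conf):
    """Report active (uncommented) telnet service lines."""
    findings = []
    for line in inetd_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        # inetd.conf columns: service socktype proto wait/nowait user server args
        if fields[0] == "telnet" or any("telnetd" in f for f in fields):
            findings.append(("inetd", "telnet enabled: " + stripped))
    return findings


def audit_shadow(shadow):
    """Report accounts whose password field is empty (login needs no password)."""
    findings = []
    for line in shadow.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            findings.append(("shadow", f"account '{fields[0]}' has an empty password"))
    return findings


def audit_sshd(sshd_config, lan_networks):
    """Report root password logins and listening outside the LAN.
    Defaults for absent keywords follow sshd_config(5) for current OpenSSH
    (PermitRootLogin prohibit-password, PasswordAuthentication yes); Dropbear
    defaults differ, which is an assumption to check per firmware."""
    settings = {}
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), []).append(parts[1].strip())
    findings = []
    if settings.get("permitrootlogin", ["prohibit-password"])[-1].lower() == "yes":
        findings.append(("sshd", "PermitRootLogin yes: root can log in with a password"))
    if settings.get("passwordauthentication", ["yes"])[-1].lower() == "yes":
        findings.append(("sshd", "PasswordAuthentication yes: online guessing works"))
    listen = settings.get("listenaddress", [])
    if not listen:
        findings.append(("sshd", "no ListenAddress: sshd listens on every interface, WAN included"))
    for addr in listen:
        host = addr.split(":")[0]  # IPv4 'addr' or 'addr:port' only; IPv6 literals not handled
        if not any(ipaddress.ip_address(host) in net for net in lan_networks):
            findings.append(("sshd", f"ListenAddress {addr} is outside the LAN"))
    return findings


def audit_device(inetd_conf, shadow, sshd_config, lan_networks):
    return audit_inetd(inetd_conf) + audit_shadow(shadow) + audit_sshd(sshd_config, lan_networks)


# Constructed sample configurations: what ships by default versus the fix.
WEAK = {
    "inetd": "telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n"
             "ftp    stream tcp nowait root /usr/sbin/ftpd ftpd\n",
    "shadow": "root::0:0:99999:7:::\nadmin::0:0:99999:7:::\n",
    "sshd": "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n",
}
HARDENED = {
    "inetd": "#telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n",
    # placeholder hashes, not real ones
    "shadow": "root:$6$EXAMPLESALT$EXAMPLEHASH:0:0:99999:7:::\n"
              "admin:$6$EXAMPLESALT$EXAMPLEHASH:0:0:99999:7:::\n",
    "sshd": "Port 22\nListenAddress 192.168.1.1\nPermitRootLogin no\n"
            "PasswordAuthentication no\nPubkeyAuthentication yes\n",
}
LAN = [ipaddress.ip_network("192.168.1.0/24")]


def demo():
    """Audit both sample configurations; returns (weak_findings, hardened_findings)."""
    weak = audit_device(WEAK["inetd"], WEAK["shadow"], WEAK["sshd"], LAN)
    hard = audit_device(HARDENED["inetd"], HARDENED["shadow"], HARDENED["sshd"], LAN)
    return weak, hard


if __name__ == "__main__":
    for source, message in demo()[0]:
        print(f"[{source}] {message}")
```

The weak set yields six findings and the hardened set none; the LAN network is a parameter so the same check works for whatever the device's internal range is.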

          3. Gav

            Sure a script-kiddy could have done this

            Sure a script-kiddy could have done this: badly and in such a way that it would have failed to work on half the targeted boxes, or broken them, or made its presence obvious. And they'd also have it all traceable back to their bedroom.

            Doing it so no-one noticed, over such a long period. Well it's maybe not brilliance, but evidence of an excellent professional who really knew what they were doing. Ethically however.... dodgy ground indeed.

            1. Roland6

              Re: Sure a script-kiddy could have done this

              "Doing it so no-one noticed, over such a long period."

              Good point, my first thoughts were why didn't the security companies report seeing traces? Or was this something that they saw but because they couldn't get a handle on it, they didn't make any announcements?

              Perhaps the main reason for this low profile was the decision to target specific device platforms, although the report doesn't give too many details, I suspect the target OS was Linux-based and the preferred platform was consumer routers and set-top boxes i.e. not end-user workstations - since these would typically be sitting behind a router.

              Basically, the target systems were those that normally do not run any security software, unlike many Windows workstations, and hence were highly unlikely to detect and report the presence of new code. Additionally, the code was focused on devices directly attached to the Internet rather than via a LAN/private network ie. places where it is possible to monitor network traffic and identify abnormal traffic patterns.

              This research also raises a question about the claims that get made about Linux security, as without a security scanner how would you know if a Linux system was running unauthorised code?

              Finally what this research also demonstrates is that it isn't only SCADA systems that are in need of greater security (see http://www.theregister.co.uk/2013/03/20/scada_honeypot_research/ ) ...
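On a router or set-top box with no security software, the one thing you can usually still read is /proc/net/tcp, and that is enough to answer the question above about spotting unauthorised code: decode it and compare the listeners against what the device is supposed to run. The script below is an added example for this thread, not code from the project or report under discussion. The socket table it parses is constructed to look like a consumer router (admin HTTP on the LAN address, telnet and SSH bound to every interface, an unexplained high-port listener, and a live telnet session on the WAN address); every address, port and inode in it is made up. The byte-order flag matters in practice: the kernel prints the IPv4 address in host order, and many MIPS routers are big-endian.

```python
"""Decode /proc/net/tcp on a Linux box that has no security tooling and
report listeners that should not be there.  Added example for this thread,
not code from the project or report under discussion.  SAMPLE_PROC_NET_TCP
is a constructed socket table; the addresses, ports and inodes are made up."""
import ipaddress
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field, little_endian=True):
    """'0101A8C0:0050' -> ('192.168.1.1', 80).

    The kernel writes the 32-bit address in host byte order, so the hex
    digits are reversed on little-endian CPUs (x86, most ARM) and in
    natural order on big-endian ones (many MIPS routers): pass
    little_endian=False for those."""
    addr_hex, port_hex = field.split(":")
    (value,) = struct.unpack("<I" if little_endian else ">I", bytes.fromhex(addr_hex))
    return str(ipaddress.IPv4Address(value)), int(port_hex, 16)


def parse_proc_net_tcp(text, little_endian=True):
    """Return one dict per socket row; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_endpoint(f[1], little_endian),
            "remote": decode_endpoint(f[2], little_endian),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def unexpected_listeners(rows, expected_ports, lan_addresses):
    """A listener is fine only if its port is expected AND it is bound to a
    LAN address; a known service bound to 0.0.0.0 is still reported."""
    findings = []
    for r in rows:
        if r["state"] != "LISTEN":
            continue
        ip, port = r["local"]
        if port not in expected_ports:
            findings.append(("unknown port", r))
        elif ip not in lan_addresses:
            findings.append(("bound to non-LAN address", r))
    return findings


def non_lan_sessions(rows, lan_addresses):
    """Established connections whose local side is not a LAN address, i.e.
    somebody is talking to the device on its WAN interface."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and r["local"][0] not in lan_addresses]


# Constructed sample: 192.168.1.1 is the LAN side, 198.51.100.7 the WAN side.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0101A8C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1101 1 0000000000000000 100 0 0 10 0
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1102 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1103 1 0000000000000000 100 0 0 10 0
   3: 00000000:BCA7 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2210 1 0000000000000000 100 0 0 10 0
   4: 076433C6:0017 057100CB:C822 01 00000000:00000000 00:00000000 00000000     0        0 2211 1 0000000000000000 20 4 30 10 -1
"""


def demo():
    """Audit the sample table; returns (listener findings, non-LAN sessions)."""
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    lan = {"192.168.1.1"}
    return unexpected_listeners(rows, {22, 80}, lan), non_lan_sessions(rows, lan)


if __name__ == "__main__":
    listeners, sessions = demo()
    for reason, r in listeners:
        print(f"{reason}: {r['local'][0]}:{r['local'][1]} uid={r['uid']} inode={r['inode']}")
    for r in sessions:
        print(f"session from {r['remote'][0]}:{r['remote'][1]} to {r['local'][0]}:{r['local'][1]}")
```

The inode column is what ties a socket back to a process: on a box with /proc, `ls -l /proc/*/fd` shows which PID holds `socket:[2210]`, which is how you get from "unexplained listener on 48295" to the binary that opened it.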

              1. Pookietoo

                Re: how would you know if a Linux system was running unauthorised code?

                As one of the first things you do is change the default admin ID and password, and limit the scope of any remote login facility (if you don't disable it completely) you won't need to worry that your router has been compromised by this sort of attack, will you? You did change the ID ... ?

        3. Roland6

          Re: @Steve Knox : NO.. A script kiddie could have done this.

          Whilst it is not impossible for a script kiddie to have done this, I've yet to come across any script kiddie who can coherently write up the results of their work; the paper and level of presentation detail strongly indicate that this is the work of a professional, albeit one who gets a kick out of what they do - but hey, that's the reason why many of us work in IT.

      3. Roland6

        @HMB Re: remaining anonymous

        The real problem facing the person behind this research will be keeping quiet!

        This research really is something to shout about. If this was a 'normal' research project there is more than enough material for the person to write this up as a formal paper and have it published as the product of a masters project. Additionally, how many people can say that they've built and successfully operated a massive botnet? But that ignores the successful retrieval and collation of substantial amounts of data from it and its analysis and interpretation.

        So I would expect details to eventually leak out - however, unless people can actually provide evidence that their device was used I would think the researcher is relatively safe from prosecution...

  2. Grikath

    Prosecution would be proof of idiocy..

    Yes, there is a question of ethics here, but going by the description in the article the researcher in question did everything By The Book when it comes to Gentleman Hacking.

    Hell, he even left his contact details right there in the code....

    Even so, besides a pretty map the whole project has proven a number of things:

    - Linux devices are as secure as their admins. Come on... standard passwords?

    - There are other people actively using the same vector for not-so-friendly purposes.

    - You cannot stop, nor deter a dedicated Nerd.

    The guy should get a medal for this, really.

    1. Wzrd1

      Re: Prosecution would be proof of idiocy..

      Name just *ONE* time a government has not done its level best to prove its idiocy? Indeed, over the past decade, many governments seem to try to outdo each other in idiotic acts.

      So, I suspect this researcher will end up in prison until the heat death of the universe. :/

      1. Destroy All Monsters

        Respect muh authority! This WILL be fully prosecuted.

        This activity seems to be on the level of "urban exploration". On a bad day you may end up being chased by rats, guard dogs, mafiosi and coppers. Or come too near a radioactive landfill site. Or give an old lady a premature heart attack. On a good day, you come away with a set of nice high-resolution pictures.

        There is always the chance that the scan hits the Internet-connected widely open medical device controller, which would be bad. I still wouldn't get into a tizzy over "ethics", which are often just a convenient bullet-pointed-and-ordered-by-priority way of pretending that tradeoffs and fast or dubious decisions don't exist in the real world. Or worse, that one is whiter than driven snow...

      2. big_D

        Re: Prosecution would be proof of idiocy..

        @Wzrd1

        Come on Sgt. Bribeasy, we'll show that hacker how intelligent I am!

        Right inspector, you get a tape measure and I'll fetch the two short planks!

        To misquote Smith and Jones.

    2. El Zed

      Re: Prosecution would be proof of idiocy..

      '- Linux devices are as secure as their admins. Come on... standard passwords?'

      Admins? A quote from the article

      'The vast majority of infected systems were consumer routers or set-top boxes'

      So, these devices really have no 'admins', per se, and their users probably haven't a clue they run any sort of OS at all. The manufacturers need their arses collectively kicked regarding things like default security of these devices, knowing full well that the average target user of a piece of consumer electronics is just going to plug the bugger in and get on with it without RTFM about security.

      What should be more of a worry (though it isn't that surprising) were the

      '..Cisco and Juniper hardware, x86 equipment with crypto accelerator cards, industrial control systems, and physical door security systems.'

      that they managed to compromise.

      From this, I take it, amateur hour isn't quite over yet out there.

      1. Anonymous Coward

        Re: Prosecution would be proof of idiocy..

        I'm pretty sure our router participated. It was decommissioned yesterday but, yes, it was admin/admin and I had no say in the matter. You can have the most knowledgeable security people in the world but it doesn't do jack if management (CEO) sets an idiotic policy.

        OTOH, policy set by the new manufacturer created the password from hell, and aside from typos, I'm loving it.

    3. Anonymous Coward

      Re: Prosecution would be proof of idiocy..

      The guy should get a medal for this, really.

      Yawn, here we go again. I walked into your house because you left the door unlocked and I'm only surveying the wallpaper in this street - still illegal, still going to jail, still not passing "Go", and still not collecting $200.

      So, let me use uppercase because it appears it is needed.

      THE REASONS FOR WHICH YOU BROKE THE LAW MATTER ONLY INSOFAR THAT THEY CAN AFFECT THE FINE WHEN CAUGHT - THEY DO NOT CHANGE THE FACT THAT YOU COMMITTED A CRIME.

      Got that? Good. Read it *again*.

      FFS, get this into your thick heads - the only safe way to explore security is by permission, and you damn well should get it in writing - people have a habit of changing their minds when you dig up something embarrassing. Accessing any kind of device without the explicit permission of its owner is in most countries considered a criminal act, for very good reasons (this is the coat hanger they convict the bad guys with as well, and they would naturally claim they were only checking security). This is why you cover your rear end when you report a vulnerability you come across as "it is possible that"..

      Even accessing a public website in a manner different than your normal browser would, can, if proven, get you in trouble.

      1. M7S

        the only safe way to explore security.....

        I've seen plenty of documentaries in which UK policepersons will sneak up on unsuspecting people in railway stations or similar places and take their bag (which they are not watching properly) and wait until the person notices it is missing (usually when then setting off) before advising them of the error of their ways.

        It used to be common practice for police on foot patrol at night (OK, I know, I'm nostalgic) to rattle the doors/gates to commercial premises to check they were secure and if not, to pop in to check that all was well and if possible, later advise the owner to apply better security.

        Both of the above are laudable, and done with the best of intent. In the latter case there's no reasonable suspicion of an offence other than an unlocked door and in the former there's no crime except that possibly (no permanent deprivation intended so it's not theft but it might be something like "interfering with my stuff") being committed by the officer.

        I wouldn't seek to stop either practice but perhaps on examination the actions of the police are a little bit greyer. PC Dixon's not going to do the same to my computer. How, really, do the actions of this researcher in this instance (and I appreciate the dangers of setting precedent) differ? I know, I could pay a company to do this but most people aren't going to, in the same way that most people won't engage a security contractor to come and assess their home. You're certainly not going to get such a wide survey done via contractors. Just food for thought.

        1. Captain Hogwash

          Re: in the former there's no crime except

          Taking without consent (TWOC in the vernacular) sounds about right.

        2. JDX

          @M7S

          >>I've seen plenty of documentaries in which UK policepersons will sneak up on unsuspecting people in railway stations or similar places and take their bag (which they are not watching properly) and wait until the person notices it is missing (usually when then setting off) before advising them of the error of their ways.

          It used to be common practice for police on foot patrol at night (OK, I know, I'm nostalgic) to rattle the doors/gates to commercial premises to check they were secure and if not, to pop in to check that all was well and if possible, later advise the owner to apply better security.

          Both of the above are laudable, and done with the best of intent.

          1)Both of those are done by POLICE not VIGILANTEs

          2)It's not illegal for me to pick up your bag. I'm not going inside to rummage about and then handing it back. Entering your computer system uses cycles and you cannot guarantee his code is bug-free.

          1. Anonymous Coward

            Re: @M7S

            To follow up on JDX

            The appropriate phrases around the police checking doors are "policing by consent" and "within a legal framework"

            Such activities were with the connivance of the owners and their insurers.

            A modern equivalent of trying the doorknob might be to see if a password challenge was issued but no more than that.

      2. edge_e

        Re: Prosecution would be proof of idiocy..

        Yawn, here we go again. I walked into your house because you left the door unlocked and I'm only surveying the wallpaper in this street - still illegal, still going to jail, still not passing "Go", and still not collecting $200.

        In the UK, this would not result in jail time. It's unlikely to even result in prosecution. The only reason it would be against the law at all is because of recent changes to squatting legislation

        1. Anonymous Coward

          Re: Prosecution would be proof of idiocy..

          It would certainly be trespass (which was upgraded to criminal, IIRC), and they would probably be able to get you for "going equipped" if you had anything even remotely dodgy on you.

          1. Anonymous Coward

            Re: Trespass

            Trespass in and of itself in the UK is not regarded as a criminal matter, unless there are other factors involved.

            http://trespassing.co.uk/

      3. Rick Giles

        @AC 07:51 Re: Prosecution would be proof of idiocy..

        Physical - Virtual -- Apples - Oranges

      4. DocJD

        Re: Prosecution would be proof of idiocy..

        On the other hand, how much effort would the police spend tracking someone down if you told them you think maybe, when you left the door open, someone might have looked in at your wallpaper, but you can't really prove it.

      5. croc

        Re: Prosecution would be proof of idiocy..

        There are 'white hats', 'gray hats', 'black hats' and ass hats... An ass hat is someone so naive as to believe that they are breaking no laws in their squeaky-clean lives. This gives them the moral authority to proclaim from behind their anonymous coward masks that indeed THE REASONS FOR WHICH YOU BROKE THE LAW MATTER ONLY INSOFAR THAT THEY CAN AFFECT THE FINE WHEN CAUGHT - THEY DO NOT CHANGE THE FACT THAT YOU COMMITTED A CRIME.

        Well, let me tell you, ass hat... that laundry you are wearing isn't as clean as you think it is...


    4. JDX

      Re: Prosecution would be proof of idiocy..

      Poppycock.

      If someone breaks into my car while I'm on holiday and drives around in it to do their shopping, then washes it and tops up the fuel and leaves a thankyou note, it does not stop it being a crime.

      If they break into my house and live there but do no damage it's still a crime.

      Please, buy a ticket to the real world. Just because it's the internet does not mean it's OK. It's cool and clever in the same way many crimes are cool and clever but it's still a crime.

      Not taking action sends out a message plain and simple that this kind of thing is OK. What happens when 100 people do the same thing and all target the same devices?

      1. Rick Giles

        @JDX Re: Prosecution would be proof of idiocy..

        Physical - Virtual -- Apples - Oranges

    5. Anonymous Coward

      Re: Prosecution would be proof of idiocy..

      Windows boxes force you to pick a secure password by default. Bit of a Linux fail there.

      1. Oninoshiko

        Re: require creation of secure password.

        Many Linux distros require a "secure password" as well.

        Almost none of the machines were installed by their operators. They were embedded systems (routers, switches) so the fail is on the manufacturer (and/or admin).

    6. Rick Giles

      Re: Prosecution would be proof of idiocy..

      "The guy should get a medal for this..."

      Or at least the admiration of his/her peers.

  3. Mussie (Ed)

    WOW

    Default Password FTW

    1. Danny 14

      Re: WOW

      yes because granny francine knows all about changing router passwords when she gets a preconfigured box through the post, plugs it in and gets internet.

  4. Craig Foster

    ZOMG Running out of IPv4 addresses!!!!

    1.3b out of 4.3b is not "running out"

    1. Martin 71

      Re: ZOMG Running out of IPv4 addresses!!!!

      I'd agree, I'd certainly argue that DEC no longer needs an entire /8... for example. I think they need to *yoink* back those IP ranges that aren't being used.

      1. Anonymous Coward

        Re: ZOMG Running out of IPv4 addresses!!!!

        This argument again?

        1) DEC doesn't exist anymore, it's HP now.

        2) Getting a few /8's back just delays the inevitable by a few months. That's it. By the time you force HP to remember their entire internal network just to free the /8 up, it would already be too late.

        Instead of trying to take things away from people that they legitimately have, maybe you should start IPv6 enabling your network.

        1. Lee D

          Re: ZOMG Running out of IPv4 addresses!!!!

          "Instead of trying to take things away from people that they legitimately have, maybe you should start IPv6 enabling your network."

          I don't know about everyone else but my networks have been IPv6-ready for several years now. I see precisely zip IPv6 traffic (a bit of IPv6 NTP to a pool server I run, but that's about it). Hell, my log analysis scripts still break on IPv6 and I can't be bothered to fix them for the rare occasions one of those addresses pops up in the logs.

          And before we start questioning why home users aren't using IPv6, maybe we should point the finger at places like The Reg itself, or Slashdot, or anyone of the myriad "technical" sites that doesn't even publish an AAAA address at all but yet PUBLISHES ARTICLES about it.

          1. Danny 14

            Re: ZOMG Running out of IPv4 addresses!!!!

            Big name software doesn't help matters. TMG won't play nice with IPv6 so if you have an ISP with 6 only or hosting websites etc then 6->4 translation is what you would be stuck with. Not ideal really.

      2. Anonymous Coward

        Re: ZOMG Running out of IPv4 addresses!!!!

        If you really want to get technical, do any of these companies actually need a /8 (some have more than one as well)

        006/8 Army Information Systems Center

        013/8 Xerox Corporation

        015/8 Hewlett-Packard Company

        016/8 Digital Equipment Corporation (acquired by Compaq who was then acquired by HP)

        017/8 Apple Computer Inc.

        018/8 MIT

        019/8 Ford Motor Company

        021/8 DDN-RVN

        022/8 Defense Information Systems Agency

        026/8 Defense Information Systems Agency

        028/8 DSI-North

        029/8 Defense Information Systems Agency

        030/8 Defense Information Systems Agency

        033/8 DLA Systems Automation Center

        034/8 Halliburton Company

        044/8 Amateur Radio Digital Communications

        048/8 Prudential Securities Inc.

        051/8 UK Government Department for Work and Pensions

        052/8 E.I. duPont de Nemours and Co., Inc.

        053/8 Cap Debis CCS

        054/8 Merck and Co., Inc.

        056/8 US Postal Service

        057/8 SITA

        The DoD which has four /8's.

        Lastly, there are a number of /8's that have never been assigned:

        000/8 IANA - Local Identification

        240/8 Future use

        241/8 Future use

        242/8 Future use

        243/8 Future use

        244/8 Future use

        245/8 Future use

        246/8 Future use

        247/8 Future use

        248/8 Future use

        249/8 Future use

        250/8 Future use

        251/8 Future use

        252/8 Future use

        253/8 Future use

        254/8 Future use

        255/8 Future use

        There would be some /24's out of 0/8 and 255/8 that couldn't be assigned but others that would be usable.

        The real answer is IPv6 as sooner or later you need the additional addresses. When most of the legacy IPv4 blocks were assigned, the address space was used internally. There are institutions that still do that which is just a huge waste of address space.
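The "a few months" claim earlier in this sub-thread and the list of /8s above can be put on the same footing with a small calculation. The script below is an added example for this thread, not from the article: the prefix lists are transcribed from the comment, `collapse()` shows that the sixteen "future use" /8s are the single 240.0.0.0/4 block (the old Class E range, which most IP stacks refuse to use as a host address), and the runway figure takes an assumed, illustrative monthly consumption rate as a parameter rather than any registry's real number.

```python
"""Size the legacy and never-assigned /8 blocks listed in the comment above
and convert them into months of runway at an assumed consumption rate.
Added example for this thread, not from the article.  The prefix lists are
transcribed from the comment; the burn rate is a parameter, not a claim."""
import ipaddress

# One /8 per legacy assignment named in the comment.
LEGACY_SLASH8 = [f"{n}.0.0.0/8" for n in
                 (6, 13, 15, 16, 17, 18, 19, 21, 22, 26, 28, 29, 30, 33, 34,
                  44, 48, 51, 52, 53, 54, 56, 57)]
# "Never assigned" per the comment: 0/8 and 240/8 through 255/8.
NEVER_ASSIGNED = ["0.0.0.0/8"] + [f"{n}.0.0.0/8" for n in range(240, 256)]


def address_count(prefixes):
    """Total addresses covered by a list of CIDR prefixes."""
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


def collapse(prefixes):
    """Merge adjacent prefixes into the fewest CIDR blocks (sorted)."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def months_of_runway(addresses, addresses_per_month):
    """How long a pool of `addresses` lasts at a steady monthly burn rate."""
    if addresses_per_month <= 0:
        raise ValueError("burn rate must be positive")
    return addresses / addresses_per_month


def demo(addresses_per_month=20_000_000):
    """addresses_per_month is an assumed illustrative figure, not a real rate."""
    legacy = address_count(LEGACY_SLASH8)
    return {
        "legacy_addresses": legacy,
        "legacy_share_of_ipv4": legacy / 2**32,
        "never_assigned_addresses": address_count(NEVER_ASSIGNED),
        "never_assigned_collapsed": collapse(NEVER_ASSIGNED),
        "months_if_all_legacy_reclaimed": months_of_runway(legacy, addresses_per_month),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

At the assumed rate the twenty-three legacy /8s, all ~9% of the address space, buy well under two years even if every one of them could be clawed back and re-issued immediately, which is the arithmetic behind the "delays the inevitable" reply.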

        1. Anonymous Coward

          Re: ZOMG Running out of IPv4 addresses!!!!

          Note to self:

          1) Start corporation

          2) Name corporation "Future use"

          3) Profit!

      3. ja

        Re: ZOMG Running out of IPv4 addresses!!!!

        What about Nortel /Northern Telecom/Northern Electric and the Bell Northern Research 47 network?

  5. Grave

    take a look at domain overview

    tells you just what kind of lamers many ISPs employ. I mean if a technician sets up a customer's device, he should change the default password ffs.

  6. Anonymous Coward

    Linux

    Why was this done using only Linux endpoints?

    1. southpacificpom

      Re: Linux

      He probably wanted a bit of a challenge. Let's face it, the average Windows user PC is about as secure as Swiss cheese.

    2. Richard 12

      Re: Linux

      Probably because there are far, far more of them, most are run by average consumers and they are left running 24x7.

      The majority of the commodity hardware sat on the actual Internet or in the DMZ (as opposed to NATed) is running Linux, simply to get a network stack.

      ADSL routers, switches, firewall appliances, Internet-webcams - that kind of thing.

      Comparatively, there are very few Windows PCs directly on the Internet anymore - it's only really servers these days, and one would hope the admins of the majority are sane and competent.

      In most cases the idiocy is probably the device manufacturer, leaving telnet or SSH turned on with a default password.

      Very few home users are going to check the security of the WAN port of their home ADSL router, and they aren't going to try SSH or telnet attacks when fitting a webcam to watch the kids from work, they'll just forward the ports or even put it in a DMZ.

    3. Anonymous Coward

      Re: Linux

      Because Windows forces you to choose a secure password - and has far fewer remote exploits than Linux. 99% of Windows exploits require user interaction, whereas 99% of Linux exploits don't. This is why Windows get desktop viruses and Malware, but is far more secure and less likely to be hacked as a server system than Linux is.

      1. Chemist

        Re: Linux

        " 99% of Windows exploits require user interaction, whereas 99% of Linux exploits don't."

        HaHaHa!

        By the way you've SO missed the point. These are devices configured badly with open telnet ports and bad defaults. The chances ANY of them run Windows seems vanishingly small.

      2. David Dawson

        Re: Linux

        Because Windows forces you to choose a secure password - and has far fewer remote exploits than Linux. 99% of Windows exploits require user interaction, whereas 99% of Linux exploits don't. This is why Windows get desktop viruses and Malware, but is far more secure and less likely to be hacked as a server system than Linux is.

        ----------------

        Goodness me! Really? 99%. OH MY GOD.

        We need to get those linux servers off the internets. now! Who's with me?? If we each take a datacentre, we can yank the network cables in the space of a few days. We'll save the world!

        Oh.. er.. wait...

        You made those numbers up, didn't you? well?

        1. Anonymous Coward

          Re: Linux

          "If we each take a datacentre, we can yank the network cables in the space of a few days. We'll save the world!" - well you might have saved Sony a £100 million or so....

          http://www.zone-h.org/news/id/4737

          1,419,203 website defacements

          Operative System, Year 2010

          Linux 1,126,987

          Windows 2003 197,822

          FreeBSD 46,992

          Win 2008 15,083

          F5 Big-IP* 14,000

          Unknown 7,840

          Win 2000 6,097

          Solaris 9/10 2,373

          MacOSX 1,038

          Citrix Netscaler* 232

          Win NT/9x 221

          Win XP 196

          NetBSD/OpenBSD 99

          HP-UX 73

          IRIX 47

          SCO UNIX 22

          Unix 15

          Solaris/SunOS 13

          BSD/OS 12

          Solaris 8 11

          OpenBSD 8

          Compaq Tru64 5

          Compaq OS/2 5

          OS/390 3

          MacOS 3

          AIX 3

          Novell Netware 1

          AS/400 1

          1. Anonymous Coward

            Re: Linux

            Those are completely meaningless stats.

            If that 219,419 Windows defacements was 90% of the Windows-hosted websites, and the 1,126,987 Linux ones were 1% of Linux-hosted websites, which is more secure?

            How many were repeated defacement of the same website?

            They don't even attempt to give any sense of the actual scale.

            Aside from that, a website defacement is highly unlikely to have anything whatsoever to do with the hosting server OS anyway. Defacements are almost always about the content management system.

    4. Anonymous Coward
      Anonymous Coward

      Re: Linux

      "Why was this done using only Linux endpoints?"

      Ignoring the FUD about remote exploits above; I imagine the most likely reason is he was targeting embedded systems, such as routers etc. Linux runs on far lower hardware than Windows and is commonly the OS of choice for such devices.

  7. John Hawkins
    Thumb Up

    Give the researcher a medal!

    It's the no-hopers who've kept/set the passwords that should be prosecuted. Or at least hung from the ceiling using a thin Ethernet cable around sensitive parts until they promise to never ever ever use such a password again.

    1. Danny 14
      Stop

      Re: Give the researcher a medal!

      Like I said earlier though, there are many users out there who simply buy a box off the shelf, plug it in and it works. These are average people with no IT skills other than plug in, it works.

      Perhaps routers should FORCE people to change the default password on first use? Expecting the average Joe to do this voluntarily though is not practical. It is akin to leaving your front door open and hoping you don't get burgled, but there are still places like that around; many small villages I used to visit in Scotland still had their external doors open and porch internal door shut. Doesn't excuse the crimes.

      1. Justin Stringfellow
        Stop

        Re: Give the researcher a medal!

        The question is not should the device in question force a password change, but should it be exposing a login prompt to the internet?

        Most routers I've come across only provide an ssh login on the internal interface.

        1. Chemist

          Re: Give the researcher a medal!

          "Most routers I've come across only provide a ssh login on the internal interface."

          Eh ?

          How would you get in from outside then? I have mine set up to port forward ssh to an internal server for the purposes of remote access and reverse proxy use. Nothing wrong with ssh as long as it's up-to-date and has sufficient security - the real problem is exposing telnet or web interfaces to the outside by default with weak usernames/passwords.

          1. Anonymous Coward
            Anonymous Coward

            Re: Give the researcher a medal!

            "How would you get in from outside then"

            He's not talking about port forwarding SSH, he's talking about the router's configuration interface, which, be it SSH, HTTP or anything else, should only be accessible on the internal network facing interface and not the Internet facing interface.

            That way consumers who just plug and play aren't exposed to default password threats as that is what this guy has exploited. You're saying SSH is perfectly secure "as long as it's up-to-date and has sufficient security" - the point is, it wasn't sufficiently secure because manufacturers used default passwords.

            1. This post has been deleted by its author
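
As an added example (not code from the article, this thread or the researcher's project), a defender-side audit for the two points argued over above: management listeners bound to the WAN interface, and factory-default credentials left in place, plus the first-boot password policy a device could enforce. The key=value config format, interface names and the default-credential list are all assumptions constructed for this example, not any vendor's format.

```python
"""Audit a router config for WAN-exposed management services and
factory-default credentials, and check a first-boot password policy.
Config format, interface names and default list are constructed for
this example (hypothetical; not any vendor's real format)."""
from typing import Dict, List

# Constructed sample: telnet and http listen on the WAN side (eth0),
# ssh is LAN-only, and the admin account still has factory credentials.
SAMPLE_CONFIG = """\
hostname=home-router
wan.iface=eth0
lan.iface=br0
svc.telnet.enable=1
svc.telnet.bind=eth0,br0
svc.http.enable=1
svc.http.bind=eth0,br0
svc.ssh.enable=1
svc.ssh.bind=br0
admin.user=admin
admin.password=admin
"""

# Illustrative factory-default pairs (constructed, not a vendor database).
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"),
                  ("admin", ""), ("root", "root")}


def parse_config(text: str) -> Dict[str, str]:
    """Parse the hypothetical key=value format into a dict."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def enabled_services(cfg: Dict[str, str]) -> List[str]:
    """Service names with svc.<name>.enable=1, sorted for stable output."""
    names = []
    for key, value in cfg.items():
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "svc" and parts[2] == "enable" and value == "1":
            names.append(parts[1])
    return sorted(names)


def wan_exposed_services(cfg: Dict[str, str]) -> List[str]:
    """Enabled management services whose bind list includes the WAN interface."""
    wan = cfg.get("wan.iface", "")
    exposed = []
    for name in enabled_services(cfg):
        binds = [b.strip() for b in cfg.get(f"svc.{name}.bind", "").split(",") if b.strip()]
        if wan and wan in binds:
            exposed.append(name)
    return exposed


def uses_default_credentials(cfg: Dict[str, str]) -> bool:
    """True when the admin user/password pair is a known factory default."""
    return (cfg.get("admin.user", ""), cfg.get("admin.password", "")) in KNOWN_DEFAULTS


def first_boot_password_ok(user: str, password: str, min_len: int = 12) -> bool:
    """Policy a device could enforce on first login: reject any known default
    pair, reject the username as the password, require a minimum length."""
    if (user, password) in KNOWN_DEFAULTS:
        return False
    if password.strip().lower() == user.strip().lower():
        return False
    return len(password) >= min_len


def audit(text: str) -> List[str]:
    """Findings for a config text; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings = [f"{name}: management listener bound to WAN interface {cfg.get('wan.iface', '?')}"
                for name in wan_exposed_services(cfg)]
    if uses_default_credentials(cfg):
        findings.append("admin: factory-default credentials still in place")
    return findings


def harden_config(cfg: Dict[str, str]) -> Dict[str, str]:
    """Copy of cfg with telnet disabled and every other management service
    bound to the LAN interface only. Credentials are left untouched: fixing
    them needs a human to choose a new password (see first_boot_password_ok)."""
    out = dict(cfg)
    lan = out.get("lan.iface", "")
    for name in enabled_services(out):
        if name == "telnet":
            out[f"svc.{name}.enable"] = "0"   # cleartext protocol: disable outright
        else:
            out[f"svc.{name}.bind"] = lan
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("exposed after hardening:",
          wan_exposed_services(harden_config(parse_config(SAMPLE_CONFIG))))
```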

  8. Dazed and Confused

    ain't going to work

    This isn't going to work as a methodology to find unused IP addresses. Many of those IP addresses will be behind firewalls; no attempt to contact them is going to get through, but they may still be able to see out, and then there are lots of addresses hidden behind firewalls using valid IP addresses but which can't see out. OK, many of these could be moved to using private addresses, but no one is in a position to force their owners to do so and free up the address blocks they're hoarding.

  9. mIRCat
    Linux

    If you wanna be elite...

    You gotta do a righteous hack.

    1. koolholio
      Joke

      Re: If you wanna be elite...

      Call Jeremy Clarkson, he might condone it to find those people!? :-/

  10. Jan 0 Silver badge
    Headmaster

    Kudos to Iain Thomson

    For a nice use of "them", since we don't know the sex of the researcher.

    1. Danny 14
      Thumb Down

      Re: Kudos to Iain Thomson

      Rather than be a journalist and look up the sources to find out, you mean?

    2. Irony Deficient

      kudos?

      Jan 0, English has offered a choice between singular them and epicene him to refer to a person of indeterminate sex for at least five centuries. Why do you laud Iain for his choice? It seems a bit like congratulating someone on his* preference for one of wrath, anger, or ire.

      * — Yes, that’s an epicene his.

  11. Anonymous Coward
    Anonymous Coward

    This is why they make prisons

    ...for people who can't live within the laws of society. You can call yourself a "researcher" and "grey-hat" or a$$nonymous or whatever makes you happy, but the truth is that these people are unscrupulous criminals falsely believing that can do whatever they feel like. Judicial systems around the globe are proving that these clowns are wrong.

    1. hplasm
      Meh

      Re: This is why they make prisons

      I agree- Jail for all AC posters.

    2. Magnus_Pym

      Re: This is why they make prisons

      Yes. But who are 'they'?

  12. Anonymous Coward
    Anonymous Coward

    with security like this

    It's no fecking wonder botnets are running wild.

    BTW: botmasterru.com - hosted on redstation.co.uk - seems to do what it says on the tin - and redstation don't seem terribly interested.

  13. Gordon Pryra

    This guy a Yank?

    Because if he was English we would have the Merkin .gov on the phone trying to get him extradited and pay their made up costs of 20 billion (or something)

    1. Anonymous Coward
      Anonymous Coward

      Re: This guy a Yank?

      Ho hum, a bit of casual racism makes the day go by.

      It's really upsetting to quite a few Americans to be called Yanks or Merkins (you do know what a Merkin is, don't you?) particularly the ones who live "over here".

      1. Anonymous Coward
        Anonymous Coward

        Re: This guy a Yank?

        "It's really upsetting to quite a few Americans to be called Yanks or Merkins (you do know what a Merkin is, don't you?) particularly the ones who live "over here"."

        Yes, most people do. That is why they use the term with such particular relish. It doesn't start to make up for the hearing damage, but it's a start.

      2. Anonymous Coward
        Anonymous Coward

        Re: This guy a Yank?

        "Ho hum, a bit of casual racism makes the day go by."

        "American" is not a race, it's more of a team sport. Have another day.

        1. Anonymous Coward
          Anonymous Coward

          Re: This guy a Yank?

          Yes, yes, American is not a race, but Pakistani is not a race either, you wouldn't say the P word, so don't use other similar names for the people of other countries.

          I'm sick of supposedly intelligent, liberal people who would never consider saying anything about people who are a different colour spouting off about "fucking yanks". It's about time it stopped.

          1. Anonymous Coward
            Anonymous Coward

            Re: This guy a Yank?

            We'll stop when Hollywood stops making every movie villain British. Meanwhile, since we're the only foreigners Hollywood still has the guts to demonize, we'll play to the role...

          2. Anonymous Coward
            Anonymous Coward

            Re: This guy a Yank?

            "I'm sick of supposedly intelligent, liberal people who would never consider saying anything about people who are a different colour spouting off about "fucking yanks". It's about time it stopped."

            After you :)

          3. This post has been deleted by its author

          4. Anonymous Coward
            Anonymous Coward

            Re: This guy a Yank?

            "I'm sick of supposedly intelligent, liberal people who would never consider saying anything about people who are a different colour spouting off about "fucking yanks". It's about time it stopped."

            Is it? Why, precisely? Because of manifest destiny? Crazy gun fetishes? Weirdly prevalent religiosity?

            You, sir or madam, need to grow a pair. It happens. Whining about it just makes people dislike you more. Other nations do it to each other all the time, try being Swedish in Denmark, or English in Glasgow.. or not from within about a mile of where you are within Yorkshire. It's part of life's rich pageant.

            It has been happening since long before your newly-minted novelty nation existed. Adolescents are often unwittingly hilarious, and squeaking "I hate you, you're not even my real parents" tends not to impress anyone, making it harder to suppress giggles.

            Chilling out may be the best idea. In time, you might learn how banter works. Don't take everything so very personally.

        2. Anonymous Coward
          Anonymous Coward

          Re: This guy a Yank?

          Thanks for playing, Yank. Come back when the majority of your countrymen consider the use of "faggot" as a pejorative completely unacceptable.

          (If I had a dollar for every time that I've heard "are you some sort of British faggot?", I'd have a few more dollars to put towards living somewhere with fewer guns and god botherers)

          1. Anonymous Coward
            Anonymous Coward

            Re: This guy a Yank?

            That's the thing, I'm not American, I'm English, but I have American family and friends. Some over here, some over there. I've never been treated with anything except utmost respect and hospitality when in America, sure their society is different to ours but I've never had a bad experience. That I cannot say for my family and friends over here, who have to put up with being called "fucking yanks" in the pub, by people who've never met them before or sometimes generally abused in the street. People "jokingly" asking my sister why she married an American - it's not a joke when it's happened for the umpteenth time, you would never, ever, get this in America.

            1. croc

              Re: This guy a Yank?

              I'm not prejudiced... Some of my best friends are 'Mercans!

            2. Irony Deficient

              Re: This guy a Yank?

              As an American, I’m impressed by the nearly exclusive contributions of Anonymous Cowards to this exchange.

              Anonymous Coward, I have to agree with Anonymous Coward; Yank, Merkin, and whatever the P-word might be aren’t racist names (unless one considers Pakistanis to comprise a single “race”); “statist” would be closer to the mark, although this use of that word might initially confuse some libertarians. I’ve never met an American who was offended by the term Yank. I have known some, though, mainly from our southern tier, who would be offended by the term Yankee. We don’t hear Merkin, septic tank, &c. too often over here, so it doesn’t get our itchy trigger fingers twitching.

              Anonymous Coward, are you saying that those British actors who willingly take on villainous rôles in Hollywood films are somehow not responsible for signing on the dotted line? Aren’t those the parts that are supposed to be the most fun to portray?

              Anonymous Coward, that’s something that’s so ironic that even I can detect it — an Anonymous Coward telling another Anonymous Coward of the “need to grow a pair”. I agree with the rest of your post, though, and I plan on manifestly destinising your intellectual property rights to the term “newly-minted novelty nation” in describing the land of my birth, by working it into conversations whenever opportunity permits.

              Anonymous Coward, depending upon your sister’s sense of humour, she could respond to those who ask her why she married an American that she heard something down the pub about “fucking Yanks”, and she mistook the adjective for a gerund. ;*)

              1. Anonymous Coward
                Anonymous Coward

                Re: This guy a Yank?

                That definitely deserves an English upvote :)

              2. Anonymous Coward
                Anonymous Coward

                Re: This guy a Yank?

                "Aren’t those the parts that are supposed to be the most fun to portray?"

                Well, some really dreadful Hollywood movies have been rendered watchable by a random Alan Rickman or similar villain performance, it's true.

              3. Anonymous Coward
                Anonymous Coward

                Re: This guy a Yank?

                Dear Irony Deficient,

                Please feel free to steal, repurpose or even leverage the phrase “newly-minted novelty nation” (establishing best practise for key stakeholders across the piece)- with my blessing.

                By the by, I don't think not being an AC makes anyone more or less brave, unless "Irony Deficient" is your given name.. I shall refrain from speculating upon possible names of your siblings, were this the case. Having a silly handle around here doesn't really identify you, it just seems to allow people to clump up into slightly silly cliques or tree house gangs. Because I am a massive misanthrope, I obviously prefer to obviate the danger of becoming part of any sort of clique, brr.

                Anyway, I salute you, and even mostly agree. I'd offer you a pint of something character forming, but sadly this is but one of those Interwebulator forum thingies..

            3. Anonymous Coward
              Facepalm

              Re: This guy a Yank?

              "People "jokingly" asking my sister why she married an American - it's not a joke when it's happened for the umpteenth time, you would never, ever, get this in America."

              I'm American, and this is correct. I flat out can't imagine it happening - maybe if it was someone French, but even then it would be pretty poor form.

              The thing that gets me is that this guy got *four downvotes* just for *describing his personal experience*. Do the downvoters figure he's just delusional or something? Or do they think it's intrinsically unreasonable to say you've experienced hospitality while in the US? Or that if you're saying something nice about an American you must be lying?

              It's bizarre.

              I suppose that regardless, it's kind of a show of support - he got slagged off on just for *politely saying* that his family gets slagged off on. There's hardly a better way to illustrate the point...

      3. Anonymous Coward
        Anonymous Coward

        Re: This guy a Yank?

        Perhaps you mean xenophobic.

        1. Loyal Commenter Silver badge

          Re: This guy a Yank?

          Perhaps you mean xenophobic.

          Or perhaps not, as xenophobia implies hatred of all that is foreign, whereas a healthy dislike for the gung-ho self-righteous attitude displayed by what is, although probably not a representative, certainly a vocal portion of our transatlantic cousins, is quite understandable.

          Or, to put it simply, we call you 'yanks' and 'merkins' because, in general*, you are loud and obnoxious, and we don't like you. It's meant to be offensive. Enjoy.

          *Yes, this is a generalisation, there are plenty of Americans who aren't morons. If you object to me making such generalisations, then you aren't one of them.

  14. Crisp

    Using a default username and password isn't hacking

    It's using the system as intended.

    After all, if people didn't want to share their devices, they would have changed the default password when they installed it.

    1. Ragarath

      Re: Using a default username and password isn't hacking

      So if I notice your car keys on your table through your window, I can break the window to get your keys to take your car, because otherwise you would not have windows in your house for easy access.

      Yes my example is ludicrous but I am afraid so is your statement.

      1. JDX Gold badge

        Re: Using a default username and password isn't hacking

        Ragarath's example is bad, a better analogy is if I don't lock my front door, it's still illegal for you to come in and lounge around on my sofa. You know you aren't allowed in, regardless how easy I make it.

        1. Crisp

          Re: Using a default username and password isn't hacking

          I'm sorry, but people that don't secure their systems from this level of attack are part of the problem.

          Because when your system is compromised, it starts whacking my web servers and then it becomes my problem.

          You aren't leaving the front door to your house unlocked, you're leaving your Low Orbit Ion Cannon unlocked outside the school gates with the engine running.

          1. AndrueC Silver badge
            Thumb Down

            Re: Using a default username and password isn't hacking

            I'm sorry, but people that don't secure their systems from this level of attack are part of the problem.

            And I'm sorry to tell you that in the real world not everyone using the net is a geek or highly qualified IT professional. If you design or implement IT systems you need to understand that and act accordingly. The alternative is to ban anyone who doesn't have the requisite qualifications from using the internet. It'd make for a safer online world but it'd be a lot quieter as well :(

          2. david 12 Silver badge

            Re: Using a default username and password isn't hacking

            >I'm sorry, but people that don't secure their systems from this level of attack are part of the problem.

            Which is why, in my area, it is ILLEGAL to leave your car keys in your car when you are absent.

            Note that it is NOT illegal to leave your house unlocked. Cars are different. We can argue about which category computers should be in.

        2. Colin Wilson 2

          Re: Using a default username and password isn't hacking

          If I don't lock my front door, is it illegal for my neighbour to pop in with a flask of home-made soup, because they know I'm feeling poorly? "We didn't ring the bell because we could see you were asleep on the sofa".

          It happened to my Mum the other day. She was very grateful. She didn't call the police!

          1. JDX Gold badge

            Re: Using a default username and password isn't hacking

            Are you being deliberately stupid or does it just come naturally?

            How is your friend possibly equivalent to a stranger trying all the door handles to see which are open?

          2. Boothy

            Re: Using a default username and password isn't hacking

            @ Colin Wilson 2

            Technically yes, still illegal unless you'd agreed in advance that they were allowed access or it was allowed by the law (police/fire department/court order etc.). Doesn't matter who they are, friend, family or stranger, or why they were going into the house, it's still an illegal act. As mentioned above, the purpose for entry only affects the punishment, it doesn't change the fact that the law was broken.

            Besides, your analogy is flawed: you have a neighbour you know walking in, this is a complete stranger. How would you feel if you woke up to find someone you didn't know just wandering about the house? Even if they had soup, wouldn't you be a little suspicious of its contents and their motives?

          3. Crisp

            @Colin Wilson

            This isn't a case of leaving your front door unlocked, this is more a case of leaving a firearm outside a gun cabinet where anyone could get hold of it.

        3. Loyal Commenter Silver badge

          @JDX

          No, your analogy is not actually any better. Principally because what you describe is not, in the UK at least, illegal, but also because it doesn't accurately mirror what the researcher in question has done.

          A better analogy would be finding someone's front door open, and popping your head round the door and asking if anyone is home, before going on to pour yourself a glass of water in the kitchen. It's certainly very rude, and you wouldn't like it if someone did it to you, but is on the 'not illegal' side of things, although only just.

          1. Anonymous Coward
            Anonymous Coward

            Re: @JDX

            @Loyal Commenter - It is illegal, it's called Trespass.

            1. Richard 26

              Re: @JDX

              @AC 13:51 Loyal Commenter is quite correct, trespassing isn't generally a crime in the UK , it's a civil matter.

              1. Anonymous C0ward

                Re: @JDX

                And doesn't it only become trespass if you refuse to leave when asked?

              2. Anonymous Coward
                Anonymous Coward

                Re: @JDX

                I've done a quick bit of research and it appears that trespass becomes criminal trespass when it's inside someone's property.

        4. bob42

          Re: Using a default username and password isn't hacking

          Perhaps I'll not bother locking my door in future, it's a hassle having to take the key with me and it would be illegal for anyone to go in anyway. I bet you lock yours though, and I bet you are smart enough not to leave default passwords on your kit.

    2. Anonymous Coward
      Anonymous Coward

      Re: Using a default username and password isn't hacking

      Rubbish. It's using the system as you can, not as it is intended. Doing something "because you can" doesn't really stand up well in court.

    3. Roland6 Silver badge

      Re: @Crisp : Using a default username and password isn't hacking

      I think the actual act of using a default username and password would not in itself constitute hacking; although depending upon the context it could be regarded as suspicious and potentially indicative of intent. For example, I knock on my neighbour's door and get no response so I try the handle as I think there might be someone inside, is a different scenario to me walking down the street and repeating the same sequence of actions with every house.

      However, having gained access, it is what you do next that would be used to determine whether hacking has or hasn't taken place.

      Remember on many end user systems a warning message is presented that effectively says if you are not the authorised user to log off immediately. Such messages started to appear after some early hacking cases and people pleading that there was no warning that they were trespassing etc.

      So with respect to the research, the initial random testing of default credentials could be argued as not constituting hacking, however the systematic testing of devices for usage of default credentials would be considered differently particularly as the intent of the systematic access was to install and execute code on the third-party devices.

      But having said that, the Internet Census 2012 is a stunning piece of research!

  15. Ian Yates
    Headmaster

    "Using insecure configurations and default passwords to gain access to remote devices and run code on them is unethical"

    Garbage. How is it unethical? The ethics are in the intent and this guy had no malicious intent of any kind. He purposefully designed it to eat the fewest cycles possible.

    1. Matthew 3

      "He purposefully designed it to eat the fewest cycles possible."

      And therein lies the problem. S/he was using a resource that someone else has to pay for, without their consent. If I take money from you and say 'But I was only taking your smallest banknote' would you accept that as fair?

      Personally I don't have an issue with what this person did - I see the value in the results and a lack of malicious intent. But others will simply see it as immoral/illegal. The law is on their side.

      1. Ian Yates

        I won't argue over the legality, that's for the courts to decide, but there is a major difference between a "harmless" piece of code sitting and pinging a network before disappearing completely and physically depriving someone of a banknote (whatever the size).

        @JDX: Maybe I'm in a minority, but I fail to see how eugenics is unethical, assuming consenting participants. Murdering people whose genes you dislike is unethical, and only vaguely related to eugenics (as I assume that's what you were referring to). Or denying non-consenting people the right to breed. Both of those add a definite unethical action.

        "Probably lots of malicious malware is written to be efficient too"

        Which is exactly my point: malicious. His code likely went entirely unnoticed without leaving a trace of its presence, which is exactly what I meant by "intent".

        Had it scraped network traffic or garbled config files, yes, unethical; but it did (reportedly) none of those things.

        <weak metaphor>

        It's akin to seeing the front door of a house open and sticking your head in and shouting "hello, did you know your door was open?". Is that unethical?

        </weak metaphor>

        1. (AMPC) Anonymous and mostly paranoid coward
          Go

          @<weak metaphor>

          More like sticking your head in, seeing that no one is home and then using the phone to dial everybody else in the neighborhood.

    2. JDX Gold badge

      @Ian Yates

      Your arguments are entirely bogus:

      >> How is it unethical? The ethics are in the intent

      Are they? So it's not unethical to secretly use eugenics with the intent of making the human race better?

      >>He purposefully designed it to eat the fewest cycles possible.

      Probably lots of malicious malware is written to be efficient too so it doesn't get noticed as easily, and can spread better.

      If I joyride your car but stay under 30mph does that make it OK?

  16. IT Hack
    Pint

    Network Analysis

    So how long before doing a tracert gets you in pokey?

    Pint while I wait for the day in court. Should be quite amusing.

    1. Boothy

      Re: Network Analysis

      That's different, you're still using the network as intended, and network admins can set their systems to not respond to the requests if they wish. You're just asking them to respond to a request for information, they can respond or not, their choice. Also it's not giving you access to the systems themselves.

      1. IT Hack

        Re: Network Analysis

        Yes. It was not really meant to be taken THAT seriously. It was more a comment on the IT knowledge of the courts.

        In other words my friend...a joke ;)

  17. oswdt
    Thumb Up

    Maybe he can implement it as a distributed computing project like folding at home

  18. Jon Double Nice

    "Goddess of Door Hinges"

    I wonder who the goddess of blu tac is?

    1. Crisp
      Coat

      Re: "Goddess of Door Hinges"

      Smurfette

  19. Anonymous Coward
    Anonymous Coward

    What should we learn

    from this.

    1. Trollslayer

      Re: What should we learn

      That people who install equipment should change the passwords from the manufacturer's defaults.

      Even banks fail on this at times.

    2. Anonymous Coward
      Anonymous Coward

      Re: What should we learn

      That big corporations and government institutions hoard and hog huge address blocks for no apparent reason and they should be fined and their IP addresses revoked.

      That the authorities who assign addresses don't do a good job at allocating address space, the entire IPv4 map is very fragmented.

      That a lot of people run devices with default credentials or easy to guess credentials.

  20. I think so I am?
    Thumb Up

    Look at europe

    Anyone notice how massively dense central Europe is compared to everywhere else?

    1. This post has been deleted by its author

  21. Amorous Cowherder
    Facepalm

    I used to get bored some evenings and port scan addresses on my local subnets, you'd easily find at least 10% of the devices totally unprotected and connected directly to the live net connection. You'd find printers, lots of FTP and webservers, the odd NAS box all with default passwords still left in place, modem/routers with wide open configs that would, given the time, allow you through into the networks behind. It's no wonder these botnets take off, you don't need to waste time messing about hooking people through iffy webpages, just port scan like this person did and "Bob's your Auntie's live in lover"!

    ( I'm one of those who believe people should have a license to be able to use the internet! )

    1. Boothy

      I remember years ago when the first broadband Internet rolled out round my area (UK), this was a cable service provider (local cable TV operator, NTL). With heady speeds of 64kbs, later upgraded to 128kbs (compared to dial-up of course, which was typically around 40kbs, this was fast, and low pings too, good for gaming).

      Turns out it wasn't actually a direct Internet connection, unlike say ADSL, it was a NAT connection, so you were effectively on a local LAN with all the other NTL customers. This then went via a router to the internet itself.

      The connection itself was fine, but those early cable modems didn't have anything in them, effectively just a modem, so no Firewall or other security etc. (no options at all in fact, they were locked down, just plug and go).

      So unless you were running a local Firewall, it meant you could be seen on the NTL network, and back then, few people had firewalls installed (pre-XP days, so not even the basic built in OS one either). So you could literally just browse the Network with Windows Explorer and see other people's PCs, browse their shares, plus all the default admin shares and such.

      A few friends of mine were also on NTL (now owned by Virgin), so we just set up shared folders and could just use Windows Explorer to drop off and pull files from each others PCs! No need for FTP etc.

      1. Pookietoo

        re: few people had firewalls installed

        I had a Linux box doing NAT when we were still on dialup. :-)

  22. harmjschoonhoven

    Re: Researcher sets up botnet

    Installing software on a system you do not know and executing it on said system, of which you do not know the purpose, is a crime FULL STOP

  23. Jon 56
    Flame

    BURN HIM! Or give him a proper job.

  24. Anonymous Coward
    Anonymous Coward

    Computer Misuse Act

    It's an interesting map - but illegal. In the UK accessing a computer without permission is illegal.

    www.legislation.gov.uk/ukpga/1990/18

    Computer Misuse Act 1990 CHAPTER 18 - An Act to make provision for securing computer material against _unauthorised access_ or modification; and for connected purposes.

    Also section 9 - British citizenship immaterial. Doesn't matter here where you're from - they'll get you.

    1. Loyal Commenter Silver badge

      Re: Computer Misuse Act

      Technically, it could be argued that using a default password on a public-facing device is authorisation; the auth protocol itself hasn't been circumvented via a flaw or back-door, so the act of logging in as admin:12345 is potentially not illegal. Of course, IANAL, so I wouldn't recommend trying this one out, and the researcher is certainly taking a big risk by doing so. You might also be able to argue that a router isn't a computer, any more than a washing machine is, that no access has been gained to anything other than the public facing device, and that no material has been secured from that device. They might well fall foul of the 'modification' part, which could reasonably be seen as being a bit naughty. Again, it's not a risk I would be prepared to take myself, but if it happened to me, I'd take steps to properly secure my router rather than prosecute the perpetrator.

      1. Anonymous Coward
        Anonymous Coward

        Re: Computer Misuse Act

        "Technically, it could be argued that using a default password on a public-facing device is authorisation"

        There is absolutely no way you would ever get away with that; you would also not be able to argue that a router isn't a computer, it's been tried and it fails every time. The router has been logged on to and instructed to perform an operation which its owner in no way gave permission for it to run. It's a clear-cut breach of the Computer Misuse Act.

        1. Roland6 Silver badge
          Happy

          Re: Computer Misuse Act

          "you would also not be able to argue that a router isn't a computer"

          Obviously not a Patent Attorney then...

      2. Boothy

        Re: Computer Misuse Act

        How you gained access isn't relevant. You still accessed the system without the owners permission, therefore it's still illegal.

        As an analogy, it doesn't matter if the door was closed, closed and locked, or wide open, the simple act of walking through the door is illegal. How you got through only changes the level of punishment, it doesn't change the illegality of the act itself.

        Any access to any computer system, whether a PC, a server, an embedded controller, a mobile device and so on, is illegal if you don't have explicit permission from the owner of that device.

      3. Vic

        Re: Computer Misuse Act

        > it could be argued that using a default password on a public-facing device is authorisation

        Not with any success, it couldn't.

        Supplying a username and password is an *authentication* step; authorisation is a little different.

        Vic.

  25. LinkOfHyrule
    Coat

    Roman goddess of physical health or door hinges

    Sorry to go off topic but I just wanted to say, I worship her often. The ceremony involves copious amounts of 3-in-one oil!

  26. Trollslayer

    Not as difficult as you think

    This was aimed at embedded and infrastructure equipment, and there are very few architectures in use there. Remember that this wasn't meant to be exhaustive, and VERY few admins change the passwords, even in digital phone systems.

    If you can avoid the need for driver modules then you aren't looking for a particular kernel version.

    Add to that the information that the Trojan was given the lowest priority possible so it didn't affect performance, and this is someone who knows what they are doing.

  27. thosrtanner

    To be honest, I'd rather know if I had an open door onto the internet. I'm not disgusted by what this researcher has done; the reason it's shocking is that they could do it.

    Penalising them would be silly - it's not going to make anyone's systems more secure. Acting on their results, getting people to configure their connections securely and making sure manufacturers provide equipment that is secure at startup would be far more productive. FWIW my router had a non-default password when it was supplied, thank god. I was less impressed by the support person who said I could reset the password to nothing when I needed to update a setting under their advice...

  28. rh587

    Illegal? Yes (in most of the Western World anyway).

    Unethical? Meh, a bit, but then arguably it's simply not practicable to conduct such research on this scale following normal consent guidelines. Maybe a BOINC project could work but even that's going to be '000s of nodes, not 00,000s.

    But hey, no harm no foul. I'd hope any action by authorities would be to build on this research to go after the less benign individuals who it seems are already using this vector for malicious purposes.

    As a taxpayer that would seem to be a much better use of resources than going on a witch hunt after this researcher for the heinous act of going "Hey, look at this!"

  29. Anonymous Coward
    Anonymous Coward

    While the individual states he did not intend to interfere with the devices, it's hard to argue against the fact that what the person did is in fact illegal. I have to say the quotes from the paper in the 3rd and 4th paragraphs say a lot about the person's state of mind.

    I noted the person posted to seclists.org (http://seclists.org/fulldisclosure/2013/Mar/166) and has uploaded the research to three sites:

    http://internetcensus2012.bitbucket.org

    http://internetcensus2012.github.com/InternetCensus2012/

    http://census2012.sourceforge.net/

    All of which include a hidden div tag with a counter from supercounters (but it says account terminated if you unhide it from developer tools in Chrome).

    As someone pointed out, the config.log does indicate (hadoop0 was the hostname and /bin/hadoop was in the PATH) that they are using hadoop, but it was mentioned in the paper that it was used to analyse the data. There's other info on the OS and kernel versions but little else that I noticed straight off the bat.

    I didn't see an email in the README file (the only emails I can see so far are from copyright notices and changelog info for nmap source code and other libraries used in the code).
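The kind of artefact check the comment above describes, written out as an added example (this is not code from the census project or from any commenter): a small Python parser that pulls the hostname, kernel strings, PATH entries and configure invocation out of an autoconf config.log, which is exactly the material "make distclean" would have removed. The sample log text is constructed to mimic autoconf's layout; the values in it (the "hadoop0" hostname, the "jdoe" account, the kernel version) are illustrative and are not reproduced from the real release.

```python
"""
What a stray autoconf config.log leaks about the build host.

Added example, not code from the census project.  SAMPLE_CONFIG_LOG is
constructed to follow autoconf's layout (invocation line, Platform section
with hostname/uname/PATH); its values are illustrative only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SAMPLE_CONFIG_LOG = """\
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by configure, which was
generated by GNU Autoconf 2.65.  Invocation command line was

  $ ./configure --prefix=/home/jdoe/build/scanner

## --------- ##
## Platform. ##
## --------- ##

hostname = hadoop0
uname -m = x86_64
uname -r = 2.6.32-5-amd64
uname -s = Linux
uname -v = #1 SMP Mon Feb 25 00:26:11 UTC 2013

/usr/bin/uname -p = unknown
/bin/uname -X     = unknown

PATH: /home/jdoe/bin
PATH: /usr/local/sbin
PATH: /usr/local/bin
PATH: /usr/sbin
PATH: /usr/bin
PATH: /sbin
PATH: /bin
PATH: /opt/hadoop/bin

## ----------- ##
## Core tests. ##
## ----------- ##

configure:2300: checking for gcc
"""

# Lines autoconf writes into the Platform section of config.log.
KV_RE = re.compile(r"^(hostname|uname -[mrsv])\s*=\s*(.*)$")
PATH_RE = re.compile(r"^PATH:\s*(\S+)\s*$")
INVOCATION_RE = re.compile(r"^\s*\$\s+(\./configure\b.*)$")
# A home-directory component reveals a local account name.
HOME_RE = re.compile(r"/(?:home|Users|export/home)/([^/\s]+)")

# Directories present in nearly every PATH; they identify nothing.
STANDARD_DIRS = {
    "/bin", "/sbin", "/usr/bin", "/usr/sbin",
    "/usr/local/bin", "/usr/local/sbin", "/usr/games", "/usr/local/games",
}


@dataclass
class BuildHostLeak:
    hostname: Optional[str] = None
    uname: Dict[str, str] = field(default_factory=dict)   # flag letter -> value
    path: List[str] = field(default_factory=list)
    invocation: Optional[str] = None
    usernames: Set[str] = field(default_factory=set)


def parse_config_log(text: str) -> BuildHostLeak:
    """Extract the identifying fields from config.log text."""
    leak = BuildHostLeak()
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "hostname":
                leak.hostname = value
            else:
                leak.uname[key[-1]] = value          # "uname -r" -> "r"
            continue
        m = PATH_RE.match(line)
        if m:
            leak.path.append(m.group(1))
            continue
        m = INVOCATION_RE.match(line)
        if m:
            leak.invocation = m.group(1)
    # Account names hide in PATH entries and in --prefix style arguments.
    for candidate in leak.path + ([leak.invocation] if leak.invocation else []):
        leak.usernames.update(HOME_RE.findall(candidate))
    return leak


def nonstandard_path(leak: BuildHostLeak) -> List[str]:
    """PATH entries that hint at local tooling (e.g. a Hadoop install)."""
    return [p for p in leak.path if p not in STANDARD_DIRS]


def findings(leak: BuildHostLeak) -> List[str]:
    """Human-readable summary of what the log gives away."""
    out: List[str] = []
    if leak.hostname:
        out.append(f"build hostname: {leak.hostname}")
    if leak.uname:
        kernel = " ".join(leak.uname.get(k, "?") for k in ("s", "r", "m"))
        out.append(f"build kernel: {kernel}")
    if leak.usernames:
        out.append("account names from paths: " + ", ".join(sorted(leak.usernames)))
    extra = nonstandard_path(leak)
    if extra:
        out.append("non-standard PATH entries: " + ", ".join(extra))
    if leak.invocation:
        out.append(f"configure invocation: {leak.invocation}")
    return out


if __name__ == "__main__":
    for item in findings(parse_config_log(SAMPLE_CONFIG_LOG)):
        print(item)
```

Run against a real tarball it is a one-line loop over every config.log, config.status and similar build residue before publishing; the same fields also turn up in generated Makefiles and in compiled binaries' debug paths, so the check is a floor rather than a ceiling.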

  30. Tomas K.

    As ye sow...

    ...so shall ye reap.

  31. Rick Giles
    Linux

    Is it me

    or are the laws for virtual "crimes" getting harsher than the laws for actual physical crimes that actually hurt people?

    I hope someone comes up with a good way to interconnect Pirate Boxes soon...

  32. W.O.Frobozz

    Once again...

    ...this just proves that someday, our only defense will be "The Galactica Maneuver", which is to say the only way we can keep ourselves safe from this kind of invasion is to not network anything.

    Hell, maybe Sir Arthur will be proven right in his godawful 3001 novel... we may need a munitions dump on the moon for "the world's worst computer viruses."

  33. mr.K
    Happy

    My house

    I can see my house from here.

  34. Joe Gurman

    So this is a map of....

    ....clueless owners of devices with insecure default configurations, or that they have made insecure by bonehead password selection?

  35. Anonymous Coward
    Anonymous Coward

    I just wanted to...

    ...take this time to laugh at all the insecure little whiners who are always banging on about throwing those filthy illegal hackers in jail for a long time. Go and cry to your government.

    Oh, and nice coding dude(ette?s?).

  36. Anonymous Coward
    Anonymous Coward

    How are those nodes working for ya?

    I wonder how those nodes are going to work for the perp while in prison? If you can't do the time, check out like candy arse Swartz did.

  37. Jamie Jones Silver badge
    Facepalm

    /.

    Stupid flame wars, ridiculous analogies... (we even had a car analogy in a recent posting)

    All we need now is for people to not bother reading the articles and the comments section of El Reg will be just like slashdot!

  38. JimTopbloke
    Thumb Up

    That's a lot of Data!

    Whoever did the 'crime' must have an awesome data connection, collecting over 7Tb of data from his botnet over 6 months..

    I reckon my ISP would shit a brick if I used over a Terabyte a month!

  39. 0perat0r

    BBC mangled version of this story

    http://www.bbc.co.uk/news/technology-21875127
