How ’bout that Mirai Botnet

 

Do you remember that thing? It was the panic of the week last fall. Some jerks took large portions of the internet down for a couple hours. Everyone was in a tizzy for a bit. Well, the problem is still there. At least now nobody’s in a flail-your-arms panic over it, so maybe it’s worth discussing solutions.

Since there’s very little reason to remember the panic of the day even a week later, let me remind you how this works. A couple years back “Internet of Things” became the fashionable buzzword, so we all went out and bought WiFi-enabled toasters. Now you can start toasting automatically when your alarm clock goes off. The fact that your toast will be ice cold by your seventh snooze is a small price to pay for living in The Future! But when you got your FutureToast, you didn’t bother to change the default password (it’s a hassle and if you did you’d forget the new one and what’s the worst that could happen anyway?) Mr. Nefarious Hacker sees that you’ve got a FutureToast, and he can log into it too. With your toaster and the 13,000 other ones that nobody’s changed the passwords on (and the 3300 GarageNoMores, and 4200 BlindsWithScience, and 132 HubCapConnects) he’s got access to a massive number of internet-connected devices. Mr. Nefarious Hacker can then use them to form punishing denial of service attacks, making the internet useless to the rest of us.

How do we solve this problem? It seems resistant to market forces. From FutureToast Inc.’s perspective, adding security to their toasters makes them cost more and makes them less user-friendly. That translates to fewer toaster sales. The Customer doesn’t care; the fact that his toaster is a tool for world domination doesn’t stop it from providing toast on demand.

If you ask the computer security industry, they tend to tell you “Government Regulation.” Every FutureToast variant has to have a password change on first boot up, mandated by law. This solves the problem in the future, but there’s still a heck of a lot of unsecured devices in existence today. The government is also a good way to take all the vitality out of an industry. Maybe there are better solutions.

You could educate the public. As a rule that never works. Take me as an example. I know this is a thing, and I think it’s a big enough problem to post about it on Ricochet. Now ask me what my password is for my Raspberry Pi. It’s not hard to guess.

You could hack back. If you go into my FutureToast and change the passwords then Mr. Nefarious Hacker can’t use it. But then I can’t use it anymore, either. That approach amounts to the destruction of property. This is also not a good solution.

You could, and I can’t overstate the general applicability of this solution, actively wait for your problem to go away. We haven’t seen Mirai in the news much at all even though nobody’s fixed the problem. Maybe the world wakes up and realizes their fridge really shouldn’t have anything to say to their toilet and they stop buying IoT devices. Maybe we figure out a better way to catch the people behind these attacks and launching them becomes a much riskier proposition. Maybe Russia gets into a war with China and the world’s supply of hackers gets busy fighting one another. Maybe none of those happen and we’re still stuck with the problem.

What do you think, Ricochet? Got any brilliant ideas?

Published in Technology

There are 191 comments.

  1. RightAngles Member
    RightAngles
    @RightAngles

    But getting back to the serious nature of this post, should I cancel my wireless home security system?? It’s making me nervous now.

    • #181
  2. Chuck Enfield Inactive
    Chuck Enfield
    @ChuckEnfield

    Judge Mental (View Comment):

    Terry Mott (View Comment):

    MLH (View Comment):

    Richard Finlay (View Comment):

    RightAngles (View Comment):
    No no no. The original post was about toasters that come to life while you’re sleeping and kill you. You need me so much.

    Wasn’t there a Disney movie/cartoon that went something like that?

    Stephen King novel?

    I spent a minute or two trying to work “toast” or “crumbs” into a Stephen King parody title about an hour ago, but had to go do something productive before I came up with anything. Probably for the best.

    Maximum Osterdrive?

    Game, set, and match – JM.

    • #182
  3. Terry Mott Member
    Terry Mott
    @TerryMott

    RightAngles (View Comment):
    But getting back to the serious nature of this post, should I cancel my wireless home security system?? It’s making me nervous now.

    I’d start by contacting their support staff and discussing your concerns. They may be able to direct you toward ways to beef up the security of the system. At the very least, make sure any password-protected components have had their password changed from any defaults they might have.

    You might want to do some web searches to see if anyone has posted suggestions for hardening that particular system against botnet intrusion.

    Just being mindful that the system needs to be secure from external access is the first, most important step.

    • #183
  4. Chuck Enfield Inactive
    Chuck Enfield
    @ChuckEnfield

    RightAngles (View Comment):
    But getting back to the serious nature of this post, should I cancel my wireless home security system?? It’s making me nervous now.

    I think that depends. Why did you buy it in the first place?

    • #184
  5. Hank Rhody Contributor
    Hank Rhody
    @HankRhody

    Chuck Enfield (View Comment):

    RightAngles (View Comment):
    But getting back to the serious nature of this post, should I cancel my wireless home security system?? It’s making me nervous now.

    I think that depends. Why did you buy it in the first place?

    To keep an eye on the Toaster.

    • #185
  6. MLH Inactive
    MLH
    @MLH

    Remember when Thrifty ice cream was a nickel a scoop?

    • #186
  7. skipsul Inactive
    skipsul
    @skipsul

    Chuck Enfield (View Comment):

    Judge Mental (View Comment):

    Terry Mott (View Comment):

    MLH (View Comment):

    Richard Finlay (View Comment):

    RightAngles (View Comment):
    No no no. The original post was about toasters that come to life while you’re sleeping and kill you. You need me so much.

    Wasn’t there a Disney movie/cartoon that went something like that?

    Stephen King novel?

    I spent a minute or two trying to work “toast” or “crumbs” into a Stephen King parody title about an hour ago, but had to go do something productive before I came up with anything. Probably for the best.

    Maximum Osterdrive?

    Game, set, and match – JM.

    You’re forgetting his clown horror show, I.T.

    • #187
  8. skipsul Inactive
    skipsul
    @skipsul

    The Dark Toaster

    Kluge-o.

    Different Seasonings

    The Bread Zone

    Firestarter

    Toast Madder

    The Dark Half

    Salem’s Hot

    Gerald’s Grain

    • #188
  9. Chuck Enfield Inactive
    Chuck Enfield
    @ChuckEnfield

    The Bread Zone is a contender.

    • #189
  10. Hank Rhody Contributor
    Hank Rhody
    @HankRhody

    RightAngles (View Comment):
    But getting back to the serious nature of this post, should I cancel my wireless home security system?? It’s making me nervous now.

    To answer your question, it’s almost certainly not making you any less secure than you were before. If you want to take a lesson from this post, it’s to change your device’s default passwords. It’s like locking your car doors; it keeps the lazy thieves looking for softer targets. If you want something to do after that, go into your devices every so often and see if they have any patches waiting to be applied. If you can manage that, you’ve reached a level of security that Fortune 500 companies struggle to achieve. Of course, they’ve got thousands more devices than you do. Probably; I haven’t seen your garage.

    • #190
  11. Hank Rhody Contributor
    Hank Rhody
    @HankRhody

    There exists another solution.

    The bill would require suppliers that provide wearables, sensors and other web-connected smart devices to the United States government to adhere to some new industry-wide security practices.

    The security standards prohibit the suppliers from including hard-coded (unchangeable) usernames and passwords in their devices, which is a primary vector for hackers and malware to break into the devices and hijack them.

    This is less burdensome than formal regulation, but seeing as this is the same process that gave us ISO 9000 standards I’m not sure I like it either.

    • #191