How ’bout that Mirai Botnet

 

Do you remember that thing? It was the panic of the week last fall. Some jerks took large portions of the internet down for a couple hours. Everyone was in a tizzy for a bit. Well, the problem is still there. At least now nobody’s in a flail-your-arms panic over it, so maybe it’s worth discussing solutions.

Since there’s very little reason to remember the panic of the day even a week later, let me remind you how this works. A couple years back “Internet of Things” became the fashionable buzzword, so we all went out and bought WiFi enabled toasters. Now you can start toasting automatically when your alarm clock goes off. The fact that your toast will be ice cold by your seventh snooze is a small price to pay for living in The Future! But when you got your FutureToast, you didn’t bother to change the default password (it’s a hassle and if you did you’d forget the new one and what’s the worst that could happen anyway?) Mr. Nefarious Hacker sees that you’ve got a FutureToast, and he can log into it too. With your toaster and the 13,000 other ones that nobody’s changed the passwords on (and the 3300 GarageNoMores, and 4200 BlindsWithScience, and 132 HubCapConnects) he’s got access to a massive number internet connected devices. Mr. Nefarious Hacker can then use them to form punishing denial of service attacks, making the internet useless to the rest of us.

How do we solve this problem? It seems resistant to market forces. From FutureToast Inc.’s perspective adding security to their toasters makes them cost more and makes them less user friendly. That translates to less toaster sales. The Customer doesn’t care; the fact that his toaster is a tool for world domination doesn’t stop it from providing toast on demand.

If you ask the computer security industry, they tend to tell you “Government Regulation.” Every FutureToast variant has to have a password change on first boot up, mandated by law. This solves the problem in the future, but there’s still a heck of a lot of unsecured devices in existence today. The government is also a good way to take all the vitality out of an industry. Maybe there are better solutions.

You could educate the public. As a rule that never works. Take me as an example. I know this is a thing, and I think it’s a big enough problem to post about it on Ricochet. Now ask me what my password is for my Raspberry Pi. It’s not hard to guess.

You could hack back. If you go into my FutureToast and change the passwords then Mr. Nefarious Hacker can’t use it. But then I can’t use it anymore, either. That approach amounts to the destruction of property. This is also not a good solution.

You could, and I can’t overstate the general applicability of this solution, actively wait for your problem to go away. We haven’t seen Mirai in the news much at all even though nobody’s fixed the problem. Maybe the world wakes up and realizes their fridge really shouldn’t have anything to say to their toilet and they stop buying IoT devices. Maybe we figure out a better way to catch the people behind these attacks and launching them becomes a much riskier proposition. Maybe Russia gets into a war with China and the world’s supply of hackers gets busy fighting one another. Maybe none of those happen and we’re still stuck with the problem.

What do you think, Ricochet? Got any brilliant ideas?

Published in Technology
This post was promoted to the Main Feed by a Ricochet Editor at the recommendation of Ricochet members. Like this post? Want to comment? Join Ricochet’s community of conservatives and be part of the conversation. Join Ricochet for Free.

There are 191 comments.

Become a member to join the conversation. Or sign in if you're already a member.
  1. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    I’m giving this a like for BlindsWithScience. Also, I hate you.

    • #1
  2. Hank Rhody Contributor
    Hank Rhody
    @HankRhody

    Matt Balzer (View Comment):
    I’m giving this a like for BlindsWithScience. Also, I hate you.

    Blinds with Science is my Indian name.

    • #2
  3. Hammer, The Member
    Hammer, The
    @RyanM

    I say let them kill the internet so we can go back to being decent human beings. Also, if you buy a wi-fi toaster, I have no sympathy for you.

    • #3
  4. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    Hammer, The (View Comment):
    I say let them kill the internet so we can go back to being decent human beings. Also, if you buy a wi-fi toaster, I have no sympathy for you.

    In my case at least the internet has nothing to do with it.

    • #4
  5. RightAngles Member
    RightAngles
    @RightAngles

    Hank Rhody (View Comment):

    Matt Balzer (View Comment):
    I’m giving this a like for BlindsWithScience. Also, I hate you.

    Blinds with Science is my Indian name.

    Mine is Dances With Difficulty.

    • #5
  6. Terry Mott Member
    Terry Mott
    @TerryMott

    Hank Rhody:You could hack back. If you go into my FutureToast and change the passwords then Mr. Nefarious Hacker can’t use it. But then I can’t use it anymore, either. That approach amounts to the destruction of property. This is also not a good solution.

    Although it offends my libertarian-ish sensibilities, I vote for hacking back.  When a user’s FutureToast stops working, they’ll contact the company’s support desk / send it back under warranty / post negative reviews on Amazon / toss it and vow never to buy anything from the FutureToast company again.  All that puts market pressure on the companies to make their IOT products more secure in the future.

    If the user actually learns what happened to their FutureToast, maybe next time they’ll take the extra minute to change the blankety-blank password.

    In the meanwhile, that’s one less idiotic “smart” device in the botnet.

    • #6
  7. James Lileks Contributor
    James Lileks
    @jameslileks

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees.  Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure.  One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price.  No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    • #7
  8. Aaron Miller Inactive
    Aaron Miller
    @AaronMiller

    My toaster keeps texting me pictures of toast burns shaped like celebrity faces.

    Nicolas Cage is just… well, toast.

    • #8
  9. OldDan Rhody Member
    OldDan Rhody
    @OldDanRhody

    Hank Rhody: You could, and I can’t overstate the general applicability of this solution, actively wait for your problem to go away.

    From the Tao, wu wei, action through nonaction.  Some of my best work was “accomplished” by this practice.

    • #9
  10. Randy Webster Member
    Randy Webster
    @RandyWebster

    Hank Rhody: How do we solve this problem?

    I solve it by buying a “just a toaster.”  I know I’m a Luddite before you comment.

    • #10
  11. Isaac Smith Member
    Isaac Smith
    @

    Randy Webster (View Comment):

    Hank Rhody: How do we solve this problem?

    I solve it by buying a “just a toaster.” I know I’m a Luddite before you comment.

    Yup.  I already have too many things and people telling me what to do, I should want my refrigerator to do the same?

    I don’t want my things to talk to each other; I’ve seen Terminator – it ends badly.

    • #11
  12. Guruforhire Inactive
    Guruforhire
    @Guruforhire

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    Thats the technical solution, but nobody has any incentive to buy it.  Since the products aren’t causing problems for the consumers.  So your marketing would have to be hyperbolic.  Since the hyperbole would basically be pretty obvious to any one with the least amount of tech savvy.  The click baiters would kill it off.

    So the best thing to do is start an IETF working group and develop an standard API for home automation.  Then when there is an open standard, everybody would adopt it over time.  Then because developers can rely on standardized products, they can develop home automation platforms that are device neutral.  This is how the internet and networking in general work.  There isn’t much of the internet that isn’t the output of a UN committee, either the ITU or IETF.

    Verizon and Comcast will build a really basic one into the home routers because why leave money on the table.  Then if there is a creative interpretation of liability, a basic “secure my home” option will be enabled by default on the router.

    • #12
  13. Bryan G. Stephens Thatcher
    Bryan G. Stephens
    @BryanGStephens

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    I think this is spot on. Technology usually fixes these sorts of issues.

    I am not sure what the answer to mass drone attacks is going to be either, but I bet we come up with one. I think it will be a defensive drone swarm, but who knows.

    • #13
  14. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    American Hero Hank Rhody, you’re a mad genius.

    This should be on the Main Feed post haste, but ‘less sales’–are you mad?

    • #14
  15. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    Hank Rhody: The Customer doesn’t care; the fact that his toaster is a tool for world domination doesn’t stop it from providing toast on demand.

    Doesn’t care? What is he, heartless, not just brainless? FYI Rhody, here’s a quote from a ‘customer’, who shall remain anonymous for reasons soon to become obvious:

    “You think I, like, don’t care? That’s bogus, man! First, I, like, am totally down with multi-tasking–that, like, the future, man! And B!, World Domination Toaster Revolution? Hellz to the yeah! Their early work with Mr. Nefarious was lit af and totally rad!”

    • #15
  16. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    You left out the part where people start worshiping these things & they also become conversation pieces. HomeShield, it will turn out, peppers you with fun facts. Not AccuArmor, that gives you vaguely spurious information about the attacks on you it is fending off. But NetSoldier is best for the young–it constantly tells you to man up, & also destroy people with different opinions.

    • #16
  17. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    Guruforhire (View Comment):

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    Thats the technical solution, but nobody has any incentive to buy it. Since the products aren’t causing problems for the consumers. So your marketing would have to be hyperbolic. Since the hyperbole would basically be pretty obvious to any one with the least amount of tech savvy. The click baiters would kill it off.

    So the best thing to do is start an IETF working group and develop an standard API for home automation. Then when there is an open standard, everybody would adopt it over time. Then because developers can rely on standardized products, they can develop home automation platforms that are device neutral. This is how the internet and networking in general work. There isn’t much of the internet that isn’t the output of a UN committee, either the ITU or IETF.

    Verizon and Comcast will build a really basic one into the home routers because why leave money on the table. Then if there is a creative interpretation of liability, a basic “secure my home” option will be enabled by default on the router.

    I’m sorry, but where’s the part where the gov’t gets its dirty fingers all over this?

    • #17
  18. Bryan G. Stephens Thatcher
    Bryan G. Stephens
    @BryanGStephens

    Titus Techera (View Comment):

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    You left out the part where people start worshiping these things & they also become conversation pieces. HomeShield, it will turn out, peppers you with fun facts. Not AccuArmor, that gives you vaguely spurious information about the attacks on you it is fending off. But NetSoldier is best for the young–it constantly tells you to man up, & also destroy people with different opinions.

    Bah, real men go with the Linux based OpenArmour. Now, that’s a real security, crowdsourced by the best minds in CopyLeft, Man!

    • #18
  19. Guruforhire Inactive
    Guruforhire
    @Guruforhire

    Titus Techera (View Comment):
    I’m sorry, but where’s the part where the gov’t gets its dirty fingers all over this?

    The part where we have an economic dilemma whereby no individual actor has an individual incentive for cooperative behavior, and the lack of cooperative behavior has negative externalities.

    There isn’t much about Ricochet that isn’t standing on top of a bunch of UN commissions like a US space program that would really rather not talk about purloined Nazi scientists.

    • #19
  20. Ekosj Member
    Ekosj
    @Ekosj

    Guruforhire (View Comment):

    Titus Techera (View Comment):
    I’m sorry, but where’s the part where the gov’t gets its dirty fingers all over this?

    The part where we have an economic dilemma whereby no individual actor has an individual incentive for cooperative behavior, and the lack of cooperative behavior has negative externalities.

    There isn’t much about Ricochet that isn’t standing on top of a bunch of UN commissions like a US space program that would really rather not talk about purloined Nazi scientists.

    Hey… But they were ‘our’ Nazi scientists.    Finders keepers!

    • #20
  21. Ekosj Member
    Ekosj
    @Ekosj

    Isaac Smith (View Comment):

    Randy Webster (View Comment):

    Hank Rhody: How do we solve this problem?

    I solve it by buying a “just a toaster.” I know I’m a Luddite before you comment.

    Yup. I already have too many things and people telling me what to do, I should want my refrigerator to do the same?

    I don’t want my things to talk to each other; I’ve seen Terminator – it ends badly.

    Amen Isaac and Randy.

    • #21
  22. skipsul Inactive
    skipsul
    @skipsul

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    You have obviously never had to do tech support.

    • #22
  23. skipsul Inactive
    skipsul
    @skipsul

    I had to replace my washer recently – the new one (an LG model) came with WiFi, there’s a smartphone app you can use to load it with your own customized wash cycles!  I’m not going to bother.

    The fact is: IoT is at the moment a frivolity for most applications.  People are still trying to figure out what to do with it, and so they’re loading it into everything, whether it makes sense or not.  Sorta like other prior tech fads going all the way back to radium (for heaven’s sake, they were putting it in cosmetics!).  Eventually it will work itself into some genuinely useful applications beyond using your phone to dim your lights.

    In the mean time, though, we should always remember this: security and convenience are ever at war.  The tech-savvy know how the security works and also know how to run the odds on whether it’s even applicable to themselves, while the rest of the population likely doesn’t use security at all unless they have to, or unless it is so easy to use as to cease being an inconvenience.

    So the market challenge is to make it easy to use while still being effective.  I think we’re a long way off from that.

    • #23
  24. DrewInWisconsin Member
    DrewInWisconsin
    @DrewInWisconsin

    Maybe this is a dumb question, but after reading about all of the above problems, hacks, and indecipherable tech solutions, there’s still one thing I don’t understand: Why do I want my Toaster to be internet-ready?

    • #24
  25. Judge Mental Member
    Judge Mental
    @JudgeMental

    DrewInWisconsin (View Comment):
    Maybe this is a dumb question, but after reading about all of the above problems, hacks, and indecipherable tech solutions, there’s still one thing I don’t understand: Why do I want my Toaster to be internet-ready?

    So you can monitor the progress of the toasting process from a remote location.

    • #25
  26. DrewInWisconsin Member
    DrewInWisconsin
    @DrewInWisconsin

    Judge Mental (View Comment):

    DrewInWisconsin (View Comment):
    Maybe this is a dumb question, but after reading about all of the above problems, hacks, and indecipherable tech solutions, there’s still one thing I don’t understand: Why do I want my Toaster to be internet-ready?

    So you can monitor the progress of the toasting process from a remote location.

    Oh.

    Er . . . uh . . .

    Huh.

    • #26
  27. RightAngles Member
    RightAngles
    @RightAngles

    I had no idea this was a thing, and since I’m just like most people, I bet nobody else (outside of IT) does either. I have Spectrum Intelligent Home (was Time Warner), a wireless home security system. So are you telling me I’m adding to potential disasters? And can hackers hack into it and use my toaster when I’m not home?

    • #27
  28. DrewInWisconsin Member
    DrewInWisconsin
    @DrewInWisconsin

    RightAngles (View Comment):
    I had no idea this was a thing, and since I’m just like most people, I bet nobody else (outside of IT) does either. I have Spectrum Intelligent Home (was Time Warner), a wireless home security system. So are you telling me I’m adding to potential disasters? And can hackers hack into it and use my toaster when I’m not home?

    Yes, but they can’t figure out where you keep the butter.

    • #28
  29. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    DrewInWisconsin (View Comment):

    RightAngles (View Comment):
    I had no idea this was a thing, and since I’m just like most people, I bet nobody else (outside of IT) does either. I have Spectrum Intelligent Home (was Time Warner), a wireless home security system. So are you telling me I’m adding to potential disasters? And can hackers hack into it and use my toaster when I’m not home?

    Yes, but they can’t figure out where you keep the butter.

    It goes on the roll, duh.

    • #29
  30. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    skipsul (View Comment):
    I had to replace my washer recently – the new one (an LG model) came with WiFi, there’s a smartphone app you can use to load it with your own customized wash cycles! I’m not going to bother.

    Neat! But you still have to put the clothes in manually, so even if you wanted to do that, why wouldn’t you just program the cycles at the machine? You wouldn’t even need it to be connected to anything for that.

    • #30
Become a member to join the conversation. Or sign in if you're already a member.