Matthew Garrett on Yesterday's Big DDoS Attack in U.S.
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    May 2012
    Location
    NC
    Posts
    2,261

    Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    Interesting Matthew Garrett post on yesterday's very large and very annoying DDoS attack in the U.S.

    Consensus seems to be this was done via Internet of Things gizmos. Apparently many of these products have dumb default usernames and passwords that the user cannot change and otherwise lack any security focus.

    Given the financial losses of large attacks like this, and the potential safety and health risks, I wouldn't be surprised to see demands for the creation of oversight agencies that regulate internet-enabled products, much like the FDA.

    That would be contentious in some circles. But it's no more realistic to expect people to be able to assess the security strengths and weaknesses of an IoT product than it is to think we can assess the pills we take. We might start with banning the import and sales of products that use a single default and unchangeable username/password. Global regulation would be required, meaning international pressure, accords, etc. (Or just lean hard on China.)

  2. #2
    Join Date
    Oct 2010
    Location
    Canberra
    Posts
    3,002

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    I agree with Mr. Garrett's observation that most consumers are in no position to do much about this, and that the manufacturers are mostly outside the jurisdiction of the affected countries.

    However, he may have overlooked one player. Most consumers get their devices through a local reseller. Perhaps they should be the ones taking some responsibility for selling defective items.

    Unfortunately I expect what we will see is the usual "rewarding of the guilty and punishing of the innocent" where businesses get to continue to do whatever they want while the consumer gets the costs and inconvenience.

    User error. Please replace user and try again

  3. #3
    Join Date
    Mar 2004
    Location
    In your closet
    Posts
    15,735

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    The blame is with the manufacturers, not the re-seller or the consumer.
    Glenn
    The Bassinator

  4. #4
    Join Date
    Dec 2008
    Location
    Maryland
    Posts
    492

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    I'm agreeing with Glennzo here - the manufacturers of almost everything should be concerned with product safety, and people only dicker about how much to hold them responsible.

    But that's the supply side. The demand side comes from the consumer, so I'm going to reserve just a tiny bit of judgmental blame for those who ignored the dangers or were willfully ignorant. That works for cars, cell-phone batteries and sugary sodas.

    Be aware and act accordingly.

  5. #5
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    6,485

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    I've never felt the urge to have an IoT fridge or washing machine. Our TV sets and set top boxes are dumb too. The 'smart' comes from Chromecast.

    So the only way consumers really have any influence is buying or not. That isn't going to stop manufacturers churning out devices without passwords. Imagine the amount of support enquiries they'd get from people who lose passwords and need to reset, coupled with throwing away or never reading the manual.

  6. #6
    Join Date
    Nov 2008
    Location
    Canada
    Posts
    2,723

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    I'm not going to finish reading the article. I could barely read a paragraph after eye-rolling the title, "Fixing the IoT isn't going to be easy." Christ, it's just cancerous economic greed hard at work again: data mining you on the internet wasn't good enough alone. Demand consumer protection, clearly industry has no desire in providing it.

    Need a litmus test? If it doesn't work without calling home or checking in with its mothership, then leave it on the shelf.

  7. #7
    Join Date
    May 2012
    Location
    NC
    Posts
    2,261

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    Krebs, et al., https://krebsonsecurity.com/2016/10/...ternet-outage/ name a specific Chinese firm as responsible for making many of the insecure components sold downstream to assemblers of cameras, DVRs, etc.

    I don't think it's at all realistic to expect consumers to even be aware these products pose a threat, much less boycott them in the market place. Even if a few rare individuals do know, how can they know when they're standing in a Big Box store looking at an internet-enabled appliance which one is secure and which one is a sieve? Even if you read one month that Brand X is good, next month the unit you buy may have been made with parts from another OEM.

    Individual ad hoc action by individual governments could protect their own populations but can't end the threat of IoT-spawned DDoS attacks as long as the products are made and on the market someplace. It will take coordinated efforts to block "bad" imports by the large economies before the culprit vendors change their products or go out of business.

  8. #8
    Join Date
    May 2012
    Location
    NC
    Posts
    2,261

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    Quote Originally Posted by beaker_

    If it doesn't work without calling home or checking in with its mothership, then leave it on the shelf.
    Sure, but people want cameras that can dump photos onto a server in real time, or a fridge that calls them at work when the power goes off, or whatever. Security is someone else's problem, as most people see it. They probably won't knowingly buy another box from a brand that burns them, but since we're talking about OEM parts inside those toys, it might not make much difference.

  9. #9
    Join Date
    Nov 2008
    Location
    Canada
    Posts
    2,723

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    Quote Originally Posted by joncr
    Sure, but people want cameras that can dump photos onto a server in real time...
    I don't. I'm happy with my Roli and 6006. Whose server, and who is data mining you in real time? Part of me thinks, if they're too lazy to move memory cards then there's no reasoning.

    ... or a fridge that calls them at work when the power goes off, or whatever.
    People pay good money for monitoring. But, in this case (cheap), just give Radio Shack $15 for an autodialer or sling an event with sendmail and an AT command compatible io board. Hell... toss in Apache Tomcat, a little CSS, and you've got a marketable product. Wanna compete with whirlpool?

    Security is someone else's problem, as most people see it. They probably won't knowingly buy another box from a brand that burns them, but since we're talking about OEM parts inside those toys, it might not make much difference.
    Irrelevant. It's your LAN. And assuming people realise they've been burned. Most people will think, if they think at all, that a simple NAT router and firewall will do the trick; and, so far as I'm concerned, it should. But, that doesn't turn you into a good product! Getting that info back to me does!

    Late edit: I should have written, "want to build and sell to whirlpool, frigidaire, mr moneywell...,"

  10. #10
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    6,485

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    Firewall rules are a good idea but it depends on the end user having the knowledge to implement them. A lot of consumers aren't up to speed with managing their router.

    I've found from experience that half of the time domestic clients of mine have never opened the router interface on their ISP-provided equipment (in chocolate fireguard configuration by default to avoid connection issues and lots of support enquiries).

  11. #11
    Join Date
    Aug 2004
    Posts
    4,082

    Re: Matthew Garrett on Yesterday's Big DDoS Attack in U.S.

    Is there encrypted communication between a device like the surveillance camera in a home and the router in the home?

    If not, one could imagine a scenario where "foreigners" smuggle in devices disguised as consumer products that are capable of listening to home-device-to-home-router traffic and masquerading as the device. In that scenario, having a strong password on legitimate devices wouldn't protect against the attack.

    [Edit: According to this: http://arstechnica.com/security/2015...ever-heard-of/ there is a (perhaps flawed) standard for encryption, which I assume applies to wireless communication between a "thing" on the "internet of things" and a home router. How well do manufacturers obey this standard?]
    Last edited by tashirosgt; 28th October 2016 at 08:33 AM.
    "Never let the task you are trying to accomplish distract you from the study of computers."
