nanog mailing list archives

Re: Spitballing IoT Security


From: bzs () TheWorld com
Date: Sat, 29 Oct 2016 14:31:05 -0400


On October 29, 2016 at 14:07 esr () thyrsus com (Eric S. Raymond) wrote:
bzs () TheWorld com <bzs () TheWorld com>:

On October 28, 2016 at 22:27 list () satchell net (Stephen Satchell) wrote:
 > On 10/28/2016 10:14 PM, bzs () TheWorld com wrote:
 > > Thus far the goal just seems to be mayhem.
 > 
 > Thus far, the goal on the part of the botnet operators is to make
 > money.  The goal of the CUSTOMERS of the botnet operators?  Who knows?

You're speaking in general terms, right? We don't know much of anything
about the perpetrators of these recent Krebs and Dyn attacks, such as
whether there was any DDoS for hire involved.

We can deduce a lot from what didn't happen.

You don't build or hire a botnet on Mirai's scale with pocket change.

Do we know this or is this just a guess?

The infamous 1988 Morris worm was also thought to be something
similarly sinister for a short while until Bob Morris, Jr et al owned
up to it just being an experiment by a couple of students gone out of
control.

Back around 1986 I accidentally brought down at least half the net by
submitting a new hosts file (for Boston Univ) with an entry that
tickled a bug in the hosts.txt->/etc/hosts code which everyone ran at
midnight (whatever) causing a loop which filled /tmp (this would be
unix hosts but by count they were by far most of the connected
servers) and back then a full /tmp crashed unix and it often didn't
come back up until a human intervened.

OK, I doubt this was an accident, though its scale could've been an
accident, a prank gone wild.

Anyhow what do we *know*?

That the effect was large doesn't necessarily imply that it required a
lot of resources.

We live in a world rife with asymmetric warfare. A few boxcutters and
3,000+ people dead.

And the M.O. doesn't fit a criminal organization - no ransom demand,
no attempt to steal data.

Same question. Would Dyn et al publicize ransom demands at this point?

And even if not how do we rule out a prank or similar?

Is there something specific about this attack which required
significant resources? How significant?


That means the motive was prep for terrorism or cyberwar by a
state-level actor.  Bruce Schneier is right and is only saying what
everybody else on the InfoSec side I've spoken with is thinking - the
People's Liberation Army is the top suspect, with the Russian FSB
operating through proxies in Bulgaria or Romania as a fairly distant
second.

Well, barring further details one can go anywhere with a few
suppositions.


Me, I think this fits the profile of a PLA probing attack perfectly.
-- 
             Eric S. Raymond  http://www.catb.org/~esr/

-- 
        -Barry Shein

Software Tool & Die    | bzs () TheWorld com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
