1/ This is a pretty funny story. A hacker divulged the personal details of 1000 politicians, artists, and other famous people in Germany. It's been a major part of their news cycle for the past week.
2/ But typically, they get everything wrong. It wasn't Russian intelligence, but a 20-year-old hacker living with their parents. The proposed legislation responding to this -- doesn't. It's used as an excuse to push agendas, relying upon people's technical ignorance.
3/ It's like how all the legislation here in response to Mirai isn't. Little of the legislation has anything related to Mirai; it just seems so superficially, using a famous event to push existing agendas.
4/ It's like how authoritarians used the 9/11 attacks to push for a national ID law, even though the terrorists all had valid IDs. In the case of Mirai, they are pushing for IoT security laws, like "no default passwords", even though that wasn't Mirai's problem.
5/ Sure, superficially it looks like Mirai spread using default/hard-coded passwords, but that's simply because people aren't paying attention to what really happened. They don't really care, because they only cherry-pick the bits that match their preconceived agenda.
6/ It's like how Bruce Schneier talks about how Mirai infected your home DVR. That's because he's either ignorant himself, or is exploiting your ignorance. Mirai didn't infect DVRs people have in homes, and certainly not YOUR home.
7/ Mirai infected security cameras and "security camera DVRs", the digital video recorders that collect streams from multiple video cameras and save them to disk. These aren't the same as home TV DVRs recording digital TV video.
8/ Sure, they are both "DVRs", but they aren't the same product, and you can't use one as a replacement for the other. It's like saying Mirai infected "cameras", leaving it undefined whether they mean your Nikon camera, your iPhone's camera, or a security camera.
9/ This difference, security cameras and DVRs, is important. The problem is that you can't get video from a camera behind a NAT to your phone which is also behind a NAT, so people just put their cameras/DVRs outside the firewall so they can access them from the Internet.
10/ The billions of IoT devices being added to the Internet are otherwise overwhelmingly behind NAT firewalls, meaning the Mirai technique of spreading won't work with them. This fact is IMPORTANT.
11/ Likewise, look at the countries with the infected devices. Why are Ukraine and Vietnam prominent at the head of the list? It has to do with their markets and stage of Internet development, where they are more likely than other countries to have IoT devices outside firewalls.
12/ Laws focused on punishing American consumers and companies for Mirai are missing the point that it infected devices outside America, and WHY those specific countries and not other countries. What makes Ukraine different, so that security cameras are more likely to be outside firewalls?
13/ Well, this is excellent. This tweet was from the original analysis of Mirai, which demonstrates the superficial analysis, the first impression before the cameras I ordered arrived so I could analyze the worm:
14/ My superficial analysis was wrong. Yes, Mirai spread via passwords from /etc/passwd, but these were different from the password system a user configures for a camera, stored in .htaccess or other files.
15/ These are passwords, certainly, but unrelated to user passwords. The actual flaw was that these devices enabled Telnet as a backdoor, without which /etc/passwd wouldn't have been reachable.
16/ It's like the recent PlayStation Classic device. It's Linux based, with /etc/passwd, but nothing uses /etc/passwd unless you can solder on wires to the UART in order to log in via the serial console.
17/ So the point is that politicians only care about a superficial analysis that agrees with their agenda, not analysis. I did the in-depth analysis with Mirai and found the details disagreed with my superficial analysis.
18/ Another thing about default, hard-coded passwords. In the past, this was synonymous with "remote code execution", such as when Telnet or SMB was exposed. Now, with application passwords on IoT devices, it doesn't mean remote code execution.
19/ I recently bought a cable modem with user "admin" and password "1234" as the default. As far as I can tell, after a quick analysis of the device, there is no way to get remote code execution knowing this password. Even the firmware update is signed.
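The distinction drawn in 14/-16/ and 18/-19/ (system accounts in /etc/passwd only matter when a service such as Telnet actually reaches them, and application passwords are a separate thing) can be turned into a firmware audit a defender runs before deploying a device. The script below is an added example, not Robert Graham's code or any vendor's tool. It assumes the firmware root filesystem has already been extracted and is passed in as a dictionary mapping file paths to text contents; the sample filesystem, the account names and the password hashes in it are all constructed placeholders, not taken from a real device.

```python
"""Audit an extracted firmware root for the Mirai-relevant combination:
system accounts that can log in AND a Telnet daemon launched at boot.
Added example (assumption: rootfs is given as {path: file_text})."""

import re

# Shells that give an interactive login; /bin/false and nologin do not.
LOGIN_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash", "/bin/busybox"}

# Constructed sample rootfs; hashes are placeholders, not real hashes.
SAMPLE_ROOTFS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
        "operator:$1$constructed$notarealhash:11:0:operator:/root:/bin/sh\n"
    ),
    "/etc/shadow": (
        "root:$1$constructed$alsonotreal:17000:0:99999:7:::\n"
        "daemon:*:17000:0:99999:7:::\n"
    ),
    "/etc/inetd.conf": (
        "# telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n"
        "ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n"
    ),
    "/etc/init.d/rcS": "#!/bin/sh\nmount -a\ntelnetd &\n/usr/bin/camera_app &\n",
}


def parse_passwd(text):
    """Return {user: (password_field, shell)} from /etc/passwd text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        user, pw, _uid, _gid, _gecos, _home, shell = fields[:7]
        accounts[user] = (pw, shell)
    return accounts


def parse_shadow(text):
    """Return {user: hash_field} from /etc/shadow text."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 2}


def password_is_locked(hash_field):
    # "*" or "!" prefix locks the account; empty means passwordless login.
    return hash_field.startswith(("*", "!"))


def loginable_accounts(passwd_text, shadow_text=""):
    """Accounts with a login shell and a password field that is not locked.
    An 'x' with no shadow entry is treated as unknown and reported."""
    shadow = parse_shadow(shadow_text)
    found = []
    for user, (pw, shell) in parse_passwd(passwd_text).items():
        hash_field = shadow.get(user, pw) if pw == "x" else pw
        if shell in LOGIN_SHELLS and not password_is_locked(hash_field):
            found.append(user)
    return found


def telnet_launchers(rootfs):
    """Paths under /etc whose uncommented lines start telnetd
    (init scripts) or enable the telnet service (inetd.conf)."""
    hits = []
    for path, text in rootfs.items():
        if not path.startswith("/etc/"):
            continue
        for line in text.splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if re.search(r"\btelnetd\b", stripped) or (
                path.endswith("inetd.conf") and stripped.startswith("telnet")
            ):
                hits.append(path)
                break
    return hits


def audit(rootfs):
    """Combine both checks and give the verdict the thread argues for:
    credentials alone are latent; credentials plus Telnet are exposed."""
    accounts = loginable_accounts(rootfs.get("/etc/passwd", ""), rootfs.get("/etc/shadow", ""))
    launchers = telnet_launchers(rootfs)
    if accounts and launchers:
        verdict = "EXPOSED: system credentials reachable over Telnet"
    elif accounts:
        verdict = "LATENT: loginable accounts exist but no Telnet service reaches them"
    else:
        verdict = "OK: no loginable system accounts"
    return {"loginable_accounts": accounts, "telnet_launchers": launchers, "verdict": verdict}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROOTFS).items():
        print(f"{key}: {value}")
```

Removing the `telnetd &` line from the sample init script flips the verdict from EXPOSED to LATENT, which is the PlayStation Classic situation in 16/: the accounts are still in /etc/passwd, but nothing on the network can use them. A web-application credential file such as .htaccess is deliberately not treated as a system account here, matching the distinction in 14/.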
20/ I often listen to German news on my nightly 5km walks. It's been fun listening to their wholly inappropriate and ignorant response to this incident. The politicians woke up because it's happening to THEM, and have gone crazy.
Thread by Robᵉʳᵗ Graham, at S4x19 then at shmoocon