,
20 tweets,
4 min read
Read on Twitter
1/ This is a pretty funny story. A hacker divulged the personal details of 1000 politicians, artists, and other famous people in Germany. It's been a major part of their news cycle for the past week.
2/ But typically, they get everything wrong. It wasn't Russian intelligence, but a 20 year old hacker living with their parents. The proposed legislation responding to this -- doesn't. It's used as an excuse to push agendas, relying upon people's technical ignorance.
3/ It's like how all the legislation here in response to Mirai isn't. Little of the legislation has anything related to Mirai, it just seems so superficially, using a famous event to push existing agendas.
4/ It's like how authoritarians used 9/11 attacks to push for a national ID law, even though the terrorists all had valid IDs. In the case of Mirai, they are pushing for IoT security laws, like "no default passwords", even though that wasn't Mirai's problem.
5/ Sure, superficially it looks like Mirai spread using default/hard-coded passwords, but that's simply people aren't paying attention to what really happened. They don't really care, because they only cherry pick the bits that match their preconceived agenda.
6/ It's like how Bruce Schneier talks about how Mirai infected your home DVR. That's because he's either ignorant himself, or is exploiting your ignorance. Mirai didn't infect DVRs people have in homes, and certainly not YOUR home.
7/ Mirai infected security cameras and "security camera DVRs", the digital video recorders that collect streams from multiple video cameras and save them to disk. These aren't the same as home TV DVRs recording digital TV video.
8/ Sure, they are both "DVRs", but aren't the same product, and you can't use one as replacement for the other. It's like saying Mirai infected "cameras", leaving it undefined whether they mean your Nikon camera, your iPhone's camera, or security camera.
9/ This difference, security cameras and DVRs, is important. The problem is that you can't get video from a camera behind a NAT to your phone which is also behind a NAT, so people just put their cameras/DVRs outside the firewall so they can access them from the Internet.
10/ The billions of IoT devices being added to the Internet are otherwise overwhelmingly behind NAT firewalls, meaning the Mirai technique of spreading won't work with them. This fact is IMPORTANT.
11/ Likewise, look at the countries with the infected devices. Why Ukraine and Vietnam prominent at the head of the list? It has to do with their markets and stage of Internet development, where they are more likely than other countries to have IoT devices outside firewalls.
12/ Laws focused on punishing American consumers and companies for Mirai is missing the point that it infected devices outside America, and WHY those specific countries and not other countries. What makes Ukraine different that security cameras are more likely outside firewalls??
13/ Well, this is excellent. This tweet was from the original analysis of Mirai, which demonstrates the superficial analysis, the first impression before cameras I ordered arrived so I could analyze the worm:
14/ My superficial analysis was wrong. Yes, Mirai spread via passwords from /etc/passwd, but these were different than the password system a user configures for a camera, stored in .htaccess or other files.
15/ These are passwords, certainly, but unrelated to user passwords. The actual flaw was that these devices enabled Telnet as a backdoor, without which /etc/passwd wouldn't have been reachable.
16/ It's like the recent PlayStation Classic device. It's Linux based, with /etc/passwd, but nothing uses /etc/passwd unless you can solder on wires to the UART in order to log in via the serial console.
17/ So the point is that politicians only care about a superficial analysis that agrees with their agenda, not analysis. I did the in depth analysis with Mirai and found the details disagreed with my superficial analysis.
18/ Another thing about default, hard-coded passwords. In the past, this was synonymous with "remote code execution", such as when Telnet or SMB was exposed. Now, with application passwords on IoT devices, it doesn't mean remote code execution.
19/ I recently bought a cable modem with user "admin" and password "1234" as the default. As far as I can tell, after a quick analysis of the device, there is no way to get remote code execution knowing this password. Even the firmware update is signed.
20/ I often listen to German news on my nightly 5km walks. It's been fun listening to their wholly inappropriate and ignorant response to this incident. The politicians woke up because it's happening to THEM, and have gone crazy.
