This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!

IoT-alypse
2017-12-18, 2:43 AM #1
https://ghostbin.com/paste/q2vq2

I wasn't able to finish reading this, because after a few paragraphs the only question in my mind was whether or not the author really did all the things he says he did over the past year.

Because if this is legit, then: wow. We're sitting on a giant tinderbox, and it's only going to get much, much worse as more devices get IP addresses. How much time do I have before I'll need to cash out and wall myself up in a bunker with an underground greenhouse?

This hacker news comment about it is pretty bleak:

Originally posted by zokier:
My main feeling about all this is that "let it burn" probably is the only way to deal with the mess. It must have been pretty obvious from quite early on that trying to fight blackhats on level field as a single individual is not sustainable, and the time that he has been buying is in no way enough to employ the major cultural shift needed to improve the landscape. Attempting to suppress the attacks seems just to make people complacent, so it might be better just to let the attacks to do their damage and hope that those spur some improvement.


https://news.ycombinator.com/item?id=15946821
2017-12-18, 3:03 AM #2
Quote:
This is how the forests of California dealt with fires before humans started fighting them.

As humans fought fires, there was a buildup of flammable material in the forests, making each successive fire incrementally worse.


I get where this metaphor is coming from, but I'm not sure I agree. Maybe it makes sense if you're talking about trees. It makes much less sense if you're talking about people. If there were a pandemic disease that takes the lives of 1/5 people who contract it, we wouldn't say "this is good, it'll strengthen the gene pool". In some cases, the potential losses of a catastrophe are not tolerable, and so it is necessary to go to great lengths to mitigate the fallout if a catastrophe occurs.
former entrepreneur
2017-12-18, 3:13 AM #3
Also, in the case of a wildfire, the catastrophic event consumes flammable material, so that if another fire happens, it won't be as bad. Is there an analogy to flammable material being consumed with IoT? It seems like the catastrophic event doesn't itself make it so that a second catastrophic event will be less severe. It seems all it would do is make people less complacent, and see there's greater need for security. But if some of us already know that there's a need for greater security, why not just go ahead and build it, because, ultimately, that's what would happen after a catastrophic event anyway?
former entrepreneur
2017-12-18, 3:13 AM #4
Also, I'm only pretending to know anything about this.
former entrepreneur
2017-12-18, 3:58 AM #5
So is that too long bunch of black text which I'm not going to read about burning 1/5 of humanity?

I thought we had the Trump thread for that topic?
Star Wars: TODOA | DXN - Deus Ex: Nihilum
2017-12-18, 10:02 AM #6
For some reason a bunch of technical people decided that the novelty of low power devices with an internet IP address was very exciting for reasons that no one has yet been able to explain. Business people, especially the types that like to ride doomed hype trains, also like it because it unnecessarily implements basic functionality as a service which enforces consumer loyalty and possibly recurring fees.

IoT is actually a terrible idea. Routing device functionality directly through the cloud is moronic. It means that your network suddenly has as many points of failure as you have devices. It means that every device manufacturer is now responsible for securing their own devices, which they won't, because they don't know how and don't care. It means that if your internet access is compromised, you lose your functionality. It means that if the cloud service is discontinued, you lose your functionality. Which it will, because the whole thing is built on hype.

Obviously, it would be far better to have all of your devices connect to a gateway which handles internet security and administrates devices functionality locally. But they don't want that because it means that you can't be suckered into a monthly fee for a service that they will cancel in a few years anyway, leaving you with thousands in useless home automation hardware.
2017-12-18, 10:04 AM #7
An IoT “fire” will “consume flammable material” because existing devices will be inoperable and their owners will have hopefully learned not to buy stupid ****.
2017-12-18, 11:25 AM #8
if you don't walk into your room when you get home from work and tell alexa to turn on the lights, play some music, and order domino's for you, how are you supposed to have time to ****post?
I had a blog. It sucked.
2017-12-18, 12:46 PM #9
Originally posted by Zloc_Vergo:
if you don't walk into your room when you get home from work and tell alexa to turn on the lights, play some music, and order domino's for you, how are you supposed to have time to ****post?


I agree that being vulnerable to a greater attack surface on your own equipment could be inconvenient. But that's not really the great threat being pointed out here.

In general, the internet appears to be vulnerable to DDOS attacks. All that is needed is for a black hat to gain control of devices connected via addresses that there is otherwise no reason not to trust, such as a randomly selected home in North America. I.e., what's called a botnet.

AFAIK, botnets used to be mostly PCs running Windows (although maybe embedded devices too, like routers, even before the IoT craze). What's happened now simply is that there are a bunch more devices distributed to consumers that are also connected to the internet. If the number of IoT devices continues to grow, then an IoT botnet would have that much more devastating potential.

In the pastebin text, the guy says that he built a botnet of compromised nodes, which he used to disable over 10 million IoT devices he was able to gain control of, in order to neutralize them before somebody else with more destructive intentions could have done so.

But what really gets me is that he says he was able to do this because ISPs are even more vulnerable! And then he used ISP machines under his control to launch the rest of his attacks.

Quote:
My ssh crawler is too dangerous to publish. It contains various levels of automation for the purpose of moving laterally through poorly designed ISP networks and taking them over through only a single breached router. My ability to commandeer and secure hundreds of thousands of ISP routers


And:

Quote:
ISPs keep deploying devices with exposed control ports and although these are trivially found using services like Shodan the national CERTs don't seem to care. A lot of countries don't even have CERTs. Many of the world's biggest ISPs do not have any actual security know-how in-house, and are instead relying on foreign vendors for help in case anything goes wrong.


This leaves me speechless.

Anyway, with the demise of net neutrality, I can't help but think that a botnet mitigating company like cloudflare will be partnering with content providers like Facebook and Comcast, forcing all consumers to run some externally controlled router software, which throttles to nothing essentially all "non-trusted" apps (basically, anything not Netflix, Facebook, Gmail, etc.). Say goodbye to reliable VPN connections that aren't surreptitiously tunneled (hello SSH over Facebook messenger?). Basically, if ISPs and device manufacturers can't be trusted to secure their devices and networks, your home is a potential cell in need of being disabled for the sake of the larger internet's health (now does the author's "chemotherapy" metaphor make sense?), then, well, your home router is going to be as locked down as a public WiFi ought to be.
2017-12-18, 1:35 PM #10
That said, there's no real way to know that this isn't all fabricated. It seems plausible, though.
2017-12-18, 1:46 PM #11
Originally posted by Reverend Jones:
That said, there's no real way to know that this isn't all fabricated. It seems plausible, though.


I'd be suspicious of any hacker bragging about how devastating their exploit is. Nonetheless the IoT is the strongest example of technodick grift.
2017-12-18, 2:01 PM #12
Originally posted by Reid:
I'd be suspicious of any hacker bragging about how devastating their exploit is.


But he didn't do that.

He said it could have been devastating.

Do you have any reason to think that a massive IoT botnet couldn't be devastating? Didn't a large scale IoT based DDOS attack already happen, if memory serves?
2017-12-18, 2:13 PM #13
Originally posted by Reverend Jones:
Didn't a large scale IoT based DDOS attack already happen, if memory serves?


Yep.
2017-12-18, 2:26 PM #14
Originally posted by Reverend Jones:
But he didn't do that.

He said it could have been devastating.

Do you have any reason to think that a massive IoT botnet couldn't be devastating? Didn't a large scale IoT based DDOS attack already happen, if memory serves?


I mean lines like this:

Quote:
My ssh crawler is too dangerous to publish. It contains various levels of automation for the purpose of moving laterally through poorly designed ISP networks and taking them over through only a single breached router. My ability to commandeer and secure hundreds of thousands of ISP routers


And I don't disagree at all that an IoT botnet is a terrifying idea, I just mean be skeptical of hackers who say stuff like that. Maybe their subnet crawler really is that good. Or, maybe their ego is a bit too strong.
2017-12-18, 2:29 PM #15
In other news: positive correlation is not transitive unless two are really strong, which means I personally have misinterpreted data many times.
2017-12-18, 2:57 PM #16
tldr didn’t read the OP but having worked in the industry that’s trying to get IoT vendors to fix their ****, I promise you that reality is much worse than anything you read online about it.
2017-12-18, 3:47 PM #17
Originally posted by Reverend Jones:
Anyway, with the demise of net neutrality, I can't help but think that a botnet mitigating company like cloudflare will be partnering with content providers like Facebook and Comcast, forcing all consumers to run some externally controlled router software, which throttles to nothing essentially all "non-trusted" apps (basically, anything not Netflix, Facebook, Gmail, etc.). Say goodbye to reliable VPN connections that aren't surreptitiously tunneled (hello SSH over Facebook messenger?). Basically, if ISPs and device manufacturers can't be trusted to secure their devices and networks, your home is a potential cell in need of being disabled for the sake of the larger internet's health (now does the author's "chemotherapy" metaphor make sense?), then, well, your home router is going to be as locked down as a public WiFi ought to be.
Oh, I also meant to write something about this.

The point of net neutrality isn’t to make it legal for ISPs to lock down your service, or even to extract more money directly from you. It’s so they can charge rents to information services. Google and Netflix will need to pay your ISP to deliver data to you, but you almost certainly won’t need to pay extra for SSH and other add-ons. ISPs understand their business well enough that they’re already charging you as much as you’re willing to pay, and they already have effective price discrimination models.

If this affects IoT it’ll be rents charged to Honeywell for internet access, not to you, and they aren’t gonna do **** about your busted IoT devices until they literally join a botnet at which point they could throttle them under the old rules anyway.
2017-12-18, 4:00 PM #18
Bit shameful question but, in today's very connected world, is internet access an example of inelastic demand?
SnailIracing:n(500tpostshpereline)pants
-----------------------------@%
2017-12-18, 4:40 PM #19
Originally posted by ECHOMAN:
Bit shameful question but, in today's very connected world, is internet access an example of inelastic demand?


It’s an interesting question, but between price discrimination, tying, and monopoly rents, I think it would be difficult to construct a realistic model for how consumers react to price changes based on publicly accessible information.

I would assume so, but perhaps only to a baseline of service.
2017-12-18, 4:50 PM #20
Originally posted by Jon`C:
Oh, I also meant to write something about this.

The point of net neutrality isn’t to make it legal for ISPs to lock down your service, or even to extract more money directly from you. It’s so they can charge rents to information services. Google and Netflix will need to pay your ISP to deliver data to you, but you almost certainly won’t need to pay extra for SSH and other add-ons. ISPs understand their business well enough that they’re already charging you as much as you’re willing to pay, and they already have effective price discrimination models.


To be honest when people start going down this path of argument, repealing net neutrality doesn't seem so ridiculous to me. If Netflix is using some absurd amount of bandwidth during peak hours (what is it? 20%? 50%?), surely Netflix ought to be paying ISPs more than other web services that don't use so much bandwidth. After all, bandwidth is finite. If Netflix is using a lot of it, that means other services have less of it to use. As consumer habits change, and more and more video is streamed online, websites that serve video content will use up more and more bandwidth. At some point, ISPs will have to invest capital into expanding their infrastructure to carry all that data, which will cost ISPs even more money. So why shouldn't web services that drive the demand for more bandwidth pay ISPs to use their services?

And especially if the costs aren't passed onto consumers, why do I care that Netflix and Google have to pay ISPs out of their profits because their services take up more bandwidth than others? While there are other aspects of repealing net neutrality that are less appealing, when it comes to this, it seems more like deregulation working for consumers, rather than against them.
former entrepreneur
2017-12-18, 5:03 PM #21
https://www.huffingtonpost.com/bruce-kushnick/the-book-of-broken-promis_b_5839394.html

Maybe because the same companies literally stole billions of dollars from the taxpayer to invest in infrastructure and kept all of it?

Maybe because telecoms companies are among the lowest-rated, rent-seeking sack of **** companies that thrive on technology ripped off from tax-funded DARPA research and resold to us?
2017-12-18, 5:03 PM #22
Originally posted by Eversor:
To be honest when people start going down this path of argument, repealing net neutrality doesn't seem so ridiculous to me. If Netflix is using some absurd amount of bandwidth during peak hours (what is it? 20%? 50%?), surely Netflix ought to be paying ISPs more than other web services that don't use so much bandwidth. After all, bandwidth is finite. If Netflix is using a lot of it, that means other services have less of it to use. As consumer habits change, and more and more video is streamed online, websites that serve video content will use up more and more bandwidth. At some point, ISPs will have to invest capital into expanding their infrastructure to carry all that data, which will cost ISPs even more money. So why shouldn't web services that drive the demand for more bandwidth pay ISPs to use their services?

And especially if the costs aren't passed onto consumers, why do I care that Netflix and Google have to pay ISPs out of their profits because their services take up more bandwidth than others? While there are other aspects of repealing net neutrality that are less appealing, when it comes to this, it seems more like deregulation working for consumers, rather than against them.


Because consumers are already paying for the bandwidth they use. The fact that they’re choosing to use it on a particular service should be immaterial.

Netflix already has an ISP, which they pay to serve video data to you. Why should your ISP be able to double bill Netflix for internet service?
2017-12-18, 5:19 PM #23
Originally posted by Jon`C:
Because consumers are already paying for the bandwidth they use. The fact that they’re choosing to use it on a particular service should be immaterial.

Netflix already has an ISP, which they pay to serve video data to you. Why should your ISP be able to double bill Netflix for internet service?


Simple answer: because they use more of a finite resource.

Consumers pay for internet access, and they get an all-you-can-eat buffet. But if there's a marginal cost to transmitting data, then shouldn't someone somewhere down the line have to pay for it? Why should the ISP simply eat the cost? To me it sounds perfectly fair that Netflix should pay more. They're using more.
former entrepreneur
2017-12-18, 5:42 PM #24
Originally posted by Eversor:
Simple answer: because they use more of a finite resource.

Consumers pay for internet access, and they get an all-you-can-eat buffet. But if there's a marginal cost to transmitting data, then shouldn't someone somewhere down the line have to pay for it? Why should the ISP simply eat the cost? To me it sounds perfectly fair that Netflix should pay more. They're using more.


Netflix isn’t using more of a finite resource, you are.

Major ISPs work under something called peering agreements. The way these work is, all of the different ISPs agree not to charge each other for bandwidth. Instead, each ISP charges their own customers for the full cost of handling that data within their own network. The sender is charged for sending the data to the border between ISPs, and the recipient is charged for sending the data from the border to their house.

What that means is any of the costs for serving Netflix are already being paid... by you. Charging Netflix an extra rent has nothing to do with bandwidth costs, and everything to do with the fact that Netflix is a moneyed competitor to their cable TV business units.

If Comcast can’t handle the bandwidth from everybody watching Netflix at the same time, that’s their fault for oversubscribing.
2017-12-21, 8:20 AM #25
Originally posted by Jon`C:
Netflix isn’t using more of a finite resource, you are.

Major ISPs work under something called peering agreements. The way these work is, all of the different ISPs agree not to charge each other for bandwidth. Instead, each ISP charges their own customers for the full cost of handling that data within their own network. The sender is charged for sending the data to the border between ISPs, and the recipient is charged for sending the data from the border to their house.

What that means is any of the costs for serving Netflix are already being paid... by you. Charging Netflix an extra rent has nothing to do with bandwidth costs, and everything to do with the fact that Netflix is a moneyed competitor to their cable TV business units.

If Comcast can’t handle the bandwidth from everybody watching Netflix at the same time, that’s their fault for oversubscribing.


It infuriates me that people don't understand this. If I pay FedEx to deliver a package, it'd be breach of contract if they waited a year to deliver to a particular high volume destination unless the receiver paid as well. I'm already paying for the service! I don't want particular usages of that service crippled so the ISP can extort third parties into paying again.