Hacker News
by 45h34jh53k4j 3534 days ago
I would like to remind those that think all is lost with this:

A serious conversation with vendors about default passwords and backdoors post this incident will help prevent recurrence. This has forced this talk and we are better for it.

There was a time when your Windows box would get popped from being online for more than 4 minutes. We recovered from this. Conficker in 2008. Blaster in 2003. It was a 'BIG BOTNETS OH NO', but we cleaned up, recovered, hardened. Microsoft went from being a botnet enabler to an active force in dismantling bots and crime rings. It sucks, and some of us have a bad day, but we recover ever stronger.

XiongMai Technologies may well find themselves in some international hot water over this incident, and I think they deserve it. They sold a faulty product that caused billions of dollars in lost revenue to some very large internet properties for a day in October 2016. I would encourage vendors to look at these incidents from the last decade and how they were turning points for upping their security game. I would encourage its victims to investigate legal recourse.

As for the currently vulnerable nodes of Mirai, I am sure these will be removed from the internet pretty soon. One only gets to fire something like this a few times before the feds are at the door.

Your regularly scheduled program will commence shortly.


Security is a process. We might be able to browbeat (insert clueless-about-security manufacturer here) into making an investment in secure firmware. Maybe they'll even get it right. But our experience is that additional security holes are always found, even in software written by knowledgeable and motivated teams.

These devices need to have an update mechanism. The manufacturer needs to have an ongoing security effort, across their whole device line (probably a significant investment in development resources and process -- consider that right now, the firmware for a device is probably coming off of a firmware dev's laptop; I've seen this happen at a big company). And devices will have to be sunset, to control the ongoing cost. Consumers will love that.

I don't think we're doomed, exactly, but it's probably always going to be a problem. And there's probably a market for embedded firmware application layers that don't suck, for starters.

I would encourage its victims to investigate legal recourse.

It's all well and good saying that, and yes, if manufacturers are repeatedly/grossly negligent then maybe they should pay compensation and/or punitive financial penalties. However, unless you know something the rest of us don't about how to guarantee Internet-connected devices are perfectly secure, that sort of financial pressure can't be the whole solution, or even the main part of the solution. Ultimately, it may just mean that smaller players can't afford to risk participating in the industry any more, and no-one will be better off if reduced competition is the main result of this. We must be able to handle this more constructively than just demanding perfection and punishing those who inevitably fail to deliver it.

If you draw a line from the attacks of the past through this one, you see that the scale of DDoS attacks continues to get worse. It's all well and good to say that the enablers of the past learn and improve their products. The problem is continually the enablers of the future.

It's been said before but I will repeat it here; manufacturers have no reason to expend any resources on security until they are held liable for the damage they facilitate. We must make selling insecure devices a liability just like selling unsafe devices is in meatspace.

Just eliminate default passwords completely. The first person that opens the box, or applies a license key, sets the password and it must be strong.

A better solution is for each physical instance of a device to have a default password that is strong and unique (and encoded in the firmware, such that a factory reset of the device doesn't make it default to a non-unique PW).
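The two suggestions above (a mandatory password set by the first person who opens the box, and a per-unit default that survives a factory reset without becoming shared) can be combined in one first-boot flow. The following simulation is an added example, not code from the thread or from any vendor discussed in it; it assumes each unit leaves the factory with its own random secret in storage that a factory reset does not wipe (modelled here as a constructor argument), derives the label password from that secret with HMAC, stores whatever password is in force as a salted PBKDF2 hash, and refuses to enable anything beyond the setup page until the default has been replaced. The strength rule and the blocklist of shared defaults are constructed for the example.

```python
"""First-boot credential handling for an embedded device, simulated.

Added example (not from the HN thread). Assumptions: a per-unit random
secret is provisioned at manufacture and kept across factory reset; the
strength rule and BLOCKLIST are illustrative, not a vendor's real policy.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000
# Constructed list of shared defaults that must never be accepted as a
# user-chosen password; a real one would be far longer.
BLOCKLIST = {"password", "admin", "root", "12345", "123456", "default", "user"}
# Label alphabet without characters that are ambiguous when printed (0/o, 1/l/i).
_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def derive_default_password(unit_secret: bytes, serial: str) -> str:
    """Per-unit default: HMAC of the serial under the unit's own secret.

    Deriving from the secret rather than the serial alone matters: the serial
    is printed on the box and guessable, the secret is not.
    """
    mac = hmac.new(unit_secret, b"default-password:" + serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(mac[:16], "big")
    chars = []
    for _ in range(14):
        chars.append(_ALPHABET[n % len(_ALPHABET)])
        n //= len(_ALPHABET)
    return "".join(chars)


def is_strong(candidate: str, device: "Device") -> bool:
    """Minimal constructed policy: length, not a known shared default,
    not derived from the serial, and not the label password itself."""
    if len(candidate) < 12:
        return False
    if candidate.lower() in BLOCKLIST:
        return False
    if device.serial.lower() in candidate.lower():
        return False
    if candidate == device.label_password():
        return False
    return True


class Device:
    def __init__(self, serial: str, unit_secret: bytes = None):
        self.serial = serial
        # Manufacturing step (assumed): a per-unit random secret in storage
        # that factory_reset() does not touch. Passing one in explicitly
        # models flashing the same firmware image onto another unit.
        self._unit_secret = unit_secret if unit_secret is not None else secrets.token_bytes(32)
        self._salt = b""
        self._hash = b""
        self.password_is_default = True
        self.factory_reset()

    def label_password(self) -> str:
        """What the factory prints on this unit's label; unique to the unit."""
        return derive_default_password(self._unit_secret, self.serial)

    def factory_reset(self) -> None:
        # Wipes the user's password but, because the unit secret survives,
        # the device comes back with its own unique default, not a shared one.
        self._store(self.label_password())
        self.password_is_default = True

    def _store(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)

    def _verify(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(cand, self._hash)

    def login(self, password: str) -> str:
        """'denied', 'must_change' (label password only reaches setup), or 'ok'."""
        if not self._verify(password):
            return "denied"
        return "must_change" if self.password_is_default else "ok"

    def set_password(self, current: str, new: str) -> bool:
        if not self._verify(current) or not is_strong(new, self):
            return False
        self._store(new)
        self.password_is_default = False
        return True

    def remote_access_allowed(self) -> bool:
        # Telnet/web/cloud access stays off while the default is in force.
        return not self.password_is_default


if __name__ == "__main__":
    unit = Device("SN0001")
    print("label:", unit.label_password())
    print(unit.login(unit.label_password()))             # must_change
    print(unit.set_password(unit.label_password(), "correct-horse-battery-9"))
    print(unit.login("correct-horse-battery-9"), unit.remote_access_allowed())
```

Two units flashed with the same image and even the same serial still get different label passwords because the unit secret differs, which is exactly the property a shared firmware default lacks; and after `factory_reset()` the device is back to its own label password with remote access off again, rather than to a vendor-wide credential.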

There are a few other ways to handle the problem of securing endpoint devices. For example, for devices that are intended to use a local aggregator, gateway, or proxy of some sort you can get around the issue (and improve the UX) by avoiding passwords entirely, and requiring that the device instead be paired with a base station through a physical action the user performs (pressing a button on both, knocking them together, etc.) instead.

Yes. But keep in mind that these were in part maintenance accounts not visible to users. The areas that also need to be kept in mind are manufacturing, maintenance, repair and upgrades.