Darknet Diaries - Ep 13: Carna Botnet

Episode Date: February 15, 2018

In 2012 the Carna Bot was built and unleashed on the world. But it didn't have any intentions of doing anything malicious. It was built just to help us all understand the Internet better. This botnet used the oldest security vulnerability in the book. And the data that came out of it was amazing.

Transcript
[00:00:00] There's a big list of all known security vulnerabilities for computers. And you want to know what the oldest known computer vulnerability is? The oldest I could find is weak default passwords. This has been a known vulnerability since 1969. Specifically, computers sometimes have the username admin with the password also admin. And the computer doesn't ask you to change it when you buy it. So it can stay that way for a long time, years. And many computers after that also use admin admin as the default username and password.
[00:00:39] And over the years, many hackers have been able to get into many systems that they didn't own using this basic username and password. So now, it's been 40 years since we became aware of this security weakness. Surely, by now, this weakness has been resolved, right? And there aren't any computers in the world that have this username and password anymore, right? Right? I sure hope so. This is Darknet Diaries. True stories from the dark side of the internet. I'm a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive.
[00:01:38] It's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete Me. Delete Me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete Me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes Thank you. slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go
[00:02:26] to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code darknet. Support for this show comes from Black Hills Information Security. This is a company that Thank you. I'm sure they can help. But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive. And they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
[00:03:38] Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. In 2012, a security researcher began scanning the internet to see what computers are still running Telnet. Telnet is a way to log into a computer remotely, but it doesn't have encryption. So when you log into a computer using Telnet, you send your username and password in clear text for anyone to see on the internet. The alternative is to use SSH, which does the same job, but it's encrypted. And SSH has been around since the 90s, so there's really no excuse to run Telnet anymore. But while the security researcher was scanning the internet
[00:04:31] trying to see how many systems are running Telnet, they also wanted to see how many systems are using those default passwords. They used the following four username-password combinations: admin-admin, admin with no password, root-root, and root with no password. They took these four username-password combinations and started scanning the internet to see if any systems would let them log in using Telnet. And they were finding unsecured systems pretty quickly. But it took them over 16 hours just to scan 100,000 IPs. And the internet had almost 4 billion IPs, so scanning the whole thing poses a big challenge.
[00:05:06] If they were to scan 10 IPs a second, it would take them 10 years to complete the scan. So the researcher thought, if they had two scanners, it would go twice as fast. And 100 scanners would go 100 times faster. And since the researcher was finding all these systems on the internet that they could log into as admin, then why not put those systems to work to help scan the internet? So the researcher created a program that would scan and find unprotected systems and then upload that same program to the systems it found and then put that system to work scanning for more systems. They were creating a botnet. A botnet is a program running on many computers that are all working together to do the same task. But the botnet
[00:05:51] creator doesn't have permission to use any of those computers. And actually just logging into one computer as admin that they didn't own was illegal. So of course it was very illegal to do it to thousands of computers. The researcher knew this was illegal and had to stay anonymous and not get caught. And they let this program run and propagate all over the internet all night long. The next day, the botnet had spread to 30,000 computers and wasn't even close to finishing the full scan. After some tweaks and more testing and more scans, the botnet finished the scan of the internet, looking for all devices running Telnet that had those default passwords. And the botnet discovered
[00:06:38] 1.2 million of these kinds of devices. Many of these vulnerable devices shouldn't even be on the internet. There were TVs and industrial control systems, cameras, water sprinklers, none of which should be accessible from the internet. And out of those 1.2 million vulnerable devices, the botnet got installed in 420,000 hosts. Not all the systems could run the program, and they didn't want to install it on any industrial control systems. Controlling 420,000 machines all at once was a complicated task. The researcher had to set up an elaborate system, which included middle nodes and end nodes, and each system had to be controlled individually to perform a different task. Some systems would get
[00:07:22] rebooted, and their IPs would change, and it was a constantly changing environment. Now what would you do if you had control of 420,000 computers? With that many computers, you could do a massive denial of service attack against your enemies, or try to infect the world with a terrible virus. But this person had no evil intentions as far as we can tell. They were just a security researcher that was willing to break a few laws to try to understand the internet further. They now had a new mission, which was to get a detailed scan of the entire internet. The first mission was just to see how many devices
[00:07:57] were running Telnet with default passwords. This new mission was to use those vulnerable devices to do a full scan of the internet. Not just checking for Telnet, but pinging every IP and checking the top 100 ports. In 2012, there really wasn't that much data of people scanning the entire internet, partially because it just takes so long. If you were to scan 10 IPs at a time, it would take you over 10 years to complete it. There were over 3.6 billion IPs
[00:08:25] allocated at the time. So scanning the whole internet required a lot of storage for the results. And it also required a lot of time to complete the scan. So they wanted to use this botnet to try to quickly scan the internet and see what's out there. The scan they decided to do did numerous checks to see if the IP is alive. They would ping it, nmap it, and test to see if the top 100 ports were open on it. So even though the internet had almost 4 billion IPs on it, the scan would really need to make over 60 billion probes to test all these different things. But with the help of 420,000 systems, they calculated they could scan the whole internet in an hour. But this kind of creates a new problem. Storing that many scan results
[00:09:05] creates a major logistics issue. We're talking about having the ability to receive over 1 million events per second of data coming back from the scan. So the researcher built a web application using Python and PHP and used Hadoop as a database. At this point, the botnet was now fully built and ready to conduct a full scan of
[00:09:27] the internet. The researcher looked at this creation and decided to call it the Carna botnet. Botnets are sometimes named after Roman or Greek gods, and Carna was the Roman goddess known to protect the vital organs of the physical body. While the researcher was setting up the botnet, they noticed something strange. They were finding someone else was also building a botnet and using the exact same vulnerabilities. And they were finding this other botnet on the same computers that the Carna botnet was installed on. It was known as the Aidra botnet.
[00:10:00] But the Aidra botnet had malicious intent. It was being used to take down computers and did bad things. The researcher was able to detect that Aidra had infected over 30,000 of the same computers as the Carna botnet. Being in this unique position, the researcher decided to block the Aidra botnet from accessing devices. They were able to remove Aidra from a system and block that IP so Aidra wouldn't come back. And so Aidra started losing numerous nodes because of this. It fascinates me to think about these two botnets out there in the world battling each other.
[00:10:35] And after the Carna botnet was built and more tests were done, it was time to conduct the full scan. The researcher gave the command for all 420,000 systems to scan the entire internet. And it worked. All public IPs in the world were scanned and the data was collected on the results. But to the researcher, that wasn't enough. After building this massive botnet
[00:11:00] and an incredible infrastructure to support it, a single scan just wasn't satisfying enough. So they decided to scan a second time, and a third, and a fourth. And in fact, they continued to scan the entire internet over and over, repeating it again and again, week after week, month after month. Because hour by hour and day by day, the internet changes. So conducting numerous scans of the entire internet would be the only way to understand exactly what's out there. After six weeks of continually scanning the internet and collecting all the data,
[00:11:33] the researchers shut down the botnet. All the programs that were on the infected hosts quietly deleted themselves and all systems were returned just to how they were before the botnet was installed. That's the end of the story for the Carna botnet. Now begins the story of the Internet Census. With all these billions of probes and data points collected from the Carna botnet, it was now time for the researcher to pore through all this data and try to make sense of it. The researcher called this project the Internet Census of 2012.
[00:12:04] Because there was so much data, it was not easy to figure out what to do with it. The researcher analyzed and calculated and reviewed the data in numerous ways. Now, I think what this researcher did next was absolutely brilliant. Yes, the work they did up to this point was brilliant as well, but if they just published this data in a big spreadsheet and 40-page report, it would just probably have gone unnoticed. All this data that's in the database is interesting, but it's boring to read. It's like reading a really dry technical book that's just too long. Regions of the world are assigned a
[00:12:34] range of IP addresses. Africa gets one block, U.S. gets another, and so forth. But even more specific states and cities are also given IP address ranges. So the researchers started adding geographic locations to all the data they collected. Geo-IP lookups were done on every IP address to determine where that computer was in the world. Eventually, the data started to tell a story. The data was showing which IPs were online and where they were in the world.
[00:13:01] So the researcher compiled all this location data and placed it over a map of the world. And this had amazing results. The security researcher compiled all the data and published it anonymously for the world to see. This included a lot of details on how the Carna botnet was created, as well as how all the data was collected, and of course, the map of all the computers in the world. You know what? You've got to see this
[00:13:29] map for yourself. If you can, right now, stop what you're doing, go to darknetdiaries.com, find episode 13, and let's take a look at this map together. I'll pause for a minute for you to load This episode is sponsored by NetSuite. What does the future hold for business? You don't know? Me neither. But what I do know is that you don't have to be months ahead of your competitors to be more successful. Just a few days or even a few hours can work wonders. So until someone brings you a crystal ball, NetSuite can give you an advantage.
[00:14:05] More than 38,000 businesses have future-proofed their business with NetSuite by Oracle. It's a cloud ERP service, and one that I'd be using if I needed the help. NetSuite brings accounting, financial management, inventory, and HR into one fluid platform. When you're closing the books in days, not weeks, you're spending less time looking backwards and more time on what's next. Whether your company is earning millions or even hundreds of millions, NetSuite helps you respond to immediate challenges and seize your biggest opportunities. And make use of real-time insights and forecasting, allowing you the opportunity to look into the future with actionable data. Speaking of opportunity, download the CFO's guide to AI and machine learning at netsuite.com. The guide is free to you at netsuite.com.
[00:14:50] Okay. On the map, you'll see lots of dots. There's a dot on the map for every computer and location that was in the database. And there are billions of dots. It's hard for me to describe it. It's truly a case where the data is beautiful and brilliant and magical. But that probably doesn't describe anything. So I took a trip to my local hackerspace and asked some friends to describe it. It's pretty. That's true. It is pretty. That's insane.
[00:15:30] Pretty cool, pretty cool. Wow, there's a lot of dark areas. No real surprise. This is impressive. Pretty colors. It looks remarkably densely internet-y. The amount of technology that is on this planet just in a glimpse is insane. I didn't expect Brazil to have that much. Brazil's a lot denser than I expected it to be. Seems kind of surprising that Europe seems to have a greater concentration than the United States. Yeah, no, I would have expected the United States to be a lot more red than that. The map they are looking at has billions of dots all over the globe.
[00:16:12] And in regions that have a high concentration of computers online, they show up red and very bright. In regions that have a low number of computers, they show up blue. And areas that have no computers are completely dark. The brightness of America doesn't surprise me at all. Actually, Australia is like the coast of the world. I know that Australia is really barren in the middle. It's mostly desert, but it's still nice to see how tightly packed it is towards the water.
[00:16:43] But New Zealand? New Zealand is amazing. It's like the whole thing. Look at the islands in the Caribbean. And I mean, they look almost like they're forming a contiguous line of lands all the way up to Florida. I'm looking at bright spots in the middle of the water and I'm thinking about what that means. But this map is even more amazing than just dots on the world. The researcher had so much data from scanning the internet over and over and over that they were able to create an animated map showing the daytime-nighttime cycle.
[00:17:19] And along with this animation, we can see what hour of the day different regions of the world come online and go offline. I'm watching the sun shadow pass over the lights and matching that up. What I'm seeing is that when you look at it, you're seeing how it lights up. It lights up in almost a cascade. It goes from bottom to top in a wave, basically, and how it lights up. It's really interesting. Well, Italy goes full load earlier than the rest of Europe.
[00:17:55] Yeah, it's almost like Italy is a couple hours ahead of the rest of Europe because it surges earlier and it drops off earlier. Middle of Australia, this huge area where there's no computers turning on and off. Notice how also bright that India is. I love that when you go way up north, like North Pole, Greenland and stuff, you still see activity like way, way out. Can we zoom in? Can we zoom in?
[00:18:23] Everybody who I showed this map to marveled at the magnificence of the data they were looking at. Some people noticed Los Angeles comes online about the same time as New York. Some people noticed it's completely dark in North Korea. And other people saw that Canada, Russia, and the northern parts were all dark, except Scandinavia. Even at extreme northern latitudes, it's lit up. Because this security researcher created such a beautiful map to display the data collected, this map went viral and spread across the world and everyone got to marvel at how big the internet was. This is the first map of the internet and it amazed us all. And now, a half decade later, I still see this map pop up in
[00:19:03] my social feeds from time to time with someone new discovering it and swooning over its beauty. Most people see this map and have no idea what it took to create it. But because of how beautiful the map is, to them it doesn't matter how it was created. It's still marvelous and worth spending a minute to look at. The creator of this botnet remained anonymous, and nobody ever openly took credit for this. This is because even though the Carna botnet had good intentions, it was still illegal since it uploaded and ran programs on machines that weren't owned by the researcher.
[00:19:35] So the botnet creator had to stay hidden and anonymous after publishing the data. And this story probably would have ended right here if it wasn't for one person. My name is Parth Shukla. I'm currently a security engineer at Google here in Switzerland. Previously, before Google, I used to work for AusCERT, the Australian Computer Emergency Response Team based in Brisbane, Australia. When I first read about this, I had just started working for AusCERT.
[00:20:04] It was my first month. This is my first IT security job ever. I was still studying at the time. I still hadn't graduated. So I was the newbie. I read this thing. I went, well, this is interesting. I don't know what we're supposed to do. I'm looking for guidance from the senior people because I'm not sure what the standard response procedure is within the company. And I think someone suggested just email the guy. And I went, what? And they're like, yeah, just email him. Maybe he'll give you something.
[00:20:33] I think it was actually in jest. They made a joke. It was like, yeah, as if you're going to hear back. And I'm like, okay, I guess I can do that. And so I found the email that was, I think, on the GitHub page already. And I sent him an encrypted email saying, hey, can you give us, since we're AusCERT, we're supposed to look up the Australian interest, can you give us the compromised IPs that you used for the botnet scan for Australia only? And I got back a response that said, actually, you're the first person to contact me
[00:21:07] and here is everything. I was pretty shocked. So that's how that started. When he read about the Carna botnet, there was one thing that stood out to him. Those 1.2 million systems that were on the internet running Telnet and using default passwords. He thought there should be no reason for this many unsecured devices to be out there. And he wanted to understand that problem further. And when he asked the botnet creator for just the vulnerable devices in Australia, the researcher gave Parth the full list of all 1.2 million vulnerable devices. So the data itself was about 882 megs of, it was a big text file that was formatted with tabs and it just basically contained MAC addresses, manufacturers, RAM, uname,
[00:21:59] CPU info, IPs, country codes of all the devices, approximately 1.2, 1.3 million. Parth got busy trying to make sense of the data. First, he did everything he legally could do to verify the data. And he organized the data in different ways, figuring out which countries had the most vulnerable systems and which manufacturers were responsible for creating the most vulnerable devices. And to me, this indicated, for example,
[00:22:24] the manufacturer indicated this was like a systemic issue. They were building and shipping devices that were vulnerable from the factory, and they were shipping them en masse. And that's why there were this one or two manufacturers. I think there were three really big manufacturers that were overrepresented in the data set. And for the IPs, it was a little harder because certain countries were overrepresented, but they also had more devices allocated to them globally anyway.
[00:22:53] So percentage-wise, they were not that bad. So actually, one of the things that I did in my research paper is I tried to figure out how easy it is, it would have been to find a vulnerable device. So if you started scanning a random IP range in a particular country of interest, how long would it take you? And I published a table as part of my paper
[00:23:19] of the number of seconds it would take you to find a vulnerable device, given the statistics we have. So we know from all the internet registries, all the allocated devices, sorry, all the allocated IP ranges for each of the countries. We know from the Carna botnet all the number of devices in each country. And so we can do some simple maths to figure out percentages, likelihoods.
[00:23:44] And I think, for example, the device, I think for Australia, for example, what I was interested in, it would, if you started scanning randomly within just the Australian IP address range, it would take you about an hour on average to find one vulnerable device. Whereas in China, it would take you on average about 20 seconds. When Parth started realizing how vulnerable the internet was, he decided to do something about it. And the end result was that I talked to over 20 CERTs from different countries,
[00:24:17] as I notified all the CERTs that had more than 10,000 devices in their countries. And I emailed them, I actually emailed them the copy of the relevant data. So, for example, for the US I would have sent them a copy of all the US compromised devices. For China, I sent them all the Chinese compromised devices. And the intention there is this, this is kind of the job of the services, to try and coordinate with other national agencies who would know better how to handle the situation in their local country. So the Chinese would know, okay, which manufacturers or which carriers they should go talk to, and they have their own national contacts. To me, the responsibility here lies more so with the manufacturer
[00:24:52] because they sold you a device with certain promises. So for the manufacturer's side, I actually contacted the IEEE. The IEEE is an organization that creates standards for electronic components. They are the authority figure for which manufacturer can use which MAC address. The MAC address is a local designator assigned to every network interface on every device in the world. And Parth had a list of 1.2 million MAC addresses as part of the data he got from the botnet creator.
[00:25:24] So I went to the IEEE and said, these are the manufacturers we have derived. This is the top 10 or top 20. I can't remember the exact number. And can you give us their contact details? Because I want to contact them. You should have the authoritative information on this. I don't want to just go on name because a lot of corporations can share the same name or have similar names. I want the authoritative info from you. And
[00:25:46] if I remember correctly, they denied the request. They said they can't share for privacy reasons. But they said if I had something to pass on, they would pass it on. So I remember writing a letter with my contact details and saying, please reach out to me, I have something to share with you. And out of the 10 or 15 manufacturers I reached out to via the IEEE, only one replied, and that was one of the Turkish manufacturers that was quite well represented for Turkey. And they contacted me asking for more details, then I contacted them back, and I think we did some phone calls to make sure authenticity was good, and then I sent them an anonymized version of the data. So I removed basically the IP addresses, but I sent them just the devices that had them as a manufacturer to help them figure out which of their particular devices are actually vulnerable. And I'm hoping the
[00:26:44] Turkish one ended somewhere. I haven't heard from them since. I gave the data and, you know, fingers crossed that it's only good with it. With the data Parth collected from the Carna botnet, he made it his mission to try to resolve this problem of so many vulnerable systems being online. He thought by contacting CERTs in other countries, he could help clean up the vulnerable devices out there. And by contacting the device manufacturers,
[00:27:09] he could stop them from creating vulnerable devices. But it didn't seem like very many CERTs or manufacturers were interested in helping solve the problem. Parth was having a hard time getting organizations to pay attention to this problem. But there were some people who were paying attention to this data. Hackers with malicious intent were seeing how the Carna botnet was created and started making their own botnets using the exact same methods. Yeah, there's been multiple, multiple. I'm sure there's hundreds of them running right now. It was, so the tool called LightAidra
[00:27:44] explored the exact same vulnerability, and it was released in parallel, I think just a little earlier, before the Carna botnet data was released. I think it was independently discovered. I mean, it's not a complicated issue to be discovered, right? And that led other people in the community to go, hey, it's so simple, I just click and it, like, like I said, on average, depending on where you point, on average, from 10 seconds to 180 seconds, you'll definitely find an IP address that's vulnerable. That's a really good hit rate. What I really liked about the Carna botnet data in hindsight is it kind of came before this became a big thing, before many of these botnets started forming, exploiting the same vulnerability over and over again.
[00:28:31] And so we have, I feel like we have the largest, most accurate data before other botnets took over and started shutting down the port, Telnet port, which would stop further investigation. So this, to me, seemed like a really nice imprint. The 1.3 million devices vulnerable worldwide, quite accurate at the time because he did it multiple times over a course of months. I'm referring to the anonymous researcher as he, I don't actually know if that's true. For the whole year, I worked for AusCERT for about a year and a half. And out of that, for a whole year, I was working on just this.
[00:29:09] And I was very lucky, very lucky that AusCERT allowed me to spend that kind of time on something that wasn't actually related to Australia. There were a few people in the security community that condemned the data that came out of the Carna botnet, saying that because the data was illegally obtained, we should not use it for any legitimate research. I agree it's an illegal abatement. I think there's no way I can disagree with that statement. The use of the data, I guess, obviously my position has been clear since you can see how I've used it.
[00:29:40] I haven't really had any big ethical qualms about it. But in my opinion, the reason I think the researcher even bothered to give us this data is that actually he also wanted this problem fixed. And that's very clear by the multiple emails. I sent him quite a lot of questions and he continued answering them. And when I did my first presentation at the AusCERT conference itself, I sent him the slides and he replied. He was happy with that outcome. And then since then, he stopped communicating.
[00:30:10] And my conclusion from those events is basically he got what he wanted. He wanted publicity. He wanted a proper analysis done from someone that has a good reputation as AusCERT does in Australia. And once he got all of those, he was happy. And so I see that the reason he went into this effort
[00:30:27] to provide this data to answer these questions is because he didn't create this botnet because he wanted to own the world and destroy things and make a profit. He created it, he realizes the problem, and he wanted it fixed. Parth, do you think you were the only person to contact the botnet creator?
[00:30:43] Yes, the creator said so. Um, so the last communication I had with the creator, we exchanged two, three emails, and the last one, I just checked, I think it was a few months after our initial contact. I said, hey, has anyone contacted you yet? And the response was, no, you're still the only one. And then I haven't, I haven't had any contact with the researcher since. Still to this day, the creator remains anonymous, but do you have any thoughts on who it might be? At the time in 2012, storage of nine terabytes of data was not cheap. He had to store it and he had to compress it using ZPAQ,
Starting point is 00:31:17 which is incredibly CPU expensive. So actually related to this, for the Internet Census part, the public data, I did my undergraduate thesis on it. And I had to decompress that data to be able to access the raw data so I can index the raw data and then do some analysis on it. And that took me, the university had a high performance computing cluster of, I think, 400 machines, I think 600 CPUs. And even on that, it took a day to decompress all this data.
Starting point is 00:31:53 From 500 gigs, once you decompressed it, it became 9 terabytes. And that decompression took me a day on a high-performance computing cluster with 300 CPUs. So from my mind, I just went, whoever this is obviously has a lot of money because the claim was he did it on an Amazon cluster. This would cost ridiculous. Back in 2012, with Amazon prices, you know, try storing 9 terabytes there for more than six months
Starting point is 00:32:24 and then continuous collection and then CPU cards should compress it so you could upload 500 gigabytes. You know, I just see that there's kind of a lot of layers here where the only conclusion I could come up with was this was probably an already established researcher who was doing some private home research and didn't want that associated with his public identity. That's, I guess, yeah, that's the best I could come up with. Why did you stop working on this data? This is a battle that seemed like we should be able to win,
Starting point is 00:32:56 but I made no progress. And so my focus is now actually, personally has shifted towards kind of focusing on problems that I can fix at hand. And whenever kind of industry-wide impacts like these are necessary, you actually have to propose a solution at a specification level. So, for example, MAC addresses are controlled by IEEE. So if IEEE made a mandate on something, then these manufacturers will be forced to follow it. Now, currently, the IEEE is not in the business of making mandates on security. And that would be an uphill battle. But that's a battle that you could actually,
Starting point is 00:33:35 now you actually know a specific person, a specific entity that you can get involved with in their subcommittees that are actually open to participation to a certain level of people. And then now you have some hope of how you can address this systemic issue through one kind of by attaching yourself to the core problem. And so for this particular example, I don't have a solution, but I'm just giving an example. IEEE is an example. One of the reasons I dropped working on this a lot, I mean, I left, I left also, that's for one thing, but I also haven't spent any significant time chasing this up is because I think this is a dead end. Like addressing and trying to get manufacturers to pay attention through the public face is actually a nightmare, because what matters to manufacturers most is maintaining good PR.
Starting point is 00:34:24 And if that's how you attack them, then they are going to be defensive. So the way to get the problem fixed, if that's what you really care about, is to go through the back channels, to find the engineers, to find the people who know what it is, who actually make these designs. And a lot of times what I find, there is a tendency in security to go, oh, look at these developers. They don't know what they're doing. They're idiots, right? But what you find a lot of times is if you talk to these engineers who actually made these products,
Starting point is 00:34:51 who decided to leave Telnet open with default credentials, you realize that actually, you know, given the circumstances they were in, it was not a stupid decision. You know, they had deadline crunch. They had all these other things that were happening. And there was a, they had to leave the default cards open in case the device wasn't set up correctly.
Starting point is 00:35:08 So help desk can dial in remotely and make sure that everything works properly for the lame consumer. There's all these requirements that are imposed on these engineers, and they try their best to convey them. And sometimes they don't have security backgrounds, nor are they trained to be aware of these security problems. So when you actually sit down and have a chat with them or convince them, A, I think it's a lot easier to convince them because they can see problems because they have the same mindset. And then once they see them, they will start looking for a proper solution themselves. And then you can exclude yourself from this problem now because you've just made the correct people aware what the problem is. And that's kind of the lessons I've taken away. This was a brutal entrance to the security industry for me.
Starting point is 00:35:51 It's my first thing I did in the job. There's nothing more I can do. I've tried my best. It's time to move on to something that's not as soul-crushing. You've been listening to Darknet Diaries. For show notes and links, check out darknetdiaries.com. There you'll find the full animated map of the Internet Census, as well as all the research that Parth has published,
Starting point is 00:36:22 including his full presentation. A very special thank you to Ted, Gregory, Barry, Kurt, Curtis, Jen, Shanti, Alan, Zach, Michael, and Carlos, which were the voices you heard commenting about the map. This show is made entirely by me, Jack, Recider. Hey, are you learning to program in Python or want to learn? I've got something for you. I put together a Python cheat sheet, which is a single page of the most common Python commands. It's a perfect reference guide to print out and have handy
Starting point is 00:36:49 for when you need to look up the syntax of a command. I made this for myself when I was learning to program in Python. And when I made it, I ran it by the Python community and got an overwhelming positive response. I even added some of their suggestions to improve it. You can download this Python cheat sheet at darknetdiaries.com.