G+: The Internet-of-Things seems to be very quickly becoming …

David Coles
The Internet-of-Things seems to be very quickly becoming the Botnet-of-Things. Today's wide-ranging outages were due to a large-scale Distributed Denial of Service (DDoS) attack against DNS hosting provider Dyn and affected several major services including Twitter, GitHub, PayPal and PlayStation Network.

This appears to have been the same sort of attack that forced security journalist Brian Krebs offline, when his pro bono DDoS mitigation service Akamai informed him that they would no longer cover the substantial cost of fending off the attack. Such an attack was made possible by the large number of cheap consumer electronic devices such as routers and internet-enabled webcams with weak or non-existent security, allowing them to be re-purposed into a virtual army capable of spilling Internet-crumbling amounts of junk traffic.

One hopes that this will be the kind of wake-up call the industry needs to properly tackle this menace.

DDoS on Dyn Impacts Twitter, Spotify, Reddit — Krebs on Security


(+1's) 2
Jeremy Visser
Won't be a wake-up call. Because neither customers nor IoT vendors are impacted by this outage.

The customer's appliances keep working, mostly, and the vendor can simply choose to do nothing, and uninformed non-caring non-technical customers will continue to buy their crap.

David Coles
Right. I think both Krebs and Bruce Schneier have referred to software security as a "negative externality". Customers want it cheap, vendors want to sell more devices (It's a similar problem that plagues the Android ecosystem).

Even if, as a customer, your device is compromised, so long as it continues to work who cares, right? At worst it might be a case of the "My computer is slow" problem of the 90s/2000s.

By wake-up call, I mean for the wider Internet participants like ISPs, Service Providers and Engineers. Traditionally the approach has been "DDoS mitigation", but that scales poorly compared to the ease of collecting more victims. The only way forward I see is that service providers are going to have to start pushing back, be that degrading or outright blocking problematic networks at the AS level. Clearly much easier said than done.

Michael Poloni
Perhaps where some push-back can occur is in the business sector, both with the deployment of such devices and BYOD. I can imagine it would be highly embarrassing (read: reputation loss and future-revenue loss) for some businesses to be implicated in a DDoS if the target is specific and sufficiently high-profile.

David Coles
I certainly agree. One vendor, Ubiquiti Networks, the victim of a widely reported worm, had recently begun shipping devices with remote administration disabled, but were forced to re-enable it after complaints and pushback from enterprise customers who relied on the devices being shipped in a mode to allow remote provisioning. However, the same default settings make it painfully easy to exploit if exposed on the internet.

Michael Poloni
+David Coles shakes head and frowns