

Search for Devices - Then Pwn them...


I subscribe to Tinman's newsletter, and in it he had this article:

EXTREMELY creepy. It gets worse... linking from there I find this:

A search engine to find devices that you can then try to exploit.

Good grief. It's been around for 2 years.

If you're not scared, then 1 of 3 things:

* You're a competent IT pro and have hardened your system
* You didn't understand any of the above (no shame in ignorance)
* You're an idiot (lots of shame in willful ignorance)

The amount of open information out there is just astounding.

I'd like to flatter myself that I fit into category A.

That said, it's still a major concern for IT pros. You can harden a network till the cows come home. All it takes is one careless user, or a small configuration mistake, or a software bug and it's all for naught.

And yeah, info from shodanhq has been on our radar screens since it went public back around 2010.

But that's not the scary part. The scary part is that it's sure as certainty there are other unpublicized darkhat sites that are also doing this - plus a whole lot more - as even a quick visit to the deepweb will show.

Am reminded of the following quotes from Joe Armstrong (of Erlang):

It was during this conference that we realised that the work we were doing on Erlang was very different from a lot of mainstream work in telecommunications programming. Our major concern at the time was with detecting and recovering from errors. I remember Mike, Robert and I having great fun asking the same question over and over again: "what happens if it fails?" -- the answer we got was almost always a variant on "our model assumes no failures." We seemed to be the only people in the world designing a system that could recover from software failures.

--- End quote ---

We can't stop our systems and globally check they are consistent and then relaunch them. We incrementally change bits and we recognize that they are inconsistent under short time periods and we live with that. Finding ways of living with failure, making systems that work, despite the fact they are inconsistent, despite the fact that failures occur. So our error models are very sophisticated.

When I see things like Scala or I see on the net there's this kind of "Erlang-like semantics", that usually means mailboxes and message boxes. It doesn't mean all the error handling, it doesn't mean the live code upgrade. The live upgrade of code while you are running a system needs a lot of deep plumbing under the counter -- it's not easy.

--- End quote ---

