{"id":36224,"date":"2016-11-02T09:06:40","date_gmt":"2016-11-02T13:06:40","guid":{"rendered":"http:\/\/quotulatiousness.ca\/blog\/?p=36224"},"modified":"2016-11-02T09:06:40","modified_gmt":"2016-11-02T13:06:40","slug":"online-security-theatre-we-sell-biometric-authentication-systems-to-people-who-need-a-good-password-manager","status":"publish","type":"post","link":"https:\/\/quotulatiousness.ca\/blog\/2016\/11\/02\/online-security-theatre-we-sell-biometric-authentication-systems-to-people-who-need-a-good-password-manager\/","title":{"rendered":"Online security theatre: &#8220;We sell biometric authentication systems to people who need a good password manager&#8221;"},"content":{"rendered":"<p>Joey DeVilla linked to this discussion of the Mirai botnet and the <a href=\"https:\/\/blog.appcanary.com\/2016\/mirai-botnet-security-broken.html\" target=\"_blank\">distressing failures of online security<\/a> &#8230; not for the brilliance and sophistication of the attack (it was neither), but the failure to address simple common-sense security issues:<\/p>\n<blockquote><p>I\u2019ve written about 1988\u2019s Morris worm, and I wanted to dig into the source of the Mirai botnet (helpfully published by the author) to see how far we\u2019ve come along in the past 28 years.<\/p>\n<p>Can you guess how Mirai spreads?<\/p>\n<p>Was there a new zeroday in the devices? Hey, maybe there was an old, unpatched vulnerability hanging \u2014 who has time to apply software updates to their toaster? Maybe it was HeartBleed \ud83d\udc7b?<\/p>\n<p>Nope.<\/p>\n<p>Mirai does one, and only one, thing in order to break into new devices: it cycles through a bunch of default username\/password combinations over telnet, like \u201cadmin\/admin\u201d and \u201croot\/realtek\u201d. For a laugh, \u201cmother\/fucker\u201d is in there too.<\/p>\n<p>Default credentials. Over telnet. That\u2019s how you get hundreds of thousands of devices. 
The Morris worm from 1988 tried a dictionary password attack too, but only after its buffer overflow and sendmail backdoor exploits failed.<\/p>\n<p>Oh, and Morris\u2019 password dictionary was larger, too.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Joey DeVilla linked to this discussion of the Mirai botnet and the distressing failures of online security &#8230; not for the brilliance and sophistication of the attack (it was neither), but the failure to address simple common-sense security issues: I\u2019ve written about 1988\u2019s Morris worm, and I wanted to dig into the source of the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":35193,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[15],"tags":[156,58,1030,201],"class_list":["post-36224","post","type-post","status-publish","format-standard","hentry","category-technology","tag-fail","tag-internet","tag-internetofthings","tag-securitytheatre"],"jetpack_featured_media_url":"https:\/\/quotulatiousness.ca\/blog\/wp-content\/uploads\/2016\/06\/favicon.png","jetpack_shortlink":"https:\/\/wp.me\/p2hpV6-9qg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/posts\/36224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/comments?post=36224"}],
"version-history":[{"count":1,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/posts\/36224\/revisions"}],"predecessor-version":[{"id":36225,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/posts\/36224\/revisions\/36225"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/media\/35193"}],"wp:attachment":[{"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/media?parent=36224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/categories?post=36224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/tags?post=36224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}