In message <20161029180730.GA10801@thyrsus.com>, "Eric S. Raymond" <esr@thyrsus.com> wrote:
> You don't build or hire a botnet on Mirai's scale with pocket change.
Proof please? Sorry, but I am compelled to call B.S. on the above statement. This is a really important point that I, Krebs, and others have been trying to drive home: In an era when you've got a half million CCTV cams just lying around without even passwords on them, and in an era when nobody makes any fuss anymore about the dozens or hundreds of people and/or organizations (e.g. Shodan) that are out there scanning your box and my box and everybody's boxes, every damn day, you don't need to be either an ominous "state actor" or even SPECTRE to assemble a truly massive packet weapon. Two kids with a modest amount of knowledge and a lot of time on their hands can do it from their mom's basement.

It is comforting, for some, to think that this is not the case, just as it is, to this day, comforting, for some, to believe, based on scant evidence, that it -wasn't- just some lone nut case who killed President Kennedy. Psychologically, people have trouble coming to terms with great impactful tragedies unless they can be blamed on large, unseen, but enormously capable dark forces. And the actual available hard evidence relating to such events does not diminish the human yearning for a convenient comic book supervillain to pin it all on.
> And the M.O. doesn't fit a criminal organization - no ransom demand, no attempt to steal data.
Allow me to refer you to an alternative possible motivation: https://en.wiktionary.org/wiki/lulz
> That means the motive was prep for terrorism or cyberwar by a state-level actor.
Frankly, I am dismayed to see a well-known Internet persona with a respected name spreading this kind of absurd, alarmist, over-the-top, rhetorical fear-mongering inference, which is without clear basis in either fact or evidence. Even the hardest of the hard-core dyed-in-the-wool Clinton surrogates are too circumspect in their pronouncements (i.e. with respect to Russia's "obvious" connection to the DNC hack) to ever reach anything like this level of unfounded hyperbole.

(And for the record, I am no Trump supporter either. I find myself equally disgusted when either side employs the currently fashionable verbal sleight-of-hand that politicians of all stripes have, of late, adopted whenever they want to say something without themselves having to take responsibility for its truth or accuracy. I get angry when I hear Clinton surrogates using the "Some people are saying..." dodge, e.g. when it comes to alleged nefarious Russian involvement with anything and everything evil, just as I do when Trump uses the exact same dodge in reference to... well... everything.)
> Bruce Schneier is right and is only saying what everybody else on the InfoSec side I've spoken with is thinking - the People's Liberation Army is the top suspect, with the Russian FSB operating through proxies in Bulgaria or Romania as a fairly distant second.
Yes, but I believe that Schneier was a bit more careful to separate the known facts from his personal speculations. In any case, all of this searching for who is to blame isn't contributing a damn thing towards actually fixing the problem. And if we really need to find someone to blame, I think we should all just look in the mirror. We, society, but especially those of us with more-than-average techno savvy, have for years been only too eager to lap up whatever whiz-bang new techno gadgets industry could crank out, with barely an afterthought given to the longer term implications, like security and also how the hell we are ever going to be able to recycle any of this s***. We've all been doing the exact same thing, since at least Windows 3.1 or earlier, and yet we continue to expect a different outcome. We eagerly grab for new capabilities and new gadgets, thinking about security last or, more often, not at all. In short, to quote Pogo, "We have met the enemy and he is us."

Regards,
rfg

P.S. Even if the evidence were to support the view that only a superpower-level nation-state could have pulled off the Dyn attack... and I'm not at all persuaded that it does... it kills me that everyone seems to jump, within a millisecond, immediately from -that- unwarranted conclusion to the separate unwarranted conclusion that it must have been either Russia or China. Apparently, nobody even stops to consider the *other* elephant in the room, the one that stretches from sea to shining sea, and which itself has been heard to publicly brag about its own cyber-offensive capabilities of late. In short, maybe our own guys did this. OK, so maybe this theory -is- worthy of le Carré, but that don't mean it ain't possible. I mean we aren't stupid. We don't build warehouses full of nuclear weapons without at least testing the design once or twice first, you know, to make sure they aren't all gonna end up being duds on impact.
(Mike Rogers would probably lose his stripes -and- his pension if an actual cyber-confrontation came and it was revealed that nobody had ever actually tested any of our theoretical capabilities.) And when we do test our strategic weapons, we -don't- test them by dropping one on China, or Russia, or Iran, and then saying "Oh! Sorry. Please excuse us. Just testing." Doing that could come with consequences. So, what's worse? That Amazon and Twitter should be offline for a couple of hours in the middle of October (i.e. for a little test) or that any one of our many enemies should, you know, maybe take them down for days on end in early December, at the height of the shopping season, with us having no real/tested retaliatory capability?

(Nutty conspiracy theorists might even suggest that staging a limited attack like this is a rather obvious way for certain three letter entities and/or parts of DoD to squeeze even more out of congress than the obscenely vast sums they are already getting, but I personally won't even go there. As I've noted, there are plenty of pragmatic and entirely non-nefarious/non-self-serving reasons why our own guys might have done a small/short practice run like this.)

Anyway, when it comes to attribution, the bottom line is that all anybody has to do is to run their C&C through two or three levels of chained compromised socks proxies, e.g. in Tajikistan, Bolivia, and Singapore, and then, as a practical matter, nobody will ever be able to say for sure who you are. It's all just guesswork, and much of it, alas, isn't even all that educated. Who says that the Russians or the Chinese took down Dyn? Are these the same people who told us the fantasy... later retracted... that North Korea hacked Sony? Are these the same people who told us that Saddam absolutely positively had weapons of mass destruction?
I would have hoped that all of us in this country (US) would have become just a little bit more skeptical of press reports and "expert" pronouncements by now. Remember the Maine!