The Mirai Botnet Was Part of a College Student Minecraft Scheme (wired.com)
103 points by jgrahamc on Dec 14, 2017 | hide | past | favorite | 62 comments



> “We don’t know who is doing this, but it feels like a large nation-state. China or Russia would be my first guesses.” [Bruce Schneier when Mirai first appeared]

This looks especially foolish now. Schneier is a so-called expert who has testified in front of congress. He should be more careful when engaging in rampant speculation like this. What basis did he have for such an assumption?

I don’t understand why every single cyberattack is immediately blamed on Russia or China. It’s an intellectual embarrassment, and especially worse when it’s coming from experts within the community rather than politicians in congress.

But I’m sure the DNC hack was the work of an advanced nation state. Probably had nothing to do with sharing passwords like runner123 over email...


> > “We don’t know who is doing this, but it feels like a large nation-state. China or Russia would be my first guesses.” [Bruce Schneier when Mirai first appeared]

> This looks especially foolish now. Schneier is a so-called expert who has testified in front of congress. He should be more careful when engaging in rampant speculation like this.

Perhaps, not being a native speaker of English and not living in the USA, I miss some cultural subtleties, but I would call Bruce Schneier's statement really cautious:

- He clearly states he does not know who is the culprit (really cautious - as it should be!)

- He clearly states that his statement is based on feeling alone

- He rather clearly outlines that his guesses for China or Russia depend on the correctness of the assumption that a nation state is behind it


People have the responsibility when making predictions that others will take action based on their prediction.

Speculation without merit, only going by "first guess" should not be shared.

If you are an expert, your opinion (even offhand) carries weight.


> People have the responsibility when making predictions that others will take action based on their prediction.

I agree - and this is why Bruce Schneier (in my opinion) formulated his statements so cautiously and clearly pointed out the lack of evidence.

Of course people will take action - but this can mean anything:

- Doing undercover investigation to collect evidence whether China or Russia is really behind it or this was a red herring: I would consider this as a pretty good idea under the given circumstances.

- Accusing China or Russia on the world stage that they are behind these attacks: A really bad idea.

But both are plausible actions based on the "prediction" - and I would call the first one actually a good idea under the given circumstances.


> Schneier is a so-called expert who has testified in front of congress

Schneier has been around for a long time, knows the industry well and has made significant contributions. Not everyone gets things right all the time, including Schneier.

Credibility-wise he...

- has a master's degree in computer science

- was awarded an honorary Ph.D from the University of Westminster in London

- is chief technology officer of BT Managed Security Solutions

15 publications, 6 notable books -

- Applied Cryptography

- Cryptography Engineering

- Secrets and Lies: Digital Security in a Networked World

- Beyond Fear: Thinking Sensibly About Security in an Uncertain World

- Liars and Outliers: Enabling the Trust that Society Needs to Thrive

- Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

Reference: https://en.wikipedia.org/wiki/Bruce_Schneier


I don't want to throw more shade at Schneier than needs to be thrown, but I want to point out that you've pointed out basically two† real credentials:

* He has a masters degree.

* He wrote a bunch of popular books, and reaped a lot of fame from them.

I work, part-time, in the cryptography space his best-known books cover. His most popular book, Applied Cryptography, is not well regarded in the field. Opinions differ on Cryptography Engineering --- I like it a lot --- but he's a coauthor on that book, alongside a practicing cryptographer of significant renown. The rest of those books are non-technical.

I've worked in security since the mid-1990s, and Schneier has been a presence in the industry that whole time. And his Mirai attribution is far from the dumbest thing he's had to say.

I want to be careful because I'm sure Schneier is very good at what he's good at. My concern is that in addition to that --- without intending to be --- he's also insidiously "famous for being famous", and that his takes on things like DDoS attribution are thus taken more seriously than they should be. There are HN commenters that I think have more reliable takes on what's happening in the computer underground than Schneier.

He should write HN comments rather than pieces that get syndicated into magazines. He'd be an excellent HN commenter. :)

(You might add that he's a co-author of some well-known cipher and hash designs, and IIRC the sole author of Blowfish, his best-known design. [Don't use Blowfish.])


Schneier decided to leave the academic/technical side and become a pundit.

That's nothing to be ashamed of, I'm sure he didn't just do it for the fame, but because he wanted to make things better. I still think he's a better cryptographer than writer, but he really seems to enjoy writing.

But it feels uncomfortable when people misunderstand his role.

(And he lost some of my good-will and admiration when he ridiculed Randall Munroe's comic and didn't have it in him to post a correction for what was basically him not reading the comic, but projecting something he already had in mind. That happens to everyone, it's a bit embarrassing and not really bad, but sticking to it when he knows full well that the masses trust him is inexcusable.)


Thanks for the perspective. How would you classify him if ranked against the other usual high profile "security personalities"? Often an individual's ability for self-promotion can place a shadow over their true ability, making it difficult to discern their true qualities when one is not a subject matter expert on the topic at hand.

On the book front, would be keen to gain your perspective on the following crypto book that was recently published -

https://www.nostarch.com/seriouscrypto


Serious Crypto is strong, and JP Aumasson is the real deal. I might still want both Cryptography Engineering and Serious Crypto; Serious Crypto is far more detailed and up-to-date, but Cryptography Engineering has valuable perspective on a lot of nuts-and-bolts stuff.


Great! That’s all I need to hear - will place an order.


"There are HN commenters that I think have more reliable takes on what's happening in the computer underground than Schneier."

Can you name them?


> He should write HN comments rather than pieces that get syndicated into magazines.

Sure, but he wouldn’t get paid very well for that.


But that does not excuse knee-jerk reactions.

>China or Russia would be my first guesses

Why? If this is just based on it being a massive attack, then there's no basis to automatically blame China/Russia. Have you not noticed this trend? Every time there's a big attack or new strain of malware, it's always China/Russia/North Korea, and that finger pointing is before any concrete evidence?

Honestly, it's xenophobic and will cloud judgement as you'll be looking for evidence that it is China/Russia/North Korea rather than looking for facts.

Even if there's a good chance it is them, should we not believe in innocent until proven guilty?


This is not as much about xenophobia (as xenophobic as USA is) but about not having an egg on your face.

Companies seem to love to throw "state sponsored" around because it sounds better to imply that you were so secure that only North Korea, Russia or China had a chance, and at that level of attack (by such a state that openly challenges the USA so often) it's not your fault you got breached because it's implied everyone would be. Equifax ran outdated Apache Struts for a few days after a patch and information about the vulnerability were out, and now China is being pointed at with really flimsy (IMO) evidence[0].

On the other hand no one probably wants to defend China, North Korea and Russia and it sounds much cooler to be fighting against their state hackers than script kiddies and saying that all these "high profile state attacks" were script kiddies is basically shitting on the security industry in a way.

[0] - http://www.dailymail.co.uk/news/article-4937010/Clues-sugges...


> Why?

Occam's razor? If the majority of large, coordinated attacks and malware come from those countries it seems reasonable to suspect them initially, doesn't it? He said they were "guesses". He straight up told you he was speculating. That's not xenophobic, that's statistical probability.

> Even if there's a good chance it is them, should we not believe in innocent until proven guilty?

Yes, but if no speculation is allowed until after a conviction then how would anyone ever be investigated? We would never be able to accuse anyone of anything!


> Occam's razor? If the majority of large, coordinated attacks and malware come from those countries it seems reasonable to suspect them initially, doesn't it?

Not really, just because attacks come from a certain country domain does not mean that said country's government is sponsoring said attacks. Even the CIA/NSA use hijacked foreign servers for their operations, that's why attribution of this stuff is so difficult.

I'd also be interested in how you define "large and coordinated attacks" because if you track by something like Norse Attack Map [0] then your Occam's Razor would suddenly point at the US, at least right now.

> Yes, but if no speculation is allowed until after a conviction then how would anyone ever be investigated? We would never be able to accuse anyone of anything!

There's a difference between "speculation" and flat out misrepresenting the probabilities. At this point, it should be pretty clear, especially to any expert in the field, that the Internet is a massive force multiplier and the regular rules of "You need big influence to have big impact" have pretty much never applied to it.

People need to account for that in their attempts at attribution instead of going the lazy route of blaming "The axis of evil" for it, which this lazy China/Russia/NK attribution basically boils down to.

[0] http://map.norsecorp.com/#/


He doesn't look silly because he guessed at a state-level attribution --- state-level attacks certainly happen. He looks silly because the attacks he chose to attribute to state actors were in fact being conducted by a small number of teenaged Minecraft players.


While I agree with your basic premise, everybody gets things wrong sometimes, I still felt this was needless dramatization by Schneier when I read it back then.

Somebody with his experience should know better than to throw guesswork attribution haphazardly around like that (at least not without a very big disclaimer), especially in a climate that was, and still is, pretty hawkish on "cyberwar turning hot".

Because it's exactly his experience and prestige which gives the uninformed the impression that his "Russia/China" attribution was based on something solid, and not just mere guesswork without any basis on evidence at all.


Just to clarify, he’s not with BT any longer, but with IBM Resilient:

He has been working for IBM since they acquired Resilient Systems where Schneier was CTO.


I think a lot of the speculation was based on the initial size of the attack (620-665gbps).

https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with...


Right. The problem is the premise that it would take a state-level adversary to generate that kind of traffic, and not a single-digit number of disgruntled teenaged Minecraft players.


Wired is misusing that quote, since it does not pertain to Mirai specifically, but to cyberwarfare in general.

Here's the source titled "Someone Is Learning How to Take Down the Internet", dated September 2016:

https://www.schneier.com/blog/archives/2016/09/someone_is_le...

The source paragraph does not mention Mirai at all (nor does the article):

> Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

You should actually read the whole article to get a sense of where he is coming from.


Yes, but still. I read the article when it was first published and felt it was the usual "evil communism" bs (which I honestly wouldn't have expected from Mr. Schneier), and this time around we actually got a definite answer proving these kinds of claims wrong. Nowadays every time some news pops up revolving around cyber attacks, sooner rather than later someone points at China or Russia, with some very vague evidence at best. "Oh, we found a Russian text string embedded in the binary, it MUST have been written by the Russian government."


I think we are taking this the wrong way. The situation is "we more or less blamed Mirai on a State sponsored actor", and we focus our attention on "hey, you were wrong! How dare you suspect foreign governments? That's kind of racist!".

I see it as a minor concern, the major one being "Mirai is the definitive proof that you don't need the means and resources of a big hacking team financed by a government to cripple the internet. 3 kids who want to cheat on Minecraft can do it". Sure, we already kinda knew that, but this proof is quite scary.


I read the original at the time and again yesterday, along with Brian Krebs' epic article, and it seems pretty clear that he's talking about the same phenomenon Brian Krebs is talking about.


>But I’m sure the DNC hack was the work of an advanced nation state

Do you have a better explanation? I'm all ears. I haven't heard one.


Why do these kinds of investigations only ever stop at the perpetrator of the attack? In rushing to market, these IoT companies pushed out a defective, insecure product. Such an attack would not be possible without vulnerable hosts to hijack, so why aren't the IoT hardware companies investigated or fined?


It's not illegal to leave your door unlocked.


At least in Germany, it's illegal to leave your car door unlocked. (Not sure about house doors.) The rationale is that it invites crime.


Actually it's illegal to lock the house door, because of emergency situations. In case something happened and the people need to flee, they could be trapped in the house.

Also technically it's not illegal to leave your car door unlocked, Police just handles it that way. The law demands that the car cannot be misused.


It's not illegal to lock your house door, that's only locks that require a key to unlock from inside. Normal deadbolts are fine. You just can't lock people in.

Example here http://www.ahouseonarock.com/chesterfieldhomeinspector/doubl...

People have used these thinking "Someone could break the glass, reach in, and turn the deadbolt to open the door," but it's really not worth the trade-off of "My house is on fire and I can't get out."


I didn't know that. Is it possible, then, that a person who leaves their door unlocked is punished while the person who stole and dumped the car is not?


Wtf, no. The person stealing the car is of course punished as a thief. (Unless he doesn't get caught, obviously.)


And is that not a classic case of victim blaming?


It is victim blaming, but some countries obviously deem that acceptable behavior, to the point of putting it into law.


It is in some countries. The logic is: if you lock your car, it is harder to steal. If it's stolen because you left it open, it's your fault and you pay for police time and investigation. If a policeman sees your car unlocked they can give you a ticket for leaving that way.


What about those of us that don't want our car window bashed in by some crackhead cause the door is locked? I'd much rather lose a few ones and tens in my coin drawer than buy a new window.


Maybe not, but the insurance will shrug at you if you make a claim for theft.


What are you storing in your car that is worth more than your deductible? Here in Seattle, in certain bad areas you'll find numerous car doors unlocked, usually cause the owner doesn't want their window to get smashed by a crackhead over a sub-$100 potential theft.


>so why aren't the IoT hardware companies investigated or fined?

By whom?

Where do you imagine these devices are made / manufactured?


By the police.

>Where do you imagine these devices are made / manufactured?

It doesn't matter. If a Chinese, Thai, US, Spanish or Russian company wants to sell their device in Europe they have to comply with CEER (Council of European Energy Regulators) regulations; we need a similar regulating body for software. Since we have lamps and phone chargers that don't blow power sockets and don't burn houses, we need software that doesn't blow up the Internet and burn cables.


Are you sure about that last claim? There's a huge load of substandard, fake or not certified electrics coming in, also thanks to big online webshops that send directly to consumers. And the consumers don't care, they have a basic expectation of quality and no idea of things like electrical safety, fire risks or RF emissions.


I read recently that a guy in Poland had his Bitcoin miners Antminers worth 100k USD confiscated at the border check because it was not certified, it didn't have CEER labels: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...


Yeah, but it's akin to banning drugs through the mail. Unless we open and inspect everything mailed into a country (which would be a massive make-work program of the likes we've rarely seen), you can't stop it all. AliExpress, Deal Extreme and eBay are going to keep selling goods with fake CE and UL labels that are substandard, despite regulations to the contrary.

If your country does need a make work program, hiring many postal inspectors wouldn't be the worst make work program yet. I think the TSA wins that :P


Sure, you can't stop all of them, but stopping 96% would be enough.


You're never going to get into the high double digits; as it is, most postal services have a pitiful catch rate for drugs, and expanding that to cover electronics doesn't mean that catch rate will magically improve.


If IoT botnets become more prevalent (and it doesn't seem like IoT makers have incentives to make their devices more secure), I wonder if ISPs will just start monitoring the traffic patterns of their customers for possible DDoS activity and possibly throttle or cut off their internet connection to stop the attack at its source. Probably would even be compatible with most net neutrality regulations around the world, since it's a security issue.

You could probably hide DoS traffic from a single device by making it very low volume, but if the ISPs coordinate, they still know that the device recently sent packets to a victim of a DDoS attack, making it suspicious.
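As an added illustration of the ISP-side detection sketched in the comment above (example code written for this page, not code from any ISP or from the commenter), the following runs two checks over constructed NetFlow-style records: a local high-rate check per customer and destination, and a cross-ISP correlation against a shared list of addresses reported as under attack, which is what catches the low-volume participant the comment describes. The flow records, the victim list, the thresholds and the address ranges are all constructed assumptions.

```python
"""Toy ISP-side detector for customer devices taking part in a DDoS.

Constructed example, not from the original thread or any ISP product.
Flow records are synthetic NetFlow-like tuples; SHARED_VICTIMS stands in
for what cooperating ISPs would exchange. Thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds (constructed clock)
    src: str       # customer-side address
    dst: str       # destination address
    dport: int
    packets: int
    bytes: int


# Constructed flows: 10.0.0.7 floods one target for a minute, 10.0.0.9 sends
# only a trickle to the same target, 10.0.0.3 is an ordinary user.
FLOWS = [
    Flow(100, "10.0.0.3", "203.0.113.10", 443, 40, 52000),
    Flow(101, "10.0.0.3", "203.0.113.11", 443, 25, 31000),
    *[Flow(100 + i, "10.0.0.7", "198.51.100.5", 80, 900, 54000) for i in range(60)],
    Flow(130, "10.0.0.9", "198.51.100.5", 80, 3, 180),
    Flow(131, "10.0.0.9", "203.0.113.10", 443, 30, 41000),
]

# Assumed cross-ISP feed: victim address -> (attack start, attack end).
SHARED_VICTIMS = {"198.51.100.5": (100, 200)}

RATE_PPS_THRESHOLD = 500   # assumed: packets/sec to a single destination
MIN_DURATION_S = 30        # assumed: rate must be sustained this long


def high_rate_sources(flows, pps=RATE_PPS_THRESHOLD, min_dur=MIN_DURATION_S):
    """Local signal: a customer sustaining a high packet rate to one destination."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    flagged = {}
    for (src, dst), fs in by_pair.items():
        t0 = min(f.ts for f in fs)
        t1 = max(f.ts for f in fs)
        duration = t1 - t0 + 1
        rate = sum(f.packets for f in fs) / duration
        if rate >= pps and duration >= min_dur:
            flagged[src] = f"{rate:.0f} pps to {dst} for {duration}s"
    return flagged


def correlated_sources(flows, victims=SHARED_VICTIMS):
    """Cross-ISP signal: any traffic to a reported victim inside its attack
    window, regardless of volume. This is what exposes low-and-slow bots."""
    flagged = {}
    for f in flows:
        window = victims.get(f.dst)
        if window and window[0] <= f.ts <= window[1]:
            flagged.setdefault(f.src, f"contacted reported victim {f.dst} at t={f.ts}")
    return flagged


def suspected_bots(flows):
    """Union of both signals; the reason string is what a notice letter would cite."""
    out = dict(correlated_sources(flows))
    for src, why in high_rate_sources(flows).items():
        out[src] = why if src not in out else out[src] + "; " + why
    return out


if __name__ == "__main__":
    for src, why in sorted(suspected_bots(FLOWS).items()):
        print(src, "->", why)
```

The local check alone only catches 10.0.0.7; 10.0.0.9 sends three packets and looks like noise until the shared victim list says where the attack is. That is the asymmetry the comment points at: a single ISP sees volume, a coordinated set of ISPs sees destinations.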


Providers in my country are already doing this. But they simply send an informal letter to notify the user that with high probability his household is part of a botnet.


This was one of the best things I’ve read on wired in a while. It’s a surprisingly excellent write up on the Mirai bot net and the events surrounding it. (The HN headline title is definitely more click bait than I’d like)


The HN headline currently says:

> The Mirai Botnet Was Part of a College Student Minecraft Scheme

How is this clickbait? All I can see is a summary of what happened. When people say "clickbait", I expect something like:

> Three Boys Sucked At Minecraft. You Won't Believe What Happened Next!


The title has been changed since I posted, and unfortunately I didn’t think ahead to save a copy of the original HN title. The current title is much more what I would have been expecting.


Haven't read the article yet but Krebs was all over it as he was a(the) target.

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-m...


https://www.justice.gov/opa/pr/justice-department-announces-...

FBI indictments

> JIIA further participated in a Border Gateway Protocol (BGP) hijacking scheme in which JIIA and co-conspirators fraudulently gained control over IP addresses that were in legitimate use by third parties. JIIA conducted these activities to consolidate and maximize the power of the Mirai botnet. [1]

Uhh what?

[1] https://www.justice.gov/opa/press-release/file/1017581/downl...


At the very least they stole IPs for the hell of it. Datawagon, Protraf, ....

The cybercrime hosts stole a ton of space, even impersonating dead people and falsifying documents. Served malware, etc off them

https://www.spamhaus.org/sbl/query/SBL180438

Also stole a ton for abuse/C&C/etc. https://www.spamhaus.org/sbl/query/SBL287709 (check whois names at bottom)

They also hijacked 1.3.3.0/24 to announce 1.3.3.7/32 (you can guess why).
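An added example of why the /32 announcement mentioned in the comment above works and what would stop it (example code written for this page, not from the thread, the DOJ filing or Spamhaus). It implements Route Origin Validation with RFC 6811 semantics over a constructed ROA table and then shows plain longest-prefix match with and without invalid routes dropped. The ROA entry, the holder AS64500 and the hijacker AS64496 are constructed (documentation ASNs from RFC 5398), not real RPKI data for 1.3.3.0/24.

```python
"""Route Origin Validation (RFC 6811 semantics) applied to a more-specific
hijack like 1.3.3.7/32 announced on top of 1.3.3.0/24.

Constructed example: the ROA table and AS numbers below are assumptions,
not the real RPKI state of that prefix.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "1.3.3.0/24"
    max_length: int  # longest more-specific the holder authorises
    asn: int         # authorised origin AS


# Assumed: the holder of 1.3.3.0/24 is AS64500 and authorises only the /24.
ROAS = [ROA("1.3.3.0/24", 24, 64500)]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not_found' for an announced (prefix, origin).

    RFC 6811: a route is valid if at least one covering ROA matches the origin
    AS and the announced length does not exceed that ROA's maxLength; invalid
    if covering ROAs exist but none matches; not_found if no ROA covers it.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not_found"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def best_route(dest: str, announcements, drop_invalid: bool):
    """Longest-prefix match over [(prefix, origin_asn)] for one destination.

    With drop_invalid=False this is what a router without ROV installs: the
    /32 wins purely because it is more specific. With drop_invalid=True,
    ROV-invalid announcements are discarded before selection.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, asn in announcements:
        if drop_invalid and validate(prefix, asn) == "invalid":
            continue
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return None if best is None else (str(best[0]), best[1])


# Constructed routing table: the legitimate /24 plus the hijacker's /32.
ANNOUNCEMENTS = [("1.3.3.0/24", 64500), ("1.3.3.7/32", 64496)]


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, "from AS", asn, "->", validate(prefix, asn))
    print("without ROV:", best_route("1.3.3.7", ANNOUNCEMENTS, drop_invalid=False))
    print("with ROV:   ", best_route("1.3.3.7", ANNOUNCEMENTS, drop_invalid=True))
```

Two things the output makes concrete. First, without validation the /32 from the wrong AS is preferred everywhere it propagates, which is the whole point of a more-specific hijack. Second, ROV marks it invalid twice over (wrong origin and longer than maxLength), but only helps at networks that actually drop invalids; the legitimate holder announcing a /32 itself would also be invalid under this ROA, which is why maxLength should be set no longer than what is really announced. In practice most networks also refuse prefixes longer than /24 outright, so a /32 like this is only visible where that filtering was absent.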


Great read. Despite the damage they caused, there is a part of me that wishes (hopes) that their crimes are overlooked and instead put to use as white hat operatives in an elite super-secret government black program fighting terrorism and solving the world's most pressing problems; not ruining their lives with prison and all the other baggage associated with being branded criminals. Maybe I have watched too many movies!


DDOS attacks on individual Minecraft players are definitely a thing. As a result players' infosec practices are likely a lot stronger than their peers...


"young American computer savants" Ah so Mum or Dad paid a doctor to diagnose them as autistic after the fact.


What does autism have to do with it?


Maybe because the word savant was used which is oftentimes used to describe a smart person with autism.


No, savant simply means "a learned person". Perhaps you are thinking of "idiot savant", which refers to someone with a mental disability and is gifted in a particular way.


That's not the way Wired were using it; they were using it as a synonym for autistic.


Quite. It's common for those caught hacking whose parents have money that they suddenly become diagnosed with autism, which pisses off those with autism.



