Botnets are making use of the Internet of Things, Windows runs on Docker running on Windows, and new attempts to make AI seem like a good thing.

IoT botnets

A couple of events have happened in the past few weeks that shine a harsh light on the security of IoT devices. The first of these was an attack on krebsonsecurity.com, the site of security researcher Brian Krebs.

In his field it’s not uncommon to have attacks aimed at his site, so he was protected by Akamai who have a decent chance of mitigating attacks like that. This DDoS attack was different though, as it was the biggest attack Akamai had ever seen at over 650 Gbps (almost twice the size of the previously biggest Akamai had seen this year). In a second [follow-up article][krebcensorship] Krebs explained that if the attack was sustained it would have cost Akamai millions of dollars to defend him from it.

While interesting in itself, the real meat of this story is that the DDoS attack wasn’t done using traditional methods¹ but utilized thousands of compromised IoT devices. So yes, these are the smart lightbulbs, TVs, cameras, scales, etc. that we’re all slowly bringing into our houses.

Then, a second attack took place against hosting provider OVH consisting of about 150.000 IoT devices, mostly CCTV cameras. The bandwidth of this one exceeded 1Tbps.

So, how can this happen, and what can be done about it? The first of these questions is a lot easier than the second one. In the past I’ve mentioned the lack of security updates for Android phones, because it isn’t worth it for the makers of those phones. These are devices that can cost hundreds of dollars, while many IoT devices (or at least the IoT part of them) are cheap. If a flaw is found in one of them, not only does that give a lot of exploitable devices it is also unlikely they will ever be fixed. How many hardware vendors are going to build a security fix for your lightbulb and then send it out? If they even built in a way to update them? The consequences of this are real though, and this seems to be only the start.

As for what can be done, I hate to say it but I have no good ideas either. While I could say it’s not my field, I don’t think it’s something anyone can really ignore. I’m confident that the companies who make their living guarding people from these attacks are looking into it, and I hope they’ll think of something. In fact, it looks like something is being done on the ISP side of things. In an article posted on Saturday, Krebs details how the botnet used against him is now available as open source but that the author claimed it was getting less effective because ISPs are closing some of the loopholes.

Now, does that mean you shouldn’t get IoT devices? No, that’s not the point of me writing this. First off it wouldn’t make a difference, these kinds of devices will show up everywhere regardless of whether a couple people will stop buying them. And secondly, it won’t stop the underlying problem that attacks like this have such an impact. If someone with enough resources wants to attack, they’ll find a way. Just because these devices are now being turned into botnets doesn’t mean there aren’t alternatives. The same kind of thing could theoretically be done with compromised mobile phones, and I don’t think most people would be willing to give those up.

Docker on Windows

Last week was Microsoft’s Ignite conference where they announced the availability of their new Windows Server 2016. Now, I’m not interested in anything Windows related so I don’t even know what’s new or great about it. The one thing about it that I am interested in is that this version includes Docker support out of the box. Most importantly that means you can build Windows images in Docker. Now, before you jump for joy², this isn’t the same as building Linux images. For a start, the standard base image is about 10GB in size. Which isn’t quite the same as an Alpine Linux base.

Organized AI

The awkwardly named “Partnership on Artificial Intelligence has to Benefit People and Society” was founded, or at least publicly announced, last week. This seems mostly aimed at taking away concerns people might have about the capabilities of AI and their usage. After all, while movies like The Terminator are fun and entertaining³ they don’t exactly show off the best points of AI. So it’s probably a good thing that the truth about this is highlighted. It sounds like most of the big players in AI are represented⁴ and there will be a fair number of people from academia and the non-profit world as well. If these people do their jobs well it should ensure public acceptance of things such as self-driving cars will go smoother so I hope they’ll be successful.

Of course this assumes that Skynet didn’t send someone back to lull us into a false sense of security.