141 comments

[ 2.8 ms ] story [ 131 ms ] thread
What evidence is there that this really is the person responsible for brickerbot?
Someone with more knowledge may be able to corroborate events, or verify the authenticity of the payload he posted.

For what its worth, the name rang a bell and I found this: https://gizmodo.com/this-hacker-is-my-new-hero-1794630960

The writings seem similar, for what little thats worth.

It’s the same person.
You're saying this editor is the hacker or that he fabricated this text? Would he really know enough to sound that credible? If not someone on here should be able to see right through it
> You can download the module which executes the http and telnet-based payloads from this router at http://91.215.104.140/mod_plaintext.py.

Link's not working. Anyone got a copy?

just found this: https://github.com/JeremyNGalloway/mod_plaintext.py

edit: I would recommend extreme caution with that file. I'm still reading, but strings like this are worrying:

    'busybox cat /dev/urandom >/dev/sda &'
Fascinating.

What's up with all the stuff like "if 81 - 81: ..."? Won't that just evaluate to false and never run?

perhaps that's how vulnerable devices were bricked?
Holy obfuscated Python, that's quite the jumbled mess. This is going to be a fun one to pick apart.

I don't think the string is .. worrying on its own given that, you know, this thing is meant to kill IOT/etc devices that are insecure. I'd argue that just given the source (the internet) is enough reason to be wary.

Check this one out:

'GET /cgi-bin/supervisor/CloudSetup.cgi?exefile=(cat%20/dev/urandom%20%3e/dev/mtdblock3%20%26);(cat%20/dev/urandom%20%3e/dev/mtdblock4%20%26);(cat%20/dev/urandom%20%3e/dev/mtdblock6%20%26);(cat%20/dev/urandom%20%3e/dev/sda2%20%26);((sleep%2017;route%20del%20default)%20%26) HTTP/1.0\r\nCookie: SSID=%%CUSTOM1%%\r\n\r\n'

Any tools someone can recommend for de-obfuscating this?
There's no noteworthy obfuscation, aside from weird names of variables.
What's the point of obfuscating then?
Clean exploit code could be used maliciously (or accidentally) by people that might not understand the true nature of the program. There is a tradition when releasing exploit code to obfuscate it or introduce obvious errors that make the code safe{,er}. This prevents script kiddies from immediately using it, while anybody who should be reading the code should be able to see through the obfuscation/errors.
I suppose a better question might be, then, does anyone have any resources for gaining a better understanding of how this exploit works?
Most of the value is in the data (common login credentials). The bulk of obfuscated code is probably stuff doing the network communication and perhaps some other mundane stuff, that you can do manually (over telnet, or whatever) if you like and don't care about creating a botnet.
Mudge mentioned on his Twitter account (https://twitter.com/dotMudge/status/941373739681189888) that a project like this had been requested in the DoD but was held back by politics.

Victor Gevers is cited by Bleeping computer (https://www.bleepingcomputer.com/news/security/brickerbot-au...) as saying there are better ways of solving the problem than forcibly disabling/bricking devices. I'm curious what those are, though, since IoT manufacturers (speaking broadly) don't seem motivated right now to take even basic security precautions with their devices. I know some groups use sinkholes to redirect compromised devices, but while that can be useful for research it doesn't seem like it has the same motivational impact for change.

There's no incentive for manufacturers to do anything. This actually just increases sales, as dead devices are replaced (probably by the same device/firmware). Insecurity converts the equipment to a consumable that generates an annuity.
This is the key problem. The manufacturer might even consider the poor security as a feature (for them)
There's a couple of other problems there too - the "manufacturer" is often some unknown and unfindable usually Chinese contract electronics assembly firm, who had little to do with the design or software. The company who contracted them to do it often no longer exists a few years down the track. The place it gets sold can easily be somewhere like Ebay, AliExpress, or Kickstarter - where the vendor really isn't going to care once your payment has cleared.

(Source: I was the platform security guy for an IoT startup in 2013/14, for a company who no longer exists and who's only product run is still out there somewhere no longer getting security updates...)

If the new device would stop working soon enough after purchase, customers would be more likely to return it to store.

I see the normal manufacturers/sellers responsibility as the only good answer to the problem. I don't like solutions involving fines or large liabilities, because these can create wrong incentives to people/companies.

Doing security properly for these devices is not very expensive compared to scale they are being sold. Therefore I think simple things like increased return/warranty repair rates should provide enough incentive to focus on security.

I don't like solutions involving fines or large liabilities, because these can create wrong incentives to people/companies.

Making manufacturers liable for incidental damage their devices do sends the message that they should avoid such damages as far as possible. That seems like a good message to me.

If device $20 device X does $20,000 damage to the hospital down the road, the fact that the consumer can return the device seems woefully insufficient.

Making manufacturers liable for the damage their products do is do allows the insurance industry to set minimum standards. (i.e. you would have to get some kind of certification similar to UL/CE to get insurance)
> device $20 device X does $20,000 damage to the hospital down the road

If it were able to do that, then presumably that $20 device had eg a good amount of explosive in it, and therefore would be in no condition to return it to the store.

Unless you're alluding to that $20 device being used as a communications proxy, under a mistaken idea that the Internet has some concept of node trust. In reality, the hospitals $20k "damage" would be due to its own developers' negligence and demands for compensation should be placed squarely at the door of its suppliers and integrators.

So what you're saying here, is that you're happy to let me drop a device of my choosing on to any part of your network, and that you'll take full responsibility for any damage caused because it was your (or your own developer's) negligence.
I don't see how you're inferring this, as a consumer's home network doesn't have trusted access to the hospital down the street.

What I did imply is that if I develop a device and put it on my network, then I'm essentially responsible for whatever damage it causes. Eg wiring a RPi to a heating element that will start a fire if left on continuously is a poor idea, regardless if the proximate cause is a cosmic ray bit flip or malevolent Internet noise.

So, you're saying that if random consumer buys $25 dollar IP aware camera, puts it on their WIFI (and hence the Internet) so they can look at their cat at work, it is that consumer who the DoS-hit hospital down the road should look to, when that hospital is hit by massive botnet-drive ransomeware attack.

'Cause certainly random average-consumer should know how dangerous adding crap to their network can be ... for others ... and certainly he/she is capable of making provisions for this.

Fortunately, modern legal theory actually does consider "who are talking about here, what can expected of them." in cases like this. Hospitals could theoretically sue IoT manufacturer on this as far my ianal knowledge goes and it's more that the manufacturers are distant cheap factories in China that prevents this.

> it is that consumer who the DoS-hit hospital down the road should look to, when that hospital is hit by massive botnet-drive ransomeware attack.

Erm, no - the exact opposite. The consumer should look at the camera's manufacturer for their own connection being swamped, incurring overage charges, etc. In your scenario, if the hospital's only problem is that their Internet uplink is swamped, then they should be looking at their link provider for robust upstream shaping, etc. In the case of a simple traffic overload, nothing critical at the hospital should be affected because critical traffic should be segmented, or at least prioritized, over traffic from arbitrary endpoints. If there is more of an affect, then that is due to a further vulnerability that belongs to the hospital!

I referenced the hospital's developers/suppliers for these further vulnerabilities - in those cases they should be looking at their network admins, or at the creators of the failing (defective) equipment. The crux of the End to End principle (ie the Internet) is that edge nodes have the intelligence, and thus requirement/responsibility, for discerning "good" traffic from "bad". And (as I said) coming at it from the other direction, general robust engineering principle dictates that physical devices "fail safe" no matter what noise is presented at their network ports.

"Doing security properly for these devices is not very expensive compared to scale they are being sold."

Not sure that's true. I did a 18 month stint with a tiny (6 person) hardware startup - most of my time was spent ensuring our devices could auto-update their embedded Linux securely without bricking or losing any of the custom hardware specific capabilities. It's not an easy trick to pull off (big thanks to the ARCH Linux team for all their work that I built on), and there's ongoing cost involved to ensure newly discovered vulnerabilities have a process to be evaluated, patched, tested, and deployed to the fleet of devices.

Updates are expensive if you reinvent them from scratch but cheap if you adopt an existing framework.
There aren't any good frameworks for doing so in an embedded space. Traditional linux package managers aren't really great for this (nix is the closest to getting it right, but isn't really ready on embedded yet).

edit- The main objective, of course, being allowing unattended atomic updates with as low a risk of bricking the device as possible. Usually these devices will be updating the whole root filesystem at a time, which is otherwise read-only. Ideally this is also done with as little downtime as possible. There is some work in this space in standardizing a solution, but it isn't really there yet, so it tends to get home-grown for each product.

I got super lucky. Between the design/BOM stage and the actual first manufacturing run, the price of 4Gig micro SD cards dropped below the price of 2Gig ones - so I ended up (at the last minute...) with enough space to do a complete system install on a separate partition. Reduced my fears of remote bricking everybody's devices enormously...
The high expense is caused in part by the current high volume of vulnerabilities.

Vulnerabilities and updates are inevitable, but the current volume of them is not, by orders of magnitude.

The volume of serious exploits could be reduced dramatically if we started to more seriously apply the principle of least authority (and an important technique and way of thinking about that is capability security -- in fact an important technique to make 'brickless updates' easier to achieve too, I suspect).

I think how to kick-start the industry to actually do that is a difficult problem.

If ISPs cut off customers with compromised devices it would create serious motivation. Also serious collateral damage and backlash.
Where I live, ISPs do distribute those devices.
I once got a angry email from my ISP that i have ports open i shouldn't have. If they would be used for DDoS amplification they'd cut my connection.

And if I couldn't fix it or had no clue what any of these terms meant I should pay somebody to fix it for me. (No referrals)

So the DoD wanted to brick devices instead of just declaring companies making these devices a threat to national security, banning their products from sale, and setting a good precedent?

:|

Would the intel community really need a botnet like this to operate?

The thing is that the largest consumers of these devices aren't within the US.

Many of them are from Chinese companies and are being sold throughout Southeast Asia and South America.

(comment deleted)
I don’t think the DoD getting to unilaterally decide what devices can be sold in the US is a good precedent at all. I expect devices with troublesome features like support for end-to-end encryption would be the first to go, and insecure devices would probably stay as long as the vulnerabilities were known to them.
Presumably a state-level actor could not only figure out how to disable these devices, but actually create patches for the vulnerabilities and force-distribute those patches. They would have access to test hardware and could even demand confidential documentation from the manufacturers to facilitate this.
...and include whatever they want into those patches. And they'll want.
Though that does remove a lot of the incentive for the IoT company to change anything.
The better way is to transition to identity networks. The sybil attack is a function of the low cost of identities. In the current stack, IP addresses play a dual role of locators and identifiers. This is bad engineering and leads to the current situation. The Host Identity Protocol (HIP) has been in use by boeing and the US army for years now. The revised version (HIPv2) hasn't seen an open-source implementation yet. If someone with enough time and skill wants to change the world, a good implementation of HIPv2 will have a very positive impact.

https://tools.ietf.org/html/rfc7401

If what this person says is true, this kind of stuff is really dangerous and can get you in jail, even if your intent was just to show potential exploits. I wonder if this person's real identity is one anyone's radar currently.
This is the situation we put ourselves in by constantly complaining that we can’t move fast enough and hiring “talent” straight from coding bootcamps. Brace yourselves, the time to eat your own dogfood is coming! :^)
The devices in this story - routers, cheap IoT devices, etc - aren't products of bootcamp-hiring buzzword-spouting Silicon Valley companies, though. They come from a long tail of decades-old mid-sized electronics businesses with, AIUI, low margins and cultures that don't value software highly. It's not about JavaScript hipsters (for once!); this is much more related to the situation with terrible automotive software.
https://www.deccanchronicle.com/technology/in-other-news/171...

"Paras Jha, Dalton Norman and Josiah were also a part of this normal Minecraft server entrepreneur game until they decided to force players from other servers on to theirs by clogging their networks. Therefore, Mirai came into existence and started performing for them very well. However, Mirai started outperforming the creator’s expectations, affecting the Internet outside Minecraft badly."

"The creators of Mirai found potential in the botnet and therefore went on to fine-tune it to improve its abilities. They even started leasing Mirai to other cybercriminals, who used them around the world for their own vested interests."

https://en.wikipedia.org/wiki/Mirai_(malware)

"Upon infection Mirai will identify "competing" malware and remove them from memory and block remote administration ports."

From an evolutionary perspective its an interesting example of 'fitness'

From an evolutionary perspective it's not that different from any start-up that pivoted from it's original goal after finding out it's real effectiveness. The only difference is the criminality of the activity.
Malware can be reasonably described using evolutionary mechanism (similar to Memetics), AVs and best practises create a evolutionary pressure in which only the fittest and most aggressive malware can win out. A lot of things in computer science and/or on the internet behave in ways not to dissimilar to evolution
My main feeling about all this is that "let it burn" probably is the only way to deal with the mess. It must have been pretty obvious from quite early on that trying to fight blackhats on level field as a single individual is not sustainable, and the time that he has been buying is in no way enough to employ the major cultural shift needed to improve the landscape. Attempting to suppress the attacks seems just to make people complacent, so it might be better just to let the attacks to do their damage and hope that those spur some improvement.
This is how the forests of California dealt with fires before humans started fighting them.

As humans fought fires, there was a buildup of flammable material in the forests, making each successive fire incrementally worse.

I was using this exact same analogy to explain this to someone earlier, although I have to admit that I agree with the person above. Going out and starting forest fires in national forests without official government sanction, even if your intention is to create controlled burns and prevent a bigger fire will still land you with a verdict of arson.
> Going out and starting forest fires in national forests without official government sanction, even if your intention is to create controlled burns and prevent a bigger fire will still land you with a verdict of arson.

No good deed goes unpunished.

If there weren't any forest rangers/firefighters organization to back-burn, then the lone person trying to do some good may be the only way forward. But for forest fires, such an organization does exist, and no-one should be burning by themselves.

There is no such organization for the internet. So we are left with lone white-hats who risk personal safety to do some good. I wish there's a better way.

I'm probably starting to stretch the analogy a bit thin but: In Australia, similar issues, but we've been doing back-burning/fuel-reduction-burns for quite a few years now to deal with these problems (the indigenous population practiced controlled burns for a variety of purposes well before whitefellas arrived). However, some evidence is now starting to emerge that the mode controlled burns is effecting the long term ecology of the forests, and favouring certain species over others, and preventing the build-up of larger, less-flammable trees.

So, to tie it back to IoT: Would a 'controlled burn' (i.e. a bot which bricks vulnerable devices) only destroy the low hanging fruit (i.e easily exploitable devices) and leave the harder vulnerabilities in place, building up for the bigger fire in a years time?

"let it burn", as in a self-correcting feedback present in large dynamical systems (such as forest fires).

major internet disruption potentially larger than anything we've seen before, as in you and I and every single aspect of modern society that relies on the Internet (aka pretty much everything).

do you not see what will burn?

(comment deleted)
The time to let it burn is now, gradually, while we're not that interconnected yet. It may inconvenience a lot of people, but continuing the status quo will lead to a lot of people being ruined or killed in the (not so distant) future.
This is probably the only way to enforce the correct incentive for manufacturers. Build them right or they will fail.

IoT being so hyped right now is specially troublesome since all they will care is time to market, and when the market is filled with insecure devices what else will there be to done?

Correct. The OP was very noble but quite misguided.

0) Let it burn was how CA operated until we started fighting fires and building in unsafe spaces and it worked pretty well. The Thomas Fire is a good example of this problem. You can reduce the damage but there still will be damage.

1) Legal issues if you are detected and someone wants to "make an example" to be malicious doing this, even if you are found "not guilty" the consequences are non-negligible.

2) In any capitalist culture, prevention only becomes "cost effective" when multiple headline making disasters convince people in suits they will look like idiots if they don't pay at least lip service to prevention.

3) If a criminal ever figures out who you are and that you are invalidating their large $$ investment in a criminal attack, they may be willing to engage in criminal acts to stop you specifically and you don't have the legal protection and training a LE organization would have.

https://krebsonsecurity.com/2017/02/men-who-sent-swat-team-h...

> It’s been a remarkable week for cyber justice. On Thursday, a Ukrainian man who hatched a plan in 2013 to send heroin to my home and then call the cops when the drugs arrived was sentenced to 41 months in prison for unrelated cybercrime charges.

If you aren't equipped to handle events like this, tangling with blackhats means a single opsec mistake is going to result in shit like that.

Given the scope of criminal activity using the net now, 3 is surely non-trivial.
a practical demonstration of N.Taleb's Antifragile principle, if you will :)
Do not execute the random, obfuscated python code linked to from this paste. This could be bait, and could PWN you. This must be audited first before anyone runs it.
My thoughts exactly. The "any programmer worth his salt" statement, followed by this link that you have to download to prove as a programmer you are worthy.
say what you will, but this person knows how programmers think
Yes we agree. That's what I am getting at. If he is genuine then OK. If he is trying to get control of your machine then well...
Obfuscated python, asking everyone to run it? Hah. Good one. Perhaps if you run it in VMWare which runs in Virtualbox which runs in Qemu... and even then. Never run such stuff bare on a machine you intend to still use afterwards.

The irony, if running code from a post from the Brickerbot author would brick your laptop...

Curious question: how was the python code obfuscated ? Does there exists some obfuscation programs that obfuscate the code like that ?
If it's true then this is fantastic work. Should really be the responsibility of the government. If a device is compromised it should be disabled.

It could also set up a pretty nice incentive structure. If a device is bricked due to a vulnerability, then the manufacturer should have to either repair or refund the device. Corporations will not respond properly until it impacts their bottom line.

> If it's true then this is fantastic work. Should really be the responsibility of the government.

Imagine the public backlash there would be if people knew that the government was scanning and hacking devices for the purpose of national security...

As backwards as it seems I think people like the story of a rogue hacker more than the government protecting them.

>Imagine the public backlash there would be if people knew that the government was scanning and hacking devices for the purpose of national security...

/s ?

If so, chortle chortle.

So, given that he might have prevented more damage than he caused, if even the part of the recent DDoS reduction can be attributed to his activity, what to make of it? It can be more of a judgement on society if this person ends up in jail, while IoT makers keep making hefty profits being rewarded for their negligence, and ISPs keep making profits being rewarded for lying to their customers when shit happens and causing more damage than he ever could overall.

It all seems to start and end with technical ignorance of the typical customer. There are popular shows that help pepople choose better food, by exposing shenanigans food makers engage in. Perhaps there could be something similar for tech in the future. Something where a hacker comes on TV and makes a total ridicule of some IoT crap device, and the show uses it to constatntly repeats the basics, like changing default credentials, etc. Same schema that works with food shows, expose someone as an example and add some generally useful advice. Perhaps this might become feasible when IoT is more popular.

Wouldn't an intended side-effect of this action be the end-user getting educated about "why the device I bought doesn't work anymore?" and directly impacting the reputation of the company that manufactures that now-bricked device?

I can only see it as a win-win. Except the internet connected medical devices that are insecure which if affected by such purging bots would literally impact lives. I hope vigilante script kiddies don't get involved with good intent and cause havoc.

Hell's Kitchen for startups and tech with lots of quality expletives.
It can be more of a judgement on society if this person ends up in jail, while IoT makers keep making hefty profits being rewarded for their negligence, and ISPs keep making profits being rewarded for lying to their customers when shit happens and causing more damage than he ever could overall.

Masked comic book vigilantes aren't ever going to be a reality on the mean non-virtual streets of cities but on the Internet it seems we're confronted with something pretty much equivalent.

So here can consult all the old issue of Marvel and DC for a compendium of moral dilemmas and result.

>>Masked comic book vigilantes aren't ever going to be a reality on the mean non-virtual streets of cities

Unbelievably, this is actually the case in Seattle.

I believe the "super" in "super hero" refers to super powers, which Jones lacks. Also, vigilantes typically break the law, whereas Jones does not. In the videos I've seen, Jones is usually taking advantage of Washington's "mutual combat" law and challenging wrong doers to a fight. Then, he takes advantage of the fact that he is/was a professional MMA fighter and his opponent is a drunk jerk.
> Masked comic book vigilantes aren't ever going to be a reality on the mean non-virtual streets of cities but on the Internet it seems we're confronted with something pretty much equivalent.

Or maybe a bunch of actual researchers and government agencies working without praise while someone else writes a sensational story to take all of the credit. And the people believe it on the merits of it being the story they want to be true.

Not sure that TV food shows actually teach people anything. All I see is a lot of people going from fad to fad, not really understanding the core principles.
If you aren't a doctor and you start poisoning your friend with cancer's food does it really count as chemotherapy?
I think the analogy is to the entire Internet being a single body, and chemotherapy being a nasty thing done to it that damages it, but destroys even more damaging things in the process.
This is a question of credentials only. Which I don't mean to sound like I'm dismissing it at all - It's actually the whole reason this guy's effort got stranded.

Chemotherapy is essentially controlled killing, to mitigate or prevent uncontrolled killing. Just like (as someone said elsewhere in this thread) controlled burning is done to mitigate or prevent uncontrolled burning. And here we have controlled hacking to mitigate uncontrolled hacking.

Society doesn't support anybody killing, burning, or hacking, unless there's a way to know and recognize, that the person knows what they're doing. Which (the knowing and the recognizing) is a credentialing problem. It's the only difference between (doctors, police, firefighters, cybersecurity experts) and (quacks, vigilantes, arsonists and some-unknown-hacker), respectively. A guy I don't recognize as a surgeon, is just a masked man coming at me with a knife, even if he actually is a surgeon.

If your intentions are good, you should take the trouble to get some kind of credentials, which can take many forms. (If your intentions are not-so-good then it makes a lot more sense to bypass that, but also for the public to put you in the "untrusted" basket.) This guy bypassed credentialing, and that places him in the realm of those who are not trusted no matter what kind of good they do. Now he can't continue. Instead of that, imagine there was a public debate about the relevant issues and this or a similar effort had actual public consensus and resources behind it.

Now of course I'll grant there are numerous problems with the political process and consensus-building and all the rest of it. It takes a long time to get anything done, and learning how to hack is actually the easy part. Good news: This is actually not the emergency he claims it is. What's the worst-case scenario, the whole internet goes down tomorrow? Well, it's only the internet. There are ways of getting food, water and shelter without using a network at all. Nobody has forgotten how to use pen & paper. Even blankets will still work without an internet. (Not if these IoT clowns have their way of course.) Whatever, don't listen to me, I'm older and I lived almost half my life quite happily in a world where nobody had the internet, yet still everything got done.

Anyway, the other thing is, a "state of emergency" is how all sorts of atrocities and shitty decisions are justified by governments, so it's not something to emulate. The attendant issues deserve to be publicly recognized, debated, decided and then tackled. Maybe it's wishful thinking to demand that much from people today.

(comment deleted)
> This is a question of credentials only.

And credentials are merely a way to build consensus around what is due process and who can determine it. The net effect is the same, but the process for achieving it is without consensus. This is another example of no proper channels existing, and individuals taking matters into their own hands.

> individuals taking matters into their own hands.

aka vigilantism. Sometimes it's required, but it signals that a proper channel should exist for such purposes.

but they don't. Would it be better if this person just tried to negotiate with notoriously unhelpful bureaucrats while blackhats run amok?
I actually agree with you to some extent. Its unfortunate this person has to become an outlaw though.
The worst case scenario should really be defined by just how long will the internet be down.

1 day is an inconvenience

1 week is major hurdle but can be overcome

1 month and people may start being laid off because they can't do their jobs and clients are cancelling services that they can't use

Now how many people over-saturating an internetless job market will it take for food, water and shelter to become a problem is something to study.

This may be an exaggeration, but since we are considering worst case scenarios.

From https://twitter.com/GossiTheDog/status/941462338233946112 :

Before anybody else sends me the “Internet Chemotherapy” link or retweets it - it appears to be a wonderful piece of fan fiction. Deutsche Telekom suspect was arrested earlier this year, key details wrong, TR069 modem stuff was bad implementions crashing devices etc.

(I haven't confirmed this myself)

I do regular scans myself and the number of these vulnerable DVR devices, printers, and routers you find exposed out there is mind-boggling!

Run just a single instance something like this [1] (which isn't even well optimized) and within minutes you'll find vulnerable devices. It shouldn't be that easy to build a botnet.

[1] https://github.com/wybiral/dex

Your readme doesn't say much. Looking at the scanner.py code, it appears you just send a GET HTTP/1.0 request and see what comes back. How do you determine vulnerable devices, response headers with versions?
The response headers are kept in a SQLite db that you can perform regex queries on. It's surprisingly easy to find particular devices based on the headers.

And, yes, it's just making basic HTTP requests on port 80 so it's overlooking tons of devices. But I run this from my own devices and doing blast scans of ports other than 80 can look a bit suspicious.

Do you happen to know something similar that just targets LAN subnets?
This made a brief previous appearance: https://news.ycombinator.com/item?id=15931325. You guys will have to figure out what to make of it.
And I'm still wondering why that got flagged while this got 100+ comments so far...
Who can fathom the mystery. That sort of wondering is an async call that will never be called back.
that's a lot of text; could be be used to analyze the authors writing style and match it to public {github, twitter,...} profiles
Aren't people specially concerned to keeping anonymity already keen to this by now?

The author can be deliberately mimicking style or going through translation in order to avoid this kind of analysis.

This guy is a hero. He bricked vulnerable device before they could be used for DDOS, or worse. And he did it at great risk to himself. I say well done.

The one point I disagree with is blaming the consumer. The simple truth is that security protocols have terrible UX, and until that improves nothing will change. Personally, I think it's time IoT was regulated and, in particular, we require a secure protocol at the time of deployment: IoT devices must be provably wiped, and then put into physical contact with an "owning" device before deployment. This, in turn, requires that people start using what I call a "Home Brain", a device who's primary purpose is to coordinate and secure all other devices that you physically own. I imagine simple versions to be as sophisticated as a router, and hackers might want to put together their own, something like a little home theater box. I suppose in a pinch your smartphone could work, too.

I suspected something like that from the beginning
Author sounds like former US law student or someone who likes do do amateur legal research. "Attractive nuisance" is mentioned here and in a past missive.
This guy knows he's in trouble for what he's done and decides to rewrite history to make himself out to be a "good criminal". Re-framed bragging about his criminal exploits and hilarious (in his mind) escapes from detection ensue.

Frame it as ISP "conditioning" or as "criminal attack", fact of the matter is he committed crimes and now he's feeling the heat so he's putting out re-framed confessions to get the jump on his accusers and try to save his skin.

Then again, people can be more complicated than I give them credit for, and he might actually be a good hacker. It has happened before. I don't know. Let the investigators find out the truth. We have no reason to trust him.

From the linked document:

> Deutsche Telekom Mirai disruption in late November 2016. My hastily assembled initial TR069/64 payload only performed a 'route del default' [...]

AFAIK this is not what happened. Deutsche Telekom had one major incident on November 27th 2016, but that incident was caused by a denial of service attack [1]. Given that the routers in question don't even run Linux, 'route del default' is not really an option anyways, making the first claim of the story likely to be fabricated.

This seems to be a good fictitious story, but nothing else.

[1] https://comsecuris.com/blog/posts/were_900k_deutsche_telekom...

Linux isn’t the only is with ‘route’
We as humans are pretty bad at responding to threats proactively. It takes some damage before we'll take action. In this case, IoT devices are going to have to take down some major infrastructure before we start regulating them.

    I'm sorry to leave you in these circumstances, but the threat to my own 
    safety is becoming too great to continue. I have made many enemies. If 
    you want to help look at the list of action items further up. Good luck.
This sounds scary - like it came straight out from a movie