Security Through Stupidity

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention.

Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you play MP3s, etc. through your stereo. I got it because it was a cute little system running Linux, had a MIPS processor, a web site for developers, extension and enhancement tools in Java, and so on.

I used it for a couple of months, and played with the Java-based remote control application for it and then decided to do some more serious work on it. I rolled my eyes that it only had telnet to get to it, but telnetted to it and was met with:

#which I just stared at for a moment. It didn't even register for a good twenty or thirty seconds before I had the wit to type

lsand was met with something akin to:

bin dev home mnt proc tmp

boot etc lib usr sbin

and that didn't even register with me until I finally then typed

pwdand was met with

/and I made a loud two-word exclamation, of which the former was "oh" and the latter is left as an exercise for you, Gentle Reader, but there are two obvious candidates.

Yup, for the last couple of months, sitting bear-ass nekkid on the Internet was a Linux box with open telnet and a root shell. No username, no password, just a root shell. I said the other obvious candidate word. I also considered (again) getting a firewall. My network doesn't have a firewall. Part of it is that I like the road feel of the packets whizzing by. Part of it is that by the time I open up enough ports to do useful things, I'm just closing down the ones that don't have services on them anyway. Part of it is also that of the three times I've had serious security problems on my network, one of them was because my IDS box got rooted, and one was because the firewall got rooted. For me, adding a firewall adds complexity, and that lowers security. (That last time was when I was traveling with my SO who wanted to send me an email from an utterly ancient netnews program that knows nothing of SMTP-AUTH. Never reconfigure your email infrastructure from five thousand miles away while jetlagged. A couple of days later, you will ask yourself, "I wonder why the SMTP server logs have gotten so big." Fortunately for me, I caught it before the blacklists did.)

I yanked the music box off the network and connected to it directly (one cable, just it and me). Looking through the thing, I didn't see what anyone who was now using it for anything. I checked the IDS logs and there was nothing that leapt out at me to as suspicious traffic. That seemed odd, because how could it not have been owned? I thought about it for a bit, and thought about it more as I reflashed the critter. Then I laughed, because I realized that the tools that probe for vulnerable boxes are not going to be looking for #. It was then too late to tell, but I allowed myself to think that maybe the box hadn't been compromised, as the evidence suggested.

With the machine rebuilt, I connected to it directly with telnet and started probing around for putting a password (like /etc/passwd). There was none. There was no SSH, either. I fulminated on the developer fora about this security stupidity. I found the instructions on how to build the right cross-compiled Linux setup to build binaries for it, and it was filled full of warnings about how to make sure you did this, set that compiler switch, and if you didn't, things wouldn't work, and you get to reflash the box.

This wasn't how I was wanting to spend my Saturday, so I turned the box off, and went to do something else. As I did, I thought about the situation. I became increasingly amused that (apparently) the box hadn't been compromised. I convinced myself that this is because the bad guys wouldn't recognize the box as vulnerable.

As I grumbled and thought more about how to lock down the box and then something occurred to me -- anyone who wants to own the box has to go to the same trouble to make it be a productive member of their botnet community as I do to do the opposite, but they're at a disadvantage because they also have to protect it from me. Since it's easier to find some unpatched Windows box than it is to set up a MIPS cross-compile sandbox, even if they can tell that has an open root shell, it's not economically viable. Think of it as Mutual Assured Annoyance, Economic-Based Intrusion Prevention, Security Through Stupidity, or proving old adage, "In the land of the blind lion, the one-eyed zebra doesn't have to run very fast."

A couple of weeks later, I solved the whole problem when a new product was introduced that did exactly what I wanted (to be able to play music on my laptop on my stereo) at half the price and no icky telnet. The poor little music box now sits face-down, forlorn, and dust-covered on a shelf.