He's providing an economic benefit to society - internalizing (to consumers) the externality of IoT botnets. It's now on the consumers to further internalize the cost to manufacturers through product selection, class action, or both.
Not necessarily. If a consumer's device is bricked within the (usually 1-year) warranty period, then they're able to send it back to the manufacturer for a replacement, which pushes the cost right back to the manufacturer.
Also, if the device is bricked very quickly after buying it and installing it, the consumer will very likely simply return it to the retailer as defective, which again pushes costs back to the manufacturer.
I think that's actually the only solution to the IoT security problem: more people regularly scanning for and bricking these devices, until the return rates make it unprofitable to sell broken devices in the first place.
In that case, I think for the vigilantes it's absolutely critical that they figure out how to brick these devices as quickly as possible when they come on the market, because if they're targeting devices that are a couple years old now, that means many consumers will be past their warranty period and may not be able to return them.
I was on the fence about this vigilante bricking until reading your comment. Pushing the cost back to the manufacturer in this case should make a considerable difference since these are low-cost devices and therefore the cost to the manufacturer of each return will probably cancel the profit of the last ten sold. Those proportions will become hard to ignore.
How does your opinion change with phishing attacks? I'm going to steal funds from businesses by phishing vulnerable people, because if I don't capitalize on it, then people won't understand the costs / risks.
These are intentionally-defective products bought by apathetic consumers. They've already been compromised en masse with lots of damage done. Destroying dangerous, defective products isn't the same as conning innocent people out of their money.
The person bricking IoT devices isn't getting money from that. If they did, or if you did, I would hope each of you would donate to charities.
You don't really know that for sure. That person could easily be shorting the shares of the IoT device companies that they are targeting, hoping that articles like this one are written that are critical of the manufacturers.
They could be. But that question of "could it be" is clearly different from the person outright stealing money directly from victims, for whom it is much more likely they are a scam artist trying to rationalize their bad behavior.
By saying clearly different, I don't mean to minimize the actions of the vigilante. One of the chief characteristics of civil disobedience, for example, is to resolve that "could it be" question. By receiving the unjust punishment the dissident displays good faith with proponents and opponents. I don't yet see how pseudonymous hacktivism keeps that good faith with the public. And that seems to relegate it to either being small-scale, symbolic acts like this or large-scale grey hat stuff that brings lots of unwanted risks/cooptation/etc.
What they get is irrelevant, it's someone using their skill set to make others aware of a flaw. I would argue it's the exact same premise. I'm going to phish people & cause them a financial cost to teach them to be safe.
It's actually the main relevant part of the analogy.
It goes to veracity.
There's a person who gave a public talk about manipulating Bitcoins with weak private keys in order to alert the owners that they were vulnerable. But he did it in a way that verified to the owner he hadn't in fact stolen the coins (moving small portions around or maybe signing with the key, I can't remember). He also mentioned in the public talk that the owners of those Bitcoins were totally freaked out by this, and most were never convinced that he was acting in good faith (which is probably a smart assumption on their part).
So the fact that he didn't steal the coins is completely relevant; it's the very reason he could give a public talk on what is still grey area behavior.
Your hypothetical thief, on the other hand, is clearly mendacious. You have him claiming, "If I don't capitalize on it, then people won't understand the costs/risks." That is clearly false from my real-world example above, and if he tried to give a public talk about how his theft benefited society he'd be arrested.
You're probably talking about me. I actually screwed up when I was moving coins around, and ended up emptying someone's address out, however I put everything back within a few minutes. I haven't had anyone whose coins I touched accuse me of anything unseemly, but of course there are random posters on internet forums who talk shit.
Your point that I couldn't have given a public talk had I stolen the coins is completely correct. I still spoke with a lawyer about it ahead of time, though. :-P
There was another person, who was somewhat less scrupulous, who would simply steal the coins and watch for someone to complain in public about it, then offer to return them. They use a pseudonym and as far as I can tell have vanished.
I am OK with this as well. If you put up a script on github and email an org, asking for help debugging, and your script drops an ssh key, then daemonizes a reverse tunnel running as that user to a VM you control, then I would blame companies and the maintainers of ssh for allowing this to work. If their board members are unaware of the risk, then shame on any human layers that hid these capabilities or were too inept to fix it. It is their fiduciary responsibility to their investors to take security and privacy seriously to protect their investments. Companies that are cavalier in this regard need not survive.