Researcher Scans All IP Addresses of Austria, Finds a Ton of Things That Shouldn't Be Online (haschek.at)
Christian Haschek scanned the entire Austrian IP space and found IP cameras, printers, and industrial control systems and a range of other devices that should not be online.
Annnnd... (Score:4, Insightful)
Re: Teen Porn (Score:1)
In prison. Ask for a guy named Ripper. Every prison has a dude like that. And every pedo gets an introduction.
Tell him ole Ollie_Copter sent ya. You'll get a discount on your first five ... eh ... "pics and/or vids", oh and a 100% guaranteed reduction in the length of your prison stay. All free of charge of course because Ripper, he do like that!
Re: (Score:2)
I don’t know about you, but I was sure glad I happened to be sitting down when I read this shocking headline!
dotted triple (Score:2, Funny)
Austria has 11 million IPv4 addresses. 11.170.487 to be exact
You know you've been in the continent too long when you put periods in the middle of an integer, but not at the end of a sentence. ... na ... never mind.
Sorry to be such a grammar n
Re:dotted triple (Score:5, Insightful)
FYI: in Europe we use periods instead of commas to visually separate long integer numbers into groups of 3 ... a no-brainer if you had looked closely and seen he made the "same mistake" twice.
American way: 1,000,000
European way: 1.000.000
Simple, isn't it?
Re:dotted triple (Score:4, Funny)
American way: 1,000,000
It is not just America. 70% of the world uses commas as separators with a decimal point. We outnumber the dot-separators more than two-to-one.
Of the nine countries with nuclear weapons, seven use commas as separators. So if you want to fight this out, you are gonna lose.
Re: (Score:1)
Both ways of writing numbers are totally flawed.
1.000.000
Did I just write "one million" or "one thousand as a float with a precision of three decimal points"?
1,000,000
Try using that format in parameters, coordinates, etc. It's going to be a mess.
1000000 is just plain easier to read and no mistakes can be made. Of course, if you're programming it has to be 1000000, but still.
Re: (Score:2)
one thousand would be 1.000,000 in their system so in short it is just like driving to the right or driving to the left. Inverse everything ;)
Dots become commas and commas become dots.
1,000.825 == 1.000,825
I have to agree this is kind of silly that we can't all agree on the same notation. This is far worse than metric vs imperial because it is expressing exactly the same value.
There are many websites out there (example: PayPal) that force you to enter an amount or a number in a specific way depending on how
Re: (Score:2)
Let's not even get started on expressing dates...
Re: (Score:2)
And Slashdot helpfully removed the non-breaking spaces that I wrote in the first "1-000-000" of my last sentence. <sigh>
Re: (Score:2)
Thus disproving "no mistakes can be made" :)
Oh, and all three ways of writing numbers are totally flawed. The better way is 1'000'000. No one ever misunderstands that, even if they've never seen it before. And /. cannot bungle the formatting, try as it might.
Re: (Score:2)
Of course, if you're programming it has to be 1000000, but still.
1990 called and wants its issues back.
In modern languages you can even put separators in base-2 notated values
Re: (Score:2)
Since Java 7 you can use _ as a separator in a number literal anywhere you want.
Re: (Score:2)
So if you want to fight this out, you are gonna lose.
Sure, just remember when you fire your nuke we are 8.339 distance units away, and make sure you double check your units with NASA before you fire.
Re: (Score:2)
I'm imagining world war 3 breaking out over a disagreement over comma versus period number separation.
Re: (Score:2)
Except the UK is part of Europe, and they don't.
Neither does Ireland.
Luxembourg and Switzerland use both officially.
Re: (Score:2)
So does Canada.
Re: (Score:1)
French is one of the official languages and in French, the country's name is Luxembourg.
Re: (Score:2)
They're trying not to be, but they can't seem to find the Brexit.
Re: (Score:2)
At this point only Lord Buckethead can save them. The whole rest of the country have their shoelaces stuck somewhere in the middle steps of Barnier's Staircase!
Hail Lord Protector Buckethead!
Re: (Score:2)
European way: 1.000.000
Simple, isn't it?
Doch! (Hope I used that correctly, as we have no English equivalent.)
It is not so simple. British and other English speakers do not do it that way, so commas should always be used as separators when writing in English.
England is still in Europe, no? At least for a few more weeks until it gets towed into the Atlantic.
The number is also funny because, as Trogre said, it looks like a single IP address.
How do central Europeans write dotted quad notation?
Re: (Score:2)
How do central Europeans write dotted quad notation?
They're too poor for that to create any ambiguity. They don't have that many of anything.
Re: (Score:2)
French Canadian way (we use space separator): 1 000 000
With decimals: 1 000 000,99
Re: (Score:1)
You misspelled "stupid".
Re: (Score:2)
Quenda, you just embarrassed yourself and the entire country. Thanks a 1.000.000.
Re: (Score:2)
That's just one single IP address, and not a valid one at that.
I just had an image of an entire country accessing the Internet through a single NAT'd interface.
Re: (Score:2)
I assume that Austria must have more than 65,535 simultaneous connections needs.
Re: (Score:2)
That's just one single IP address, and not a valid one at that.
I assumed it was shorthand for a CIDR address aligned to 8 bits.
Re: (Score:2)
Not illegal in Austria.
If you try to use the information, it is. But finding out that there are unpatched, insecure servers isn't per se illegal.
Re: Ya don't say! (Score:1)
Whoosh
My former employer did the same (Score:1)
They hooked up - let us just call it something very large, handling a lot of energy - to the public internet via an ADSL connection.
I went home and demonstrated I had direct read/write access to everything from home without using any of the passwords (and I could just change them.)
They put in a firewall on that site, but making the product secure was out of the question. That was 15 years ago; they have changed to an OS with some security since then.
Why are most humans so damned dumb? (Score:1)
Then came the Internet, and I started thinking that people were getting dumber, not smarter, over time.
Then came Internet 2.0, and the Real Truth finally hit me: people have been dumb as a fencepost all along. The Internet just made it obvious.
Look around you: the utter stupidity of our own species will be our undoing.
HELP STAMP OUT STUPIDITY!
Re: (Score:2)
Double bottom underline, why the hell does he need stamps? Does he need to mail something? Doesn't he know he can send electronic letters? It's called email.
Re: (Score:2)
The word you're looking for is uneducated. Blame the school system (and homeschooling even more).
We don't teach critical thinking and reward rote learning and saying what the teacher wants to hear. Now what kind of result do you expect from that?
So? (Score:1)
In IPv6 every atom (at least - possibly even the sub-atomic particles) can have an IP address, right?
Re: (Score:2)
In IPv6 every atom (at least - possibly even the sub-atomic particles) can have an IP address, right?
No. IPv6 is 128 bits, which is 3.4e38.
The number of quarks in the universe is roughly 1e80.
So you are short by 42 orders of magnitude.
Re: (Score:2)
Yeah but you shouldn't put all quarks online anyway... Some are like printers and smart fridges and need to be behind a NAT.
Re: (Score:2)
My algebra is a bit rusty... there's only one quark per atom?
Re: (Score:2)
3 per baryon. (Proton, neutron, etc)
Take atomic weight, and multiply by 3. Gives average quarks per elemental nucleus. (Not counting highly exotic nuclei with pentaquark configurations.)
Overall, pretty secure (Score:2)
DNS servers that actually serve DNS requests. Yes, DDoS attacks are a problem, but so are DNS servers that don't do anything. Again, very few that appear to be a real problem.
Cameras are an issue, but it's pleasantly surprising there are only two public.
A few people have open printers. One can imagine use cases security by obscurity might be the best option. Who is going to print on a random printer. An
Re: (Score:2)
Option A: Something, something, dark side (of the page).
Option B: Only black pages? What are you, racist?
Option C: Did you tell your boss that your co-worker was wasting ink/toner?
Option D: I am Groot.
Re: (Score:3)
That is what websites should do. A functional website should never return a 404.
I agree, my web site sends a redirect to the Austrian government when a page isn't found. I get about 10,000 requests a day for wp-login.php and I don't host any WordPress sites.
Re: (Score:2)
Who is going to print on a random printer.
(paper coming out of your printer, reading)
Greetings,
You don't know me, but I have sent this to your printer. Another sheet of paper will be printed shortly, yes, it is a ransom note. You will put this note into an envelope and mail it. Don't contact the police, you and your porn collection would not like what happens next...
(I leave the rest to the imagination of the reader)
Re: (Score:2)
Who is going to print on a random printer.
I have people print to the printer I run for my lab, from other places in the building, occasionally.
And when people learned about the bugs in the HP JetDirect that let people lock them up, assholes went out of their way to do that.
A functional website should never return a 404.
Uhhh, that's how it tells you you've requested an invalid page. The site is functional. It should tell you when you made a mistake.
Wooow. (Score:1)
how (Score:2)
Re: (Score:2)
You can test my router all day long if you want to. The I.P. address is 127.0.0.1
Good luck!
this is news? (Score:2)
Re: (Score:2)
We knew it from statistical sampling, but it's nice to get a comprehensive count from a whole country.
Re: (Score:2)
As a non-USAmerican, I'm just glad this isn't about Trump.
Re: (Score:2)
They didn't have enough dupes to meet the post quota, so we get this.
Go out and find some news and save us if you don't like it.
Pffft Only one country? (Score:5, Interesting)
At a DEF CON talk in 2014 (talk [youtube.com] slides [defcon.org]) they scanned the whole IPv4 space live, looking for VNC instances. At least, anything that responded to a SYN packet.
Then they took a couple months to connect to each VNC instance and, if no password was required, grab a screenshot.
Leading to a series of talks of things that shouldn't be on the internet [youtube.com].
Re: (Score:2)
Normally I'd say "and nothing of value was learned" because most of us know that there are all kinds of things on the 'net that shouldn't be.
But evidently there are some people behind the curve of the obvious.
It really got bad, and is getting worse due to the usual "follow the money" issues. Why do I need to use some intermediary for my internet of things stuff? So they can b