Tuesday, November 24, 2009

Where's the Controversy about Shodan?

So like a lot of folks I spent no more than 15 minutes this morning googling Shodan for anything interesting. I looked for SCADA protocols (there were none that I could easily find) or obvious field automation devices, so I went back to work. At best I found a bunch of VxWorks systems (and a whole lot of ESX servers, shiver), and others like @chrisjager have also commented about the large number of embedded devices directly connected to the Internet, which is, indeed, frightening.

But @taosecurity just made some interesting comments, questioning how long the site will be up and hitting upon the ethical issues of a site which so obviously allows easy amplification of vulnerable systems. This was the first I've seen that even considers this angle. I'm not sure if everybody is getting ready for the holidays, trying to get the last bit of work done, or already gone, but at least among the 300+ folks I follow on Twitter there were absolutely no questions about the site, and whether or not such a site was appropriate, ethical, etc. Just to be clear, I'm not claiming it is or is not; I'm just surprised it hasn't come up yet either way. Now if and when this happens (perhaps everyone else is so jaded and just does not want to go there) I'm sure the arguments will quickly fall into the typical clichéd responses around disclosure:
  • The site is raising awareness so is a good thing. Administrators can actually find and fix their systems.
  • Anyone who has systems directly connected to the Internet with systems that vulnerable deserves to be compromised.
  • The site is irresponsible and we should immediately DDoS it.
And so on...

I don't actually believe any of those arguments. I'm not sure what to think. And I find that troubling. After nearly a decade in information security, I've become weary of all the arguments on either side of these sorts of disclosure issues, so I resort to no opinion, because my opinion doesn't really matter and folks will release 0-days (or not) or more interesting sites like this (or not), and what will happen will happen regardless of any international standards or documented best practice working groups.

So back to trying to find a way to get graphviz to generate SVG images within a Django app. That is at least a problem I can solve.

Anonymous said...

Shodan is growing. Suggest you re-visit. See http://shodan.surtri.com/?q=scada