Despite plentiful advice online about how to protect your privacy and keep your data safe, we all make mistakes now and then. We leave that text file of passwords in our Dropbox folder. We forget the password of our home router set to 'password.' But at least most of us can say we never left extensive software and documentation for one of the most powerful codebreaking systems in the world—a supercomputer collaboration between IBM, NYU and the Department of Defense—casually lying around on a completely unsecured public server. That's a pretty big oops, especially when someone finds it.
The Intercept published a fascinating story today about WindsorGreen, an encryption-breaking computer designed by brilliant mathematicians and likely used by the NSA. Specifically, the fascinating part is how easily a security researcher, with a hobby of poking around the internet looking for out-of-place files, found some pretty high-level Department of Defense stuff. Under the alias Adam, he told The Intercept "The fact that this software, these spec sheets, and all the manuals to go with it were sitting out in the open for anyone to copy is just simply mind blowing."
"All of this leaky data is courtesy of what I can only assume are misconfigurations in the IMAS (Institute for Mathematics and Advanced Supercomputing) department at NYU. Not even a single username or password separates these files from the public internet right now. It’s absolute insanity," Adam wrote to The Intercept over email.
The only tool Adam used to find the NYU trove was Shodan.io, a website that’s roughly equivalent to Google for internet-connected, and typically unsecured, computers and appliances
Adam didn't find this server full of secrets by hacking through NYU firewalls or anything so complex. According to The Intercept, "the only tool Adam used to find the NYU trove was Shodan.io, a website that’s roughly equivalent to Google for internet-connected, and typically unsecured, computers and appliances around the world, famous for turning up everything from baby monitors to farming equipment. Shodan has plenty of constructive technical uses but also serves as a constant reminder that we really ought to stop plugging things into the internet that have no business being there."
That last line is the kicker here. You may have read about how botnets comprised of Internet of Things devices are being used in massive DDOS attacks, like the ones instigated by squabbles over Minecraft servers last year. Shodan.io is a reminder that anyone could easily find a hole through your weak home router, and more importantly, your internet-connected refrigerator or lightbulbs could someday be used to DDOS a website you care about, like Steam.
In other words, Juicero wasn't just a sign that Silicon Valley spends millions of dollars reinventing basic shit we already have, but with internet connectivity. It's a harbinger of a bleak, bleak future where your coffee maker and your $400 juice bot can and will be taken hostage by a 17-year-old and next thing you know we're living a version of Maximum Overdrive we made for ourselves.
Adam informed NYU about the unsecured server and the files were removed, but experts have reviewed the documentation (which was the property of IBM and didn't appear to be classified by the DOD) and suggested that WindsorGreen is likely the best cryptography system in the world. The NSA is doubtless giving it a workout.
