Apparently the law of nature that states "if you can imagine it, someone had already put it on the Internet" applies not only to content.

This audience was clueless. Do they NOT understand that all of this work was done by one guy, in his spare time? They’re asking questions that would take teams of people many months to do. When he offered to provide answers to their questions if they were willing to pay for it, I didn’t see anyone open their checkbook. Nothing here needed to be quantified. The whole message here is that we have a HUGE problem and it needs more attention. No more, no less. There should have been someone at the entrance pulling these people’s heads out of their asses before they entered the room.

I'm not sure the people understood early on that Dan was talking about publicly open stuff, with either default or no login credentials. As in you can just walk in and do whatever you want, don't even need to "hack" it.

"What could possibly go wrong?!" Famous last words...

I never did anything this guy is talking about but I did find an open webcam one time that was filming a baby giraffe and its mom in some weird container.

Love the "No Food or Drink Zone" sticker, and the cup just above it next to the laptop ;o)

For any people who don't understand what's going on, basically the security researcher used a specialized search engine to search for non-password protected VNC sessions, basically VNC is a in a way quite similar to Windows Remote Desktop, it allows you to remotely control a computer as if you are there. The reason why this talk is important is that in these examples, the people who installed VNC or made it public deliberately decided to remove password protection, meaning anyone (on the Internet) could theoretically access and even control the equipment mentioned if they searched for them with the tool mentioned without permission of the people who are in charge of running those computers/devices running VNC. This is a hacker's dream come true, there is no password to crack and you can potentially do all sorts of things on these exposed devices.

license plate reader in lithuania! it says "PL" right there...

24:07 I did the same thing, poked a hole in my home firewall so I can access the lights in the house (Insteon system running on s Universal Devices ISY-99 controller) over the internet. Sometimes to turn random lights on and off on vacation or to make sure I didn't forget and leave a light turned on when I left, but mainly because cause it's cool and geeky. I guess I'm not worried about a random stranger finding it and turning my kitchen light off, and my lighting controller is the only device that I opened a port for.

Man, I was really feeling your pain by the end of it. The part about CERN (and a couple others after) had me making little involuntary squeaks of darkly amused surprise. But just how the hell do you even go about getting DOS 6.22 online? Presumably someone who had bridged its serial-terminal redirectability into a Telnet session or something?

The DOS one was probably KVM over IP which tends to have integrated VNC.

When you live in Philly and you're like... I'm not surprised SEPTA does shit like that.

Oh jesus, the Polycom VCs. Place I worked had a whole, dedicated, _physically padlocked_ (I am not even joking) ethernet port for it in a small number of rooms, which were literal hotlines to ports on the WAN interface on the wild side of the main firewall. Because even our combined team of network wizards (who were reasonably sharp in every other regard) couldn't work out how to pipe its various protocols though the firewall. It really hates being NATted for some reason. Horrible piece of work all round (it had a terrible camera, actual video codec, control interface, low resolution, hopeless sound, etc), it was a happy day when we managed to get Skype working instead (after a flirt with some more enterprise grade solutions that were about halfway between the two in terms of quality and hassle), and moreover found webcams with drivers that would work with our AD security policies, and could just transition everyone over to webcamming through their computers like everyone else in the normal world. About a year before I left, whilst I was off on holiday, some bunch of cowboy installers convinced one of the non-IT managers to have a whole new fancy multi camera VC system (I think also a Polycom?) installed into a wholly unsuitable room. Without making any attempt to wire it in properly or set up the network side of things. I never, ever saw it working and in active use. At least two grand spent on something that could have been done just as easily with a couple of cheap all-in-one desktops and webcams, and thanks to the primitive nature of its protocols it couldn't even be used. But I did put USB webcams in there, connected to the desktop PC wired to one of the flatpanel displays, more times than I'd care to count. Embedded tech is such a nightmare for obsolete, insecure, inflexible protocols and procedures that actively encourage you to indulge in wrongheaded practices just to make them work. Given the example of those videoconferencers - which were things specifically _built_ to work on corporate nets (though I got the strong impression it'd have been much happier plugged into a phoneline where its low resolution would match nicely with the 56k bandwidth) - all the other examples of various embedded level systems that are blithely exposing their underwear regions to the world are not really any kind of a surprise.

That Conference Gear screenshot. I used to work at the company which probably did this. And nope it's not the MIT logo.

There is a 3D printer controller program called Octoprint. Runs on a Raspberry Pi, lets you stream G-Code, and it can host a webcam. I was setting mine up, I googled "Octoprint Webcam" and someone's printer webcam was in the top three hits on Google.

10:20 actually it's a Control system for some sort of license plate press

I found a WeatherBug cam once with its interface open to the Internet.

Around the 53 minute mark, Viss is showing slides of some 4.9GHz wireless network equipment, it's Tranzeo, and at least at one point, some of their equipment had a hidden account, and they are Linux systems... root:default ... yeah, that's real secure...

16:23 couldnt be more true.

You would be surprised (or maybe not,) How many businesses are still using outdated operating systems like 2000, ME, XP or 98

no it's not MIT logo.

He look. So familiar to me. Like a friend I knew from 1980ths

It's hard to tell if your audience is understanding the humor, meme references, lingo. If they were laughing with Dan, great, good job. If they weren't, Dan ends up looking like a nut up there! Oh well, I'm laughing along at home!

If you lost the password for the ruggedcom you can run the Mac address through a perl script to obtain the backdoor password.

They did the drinking water attack in 2021, this is still a thing.

quick question i just thought of some of the stuff online that has a touch panel in the building and ur seeing the screen of it online and u have a touch screen on ur computer can u control the touch panel with ur touch screen?

Particle physics? *PHBBBT* CRYPTOCURRENCY!

1:02:00 lol, is that G. Edward Griffin?

Dan,how can you help me With CTTV Footage Camera reading a licence plate,pictures are blurry..

want some fun do a world wide port scan for kali machines...you might want to keep that list and updated i can guantree any default kali system out there is being used to hack somthing by someone who dont know enough to use it

Is the guy in the start speaking sign language

Is he on speed?

9:57 Hey, I know this company...

I think the legal problem mostly goes away since it's open for everyone. It's public

Plays never going give you up on the speakers. and just rick roll who ever is listening.

at the 37:44 mark I spy exacqvision VMS software lol

so i can lookup random ip's and put them on internet and being nosy about everything and its ok ?

birthplace of what we know as the internet #funfact #darpa>=stark industries

Ayyy @viss

I try to tell our Police force here @31:08

France is the EU host ISP off all EU providers, the WAN IP's get stacked i this huge ISP host as having over 50 countrys they provision in a SSL VPN uplink, so we travell data over this UDP layers to that HOST in the provider VPN uplink then routers take over , a package from .be to a .nl travells over france to USA redirects to countrys like korea,UK,Russia,Iran,China,Japan,ending in a middlepoint AMS(Amsterdam Dutch Holland Server ) no Domain nor any info only an IP , but this location is not accidental as it's the peer to Russia, as the arin A IP lays 1 bit higher so the Web is in fact a intranet , governments don't use public IP's but these private peers assigned as 10.0.0.0/32 , simply 100 private IP's provision the ISP's host gateway and that's enough to accessto complete IP4 over a class A private IP , nobody sees this

I see viss, I click

51:13...

This talk looks awesome, but the audio is terribad. I want to hear Dan wreck shit.

If it's public it's not just public, do not take that as advice pls. If you see a house with the door open that does not mean you can go in the house or that the house is public. It's still illegal to go in, and you will get arrested if not cautious.

I can't stand watching presenters like this. He presents like he is a kid.