IEEE Technology and Society Magazine - June 2015 - 42

guess the password to his remotely accessible web
cam [12]. The BlackHat presentation did not include a
disclaimer, or any statement about the ethics or legality
of the demonstration. The response of the audience can
be clearly witnessed in the video.
Around the same time as Fifield's BlackHat talk, an
anonymous researcher began an ambitious experiment
to go beyond what David Fifield demonstrated, using

Attackers can successfully,
automatically, break into almost
all commercially available home
network devices with weak
or default passwords.

the same techniques as Federico Fazzi, and created a
massive scanning botnet dubbed the "Carna" botnet
[13]. Initial tests proved wildly successful, discovering
over 100  000 vulnerable systems. The botnet customdistributed scanning software that was functionally indistinguishable from the most advanced malicious software
("malware"), and the infected machines became a massively distributed sniffer capable of scanning the entire
Internet in a matter of hours. The scanning results were
published as "Internet Census 2012" [14].
The Carna bot [14] was developed and installed on
systems found to be using four of the most common
default passwords. Carna was programmed to run with
the "lowest possible priority and included a watchdog
that would stop the executable in case anything went
wrong." It had a built in limit of "128 simultaneous connections and had a connection timeout of 12 seconds"
and "a strict set of rules to identify the target devices'
CPU and RAM to ensure our binary was only deployed
to systems where it was known to work [excluding] all
smaller groups of devices since we did not want to interfere with industrial controls or mission critical hardware
in any way." The creator of the Carna botnet used the
same methodology as the lightaidra botnet author, "[compiling] for 9 different architectures using the OpenWRT
Buildroot," producing custom binaries that, "[in] its latest
and largest version [...] was between 46 and 60 kb in size
depending on the target architecture."

Ethics of the Carna Botnet
Some have questioned the ethics and legality of the
Carna botnet [13], and question the ethics of using the

42

data it collected. The author of [13] raises the involuntary nature of the installation of the Carna software,
unbeknownst to the owners of the devices used
for data collection. In biomedical and behavioral
research, the principal of Respect for Persons rests
on the belief that research subjects whose data will
be collected have autonomy to choose whether or
not they will participate in research or provide their
data to researchers. Researchers must honor this
decision without condition. The process is known as
"informed consent." An effort to describe this and
other ethical principles including Beneficence (avoiding harm, systematic analysis and balancing risks and
benefits), and Justice (fairness in treatment, selection
of subjects, and distribution of burdens and benefits) in the context of Information and Communication Technology (ICT) research was initiated in 2009,
sponsored by the Department of Homeland Security,
and known as the "Menlo Report" working group [15].
The Menlo Report [16] and its companion document
[17] discuss stakeholder analysis, autonomy, beneficence, and justice. Based on the principles in the 1979
Belmont Report, "Ethical Principles and Guidelines for
the Protection of Human Subjects of Research" [18],
the Menlo Report includes considerations of autonomy,
beneficence, and justice in ICT research and adds
concepts of respect for law and public interest, compliance with laws, and transparency and accountability.
Although the Internet Census Dataset is not a medical
application, one can draw an analogy between medical
patients and the owners of the device on the one hand;
and between physicians and computer science researchers on the other hand. The physicians and the computing researchers have responsibilities to patients and
device owners, respectively.
The first step in evaluating the ethics of the Internet
Census 2012 is to look at the stakeholders. The largest
group of stakeholders is comprised of the owners of the
networked devices the Carna botnet scanned. Primary
Stakeholders are businesses, government agencies, and
private citizens in countries all around the world. "The
vast majority of all unprotected devices are consumer
routers or set-top boxes which can be found in groups
of thousands of devices" [14]. Secondary stakeholders
are organizations that own and manage the networks
on which these systems reside, including some critical
infrastructure devices. Key stakeholders are the Carna
botnet creator and the criminals who actively exploited
the same weaknesses for their own criminal purposes.
Researchers who obtain the anonymously published
results and use them for further research could arguably be considered either primary stakeholders (who
benefit from the act of publishing the Carna dataset,
thereby obtaining otherwise unobtainable data), or key

IEEE Technology and Society Magazine

∕

june 2015



Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - June 2015

IEEE Technology and Society Magazine - June 2015 - Cover1
IEEE Technology and Society Magazine - June 2015 - Cover2
IEEE Technology and Society Magazine - June 2015 - 1
IEEE Technology and Society Magazine - June 2015 - 2
IEEE Technology and Society Magazine - June 2015 - 3
IEEE Technology and Society Magazine - June 2015 - 4
IEEE Technology and Society Magazine - June 2015 - 5
IEEE Technology and Society Magazine - June 2015 - 6
IEEE Technology and Society Magazine - June 2015 - 7
IEEE Technology and Society Magazine - June 2015 - 8
IEEE Technology and Society Magazine - June 2015 - 9
IEEE Technology and Society Magazine - June 2015 - 10
IEEE Technology and Society Magazine - June 2015 - 11
IEEE Technology and Society Magazine - June 2015 - 12
IEEE Technology and Society Magazine - June 2015 - 13
IEEE Technology and Society Magazine - June 2015 - 14
IEEE Technology and Society Magazine - June 2015 - 15
IEEE Technology and Society Magazine - June 2015 - 16
IEEE Technology and Society Magazine - June 2015 - 17
IEEE Technology and Society Magazine - June 2015 - 18
IEEE Technology and Society Magazine - June 2015 - 19
IEEE Technology and Society Magazine - June 2015 - 20
IEEE Technology and Society Magazine - June 2015 - 21
IEEE Technology and Society Magazine - June 2015 - 22
IEEE Technology and Society Magazine - June 2015 - 23
IEEE Technology and Society Magazine - June 2015 - 24
IEEE Technology and Society Magazine - June 2015 - 25
IEEE Technology and Society Magazine - June 2015 - 26
IEEE Technology and Society Magazine - June 2015 - 27
IEEE Technology and Society Magazine - June 2015 - 28
IEEE Technology and Society Magazine - June 2015 - 29
IEEE Technology and Society Magazine - June 2015 - 30
IEEE Technology and Society Magazine - June 2015 - 31
IEEE Technology and Society Magazine - June 2015 - 32
IEEE Technology and Society Magazine - June 2015 - 33
IEEE Technology and Society Magazine - June 2015 - 34
IEEE Technology and Society Magazine - June 2015 - 35
IEEE Technology and Society Magazine - June 2015 - 36
IEEE Technology and Society Magazine - June 2015 - 37
IEEE Technology and Society Magazine - June 2015 - 38
IEEE Technology and Society Magazine - June 2015 - 39
IEEE Technology and Society Magazine - June 2015 - 40
IEEE Technology and Society Magazine - June 2015 - 41
IEEE Technology and Society Magazine - June 2015 - 42
IEEE Technology and Society Magazine - June 2015 - 43
IEEE Technology and Society Magazine - June 2015 - 44
IEEE Technology and Society Magazine - June 2015 - 45
IEEE Technology and Society Magazine - June 2015 - 46
IEEE Technology and Society Magazine - June 2015 - 47
IEEE Technology and Society Magazine - June 2015 - 48
IEEE Technology and Society Magazine - June 2015 - 49
IEEE Technology and Society Magazine - June 2015 - 50
IEEE Technology and Society Magazine - June 2015 - 51
IEEE Technology and Society Magazine - June 2015 - 52
IEEE Technology and Society Magazine - June 2015 - 53
IEEE Technology and Society Magazine - June 2015 - 54
IEEE Technology and Society Magazine - June 2015 - 55
IEEE Technology and Society Magazine - June 2015 - 56
IEEE Technology and Society Magazine - June 2015 - 57
IEEE Technology and Society Magazine - June 2015 - 58
IEEE Technology and Society Magazine - June 2015 - 59
IEEE Technology and Society Magazine - June 2015 - 60
IEEE Technology and Society Magazine - June 2015 - 61
IEEE Technology and Society Magazine - June 2015 - 62
IEEE Technology and Society Magazine - June 2015 - 63
IEEE Technology and Society Magazine - June 2015 - 64
IEEE Technology and Society Magazine - June 2015 - 65
IEEE Technology and Society Magazine - June 2015 - 66
IEEE Technology and Society Magazine - June 2015 - 67
IEEE Technology and Society Magazine - June 2015 - 68
IEEE Technology and Society Magazine - June 2015 - 69
IEEE Technology and Society Magazine - June 2015 - 70
IEEE Technology and Society Magazine - June 2015 - 71
IEEE Technology and Society Magazine - June 2015 - 72
IEEE Technology and Society Magazine - June 2015 - 73
IEEE Technology and Society Magazine - June 2015 - 74
IEEE Technology and Society Magazine - June 2015 - 75
IEEE Technology and Society Magazine - June 2015 - 76
IEEE Technology and Society Magazine - June 2015 - 77
IEEE Technology and Society Magazine - June 2015 - 78
IEEE Technology and Society Magazine - June 2015 - 79
IEEE Technology and Society Magazine - June 2015 - 80
IEEE Technology and Society Magazine - June 2015 - Cover3
IEEE Technology and Society Magazine - June 2015 - Cover4
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_march2023
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_december2022
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_september2022
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_june2022
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_march2022
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_december2021
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_september2021
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_june2021
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_march2021
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_december2020
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_september2020
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_june2020
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_march2020
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_december2019
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_september2019
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_june2019
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_march2019
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_december2018
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_september2018
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_june2018
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_march2018
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_winter2017
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_fall2017
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_summer2017
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_spring2017
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_winter2016
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_fall2016
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_summer2016
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_spring2016
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_winter2015
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_fall2015
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_summer2015
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_spring2015
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_winter2014
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_fall2014
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_summer2014
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_spring2014
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_winter2013
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_fall2013
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_summer2013
https://www.nxtbook.com/nxtbooks/ieee/technologysociety_spring2013
https://www.nxtbookmedia.com