An Open Letter To Balgan 2022-09-25
I'm not a fan of Internet researchers. And I don't think I'm the only one. Various organizations including U Michigan, Shodan, Censys, and BinaryEdge like to scan as much of the Internet as they can looking for security vulnerabilities. They make it sound like they are doing it because they want to improve overall Internet security. But do they? What is their process for informing service admins that there is a problem? Do they tell admins how to fix the problems they find? What accountability do they take when a service is fixed according to their instructions and a service is still hacked? Well, the answer is clearly dingo, because none of that shit happens. They scan for their own information and profit.
Tiago Henriques, also known as Balgan, is the wanker responsible for BinaryEdge. He likes to gas on about how blocking scanners like his is futile. Well Mr. Balgan, fuck you. Here's why.
"Hi, can you please stop scanning me? My IP Addresses are XXX.XXX.XXX.XXX"
For years I received, read and replied to emails like these. As founder and CEO of a company that's in the business of port scanning the Internet, it is normal to see these types of emails. I always attempted to explain what we are doing, why we are doing it and why people should consider not having us block their IP addresses.
One thing you do not seem to have done is consider the point of view of the people making the requests. The requests you have been receiving for [in your words] years. There couldn't possibly be a reason to think that their opinions are even remotely valid eh?
Every second, there are multiple actors scanning your IP address. There are multiple reasons for this and the data from understanding who is scanning the internet can be quite interesting as it enables answering lots of different questions blue teams (defenders) typically have.
So you figure you are the gatekeeper of this interesting data? What questions does it answer? How do you make those answers available for people like me to see? How do you make the entire dataset available for people like me to analyze and possibly come up with even more interesting answers than you might? Or are you simply the best person in the world to be coming up with those answers?
What is important to understand is that, similar to a lot of topics in infosec, there are different shades of color to what the organizations generating this traffic are attempting to do. You have benign players like BinaryEdge, Rapid7, Censys and Shodan, but what does benign mean in this context?
They respect blacklisting - if you request one of these organizations not to scan you again they will respect your request
No active exploitation - the scanning is focused merely on identifying services running on the internet, no active exploitation of vulnerabilities occurs at any point in time
Benefit for you - Most of these platforms allow you to check what data they have collected on your IP address. BinaryEdge allows you to check via securityrating.io or via app.binaryedge.io, Rapid7 makes data available via their open data program and other players have their respective platforms.
Bullshit. They do not respect blacklisting. They do not have any kind of opt-in system, and they do not offer any functional opt-out system. It is a "we do as we please" system. With a sign-up system like that, why would I even think of believing that there is no active exploitation going on? There is also no way for real people to see fuck all information about their own IP addresses... these are just plain lies. This is not a collection of helpful public service organizations; they harvest whatever information they can and they do it for profit.
You're targeting me on your attacks!
This is a common misconception that we also see people having. Specifically for the people doing internet wide scanning, you are not a special snowflake, this is actually a common factor between benign and malign internet wide scanning organizations. Neither of us cares about your specific IP address. We want to see the global picture. Rather than thinking from the perspective of "How am I gonna hack John Doe, that is behind IP address XXX.XXX.XXX.XX" we think on a global scale.
Snowflake he says. Not a dick comment at all. I'm sure you wankers do think on a global scale. You can't possibly profit from selling information about me, but you can profit from selling information about "global security vulnerabilities".
So are you saying my worries are unfounded for wanting to block internet scanners?
No. Not at all. What I am trying to convey is that you are never going to be able to block them all. For as long as you have a device that is internet connected it will be scanned.
So what you are saying is that since there is shitty traffic out there, then you may as well add to it?
By asking non-malicious actors to block your IP addresses, you are however losing visibility into your own exposure as well. You should try to leverage the tooling that the attackers use as well.
Yeah dude... don't block me, PAY me.
If you're exposing services you don't think should be found by BinaryEdge, Censys or Shodan you shouldn't be exposing them in the first place.
Fuck you. Wanting to expose a service on the Internet should not mean that by default it should be found by you or your whore friends. Being subject to your shit should not be a requirement for running a publicly available service.
If I had to use an analogy, which I typically hate doing, it's as if you have your building with windows without any curtains; internet-wide scanners are the people on the street, and you are asking 5 out of 1000 on the street to cover their eyes and not look at your windows. And it just so happens that these 5 are the neighbors that would be respectful and tell you "Hey, I can see inside your house because you have no curtains".
Utter bullshit. I'm asking all 1000 people on the street to have enough integrity to not stop and stand watching through my window all day as I go about my business. Let alone grab a ladder and stand on top of it like you do. And go fuck yourself for the lie that you have any intentions of informing me that I lack curtains. Your intent is clearly to hang around and see if you can catch me opening my safe so you can sell the combination to someone who has never been outside my window but who wouldn't mind having whatever is in my safe.