Our worst hacking fears came true on Friday as criminals deployed millions of everyday objects ― internet-connected cameras, printers and so on ― to launch an attack on a critical part of the Internet. The attack was a success, crippling the websites of major companies like Amazon, Netflix and Twitter for hours at a time.
We now have a handle on what happened: hackers used publicly available source code to assemble a bot-net army of internet-enabled devices, and then directed those devices to send massive waves of junk requests to a DNS provider. The attack meant the provider, New Hampshire-based Dyn, could not carry out its job of acting as a switchboard for the internet, and consumers could no longer reach popular websites.
The compromised devices, which make up the bot-net army, are still out there and unpatched, which means other attacks are likely on the way. This makes it a good time to ask who’s to blame for this debacle. We can start, of course, by fingering the hackers themselves, who appear to have unleashed the attack with profit motives in mind.
But we can also assign much of the blame to the companies whose sloppy security standards made the attack possible:
Wondering which IoT device types are part of the Mirai botnet causing trouble today? @briankrebs has the list: https://t.co/bETefDMa4Y
― Eric Skinner (@EricSkinner) October 22, 2016
We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure https://t.co/Gj4S5Hj0xV
― Christopher Mims (@mims) October 22, 2016
A list of alleged culprits, compiled by security researcher Brian Krebs, includes familiar names like Panasonic, Samsung and Xerox printers. The names also include lesser known makers of routers and cameras, which reportedly made up the bulk of the bot-net army.
It’s a good bet these companies are scrambling to update their product lines in a way that requires users to change the passwords (widespread use of default passwords is the main reason the devices got hacked in the first place). But it’s not fair to lay the entire blame squarely on the companies. Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in.
Finally, it’s time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well. No one thinks it’s acceptable for consumers to be clueless when they operate products like automobiles or propane tanks ― so why is it okay for them to be careless with routers and security cameras?
On another note, there’s other security news this week, including a couple cool fin-tech features by Robert, which you can read about below. Thanks as always for reading. And, for heaven’s sake, lock down your devices.
Jeff Roberts
@jeffjohnroberts
jeff.roberts@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.