The chatter this week is, once again, about consumer kit being herded into botnets, and it's hard to feel surprised. After the Mirai source dropped in the autumn and the enormous DDoS attacks that followed in October, every fresh report now reads like a sequel nobody asked for. Cheap routers and cameras, shipped with default credentials and an exposed management service, scanned and recruited at scale. The script practically writes itself.
What frustrates me is how unexotic the root cause stays. It isn't some dazzling new exploit. It's the same default admin password and the same management port left open to the internet that we were complaining about a decade ago. The bug, if you can even call it that, is shipping a device that's insecure out of the box and trusting the buyer to fix it, when the buyer doesn't know there's anything to fix.
I went and checked my own boundary the same evening, because casting stones from an unpatched house is poor form. Nothing exposed that shouldn't be, default creds long gone, remote management off. Took five minutes. The depressing thing is that five minutes is four and a half more than most people will ever spend, and the kit ships in a state where those five minutes are mandatory rather than optional. Until "secure" is the factory default rather than a setting you have to know to change, we'll keep reading this same story with a new name on it.