tl;dr; A whole slew of security dvr devices are vulnerable to an unauthenticated login disclosure and unauthenticated command injection.

via consolecowboys: Swann Song – DVR Insecurity.

Interesting read.  Obviously, a device like a DVR should be placed inside a NAT and possibly have its traffic monitored at the firewall.  Then if port 9000 is open for telnet you just have to worry about an attack from with access to the LAN — not the entire Internet.