undefined | Better HN

0 pointsbsamuels3y ago0 comments

Attackers are using hacked IoT devices to do these attacks. These devices have roughly the same computing power as a mid level smartphone. Attackers do not use their own hardware, and don't care about how much energy is used by their bot devices.

In a normal attack, there are maybe 2-3 requests per hour that come from each hacker-owned device. The only thing that hashcat would do is drastically increase power consumption at no cost to the attacker, and turn the application into a battery drainer on mobile devices.

So no, Hashcat is not an adequate solution.

0 comments

throw109203y ago

> Attackers are using hacked IoT devices to do these attacks. These devices have roughly the same computing power as a mid level smartphone.

False for a very large variety of low-power IoT devices using chips like the ESP32, which are multiple decimal orders of magnitude slower than a modern computer (or high-end smartphone) and will absolutely take far longer to compute a Hashcash challenge than one of those devices. Your smart light bulb is absolutely not hosting a Qualcomm Snapdragon 450 to change its colors.

Additionally, adding this compute+power load causes the presence of malware to become far more visible on these devices, which increases risk of discovery, which is a significant upside.

Finally, because there's now a significant computational cost to performing a login attempt, the value of individual devices are further decreased to the attacker, which reduces their likelihood of compromising these devices, and for using them for these kinds of attacks against services that use this measure.

So, yes, Hashcash is absolutely an adequate solution, and yes, there is absolutely a cost to the attacker.

bsamuelsOP3y ago

You have no idea what you're talking about. Botnets are almost entirely ISP router/modem combo devices.

Hashcat was proposed over 20 years ago. You really think out of all the tens of thousands of security engineers working on this problem, nobody has ever considered it? Get a grip.

I hate how this website incentivizes people to try to make posts that sound smart instead of posting stuff they're actually knowledgeable about.

wolverine8763y ago

> Botnets are almost entirely ISP router/modem combo devices.

Above you say they are IoT devices. I don't mean 'gotcha', but to learn: What does the population of botnet devices consist of?

2 more replies

throw109203y ago

This comment violates probably about a dozen different parts of the HN guidelines[1]. You should calm down with the ad-hominems and substance-less claims and give the guidelines a read, then come back and make an actual argument.

[1] https://news.ycombinator.com/newsguidelines.html

fennecfoxy3y ago

Yeah the majority of them aren't Wifi lightbulbs afaik it's mostly routers and other similar devices, so they really do have the power of a low-mid range smartphone.

Realistically though as long as it can send a request I think attackers would prefer lower power devices someone's computer may be able to send many more r/s but much harder to gain control of versus the $30 iot device.

smaryjerry3y ago

This is ab irrelevant tangent on the mid level phone comment. We all know you don’t need any compute power at all to make “2-3 login attempts per hour” even on the slowest of IOT devices.

j / k navigate · click thread line to collapse

0 comments

throw109203y ago

> Attackers are using hacked IoT devices to do these attacks. These devices have roughly the same computing power as a mid level smartphone.

Additionally, adding this compute+power load causes the presence of malware to become far more visible on these devices, which increases risk of discovery, which is a significant upside.

So, yes, Hashcash is absolutely an adequate solution, and yes, there is absolutely a cost to the attacker.

bsamuelsOP3y ago

You have no idea what you're talking about. Botnets are almost entirely ISP router/modem combo devices.

Hashcat was proposed over 20 years ago. You really think out of all the tens of thousands of security engineers working on this problem, nobody has ever considered it? Get a grip.

I hate how this website incentivizes people to try to make posts that sound smart instead of posting stuff they're actually knowledgeable about.

wolverine8763y ago

> Botnets are almost entirely ISP router/modem combo devices.

Above you say they are IoT devices. I don't mean 'gotcha', but to learn: What does the population of botnet devices consist of?

2 more replies

throw109203y ago

[1] https://news.ycombinator.com/newsguidelines.html

fennecfoxy3y ago

Yeah the majority of them aren't Wifi lightbulbs afaik it's mostly routers and other similar devices, so they really do have the power of a low-mid range smartphone.

smaryjerry3y ago

This is ab irrelevant tangent on the mid level phone comment. We all know you don’t need any compute power at all to make “2-3 login attempts per hour” even on the slowest of IOT devices.

j / k navigate · click thread line to collapse