
WRONG!

"Brute force" is literally an attack. However, what AT&T did was only use the equivalent of usernames, just like http://www.mailinator.com/ does.




We know how to stop brute force attacks; we have known for years how to stop them. I see brute force attacks on my SSH servers all the time, and I ignore them. I am comfortable ignoring brute force attacks because I do not allow password authentication at all. The attacker would have to try to guess one of the users' secret keys -- and that is beyond just a long shot.

So why have we not deployed this "amazing" technology, or similar technology, everywhere? A lack of incentive. If a hacker successfully carries out a brute force attack, the company running the systems does not suffer at all; they just pass it off as "some dark wizard hacker pwned us, sorry!" Nobody is spending the money to deploy smartcards far and wide because nobody has any reason to. It is less expensive to pay the pittance required to clean up after a hack than to stop hacks in the first place. If banks had no legal recourse when some script kiddie hacked a customer account, they would be far more likely to give customers smartcards and use more secure authentication mechanisms.

To put it another way, making a brute-force attack a crime is placing responsibility for securing the system on the people who want to attack it. It should be obvious why that makes no sense.



