
In that case, who's responsible for keeping the anti-malware software up to date... and paying for it?

Or maybe that's going too far and the first step is to just have them encourage / force more secure passwords.

(Assuming this is correct [1]):

> Mirai functions by infecting IoT devices by trying to brute force their passwords. The tactic it uses to brute force passwords is entering commonly used and default passwords.

[1]: https://en.wikipedia.org/wiki/Mirai_(malware)



I suggest a gradual approach. Anyway, the manufacturer has more costs, so the price is going to be higher. How much higher in the long run? Maybe not much. We already experienced the same progression towards safety with materials that don't poison us and appliances that don't catch fire or interfere with the radio spectrum. Every one of those steps cost money. We still have cheap stuff to buy.

The difference here is that those devices must be maintained or retired. So there could be a recurring cost. Eventually there will be ecosystems of companies taking care of the update and maintenance of devices made by their customers (the manufacturers.)

We also have to educate people, to the point that they will feel ashamed to buy insecure devices and inadvertently help the criminals behind those attacks in the news. Nobody wants to help the mob (or worse) by keeping their stuff at home, right?

This is going to become a matter of national security in every country, because those attacks can be used as a weapon to incapacitate vital infrastructures.


Why isn't there a mechanism for informing device users?


I can't answer because I'm not sure about which mechanism you're thinking about. Would you mind elaborating on the concept?

But as with any mechanism: who's operating it, who's paying for it, what it's going to do, etc.

An idea is a state owned crawler that tries to get into any device inside the country and tells people that their device X is insecure because of Y and Z. I think there are already many of those crawlers around, but they don't warn people. Quite the opposite ;-)


I'm wondering whether it's possible to log IPs of attacking devices. From targets and from intermediaries. Then inform ISPs, and demand that they inform device owners. But yes, who would do that, and who would pay, are hard parts. Still, this was an expensive day for many providers.


Tells what people? How do you know who owns a device?


If you have an IP address, you can determine what ISP it's been assigned to. And ISPs typically know which accounts had which IPs at any given time.
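The two comments above (logging the IPs of attacking devices so ISPs can be told which accounts to notify, and mapping an IP to the ISP it was assigned to) sketch a workflow that is easy to show concretely. The following is an added example written for this page, not code from any commenter or from the Mirai source: it runs Mirai-style detection over a few constructed telnet-honeypot log lines (looking for failed logins that use credential pairs from Mirai's default-password list), aggregates hits per source IP, and then groups the offenders by ISP using a constructed prefix table that stands in for WHOIS or BGP data. The log format, the prefix table and the abuse contacts are assumptions for illustration; the credential pairs are a small excerpt of the list in the published Mirai source code.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of telnet-honeypot login attempts (not real traffic).
# Assumed format: "<timestamp> src=<ip> user=<u> pass=<p> result=<ok|fail>".
# Timestamps matter: an ISP behind CGNAT needs them to map an IP to an account.
SAMPLE_LOG = """\
2016-10-21T13:00:01Z src=203.0.113.7 user=root pass=xc3511 result=fail
2016-10-21T13:00:02Z src=203.0.113.7 user=root pass=vizxv result=fail
2016-10-21T13:00:03Z src=203.0.113.7 user=admin pass=admin result=fail
2016-10-21T13:00:04Z src=198.51.100.23 user=root pass=xc3511 result=fail
2016-10-21T13:00:05Z src=198.51.100.23 user=root pass=S3cureP@ss result=fail
2016-10-21T13:00:06Z src=192.0.2.99 user=alice pass=correcthorse result=ok
2016-10-21T13:00:07Z src=203.0.113.8 user=root pass=root result=fail
"""

# A few of the (user, password) pairs Mirai tries; the full list is in the
# published Mirai source code.
MIRAI_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "root"), ("root", "888888"), ("root", "default"),
}

# Constructed prefix-to-ISP table standing in for WHOIS/BGP lookups.
# A real tool would query RIR WHOIS (or a routing table) for the abuse contact.
ISP_PREFIXES = {
    "203.0.113.0/24": "ExampleNet (abuse@example.net)",
    "198.51.100.0/24": "SampleTelecom (abuse@sample-telecom.example)",
}

LINE_RE = re.compile(r"src=(\S+) user=(\S+) pass=(\S+) result=(\S+)")


def parse_attempts(log_text):
    """Yield (src_ip, user, password, result) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()


def suspicious_sources(log_text, min_default_hits=1):
    """Count failed logins that used a Mirai default credential, per source IP.

    Only (user, password) pairs from the list count, so a legitimate user
    mistyping a real password is not flagged.  Returns {ip: count} for sources
    with at least `min_default_hits` such attempts.
    """
    counts = defaultdict(int)
    for ip, user, pw, result in parse_attempts(log_text):
        if result == "fail" and (user, pw) in MIRAI_CREDENTIALS:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= min_default_hits}


def isp_for(ip, prefixes=ISP_PREFIXES):
    """Longest-prefix match of `ip` against the prefix table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, isp in prefixes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, isp)
    return best[1] if best else None


def abuse_report(log_text, min_default_hits=2):
    """Group flagged source IPs by the ISP they belong to.

    This is the shape of what one would send to each provider: the IPs that
    scanned us with default credentials and how many attempts each made.
    IPs that match no known prefix are filed under "unknown".
    """
    report = defaultdict(dict)
    for ip, n in suspicious_sources(log_text, min_default_hits).items():
        report[isp_for(ip) or "unknown"][ip] = n
    return dict(report)


if __name__ == "__main__":
    for isp, hosts in abuse_report(SAMPLE_LOG).items():
        print(isp)
        for ip, n in sorted(hosts.items()):
            print(f"  {ip}: {n} default-credential attempts")
```

With the threshold of two list hits, only 203.0.113.7 makes it into the report; 198.51.100.23 and 203.0.113.8 each tried a single default pair and would need more evidence. The threshold is a tuning knob, not a rule: a real deployment would also correlate across honeypots and time windows, and the timestamps should travel with the report because, as the last comment notes, the ISP is the party that can turn an IP plus a time into an account.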



