[HN Gopher] Adafruit requires 2FA to prevent bots buying out Ras...
___________________________________________________________________
Adafruit requires 2FA to prevent bots buying out Raspberry Pi
Author : 7402
Score : 191 points
Date : 2022-03-22 17:49 UTC (5 hours ago)
(HTM) web link (blog.adafruit.com)
| paxys wrote:
| How does 2FA stop bots?
| tormock wrote:
| ESP8266s can be used for a lot of things that people use RPi
| for... and they are a lot cheaper.
|
| I just sold 2 used RPi that I bought ~10 years ago for more than
| what I paid for them brand new...
| n4bz0r wrote:
| I've been wondering about that myself, but then it occurred to
| me that there are very poor countries where kids simply don't
| have access to any computers at all. The appeal of Pi in this
| situation is that you can program _and_ prototype on the thing,
| and it's relatively affordable (well, at least it is supposed
| to be). For ESPs you'd need a separate device to write and
| upload the code.
| chmod600 wrote:
| What's the background here? Why is this model so popular? Are
| previous models a viable alternative for some? How long until
| production can catch up?
| wnevets wrote:
| It seems like online scalping in general has skyrocketed since
| the pandemic started in 2020, the most famous probably being
| GPU cards.
| stjohnswarts wrote:
| And the ubiquitous ticket scalper bots.
| sbierwagen wrote:
| Scalping happens when the list price is lower than the market
| price.
|
| Nobody scalps shares of Alphabet, because the price floats.
| Merchants don't want to increase list prices, because they'll
| get yelled at, so instead they run out of stock and middlemen
| collect the arbitrage price. If you don't like it, tell
| stores to increase prices, and tell CNN to stop running
| stories about how awful greedy businessmen are causing
| inflation purely out of spite.
| chmod600 wrote:
| I was interested to hear more about why this model is so
| exciting. Any thoughts, or just faster/better?
| HeyLaughingBoy wrote:
| I think it's just because it's the newest model and for
| many newest == best. Also, they're cheap, so the difference
| between a pi4 and a pi2b isn't that much $$$.
| noobermin wrote:
| It's across the board, with GPUs, things like these pis,
| retro games and accessories even, it's pretty annoying.
|
| Thankfully necessities like TP and masks are no longer being
| scalped but it's still happening in electronics.
| [deleted]
| hashkb wrote:
| I don't understand what's so hard about this problem - if you
| have a platform that's impacted by bots and scalpers, and if you
| want to do the right thing, or give the appearance of doing the
| right thing with almost no cost to yourself or your business, you
| should release your product in a fair lottery with reasonable
| purchase limits.
|
| You have plenty of time before the product is released to
| register and verify everyone. You completely avoid traffic
| issues. Accounting is easy - you'll sell out when you run the
| lottery. You'll build a reputation for releasing inventory fairly
| and without causing undue stress on your customers, and avoid the
| suspicion that you're in cahoots with the scalpers (looking at
| you, Ticketmaster).
|
| I'm accustomed to stressing out over concert tickets and
| struggling to get gaming consoles, and have a deep hatred of
| scalpers and the platforms that enable them, but I had no idea
| that scalpers were ruining the educational/hobby markets too.
| That seems really low.
| n4bz0r wrote:
| Given one of the goals of the project is to allow young people to
| have an affordable PC to learn linux and programming, it would
| make sense to reserve a part of the stock for verified students
| (or teachers) at MSRP.
| cinntaile wrote:
| Fixed pricing with scarce goods tends to lead to this result,
| just let supply and demand sort it out and this problem wouldn't
| exist. Trying to fix this by using 2FA won't change much, it's
| just an arms race where each side keeps investing more and more
| money into fixing a problem that doesn't have to exist in the
| first place.
| colechristensen wrote:
| There are a lot of people who want to play arbitrage with rare
| goods, if you have enough money you can do it with just about
| anything. It is perfectly fair to want your market segment to
| be to deliver cheap rare goods to people without many
| resources.
|
| Sometimes arbitrage helps make efficient markets, other times
| it is just a drag on the economy. It is perfectly fair for a
| provider to not want to only provide goods to people with many
| resources or scalpers.
|
| RPi is also just not a good deal if it is significantly more
| expensive, there are lots of more expensive options out there
| for small computers which have better specs and are more
| readily available.
| teeray wrote:
| > RPi is also just not a good deal if it is significantly
| more expensive
|
| Then the price will fall to the point where it's a good deal,
| but still more expensive than what it is now.
|
| Maybe it's not the $5 Pi Zero anymore, but $50 might not be
| too bad.
| cinntaile wrote:
| > It is perfectly fair for a provider to not want to only
| provide goods to people with many resources or scalpers.
|
| Yes but I doubt this will achieve that goal, at most it'll
| work for a couple of weeks. Also I very much doubt that RPis
| are being bought by financially disadvantaged people to learn
| valuable computing skills. These things are bought by people
| wanting to automate something at home, they're usually well
| off. Schools and training centres don't buy via the Adafruit
| retail channel.
| WheatM wrote:
| zozbot234 wrote:
| As others have pointed out, Adafruit likely _cannot_ raise
| their selling price for these Pi's due to prior contractual
| arrangements. They're essentially forced to ration their
| supply, and all they can do is make the best of a pretty bad
| situation by at least trying to act fair (i.e. limited buys
| only) and rewarding their existing customers with preferential
| access.
| samwillis wrote:
| > just let supply and demand sort it out and this problem
| wouldn't exist
|
| That would go against the mission of the Raspberry Pi
| Foundation which is to promote computer science education.
| Accessibility through low prices is an important aspect of that.
|
| Not all problems are solved with free markets.
|
| https://en.m.wikipedia.org/wiki/Raspberry_Pi_Foundation
| lvass wrote:
| There's just no way to look into this and not think they are
| doing an absolute shit job. A raspberry pi 4 costs the
| equivalent of 200 US Dollars in Brazil, more than some brand
| new laptops. Most of our population do not have computers,
| RPi availability would be awesome for us.
|
| Allowing some people in some countries to get it for $35 is
| just the lazy solution. I'd be glad to pay $50, because I'm
| able to. Put in some effort so the ones who really need it
| can get it cheap. Sell it at real market value for the rest
| of us. Doing good things requires effort.
| Ajedi32 wrote:
| Lowering prices doesn't make the product more "accessible" if
| you can't supply enough to keep up with demand at that price.
| It just turns the purchasing process into a lottery rather
| than a bidding war. I can't say I find the former process any
| more in line with the Pi foundation's stated goals than the
| latter.
| zht wrote:
| so let's say that you target people who can only afford $30
| computers
|
| if it's a lottery, then some of those people would be able
| to buy it at $30
|
| if it's a bidding war, then none of them would be able to
| buy it at $30
| [deleted]
| AussieWog93 wrote:
| >so let's say that you target people who can only afford
| $30 computers
|
| I cannot name a single person who has bought a RPi that
| isn't either a generously-compensated STEM worker or a
| member of their immediate family.
|
| I also cannot name a single person who has bought an RPi
| that doesn't already own a mid-to-high-end desktop or
| laptop.
|
| Poor people buy used smartphones or refurbed ex-office
| PCs.
|
| EDIT: This probably explains why there's a strong
| scalper's market for this, thinking about it. Raspberry
| Pi's typical customers are wealthy enough to not care
| about paying an extra few bucks.
| Ajedi32 wrote:
| That makes sense, assuming "people who can only afford
| $30 computers" are your _sole_ priority. If you also care
| about, for example, "people who can only afford _$40_
| computers", then a better approach would be to raise
| prices to match market value and use the resulting
| profits to increase supply.
| HeyLaughingBoy wrote:
| As another poster noted, a lot of businesses are basing
| their product lines on the Pi and Pi Compute Module. To
| those businesses, the market price can rise well past $40
| and completely out of the "hobbyist price range" before
| it becomes worth it to them to find alternatives. With
| the difficulty of finding components these days, that
| "increase in supply" that the increased revenue brings to
| the Pi Foundation may not come for a very long time.
|
| I developed a pi-based system for a well-known company
| that now has a few hundred deployed at various sites. I
| can assure you that they wouldn't blink at $200 each.
| There are businesses out there redesigning their products
| because they can't find _any_ at all.
| londons_explore wrote:
| If the goal is 'get it into the hands of students to
| further computer science education', then the lottery might
| end up getting more into student hands than an auction.
| Remember students are pretty poor compared to VC backed
| startups trying to deploy their latest IoT blender with
| Blockchain technology.
| eikenberry wrote:
| Are they selling them at a loss? If not then the market would
| work fine, they just need to increase production. Maybe
| they'll make enough money to give some to students that way.
| cinntaile wrote:
| Yes the free market can't solve everything, but we still have
| to wait for the free market to solve the supply chain issues
| before this situation will improve. They could temporarily
| let go of their fixed pricing rule in the meantime.
| digitallyfree wrote:
| As an aside, used thin clients and industrial PCs are a good x86
| alternative to the Pi if you require similar performance and
| don't need GPIO. They are quite plentiful on ebay, include a
| housing, and consume little power.
| amelius wrote:
| Better let the bots through, let them pay, then say that the
| items are on backorder.
|
| >:)
| dzhiurgis wrote:
| I've recently sold my 2-3 yr old unused RPI and made a profit,
| that's insane.
| cjcampbell wrote:
| Glad they took this step to slow down the bots. The situation has
| been rough since rpilocator.com came along. I haven't been able
| to complete a purchase since the week it hit HN.
|
| I use the pi for teaching, and could previously pick one up every
| couple weeks just by signing up for stock notifications. I was in
| the middle of a purchase in February when rpilocator updated to
| show stock and Adafruit went offline due to the traffic surge.
| The disruption lasted about half an hour.
| syntheticnature wrote:
| Clever way to become the site of _first_ resort for makers and
| engineers.
| ephbit wrote:
| What's this about?
|
| Are the bots operated to manipulate the market, by buying up the
| whole supply to then sell at a higher price?
| throwaway81523 wrote:
| Sometimes the bots are just because people want the items for
| themselves. I know of some companies that bought 1000s of disk
| drives for their data centers that way from retailers, back
| when there was a drive shortage a few years ago.
| teeray wrote:
| The bots are middlemen that ensure proper pricing of scarce
| goods. Their commission is the difference between the retail
| price and the actual market price.
| Karellen wrote:
| It's a roundabout way of stating the 55th rule of
| acquisition, but I'll allow it.
|
| Or is it the 110th?
|
| (The 140th and 144th also seem relevant here.)
| stjohnswarts wrote:
| Sorry, bro, if I'm selling a product, and part of my goal is
| to see "regular people" get a chance to buy it and get a
| decent price it's well within my rights to try methods to
| limit scalping, just like governments prevent gas/food
| overcharging during emergencies. Not everything is a "pure"
| market.
| [deleted]
| dymk wrote:
| The bots ensure that steps are taken such that scarce goods
| are distributed in a manner better than "whoever can pay the
| most".
|
| RPis have, and will continue to be, aimed at education and
| enrichment, and the makers/retailers will take steps to
| ensure that as many people as possible can get ahold of them
| at a low price.
| Ajedi32 wrote:
| If you want to start making value judgements about who is
| worthy to purchase your product, wouldn't it be better to
| enforce that by directly verifying the identity/worthiness
| of each individual customer rather than relying on crude
| proxies like "didn't use a bot to make the purchase"?
| unfocussed_mike wrote:
| It's not a crude proxy.
|
| In this case it is a vendor deciding not to sell to a
| customer who is acting in a way they perceive to be bad
| faith. This is their right as a vendor.
|
| In this case it happens that the bad faith is at
| comfortably at odds with the objectives of the vendor and
| product manufacturer.
|
| As high incomes diverge even further from low (and even
| median) incomes, we're going to see this happen a lot
| more.
|
| And I think until this chip shortage is over in
| particular, we will see a lot more measures like this.
|
| I fully applaud this -- I love my Pi 4 and I want more
| people to experience what these little things can do,
| without paying over the odds to cynical manipulative
| stains.
| ryandrake wrote:
| Not sure why you're getting DV'ed. If a product is priced
| such that it is actually profitable to have bots buy it (and
| presumably re-sell), then it's priced incorrectly and the
| bots are a corrective market force.
|
| If a gas station started selling gasoline at half price, it
| would be instantly overrun with everyone from Harry with his
| pickup truck full of jerry cans to empty tanker trucks.
| giantrobot wrote:
| The demand for the Pi has always been about the low price
| coupled with capability. The Pi is impressively capable for
| $35. It's far less impressive at $50. It's downright shit
| for $100.
|
| Scalpers are going to slit their own throats by price
| gouging Pis. Demand for Pis will dry up if the price stays
| at $100.
| colechristensen wrote:
| With enough money you can corner any market and turn an
| abundant product into a rare one.
|
| Tends to make a lot of money for a few people until the
| market inevitably crashes which often puts many of the
| suppliers out of business.
|
| https://en.wikipedia.org/wiki/Tulip_mania
|
| https://en.wikipedia.org/wiki/Onion_Futures_Act
| criddell wrote:
| Wasn't that long ago that somebody tried to corner the
| cacao market.
|
| https://www.nytimes.com/2010/07/25/business/global/25choc
| ola...
| teeray wrote:
| This doesn't always work out, and can destroy the
| speculator too. Imagine how many piles of hand sanitizer
| and toilet paper are out there, bought to resell for
| profit.
| logifail wrote:
| see also https://en.wikipedia.org/wiki/Nelson_Bunker_Hunt
| mardifoufs wrote:
| Attempts to corner markets have almost always resulted in
| disastrous losses for the conspirators. Not that
| cornering the raspberry pi market would even be possible
| or make sense.
| unfocussed_mike wrote:
| I think you're ignoring that there are now entire classes of
| wealth where value for money is entirely secondary to
| instant gratification.
|
| Anti-scalping measures are going to be necessary more and
| more often as the super-rich diverge from the merely rich
| and the rich diverge from the poor etc.
| nonameiguess wrote:
| Raspberry Pis are developed by a literal charity that has
| making computing and computing education affordable as its
| mission. That's why he's getting downvoted. This attitude
| is effectively saying charity should be punished and profit
| is the only worthy goal any organization should ever have.
| kube-system wrote:
| If you want to take the pure economics argument -- you have
| failed to account for the present value of future business
| that Adafruit will generate by keeping their repeat
| customers happy.
| postalrat wrote:
| If bots are corrective then what would you call adafruit
| avoiding selling to bots?
| fartcannon wrote:
| Vultures, parasites, vampires.
| jterrys wrote:
| The world isn't a stock market simulation.
| atsmyles wrote:
| This is true. However, it is not the whole story.
|
| 0. Adafruit cannot raise prices of rpis due to contract.
|
| 1. Adafruit makes the same amount of money regardless of who
| buys the product.
|
| 2. It is in the incentive of Adafruit to increase its
| customers' goodwill. It is considered an asset for Adafruit
| (Companies account for this via 'Good Will').
|
| 3. People generally don't like scalpers, "Scalpers bad"
|
| 4. By providing means to avoid scalpers, they are capturing
| some of the profit that scalpers would be making and
| converting it to a 'Good Will' asset, "Adafruit Good"
|
| 5. 'Good Will' + money > money
|
| Thank you for participating in economic analysis.
| meltedcapacitor wrote:
| Point of order on 2:
|
| Companies do not account for this as "good will".
|
| Accounting "goodwill" is the price an acquiring company
| pays above the accounting value of the business being
| bought, which is a notional number usually (much) lower
| than the economic value of a successful business.
|
| https://en.wikipedia.org/wiki/Goodwill_(accounting)
| MereInterest wrote:
| All hail the free market! The free market is wiser than any
| of us. If you sell at cost, the free market will, in its
| wisdom, increase the price. If you make a good product, the
| free market may move it above your family's means. Any
| charity you give is a distortion of the market, distortions
| which prevent the creation of luxury goods!
|
| All hail the free market! Let it be free, and may our own
| freedom be priced accordingly!
| 34679 wrote:
| https://news.ycombinator.com/newsguidelines.html
|
| > In Comments
|
| > Be kind. Don't be snarky. Have curious conversation;
| don't cross-examine. Please don't fulminate. Please don't
| sneer, including at the rest of the community.
| AussieWog93 wrote:
| I don't think GP's comment is particularly unkind or
| mean-spirited. It could be a cultural thing, though.
| MereInterest wrote:
| While it could be argued whether I was being unkind, in
| re-reading I certainly wasn't being kind, and there was
| no small amount of snark. While I stand by the sentiment
| behind the comment, I don't think it is likely to change
| the mind of the poster I was replying to. There's a
| chance that it would avoid having the conversation turn
| into an extremely capitalist/libertarian echo chamber as
| commonly happens here, but that's about the extent of it.
|
| Partly, the mindset that was evident in teeray's post was
| rather frustrating. Implicit in the post was a dismissal
| of the Raspberry Pi Foundation's goals of providing
| low-cost teaching hardware, an assumption that
| redistribution to those who can pay more is a good thing,
| blame at Adafruit for not having priced out the primary
| target market in the first place, and praise for scalpers
| who are standing between a charity (RPF) and its intended
| recipients. None of those were explicitly stated, but
| those are the implications and results of the philosophy
| in that comment. It's a cruel, unkind, and mean-spirited
| philosophy, which is why I felt it appropriate to respond
| with snark.
| cinntaile wrote:
| So who are these intended recipients and how certain are
| you that they're the ones buying them?
| internet_user wrote:
| Whats your preferred method of rationing scarce resources?
| colechristensen wrote:
| Putting severe limits on people who would arbitrage the
| rarity when the seller doesn't want to raise prices.
| Allowing the seller to determine how they want to
| distribute sales of the item (as long as it isn't price
| gouging essential goods)
| kelnos wrote:
| Why should "whoever has the most money" or "whoever is
| willing to pay the highest price" be the fairest way to
| ration scarce resources?
|
| Speculative resellers don't actually provide any value.
| They just extract extra cash from people who want
| something, when -- absent the retailer with automated
| buying tools that are faster than humans -- those people
| could have acquired the product from the original seller
| at a lower price.
|
| I think "whoever gets through the website order form the
| fastest" is a perfectly reasonable (if often frustrating)
| way to ration scarce resources. You get in line, as a
| person, and get to buy some limited quantity for your own
| personal use.
|
| Certainly no one can outright ban a secondary reseller
| market, but I think it's perfectly reasonable for a shop
| to want to sell to real end-users rather than people who
| will just turn around and scalp people who could have
| been potential customers... customers who are now
| frustrated and get a worse experience.
| teeray wrote:
| > I think "whoever gets through the website order form
| the fastest" is a perfectly reasonable (if often
| frustrating) way to ration scarce resources.
|
| Until you put the FTTH connection in Ashburn, VA sitting
| next door to every major cloud provider against the 3G
| user in Somalia.
|
| Clicking through the form degenerates to an unfair
| lottery where you can buy more raffle tickets by paying
| more to your ISP.
| AussieWog93 wrote:
| > Why should "whoever has the most money" or "whoever is
| willing to pay the highest price" be the fairest way to
| ration scarce resources?
|
| It's not the fairest, but it is definitely better than
| arbitrary. If Alice is willing to pay $5 for a widget,
| and Bob is willing to pay $50, it's likely that Bob
| values the item more than Alice does.
|
| It's also possible that Alice is simply poor, of course,
| but I can't imagine how a practical system could take
| this into account without also destroying incentive
| structures.
|
| >I think "whoever gets through the website order form the
| fastest" is a perfectly reasonable (if often frustrating)
| way to ration scarce resources. You get in line, as a
| person, and get to buy some limited quantity for your own
| personal use.
|
| This is arbitrary, IMO. Might as well hand them out to
| whomever can win a race in Mario Kart.
| kube-system wrote:
| Adafruit isn't "rationing scarce resources", they're
| trying to provide good service to their customers.
| Adafruit is an actor in a "free market" acting in their
| best interest.
| internet_user wrote:
| i don't disagree, adafruit is probably acting in their
| best interest, however they perceive what that interest
| might be, it's not always just "more profit", more often
| than not, it's a matter of survival that is at stake.
|
| My issue was with the comment somehow suggesting the
| entire system (Big Bad Market) is somehow less wise than
| an individual actor.
|
| Yet, the entire system contains much more information,
| that the individual actor does not, and can never have
| access to, e.g. value judgements of other market
| participants he will never meet.
|
| Markets, at the core, are just auctions. It's one way to
| resolve the question who gets the scarce resource first.
| At other times, it's medical triage, a system very
| different from "free markets". It can also be first-come,
| first-serve, which is what is currently being attempted by
| Adafruit now.
|
| Many such options. Why is "free market" judged to be
| inappropriate here?
|
| From my experience in markets with severe shortages,
| the first-come/first-serve rationing approach never failed to
| produce a poor supply, and free floating markets were
| always oversupplied (to a varying extent, but in general
| there was a trend).
| kube-system wrote:
| Sometimes people express a sentiment that the
| supply/demand curves are more than just tools to evaluate
| a situation, but instead, are a sacred ideal to always
| strive towards. But economists also recognize that
| markets are awful at pricing in externalities, and even
| worse at respecting morals and ethics.
| kelnos wrote:
| This is the core of it for me.
|
| The base Raspberry Pi model is supposed to cost $35,
| because the Raspberry Pi Foundation has decided that
| offering a low cost SBC is important for the world.
|
| Using a bot to buy up all inventory so you can resell it
| at $50 or $100 or whatever is unethical. You have
| provided no added value; you are just a parasite scalping
| others for your own enrichment.
|
| If this is what a "free market" is, as many people here
| seem to think, then free markets are objectively bad for
| the commons.
| cinntaile wrote:
| It's not a free market since the manufacturer determines
| what the stores should sell it for and the result is a
| middleman extracting the value between set price and
| market price.
| MereInterest wrote:
| Exactly! Treating the good intentions of a seller as an
| opportunity for arbitrage is unethical.
| teeray wrote:
| If the resources weren't scarce, this article wouldn't
| exist.
| kube-system wrote:
| I never said they weren't. I am saying that Adafruit is
| not playing economics. They're kicking bulls out of their
| china shop.
| [deleted]
| mfringel wrote:
| My preferred method is overly broad rhetorical questions
| that add nothing to the conversation. Also, spatula.
|
| Yours?
| shkkmo wrote:
| There are many ways to ration scarce resources. Each method
| serves different goals so different methods are
| appropriate in different contexts.
|
| Here's an incomplete list of common tools:
|
| 0) fitness judgement (e.g. grants, scholarships etc)
|
| 1) First come first serve (e.g. most product launches)
|
| 2) lottery (e.g. grand canyon rafting permits)
|
| 3) auction (e.g. broadband spectrum)
|
| 4) third party speculators (e.g. scalping)
|
| You can often use several of these methods
| simultaneously, but if your goals include prioritizing
| egalitarian access to the scarce resource then #4 can
| significantly interfere with that goal. There's a reason
| you aren't allowed to resell grand canyon rafting
| permits.
| NextHendrix wrote:
| >grand canyon rafting permits
|
| Interesting, I had no idea.
|
| More info https://www.nps.gov/grca/planyourvisit/weightedlottery.htm
| shkkmo wrote:
| It's actually extremely relevant as the weighted lottery
| system for non-commercial permits was used to replace the
| prior system which was a first-come first-served
| waitlist. It's a great example of evaluating different
| methods of rationing access to a limited resource when
| the primary goal is not maximizing revenue or efficiently
| distributing resources for maximum economic production.
| jabroni_salad wrote:
| Are they actually scarce, though? Is it legitimate
| customers, or botted speculators, that create more
| demand? It seems to me that someone has realized the
| product is slow enough they can afford to just buy all of
| them to resell regardless of actual demand. I used to do
| this with glyphs in WoW and got a lot of hate mail for
| it. I was buying cheaper glyphs in such quantities that I
| would delete a good third of them due to warehousing
| capacity and was still making money reselling other
| people's products, and even then I was not selling 100% of
| my stock. To me this means that demand was actually lower
| than what the market could bear if it weren't for me
| pinning it at 100% by buying literally everything. It's
| totally abusive but nobody can do anything about it.
| fmajid wrote:
| All official RPi resellers are required to sell them without
| forced add-ons, at the list price. The scalper bots are trying
| to arbitrage that.
|
| I think a CAPTCHA in the ordering process would make more
| sense.
| AussieWog93 wrote:
| >I think a CAPTCHA in the ordering process would make more
| sense.
|
| There was another thread here a while back where someone
| shared their experience writing sneaker scalping bots.
| Apparently, CAPTCHA tokens are valid for a minute or so, so
| this guy would solve heaps of them just before the form went
| live and cache the validation tokens.
|
| Then, when the form went live, the real humans who didn't
| have cached CAPTCHA tokens would be slowed down even more.
|
| Net result is that the botters ended up getting an even
| greater share of the supply than without CAPTCHAs.
| folkhack wrote:
| > Apparently, CAPTCHA tokens are valid for a minute or so,
| so this guy would solve heaps of them just before the form
| went live and cache the validation tokens.
|
| I mean there's whole services like 2captcha that give you a
| 24/7 on-demand API for this, and for some of their
| offerings/solvers there are specifically real human robots
| on the other end doing the CAPTCHA.
|
| 2captcha works very very well to the point that CAPTCHA is
| a very much solved problem especially for the popular
| services like Google's reCAPTCHA.
| Scoundreller wrote:
| I wonder how much retail arbitrage is just leaks by the
| resellers themselves.
|
| But always better to blame scalpers. They can't defend
| themselves if they don't even exist.
| folkhack wrote:
| > retail arbitrage is just leaks by the resellers
| themselves
|
| Anecdotal, but IMO lots... just depends on the industry.
|
| It's a good situation for someone to come along and buy up
| some or all of your risk - especially for stuff like ticket
| sales. Many corporations like Ticketmaster design around
| this, and bake this part of the supply chain into their
| pricing/experience.
| bradly wrote:
| FWIW I missed reservations to a national park because I use
| Firefox and Google made me click traffic lights and buses for
| thirty seconds before being able to continue.
| dljsjr wrote:
| I guess you could call it market manipulation but it's more
| just resellers/scalpers trying to take advantage of the chip
| shortage. RPis have always been in high demand and often were
| backordered even when things were fine; now they're supply
| constrained enough that scalpers can buy up in bulk and resell
| at high markup, similar to the GPU aftermarket going on right
| now.
| jason-phillips wrote:
| Yes, in many industries.
| vmception wrote:
| What Adidas did was release 30,000 NFTs and require proof of
| current possession of one of the NFTs (colloquially called
| 'ownership', just hoping to avoid a semantics discussion) to gain
| access to the purchase of some new merchandise.
|
| If bots were not in the sale then they will not be able to
| purchase the merchandise. Bots can purchase one of the NFTs from
| someone else usually at a premium, to participate. The bot
| developer needs to do some additional coding.
|
| In any case, the merchandise buyers now get to feel like it's more
| fair, even with the presence of potential bot buyers, since a
| stake was placed. The market has priced the NFTs based on how
| much they think the subsequent merchandise will resell for.
| Currently these are worth $4,300 and Adidas initially sold them
| for $800 and at least $84,000,000 in volume over 4 months.
|
| Adidas gets the proceeds of the initial NFT sale, a commission
| from the NFT resales ("royalties"), as well as the proceeds from
| selling the merchandise.
|
| It's a form of an additional factor.
| shkkmo wrote:
| I sure hope more companies don't adopt this sort of
| gatekeeping, that sounds awful for the people who actually want
| to wear the shoes and great for the speculators who are abusing
| that demand to make money.
|
| If you have limited runs that you want to sell fairly and
| maximize profit on, why not just do a regular auction?
| vmception wrote:
| I think what you're missing is that Adidas and many
| streetwear companies have already gone decades without
| acknowledging that their purchasers for certain merchandise
| are scalpers and speculators.
|
| It's a massive scene that has grown by orders of magnitude
| over the last decade like many other scenes.
|
| The only thing new here is that Adidas finally acknowledged
| it.
| shkkmo wrote:
| I'm not missing that fact. I think that NFTs are a bad,
| customer hostile solution to that problem.
| vmception wrote:
| It's more of a byproduct of a marketing push than an
| attempt at a solution.
|
| I didn't say Adidas did this _because_ of a problem, they
| did this for fun. The problem is also distorted due to
| it.
|
| In the context of Adafruit's issue, the same model would
| have a result a bit more different than a one-time-
| password implementation.
| shkkmo wrote:
| > It's more of a byproduct of a marketing push than an
| attempt at a solution.
|
| > I didn't say Adidas did this because of a problem, they
| did this for fun.
|
| This, I absolutely agree with.
|
| > In the context of Adafruit's issue, the same model
| would have a result a bit more different than a one-time-
| password implementation.
|
| Adafruit is trying to keep access affordable, so the
| Adidas model isn't appropriate to their goals.
| vmception wrote:
| mmm yeah forgot that was one of the purposes of the
| Raspberry Pi, I just noticed that the 4's are too good
|
| and they noticed it too apparently
| criddell wrote:
| What you call _gatekeeping_ , Adidas would probably call
| _price discovery_.
| shkkmo wrote:
| An auction seems like a much simpler way to do price
| discovery without excluding that part of your customer base
| that doesn't know how to use an NFT (or doesn't want to.)
|
| Edit: The market is for the NFTs, not for the shoes
| themselves. It isn't clear to me how Adidas is able to
| separate demand for the shoes themselves from speculative
| interest in making money off of the NFT. Markets can indeed
| be great price discovery mechanisms, but rampant
| speculation can significantly tarnish the effectiveness of
| that mechanism because the pricing can become more
| dependent on the market's understanding of demand rather
| than on the demand itself.
| vmception wrote:
| > The market is for the NFTs, not for the shoes
| themselves. It isn't clear to me how Adidas is able to
| separate demand for the shoes themselves from speculative
| interest in making money off of the NFT.
|
| The real question is why assume that was a goal?
|
| Adidas and many companies don't raise the MSRP
| specifically because they know they have a price
| sensitive audience and reputation. This gives them
| plausible deniability, the ability to sell an additional
| product and financial exposure to the volume in the
| secondary market anyway.
| shkkmo wrote:
| > The real question is why assume that was a goal?
|
| I didn't assume that. I was disputing an assertion that
| "price discovery" was the goal and that somehow made this
| not "gatekeeping".
| vmception wrote:
| and so do I
|
| Glad to see mechanisms for the primary seller to accrue
| value from the secondary market.
| kelnos wrote:
| I don't think it's ever "fair" when bots buy scarce things that
| humans want. (Assuming, here, that the bot owners are buying
| for speculation, and not for personal use. I think it's a
| little more grey, but more or less ok, when an individual
| writes a bot so they can snag a single unit of something that
| they want.) Putting the sale behind NFT possession (where a bot
| could purchase the NFT in the first place) doesn't really
| change anything.
|
| Adidas' NFT scheme just acts to inflate the price, which is
| probably fine for a limited luxury good; certainly Adidas would
| rather capture more value per sale than leave that value to
| speculators/resellers. But for something like a Raspberry Pi,
| an end-user being able to acquire one for $35 is a key part of
| its appeal. If they're "bid" up to several hundred dollars
| through this auction-like NFT scheme, that defeats the purpose.
|
| While I'm not sure 2FA is the most effective way to weed out
| bots (maybe it is, I don't know), I think it's perfectly
| reasonable to try to set up a marketplace where all buyers are
| individuals who are buying the product for their own use, and
| aren't scalpers/speculators. These latter sorts of people are
| just parasites and usually provide no real value.
| tuxoko wrote:
| How does it change anything other than Adidas getting the
| profit of inflated price? And if Adidas has an idea of what the
| resale price would look like to price their NFT, why don't they
| just price that into the shoes themselves?
| vmception wrote:
| Adidas and many companies don't raise the MSRP specifically
| because they know they have a price sensitive audience and
| reputation. This gives them plausible deniability about the
| real demand and more accurate market based pricing, the
| ability to sell an additional product and financial exposure
| to the volume in the secondary market anyway.
|
| Correct, they get to profit off the inflated price, and they
| finally get to acknowledge their speculator purchasers who
| they've been ignoring for decades. The speculator purchasers
| feel like they have a more even playing field.
| advisedwang wrote:
| What stops automation of grabbing the initial NFT release?
| vmception wrote:
| Nothing and that wasn't the goal, current owners of the NFT
| can also develop bots for when the merchandise is released
| for purchase. It just limits the size of the participant
| pool, how many bots are being competed against and shows what
| those bot owners would be willing to pay for access because
| of what they think they can resell the merchandise for.
|
| Adidas previously never had exposure to the secondary market
| of its goods, now it does and it also discovers the price at
| which people want to buy and sell at. Individuals can attempt
| to buy NFTs from the bot owner, the bot owner _might_ have a
| price. If they do, the individual gets the NFT and can buy
| the merch. In all scenarios, Adidas makes some commission.
| lagrange77 wrote:
| Maybe these are just some pitiful injured robots, trying to get
| hold of some spare parts for self repair. :'(
| charcircuit wrote:
| If you want to prevent scalpers just sell the new units that come
| into stock in a reverse auction. Start the price at $500 and
| lower the price by a dollar every minute. Once all of the stock
| is sold out you charge everyone the price the last unit was sold
| for.
|
| In this system bots don't have an advantage over humans. Humans
| can preinput what they are willing to pay and there will be no
| race against bots like what you see here.
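As an added example (not code from the thread), a simulation of the descending-price auction charcircuit describes, with bidders' pre-entered limits and a uniform clearing price; the tie-break rule at the last tick is an assumption of the example:

```python
# Added example: descending-clock ("reverse"/Dutch) auction with a uniform
# clearing price, as proposed in the comment above. Bidders pre-commit the
# most they will pay; the clock starts high and drops by a fixed step per
# tick; once stock runs out, every winner pays the price of the last sale.


def descending_clock_auction(max_prices, stock, start=500, floor=1, step=1):
    """Return (clearing_price, winners).

    max_prices: dict bidder -> highest price they pre-committed to pay
                (insertion order is the order the limits were entered).
    stock: number of units available.
    Ties at the final tick are broken by insertion order (first committed,
    first served); that rule is an assumption of this example.
    Returns (None, []) if nobody bid at or above the floor.
    """
    winners = []
    taken = set()
    last_sale = None
    price = start
    while price >= floor and len(winners) < stock:
        # Everyone whose limit is at or above the current price buys now.
        for bidder, limit in max_prices.items():
            if len(winners) >= stock:
                break
            if bidder not in taken and limit >= price:
                taken.add(bidder)
                winners.append(bidder)
                last_sale = price
        price -= step
    return last_sale, winners


# Constructed bids: a scripted buyer with an absurd limit gets a unit, but
# pays the same clearing price as everyone else, so timing buys it nothing.
SAMPLE_BIDS = {"bot": 10_000, "ann": 480, "bob": 300, "cy": 120, "dee": 120}

if __name__ == "__main__":
    print(descending_clock_auction(SAMPLE_BIDS, stock=3))
    # -> (300, ['bot', 'ann', 'bob'])
```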
| snapetom wrote:
| For anyone confused in setting this up, the App is Twilio Authy
| in the Apple App Store. The logo in the app store has little
| contrast and the Adafruit blog post just calls it "Authy" which
| returns dozens of 2FA apps.
| cheeze wrote:
| It's just oauth totp. You can use whatever 2fa authenticator
| you want. I like the one built into BitWarden personally.
|
| Authy works fine too (there is a good authenticator app that is
| actually called Authy)
| Izkata wrote:
| > and the Adafruit blog post just calls it "Authy"
|
| Twilio acquired Authy in 2015, but didn't put their brand on it
| until a year or two ago, so a lot of people just call it
| "Authy" out of habit/without knowing Twilio owns it.
| azinman2 wrote:
| You can use any 2FA app such as 1Password
| atlgator wrote:
| Is there a particular use case making the Pi 4 so in demand?
| ohyeshedid wrote:
| *OTP isn't much of a barrier. SMS would've increased the cost a
| little more. Both easily automated. I know retailers are trying
| to fight the tide, but they're going to need more than teacups.
| alexk307 wrote:
| Good. Supply is so limited right now, but everyone should be able
| to get one at MSRP if they want one. The whole goal of the Pi
| project is to make computers affordable to enable learning and
| prototyping. I pre-ordered a Pi 4 about 3 months ago, and I
| should receive it this week if I'm lucky.
| avian wrote:
| > The whole goal of the Pi project is to make computers
| affordable to enable learning and prototyping
|
| Is it still though? They have been pushing into various
| industrial and commercial markets. There was talk about
| Raspberry Pi Trading planning an IPO this year [1].
|
| There are companies now that are basing their entire product
| lines around Raspberry Pi's Compute Modules. This then drives
| demand for other Raspberry Pi products as well. When you're
| deeply invested into that ecosystem you also need Pis 3s and 4s
| for builds, testing, development, etc.
|
| [1] https://news.ycombinator.com/item?id=29392649
| samwillis wrote:
| An IPO of Raspberry Pi Trading Ltd would unlock a lot of
| funds for the Raspberry Pi Foundation which could be
| reinvested into further educational activities. It's probably
| a good move for the original mission of the foundation.
| deadbunny wrote:
| Isn't this how we end up with another Mozilla? No way to
| support the nonprofit and the company keeps doing stupid
| shit.
| folkhack wrote:
| > An IPO of Raspberry Pi Trading Ltd would unlock a lot of
| funds
|
| It would also make every decision that the company makes
| from here going forward one of fiduciary responsibility to
| the shareholders. For a project rooted in affordable open-
| source hardware/software that's a major conflict of
| interest.
|
| I get that "Raspberry Pi (Trading) Ltd" is not the
| Raspberry Pi Foundation, but it is wholly owned by the
| foundation as a subsidiary. IMO, it'd be of major concern
| if any RPI business entities went public.
| skybrian wrote:
| As long as the company can make a reasonable argument
| that it's in the long term interest of shareholders, they
| can do all sorts of things. It just has to be a
| reasonable business expense.
| nothasan wrote:
| Pretty easy to automate this
| bradly wrote:
| Maybe now is a good time to sell all my Pi's I bought
| throughout the years with good intentions of building something
| one day.
| largbae wrote:
| Indeed. Once you start, you won't stop
| NowhereMan wrote:
| Looks like you can use OATH TOTP, which can be easily automated.
| I don't understand how this is an effective countermeasure
| against bots.
| samwillis wrote:
| This adds friction to the process of automating the buying
| process. Preventing bots is an endless cat and mouse game,
| every protection you put in place will be circumvented
| eventually. You just have to keep changing tactics and adding
| new layers. That's what they are doing here.
|
| Realistically the best protection that they could put in place
| is a rate/qty limit on the credit card being used. It can still
| be automated by using stolen cards, or one of the services that
| instantly creates new card numbers for you. But again it adds
| friction.
|
| Also limiting the number of orders to delivery addresses would
| be an easy mitigation.
|
| It wouldn't surprise me if they are doing both of those already
| though.
| wyager wrote:
| This seems like an especially trivial-to-bypass mitigation.
| kube-system wrote:
| Maybe, but it's also just a good idea to do anyway, so
| might as well.
| samwillis wrote:
| It may be "trivial" to someone with a high level of
| expertise. But the number of moving parts required in that
| automation does add a significant barrier to most of the
| "script kiddies" that are using bots.
|
| You still need to automate account creation and setting up
| of a TOTP token, that's not "easy" for a lot of people.
| spookthesunset wrote:
| Like the poster said, it's whack-a-mole.
|
| These trivial mitigations at least filter out low-effort
| script kiddies. People gaming the system "for real" will
| put incredible effort into getting around your
| countermeasures. You always have to be one step ahead of
| them.
| azinman2 wrote:
| What would you suggest?
| nomel wrote:
| Low device limit per phone number/payment card, with the
| standard checks for VOIP would probably make things
| painful enough for most. Heck, outsource the bot checking
| and require a Facebook/Gmail/Apple/Twitter/whatever
| login. Intrusive as heck, but it works relatively well
| since those companies have already whacked a million
| moles.
| [deleted]
| udia wrote:
| I agree, 2FA seems unrelated to stopping bots. It really seems
| like some form of rate limiting and captcha should have been
| used instead.
| cft wrote:
| https://2captcha.com/
| kube-system wrote:
| I love the "workers banned" stat. It's bots all the way
| down.
| gaius_baltar wrote:
| > $0.50 for 1-2 hours, depending on service load.
|
| Where in the world do they plan to hire people for these
| rates?
|
| In India, the country with the lowest Big Mac Index as in
| [1], it would take 6.48h for the human-bot to pay for a Big
| Mac. And this excludes energy and internet bills and money
| transfer fees. The numbers just don't work.
|
| [1] https://en.wikipedia.org/wiki/Big_Mac_Index#Figures
| londons_explore wrote:
| Perhaps for buying a ras-pi specifically, they'll require SMS
| verification.
|
| With SMS it is hard to create large numbers of fake accounts,
| because getting access to large numbers of phone numbers that
| aren't all in the same block is pretty hard.
| colechristensen wrote:
| A lot of bots are written by really unsophisticated people
| though, often just following online guides. Raising the bar
| lowers the number of adversaries.
|
| You can never eliminate the risk, but it's just one more point
| of friction which is also a not-so-unreasonable speed bump to
| enable for real users.
| bbarnett wrote:
| Maybe, but, no one gets my mobile number, not my bank, no
| one.
|
| It's not in my name, I pay cash for it, I share my contacts
| with no one, etc.
|
| I won't have it linked to me, and with how you can so readily
| be location tracked when someone knows your number, I am
| astonished so many people give it out.
|
| So there goes the easiest 2fa....
| kube-system wrote:
| How is that related to this?
|
| OATH/TOTP does not need your mobile number. It only needs
| the current time, a secret, and an SHA/HMAC function.
|
| There's no phone number involved.
| throwaway81523 wrote:
| Do you mean SMS? I don't see a requirement that you use
| that. Yeah, that would be a pain. My SMS goes to a voip
| number that emails me the message, and that works most of
| the time, but a few jerky sites reject it. I just figured
| that the 2fa slows down requests to 2 per minute or
| whatever, the speed of TOTP codes changing.
|
| I also don't know what a verified account is. If it's just
| email-confirmed then yeah, that is trivial. If it is a
| payment card that worked, or even further a shipping
| address that worked, that can be more annoying to game.
|
| I had thought that it was only the Pi Zero series that had
| strict quantity limits, and that people were supposed to be
| able to buy lots of 4's if they wanted to.
|
| Also, for most users (not all) there isn't really a
| pressing need for a 4, since the 400 has been plentiful and
| is basically a 4 in a different form factor, with an
| attached keyboard. I figured if I wanted a 4 before they
| became available again, I'd just get a 400. What I really
| want is some more Zeros and Zero W's, but I think those are
| both being replaced by the more power hungry and expensive
| Zero W2.
| colechristensen wrote:
| Other people share your contact though, unless you
| exclusively associate with people equally paranoid. You
| simply can't have an anonymous phone number these days
| unless you actively switch numbers all the time which if
| you get accused of something will be used as evidence
| against you.
| loceng wrote:
| And how might voice recognition play into this too? If
| you're not easily identified then you may draw more
| attention and more effort spent to determine who you are.
| bbarnett wrote:
| I have a voip number forwarded for incoming. I have no
| caller id for outgoing.
|
| Thus, even with google having my name linked to a number,
| it does not link to my cell phone.
|
| Reply to comment below:
|
| No one gets my real mobile number, so that is solved.
|
| Why would I care if my VOIP number is in address books?
| That's the point of it, and why I have it.
|
| I'm not trying to hide from the government, I am
| preventing Google, FB, etc from linking my mobile to me,
| and preventing random people from tracking my location,
| which is trivial when they know your mobile number.
| giantrobot wrote:
| It only takes one contact to have your real number in
| your name, or even better also associated with your VoIP
| number in their address book, to lose your "anonymity".
| izzygonzalez wrote:
| That was my thought. The value of a piece of metadata is
| inherent in its context as a node within a network. You
| might have disparate pieces of information about a group
| of people, but weighing their connections by
| similarity/proximity/etc. allows you to develop
| assumptions about individuals, even if all you know is
| their phone number and who had that phone number in their
| contact list.
|
| Specifically, from the point of view of network analysis,
| a missing or unknown node becomes suspect when various
| connections point to it. In the era of high
| connectedness, that seems like kicking a goal on your own
| team if you're playing the "be anonymous" game.
| multjoy wrote:
| Your VOIP number can be resolved to your mobile number.
| Your cell provider has the link.
|
| You withholding your caller ID only hides it from the
| receiving handset, it doesn't disguise it from the
| network.
| getcrunk wrote:
| If you host your own pbx, you can consider it as a proxy
| to your cell phone, and even do it over VPN. You can't
| track that further than the PBX server IP.
| colechristensen wrote:
| Then why do you care? Get another forwarded number for
| giving out.
| 7402 wrote:
| Actually, they don't allow new use of SMS verification.
| [deleted]
| nextaccountic wrote:
| Get another phone number, get a phone with dual sim,
| disable this sim card and only enable to answer 2FA queries
| swiftcoder wrote:
| Unless you cycle across town every time you swap SIMs, I
| don't think this will help much. Just the fact that those
| two SIMs ping the same cell towers is enough for a bunch
| of data aggregators to correlate the numbers back to the
| same person.
| bbarnett wrote:
| Plus, IMEIs are often sequential, and can be queried
| (like a mac address) in a DB. This helps prevent theft.
|
| So they have one IMEI, they have all for that phone.
| bbarnett wrote:
| 2FA is not even remotely secure via sms, as shown 100
| times over. The only reason google loves it so much, is
| it links your real life name to your accounts.
| littlestymaar wrote:
| You'll probably be interested by this other article[1] on
| the front page of HN today, but you're not going to like
| it.
|
| [1]: https://news.ycombinator.com/item?id=30765223
| Terry_Roll wrote:
| You don't need to hand over your mobile number, just get a
| raspberrypi, install freeswitch and sign up to a free voip
| number which happens to be in the range of numbers used by
| mobile phone operators. https://www.sipgatebasic.co.uk/
|
| I really don't know how they think they can use 2FA to stop
| all but the most basic of bots from buying up rpi's.
| bbarnett wrote:
| I have SMS capable voip numbers, and also ones ported
| from old phones. Many 2fa services have a db of these,
| and refused to send.
| esoterae wrote:
| Easiest to pwn 2FA
| evan_ wrote:
| You're misreading, you have to "verify" your account first as
| well as set up MFA.
|
| Verifying just consists of confirming your email via a one-time
| token. Setting up MFA presumably just makes sure there's no
| impetus to hack a bunch of old accounts.
| adolph wrote:
| Adafruit does have stock of Pi Zero WH in the form of Google AIY
| vision kit. Kinda spendy for what it is tho.
|
| https://www.adafruit.com/product/3780
| Seattle3503 wrote:
| I'm surprised they didn't require Phone # verification given the
| issue they are having.
___________________________________________________________________
(page generated 2022-03-22 23:00 UTC)