Security Researcher Gets Threats Over Amazon Review (techcrunch.com)
Kate Conger, reporting for TechCrunch: Amazon retailers sometimes go to extreme lengths to guarantee good reviews, as security developer Matthew Garrett recently discovered when he wrote a one-star review of an internet-connected electric socket. When Garrett politely pointed out that the socket in question was woefully insecure, he received emails from the manufacturer claiming that the review would get employees fired and that other reviewers were campaigning to get Garrett's review taken down. The socket in question is the AuYou Wi-Fi Switch, a $30 device that lets you turn the power from a wall outlet on and off using your phone. [...] But like so many Internet of Things devices, the AuYou switch seems to have a serious security flaw. As Garrett explains in his review, if your phone is connected to your home Wi-Fi, it sends the on/off command to the socket directly. But if you're not home, your phone sends the command to a server in China, which then passes the command along to the socket. "The command packets look like they're encrypted, but in reality there's no real cryptography here at all," Garrett explained in his review. [...] "Just now my boss has blamed me, and he said if I do not remove this bad review, he will quit me. Please help me," the representative wrote. "Could you please change your bad review into good?" Garrett responded that he would update the review if the manufacturer fixed the flaw. The AuYou representative insisted she would be fired if the review was not updated.
Then I guess you should have made a better product.
Killing the messenger won't make your product any less shitty.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Now you write another review about how horribly the company treats its employees.
are not over, yet. By far.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace.
solution: plug socket into HR system and send shutdown notice
You can round up your crummy employees and dump them into an incinerator for all I care. I shit on the mass grave where their mothers have been bulldozed into. I hope they die horribly in a gutter of flesh-eating bacteria infection while their kids are sold into sex slavery to cannibals.
Did the author of this piece even read her own words?
It sounds like the threats were to one of the product engineers, not the guy who reviewed it.
I feel bad for everyone involved, but mostly all of mainland China.
The AuYou representative insisted she would be fired if the review was not updated
Sadly, that is probably true, and some poor engineer will lose their job, but that engineer probably was under severe pressure to get the thing out the door with absolutely minimal development time in the first place. She probably knew it wasn't great, but had no real choice due to pressure from above.
Maybe in the end it comes down to the fact that the market does not reward security, it rewards low price. Proper security costs money. The online marketplaces are brutal.
Update your review with the responses from the company. Be fully transparent to future customers who might be misled by the company's products. Don't feel bad if someone loses their job because they weren't doing it properly to begin with. I would go so far as to tell the company that if they keep pushing it I would start investigating the security of their other products and possibly educate them about the Streisand Effect with other companies who have tried to do the same thing.
Ghost in the Shell.
Turning off ALL THE THINGS remotely seems fine when a hawt cyborg is doing it to stop evildoers.
The problem with IoT is that shit programmers and shit companies are going to ensure that everybody is a hawt cyborg.
The idiocy surrounding IoT is mind boggling at nearly all levels in the chain. Ease of use and security are almost always at odds with each other, and the former typically wins at the expense of the latter. Secure device enrollment, VLANs, air gapping...who needs this crap when you can download an app, put the device on your home network with a button press on the router, and go?
In this case, we have a bunch of designers without a real background in and/or regard for infosec putting out products that use the "security by obscurity" model and get called out on it. To top it off, it is also the model of personally identifiable information being shipped overseas for who knows how many violations of privacy, and subject to violations of rights by governmental entities monitoring the same information. That this is now common with so many Chinese-made products (especially web cams!) is particularly galling. Even better, the "threats" against this man would normally result in automatic termination of the threatening employee in most Western countries. I suspect this company is like the uncountable numbers of cockroaches on Alibaba, Ebay and Amazon hawking their trash - they'll sell it until they can't, then they'll re-form under a different name and do it again, and think that they're right until they get called out like these idiots did.
Last year a recruiter presented me for a job at a lighting company in Eastern Pennsylvania for their IoT product efforts with my background in security and cryptography as well as electronics. They passed on me because I didn't have enough of a lighting background (which is a hell of a lot easier to pick up than security). When I countered to the recruiter that security was the most important thing for them, he agreed wholeheartedly but said there was nothing he could do to convince them otherwise.
If this is the future of IoT, I want no part of it.
Streisand Effect: Hello there!
Has anyone considered that the representative is merely trying to guilt the reviewer into changing his review? I mean really? They're going to fire this person for something they have zero control over? Not likely...
I don't care if someone in China can flip my light on and off. Some people are excited when that happens.
I'd be more concerned about a device on my network creating a persistent connection to a server in China... who knows what packets it's capturing or what it's relaying to that server - maybe it's giving them a full TCP tunnel back into my network?
I recently posted a similar review on Amazon, although mine was regarding a burglar alarm which connects to a server in China and has no encryption. To their credit, the manufacturer has not challenged the review.
First, it's entirely possible that the management did not realize that the device was not encrypted or that they specified encryption and that the programmer involved provided something very lame like exclusive-OR with a byte. This, however, indicates a failure of due diligence on the part of the management.
Globally, the quality of employees performing embedded-systems programming for consumer products is dismal. This doesn't mean just China, it's also really bad in the U.S. and South Korea in my personal experience. The employees can not be expected to have any concept of proper security. I have seen lame attempts at encryption, stripping the executable as an anti-reverse-engineering strategy (!), and many other things a competent systems programmer would face-palm upon encountering.
Firing the employee as a condition of your not removing the review is deceptive. If the employee actually did something wrong (which we can't tell from here) that is the cause of their firing and it should be independent of whether your review stays up or not.
It's clearly just an attempt to lay guilt upon you for doing the right thing. But the people you should be protecting first are the consumers who could buy this device and rely on it having more security than it actually does. Go on and do the right thing by making this review available wherever people would purchase the device.
Bruce Perens.
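The "looks encrypted but isn't" packet the summary describes and the "exclusive-OR with a byte" Perens mentions, as an added example that is not from the article, the device vendor or any commenter. The AuYou packet format is not on this page, so the command layout, the MAGIC header, the opcodes and the per-device key are constructed placeholders. The first half shows why a single-byte XOR fails a simple known-plaintext check; the second shows what a keyed, counter-bound command that a socket can actually verify looks like.

```python
"""Obfuscation vs. authenticated commands for a Wi-Fi power switch.

Added example. The command layout below is a constructed placeholder,
not the real AuYou protocol (which is not published on this page).
"""
import hashlib
import hmac
import os
import struct

# Constructed layout (assumption): 4-byte fixed header, 1-byte opcode.
MAGIC = b"SWCH"
ON, OFF = 0x01, 0x00
TAG_LEN = 32  # HMAC-SHA256 output length


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """What a 'looks encrypted' packet amounts to: every byte XOR one key byte.
    The same call also 'decrypts', since XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_xor_key(packet: bytes, known_prefix: bytes = MAGIC) -> int:
    """Known-plaintext check a defender can run against a captured packet:
    if every packet starts with the same constant header, one capture gives
    the whole key back with a single XOR. A real cipher does not fail this."""
    return packet[0] ^ known_prefix[0]


def build_authenticated(opcode: int, counter: int, device_key: bytes) -> bytes:
    """The alternative: bind each command to a per-device secret (set up when
    the owner enrolls the device) and a monotonic counter, so a relay server
    or anyone on the path can neither forge nor replay it. This covers
    integrity and replay; hiding the opcode would additionally need AEAD."""
    body = MAGIC + struct.pack(">BI", opcode, counter)
    tag = hmac.new(device_key, body, hashlib.sha256).digest()
    return body + tag


def verify_authenticated(packet: bytes, device_key: bytes, last_counter: int):
    """Socket-side check. Returns (accepted, counter_to_store).
    Rejects wrong length, bad MAC, bad header, or a stale/replayed counter."""
    if len(packet) != len(MAGIC) + 5 + TAG_LEN:
        return False, last_counter
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(device_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, last_counter
    if body[:len(MAGIC)] != MAGIC:
        return False, last_counter
    _opcode, counter = struct.unpack(">BI", body[len(MAGIC):])
    if counter <= last_counter:                   # replayed or reordered command
        return False, last_counter
    return True, counter


if __name__ == "__main__":
    # Constructed demo: the XOR scheme leaks its key from a single packet.
    captured = xor_obfuscate(MAGIC + bytes([ON]), 0x5A)
    print("recovered XOR key: 0x%02x" % recover_xor_key(captured))
    # The keyed scheme: a replayed packet is refused the second time.
    key = os.urandom(32)
    cmd = build_authenticated(ON, 1, key)
    print(verify_authenticated(cmd, key, 0))  # accepted
    print(verify_authenticated(cmd, key, 1))  # replay, refused
```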
And people say that companies would never treat employees unfairly.
It probably isn't true. By which I mean the communications from the seller are a bunch of BS. They are just trying to cajole him into changing the review. Note how the communications moves from coaxing to begging to threats.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
If morons wish to give access to the stuff in their house then let them. I will have fun turning off people's fridges, heaters, air conditioners, lights all turn on at 2am, start your car and just let it sit there running all night...I bet a fire could be started with something pushed too hard....who would want this crap in their house? Even if it had good security, who is so lazy and fascinated with turning on or off some switch with their phone? My stupid phone keeps updating some crap-ware "remote control" but in truth by the time I get my phone out, launch the app and hit the button I could easily just get up and hit the switch. The entire idea of IoT from day one seemed lazy and stupid not to mention your stupid phone is radiating poison 24/7.....is there a remote to turn off the brain cancer your phone is slowly giving you? NOPE.
I only see begging in the summary. Way to go, editors.
Makes it easy to exploit the ignorant, it's sad really.
It works well if you are just selling raw materials and anything above that is a knowledge based thing, but at this high of a level of abstraction from the electron flow (basically that's what is going on here) everyone's taking every shortcut they can because that's a fundamental of ignorance.
I really don't understand why they don't realize how open source + diy solves all of this, I guess it's more fun to be enslaved in a city and rocking on the weekends or something.
Perhaps this was not a mistake, but a "feature" they just never thought anyone would notice.
Years ago, a friend of mine used Radio Shack plug-n-power AKA X10 modules to control things in his house. The nice ones even had a wireless option where you didn't have to plug-in to a wall socket. One day I went over to his house and, rather than knocking on the door, I toggled the lights in his bedroom repeatedly. Security holes are priceless :-)
Why does the packet go to China?
Why does it need to?
And if it isn't encrypted, anyone could spoof the wifi and turn the socket on/off.....
This is where the rubber meets the road - where a personal cipher key-pair for each user/home owner would be a handy thing to integrate into the Things.
Initialized and activated by the OWNER, security set by setting the device using HIS cipher key-pair.
Are people and Thing programmers really that dumb?
I've ordered things (non-electronic) from amazon and always end up getting hassling/whining emails from manufacturers if I've given the items a low rating.
Make a better product and you'll get better ratings. AT LEAST don't put your 'alpha' versions online for sale.
Sounds like the employee needs firing. They're not being blamed for the bad PR so much as for their screw-up. The boss is just throwing the "get it taken down or you're fired!" as a punishment for not doing his job. Damage control is the first step in the response, "stop the heavy bleeding". Which isn't the security, it's the bad PR. So that's his first job. If he succeeds at that, his second job will be to fix the problem.
If he can't kill the bad PR, he's out immediately, someone else will come in to fix the app and try to fix the PR.
Sorry dude, you were party to making a product that claimed to protect my security but did not. I can't sympathize with you. "I didn't do my job, caused you problems, and now I got caught, please help!" no. Maybe next time you'll take your job a little more seriously and not place thousands of customers needlessly at risk.
I work for the Department of Redundancy Department.
"The AuYou representative insisted she would be fired if the review was not updated."
Why would I care, as long as my review was factual and accurate?
It's not my problem that her company is run by pieces of shit that fire people for events outside of her control, or that they're making a shitty product, or for the fact that they got caught doing so.
Seriously, it's too bad but I'm not going to lie just because someone somewhere might get fired. Here's a tip: don't make a shitty product and you won't get shitty reviews.
Just cruising through this digital world at 33 1/3 rpm...
he will quit me
I wish I knew how to quit you.
systemd is Roko's Basilisk.
Bizarrely, if you write "AuYou Wi-Fi Switch" in Han Chinese it's only two little ticks different from "Streisand Effect".
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I had the same thing happen to me when buying cheap things from aliexpress - like a $2 faucet aerator that was supposed to illuminate the water with LEDS based on the water temperature. I didn't really have high expectations of it working but for $2 with free shipping - why not?
So I posted a 1 star review and got a series of 10 begging / demanding messages over the next few weeks asking me to change my review to 5 stars. I just ignored them.
Same thing happened for an ergonomic mouse I bought, which the title of the product said was wireless, although everything else in the description and pictures showed it was wired. I actually wanted a wired mouse, but gave them a bad review for misleading their customers. Rather than fix the problem or take my feedback on board, I got the same sort of sob story about their boss being mad at them, and they offered a partial refund if I changed my review.
In short - don't trust any of the review scores on aliexpress.
I've reviewed several products slamming the quality of a few of them. Every extremely negative, yet 100% truthful review I've posted has been pulled. I guess Amazon doesn't want their customers to know the true low quality of some of the products listed on their site and lets the resellers, who are not even the fucking manufacturers, run the reviews for the products. If it's not positive they try to do everything they can to make you change the review. If that doesn't work, they get their secret army of "reviewers" to get the only truthful (negative) reviews pulled.
I looked at Amazon's product page for this. It looks like all the positive reviews were written by the manufacturer's own trolls. If you look at the exploded photos of the device, they have the capacitors labeled as resistors, and what might be a heat-sinked resistor labeled as a capacitor. One of the reviews says to ignore the security warning when installing the app (which isn't in the Google app store) since it's being side loaded from probably a China website. I myself have done a lot of Amazon reviews, most good, all honest. There was one review that was bad, and it kept getting rejected. I finally got it accepted after carefully rewording it, but within a week I got notice that the review was "redacted". Who the hell redacted it I never found out. It was for a package of live ladybugs that were supposed to be shipped express. It was listed packaged and ready to ship, but sat in a hot warehouse for 3 days, then took another 3 days to arrive 75 miles away; all of them were dead. Didn't even get a refund or response from the seller.
Too many reviews on Amazon are blatant fakes. I've gotten in the habit of looking at a reviewer's other reviews to try to figure out if they're a real person or just reviewing that one product.
A couple of weeks ago I noticed that 13 out of 15 reviews of one product were by people who had reviewed only that one product, and all were 5 star reviews. Kinda obvious, wouldn't you say?
I applaud Garrett's honesty. It's so rare nowadays.
You think the vendor wants to hear the truth? No, they want you to provide free advertising. It's a problem because there's always some idiot who doesn't know how to use the product (even something as simple as a chess set), which no amount of support will fix. Actually that fact is useful: If one can't see those sort of bad reviews on the page, one knows the reviews are being censored.
Why does your boss care? He's probably opened himself up to harassment charges.
That's the consequence of a free market. Why should everyone else compensate for her bad choices? Okay, she didn't choose to release a bad product but she did choose to blame someone else for the consequences of that choice.
Right! I'm sure this is exactly what everybody wants. You are away from home and need to turn on a device in your home so you issue the command via a phone app. And everybody wants these commands being routed through China, right? Betcha China would love to get these gadgets installed in the Pentagon. Anyway the fiasco of incredibly lame security implementations in IoT continues unabated. How long before NSA decides to turn off your IoT connected toothbrush or pacemaker?
These wifi power switches are actually pretty cool and useful, just don't buy this one. I recommend the Orvibo S20. It has better security and can be controlled by an open source python script that runs on Linux. Linux warms up my towel for me in the morning as I wake up :)
The review claims this flaw is minor, it is actually far more serious for the company making the devices.
While one device flicking a light on and off would be annoying to the owner, every device ever made by the manufacturer flicking on and off will bankrupt them pretty quickly. Of course you need to know the MAC addresses. Discovering the MAC for a specific device owned by a single person isn't going to be easy, however MAC addresses are grouped by manufacturer so figuring out all the addresses used by these devices is actually pretty simple.
So yes, lots of jobs are on the line as is the company.
As of now, this Slashdot item has the same erroneous headline that TechCrunch used on the original: "Security Researcher Gets Threats Over Amazon Review"
The only "threat" is to "report Garrett to Amazon" which, in the absence of further information, is not a threat.
Slashdot should change its headline to something less sensational, like: "Amazon Vendor Whines to Security Researcher About His Product Review".
The common thread in all these phone-home vulnerabilities is that they are all going to servers in China.
Nothing really happens there without the government's knowledge, and probable support.
Would our government do any less?
Hell, their backdoor traffic probably doesn't even show up in the logs, lol.
The people talking to the security researcher are probably being threatened by the people who designed the backdoors.
Truth isn't Truth - Giuliani
I cancelled my Amazon account last year. The last straw was a similar incident: I left a bad review because a seller took two weeks to ship an item I needed to repair a computer. The seller cancelled my bad review because it contained "personal data" (it didn't). I wrote to Amazon's customer service, and they agreed I was right, but the solution they gave me was to leave the review again.
The conclusion: Amazon's review system can be fooled very easily by sellers. Thus, seller rating has no meaning and I can not trust any seller.
what kind of monster are you?
"Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
The subject was so misleading. The so called 'threat' is by some poor worker in China, whose boss 'will quit me' (sic), if he doesn't amend his review.
So what should have been a subject something like 'Likely underpaid Chinese developer worries about getting sacked for crappy security in IoT wall switch', is this inflammatory subject.
Full disclosure. I wouldn't have read the post had this not been blatant click bait, and instead been the more moderate subject I suggested.
The IoT is going to make Sky Net look harmless.
"The ferrets, they're every where I tell you!"
I looked into these a couple of years back and I couldn't find a single one which didn't want to dial home to a server, which could be shut down at any time.
I want something with a web interface and I can just remap a port on my router to present that (secure) web interface, then I can control it myself.
Perhaps some kind of secure access would be nice, so you could build a basic server which can control all the power points, monitor usage, set timers etc.
It's 2016 (!!) and most of us still have very little control or monitoring over the power sockets around our homes, it's kind of crazy, considering what technology is capable of.
I want something with a web interface and I can just remap a port on my router to present that (secure) web interface, then I can control it myself.
Here. It, too, wants to phone home for some reason, but blocking the device at the router stops that.
It's 2016 (!!) and most of us still have very little control or monitoring over the power sockets around our homes,
I'd suggest X10, but apparently it is an incredible "security hole" that people can actually control outlets around the house. The specific comment was about wireless X10 and how much fun it is to screw your friend by toggling his lights, but if you're standing on the front step of your friend's house you can plug in your wired X10 controller to an outside outlet and do the same thing with no need for wireless at all.
I have friends who were in Tiananmen Square that day.
Some were tortured; some were not.
Truth isn't Truth - Giuliani
I genuinely don't understand why I can't get a power reading from every single light AND socket in the house
Current utilisation, total utilisation this month / week etc
Ability to turn off and on, timing
Total house usage
I understand it should cost more to do and it's more complicated but again, 2016! It's madness. I'm actually kind of glad I'm not well off enough to afford a house, because it would frustrate me to own my own place or build my own place and not be able to easily do that yet.
Emotional wording, pleading for good reviews, tales of woe and unemployment from bad reviews...I wouldn't believe this for an instant. It's highly probable that no one's job is actually at stake, and this is a con to get the review changed. I've had them beg me to not leave a bad review after never receiving items, broken items, etc; it's pretty common. Don't be swayed, stick to your guns.
Gawwwd, such a dumb-ass on many levels. I hope the bastard does get fired.
Table-ized A.I.
If this employee is truly in danger of losing his/her job over a negative product review, the company is simply using this employee as a scape goat when design flaws usually are the fault of upper management. If this company cared about their product and employees they would fix the security hole instead of trying to sweep it under the rug and throw others under the bus.
Why are you assuming the pleading poster isn't the manufacturing firm's manager or owner trying to sham you into changing the review? They have no shame; they willingly sell poisoned items they know humans will ingest - rem the toxic toothpaste or the ultra lead-filled toys?
Chinese do use these antics. Oh that's a male security researcher, let's send a shemail to seduce him. If it is a woman's voice over a phone, it may be more certain it was a woman seducing, otherwise safe to assume it was shemail - that works out cheaper for Chinese. Btw I hear Mao proposed to send millions of Chinese women to US to improve relations : http://www.theage.com.au/news/...
I genuinely don't understand why I can't get a power reading from every single light AND socket in the house ... I understand it should cost more to do and it's more complicated but again, 2016!
There is nothing magic about 2016. Yes, I understand, "it's a modern world". But it will cost a lot more to do that, and it will require a lot of smarts to configure this all. How do you manage four things plugged into a power strip? Does each thing report its data, does each socket on the strip report, or do you just monitor the socket in the wall and say that's good enough? How do you tell how much that cable set-top-box is using vs. the TV plugged into the same strip? And then you turn on the lamp plugged into the same strip and ...
So, either you have fine-grained monitoring and a headache managing all the connections and data (which nobody is really going to want to do and nobody is going to want to pay for the ability to not bother doing). Or you monitor at the wall socket level with the headache of managing the data about what is plugged into each one. Or you monitor at the circuit level or house level, which is much easier.
I'm actually kind of glad I'm not well off enough to afford a house, because it would frustrate me to own my own place or build my own place and not be able to easily do that yet.
Oh, you can do it if you want to. You can put these or these all over the place and come up with a wireless mesh data collection network using $3 Arduino Nano knock-offs and a $2 wireless module connected to each. They're all plug-in devices, so you can even do it in the apartment you rent, or in the worst case, your parents' basement (kidding.)
And you are three years late, or one year late, with "it's 2016". Here's one from 2013, and one from 2015.
It will cost more and will be complicated, but yes, it's 2016 and it can be done if you want to do it.