Slashdot Mirror


Security Researcher Gets Threats Over Amazon Review (techcrunch.com)

Kate Conger, reporting for TechCrunch: Amazon retailers sometimes go to extreme lengths to guarantee good reviews, as security developer Matthew Garrett recently discovered when he wrote a one-star review of an internet-connected electric socket. When Garrett politely pointed out that the socket in question was woefully insecure, he received emails from the manufacturer claiming that the review would get employees fired and that other reviewers were campaigning to get Garrett's review taken down. The socket in question is the AuYou Wi-Fi Switch, a $30 device that lets you turn the power from a wall outlet on and off using your phone. [...] But like so many Internet of Things devices, the AuYou switch seems to have a serious security flaw. As Garrett explains in his review, if your phone is connected to your home Wi-Fi, it sends the on/off command to the socket directly. But if you're not home, your phone sends the command to a server in China, which then passes the command along to the socket. "The command packets look like they're encrypted, but in reality there's no real cryptography here at all," Garrett explained in his review. [...] "Just now my boss has blamed me, and he said if I do not remove this bad review, he will quit me. Please help me," the representative wrote. "Could you please change your bad review into good?" Garrett responded that he would update the review if the manufacturer fixed the flaw. The AuYou representative insisted she would be fired if the review was not updated.

15 of 153 comments

  1. Your shitty product kills jobs? by Opportunist · · Score: 5, Insightful

    Then I guess you should have made a better product.

    Killing the messenger won't make your product any less shitty.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Your shitty product kills jobs? by HeadSoft · · Score: 5, Insightful

      Agreed. If her job depends on good reviews and no bad reviews, her days were numbered the day she started work anyway.

    2. Re:Your shitty product kills jobs? by Opportunist · · Score: 4, Insightful

      If your job depends on someone else not fucking up who you have no control over and cannot influence in any way, you're sitting on an ejector seat and someone else holds the trigger. Get out of that chair as soon as you can.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Your shitty product kills jobs? by Anonymous Coward · · Score: 3, Insightful

      Much more likely her job depends on her ability to manipulate reviewers into taking down bad reviews. She might not even actually be a she, just posing as a woman because women get more sympathy.

      The correct response to her is, "Tough shit, princess!"

    4. Re:Your shitty product kills jobs? by Opportunist · · Score: 1, Insightful

      So a product being crap doesn't really matter that much if you can easily take care of it?

      So glad you agree that VW shouldn't be required to pay that ridiculous fine.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. The days of Chinese crap inundations by vikingpower · · Score: 3, Insightful

    are not over, yet. By far.

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  3. market rewards price, not security. by Anonymous Coward · · Score: 4, Insightful

    The AuYou representative insisted she would be fired if the review was not updated

    Sadly, that is probably true, and some poor engineer will lose their job, but that engineer probably was under severe pressure to get the thing out the door with absolutely minimal development time in the first place. She probably knew it wasn't great, but had no real choice due to pressure from above.

    Maybe in the end it comes down to the fact that the market does not reward security, it rewards low price. Proper security costs money. The online marketplaces are brutal.

  4. Update the review with AuYou responses by jishak · · Score: 5, Insightful

    Update your review with the responses from the company. Be fully transparent to future customers who might be misled by the company's products. Don't feel bad if someone loses their job because they weren't doing it properly to begin with. I would go so far as to tell the company that if they keep pushing it I would start investigating the security of their other products and possibly educate them about the Streisand Effect with other companies who have tried to do the same thing.

    1. Re:Update the review with AuYou responses by Opportunist · · Score: 3, Insightful

      The sad part is that this will not cost the head of the culprit but of the scapegoat. What most likely happened was that some beancounter decided that this piece of crap has to hit the market damn right now because being first trumps being good, every engineer and their dog knew that the product isn't ready for prime time by any stretch, management decided to release it anyway and the engineers will now get to take the heat for the crappy product because, well, weren't they the ones who made it?

      Who should get fired are management and finances, but they will fire the ones who were actually doing the work.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Update the review with AuYou responses by The-Ixian · · Score: 2, Insightful

      I don't believe you are correct.

      People buy insecure crap all the time. Security is not a priority until they are burned by it.

      The thing is, the average user probably isn't going to even know that they have been burned by an insecure IoT device. Even if they realize that they have been hacked, they will never put 2 and 2 together. As in, they will never figure out that the vector into their network was the "smart" light bulb they connected to their wifi last year...

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:Update the review with AuYou responses by Opportunist · · Score: 3, Insightful

      How long have you been on the planet to still believe that bullshit?

      People don't give a shit about security. Facebook pretty much shits on your privacy and flaunts it in your face, and people still use it. Flash is an insecure piece of rubbish that has a multi-year track record where every month at the very least one critical remote code execution flaw is found and still it's being used widely.

      You can produce the most insecure, most horrible piece of crap, as long as it's cheap and easy to use, you will find people who don't know better who will buy and use it. And when the shit hits the fan they will accept it as if it was a law of nature that "this cannot be made secure".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Dealing with threats and deception by Bruce+Perens · · Score: 5, Insightful

    I recently posted a similar review on Amazon, although mine was regarding a burglar alarm which connects to a server in China and has no encryption. To their credit, the manufacturer has not challenged the review.

    First, it's entirely possible that the management did not realize that the device was not encrypted or that they specified encryption and that the programmer involved provided something very lame like exclusive-OR with a byte. This, however, indicates a failure of due diligence on the part of the management.

    Globally, the quality of employees performing embedded-systems programming for consumer products is dismal. This doesn't mean just China, it's also really bad in the U.S. and South Korea in my personal experience. The employees cannot be expected to have any concept of proper security. I have seen lame attempts at encryption, stripping the executable as an anti-reverse-engineering strategy (!), and many other things a competent systems programmer would face-palm upon encountering.

    Firing the employee as a condition of your not removing the review is deceptive. If the employee actually did something wrong (which we can't tell from here) that is the cause of their firing and it should be independent of whether your review stays up or not.

    It's clearly just an attempt to lay guilt upon you for doing the right thing. But the people you should be protecting first are the consumers who could buy this device and rely on it having more security than it actually does. Go on and do the right thing by making this review available wherever people would purchase the device.
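The "exclusive-OR with a byte" that Bruce Perens mentions, and Garrett's point that the packets only look encrypted, can be made concrete. The following is an added example, not code from the thread, from Garrett's review or from AuYou: it shows the reviewer's check that a constant-byte XOR leaves every statistical property of the plaintext intact, and beside it an assumed authenticated-command design (fresh nonce, monotonic counter, HMAC-SHA256 tag under a per-device key) that a socket whose on/off command is not secret would actually need. The JSON commands and the key are constructed.

```python
import hashlib
import hmac
import math
import os
import struct
from collections import Counter

# Constructed sample commands a phone app might send to a Wi-Fi socket.
CMD_ON = b'{"cmd":"on","id":1}'
CMD_OFF = b'{"cmd":"off","id":1}'

def xor_byte(data: bytes, key: int) -> bytes:
    """The 'lame' scheme: every byte XORed with one constant key byte."""
    return bytes(b ^ key for b in data)

def entropy_bits_per_byte(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def xor_is_transparent(plain: bytes, key: int) -> bool:
    """Reviewer's check. XOR with a constant is a bijection on byte values,
    so the wire bytes keep exactly the plaintext's entropy, and sending the
    same command twice yields identical wire bytes (no nonce, no IV).
    A capture with both properties is obfuscated, not encrypted."""
    wire_a, wire_b = xor_byte(plain, key), xor_byte(plain, key)
    same_entropy = abs(entropy_bits_per_byte(wire_a)
                       - entropy_bits_per_byte(plain)) < 1e-9
    return same_entropy and wire_a == wire_b

# Assumed hardened design (not AuYou's): on/off is not secret, but a command
# must be unforgeable and non-replayable. Message layout:
#   nonce(8) || counter(8, big-endian) || cmd || HMAC-SHA256(key, everything before)
TAG_LEN = 32

def seal(key: bytes, counter: int, cmd: bytes) -> bytes:
    body = os.urandom(8) + struct.pack(">Q", counter) + cmd
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_msg(key: bytes, last_counter: int, msg: bytes):
    """Return (counter, cmd), or None on a bad tag or a non-increasing counter."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(body) < 16 or not hmac.compare_digest(tag, expected):
        return None  # forged or corrupted
    counter = struct.unpack(">Q", body[8:16])[0]
    if counter <= last_counter:
        return None  # replayed or stale
    return counter, body[16:]
```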

  6. Re:Another review by nitehawk214 · · Score: 4, Insightful

    Or how its employees lie about losing their jobs over bad reviews in order to get sympathy.

    Either are likely with a shady organization like this.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  7. The real truth is probably worse than we think. by Grog6 · · Score: 3, Insightful

    The common thread for all these phone home vulnerabilities are all going to servers in China.

    Nothing really happens there without the government's knowledge, and probable support.

    Would our government do any less?
    Hell, their backdoor traffic probably doesn't even show up in the logs, lol.

    The people talking to the security researcher are probably being threatened by the people who designed the backdoors.

    --
    Truth isn't Truth - Giuliani
    1. Re:The real truth is probably worse than we think. by St.Creed · · Score: 3, Insightful

      The common thread for all these phone home vulnerabilities are all going to servers in China.

      Nothing really happens there without the government's knowledge, and probable support.

      There is a nice Chinese saying (Tian gao, Huangdi yuan) that basically says "Heaven is high and the emperor is far away". It's still very much in vogue. It means most Chinese know that as long as they don't draw attention, they can do a lot of things you might get arrested for - but won't. Demonstrating on Tiananmen Square is a good way to get that attention, but just being one of a gazillion small electric shops isn't.

      Never attribute to malice what can be adequately explained by incompetence.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)