Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researcher Gets Threats Over Amazon Review (techcrunch.com)

Posted by msmash on from the topsy-turvy-world dept.

Kate Conger, reporting for TechCrunch:Amazon retailers sometimes go to extreme lengths to guarantee good reviews, as security developer Matthew Garrett recently discovered when he wrote a one-star review of an internet-connected electric socket. When Garrett politely pointed out that the socket in question was woefully insecure, he received emails from the manufacturer claiming that the review would get employees fired and that other reviewers were campaigning to get Garrett's review taken down. The socket in question is the AuYou Wi-Fi Switch, a $30 device that lets you turn the power from a wall outlet on and off using your phone. [...] But like so many Internet of Things devices, the AuYou switch seems to have a serious security flaw. As Garrett explains in his review, if your phone is connected to your home Wi-Fi, it sends the on/off command to the socket directly. But if you're not home, your phone sends the command to a server in China, which then passes the command along to the socket. "The command packets look like they're encrypted, but in reality there's no real cryptography here at all," Garrett explained in his review. [...] "Just now my boss has blamed me, and he said if I do not remove this bad review, he will quit me. Please help me," the representative wrote. "Could you please change your bad review into good?" Garrett responded that he would update the review if the manufacturer fixed the flaw. The AuYou representative insisted she would be fired if the review was not updated.

47 of 153 comments (clear)

  1. Your shitty product kills jobs? by Opportunist · · Score: 5, Insightful

    Then I guess you should have made a better product.

    Killing the messenger won't make your product any less shitty.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Your shitty product kills jobs? by HeadSoft · · Score: 5, Insightful

      Agreed. If her job depends on good reviews and no bad reviews, her days were numbered the day she started work anyway.

    2. Re:Your shitty product kills jobs? by Opportunist · · Score: 4, Insightful

      If your job depends on someone else not fucking up who you have no control over and cannot influence in any way, you're sitting on an ejector seat and someone else holds the trigger. Get out of that chair as soon as you can.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Your shitty product kills jobs? by djsmiley · · Score: 2

      I'm wondering if I captured some of those packets and replayed them over and over, really fast, maybe I could kill someone for real! :O

      --
      - http://www.milkme.co.uk
    4. Re:Your shitty product kills jobs? by Opportunist · · Score: 3

      That will eventually become a very real threat with the IoT. Think of all the various things we have in our home that could be dangerous if they run without supervision.

      As soon as stoves get wifi, we'll get to see quite a few more fires.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Your shitty product kills jobs? by Anonymous Coward · · Score: 3, Insightful

      Much more likely her job depends on her ability to manipulate reviewers into taking down bad reviews. She might not even actually be a she, just posing as a woman because women get more sympathy.

      The correct response to her is, "Tough shit, princess!"

    6. Re:Your shitty product kills jobs? by __aaclcg7560 · · Score: 2

      Get out of that chair as soon as you can.

      Or reach over and press the trigger yourself. When a boss gave me "his way or the highway" motivational speech, I left the company. Wasn't long before a dozen senior coworkers headed for the exit after me. The boss road the company all the way into bankruptcy and got fired after the reorganization.

    7. Re:Your shitty product kills jobs? by ShanghaiBill · · Score: 5, Informative

      The correct response to her is, "Tough shit, princess!"

      Even better would be to append your review to say that they contacted you and tried to intimidate you into changing the review. That is relevant information, and future buyers should be aware of what they are doing.

    8. Re:Your shitty product kills jobs? by Hognoxious · · Score: 2

      Fuck, this ain't the half of it. This one got found, how many do you think didn't?

      Compared to this, icebergs hover over the ocean with it all out on show.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    9. Re:Your shitty product kills jobs? by theskipper · · Score: 5, Informative

      Yeah and not limited to insecure transmissions to foreign servers, embedded stock passwords and keys too. If you check out his other reviews, he actually outs them on another product. For example:

      Morjava®MJ-SmallK Intelligent Smart Wifi Plug Socket Wireless Switch Timer Wifi Socket Wifi Smart US Plug for iPhone iPad Android Smartphone APP
      https://www.amazon.com/dp/B01F...

      "The ugly:

      Oh this is all pretty terrible. To start: the security on this device is a joke. The communication between the app and the device is encrypted with AES, but the encryption key is the same for all devices and is contained within the app - it's "fdsl;mewrjope456fds4fbvfnjwaugfo". This means that it's easy to decrypt any traffic you can see other people send, and also easy to encrypt your own commands. This isn't too much of a problem on your local network (the majority of smart devices will allow anybody on your wifi to control them), but it's awful when it comes to the cloud interface. By default, anyone in the world can send a command to the plug and it'll just perform it. That means anyone can just turn your plugs on and off, and also set the timer. You can avoid the worst of this by setting a password in the app, but there's no sort of rate limiting on the queries so if someone has identified your plug it won't take too long for them to crack your password.

      But wait! There's more!

      It runs ssh by default and has a default root password (" p9z34c"), so anyone on your network can log into it and run whatever they want on it. Anyone who can see your network traffic can decrypt the commands and extract the password, so don't use the app on any untrusted networks. It downloads app updates and plug firmware updates over http and doesn't do signature validation, so anyone can man in the middle you and get you to flash backdoored firmware onto your plug."

      Needless to say, a big thank you to Mr. Garrett for exposing these issues. This is the kind of thing I might buy on a whim and certainly don't have time to figure out what level of security these things are operating at. He's performing a much needed public service.

    10. Re:Your shitty product kills jobs? by anarcobra · · Score: 3, Interesting

      If I have to jump through hoops and block traffic from this device just so it's not a security risk, it's not reliable or secure.
      If this device were free I wouldn't complain so much, but in this case you are paying for it.

    11. Re:Your shitty product kills jobs? by Anonymous Coward · · Score: 3, Informative

      Not to mention that company is violating the GPL. The next paragraph from his review lays it out:

      It's also running Linux and various other pieces of GPLed software. The GPL is a software license that requires that you either include the source code to the GPLed components when you sell a device, or include an offer to provide the source code on request. This does neither, which is a violation of the license. Unless you meet the requirements of the license, you're breaching copyright. So this device breaches international copyright law. The manufacturer told me that they were unable to provide the source code.

    12. Re:Your shitty product kills jobs? by Obfuscant · · Score: 2, Informative

      If I have to jump through hoops and block traffic from this device just so it's not a security risk, it's not reliable or secure.

      Reliability is a different issue than security. And it's not a big hoop. It's a hoop that you should be jumping through whenever you add a device that you don't want talking to the outside world to your net. You have no reason to believe that any device you use isn't trying to talk to someone somewhere these days and especially if the device is advertised as "IoT" and controllable from a mobile device from anywhere in the world. It shouldn't take a bad review on Amazon to tell you this. If you do the blocking automatically, it won't matter if the device tries to phone home or not, you'll be covered.

      If this device were free I wouldn't complain so much, but in this case you are paying for it.

      Yeah, you usually have to pay for physical hardware. You don't have to pay for the network connection to China, though. You can block that for free.

      As for Opportunist, who writes:

      So a product being crap doesn't really matter that much if you can easily take care of it?

      Being insecure in the manner this one is doesn't mean the product is crap. It means there is a security issue that can be trivially solved.

      So glad you agree that VW shouldn't be required to pay that ridiculous fine.

      So glad you're happy putting words in my mouth and trying to compare apples to oranges.

    13. Re:Your shitty product kills jobs? by MrKaos · · Score: 2

      Pulling the "heartstrings" with security researchers is usually a pretty bad move.

      We have none. What you mistake for them is the strings that makes us drop the shit on you.

      Another way to look at it is you are protecting the people who would be subject to the consequences of their incompetence. Most of the people buying those products or services don't have the technical knowledge to make an informed evaluation and simply 'trust' the vendor is doing the right thing.

      Well it is proper that a security researcher does not have that trust because their duty is to the people who do have that trust so that they don't get hurt or ripped off as a result of those with just enough knowledge to be making dangerous or stupid products. Will you not get blamed for not pointing out the issue or missing it if it was your company making that product?

      Stupidity, nonfeasance, malfeasance and negligence have caused a lot of harm in the community and though my days in that role have long past, I have little tolerance for it as we see ordinary people suffering the consequences of it every day. Dropping the shit means you may have stopped someone suffering those consequences.

      Having witnessed the devastating consequences on some people lives first hand I wouldn't frame it as not having heartstrings, just that your loyalties are in the right place and you are doing your job properly.

      --
      My ism, it's full of beliefs.
    14. Re:Your shitty product kills jobs? by Impy+the+Impiuos+Imp · · Score: 2

      The boss road the company all the way into bankruptcy

      Rode. If you think "road" is the right word, ask yourself - "would putting "highway" in instead work?" If the answer is "no", then "road" is the wrong spelling.

      "The boss Hershey-highwayed the company all the way into bankruptcy" works, though.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  2. Another review by orlanz · · Score: 4, Funny

    Now you write another review about how horribly the company treats its employees.

    1. Re:Another review by nitehawk214 · · Score: 4, Insightful

      Or how it's employees lie about losing their jobs over bad reviews in order to get sympathy.

      Either are likely with a shady organization like this.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  3. The days of Chinese crap inundations by vikingpower · · Score: 3, Insightful

    are not over, yet. By far.

    --
    Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    1. Re:The days of Chinese crap inundations by Opportunist · · Score: 2

      That's only the start.

      The IoT hasn't even taken off yet, and I can already tell you that it is going to be ugly. It will be a data harvesting hog, and security and data protection will never be a core element of it until legislators get hit hard by it, and then we'll get laws that make the ones we have concerning the internet look sane in comparison.

      This is going to get very ugly very fast.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. market rewards price, not security. by Anonymous Coward · · Score: 4, Insightful

    The AuYou representative insisted she would be fired if the review was not updated

    Sadly, that is probably true, and some poor engineer will lose their job, but that engineer probably was under severe pressure to get the thing out the door with absolutely minimal development time in the first place. She probably knew it wasn't great, but had no real choice due to pressure from above.

    Maybe in the end it comes down to the fact that the market does not reward security, it rewards low price. Proper security costs money. The online marketplaces are brutal.

    1. Re:market rewards price, not security. by DarkOx · · Score: 2

      See this is problem with free trade right here though. If this thing was manufactured in the states, then the company could probably be held to account one way or another for repairing or replacing faulty products. Sure they might decided to get rid of the engineer who designed this thing, but ultimately they would have some incentive to fix their internal process and try and do some QA.

      Being its a no-name Chinese made product the company will likely just rename itself and be quite beyond the reach of the people it sold faulty products to, at least out of reach of any reasonably effort to hold them to account. So there are really no consequences for bad behavior. Shove a bunch a crap out the door than disappear, its how these guys operate.

      Now am all for buyer beware - laissez faire - but its not fair to engineers, and workers in the developed westernized world to have to compete against this sorta crap. The typical consumer does not know IoT electrical socket might have an appreciably different quality level depending on from whom they buy a few.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  5. Update the review with AuYou responses by jishak · · Score: 5, Insightful

    Update your review with the responses from the company. Be fully transparent to future customers whoe might be mislead by the company's products. Don't feel bad if someone loses their job because they weren't doing it properly to begin with. I would go so far as to tell the company that if they keep pushing it I would start investigating the security of their other products and possibly educate them about the Streisand Effect with other companies who have tried to do the same thing.

    1. Re:Update the review with AuYou responses by Opportunist · · Score: 3, Insightful

      The sad part is that this will not cost the head of the culprit but of the scapegoat. What most likely happened was that some beancounter decided that this piece of crap has to hit the market damn right now because being first trumps being good, every engineer and their dog knew that the product isn't ready for prime time by any stretch, management decided to release it anyway and the engineers will now get to take the heat for the crappy product because, well, weren't they the ones who made it?

      Who should get fired are management and finances, but they will fire the ones who were actually doing the work.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Update the review with AuYou responses by geekmux · · Score: 2

      The sad part is that this will not cost the head of the culprit but of the scapegoat. What most likely happened was that some beancounter decided that this piece of crap has to hit the market damn right now because being first trumps being good, every engineer and their dog knew that the product isn't ready for prime time by any stretch, management decided to release it anyway and the engineers will now get to take the heat for the crappy product because, well, weren't they the ones who made it?

      Who should get fired are management and finances, but they will fire the ones who were actually doing the work.

      This, I do agree is woefully sad, but none of it excuses a shitty product. Expose an ,i>entire product line, and even those at the top will be affected.

      Common sense needs to push back against shitty time-to-market decisions, especially when it comes to IoT, which can and will affect human lives, not merely jobs.

    3. Re:Update the review with AuYou responses by The-Ixian · · Score: 2, Insightful

      I don't believe you are correct.

      People buy insecure crap all the time. Security is not a priority until they are burned by it.

      The thing is, the average user probably isn't going to even know that they have been burned by an insecure IoT device. Even if they realize that they have been hacked, they will never put 2 and 2 together. As in, they will never figure out that the vector into their network was the "smart" light bulb they connected to their wifi last year...

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:Update the review with AuYou responses by Opportunist · · Score: 3, Insightful

      How long have you been on the planet to still believe that bullshit?

      People don't give a shit about security. Facebook pretty much shits on your privacy and flaunts it in your face, and people still use it. Flash is an insecure piece of rubbish that has a multi-year track record where every month at the very least one critical remote code execution flaw is found and still it's being used widely.

      You can produce the most insecure, most horrible piece of crap, as long as it's cheap and easy to use, you will find people who don't know better who will buy and use it. And when the shit hits the fan they will accept it as if it was a law of nature that "this cannot be made secure".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Re:Cry me a fucking river by Anonymous Coward · · Score: 5, Funny

    Other than that, 5 stars. Will buy again.

  7. Internet of Temerity by StandardCell · · Score: 5, Interesting

    The idiocy surrounding IoT is mind boggling at nearly all levels in the chain. Ease of use and security are almost always at odds with each other, and the former typically wins at the expense of the latter. Secure device enrollment, VLANs, air gapping...who needs this crap when you can download an app, put the device on your home network with a button press on the router, and go?

    In this case, we have a bunch of designers without a real background in and/or regard for infosec putting out products that use the "security by obscurity" model and get called out on it. To top it off, it is also the model of personally identifiable information being shipped overseas for who knows how many violations of privacy, and subject to violations of rights by governmental entities monitoring the same information. That this is now common with so many Chinese-made products (especially web cams!) is particularly galling. Even better, the "threats" against this man would normally result in automatic termination of the threatening employee in most Western countries. I suspect this company is like the uncountable numbers of cockroaches on Alibaba, Ebay and Amazon hocking their trash - they'll sell it until they can't, then they'll re-form under a different name and do it again, and think that they're right until they get called out like these idiots did.

    Last year a recruiter presented me for a job at a lighting company in Eastern Pennsylvania for their IoT product efforts with my background in security and cryptography as well as electronics. They passed on me because I didn't have enough of lighting background (which is a hell of a lot easier to pick up than security). When I countered to the recruiter that security was the most important thing for them, he agreed wholeheartedly but said there was nothing he could do to convince them otherwise.

    If this is the future of IoT, I want no part of it.

    1. Re:Internet of Temerity by MobyDisk · · Score: 2

      Actually, it sounds like you should start an IoT company. In a few years, everyone will wake-up and realize that the wave of cyber-attacks on poorly-defined IoT devices has to stop. And a company with products that are already secure will have a serious leg-up on the competition.

  8. Will anyone learn? by Dega704 · · Score: 2

    Streisand Effect: Hello there!

  9. Re:Cry me a fucking river by HornWumpus · · Score: 5, Funny

    You should post that as an Amazon review of the product.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  10. I'd be worried about my network security by hawguy · · Score: 2

    I don't care if someone in China can flip my light on and off. Some people are excited excited when that happens.

    I'd be more concerned about a device on my network creating a persistent connection to a server in China... who knows what packets it's capturing or what it's relaying to that server - maybe it's giving them a full TCP tunnel back into my network?

  11. Dealing with threats and deception by Bruce+Perens · · Score: 5, Insightful

    I recently posted a similar review on Amazon, although mine was regarding a burglar alarm which connects to a server in China and has no encryption. To their credit, the manufacturer has not challenged the review.

    First, it's entirely possible that the management did not realize that the device was not encrypted or that they specified encryption and that the programmer involved provided something very lame like exclusive-OR with a byte. This, however, indicates a failure of due diligence on the part of the management.

    Globally, the quality of employees performing embedded-systems programming for consumer products is dismal. This doesn't mean just China, it's also really bad in the U.S. and South Korea in my personal experience. The employees can not be expected to have any concept of proper security. I have seen lame attempts at encryption, stripping the executable as an anti-reverse-engineering strategy (!), and many other things a competent systems programmer would face-palm upon encountering.

    Firing the employee as a condition of your not removing the review is deceptive. If the employee actually did something wrong (which we can't tell from here) that is the cause of their firing and it should be independent of whether your review stays up or not.

    It's clearly just an attempt to lay guilt upon you for doing the right thing. But the people you should be protecting first are the consumers who could buy this device and rely on it having more security than it actually does. Go on and do the right thing by making this review available wherever people would purchase the device.

    --
    Bruce Perens.
    1. Re: Dealing with threats and deception by Bruce+Perens · · Score: 2

      Point taken. I really would have preferred a software update implementing TLS. And with proper per-device keys.

      --
      Bruce Perens.
    2. Re:Dealing with threats and deception by Solandri · · Score: 2

      I recently posted a similar review on Amazon, although mine was regarding a burglar alarm which connects to a server in China and has no encryption. To their credit, the manufacturer has not challenged the review.

      You do not get credit for not doing the wrong thing. You get credit for doing this right thing. In your case, that would be addressing the flaws you uncovered, or at the very least thank you for uncovering them.

    3. Re:Dealing with threats and deception by eth1 · · Score: 2

      Globally, the quality of employees performing embedded-systems programming for consumer products is dismal.

      It's kind of scary, really. My dad spent decades as an electrical engineer designing ASICs. He lamented that almost the entire last 10 years of his career, he spent following the new generation of EEs around fixing all of their stupid mistakes. And this was for "important" stuff; stuff that he was never able to provide any more detail to me about than "I'm designing a DSP chip" because of classifications; stuff that if my speculation is correct, might get our soldiers killed if it goes awry.

      I'm sure some of that is just the natural order of senior people backing up the less experienced, but he was getting to the point that he wondered what would happen to his projects after he retired - all they hired was fresh college grads.

  12. Re:Yep. by nitehawk214 · · Score: 2, Funny

    Wait, shitty IoT security is going to let me become a hawt cyborg?

    In light of this, I may reconsider my position on IoT.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  13. So, did this guy actually receive threats? by bistromath007 · · Score: 5, Informative

    I only see begging in the summary. Way to go, editors.

    1. Re:So, did this guy actually receive threats? by Obfuscant · · Score: 2
      It's in the headline from Techcrunch, too, and I see no threats towards the author of any kind. Begging, yes. Attempts to guilt him into changing the review, yes. But no threats. It is the fault of the slashdot editors for passing along fearmongering, but not inventing it this time.

      And if you read the Techcrunch article, you'll see what the brouhaha is about, and some pretty amazing statements by the product reviewer. He claims that all you need to know is the MAC address. "If anybody knows the MAC address of one of your sockets, they can control it from anywhere in the world." I'm guessing that the "access code" to control the device through the Chinese server is just the MAC address of the device, since the MAC address would never normally appear outside your gateway.

      Then he says this: "and a normal home router configuration won't block this. You need to explicitly firewall off the server (it's 115.28.45.50) in order to protect yourself." No, actually, it is as simple as blocking the DEVICE, whose address you know, from the WAN, and every home router I've ever used has that capability. Probably for just such situations.

      "and if you do this then you'll also entirely lose the ability to control the device from outside your home," If you can control it from your device while it's on your WiFi inside the gateway, then you can use a VPN from outside into your network and control it just like you were at home, if you even need to go that far. "Entirely" is hyperbole.

      I've come across internet power switches like this* before, and all it took to stop the carnage and destruction of the known universe is to ... block the device at the router. Did I "entirely lose the ability to control" them? Of course not. I put a port forwarding inbound rule in my router so that a port I know on the WAN forwards the control commands to the device, and I can control it from anywhere in the world. The control uses basic HTTP auth so bad guys can't just figure out that port X at address Y is an internet switch and turn it on and off. It just doesn't have the ability to create outbound connections to China anymore. This is such basic stuff that I can't imagine the author of the review didn't know this.

      * 3gstore says that the connection was intended to allow remote control through some google interface, but it wasn't implemented. It doesn't matter, the device doesn't talk to China anyway. A much worse problem was that the NTP server addresses were not configurable so I could not tell the device to use the local stratum 1 server -- until I put the names of the hardwired NTP servers into the hosts table for the DNS server on that network and pointed them to it. Oila, another seemingly unsolvable problem resolved.

  14. Perhaps it was intentional? by MobyDisk · · Score: 2

    Perhaps, this was not a mistake, but a "feature" they just never thought anyone would notice.

    Years ago, a friend of mine used Radio Shack plug-n-power AKA X10 modules to control things in his house. The nice ones even had a wireless option where you didn't have to plug-in to a wall socket. One day I went over to his house and, rather than knocking on the door, I toggled the lights in his bedroom repeatedly. Security holes are priceless :-)

  15. He'll quit me! by wonkey_monkey · · Score: 4, Funny

    he will quit me

    I wish I knew how to quit you.

    --
    systemd is Roko's Basilisk.
  16. Fucking true, read it on the EU website by Hognoxious · · Score: 2

    Bizarrely, if you write "AuYou Wi-Fi Switch" in Han Chinese it's only two little ticks different from "Streisand Effect".

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  17. Re:Yep. by Qzukk · · Score: 4, Informative

    The original Catcher in the Rye quote was about being so uninteresting/difficult to interact with that nobody would ever bother you.

    Laughing Man's trick was managing to achieve that while still participating in human society.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  18. At least Garrett's review was real by reboot246 · · Score: 3, Interesting

    Too many reviews on Amazon are blatant fakes. I've gotten in the habit of looking at a reviewer's other reviews to try to figure out if they're a real person or just reviewing that one product.

    A couple of weeks ago I noticed that 13 out of 15 reviews of one product were by people who had reviewed only that one product, and all were 5 star reviews. Kinda obvious, wouldn't you say?

    I applaud Garrett's honesty. It's so rare nowadays.

  19. The real truth is probably worse than we think. by Grog6 · · Score: 3, Insightful

    The common thread for all these phone home vulnerabilities are all going to servers in China.

    Nothing really happens there without the government's knowledge, and probable support.

    Would our government do any less?
    Hell, Their backdoor traffic probably doesn't even show up in the logs, lol.

    The people talking to the security researcher are probably being threatened by the people who designed the backdoors.

    --
    Truth isn't Truth - Guliani
    1. Re:The real truth is probably worse than we think. by St.Creed · · Score: 3, Insightful

      The common thread for all these phone home vulnerabilities are all going to servers in China.

      Nothing really happens there without the government's knowledge, and probable support.

      There is a nice Chinese saying (Tian gao, Huangdi yuan) that basically says "Heaven is high and the emperor is far away". It's still very much in vogue. It means most Chinese know that as long as they don't draw attention, they can do a lot of things you might get arrested for - but won't. Demonstrating on Tianmen square is a good way to get that attention, but just being one of a gazillion small electric shops isn't.

      Never attribute to malice what can be adequately explained by incompetence.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  20. Your post makes me think I'm right. by Grog6 · · Score: 2

    I have friends who were in Tienanmen Square that day.

    Some were tortured; some were not.

    --
    Truth isn't Truth - Guliani