Slashdot Mirror
Security Researcher Gets Threats Over Amazon Review (techcrunch.com)
Kate Conger, reporting for TechCrunch:Amazon retailers sometimes go to extreme lengths to guarantee good reviews, as security developer Matthew Garrett recently discovered when he wrote a one-star review of an internet-connected electric socket. When Garrett politely pointed out that the socket in question was woefully insecure, he received emails from the manufacturer claiming that the review would get employees fired and that other reviewers were campaigning to get Garrett's review taken down. The socket in question is the AuYou Wi-Fi Switch, a $30 device that lets you turn the power from a wall outlet on and off using your phone. [...] But like so many Internet of Things devices, the AuYou switch seems to have a serious security flaw. As Garrett explains in his review, if your phone is connected to your home Wi-Fi, it sends the on/off command to the socket directly. But if you're not home, your phone sends the command to a server in China, which then passes the command along to the socket. "The command packets look like they're encrypted, but in reality there's no real cryptography here at all," Garrett explained in his review. [...] "Just now my boss has blamed me, and he said if I do not remove this bad review, he will quit me. Please help me," the representative wrote. "Could you please change your bad review into good?" Garrett responded that he would update the review if the manufacturer fixed the flaw. The AuYou representative insisted she would be fired if the review was not updated.
Then I guess you should have made a better product.
Killing the messenger won't make your product any less shitty.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Now you write another review about how horribly the company treats its employees.
are not over, yet. By far.
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
The AuYou representative insisted she would be fired if the review was not updated
Sadly, that is probably true, and some poor engineer will lose their job, but that engineer probably was under severe pressure to get the thing out the door with absolutely minimal development time in the first place. She probably knew it wasn't great, but had no real choice due to pressure from above.
Maybe in the end it comes down to the fact that the market does not reward security, it rewards low price. Proper security costs money. The online marketplaces are brutal.
Update your review with the responses from the company. Be fully transparent to future customers whoe might be mislead by the company's products. Don't feel bad if someone loses their job because they weren't doing it properly to begin with. I would go so far as to tell the company that if they keep pushing it I would start investigating the security of their other products and possibly educate them about the Streisand Effect with other companies who have tried to do the same thing.
Other than that, 5 stars. Will buy again.
The idiocy surrounding IoT is mind boggling at nearly all levels in the chain. Ease of use and security are almost always at odds with each other, and the former typically wins at the expense of the latter. Secure device enrollment, VLANs, air gapping...who needs this crap when you can download an app, put the device on your home network with a button press on the router, and go?
In this case, we have a bunch of designers without a real background in and/or regard for infosec putting out products that use the "security by obscurity" model and get called out on it. To top it off, it is also the model of personally identifiable information being shipped overseas for who knows how many violations of privacy, and subject to violations of rights by governmental entities monitoring the same information. That this is now common with so many Chinese-made products (especially web cams!) is particularly galling. Even better, the "threats" against this man would normally result in automatic termination of the threatening employee in most Western countries. I suspect this company is like the uncountable numbers of cockroaches on Alibaba, Ebay and Amazon hocking their trash - they'll sell it until they can't, then they'll re-form under a different name and do it again, and think that they're right until they get called out like these idiots did.
Last year a recruiter presented me for a job at a lighting company in Eastern Pennsylvania for their IoT product efforts with my background in security and cryptography as well as electronics. They passed on me because I didn't have enough of lighting background (which is a hell of a lot easier to pick up than security). When I countered to the recruiter that security was the most important thing for them, he agreed wholeheartedly but said there was nothing he could do to convince them otherwise.
If this is the future of IoT, I want no part of it.
You should post that as an Amazon review of the product.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
I recently posted a similar review on Amazon, although mine was regarding a burglar alarm which connects to a server in China and has no encryption. To their credit, the manufacturer has not challenged the review.
First, it's entirely possible that the management did not realize that the device was not encrypted or that they specified encryption and that the programmer involved provided something very lame like exclusive-OR with a byte. This, however, indicates a failure of due diligence on the part of the management.
Globally, the quality of employees performing embedded-systems programming for consumer products is dismal. This doesn't mean just China, it's also really bad in the U.S. and South Korea in my personal experience. The employees can not be expected to have any concept of proper security. I have seen lame attempts at encryption, stripping the executable as an anti-reverse-engineering strategy (!), and many other things a competent systems programmer would face-palm upon encountering.
Firing the employee as a condition of your not removing the review is deceptive. If the employee actually did something wrong (which we can't tell from here) that is the cause of their firing and it should be independent of whether your review stays up or not.
It's clearly just an attempt to lay guilt upon you for doing the right thing. But the people you should be protecting first are the consumers who could buy this device and rely on it having more security than it actually does. Go on and do the right thing by making this review available wherever people would purchase the device.
Bruce Perens.
I only see begging in the summary. Way to go, editors.
he will quit me
I wish I knew how to quit you.
systemd is Roko's Basilisk.
The original Catcher in the Rye quote was about being so uninteresting/difficult to interact with that nobody would ever bother you.
Laughing Man's trick was managing to achieve that while still participating in human society.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Too many reviews on Amazon are blatant fakes. I've gotten in the habit of looking at a reviewer's other reviews to try to figure out if they're a real person or just reviewing that one product.
A couple of weeks ago I noticed that 13 out of 15 reviews of one product were by people who had reviewed only that one product, and all were 5 star reviews. Kinda obvious, wouldn't you say?
I applaud Garrett's honesty. It's so rare nowadays.
The common thread for all these phone home vulnerabilities are all going to servers in China.
Nothing really happens there without the government's knowledge, and probable support.
Would our government do any less?
Hell, Their backdoor traffic probably doesn't even show up in the logs, lol.
The people talking to the security researcher are probably being threatened by the people who designed the backdoors.
Truth isn't Truth - Guliani