Slashdot Mirror


CloudPets IoT Toys Leaked and Ransomed, Exposing Kids' Voice Messages (androidpolice.com)

"According to security researcher Troy Hunt, a series of web-connected, app-enabled toys called CloudPets have been hacked," reports Android Police. "The manufacturer's central database was reportedly compromised over several months after stunningly poor security, despite the attempts of many researchers and journalists to inform the manufacturer of the potential danger. Several ransom notes were left, demanding Bitcoin payments for the implied deletion of stolen data." From the report: CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth connected stuffed toy and is played back. Kids can squeeze the stuffed animal's paw to record a message of their own, which is sent back to the phone app. The Android app has been downloaded over 100,000 times, though user reviews are poor, citing a difficult interface, frequent bugs, and annoying advertising. Hunt and the researchers he collaborated with found that the central database for CloudPets' voice messages and user info was stored on a public-facing MongoDB server, with only basic hashes protecting user addresses and passwords. The same database apparently connected to the stored voice messages that could be retrieved by the apps and toys. Easy access and poor password requirements may have resulted in unauthorized access to a large number of accounts. The database was finally removed from the publicly accessible server in January, but not before demands for ransom were left.

64 comments

  1. Strict liability for writing code? It's coming by Anonymous Coward · · Score: 4, Interesting

    Build a bridge, and if it collapses due to poor design the engineers involved go to jail.

    Build a crappy piece of software? No liability. That's going to end eventually.

    You want to call yourself an "engineer"? Play by real engineering rules.

    You're just a script kiddie with your Ruby? Tough.

    Because eventually, if you implement something poorly like this, you will be liable.

    If that scares you and makes you nervous, GOOD!!!!, because that means you're the type of clown-writing-code that needs to be held to higher standards.

  2. Companies need to be legally punished for this by lucasnate1 · · Score: 1

    As the right says about its enemies, "they only understand force".

    1. Re:Companies need to be legally punished for this by Anonymous Coward · · Score: 0

      If Trump won't protect the elections from hacking, do you think he'll protect toys?

    2. Re:Companies need to be legally punished for this by lucasnate1 · · Score: 1

      Note that I said "as the right says", not "as the right does". I think people missed the irony.

  3. Re:Strict liability for writing code? It's coming by lucasnate1 · · Score: 4, Informative

    While I agree with you, I think it's unfair to always put the blame on the programmer. In many companies that I worked for I remember seeing things that looked like this, I talked with my managers about fixing it, and they said "it is lower priority".

  4. Re:Strict liability for writing code? It's coming by Anonymous Coward · · Score: 0

    I wonder how much "code writing" is really involved. More like gluing a few off-the-shelf components together with some bash scripts.. Because the margins are too small and the delivery schedules are too short for anything else. (Gotta pay those CEOs their seven figure salaries, doncha know.)

    Also probably put together by some semi-anonymous hack in China. You think you're going to be able to find him and get blood out of that turnip?

    The problem will continue until CEOs start going to jail.

  5. You want "cloud" by Ol+Olsoc · · Score: 4, Insightful

    You get this - you get cloud. Deal with it.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:You want "cloud" by Anonymous Coward · · Score: 0

      You get this - you get cloud. Deal with it.

      Cloud can be done 'right' with some forethought and skill, though. Unfortunately, that costs money.

    2. Re:You want "cloud" by AmiMoJo · · Score: 1

      It seems like there should be some kind of criminal negligence when security is this bad and people's personal data is being handled. In the UK they would likely be fined by the Data Protection Commissioner.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:You want "cloud" by mwvdlee · · Score: 2

      I recently encountered a site which had a maximum password length of 20 characters.
      My password now contains a message to whoever thought this was a good idea.
      I'm pretty sure somebody will read that message soon enough.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:You want "cloud" by Ol+Olsoc · · Score: 1

      It seems like there should be some kind of criminal negligence when security is this bad and people's personal data is being handled. In the UK they would likely be fined by the Data Protection Commissioner.

      I don't disagree. But if people by now do not recognize that the Internet of things in the cloud is inherently unsafe, and that manufacturers don't recognize that the same people who buy an IoT toy or a device that allows them to open and close their living room curtains with their smartphone aren't going to apply good security measures, well, the whole thing falls under the category that simply because we can do something doesn't mean we should do something.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    5. Re:You want "cloud" by Ol+Olsoc · · Score: 1

      I recently encountered a site which had a maximum password length of 20 characters. My password now contains a message to whoever thought this was a good idea. I'm pretty sure somebody will read that message soon enough.

      I suppose for the kids, the password will be 1Mommy, or some other hard to guess - oh wait - what password?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:You want "cloud" by Ol+Olsoc · · Score: 1

      You get this - you get cloud. Deal with it.

      Cloud can be done 'right' with some forethought and skill, though. Unfortunately, that costs money.

      Money and good sense. It can be done pretty well. But the problem is that given the nature of people, especially people who would buy their children toys like this - they simply won't. If regular folk by this time still refuse to use good passwords and practice good security - they never will.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:You want "cloud" by TechyImmigrant · · Score: 1

      I recently encountered a site which had a maximum password length of 20 characters.
      My password now contains a message to whoever thought this was a good idea.
      I'm pretty sure somebody will read that message soon enough.

      I know a bank that does this : http://northwest-bank.com/
      Bizarre.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    8. Re:You want "cloud" by AmiMoJo · · Score: 1

      There will have to be improved consumer protection laws, it's the only way things like this ever get fixed. It's hoverboards all over again - people will buy any junk without bothering to check if it is safe or not, and then hand it to their kids.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:You want "cloud" by Anonymous Coward · · Score: 0

      I recently encountered a site which had a maximum password length of 20 characters.

      As recently as 2013, passwords for AmericanExpress.com (to manage your cards, loans, etc.) had an 8 character maximum. And, the login form would give a distinct error message based on whether you used the wrong password for a valid username, or entered an invalid username. Fucking mind boggling! These motherfuckers are rolling in billions of dollars, meanwhile my spare-time hobby blog has better security.

    10. Re:You want "cloud" by Ol+Olsoc · · Score: 1

      There will have to be improved consumer protection laws, it's the only way things like this ever get fixed. It's hoverboards all over again - people will buy any junk without bothering to check if it is safe or not, and then hand it to their kids.

      I'm wondering what parents will buy an IoT toy that requires their child to enter - say a 10 character password with at least one capitalization, one number and one special character. But yeah, this stuff shouldn't exist at all if you ask me. Ugh. "Talk dirty to me little Ashley"......

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    11. Re:You want "cloud" by Anonymous Coward · · Score: 0

      I recently encountered a site which had a maximum password length of 20 characters.

      Even worse, there are still sites that will have a maximum of X characters, where X is usually 8 or 16, and will silently allow you to create your password with X+Y characters, but will ignore the Y when making the hash for storage. Then, when attempting to log in, you're also allowed to use X+Y characters, but the whole string is used to make the hash for comparison. Only if you type in X characters from the phrase are you allowed to log in.
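      The two login-form defects described in the thread (the distinct "invalid username" versus "wrong password" messages in comment 9, and the silent truncation at registration but not at login in comment 11) are easy to reproduce and just as easy to avoid. The following is an added example, not code from the original thread or from any site mentioned in it; the usernames, the 8-character limit and the 21-character test password are constructed values. It shows a legacy store that hashes only the first LEGACY_MAX characters when registering but the whole string when logging in, beside a hardened store that hashes the full password with salted PBKDF2 on both sides, rejects over-long passwords instead of truncating them, and answers every failure with one uniform message while still running the KDF when the user does not exist.

```python
import hashlib
import hmac
import os

# Constructed parameters for the demonstration (not from the original thread).
LEGACY_MAX = 8            # the comment's "X": the silent truncation limit
PBKDF2_ROUNDS = 100_000   # work factor; raise for production use
UNIFORM_ERROR = "invalid username or password"


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the same function must run on both sides of a check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LegacyUserStore:
    """Reproduces the failure mode: registration hashes only the first
    LEGACY_MAX characters, but login hashes the whole submitted string."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        # BUG: password is silently cut to LEGACY_MAX characters before hashing
        self._users[username] = (salt, derive(password[:LEGACY_MAX], salt))

    def login(self, username: str, password: str) -> str:
        if username not in self._users:
            return "unknown user"          # distinct message: confirms which usernames exist
        salt, stored = self._users[username]
        # No truncation here, so a password longer than LEGACY_MAX never matches its own record
        if not hmac.compare_digest(derive(password, salt), stored):
            return "wrong password"
        return "ok"


class HardenedUserStore:
    """Hashes the full password on both sides, enforces an explicit generous
    maximum instead of truncating, and answers every failure identically."""

    MAX_LEN = 256  # bound on KDF input; over-long passwords are rejected, never cut

    def __init__(self):
        self._users = {}
        # Dummy record so that a login for a missing user still costs one KDF run
        salt = os.urandom(16)
        self._dummy = (salt, derive(os.urandom(32).hex(), salt))

    def register(self, username: str, password: str) -> bool:
        if len(password) > self.MAX_LEN:
            return False  # reject loudly rather than truncate silently
        salt = os.urandom(16)
        self._users[username] = (salt, derive(password, salt))
        return True

    def login(self, username: str, password: str) -> str:
        record = self._users.get(username)
        salt, stored = record if record is not None else self._dummy
        too_long = len(password) > self.MAX_LEN
        # KDF over a bounded prefix keeps cost predictable; too_long forces failure anyway
        match = hmac.compare_digest(derive(password[: self.MAX_LEN], salt), stored)
        if record is None or too_long or not match:
            return UNIFORM_ERROR  # same answer for unknown user and wrong password
        return "ok"


def demonstrate() -> dict:
    """Runs both stores with a constructed 21-character password and returns the outcomes."""
    long_pw = "correct horse battery"  # 21 characters, longer than LEGACY_MAX
    legacy = LegacyUserStore()
    legacy.register("alice", long_pw)
    hardened = HardenedUserStore()
    hardened.register("alice", long_pw)
    return {
        "legacy_full_password": legacy.login("alice", long_pw),            # "wrong password"
        "legacy_truncated": legacy.login("alice", long_pw[:LEGACY_MAX]),   # "ok": only the prefix works
        "legacy_unknown_user": legacy.login("mallory", long_pw),           # "unknown user"
        "hardened_full_password": hardened.login("alice", long_pw),        # "ok"
        "hardened_wrong_password": hardened.login("alice", "hunter2"),     # uniform error
        "hardened_unknown_user": hardened.login("mallory", long_pw),       # same uniform error
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name:26s} {outcome}")
```

      The legacy store shows why the user in comment 11 could only log in with the first X characters: the record was made from a truncated string, the check from the full one. The hardened store's uniform error and dummy-hash path address comment 9's enumeration problem, and its explicit rejection of over-long passwords replaces silent truncation with a visible failure at registration time.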

  6. Re:Strict liability for writing code? It's coming by Anonymous Coward · · Score: 0

    That still means someone wrote it in the first place. The blame lies squarely on the programmer.

  7. Re:Strict liability for writing code? It's coming by Anonymous Coward · · Score: 0

    'If that scares you and makes you nervous, GOOD!!!!, because that means you're the type of clown-writing-code that needs to be purged from the industry.'

    FTFY

    I'm sure some of today's "clowns writing code" do have the capacity to perform if held to a high standard.

  8. Re:Strict liability for writing code? It's coming by kbg · · Score: 5, Insightful

    You should always make sure you get the manager response in writing. Just tell him to either send his response in an email and then archive this email or log his response to the bug report ticket and notify. Because when the shit hits the fan you will always be blamed, unless you can point to an actual written statement saying otherwise. If you just say "The manager told to me to ignore it", he will just reply "I don't remember saying that".

    Everyone else is covering their asses so you should also otherwise it's your ass.

  9. Those toys by Anonymous Coward · · Score: 0

    Are forbidden in Germany.

    1. Re:Those toys by Anonymous Coward · · Score: 1

      So is Nazism and, by extension, Donald Trump. Add in good beer and good food, not to mention the world's most superior scat porn, and I'm ready to emigrate.

  10. Re: Strict liability for writing code? It's coming by Anonymous Coward · · Score: 5, Informative

    Turns out it doesn't.

    I worked for a company with shit security practices. I put my foot down. Was almost fired for it. Had I not had and proven major exploits that would have put them out of business they would have fired me.

    Yes, someone wrote that shit. Someone horribly unqualified to do the job they were hired to do. And then every person that came behind them wasn't given the time to fix it and shit got bolted on shit.

    Also, this company literally handles children's personal info.

    As soon as shit was fixed to my satisfaction, I was let go.

    I couldn't be held responsible for having touched some of it before, or even after fixing it. Liability doesn't work that way (at least in Canada) it's 100% on the business.

    To be clear. Management is to blame. Management is liable. For having allowed shit work to happen, and for allowing shit work to stay around.

    Software developers have no right to say 'no' as engineers do. And I agree. It should be a regulated profession. It's not. Sometimes food for their families is more important than the moral high ground.

  11. Re:Strict liability for writing code? It's coming by Anonymous Coward · · Score: 1

    No it doesn't. If a bridge collapses the engineer who SIGNED OFF ON IT might be liable. Not all the engineers who worked on it.

  12. Re:Strict liability for writing code? It's coming by Anonymous Coward · · Score: 0

    Were that to happen, you should prepare for your software to become at least an order of magnitude more expensive, as it will become much more time consuming to write software, much more expensive to work as a programmer, and there will be far fewer people willing to program due to personal risk.

    Personally, I'm all for it. My salary would jump commensurate with the mass exodus of hobbyist-turned-professional programmers and I would gain the power over management when it comes time to determine when software is ready to ship and what it takes to get it there.

    Last, but certainly not least, you would likely see a renaissance of statically-typed languages. Foisting the responsibility of checking for entire classes of errors onto developers would suddenly become a huge liability, so you'd probably see dynamic languages relegated to scripting-only. We'd finally get something other than Javascript to use in the browser.

  13. Re: Strict liability for writing code? It's coming by Anonymous Coward · · Score: 0

    This is correct. Anyone who thinks a programmer can be held liable is just wrong. I'm not saying they shouldn't be but as it stands in this circumstance the programmer is not even slightly to blame. Blame the system architect or blame management but blaming anyone lower is like blaming the lift engineer for a shopping centre collapsing due to poor foundations. Unless you can pinpoint a very specific error a single programmer made and prove that he deliberately implemented it knowing the consequences then you have no hope and I don't think that should change. Management and lead developers should definitely be held more to account for what happens on their watches and I agree with the point below that more CEOs should be going to jail!

  14. I am inspired... by Oswald+McWeany · · Score: 1

    I am inspired!

    IoT vibrators. You can record a message for your loved one, and it plays back to them next time they use their vibrator.

    I AM A GENIUS!!!!!

    --
    "That's the way to do it" - Punch
    1. Re:I am inspired... by Oswald+McWeany · · Score: 2

      Oooohh.... and it can send a message back to your phone, so you know when your SO is using it and hearing your message. That should make the weekly staff meeting more interesting when my phone buzzes so I take a peek and see it's the Mrs having fun at home while I'm learning what Stanley O'Noodle worked on for the last 7 days.

      --
      "That's the way to do it" - Punch
    2. Re:I am inspired... by Anonymous Coward · · Score: 0

      I am inspired!

      IoT vibrators.

      Already done and already hacked!

  15. Re:Strict liability for writing code? It's coming by BradleyUffner · · Score: 1

    What happens to the jr. developer whose first task was to write software that was only supposed to be used internally as a test, when a year later some manager decides to put that code on a public facing, external server?

  16. Throwback by PeeAitchPee · · Score: 2

    This is like when we put old 80s rap cassettes in a Teddy Ruxpin.

    1. Re:Throwback by antdude · · Score: 1

      But it didn't go to the clouds. It stayed local!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  17. Doubt the company cares by Zontar_Thing_From_Ve · · Score: 2

    I checked and their stock is trading in the over the counter market. It's currently at 6/10 of one cent per share. That's right. A share costs less than one penny. At some point in the past year it was worth something like 38 cents a share. Given how even by OTC standards their stock is practically worthless, I would imagine that they don't have the funds on hand to pay the ransom and they probably can't fix the problems either, if they even cared to (not sure that they do). What people are saying about how this worked, when it did actually do what it was supposed to, doesn't suggest that security was given much thought. They probably thought nobody would care enough to hack a children's toy.

    1. Re:Doubt the company cares by powerlord · · Score: 1

      So they'll let shit-storm come, file bankruptcy and then sell the technology/patents/trademarks in the liquidation sale to a new company that will repeat the mess.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  18. Poor interface? by tuxisthefuture · · Score: 1

    "Kids can squeeze the stuffed animal's paw to record a message of their own" - "user reviews are poor, citing a difficult interface" How hard can pressing a stuffed animals paw be?!

    1. Re:Poor interface? by rjmx · · Score: 2

      Kids these days. Wimps. Now, in *my* day, we had to catch a grizzly bear and press ITS paw. While it was mauling us.

      Now get off my lawn.

    2. Re:Poor interface? by Anonymous Coward · · Score: 0

      re: app

      Because of course a teddy bear needs a phone app.

  19. Re:Strict liability for writing code? It's coming by Lab+Rat+Jason · · Score: 1

    The problem is the rigor that is applied to code writing doesn't exist the same way as it does in other engineering fields... something I agree needs to change. If the education standard were higher, then it would be no problem to hold people accountable when their bridges fail and their code leaks personal information.

    --
    Which has more power: the hammer, or the anvil?
  20. Re:Strict liability for writing code? It's coming by Anonymous Coward · · Score: 0

    No it doesn't. If a bridge collapses the engineer who SIGNED OFF ON IT might be liable. Not all the engineers who worked on it.

    That's not fully true. If the bridge collapses because the metal was the wrong type but the engineer took all reasonable care to ensure that it wasn't, for example getting test certificates from the supplier then the engineer who signed off the bridge is likely off the hook. The engineer who tested the metal and signed that off, on the other hand, is likely to be in deep trouble.

    This is the reason why software engineering literally does not exist. There are no libraries of separate identified components with clear properly specified characteristics that can be linked together in clear specified ways that will then work properly with high reliability. Although there is really interesting work in formal systems and improving this situation, serious serious flaws are still found by testing of the software system in construction rather than by modelling.

    Strict liability for software has to belong to a company which is certifying the whole system and has access to the entire source code or passes it down to other companies which are specifically responsible for a defined sub-system. Things like design by contract may well be helpful here. The only way to find out is to try it, starting gently and gradually increasing the liability.

  21. Re:Strict liability for writing code? It's coming by drinkypoo · · Score: 1

    The problem is the rigor that is applied to code writing doesn't exist the same way as it does in other engineering fields... something I agree needs to change.

    It needs to change, at least, for software that can kill people. Toyota got dinged for unwarranted acceleration not because they made a mistake or even because it was proven that's what happened. They got in trouble because their code was such garbage that it would be shocking if it weren't causing problems. It did not meet any reasonable programming standards, including the ones typically used within the auto industry. Anyone who hires a programmer who drives a Toyota is hiring a dumbshit.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  22. Re:Strict liability for writing code? It's coming by LordWabbit2 · · Score: 3, Interesting

    Heh, while not exactly security related, I worked for a company who dealt in millions of transactions totaling billions in value. All this shoveled back and forth through IBM MQ.... with no transactions. Every now and then the server would up and die, and since it was multi threaded messages would get lost. I suggested switching on transactions to at least stop losing messages while we hunted down the reason for the server croaking, and was told NO. It would be too expensive (it was like 6 lines of code to actually implement) but the TESTING with all the clients would have cost them millions. So as far as I know they are still losing messages. Management's call, I left shortly after.

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  23. Re:Strict liability for writing code? It's coming by lgw · · Score: 1

    Toyota got unwanted acceleration because people stepped on the gas pedal, thinking it was the brake. Just like every other "unwanted acceleration" problem in automotive history. It is a design flaw if you let people shift out of park without their foot already on the brake, of course, but not a programmer error.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  24. Re:Strict liability for writing code? It's coming by Anonymous Coward · · Score: 0

    Last, but certainly not least, you would likely see a renaissance of statically-typed languages.

    When did they ever fade? Every serious project I've had in my entire career has used statically typed languages, because it'd be foolish as shit not to.

    Toy projects or little glue things, sure, makes perfect sense to use languages that spring variables into existence if you mention them - even if they're a typo, or that don't do any kind of static type checking.

  25. Re: Strict liability for writing code? It's coming by Anonymous Coward · · Score: 0

    When management says to forgo the security it hardly rests on the programmer.

  26. Re: Strict liability for writing code? It's coming by DNS-and-BIND · · Score: 1, Funny

    Heh, long ago I worked for a company that, as a part of its proprietary product, ran open mail relays. That's right! Open relays. It was "necessary" to make the software work correctly. The morons who built the custom solution knew nothing and I was a junior sysadmin back then so I didn't know to correct them. Needless to say we pumped out 100,000 spam emails a day compared to about 4,000 legitimate messages.

    One day a new manager put his foot down and turned off the open relay. He was nearly fired. He was removed as my supervisor and put in charge of "special projects". Eventually we got listed on Spamhaus or RBL or one of those, which was very gratifying to report to management. Nothing was ever done though, it would have required rearchitecting the system. The open relay was still going strong when I left.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  27. Help - Looking for solutions by FeelGood314 · · Score: 1

    As a consumer, I can't measure the security of a webcam, toy or even a website before I buy/use it. If I live in the USA I can't even safely test it after I buy the product. There are 4 companies that have reputations that I would consider trusting their security and to get to four I had to include Microsoft.

    So if you are not one of those four companies security will not gain you a single sale. Lack of it might burn you later but even that is unlikely.

    We know shit security is a problem. I want to hear some viable solutions.

    I don't see certifications for products catching on or being effective. Liability for the software developer would result in the lead developer being some guy in India with no assets to sue. Recall laws that say if your device is used in a DDOS attack you must upgrade it or replace it? What if I buy the device off the net from a company in China and China doesn't have such a law?

  28. Re: Strict liability for writing code? It's coming by Anonymous Coward · · Score: 1

    Here at a company everyone thinks of as very open, and after several incidents, we eventually got to do paid pentesting (because we're not allowed to do it ourselves). They got in through the methods we had highlighted as problematic. We are forbidden to talk about it, and it's not getting fixed.

    See, the goal of management is to reject blame, have zero accountability, and just appear to do stuff. They have no interest in security. Heck, they have no interest in the product. The only interest is to look good to the next management layer by any means necessary - and since it's the same shit one layer above, nobody measures themselves on real world performance. (and that's how companies die)

  29. How does that happen? by FilmedInNoir · · Score: 1

    How does a company pour all that technology, time, and money into something and trip up at the finish line? Was it that hard to find someone that understood security?

    --
    Sig. Sig. Sputnik
    1. Re:How does that happen? by Anonymous Coward · · Score: 0

      Same reason "whatever I can get away with" or "as long as I don't get blamed for it" ends up replacing just about any official policy regarding cleanliness, safety, or legality - at any level: no values, no commitments, no honesty, and no concern for the future.

  30. Re:Strict liability for writing code? It's coming by Neuronwelder · · Score: 1

    Regarding the Bridge and the Children: Shouldn't there be someone or an assigned group watching over the events? Analysing the progress to make sure nothing disastrous or malicious happens?? Our world is so money focused.. What good is a signature?? Is a signed piece of paper going to cover a calamity like a band-aid?

  31. Not prosecuted by Anonymous Coward · · Score: 0

    ... voice messages and user info was stored on a public-facing MongoDB server ...

    Why aren't they being prosecuted under "think of the children" laws, where juvenile netizens do have a right to privacy? The corporation has obviously failed in its duty of care towards its subscribers, by not securing their accounts. Google, who refuses to allow juvenile subscribers into its own cloud services, should have performed some sort of security audit on the app before listing it on Google Play. (A security audit on all apps will reduce malware in their digital ecosystem, so there's even less reason for ignoring their apps marketed to children) I notice the CloudPets app has disappeared from Google Play but a competing app, offered by Spiral Toys, is still listed.

  32. I never had a problem w/ that... apk by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    take a look at the APK hosts file engine by SuperKendall

    Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad

    APK is totally right on this count. A hostfile based adblocker makes for a much better experience by chihowa

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    * Hosted & recommended by Malwarebytes' hpHosts!

    APK

    P.S.=> See subject... apk

  33. If MY name's on it? It's held to highest std. by Anonymous Coward · · Score: 0

    See my subject & proof thereof https://developers.slashdot.org/comments.pl?sid=10301689&cid=53949657/

    * I look @ it like the Ford family does their mustang 4.6L-5.0L engine block which even 'supercars' like the Koenigsegg chose initially as their powerplant (hence why I called it "V-8 engine build" internally...) - my name's on it, I put pride & hand-craftsmanship into it.

    (So much so, the code's virus-proof via every proc/function checking the .exe vs. alteration & central refactored (or inlined) errtrap abend reset (uncrashable pretty much)).

    APK

    P.S.=> It's all the impetus & inspiration I need - It takes ~6 minutes to do its job on default dataset (& I have a private build that does it in only 4.5 minutes no less)... apk

  34. Re:Strict liability for writing code? It's coming by Anonymous Coward · · Score: 0

    switching on transactions may not have been the answer. by nature those work by adding locks. when you're talking millions of transactions, you could have just bottle-necked the system, and took the entire service down. Not saying that's what would happen, but you do need to analyze all tradeoffs of the decision.