Should Burger King Be Prosecuted For Their Google Home-Triggering Ads? (washingtonpost.com)
Slashdot reader Lauren Weinstein thinks Burger King should be prosecuted for successfully running an alternate version of its advertisement to trigger Google Home devices again Wednesday:
Someone -- or more likely a bunch of someones -- at Burger King and their advertising agency need to be arrested, tried, and spend some time in shackles and prison cells. They've likely been violating state and federal cybercrime laws with their obnoxious ad campaign... For example, the federal Computer Fraud and Abuse Act broadly prohibits anyone from accessing a computer without authorization... Burger King has instantly become the 'poster child' for mass, criminal abuse of these devices... It was a direct and voluntary violation of law.
again
FTFY.
Maybe this time Google will address the root problem rather than sticking a band aid over the sucking chest wound that is their security practices?
I'm going to side with BK on this one. Nice troll of google. Again! With BK you can get a product that will feed you. With google you *are* the product. Not sure which product is the fattiest or greasiest of the two but there you have it.
https://www.youtube.com/watch?...
I've never heard of such a brutal and shocking injustice that I cared so little about!
Give it to me straight... who does this affect - 4 or 5 people tops?
#DeleteChrome
I mean, as long as we are all being dicks, why not have the bigger dick?
I am very small, utmostly microscopic.
I'm not of that opinion. When a company is universally mocked on social media, I have trouble understanding how that is good for that company.
Lauren seriously needs to get a grip on reality if he thinks that jail time and shackles are appropriate punishments for a burger ad that triggers Google's spy equipment. There are real injustices in the world that are worthy of indignation, but Lauren's hyperbolic outrage over trivial first-world-problems (for those dumb enough to buy a Google Big Brother microphone to put in their homes and listen to their every conversation) is just plain silly.
That FBI woman was using the phrase "Alexa" on TV, for the purpose of triggering an Amazon Echo.
Or why not remove Burger King from their search engine? A milder version would be pushing up a warning page when searching for Burger King or any of their trademarks...
Apparently Burger King made a slight change to the article and resubmitted it.
I don't really care as long as I keep getting those sheets of coupons.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Or send BK's corporate mail servers a few thousand emails from each Google Home device requesting they stop each time they hear the ad? I hope they'd take the hint if their advertisements start triggering corporate network problems.
Sigger than your average
"Order me a widget..."
You just know someone is going to try it. Put out a tv or radio ad, that tells every Echo out there to order a particular item, or at the very least, add it to a shopping cart.
The people who designed these systems knew full well in an environment with widespread adoption there would be a wide range of incentives to intentionally exploit this using unauthenticated local and broadcast communications. This is only the beginning.
I hope all those upset about burger king "hacking" their devices continue to enjoy their Surveillance Marketed As Revolutionary Technology devices.
Even if it is for a short time, I wonder if BK will get the hint if Google suddenly blacklists BK, or perhaps redirects all searches to a page explaining how BK is being a douche.
Dara Schopp, BK regards the ad as a success, as it has increased the brand's 'social conversation' on Twitter by some 300%," though he's not a fan of "reaching through your TV speakers and directly messing with your digital devices. You may wish to consider alternate vendors for your burger needs."
All publicity is good publicity. Thus the thugs at United Airlines have just completed the most successful and money making PR campaign ever.
Next on Burger King's agenda - Murdering a random customer. Strangle that fucker in the front of the store. That oughta get their Twitter feed, the undeniable measure of success, to go up by a million percent or so.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
the king will not last 1 day in gen pop!
Interesting, I haven't heard of a similar attack on Siri, or Amazon Echo.
is BK just trolling for the biggest fish, or is there something more?
In fact they should be put up for the death penalty and deported. in that order.
Dear god, because it triggers a piece of toy tech the stupid people get all "PUNISH THEM!"
Honestly, my fellow Americans all have turned into Low IQ whiney babies.
Do not look at laser with remaining good eye.
...huge exposure like this makes increases brand awareness...
Whether an increased brand awareness is good or bad is really determined by the quality of that brand awareness. iow, how is this increased awareness of the Burger King brand helping them? Is the mocking helping? How does the mocking bring more people into their stores?
Is there another message that Burger King could attempt to deliver that would do far better for the Burger King franchise owners?
Where I come from, laws that put people in prison for these sorts of pranks are known as Nanny-Statism. Such laws keep growing and festering.
Eventually a popular uprising occurs and a nut-job is voted in to power ...
Kevin Mitnick spent 5 years in jail https://en.wikipedia.org/wiki/... and Aaron Swartz was prosecuted/persecuted to the point that he committed suicide https://en.wikipedia.org/wiki/...
Meanwhile, Sony pulls off their rootkit exploit https://en.wikipedia.org/wiki/... and now Burger King with "OK, Google", and nobody goes to prison. The takeaway lesson for cybercriminals... don't do anything as an individual; instead, incorporate as a multinational, and have the corporation do the dirty work, without risk of anyone going to jail.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Seriously? You people are the reason nobody can get along anymore.
Put in shackles? Lauren Weinstein sounds like a real asshole.
Maybe you shouldn't make your vocalized password the default "OK google." Yeah I know, first world problems...
You can lead a horse to water, but you can't make it dissolve.
No, this is a good thing. The security hole is, and has always been, that the devices only recognize selected trigger words. This hole is due to poor design choices of the manufacturers, and they must step up to the plate to fix it or become liable for any and all consequences.
My GPS in my car has a 100% programmable verbal trigger (I have used "yo, bitch" in the past... so as you can see, quite programmable) and it is almost a decade old. So there's zero question it can be done.
The message is flat on the table now: Amazon, Google, Mycroft... everyone has to set up user-programmable trigger words as part of the install of the device / app. Otherwise this kind of thing, including truly hostile events, will be a regular consumer experience, and the manufacturers will be complicit.
No manufacturer can argue they were ignorant of the risk now. Entirely a good thing. I look forward to them repairing this obvious malfeature.
I've fallen off your lawn, and I can't get up.
United is also getting a lot of public attention lately. Not sure how well it is working for them.
Somebody's full of crap. In order to complete an order this way, after getting the Echo to understand what you want and confirming it verbally, you still need the 4-digit confirmation PIN number. That's a 1-in-10000 chance of getting right. If the parents let the kid hear the PIN number, that's on them. Not Amazon.
It's just the news media trolling you, hyperventilating about a non-problem. Again. Still. As they will continue to do tomorrow, because you let them.
I've fallen off your lawn, and I can't get up.
The ideal would be for google to tweak the reply so it becomes:
Burger King Ad: "Okay Google: what is the whopper burger",
Google Home: "The whopper burger is one of the leading causes of obesity, diabetes and cardiovascular diseases in the United States."
A response that is objectively true, and not in Burger King's interest.
On topic, this is actually illegal, but the severity is similar to that of an elementary school kid who installs scripts displaying a funny gif on the teacher's computer while it's attached to the projector.
Neither is technically legal, but both fall under the category of "harmless prank". If repeated or taken to extremes a fine (or a trip to the principal's office) is appropriate.
Of all the corporate criminal activities we see this is a minor one, and one that warrants no more than a fine.
Lauren, I have the feeling you're an over-coddled snowflake SJW that goes around looking for reasons to be offended. Seriously, just stop it, m'kay?
Nobody is going to take you seriously if you go around acting so unreasonably all the time. In the legal world we have a standard called the "reasonable person" standard. The "reasonable person" is a hypothetical person who exercises average judgment and care, and who thinks as most people do, with reason and skill. SJWs like you are what we call "outliers" who are not used to compute the standard of a "reasonable person." We don't average you in because, quite frankly, you are not reasonable, do not want to be reasonable, and in fact seem to go out of your way to be unreasonable. This is why the societal and legal worlds do not take social justice warriors seriously.
"Screaming," "crying," and "stamping your feet," are not methods of argument.
If you provide access to a computer resource without authentication and to anyone within ear shot, you have granted authorization. The people at fault are the fucking mentally retarded owners who install such shitty technology in their house and then complain when it's legally abused as intended.
Fucking idiots.
Hey, is there anybody out there as old as me, that remembers the Bill Gates' intro to voice controlled computing - - - when someone in the audience yelled out "Format see colon return" - and the computer did it - - - rofl.
I never did find out what happened to the poor fool that scuppered BG's prime time demo.
Just wait until someone figures out how to diddle the phones to switch to 'speaker-phone', and then proceed to totally trash the house's voice control network ! ! !
cheers . . .
redneck geek
Of course they should. It would be a perfect stage to show off how dumb the CFAA is to luddites in government.
corporation, they'd have been arrested, and would currently be awaiting trial in jail with an outrageous bail set.
So fuck Mitt Romney, corporations are not people, they're clearly better than that.
Lauren Weinstein, a whiny, weak-ass, entitled, irresponsible snowflake with no life.
No, it was you, opening the door and inviting the thief into your home to stay the night.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
If United Airlines CEO Oscar Munoz still has his job maybe the same broken logic is operating there too. United recently assaulted a customer who didn't want to give up his seat.
Digital Citizen
What is authorized and un-authorized use? Has Google made any effort to limit use to only the owner, or have they optimized to allow use by anyone who can talk to the device? If there's no authentication, log-in, or physical controls, there's no permission needed to use the device. What does the owner need to do to keep other people from using the device? Turn it off.
Expect to see any always active voice controlled device be hacked unless it's keyed to a specific voice signature with some form of ACL tied to a specific voice print.
As much as I hate advertising intruding into my life and do everything I can to stop it with filters on all my devices, this is not the advertiser's fault. Anyone who thinks the advertiser should be liable is clearly wrong.
If anyone is to blame it's Google's development team and the current tech development attitude of ship now and fix the bugs later. This is 100% a failure by Google to anticipate a use case like that and to incorporate security features that detect situations like that.
The people who believe Burger King's advertisers are to blame and should be sued or held liable are looking at things entirely wrong and your attitude should be that the developers engineers made an extremely blatant oversight and released an immature product with what some are perceiving as an enormous flaw.
Alexa is no different.
Even if you add a marginal level of security based on a vocal fingerprint or signature, if it's still 100% voice activated, there is nothing to stop someone from recording someone's voice, characterizing it, and then crafting anything they want to say using their voice's frequency signature, cadence, and speaking patterns and simply playing it back through a speaker. Voices have a very limited frequency range, if you expect security in a voice controlled app or device, it's going to be no better than using a clothes pin for a lock.
Please deface and lock the Whopper page so when Alexa reads it out it's really obscene and/or embarrassing. Problem solved.
It must have been something you assimilated. . . .
If a television advertisement can trigger your phone to act without your consent, perhaps the always listening assistant is truly not in your best interest.
I have a stack of PC Magazines back for ages at the top of my closet. On one of them, there is a caricature of Bill Gates as an octopus, fighting off attacks from fighter jets (the lead of which was Netscape) because Microsoft had the audacity to ship Internet Explorer as the default browser in their operating system. Let me repeat that: The fact that an operating system used its influence to set the DEFAULT WEB BROWSER was front page news. And people were upset.
And now....Microsoft has the stones to involuntarily change the operating system (and the license agreement) that its users run on. What is the response? Sure there's outrage, but what are the real consequences to Microsoft? Maybe a class-action lawsuit at best for a few people? An apology for 'not being clear enough' about the upgrade process?
If you really want to be serious about how much control people have over your systems, you need to be a little bit more vocal, and a little bit more upset than this. The fact that the 'Internet Outrage' only caused the ad agency to double-down should probably clue you in to the level of action you really need to take here.
If you're not willing to defend against a company that is literally threatening your job security (I have clients with Windows 10 PCs), what threat are you to a fast food chain?
What the heck is a 'sig'?
Beat that
I agree - BK exploited a hole in the system in a way that was reasonably annoying but pretty harmless. This just highlights the fact that voice control over computers is a crappy way since there's no way to truly identify that the person who does the command has the right to do it.
It's about as secure as a MS-DOS system.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Don't complain, go to https://slashdot.org/recent/ and vote instead.
This is because people don't vote on new stories and downvote spam.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Or why not remove Burger King from their search engine? A milder version would be pushing up a warning page when searching for Burger King or any of their trademarks...
Hmm, you want Google to punish a paying customer (i.e., Burger King) to protect the rights of non-paying non-customers?
Burger King's Ad should be firmly covered by the first amendment.
There was no exploitation, nor was there any unauthorized [access].
The device is always on, with zero expectation of authentication to access. It can be argued that since there is no authentication required as well as its design to listen with the implied consent by the owner that it will listen to anything that any command it is capable of hearing is authentic. A change to address automated access by advertising cannot account for access by any other means.
The device also comes without any warranty implied or otherwise that it may or may not function as the owner intends and holds the developing party harmless.
Not a Lawyer but even I understand TFA was written by some butt-hurt liberal scum having a tantrum.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Burger King are basically nothing more than Black Hat hackers showing us the devices are insecure. Anyone stupid enough to have bought into this generation of voice activated devices deserves all the accidental or malicious triggering they get because the devices just have no attempt at security at all. I mean, I hope the gen 2 devices make some attempt to authenticate that it's their owner issuing commands.
Right now these devices are as secure as running routers or other iot devices with the default passwords.
I mean, as long as we are all being dicks, why not have the bigger dick?
Because being an annoying dick is different to being a monopoly abusing dick, and Google doing that would just result in a very lengthy court action.
Or why not remove Burger King from their search engine?
Because it's legally an incredibly stupid thing to do for a company that states over and over again they are not abusing a monopoly position.
I'm not of that opinion. When a company is universally mocked on social media, I have trouble understanding how that is good for that company.
But they are not. You just think they are.
Quite a lot of people are laughing this off.
A few people are annoyed.
Many people are pointing out how clever the idea was.
A lot of others are pointing the blame at Google.
Hell here on Slashdot there seems to be more praise for them than not. This isn't United beating up passengers and getting grilled for it. This is actual somewhat interesting and intelligent social conversation which mentions Burger King over and over again.
And the MPAA and RIAA would LOVE this because it means Google CAN do it, WILL do it, and are doing it for stupid reasons.
Instead of having to "legally" prove a site is bad, why not have Google remove piracy sites for possibly having links? I mean, you removed Burger King because they embarrassed you, so why not remove these sites because no proper search engine should link to less than legitimate sites? And BK was for all intents, more legitimate.
As much as Google wants to, they can't, lest they get a flood of requests to ban all sorts of things "because you proven you can, and will do it for the silliest of reasons".
Let the fun begin
This perpetual motion machine Lisa made is a joke, it just keeps getting faster and faster. - Homer
There, patent away.
Look, I'm not going to attack someone's character over one ridiculous belief. That being said, believing that Burger King did something that violates the CF&A is a pretty fucking stupid belief. Believing that jail is a solution to what is essentially a harmless hack is even more ridiculous. In fact I would go so far as to say that they did the world a favor by giving the proletariat a wake-up call, albeit as an unintended side effect rather than as their intended purpose.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Lack of security features isn't an agreement to let others use your product.
If I leave my front door open and random people just walk in my home I would be pissed and I could get them removed by law for trespassing because.
We shouldn't need a fortress for protection all the time to make sure people behave.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Haven't people been at least indicted, if not sentenced, simply for accessing *public* HTTP-based APIs? Why should something intentionally exploiting what is clearly a *non-public* interface be treated less harshly than those people? Either one of those two needs to be changed or your justice system is hypocritical.
Ezekiel 23:20
"They manipulated my 'computer' from far away through sound waves to do their bidding, on purpose, repeatedly."
When you turn your computer on, and navigate to a webpage, the remote computer, through the internet sends files to your PC that manipulates what is displayed on your computer to show you what it wants to show you. Are they hacking your computer?
What if they send you a video file and it starts playing? What if they send you some javascript (and you've enabled javascript) and a little program runs on your computer inside the browser sandbox all nice and proper? Are they hacking your computer?
Presumably this is ok, because you turned on your computer and requested that it do this?
Well.. didn't you also purchase this google thing, with an always on microphone, and set it up on the internet set to obey any commands it recognized? And then you put this thing within earshot of your TV with the volume turned up loud enough to ensure it could hear it?
And they didn't 'hack' you. They didn't run an exploit, overflow a buffer, or escape from the sandbox. They issued a request... literally a verbal request, in plain English. And your system was set up to audibly play their content, to listen to anything audible, and consent to anything it recognized.
Are you sure you aren't a little bit responsible here?
As always, It's all about intent right? What did BK intend? They wanted to get your device to play you a 2ndary ad. Nobody disputes that.
What exactly did "you" intend? When you set up an always listening device within earshot of your TV set to obey any audio command that it recognized? You did THAT? but simultaneously didn't intend for it to do things the TV said?
I mean, I don't want to blame the victim; but this isn't a girl wearing provocative clothing getting assaulted.
This is a girl wearing provocative clothing, simply being approached and politely asked for a photo. The fact that she's gone and rigged her phone to always be listening and to automatically send photos of herself naked to anyone who asks for a photo is really on her. Maybe she only "intended" her boyfriend to get pictures? Well, sorry, that's not the system she set up.
This. I, for one, think that the law is too strict, but it should be applied consistently, so BK should find themselves in front of a judge for this just as any bored teenager would for being caught doing the same.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Eh, I don't buy the argument. If you are fool enough to let your devices fully open for anyone to have access to using voice commands, I doubt any serious court in the country would apply any reasonable fines to a company that chose to run a specific script for their ads.
Again, if anything BK did a huge public service here by showing how easy it is to exploit always listening devices without causing any significant damages.
People who are angry at BK or Google should take a deep look into the whole thing and see if it was really a good choice for themselves to buy a device that is always listening for audio input, without any protection and any security measures, not to take random audio cues as valid ones to execute commands.
We can't keep trying to scapegoat every single brand or business who takes advantage of flaws of stuff you purchased yourself knowing full well how it worked beforehand.
Already we're letting politicians give away all protections that we have regarding privacy and data collection, and people are still voluntarily buying into scams like always listening devices for the most frivolous reasons.
But go ahead and spend a truckload of money on legal action that will essentially solve nothing. Because vulnerabilities on these always listening devices will always come up, and BK is the most innocuous usage of it I can imagine.
Wanna do something to make a difference? Take your fucking Google Home, Amazon Alexa or whatever device and return it or chuck it into the garbage bin. Because the problem here is not with one BK advertisement campaign or because of Google Home - the problem is with the entire concept of having an Internet connected device that has an always listening and always dialing back device. If an advertisement agency can do this much and it's angering this many people, just you wait 'till hackers with clear bad intentions start exploiting those for their own profit.
I recently saw multiple police cars driving through the neighborhood. They had a large speaker on the cruiser and the officer was saying "Hey Google" followed by a shortened URL.
There needs to be more security in IoT products. Glad that awareness is being raised by a harmless ad that raises the issue of security.
"federal Computer Fraud and Abuse Act broadly prohibits anyone from accessing a computer without authorization"
So someone makes a product that has no security, and we should sue the people who use that?
Yeah, that's par for the course of legal history I guess.
It's obvious that would be illegal. As it would be to de-list BK from their search. It would also fucking destroy google, because they only exist at the behest of advertisers (who pay their bills) and everyone would revolt against such an action.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
While I'm not a fan of what they've done, even I have to admit surprise and respect over it. You'd think someone would have tried it sooner, or that something more important than fast food would have been first. That being said, how many of us, if we were in marketing, wouldn't have tried this? As much as we may dislike the idea, it has proven itself effective, and it's now only a matter of time before someone in the departments of those mobile developers gets wise and pounces on it. Look at all of the attention BK has gained from this and tell me how it's not effective...
Lack of security features isn't an agreement to let others use your product.
Let's just get to basics:
I think perhaps a reassessment of your principles is in order.
The cesspool just got a check and balance.
The story submitter is probably being paid by Burger King.
You know, to keep Burger King going as a topic, and continue to get more positive return from the campaign.
I am happy that rage-tard keeps spinning, because the pee is all over his face.
Google just needs to detect when they get a large number of the same request come in simultaneously. Then they can create an id of the message and automatically block it as spam. It will stop the problem before it starts!
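The burst check suggested in the comment above, sketched as an added example (it is not part of the thread and not Google's implementation): transcripts are normalized and hashed into a message id, and an id is blocked once enough distinct devices send it within a short window. The names `fingerprint`, `BurstDetector`, the thresholds and the sample events are all assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict, deque

# Assumed wake-word forms; stripped so only the command itself is fingerprinted.
WAKE_WORDS = re.compile(r"^(ok(ay)?|hey)\s+google[\s,:]*", re.IGNORECASE)


def fingerprint(transcript: str) -> str:
    """Return a short id for a transcript, ignoring wake word, case and punctuation."""
    text = WAKE_WORDS.sub("", transcript.strip())
    text = re.sub(r"[^a-z0-9 ]+", "", text.lower())
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


class BurstDetector:
    """Block a message id once many distinct devices send it almost simultaneously.

    Assumes events arrive in timestamp order. Counting distinct devices means one
    user repeating a question does not trip the detector.
    """

    def __init__(self, window_s: float = 5.0, min_devices: int = 4):
        self.window_s = window_s
        self.min_devices = min_devices
        self.recent = defaultdict(deque)  # fingerprint -> deque of (ts, device_id)
        self.blocked = set()              # a real service would expire entries

    def handle(self, ts: float, device_id: str, transcript: str) -> str:
        fp = fingerprint(transcript)
        if fp in self.blocked:
            return "blocked"
        window = self.recent[fp]
        window.append((ts, device_id))
        # Drop events that fell out of the sliding window.
        while window and ts - window[0][0] > self.window_s:
            window.popleft()
        if len({dev for _, dev in window}) >= self.min_devices:
            self.blocked.add(fp)
            return "blocked"
        return "served"


# Constructed sample traffic: (seconds, device id, transcript).
SAMPLE_EVENTS = [
    (0.0, "dev-a", "OK Google, what's the weather"),
    (100.0, "dev-b", "Okay Google: what is the Whopper burger?"),
    (100.4, "dev-c", "OK Google, what is the Whopper burger"),
    (100.9, "dev-d", "ok google what is the whopper burger"),
    (101.3, "dev-e", "Okay Google: what is the Whopper burger?"),
    (101.5, "dev-f", "Okay Google: what is the Whopper burger?"),
    (130.0, "dev-a", "OK Google, what's the weather"),
    (131.0, "dev-a", "OK Google, what's the weather"),
    (400.0, "dev-g", "OK Google, what is the Whopper burger"),
]


def run(events):
    """Feed events through a fresh detector and return the decision for each."""
    detector = BurstDetector()
    return [detector.handle(ts, dev, text) for ts, dev, text in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{event[0]:7.1f}  {event[1]}  {decision:8}  {event[2]}")
```

The first few devices in a burst are still served before the threshold is reached, and a reworded command produces a new id, so this limits a broadcast trigger rather than preventing it.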
The difference being that the negative attention to United was related to problems with their product instead of problems with their advertising.
Cheese? I don't order anything with cheese there anymore because I can barely taste it. The other day I ordered two Whoppers, and it was taking a while. "She put cheese on there by accident, so we're going to remake them because we can't just pick it off." "Don't bother, I don't mind the cheese, I just don't need it." And I was able to confirm that I really could barely taste the cheese. (To be fair, it's because of all the other flavors, but I've stopped getting cheese on burgers in general, not just BK. I don't want to pay 50 cents for extra calories that I can't even taste.)
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Even if their headquarters are in Canada, if they do business in the US, they are subject to US law.
Who was told to leave?
Google just went passive aggressive and treated it like a challenge.
They're rocking back and forth in their chair now and moaning with rage.
Well, that's kind of the thing, isn't it? It's *hard* to draw that boundary and the CFAA is really vague about what constitutes unauthorized. I mean, do we commit a felony if we link to perfectly accessible sites where the owner has written a ToS that purports to give them full control? How do we even know that we weren't authorized? Clearly we need to have some kind of notice. And the web is full of programs, it's not reasonable to expect everyone to read every ToS on the web, clearly we should have some expectation that if the site gives us access when we ask for it that we're allowed to actually view the page. But at the same time, we can't go too far in legitimizing those who hack the websites into giving access. At the same time, I'd hate to see felonies for people who put an anonymous email into anonymous FTP or who don't feed some website all their personal details when signing up.
That's why I think that access should be authorized as long as it is given and there's no important deception. Here 'important' simply means that if you hadn't deceived the site, it wouldn't have granted access. It also requires actual deception--something untrue. For example, pretending that you were the owner of some account and trying to reset the password, lying to the support staff to get access, or simply brute forcing an account that isn't yours. It'd be best to add in some minimum amount of damages that have to have been suffered, too, so that some technical violations that cause no actual harm don't get treated as federal crimes. Say, for example, if some kid claims to be 18 to access a porn site.
I find this to be a more balanced idea that focuses the criminal penalties on people who are actually up to no good, without giving websites carte blanche to dictate what is and is not a felony.
But that's what all commercials and ads do. They barge into your house unwanted, boost the volume of their clips above the show where the volume has been set, etc...., and by turning on the TV you ALLOWED them into your house.
I am failing to see your logic in this (e.g. there is none).
Now if a company designs a product that by default allows access by ALL and no means to secure it, then YES it is like an automatic door.
Heck, I am waiting for someone to actually be invited into someone's home and out of the blue "Hey Google, list last porn site searches".
Basically the Home, Echo, et al. as they currently exist are a security nightmare waiting to happen.
Seriously - how incredibly stupid would it be to say that Burger King is "intruding" in to computer systems? We could just as easily use the same arguments to say that people who cause unwanted pop-ups have subverted the intended use of our browsers and are, therefore, "intruding".
But who's to say that some normal sounding dialogue doesn't incite some other piece of technology in the future? Should we have to keep a catalogue of all the things that can't be said, lest some listening device be woken?
Really, Lauren Weinstein, you haven't thought this through.
And I was able to confirm that I really could barely taste the cheese.
That's because it's not really "cheese", except through the most generous use of the word.
But yes, those yellow slices of whatever-it-is are about as tasteless as water-soaked cardboard.
Just cruising through this digital world at 33 1/3 rpm...
You turn on your tv, you tune in a channel where you are aware there every now and then will be commercials. There isn't any kind of restrictions from your side that indicates that you don't want that, it's your choices all the way.
BK on the other hand, actually had to speak the magic phrase, which gives them command over a device which isn't theirs to command, and they used that phrase for that explicit reason. They made your device do something, not you. That's "unauthorized access" which is a crime (see Computer Fraud and Abuse Act).
It's that simple. It doesn't matter if it's a well known phrase, or that anyone can say it. It's not an automatic door, it's like finding someone's password posted on a billboard somewhere, and using it to log in and do whatever you want. Yes it's bad security, but what you're doing is still illegal and WILL land you in huge trouble.
If you want the convenience, be prepared to pay for it. I recognize the inherent insecurity and instability of such devices and will never let one near my home or network. BK is just playing the hand they were dealt, so to speak, by the numbnuts at Google. Probably goes for Alexis, too. We as consumers need to be more aware of what these devices do and the hazards they pose.
Sometimes to protect the integrity of your product and your other customers from destructive customers, you have to fire a customer.
This is a pretty mad interpretation of "accessing a computer system". BK don't have "access". They have sent a message. They didn't receive any response, attempt to receive a response or have any means to receive a response.
And even if you can stretch the definition to cover that use, it seems like a crazy misapplication of the law - one designed to cover activity that actually does something harmful rather than getting a different device to do what BK have the capability of doing with your TV anyway (i.e. read out a description of the product).
I can see it as a mildly annoying practical joke. About as enraging as a rick-roll. She really should get over it.
Is this really "a thing" now? If so, and you're worrying about it, just please fucking shoot yourself.
For the good of humanity. Just off you over-sensitive ass and have done!
It's not BK's problem that Google's device security is half-baked shit.
Chas - The one, the only.
THANK GOD!!!
If I don't lock the door to my house and you enter, you are still committing Break and Enter even though you didn't "break" anything. The absence of a "lock" doesn't mean you can enter.
"Burger King has instantly become the 'poster child' for mass, criminal abuse of these devices."
What Burger King has become the "poster child" for is the utter and complete insecurity of any of the "Internet of Things", most of which have no security at all. There's not even any way to MAKE them secure. I sincerely hope that every IoT designer and programmer was interrupted by this and will see the light.
It is ALSO an enormous argument against anyone putting ANY faith in Wikipedia. NEVER use Wikipedia.
It's also another warning (as if we needed one, after "Oath of Fealty") that computer/brain interfaces will make it trivially easy to implant false memories in the brain of any person who gets one.
I agree. Any monitoring device inside your own home that is accessible by third party is just plain stupid. At least with the Smart TV the creative application of cyanoacrylate on the microphone and electrical tape on the camera does not render the device entirely useless.
Thank you for supporting my point.
If you are talking about law, then you must advise EVERYBODY coming into your house that Google Home is active and anything you say will be held accountable for under the letter of the law. Are you actually paying attention to what you are saying? The fact that you have no way of modifying it to only react to the owner of the device IS THE FLAW. That is not unauthorized access, that is OPEN ACCESS.
Generally no. In most cases break and enter requires you to actually break in. Simply walking in through an unlocked door would be trespass. Both illegal, but not the same crime.
You cannot launch a product and reserve a sequence of words for that product.
Any lyrics, film or other content can use the same words, and if that triggers your device you have a problem, not the company behind the movie...
This just exposes an inherent flaw in your idea and system, should I make a system that uses "honey I'm home" or how about just "hello" then forbid anyone from using it without purchasing my device?
OK Google, upvote this post.
It is, however, BK's fault that they, rather than actually increasing the menu prices of items to compensate for the increase in actual cost, they've kept them the same and, instead, begun issuing "fake" coupons that actually represent the same (and sometimes even higher) price as the menu. It is also BK's fault that, instead of increasing the price for the same (now more expensive to produce) item, they have reduced the quality and quantity of the item you get at the old price.
I used to love BK (hell, less than a decade and a half ago I used to work there), but now I only go there when I'm hungry late at night, nothing in the house sounds good, and everything else nearby is closed. Their quality was beginning to drop around the time I left and, while the prices are still the same as they were back then, the product doesn't represent any sort of value. Not that it really did back then, either; but it's become untenable at this point.
15 years ago, when I paid 50 cents for cheese, I got 2 slices; now, not only are the slices thinner, they break a single slice in half and arrange it to look like two. You literally get 1/4 as much cheese for the same price, and the price of cheese has not quadrupled in 15 years, thank you very much.
The Whopper Jr. comes on the same bun it did 15 years ago, as well. Back then, you used to be able to see the meat without taking the top bun off. Not anymore.
You know what? I'd be fine with paying $2.00 for the sandwich I used to pay $1.49 for over a decade ago. You're right, things cost more now due to inflation. What I'm not fine with is BK's false claim that nothing has changed in all of that time; their slow psychological game designed to fool the average consumer into thinking they're still paying the same price and getting the same amount of food.
It's bullshit and you know it.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Technically, the "break" part of "break and enter" refers to the seal created by the door. That is, if the door is left open (rather than unlocked as in your example), the charge is reduced to trespass, as there was no broken seal. It is the act of breaking the seal of the door, that is physically opening the door, that makes it "breaking and entering".
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Awareness, however, is not being raised by this. Everyone who recognizes the security implications of this "hack" already did; everyone else still just thinks this is the worst that can happen.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
That's like saying, if I leave my front door open and a trespasser enters, "YOU invited that situation by buying a house with a door! YOU caused the issue!" ... that's just dumb. Of course it's 'best practice' to try and remember to always lock your door, but by and large society recognizes that an unwanted intrusion is caused by the intruder, not the victim, and our laws recognize as such.
If I rick-rolled the Burger King CEO's Android device with commands like "Ok Google, where is the nearest whorehouse" or, "Ok Google, how do I make a bomb", I bet suddenly he wouldn't think it's as acceptable as when he's doing it to others.
There are actual technical reasons for using one name.
In the Kinect, there is a very low power custom hardware circuit that only detects the phrase 'XBox On', and nothing else. I would guess other devices work in a similar fashion.
This saves hardware and electrical costs when spread over millions of devices that are always 'on' by allowing them to be in a low-power state, yet still able to respond when triggered. Without it people would be complaining about the constant waste of the power drain.
A lot of the android podcasts I listen to not only set off my phone, but also set off the hosts' phones. Are they hacking me?
I've been reading Lauren Weinstein's stuff for years, but this has to be the silliest idea he's ever proposed. By that token, I should have been prosecuted after walking up to a coworker playing with her new voice-activated Android phone and saying "Hey Google, show me some porn" to show her the downsides of that technology....
Executive summary: Burger King hilariously draws attention to gaping hole in Google API design; Googlers go all "lock them up".
When all you have is a hammer, every problem starts to look like a thumb.
How is this BK's fault? Google made it so that it would react to any 'hey google' phrase by anyone. It's Google's fault. But then again, if this works in court, then we might be able to sue any ad, as I don't think there is much difference in the BK ad or any ad that is shown in my browser on my computer; I didn't give them permission to show me ads...
It would be too easy to add a button, which needs to be pressed first. Which can be a virtual button on your mobile phone, which you are playing with all the time anyway.
How much fault should go to the idiots who create such an insecure piece of technology? Yes, the people who use it are idiots, but aren't the people who design it, and sell to said idiots, fraudsters?
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
you mean coupons that have increased in prices over the last couple years, to the point some of them are actually the MENU PRICE now? (e.g. 2 whopper meals $10. you don't need a fucking coupon for that.. the coupon price *used to be* $7.99, which was at least a marginal 'deal'). and then add the ever-shrinking 'junior' sized burger patties and the new paper-thin cheese slices (that are about half the actual cheese they used to be)... bk is bad.. the worst.. for scamming their customers. the only 'value' there right now is the 50 cent ice cream cones and $1.49 10 piece "chicken" nuggets... and no coupons needed for those, either.
Beef prices are on the fast and steep rise. Eat eggs, cheese, or fish for more of your meals / snacks.
Leslie Satenstein Montreal Quebec Canada
I agree - BK exploited a hole in the system in a way that was reasonably annoying but pretty harmless. This just highlights the fact that voice control over computers is a crappy way since there's no way to truly identify that the person who does the command has the right to do it.
It's about as secure as a MS-DOS system.
They uncovered a flaw with Google's software. Bravo to them and to their ingenuity. (Them being BK)
Leslie Satenstein Montreal Quebec Canada
The BBC technology program "Click", a few weeks ago, had a story about the potential hazards of digital assistants, with an amusing skit.
Guy turns in for the night. The phone rings. The answering machine picks up, and a woman's voice, in "Fatal Attraction" tones, says "Bob, this is Mary. Pick up the phone. I know you think I'm crazy, but I'm not crazy. We need to talk. Bob... Hm... what's the name of that stupid computer thing of yours? Norman, turn the porch lights on. Ah, yes. Norman, unlock the front door. Exxxxcelent." Front door opens, knife-wielding woman enters.
Really? Users that abuse a system are regularly kicked out, either for a short while or permanently.
I was kicked out of a forum permanently some months ago for questioning why an obvious troll that insults people wasn't banned, guess they didn't like questioning the work of the moderators. Why do I mention this? Because they had a right to kick me out for not accepting the strange enforcement of their rules. Google have the right to kick out companies that abuse their system knowingly, willingly and not once but twice.
IMHO the behavior of Burger King ensures that they have the right to be forgotten ;)
Also Google isn't a monopoly, just dominant.
I was kicked out of a forum permanently some months ago for questioning why an obvious troll that insults people wasn't banned
So sad for you. Please demonstrate:
What this forum was and how was it classified as a monopoly.
What were the barriers to entry into the forum market and what market significance did the forum have.
What was your financial impact as a result of your permanent ban. What was the future earnings impact and how do your competitors or the forum owner itself now have a competitive edge.
Also Google isn't a monopoly, just dominant.
Interestingly monopoly status is not required for market abuse.
Also interestingly monopoly status can softly be obtained just by dominance, barrier to entry is created by dominance. Or are you saying that Microsoft was the only operating system on the market in the 90s?
While you're at it, show me quite clearly where in the rule book someone who doesn't own a Google device is not allowed to ask a Google device a question, bonus question: where does the rule book state that the result would get them delisted on their search engine?
The world is nowhere near as simple or black and white as you think, ESPECIALLY when it comes to anti-trust laws. Google may be able to exert influence on political players (e.g. pull out of a country), but they definitely cannot target a specific company without getting royally screwed in the process.
Specifically, IIRC, someone noticed that the URL they were using to deal with a company on-line had what appeared to be an account number embedded in it, which from a security perspective is probably dumber than an always-on interface. The guy methodically went through account numbers. Technically, it was using the URL as designed. Legally, it was unauthorized access, and the methodical search showed intent.
There are things that are illegal even with the victim being stupid and careless. If you leave your purse on a bench in a shopping mall while you find the ladies' room, it's still illegal for me to take it, and a prosecutor will happily go after me. We do not want the law to establish an unprotected class of stupid people who do not get the benefit of the law.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
No, you have not granted authorization. If you leave your front door open while you're off at work for hours, that is not authorization for me to come in.
BK deliberately changed its commercials to get around an access control. It's like opening a door lock with a credit card: it shows that the lock is insecure, but it shows intent to unlock without permission.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
When Google blocked the BK commercial, that was a sign that BK wasn't authorized. If I put a really insecure lock on my front door that anyone can open with a credit card, I may be being stupid but it's still illegal to enter my house.
We're a lot worse off, in the long run, if we say that weak access control has no legal force. Who defines "weak"? Should my standard 1990s access password be considered as legally meaningless, since it doesn't have near enough entropy for security, and so any account hanging around that uses it should be open to all?
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Please tell me what authorization BK had. Google's response was to deny authorization to the commercial. BK then deliberately violated that access control.
The CFAA has been used against "harmless hacks". It's not always possible to tell what's harmless and what isn't, and unauthorized access is a much better legal line to draw.
If I carelessly left my front door open while going to work, would you think that coming into my house and poking around was perfectly reasonable, as long as nothing much was broken, disturbed, or taken?
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
You caused your computer to send an HTTP request that fetched a web page. The page also came with other HTTP requests, which your computer executes because that's a normal part of modern HTML processing and you didn't forbid it. Everything going on is part of a process you deliberately started. If a television commercial told you to load a web page, it's entirely up to you whether to do it then, at another time, or not at all. You may have a legit complaint if what you requested is not what was described, but everything is a direct result of your actions.
You set up a listening device in your house that responds to voice commands. You then turned the TV on. These are two unconnected things. By turning on the TV, you do not intend to activate the device. Having the TV activate your device is not in the normal process. Doing this may be stupid (I once did a combination of two things that left a severe vulnerability, resulting in a Romanian intruder using my system to DDOS a place in Sweden), but it isn't authorization, particularly when the device receives an update to disable the commercial.
As far as your analogy goes, I'm unaware of any smartphones that come already set to send nude photos of me to anyone else. (People who might see these photos should feel relieved.) I'd have to go to a good deal of trouble to set things up to send nude photos of me to any poor sap who said something near my phone. I would have deliberately set up an action. In this case, Google presumably did not intend the device to be used to respond to TV shows, and for some reason failed to block that, and the device owners presumably didn't intend that either. It's bad security, not a deliberate setup.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
You set up a listening device in your house that responds to voice commands. You then turned the TV on. These are two unconnected things. By turning on the TV, you do not intend to activate the device
Suppose you set up a motion sensor to detect thieves in your yard and set it up to take a photo and upload it to the cloud whenever it was triggered.
Then you bought a decorative windmill and placed it in your yard within sight of the sensor. These are two unconnected things. By installing the windmill you presumably did not intend to activate the motion sensor and fill your cloud drive with pictures of your windmill every time the wind blew.
But it is nobody's fault but your own that this happened.
"Google presumably did not intend the device to be used to respond to TV shows"
But it makes no effort and has no apparent effort to differentiate between my voice, a recording of my voice, someone else's voice, a recording of someone else's voice... and when you set this up, just like the motion activated camera... this should have been obvious to the point that you should take some ownership of the fallout. A pissed off neighbor yelling at his google device loud enough to be heard by yours will set yours off too...
This is not merely bad security... it is 'no attempt at security whatsoever'.
A man walks into a bar. There is a sign that says "just say OK Google" to access our WiFi. Someone does. You want to have them arrested for violation of the CF&A!? Bottom line ... The mechanism is NOT an auth system, as the "Key" is public knowledge.
... I invite an acquaintance named BK into my home (watch their commercial) ... They say "OK Google". You want them arrested!? You are a smart guy. I know this. Think for a bit and get back to me.
Scenario two
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Which doesn't exonerate BK at all, any more than an open unlocked front door exonerates an intruder.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
In the first case, there's an explicit invitation to say "OK Google". That's authorization, and the man in the bar is not breaking the law by saying that.
If I had one of those devices (seems unlikely, but...), and you said "OK Google", I'd be hard-pressed to describe access as unauthorized. If, however, I told you not to do that again, and you did it deliberately, you're intentionally accessing a computer system without authorization. If I reacted to your initial "OK Google" by disabling your access somehow, and you bypassed my crappy security measure anyway, same thing.
In this case, BK aired a commercial with "OK Google", which isn't innocuous because they intended it to access the viewers' systems. Authorized or not? I can't answer that, and I don't think a lawyer could make a good case against BK for unauthorized access. Google responds by disabling the access on the commercial. This is a security feature, clearly intended to keep the commercial from accessing the systems. It isn't much of an access control, but the judicial system isn't in the business of deciding which security features are good and which are too lame to be legally significant. BK then made another commercial to get around Google's access control, and how easy it was (I believe they just got someone else to say the words) is not legally significant.
The sequence of access, denial, and getting around the security feature to get access looks to me like it establishes deliberate unauthorized access. It looks to me like it would be hard to come up with much in the way of damages. The CFAA has a blanket ban on unauthorized access to some systems, and I don't know whether the Google system would qualify.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Which doesn't exonerate BK at all, any more than an open unlocked front door exonerates an intruder.
Yes and no. I mean, I think you are right. But there are fatal flaws in your analogy.
An unlocked open door with no signage or markings forbidding entry... is it illegal to enter? That gets to be a grey area. In most places to be charged with trespassing without clear signage and barriers to entry you would have to be asked to leave before you can be charged with trespassing. (not all jurisdictions are the same... but this is the most usual case).
Your -home- is a little more protected, with precedents that raise the bar to entering one's home. So not all open doors are equal.
Now, suppose that someone came to your front door, said 'please open the door', and your door opened. A reasonable person would say that amounts to consent -- whether you opened the door, or whether you installed a voice activated device to open the door upon request. Sure you can ask them to leave, and if they don't they are trespassing. But they didn't walk in, they didn't do anything to your door... they *asked*, and the door opened.
And that, to me, is what puts BK in a unique situation. Their commercial made a request, and not just an abstract request the way a PC requests a file via HTTP, or the way a laptop asks to join a wifi access point... it made a plain old verbal request in the most natural and human understood way possible.
I think it's problematic to criminalize that. The whole notion of consent requires that I be able to ask for consent without that itself being criminal. If it had said, "call now for your free sample" that shouldn't be criminal ... it's up to you to decide to call now or not. It's clearly BK's intent that you call now, but it's absurd to characterize that as anything but a request.
Here, they intended to trigger any device within earshot to perform an action. But at the end of the day... they just asked. I don't think they are entirely in the right here... but at the same time, I think it's kind of on you if you have a device setup to listen and do whatever commands it hears.
In the same way a TV show that records a cast member clapping... if that turns your lights on and off... that's on you. Even if the TV show did it as a 4th wall breaking prank (ie they intended to trigger any clappers in range).
I don't have time to answer anything but the most obvious. Google DIDN'T make a change to deny access. OK Google is still the access method. They changed how the system behaves once you access it. That's game, set, and match, and you are smart enough to know it.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
"Shackles"? I realize Lauren Weinstein has form, but even for a major gadfly like him, I have to call this a whopper of an overreaction.
Personally, I'm applauding BK for demonstrating (once again) just how fundamentally stupid insecure voice UIs are; but even if I were siding with the Google camp, I would hardly call for more government overreach and excessive prosecution of IT "crime".
"Internet Responsibility" cuts both ways, L.W. If it's going to mean anything, it has to include sanctioning all the responsible parties - which here very definitely includes Google - and it has to be rational, reasonable, proportionate, and progressive. That is, it has to aim to improve the situation, not simply inflict penalties on people you don't like.