On The Axis Zombiefication

OrwellLabs just released a POC on how to hack certain Axis cameras and video servers (h.t. Gavin Millard). This is just a few days after I received a marketing email from Axis (the July 2016 Axis ADP eNewsletter), containing this verbiage.

Service release for critical security vulnerability
Recently, a critical security vulnerability was discovered in some of Axis’ products that are accessible from the Internet. We have now published firmware service releases for the majority of our products; see http://www.axis.com/support/product-security. Axis recommends users to update the affected products’ firmware as soon as possible, especially if the products are accessible from the Internet.

The very same email contains this message

Taking responsibility
CEO Ray Mauritsson comments on privacy, business ethics, the Axis code of conduct, and how we – together with our partners – are working to create a smarter, safer world

Axis did put out a press release on the 6th of July 2016 about the vulnerability on their security page (about 9 months after Axis was notified by OrwellLabs). But honestly, how many owners of the affected devices will go there? How many owners of the affected devices will get an email about this sort of thing? Even if they do, they have to visit a link to determine the severity. I don’t know if issuing a press release 9 months later, saying that your company’s cameras may become part of a botnet army, is “taking responsibility”. I know it is not uncommon for companies to behave this way, but that doesn’t make it right.

For all intents and purposes, the impact of this bug is not that big. The vast majority of sensible users will not expose their CCTV system directly to the internet. Your camera may access the internet – outbound – to send notifications etc. but that will not make you vulnerable. To be vulnerable, you need to map a port on your firewall to your camera, so that you can see the camera web-interface from a public IP address.

But there is a minority of users who will, and who do, this sort of thing. And even if it is a minority, they can do a lot of damage to others (by participating in botnets), and obviously to themselves too (paying $$$ for a useless/dangerous device).

It’s depressing because Axis does a lot of things to improve security: no default passwords is a pain in the ass, but it does make things a little more secure (only just a little, because people will put in 12346, pass, or something similar).

It Just Doesn’t Work

A while ago I read a piece about a guy who stopped reading industry news. Reading industry news can be a massive distraction from a long-term strategy. Every time your competitors (real or imagined) launch something, there’s a line of pundits ready to heap praise on the “innovation”. You start wondering why you aren’t doing gait recognition in your app. Then a few months later, it’s psychoacoustic categorization, and so on.

The default reaction is “oh, they got that working?”, and then I remember that people have wildly different opinions on what “works” means. I usually take the opposite point of view; until I have seen the thing, I don’t believe that it works.

I saw some Kinect footage before it was released, and I was pretty suspicious – once I tried it, I wasn’t disappointed. It was shit. There was, maybe, once in a while, if I was willing to suspend my disbelief, a few times where raising my arm would make something happen on the screen. You’ll probably find a bunch of people who would tell you that bundling Kinect with Xbox One was a stroke of genius. If selling half the number of devices of your competitor is “genius”, then I wonder what “stupid” is. In any case, they removed the crap completely from Xbox One S (although you can get an adaptor if you are a masochist).

I decided not to get an Oculus Rift either. The dev kits we had were just too shitty for my taste. Sure, it was very odd/cool to watch myself from somewhere else. But nothing I would pay a large sum of money for, and I predict that there will be a lot of unused VR kits lying around in boxes 12 months from now (Google Cardboard is good enough for me, but I am told the HTC Vive is pretty good). The AR “demos” also seem too fake. Tango seems fine, but HoloLens and Magic Leap will surely disappoint me.

And the same thing goes for some of the services we’ve tested in the office. A lot of them are just not reliable. There’s a large chasm between “what a cool idea, and it sorta, kinda works, if you hold it juuuust right” and “it just works”. A while ago I did a trial of an ALPR system, and the results were terrible. Sure, from time to time it would get it right, but too often it would fail. I am not going to buy into a system that promises plug and play, but then, when I test it, leads me down a maze of infinite tweaks and caveats. If you require special lighting, special positioning, external sensors and so on, then I might as well write the damn thing myself. We also tried another product that made marketing and sales people drool; even potential customers were excited. But I could not get anyone to set this stuff up to work the way people imagined it worked. They were so thrilled about the idea that they lost sight of the implementation and the result.

I have a pet theory that a lot of products are really turds. To mask the smell, the turd is doused in condiments, and the more condiments the better, even if the condiments are tasteless/bitter themselves.

I suggest that the first company to offer real cake will take the prize. I bet that a large number of people would rather eat a donut with NO condiments than a turd, regardless of the amount of great stuff piled on top of it.