(Dis)honesty

It’s very hard to differentiate between stupidity and intentional dishonesty. Yesterday, I made the mistake of posting an inaccurate portrayal of statements made by another blogger. I removed it from my blog almost immediately. But subscribers to my blog had already received the post, and one reader quickly accused me of “defamation” and told me that I was “on notice”.

Mistakes are made, I attempt to correct them as quickly and as best I can, but sometimes people just crave confrontation.

I’d like to take the opportunity to talk about true dishonesty. I’m a big fan of Dan Ariely, who studies behavioural economics. When Salty Features wanted to crowdfund a movie about dishonesty, centered around Dan’s work, I did not hesitate to sign up, and I can only recommend that you go watch (Dis)honesty (it’s on Netflix in Denmark and most other places I would imagine).

Dan and his team try to establish a baseline for how dishonest people are, in general. The experiment is quite simple. They hand out math tasks. The more tasks are solved, the higher the reward (a few dollars). But instead of handing the papers over for verification, participants send them straight to a paper shredder, then proceed to the controller’s desk and simply state how many tasks they solved. No chance of verification.

The rigid financial theory says that there is 0% chance of being caught, so they might as well say that they solved all the tasks, and reap all the reward.

But that’s not what happens. A lot of people cheat a little bit, some not at all, and some go all in (in accordance with the rigid theory). The completely honest and completely dishonest people are outliers.

How did they know that the students cheated? The shredder was rigged. Some people might have suspected this, but even if they did, there would be no repercussions to go all in on the cheating, so some people are just naturally honest, while some use every opportunity to the fullest.

The experiment was then changed so that instead of direct payment, the students would receive tokens, which would then be exchanged for real cash. Most people would probably assume that this made no difference at all, but as it turns out, this added abstraction of cheating = cash increased the cheating substantially. The end result was the same, but one step was inserted that really shouldn’t have mattered, yet it did.

So, what if we look at the business world? Dan argues that the abstraction of money in high finance might be a contributing factor in what he describes as cheating, but it’s not just banks. As Dan’s research shows, a little bit of cheating is common, natural even.

We can also illustrate the principle in another way:

Here’s an example of something that everyone will agree is problematic:

Company A pays B (who claims “independence”) to write about competitors of Company A.

Anyone in their right mind would say that B is hardly independent, and who would ever trust anything B has to say regarding companies in A’s domain? I know that a few would. There’s always a few. But most wouldn’t.

How about this, then:

Company A pays Company C to sign up to a service from Company D that is owned by B.

The end result is the same, but we’ve inserted a few layers of abstraction between A and B. And as Dan’s research shows, there’s always a few that exploit this as far as it can go.

I highly recommend Dan’s books. And may I suggest you visit his sites too.

 

NSFW: Let’s talk about 2009

This motion picture article is protected under the copyright laws of the United States and other countries throughout the world. Country of first publication: United States of America. Any unauthorized exhibition, distribution, or copying of this film article or any part thereof (including soundtrack?) may result in civil liability and criminal prosecution. The story, all names, characters, and incidents portrayed in this production are fictitious. No identification with actual persons (living or deceased), places, buildings, and products is intended or should be inferred.

2009, to some people, seems like long ago. I remember it vividly. It was the nadir of the financial crisis (the great recession) and the central banks were in panic mode. Their attempts to calm the waters with lies, omissions and cover-ups had failed. Jim Cramer had had a meltdown on live TV and Jon Stewart later took him through hell, in what was a rare glimpse of honest journalism on mainstream TV. Incidentally, the show was taped down the street from where I used to live.

Today the markets are at an all-time high, and to most of the bankers, the year 2009 probably seems like a distant, vague memory. Not something to consider anymore. We’ve moved on, etc. Other people have other reasons to distance themselves from that annus horribilis.

I don’t remember the exact date, but I was a little hung over and I had stumbled into some sort of marketing-integration pep-talk show. At first I thought I was at a church, as I saw a man with a squeaky voice perform a very strange sermon. As the fog of yesterday’s gin and tonics lifted, and I could see more clearly, I discovered that the man on stage was just getting started. What followed next made me question my sanity.

As the man rambled on about how “we can squeeze out cost and squeeze out Verint”, he seemed to drive himself into a state of trance; as the man heard his own voice, it triggered a sort of feedback loop that in turn caused the mouth to make even more outrageous statements. Tourette’s causes involuntary expressions of vulgarity and noises, but this was not Tourette’s. The steady flow of depravity and vulgarities was entirely voluntary, and the man seemed anxious to drive himself into ever higher states of madness.

In my recollection (admittedly rather faint due to over-consumption of stimulants), I stumbled back to my hotel room, thinking that I had just witnessed a male version of “heavy splash” in Japanese. I showered for 45 minutes. I submerged myself in scalding hot water, but I still felt dirty. I assumed that the man had received a king’s ransom in order to put on that kind of show.

While the memories from that fateful day had started to fade, they were always present in the back of my mind. I had to remind myself that we had just gone through a financial crisis that had driven people to desperation. Many years of over-consumption and debt-fuelled spending had come home to roost. As the tide went out, some people, it turned out, were naked.

When I recently sat outside my local watering hole, sipping a cup of detoxifying green tea and nibbling on some gluten-free, fully organic biscuits from a farm just a few miles from Copenhagen, I ran into the same man.

It was a shocking sight. The man had gathered a following that was carrying him around town. He was wearing thick makeup, heavy rouge and pink lipstick. His disciples placed a wooden crate on the ground, and placed the man atop. He locked eyes with me, and there was a long awkward pause.

He prodded one of his lackeys with a stick, and whispered something inaudible in his ears. The lackey then cleared his throat, and proceeded to address me.

“We are not happy with how you portray things,” he said. He then pulled out a scroll and handed it to me. It was hardly legible; it had either been written by a 5-year-old child or a very old man. It stated that they were going to tell their herd about me and my evil deeds.

I was confused. In front of me stood, what would appear to be an adult male, wearing clown makeup, surrounded by a group of escapees from an asylum, announcing that he would “tell on me”.

This was the same man I had seen perform unspeakable acts of depravity just a few years ago.

I asked if his flock knew about his past, thinking that the desire to bow down to their high priest would be somewhat diminished. But I also suspected that most people in the flock had never heard of the internet or Google, so I genuinely wasn’t sure.

To my surprise, the clown decided to speak. He cleared his throat. His eyes rolled to the skies, and when I once again heard that squeaky voice it all came back to me. It’s still surprising how vividly you remember things, under the right circumstances. Like hearing a long-forgotten pop song from the 80s and remembering every detail from that summer in Spain.

But this was no summer in Spain, and the man announced that he was fed up with me bringing up his performance many years ago. He straightened and lifted his arms, palms facing the sky, and proclaimed “I received no payment, I did it all for free”. There was a pause. Everyone waiting, breath bated, and then, with a deep voice (well, not that deep) he ceremonially announced: “I am clean”.

As he said those words, my biscuit fell to the ground and broke into 1 large and 4 smaller pieces and some crumbs. My jaw dropped. He had done it all for free!?! It was hard to fathom. My mind started racing. This was unexpected. Why on earth would you do what I had witnessed a few years ago, for free?!!! This was not a man who did anything for free, unless there was something to be gained later.

I later realized that the guy published some sort of periodical that people had to pay to read. It mostly contained self praise, and descriptions of what happens when completely inept people attempt to use high tech equipment. I suppose it could be thought of as a mildly entertaining break from the daily humdrum at the office and you can always call it “working”, because it is kinda, sorta, related to what you do.

I suspect that direct payment would probably be considered prostitution and therefore illegal. Instead, as payment for his performance on that fateful day, the host of the show would purchase a lot of “licenses” to read the “news”.

And that, ladies and gentlemen, is how you stay “clean”.

 

I Am Myself

Well, well, well…

This weekend I posted a piece on IPVM’s crusade against Hikvision, which seemed to suggest a lack of technical comprehension and perhaps general assholery.

One minute after posting, I received a visit from Ghana. I have also had visitors from Mali and other nations in Africa that seemingly have a keen interest in what I have to say. Another option is that someone thinks they need to use Tor (or some other anonymizing browser) to read my blog.

This morning, I woke up to an email asking me to ensure that the folks from some obscure blog understand that this blog is in no way, shape or form affiliated with OnSSI. A strange coincidence that writing about a sensationalist blog fucking things up triggers a request for clarification about the independence of this one.

So let me make that absolutely clear, so that even a sensationalist blogger running a fake university, and his “associates”, can understand it.

This blog has nothing to do with OnSSI.

While I have written specifically about the mobile app OnSSI released a while ago, other people in the software development industry (not IP video) have the exact same experience. Next-generation apps face an uphill battle as loyal users of the old app discover that things may have changed, and they are much more likely to post a very negative “review” than the people who will eventually benefit from the improvements. Since posts that are anchored in real experiences are dangerous to my livelihood (the blogger is using them as a vector to try and shut me down), I will remove that type of content from the blog (but I am confident that the Ghanaian visitor made a copy before reaching out to protect the innocent, so just ask him for a copy).

So, just to be clear, what you read in these posts are the opinions and thoughts of the person Morten Tor Nielsen. I submit ideas and thoughts that are founded in a general understanding of the world as I see it.

I suppose that if you are consumed with deranged ideas about infiltration of corner shops and Jiffy Lubes by the Chinese government, and your every living hour is spent thinking about how to attract more subscribers to your rumour-mill, then this might be hard to fathom, but I work on a wide range of things (including overhauling my old Suzuki Bandit 600), and so, in between exposing incompetent asshats (from my humble computer here in Copenhagen), I jot about a lot of things.

If you follow my blog, you’ll know that I have been working on micro-PCs, I have set up Axis cameras to provide health state information, I have done a lot of GPU work (yes, for OnSSI) and many other things. I have called out BS here, and here, and here, and in many other places. I have mused over how companies can improve and what danger signs to look for. I have critiqued buzzword-driven development (as a response to VR goggles being passed out at a convention). The list goes on…

You have to be senile, demented or sociopathic to think that this blog would somehow reflect the “thoughts” of a company. So if you suffer from any of the three, and that’s the reason you contact OnSSI rather than writing a comment refuting claims, then you’re excused.

If not, you’re just a sad, over-extended sphincter.

But I think you (and everyone else) know that already.

In Defence of Hikvision

Look at this nonsense!

Brian Karas reported on March 2 that he was hearing from multiple Hikvision security camera and DVR users who suddenly were locked out of their devices and had new “system” user accounts added without their permission.

Karas said the devices in question all were set up to be remotely accessible over the Internet, and were running with the default credentials (12345). Karas noted that there don’t appear to be any Hikvision devices sought out by the Mirai worm — the now open-source malware that is being used to enslave IoT devices in a botnet for launching crippling online attacks (in contrast, Dahua’s products are hugely represented in the list of systems being sought out by the Mirai worm.)

[I cut out some text from here (I’ll tell you why)]

According to Karas, Hikvision has not acknowledged an unpatched backdoor or any other equivalent weakness in its product. But on Mar. 2, the company issued a reminder to its integrator partners about the need to be updated to the latest firmware.

OK, so Brian hears that people who a) expose their IP cameras directly to the internet, and b) use default admin credentials “suddenly were locked out of their devices”. My God, what kind of evil genius hacker is behind this, and there were new “system” user accounts!!?!

This must be the Chinese government’s work. Only a government organisation would be able to crack into IP devices with default passwords that are directly exposed to the internet.

When people got their shit “hacked”…. actually, let’s not call it hacked. Someone logged in, as admin, and changed things, so, not hacking. Someone had done something similar to Mirai (which will take any script kiddie 30 minutes to write up, but Karas and Krebs pretend not to understand that). Hikvision sees this, and then reminds people to update their firmware, and as the new firmware does not allow default passwords (as far as I can tell), it seems prudent advice, and what you ought to do.

Krebs seems to want to play a part in all this “dangerous Hikvision camera” bullshit, so instead of posting a meaningful timeline, he spices things up, and injects this little tidbit (which I removed above to ensure a comprehensible timeline).

In addition, a programmer who has long written and distributed custom firmware for Hikvision devices claims he’s found a backdoor in “many popular Hikvision products that makes it possible to gain full admin access to the device,” wrote the user “Montecrypto” on the IoT forum IPcamtalk on Mar. 5. “Hikvision gets two weeks to come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed. I sent them an email. If nothing changes, I will publish all details on March 20th, along with the firmware that disables the backdoor.”

OK, so on the 2nd the n00bs at IPVM and their subscribers are “hacked” by a genius hacker who is able to guess the password and add new accounts, and then on the 5th, a guy who re-compiles the Hikvision firmware discovers a vulnerability. In fact, he tells John Honovich that Hikvision has been very responsive in fixing the issue!! This seems to get lost somewhere between the sensationalist blogs (I think, because I am banned from IPVM).

How the hell do you make a connection between morons who expose their cameras with default admin credentials, and someone discovering a bug in the validation of a reset packet (I guess that is the vulnerability, because I don’t know the details)? You make that connection if you think it will bring in more subscribers, and by extension, more filthy lucre.

Full disclosure: I am not paid in any way, shape or form by Hikvision or any camera manufacturer, for that matter. I receive no payment from this blog either; the ads you might see are put there by WordPress, which hosts the blog, as compensation for hosting and traffic cost (and profit, I guess), but I receive exactly $0.

Why Products Go Bad

The simpleton will equate commercial success with quality.

I don’t.

A product can be well made even if it is not commercially successful, and vice versa. The Microsoft Zune HD, for example, was a great product. Hell, Microsoft’s Phone OS is/was good too. In contrast, Kinect is/was a terrible product. It promised the world, and it was shit. Johnny Lee proved that Nintendo’s controllers were fucking awesome, and Microsoft wanted some of that goodness. Most people at Microsoft knew how piss poor Kinect was, most devs knew too, but management did not want to be upstaged by Nintendo, so they released this fine piece of junk. Molyneux flat out lied about the capabilities of the thing (and he was not the only one, I’m sure).

Sometimes, and perhaps too often, I see products that have the potential to be “good”, and perhaps they are already good, but then, gradually, as time passes and new generations of the product are released, it turns to utter crap. Why does this happen? You would expect the opposite to be true. You’d expect that the next generation of a product improves on the old.

My own experience is that I am generally considered “an overthinker”. Instead of just shutting up and doing what “the customer asks”, I think about the ramifications over the longer term. I try to interpret what the real problem is, and I spend a long time thinking about a good solution. I spend a lot of time talking about the problem with my peers, drawing on whiteboards. I think about the issues as I drove to the office, while I flew across the Atlantic. And sometimes, I change my mind. Sometimes, after long discussion, after “everyone agrees”, I see things in a new light and change my mind. And it pisses people off.

In the general population, I believe that there is a large percentage who just want to be told what to do, do what they are told and then at 5.15 pm drive home and watch TV, happy and content that they did what they were told all day. To the majority, “a good day” is doing as much of what you’re being told as possible, regardless of what the task is. They do not want to be interrupted by assholes that can’t offer them a promotion or a raise, who critique the “what” or the “how” – regardless of merit. The “customer” to them, is not the user of the product, the “customer” is their immediate supervisor. Make that guy happy, and you move upwards.

Telling people that unchecking “always” does not mean “never” makes people angry. They can understand the logic (not always = sometimes), but they are angry that you can’t understand that their career would be jeopardized if they pointed that out when their supervisor told them to make that change. They will correct the problem if a supervisor tells them to, even if it screams in their face that this is useless to the end user. Doesn’t matter. The end user does not dish out promotions or raise their salary.

As these non-thinkers move up, they get to supervise people like me (JH: No, this has not happened at OnSSI). And that’s where it gets really bad. Now they are in a position where they are told what to do, and they are telling someone else to do that thing (nirvana), and then they learn that the asshole doesn’t want to listen and do what he is told like “everyone else” does, so eventually the “overthinker” is replaced with a non-thinker, and this continues until all the thinkers are gone, and the company or branch then does exactly what the customer asks.

When you see features that flat out do not work and never did work, and there’s no motivation to fix that issue, then you have to pause, and consider if you have enough thinkers among the non-thinkers.

Because you need both.

You need lying sales and marketing people (who know just how far the truth can be stretched, or who can make a reality distortion field), you need asshole genius programmers who know iOS, gstreamer, ffmpeg and Qt, you need vain and arrogant designers who can draw the best damn icons and keep everything consistent across the apps, you need dried-up, mummified sysops to run IT.

But most of all, you need to make sure that these people think, and care about the end user, instead of just the title on their business card.

 

Influencers

When Netflix* had just started rolling out their Internet streaming service I used a VPN service, and streamed a wonderful movie called “Human Centipede”. It’s a surprisingly accurate portrayal of how things work in my industry, except the labia to sphincter connection is entirely voluntary, whereas the victims in the movie were not given an option.

I wonder if the toilet paper industry celebrates “influencers“?

Because, frankly, most people need IP video like they need toilet paper, and it should be just as simple to use. I’ve been to many places on God’s green earth and not once did I encounter toilet paper that wasn’t compatible, or was complicated to work with.

Yet, we “celebrate” leaders that take something that ought to be just as simple, and turn it into a nightmarish ordeal to install and maintain. If you are influential, then you must share some of the blame for the pile of shit that this industry is serving up again and again.

* It’s hard to fathom that a mail-a-DVD business would be a major driver of the entire US economy, but there you go.

Hikvision Feeds a Troll

It’s possible to turn someone towards the light, and eventually lead them to salvation.

A prominent member of the Westboro Baptist Church, Megan Phelps-Roper, gave a TED talk about it. What saved Megan was not someone yelling in her face. She was conditioned to expect exactly that from the misguided heathens of the world. Instead, someone approached her with curiosity, warmth and civility and led her out of the congregation’s grasp. The “enemy” is rarely a mindless drone out to do evil. Although our leaders would prefer we see things that way.

Our industry has a variant of the WBC, and Hikvision has chosen a different approach to liberate the members of the sect.

a site that has always trafficked in nefarious insults and innuendo. Hiding behind a keyboard, the tabloid’s staff takes unfounded potshots at our entire industry, bullying one company at a time.

and

Instead, he chooses to distract manufacturers with his pursuit of financial gain and efforts to fulfill his delusions of grandeur.

The problem with this sort of message is that the hardcore members are expecting exactly this sort of rhetoric, thereby further entrenching them in their beliefs. Ultimately the blogger will surely capitalize on the increased attention being paid. I thought it was common knowledge that trolls have an insatiable appetite for the kind of copy Hikvision just released.


More please!

Members of the sect can attend a “university” (not at all like this one) and even make the “dean’s list”. This is impressive stuff, and these people are not going to be swayed by a manufacturer having a breakdown in their public relations department. Furthermore, I suspect Hikvision has several active subscriptions, thereby directly funding the site.

I think Hikvision is correct in calling it cyber-bullying. It has all the traits of schoolyard terrorism: the ring-leader points out an arbitrary enemy, then manipulates the enemy to react, then steps in to protect the flock from the aggressor. If it gets too hot, the ring-leader can count on his 3 or 4 lackeys to do the dirty work.

In this case, the sin of the “enemy” is that the company is partially owned by the Chinese government. Therefore, every vulnerability found in a Hikvision camera is proof positive that the Chinese government is spying on us. I don’t buy that. Governments don’t have to own a company to assert influence over it.

You might remember Stuxnet, where a vulnerability in SCADA equipment was exploitable by governments and for-lulz hackers alike. Vulnerabilities will continue to exist as long as fallible humans write the code. As long as fallible humans install and (fail to) maintain the equipment, we will continue to see flaws and problems. Unfortunately, a lot of companies have deployed small time-bombs with terrible security in place, not just Hikvision.

When I was in the army, we had padlocks on our lockers. On the first day, we were instructed to get a haircut “to not look like faggots” (I kid you not, that’s what he said), and then to make sure our lockers were safely locked. The reasoning (for locking up) is that you can’t really trust anyone, and giving the bad apples the opportunity to steal was almost as bad as the guy stealing. At a company I worked for a long time ago (starts with an M), someone shat on the toilet seat in the office’s restroom. Someone we had lunch with, talked about code, movies, politics and music with, went to the bathroom and shat on the seat, leaving it there for some poor soul to find.

Same thing goes for your IP camera. Sticking that thing on the internet, REGARDLESS of manufacturer ownership is like leaving your locker unlocked. You are tempting the swines of the world to mess around, and when they do, we all lose.


Listening to Customers

In 2011, BlackBerry peaked with a little more than 50 million devices sold. The trajectory had an impressive ~50% CAGR from 2007 where the sales were around 10 million devices. I am sure the board and chiefs were pleased and expected this trend to continue. One might expect that ~250 million devices were to be sold in 2016 if the CAGR could be sustained. Even linear growth would be fairly impressive.

Today, in 2017, BlackBerry commands a somewhat unimpressive 0.0% of the smartphone market.

There was also Nokia. The Finnish toilet-paper manufacturer pretty much shared the market with Ericsson in Scandinavia and was incredibly popular in many other regions. If I recall correctly, they sold more devices than any other manufacturer in the world. But they were the McDonald’s of mobile phones: cheap and simple (nothing wrong with that per se). They did have some premium phones, but perhaps they were just too expensive, too clumsy or maybe too nerdy?


Talking on a Nokia N-Gage phone

Nokia cleverly tricked Microsoft into buying their phone business, and soon after Microsoft gave up on that too (having been a contender in the early years with Windows CE/Mobile).

I am confident that BlackBerry was “listening to their customers”. But perhaps they didn’t listen to the market. Every single customer at BlackBerry would state that they preferred the physical keyboard and the naive UI that BlackBerry offered. So why do things differently? Listen to your customers!

If BlackBerry was a consulting agency, then sure, do whatever the customer asks you to. If you’re selling hot-dogs, and the customer asks for more sauerkraut, then add more sauerkraut, even if it seems revolting to you. But BlackBerry is not selling hotdogs or tailoring each device to each customer. They are making a commodity that goes in a box and is pulled off a shelf by someone in a nice shirt.

As the marginally attached customers are exposed to better choices (for them), they will opt for those, and in time, as the user base dwindles, you’re left with “fans”. Fans love the way you do things, but unless your fan base is growing, you’re faced with the very challenging task of adding things your fans may not like. Employees that may be bowed but not believing will leave, and eventually you’ll have a group of flat-earth preachers evangelizing to their dwindling flock.

It might work as a small, kooky company that makes an outsider device, but it sure cannot sustain the amount of junk that you tag on over the years. Eventually that junk will drag the company under.

Or, perhaps BlackBerry was a popular hotdog stand in a town where people just lost the appetite for hotdogs and had a craving for juicy burgers and pizza (or strange hotdogs).

Clickbaiting Copycat Caught

It’s pretty damn hard to make secure software. Years ago I commented on Shodan and worried that the IP video industry was next.

Run-of-the-mill ignorance, carelessness, greed, what have you, is so common that we scarcely care to click the link. Recently (or not), an old bug was discovered in Intel products that allowed remote control.

Now if you are a commercial blogger (or “analyst” if you prefer), you’re not going to try to shed light on the issue. That just doesn’t trigger enough clicks and drama. It’s better to make some unsubstantiated claim that an “Intel backdoor is confirmed”.


I can guarantee that someone is now looking up the word “backdoor”. I’ll save you the trouble (it’s in the link above too):

A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.

Wikipedia

So, yes, it is probably not a lie to use the word “backdoor”, but it sure is manipulative, something people with a certain mental defect excel at.

For l33t hackers, finding backdoors is sometimes a fun pastime. The purpose can be to cause extensive damage for lulz or filthy lucre, sometimes for companies, sometimes for governments. Usually, it’s a challenge to find vulnerabilities and defects that let you crawl into systems that should be locked down. But to the n00b, a backdoor might suggest that it was intentionally put there. After all, you don’t “accidentally” install a backdoor in your house.

Backdoors in code, however, come in various flavours:

  1. Deliberate backdoor intended to give an unknown user remote access after the user has deployed the device/software, thereby granting the attacker access. These can be baked into the device, or installed later as a trojan.
  2. Accidental backdoor caused by unexpected side-effects of the code. In the olden days, you could mess around with IIS servers by using Unicode strings in the URL.
  3. Accidental backdoor caused by gross negligence/incompetence on the manufacturer’s side. Hardcoded credentials are an example of such foolishness.

Today you are not going to get away with #1 and #3 for very long. The hackers at blackhat are not like mortal programmers; they understand assembly code, and will locate a hardcoded password or a backdoor in a few days.

But it’s a gradual scale from #2 to #3. For example, HTTP used to have something called “basic authentication”. It used Base64 encoding to hide the credentials in flight, and plenty of cameras and VMSs would use it. 15 years ago, basic authentication would probably have been considered a #2 issue, but today it’s clearly a #3 (a certain unmentionable blog used it not long ago).
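As an added example (not code from this blog, and not a description of any vendor’s actual implementation), the script below shows why the Base64 in Basic authentication is no protection at all, and how someone reviewing web-server or proxy logs could flag the two problems this page keeps coming back to: Basic credentials carried over plain HTTP, and the default admin credentials (admin:12345) named in the Hikvision post above. The request records, host names and the two extra “placeholder” default credential pairs are constructed for the example.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Credential pairs a deployed device should never still accept.
# ("admin", "12345") is the default named in the Hikvision post above; the
# other two are illustrative placeholders, not claims about any vendor.
DEFAULT_CREDENTIALS = {
    ("admin", "12345"),
    ("admin", "admin"),      # placeholder
    ("admin", "password"),   # placeholder
}


def make_basic(user: str, password: str) -> str:
    """Build a Basic Authorization header value the way an HTTP client does."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic header value.

    Base64 is a reversible encoding, not encryption: anyone who sees this
    header on the wire gets the credentials back with a single decode call.
    Returns None for a missing, non-Basic or malformed header.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # RFC 7617: user-id and password are separated by a colon
        return None
    return user, password


def audit_request(req: Dict[str, Optional[str]]) -> List[str]:
    """Return finding labels for one request record (scheme, host, authorization)."""
    findings: List[str] = []
    header = req.get("authorization")
    if not header or not header.lower().startswith("basic "):
        return findings  # no Basic credentials in this request
    if req.get("scheme") == "http":
        # Credentials travel as plain Base64 over an unencrypted connection.
        findings.append("basic-auth-over-plaintext")
    creds = parse_basic_authorization(header)
    if creds is None:
        findings.append("malformed-authorization")
        return findings
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    return findings


def audit_all(requests: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Audit a batch of request records, keyed by host."""
    return {str(req["host"]): audit_request(req) for req in requests}


# Constructed sample records, shaped like what a log parser might produce
# from an access log or a proxy capture. These are not real captures.
SAMPLE_REQUESTS: List[Dict[str, Optional[str]]] = [
    {"scheme": "http", "host": "cam-01.example.internal",
     "authorization": make_basic("admin", "12345")},
    {"scheme": "https", "host": "cam-02.example.internal",
     "authorization": make_basic("ops", "C0rrectHorse-batt3ry")},
    {"scheme": "http", "host": "cam-03.example.internal",
     "authorization": None},
    {"scheme": "https", "host": "cam-04.example.internal",
     "authorization": "Basic not-base64!!"},
]


if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE_REQUESTS).items():
        print(f"{host}: {', '.join(findings) or 'ok'}")
```

Run it directly to print the findings per host. `parse_basic_authorization` is the entire “decryption” an observer on the network path needs, which is the point: over plain HTTP the Base64 wrapper hides nothing, and over HTTPS the transport, not the encoding, is what protects the credentials. The default-credential check is the kind of gate a firmware’s setup flow (or a fleet audit) applies before a device is ever reachable.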

You can make up your own mind whether CWE-287 is a #1, #2 or #3. It could, conceivably, be a #1. But it will be very difficult to prove, unless you have network captures showing malicious activity initiated by someone associated with the manufacturer (US tech companies and the NSA, for example).

Another company was notified of a vulnerability on March 5th 2017; on the 12th a security bulletin was released, and the hacker then states:

“I have been communicating with Hikvision since I notified them and they have actually been quite responsive.”

Quite responsive indeed.

Eventually we will have software in IP cameras that is safe enough that you can expose it to the internet. But for now, I would be extremely careful about opening my CCTV system to the internet.

In Hikvision’s case, I think one of the issues is that to reset the camera’s password you need to send a specially crafted payload to the device. This causes a lot of issues for lots of users, and it strikes me as a potential attack vector. And rest assured that this is not the only issue in the cameras.

As time passes, hackers find ways into older cameras that have long been discontinued but are still deployed and operational; they may get more sophisticated in their attacks and find more complex ways of breaching the software.

I guess this was not as exciting a post as you had expected. I’m sorry. You will have to go somewhere else for BREAKING NEWS about the evil Chinese shell companies set up only to spy on you.


LinkedIn is Worse Than Facebook

I suddenly realized I spent too much time on LinkedIn, and it dawned on me that LinkedIn is even worse than Facebook.

From time to time, people post virtue-signalling memes that tell other people not to let LinkedIn turn into Facebook. They want to keep LinkedIn “professional”. That makes me wonder: if your primary interaction with business partners is through LinkedIn, are you really a professional?

The feed that LinkedIn thinks I should look at has a few types of posts: politically correct trivialities, annoying riddles, links to wise words written by someone else, and outright ads and appraisal of yourself or the company you work for.

The ads (not paid ads, but companies hawking something via LinkedIn) are tolerable from my standpoint. It’s pretty easy to filter those out and move on to something with a little more substance. When I see someone saying “See why widget XYZ from SomeCompany is leading/helping/solving…” then you kinda know you don’t need to continue reading. If I see a post that starts with “visit us at …” I just move on. It’s not that I would recommend that the company I (still) work for stop posting these things, but I wonder who is genuinely impressed by this. It seems to me that this is a lot of preaching to the choir, with people – who most likely already know what you’re releasing – hitting “like” on a post that tells them nothing new.

I get pointers to good copy from Twitter, co-workers and friends, and from time to time there’s a good read on LinkedIn, but to find those, it feels like an online version of walking through a large bazaar looking like a gullible tourist, red-faced from too much sun, complete with selfie stick and tasteless clothing. Every single vendor grabbing your arm, telling you about their wonderfully crafted pieces of shit. If you are willing to endure this torture, you might eventually find something worthwhile, but the chances are slim, and I am getting weary of wandering aimlessly around this crazy market.

Because LinkedIn is considered a “professional” network, i.e. a network between people who only want to engage with others if there’s money to be made, the posts are even more self-censored and manipulative than on Facebook, Instagram, SnapChat or what have you. Every word is carefully chosen; you remember to “like” posts, not because of their content, but because of who wrote them. You might even make a positive comment, like a quick kiss on the old sphincter: “Well done”, someone will say, when a CEO praises his own ability to turn an advantage in currency exchange into revenue growth.

Maybe, just maybe, it’s the business that I am in that is fouling up my LinkedIn feed. In any event, the remedy is quite simple. I really shouldn’t go there.
