back to article VMware warning, OpenBSD gimme-root hole again, telco hit with GDPR fine, Ring camera hijackings, and more

Here's your Register security roundup of infosec news about stuff that's unfit for production but fit for print. Yet another OpenBSD bug advisory Another week, another OpenBSD patch. You're not having deja vu. This time, it's CVE-2019-19726, a local elevation of privilege flaw that could let users grant themselves root …

  1. Tomato42

    German telco hit with fine for lax login protections

    Today's a good day.

  2. Kientha

    Ring is just the latest in a long line...

    I do feel a bit bad for Ring here. It seems every few months a company is hurt by widespread media coverage due to credential stuffing that isn't really their fault. Spotify comes to mind as one who regularly gets reported as being "hacked" when really it's just reused leaked passwords. But because the media don't understand security, Ring gets a load of bad press in a period I'm sure they were relying on sales in because of end user error. Yes what these idiots have done is horrible but that doesn't mean Ring is to blame (for once)

    1. Anonymous Coward Silver badge
      Thumb Up

      Re: Ring is just the latest in a long line...

      I agree with you, but also feel that if they'd implemented 2FA then credential stuffing wouldn't work.

      So they're not to blame but could've avoided it... it's a grey area (or maybe the grey is just in my head)

      1. sbt

        Sweet 2FA

        Apparently they do offer it. It's bad publicity for Ring, not wholly deserved. It's possibly awkward to force 2FA since not every OAP with a doorbell also has a mobile phone.

        But really the best way to ensure users choose secure passwords and don't re-use ones from elsewhere is to generate them for the user, rather than allow them to be chosen. That way complexity/length requirements can be enforced.

        If more providers did this, it would also force people into adopting password managers.

        1. headrush

          Re: Sweet 2FA

          "It's possibly awkward to force 2FA since not every OAP with a doorbell also has a mobile phone"

          What would be the point of owning a ring doorbell without any way to receive alerts or access footage?

          1. sbt

            What would be the point...?

            While many insist on sticking with land-lines for telephony, I know a few that have been dragged into the desktop PC realm, or perhaps accepted an iPad, not all of which have cell/SMS service. Can still get access to footage, I would assume.

            There may not be many, but enough to prevent 2FA being made mandatory.

            1. Carpet Deal 'em

              Re: What would be the point...?

              Sounds like a reason to use real 2FA instead of SMS. Security tokens can be a bit of a pain, but they can be put on computers and mobile devices with no need for internet access.

              1. sbt

                You could make a motza...

                ... if you can work out how to deploy tokens to techphobic retail customers that don't even have smartphones (so that's their level of tech sophistication) and not bring down a complete storm of tech support hell. A lot of old folks will just stick the token in a drawer and plead ignorance when they complain the first factor (e.g. a password) isn't enough to let them in.

                Anyway, Internet access is a given in this scenario, since remote access compromise is what they're trying to protect against.

      2. Kientha

        Re: Ring is just the latest in a long line...

        Ring support 2FA (albeit SMS only) but rely on end users to activate it. Mandating it on end users isn't a great option currently and if they forced you to provide a phone number, you would get a number of people complaining about that instead!

        1. Dan 55 Silver badge

          Re: Ring is just the latest in a long line...

          All the more reason to use proper 2FA as mentioned above.

    2. iron Silver badge
      Thumb Down

      Re: Ring is just the latest in a long line...

      Ring deserve every bit of bad publcity they get for their policies with reguard to turning over footage and getting police departments to push their spy cameras through neighbourhood watch groups.

      1. GnuTzu

        Re: Ring is just the latest in a long line...

        Yes, though I'm not sure "deserve" is the word. They're enablers. But, some company would've fallen into this role one way or another. Either way, it's time to scare the crap out of people. Maybe, lawsuits are needed here. Maybe some kind of legislation. But, there's a dysfunctional relationship between consumers and corporations that needs a serious wake up call, or this shit is going to cascade into some seriously bad... The bile still rises in the back of my throat every time I imagine how bad it could get.

  3. chivo243 Silver badge

    password reuse

    Well, there's your problem... Now I've got a great solution, sigh here... using the same username and password please!

  4. Anonymous Coward
    Anonymous Coward

    Anyone else think Ring is creepy as fuck? Like, literally how can you think it's a good idea to allow a global corporation owned by an evil rich guy who's also really into the media, to put millions of spy cameras pointing everywhere always recording and feeding back into Amazons giant data banks? What when the latest models have multicameras for photogrametric distance estimation? Real time seamless reconstruction in a virtual environment from that data? 24/7 complete and utter godlike strategic overview of everywhere that has a Ring camera and what people are saying and how they're moving and flowing and communicating and associating? YUK. Why would you let that happen? RESIST. Later will be too late :V

    YES and I BET these things have an extra wifi antenna or circuit or timeslice and are CONSTANT sniffing and listening and pinging and recording and feeding that back to amazon too, you can COUNT on it

    Hmm it should ping bluetooth beacons containing its best estimated position of an IR led so other Rings within its field of view can triangulate and fix their location really well too, report all that back to the mothership along with enough pics and eventually they'll have mm precision on everything so long as a Ring can see other Rings hmm

    1. This post has been deleted by its author

    2. Dan 55 Silver badge

      You would also want to beware of customer service, if Ring follows Amazon's usual CRM, the customer service agent can basically rummage round your account and do whatever they want.

    3. PM.


      Samaritan is watching ... :-/

    4. Anonymous Coward
      Anonymous Coward

      You must be shit-scared every time a stranger walks down your street.

      P.S. You aren't that interesting.

  5. RandyC

    I love that NordVPN has released that bug bounty program, people now will use it out of spite and get payed. In addition, NordVPN is going to be only a better company because of it. Really a great choice. also WHO still uses the same password for every account? If you do, don't blame companies for your mistakes

  6. Version 1.0 Silver badge


    All upgrades these days have security issues, go back to Windows 3.11 or XP if you want a really secure and safe environment, there's virtually nothing out there that can hack these system because all the hacks have been upgraded too.

    Note that Putin browses with an XP machine, doesn't that tell you something?

    1. A random security guy

      Re: Upgrades

      XP is still alive. Many PoS and ATM terminals still have it. And they are getting hacked all the time.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like