Footfallcam kerfuffle: Firm apologises, promises to fix product after viral Twitter thread, infoseccer backlash

A cautionary tale about the dangers posed by affordable Internet of Things devices turned into a much more sinister story after a company threatened an infosec bod with a police report (since retracted) unless he deleted a Twitter thread highlighting shortcomings in one of its products. The device at the heart of the …

  1. Jay 2

    Vwoosh

    Well, that escalated quickly!

    What a rather bizarre turn of events and default device config (don't think I'd trust going via their servers to re-config either). It's almost as if Footfallcam don't actually know what they're doing at all.

    1. HildyJ Silver badge

      Re: Vwoosh

      It's execrable and would be humorous except this seems to be the new trend in too many businesses.

      When your problems are reported to you, ignore it.

      When your problems are then publicized, attack the messenger.

      When your attacks are criticized, blame rogue employees.

    2. Doctor Syntax Silver badge

      Paging Ms Streisand

      "It's almost as if Footfallcam don't actually know what they're doing at all."

      Not at all. It's an extremely generous gesture on Footfallcam's part to draw the attention of prospective customers to this. Without it such prospective customers could make uninformed buying decisions.

    3. Antron Argaiv Silver badge

      Re: Vwoosh

      "It's almost as if Footfallcam don't actually know what they're doing at all."

      You might certainly think that.

      I couldn't possibly comment.

      1. Trigonoceps occipitalis

        Re: Vwoosh

        You might very well think that; I couldn't possibly comment.

        TFTFY

  2. Eclectic Man Silver badge

    Would you buy

    even a new car from those guys? As Arthur Dent said: "if this is the welcoming committee, what's it like in the complaints department?" (HHGTTG, approach to Magrathea).

  3. Anonymous Coward

    Footfallcam (formerly known as Nurserycam formerly known as Nannycam) Companies House Listing

    The Companies House listing makes for interesting reading.

    https://find-and-update.company-information.service.gov.uk/company/04471557

    1. Yet Another Anonymous coward Silver badge

      Re: Footfallcam (formerly known as Nurserycam formerly known as Nannycam) Companies House Listing

      I think this is going to be the standard for dodgy ad-tech companies - like the double-glazing firms that offered 20-year guarantees but closed and reopened under a new name every year.

      Sleezy-tech_123 is hit by a Twitter storm for selling video from its line of embedded underwear cameras.

      Sleezy-tech_124 is spun up by the Bermuda Chamber of Commerce equivalent of a Docker container 20ms later.

      1. Doctor Syntax Silver badge

        Re: Footfallcam (formerly known as Nurserycam formerly known as Nannycam) Companies House Listing

        Somewhat different. Although the name changes, in this case it's the same legal entity. Your double-glazing example would be a new legal entity each time so as to evade the responsibilities of the old one.

        1. Yet Another Anonymous coward Silver badge

          Re: Footfallcam (formerly known as Nurserycam formerly known as Nannycam) Companies House Listing

          Oh, but Sleezy-tech_124, while being in the same business as Sleezy-tech_123 and having the same directors and owner and operating from the same Caribbean lawyers' office, has no connection with Sleezy-tech_123.

    2. Michael Wojcik Silver badge

      Re: Footfallcam (formerly known as Nurserycam formerly known as Nannycam) Companies House Listing

      Surely someone wants to buy our incompetent spyware for some purpose!

  4. JDPower Bronze badge

    OK, I read through Oversoft's tweets and I can't see "a lot of racist comments". That's a pretty serious accusation for any company to make against a customer.

    I hope these guys never get into firefighting, they'll turn up with hoses pumping out petrol!

    1. Robert Carnegie Silver badge

      Are they rude about the country of origin of the product? Insulting a country or its people is quite definitely not "racism", legally at least, and possibly with the exception of any countries that do identify as monoracial. I can probably get away with anything I want to say about the Welsh for instance. I do not feel that that's right, but it is how it is. Fwtfa Llcam perhaps sees it differently. :-)

      "Race" is, broadly speaking, not real, but given that it causes trouble anyway, it's not clear to me that nationality, actual or, for the sake of a word, ethnic, is different from "race" and not meriting similar rules against abuse. It is clear to the British government though, of whichever party, probably because stirring up resentment of Johnny Foreigner is everyday business for them so it would be a bit daft if they made it illegal.

  5. CrackedNoggin

    I admire Footfallcam for making small, cheap, actually useful and practical devices not based on sucking a user's personal data. Hopefully they will now see this as an opportunity to improve their product - there really are nasty hackers out there who would use their product to breach a business's local network.

    1. sev.monster Bronze badge
  6. Anonymous Coward

    And it is contained a lot of racist and subjective quality comments

    What a twatty (sadly typical) way to "solve" what is, possibly, your own business shortcomings...

  7. Blackjack Silver badge

    I like the Raspberry Pi

    But unfortunately most non-gaming devices that are sold using it tend to be of questionable safety and quality. Save the Mini PC; that one works okay for the price range.

    Heck, a simple web search will show more than a dozen Pi boxes that actually don't do whatever they are supposed to do well.

    1. katrinab Silver badge

      Re: I like the Raspberry Pi

      Nothing I've read in the article suggests a problem with the hardware, just with the way it is configured.

      1. Orv

        Re: I like the Raspberry Pi

        To the extent that it's true, I think it's because companies small enough to use a Pi instead of their own bespoke hardware are probably too small and inexperienced to have good security testing.

        1. chuBb. Silver badge

          Re: I like the Raspberry Pi

          Why bother designing anything bespoke unless you have a need to? Just find an SBC that does what you want and add USB peripherals: instant product.

          From the description the whole product is a simple bash script: footfall detection from one of the millions of CCTV motion detector daemons out there emitting a +1 and timestamp to a log file, a copy and paste of the Street View WiFi-snagging bash script logged to file, and curl on a cron job to push the log to a (want to bet wide open?) S3 account.

          Probably took 30 mins to panic-write after fucking about for 3 months playing games instead of working.

          Do love how overpriced digital signage is for what is often no more than a WiFi-enabled digital photo frame, or an RPi in a VESA mount case on a TV.

          1. EnviableOne Silver badge

            Re: I like the Raspberry Pi

            The point of the RPi is a dev board. If it's really going to go into production and sell in volume, there is probably too much extraneous stuff on an RPi, so you are, in the long run, going to find it cheaper to switch to a custom board with just the components you need.

      2. sev.monster Bronze badge

        Re: I like the Raspberry Pi

        I don't think OP is necessarily talking about the hardware. It's very true in my experience that most Pi- or otherwise devboard-based product releases are perfectly fine hardware wise as they're built on an existing, well-developed SBC/SoC core, while the software they write for it sucks massive chode and never sees any updates.

  8. David Roberts

    Interesting

    I mentioned the tweets to El Reg over a week ago (they were already on the case) and I was wondering why the write up was delayed.

  9. teknopaul Silver badge

    _accessing web infrastructure without the owner's permission is a criminal offence under section 1(1) of the Computer Misuse Act 1990._

    That can't be correct: otherwise visiting http://www.myco.com with a browser would be illegal without consent.

    If you put up a website you implicitly consent to access by everyone, including infosec bods who bitch about your use of http.

    1. FeRDNYC

      I mean, you can easily read the law in question for yourself. (And it is, surprisingly, fairly readable and written in plain English.) As currently amended:

      Unauthorised access to computer material.

      (1) A person is guilty of an offence if—

      (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;

      (b) the access he intends to secure, or to enable to be secured, is unauthorised; and

      (c) he knows at the time when he causes the computer to perform the function that that is the case.

      Yes, if you set up a public website then accessing it is not unauthorized. But merely serving content over HTTP does not constitute authorization, if the server in question is not a public internet resource. (Meaning, if it's only reachable by knowing or guessing the device's IP, and there are no links to it anywhere on the web, then it's not exactly "a website" nor is it implicitly public.)

      And attempting to breach password-protected or otherwise secure areas of any service — public or otherwise — is still criminal "unauthorized" access, no matter how laughably weak their security is.

      1. Ex-PFY

        Surely any other website can generate links to every possible url on the web, and at that point you have a publicly linked url without your consent or knowledge, but according to your comment nullifying the lack of permission to access.

        Are there actually any good test cases on this stuff in the UK from the last decade or two?

      2. Anonymous Coward

        So it seems there is a loophole: just be a "she" when doing it.

  10. Missing Semicolon Silver badge

    Entitlement

    "You don't get to spill the beans that our product is crap! That's the mug customer's job!"

    This is how business in the IoT space is done.

    1. Michael Wojcik Silver badge

      Re: Entitlement

      Far too many organizations, large and small, fail to deal with external security researchers properly. Attacking them is a sign of a failed company. Don't buy their products; they're not actually interested in security.

      When you're contacted by a researcher, or see a public disclosure of a possible vulnerability in one of your products, you must treat that as a genuine problem in the product until you've evaluated it. And being reasonable and diplomatic with the researcher - even if you feel the researcher is being unreasonable, even if you feel the situation is extortionate - is absolutely necessary. Your job is to get as much information as possible. In the extraordinary case where there's some grounds for a legal complaint, that's a matter for after you have the vulnerability confirmed or refuted, and a fix ready if it's real. And then it should be handled by lawyers, and your lawyers should know how to make a proportionate response that won't turn into a PR nightmare.

      Every company with an IT product to sell needs someone on PSRT duty, and that person needs to be trained appropriately and temperamentally suited for the job. Small firms don't need a dedicated PSRT team, but they do need at least one person who understands disclosure practices and responses. And everyone else, including directors, needs to stay the hell away from these situations.

      1. Graham Cobb Silver badge

        Re: Entitlement

        Every company with an IT product to sell needs someone on PSRT duty, and that person needs to be trained appropriately and temperamentally suited for the job.

        And that will happen exactly when strong and effective product liability laws are in place (including internationally). Not before.

        Maybe it would be useful to start a campaign (in newspapers and TV) to have a voluntary program where companies provide a clearly visible email address for reporting. Even if the public don't use it, it would be something that reviewers could note and people could expect to see.

  11. TheMeerkat Bronze badge

    Interesting how accusations of “racism” are the first reaction of anyone who wants to attack another person.

  12. EnviableOne Silver badge

    At least someone thinks of their customers.

    If every firm put this amount of due diligence in before stocking products, the internet would be a safer place.

Biting the hand that feeds IT © 1998–2022