Vwoosh
Well, that escalated quickly!
What a rather bizarre turn of events and default device config (don't think I'd trust going via their servers to re-config either). It's almost as if Footfallcam don't actually know what they're doing at all.
A cautionary tale about the dangers posed by affordable Internet of Things devices turned into a much more sinister story after a company threatened an infosec bod with a police report (since retracted) unless he deleted a Twitter thread highlighting shortcomings in one of its products. The device at the heart of the …
"It's almost as if Footfallcam don't actually know what they're doing at all."
Not at all. It's an extremely generous gesture on Footfallcam's part to draw the attention of prospective customers to this. Without it such prospective customers could make uninformed buying decisions.
I think this is going to be the standard for dodgy ad-tech companies - like the double-glazing that offered 20year guarantees but closed and reopened under a new name every year.
Sleezy-tech_123 is hit by a Twitter storm for selling video from its line of embedded underwear cameras.
Sleezy-tech_124 is spun up by the Bermuda Chamber of Commerce equivalent of a Docker container 20ms later.
Somewhat different. Although the name changes in this case it's the same legal entity. Your double-glazing example would be a new legal entity each time so as to evade the responsibilities of the old one.
Oh, but Sleezy-tech_124, while being in the same business as Sleezy-tech_123 and having the same directors and owner and operating from the same Caribbean lawyers' office, has no connection with Sleezy-tech_123.
Are they rude about the country of origin of the product? Insulting a country or its people is quite definitely not "racism", legally at least, and possibly with the exception of any countries that do identify as monoracial. I can probably get away with anything I want to say about the Welsh for instance. I do not feel that that's right, but it is how it is. Fwtfa Llcam perhaps sees it differently. :-)
"Race" is, broadly speaking, not real, but given that it causes trouble anyway, it's not clear to me that nationality, actual or, for the sake of a word, ethnic, is different from "race" and not meriting similar rules against abuse. It is clear to the British government though, of whichever party, probably because stirring up resentment of Johnny Foreigner is everyday business for them so it would be a bit daft if they made it illegal.
I admire Footfallcam for making small, cheap, actually useful and practical devices not based on sucking a user's personal data. Hopefully they will now see this as an opportunity to improve their product - there really are nasty hackers out there who would use their product to breach a business's local network.
But unfortunately most non-gaming devices that are sold using it tend to be of questionable safety and quality. Save the Mini PC; that one works okay for the price range.
Heck, a simple web search will show more than a dozen Pi boxes that actually don't do whatever they are supposed to do well.
Why bother with designing anything bespoke unless you have a need to? Just find an SBC that does what you want and add USB peripherals: instant product.
From the description the whole product is a simple bash script: footfall detection by one of the millions of CCTV motion detector daemons out there emitting a +1 and timestamp to a log file, a copy and paste of the Street View WiFi-snagging bash script logged to file, and curl on a cron job to push the log to a (want to bet wide open?) S3 account.
Probably took 30mins to panic write after fucking about for 3 months playing games instead of working
Do love how overpriced digital signage is for what is often no more than a WiFi-enabled digital photo frame, or an RPi in a VESA mount case on a TV.
The point of the RPi is a dev board. If it's really going to go into production, and sell in volume, there is probably too much extraneous stuff on an RPi, so you are, in the long run, going to find it cheaper to switch to a custom board with just the components you need.
I don't think OP is necessarily talking about the hardware. It's very true in my experience that most Pi- or otherwise devboard-based product releases are perfectly fine hardware wise as they're built on an existing, well-developed SBC/SoC core, while the software they write for it sucks massive chode and never sees any updates.
_accessing web infrastructure without the owner's permission is a criminal offence under section 1(1) of the Computer Misuse Act 1990. _
That can't be correct: otherwise visiting http://www.myco.com with a browser would be illegal without consent.
If you put up a website you implicitly consent to access by everyone, including infosec bods who bitch about your use of HTTP.
I mean, you can easily read the law in question for yourself. (And it is, surprisingly, fairly readable and written in plain English.) As currently amended:
Unauthorised access to computer material.
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
(b) the access he intends to secure, or to enable to be secured, is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
Yes, if you set up a public website then accessing it is not unauthorized. But merely serving content over HTTP does not constitute authorization, if the server in question is not a public internet resource. (Meaning, if it's only reachable by knowing or guessing the device's IP, and there are no links to it anywhere on the web, then it's not exactly "a website" nor is it implicitly public.)
And attempting to breach password-protected or otherwise secure areas of any service — public or otherwise — is still criminal "unauthorized" access, no matter how laughably weak their security is.
Surely any other website can generate links to every possible url on the web, and at that point you have a publicly linked url without your consent or knowledge, but according to your comment nullifying the lack of permission to access.
Are there actually any good test cases on this stuff in the UK from the last decade or two?
Far too many organizations, large and small, fail to deal with external security researchers properly. Attacking them is a sign of a failed company. Don't buy their products; they're not actually interested in security.
When you're contacted by a researcher, or see a public disclosure of a possible vulnerability in one of your products, you must treat that as a genuine problem in the product until you've evaluated it. And being reasonable and diplomatic with the researcher - even if you feel the researcher is being unreasonable, even if you feel the situation is extortionate - is absolutely necessary. Your job is to get as much information as possible. In the extraordinary case where there's some grounds for a legal complaint, that's a matter for after you have the vulnerability confirmed or refuted, and a fix ready if it's real. And then it should be handled by lawyers, and your lawyers should know how to make a proportionate response that won't turn into a PR nightmare.
Every company with an IT product to sell needs someone on PSRT duty, and that person needs to be trained appropriately and temperamentally suited for the job. Small firms don't need a dedicated PSRT team, but they do need at least one person who understands disclosure practices and responses. And everyone else, including directors, needs to stay the hell away from these situations.
Every company with an IT product to sell needs someone on PSRT duty, and that person needs to be trained appropriately and temperamentally suited for the job.
And that will happen exactly when strong and effective product liability laws are in place (including internationally). Not before.
Maybe it would be useful to start a campaign (in newspapers and on TV) to have a voluntary program where companies provide a clearly visible email address for reporting. Even if the public don't use it, it would be something that reviewers could note and people could expect to see.