back to article UK's National Cyber Security Centre sidles in to help firm behind hacked NurseryCam product secure itself

The UK's National Cyber Security Centre is now helping IoT gadget firm FootfallCam Ltd secure product lines following the recent digital burglary of its nursery webcam operation. Company director Melissa Kao confirmed to The Register that the NCSC, a sibling of UK spy agency GCHQ, was helping the company shore up security …

  1. Steve Foster
    FAIL

    "The same practice is also made in platforms such as Facebook, Twitter and GitHub"

    Ah, the old "other people are doing it too" excuse.

    I want to add "EPIC" to the icon!

    1. Martin Silver badge

      Re: "The same practice is also made in platforms such as Facebook, Twitter and GitHub"

      Well, if Facebook, Twitter and Github are also storing passwords in plain text, then that's a serious concern. And if they are not storing them in plain text (which I suspect is the case), then they should expect to see a rapid "You'd better withdraw that statement forthwith" letter from three very expensive law companies.

      1. FILE_ID.DIZ

        Re: "The same practice is also made in platforms such as Facebook, Twitter and GitHub"

        Facebook did.

        It is probably more common than people imagine... a dev working to troubleshoot logon issues for example, flipping a debug bit and forgetting to set it back seems easy enough.

        But their problem is not this.

        1. Anonymous Coward
          Anonymous Coward

          Re: "The same practice is also made in platforms such as Facebook, Twitter and GitHub"

          That's a bit different though - they logged them for debugging purposes, not for the functionality of the system (assuming FB's statement is correct, etc).

  2. Ben Tasker Silver badge

    > "It was a design decision to store passwords in plaintext, which was used for image decryption. The same practice is also made in platforms such as Facebook, Twitter and GitHub,"

    Leaving aside whether FB, Twitter and Github do this....

    There's absolutely no need for the plaintext password to be stored in order to achieve the same thing, you just use something derived from the password (*cough* the hash).

    User has password: imaneasypassword

    You salt it and hash it to: abcdefabcdef

    The input to your encryption function is abcdefabcdef. At the client's end, it salts and hashes the password (it's got it because the user entered it) and uses that to decrypt the images.

    It's still not ideal, because it means you're keeping the user's password in memory for longer at the clients end - but that's true of the approach they went with too.

  3. DevOpsTimothyC Bronze badge

    Passwords in plaintext

    I was going to post a comment in the spirit of "It should be an offence for anyone to sell a product that does not employ reasonable security including one way encryption for user credentials", but then we've got plenty in UK Govt who want to outlaw effective encryption.

    1. Pascal Monett Silver badge
      Coat

      Re: Passwords in plaintext

      Yeah, but now you can say : think of the children !

      Mine's the one with the RSA handbook.

      1. Alan Brown Silver badge

        Re: Passwords in plaintext

        And as always "after all, Jimmy Saville always did"

  4. Potemkine! Silver badge

    It was a design stupid decision to store passwords in plaintext

    FTFY.

    Fits well. Indeed, you need a certain level of intelligence to be able to recognize you made a mistake.

  5. Anonymous Coward
    Anonymous Coward

    "The company needs NCSC's help"

    No, laws need to be put in place so that companies / directors can be prosecuted when "security" practices that are not considered to be "best practice" are used - in a similar way that a death due to faulty software will be considered to be due to negligence if evidence* cannot be provided to show that best practice was followed.

    * created during development, not after-the-fact.

    1. monty75
      WTF?

      Re: "The company needs NCSC's help"

      I’d prosecute them for the grievous brain damage they caused me banging my head on the table when I read their BS excuse.

  6. FILE_ID.DIZ
    FAIL

    Everything sucks at this company

    The point of access was, we were told, a poorly secured Odoo business apps server instance that used a default admin password for its web interface, seemingly relying on security through obscurity.

    If your internal applications don't have their default passwords changed.... how can anything else that you emit be any better?

    One should assume moving forward that everything this company emits is nothing but a turd.

  7. Twilight

    I find it funny that they recently threatened someone who criticized their product for being poorly designed...

    Clearly their product *IS* poorly designed.

  8. FlamingDeath Silver badge

    This doesn’t sound very capitalistic, in fact it sounds very much like communism.

    This is what makes me fucking cringe at hoomans

    Always cherry picking ideals to suit themselves

    So to recap, dumb fucking wanker sets up company, produces turd insecure products, get help from tax payer funded entity to secure their shit products.

    So, in reality we are paying for the competent developers that this company failed to employ / find

    Two words

    Get Fucked

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021