And This Is Why....
The Market Ticker - Commentary on The Capital Markets
2018-05-14 16:35 by Karl Denninger
in Technology, 166 references

If you're looking to enter the home security, control and monitoring business (or are already in it) you want to email me right now.

Amazon purchased Ring for $1 billion in February. According to reporting by The Information, a security flaw in the software allowed people who were logged into the doorbell app to stay logged in even after the password had been changed.

A "flaw".

In other words, someone didn't pay attention to basic design.

However, the company’s CEO Jamie Siminoff said Ring doesn’t kick users off immediately because that would slow the app down.

It would slow the app down?

What sort of monkey wrote that code?

Want to market and sell a package without such problems?

Check it out at http://homedaemon.net (yes, there's an app for Android, now up and available, at http://homedaemon.net/manual.html), and then email me using the contact information to the right.

The entire kit-n-kaboodle is for sale -- in source.

This sort of "problem" isn't found in my code.

Oh, and it doesn't push anything to or require a connection with the "cloud" either -- so nobody can pick off credentials from there.

Finally, it'll cost you a HELL of a lot less than a billion to have a functional system that doesn't let someone you revoked credentials from spy on you.... hint-hint Jeff (or even better, one of Amazon's competitors!)

Comments
Lenguado
Posts: 2271
Incept: 2010-01-12
A True American Patriot!
Orlando, FL
Daymn. SPAMAzon now has video/audio inside and outside people's houses.

Mrs. Lenguado and our oldest daughter had never seen Idiocracy. Watched it last night over our Mother's Day meal of Lenguado-cooked steak and lobster (awesome meal by the way!!!!)

They BOTH agree that we are at or past the tipping point of being there . . .

----------
I just realized... they aren't saying, "Keynesian Economics"
they're saying "Kenyansian Economics". Grass Huts for everyone!
Welcome to history's first Double Dip Depression
Vernonb
Posts: 2091
Incept: 2009-06-03

East of Sheol
Who needs to have soldiers or police harbored in your home illegally when you Voluntarily consent to such devices as Alexa being there?

Yet most people are unable to realize the peril in which they place themselves and everyone else. Others just don't care.

How long before they are forced in every home as part of a 911 program, for the public good of course. Insanity is seldom limited.


----------
"Mass intelligence does not mean intelligent masses."
Tickerguy
Posts: 152887
Incept: 2007-06-26
A True American Patriot!
The outrageous stupidity of this sort of thing astounds me.

When you revoke someone's privileges you often need to do it RIGHT NOW. And incidentally this implies that the app is doing some sort of authentication token caching and not re-validating it on each request, which is ridiculously stupid.

I can see where if you have a valid, CURRENT session to the camera AT THE MOMENT THE ACCESS IS REVOKED it remains valid until closed, because most of these devices use RTSP or similar.

But for that to be cached somewhere (either in the cloud or the app itself) means there's something far more serious going on here that's not immediately obvious -- like the camera ITSELF is not secure AT ALL.

HomeDaemon's app doesn't store the login or password at all, anywhere. It's sent to the server when you sign on and the server (if it likes the credentials and validates them against a hashed password) returns a very long, randomly generated token (cookie). The app caches THAT. When a command is sent, whether it's something to do or a monitoring session request, that cookie (or a new authentication set) has to be presented.

Each "session" is short in duration (monitoring sessions are 90 seconds if the phone is locked, just looking for changes, and up to 5 minutes if the screen is on, since it's more efficient if you're active to leave the stream up), the duration is enforced by the server (NOT the client!), and if the cookie is revoked (because you killed the account or changed the password) then as soon as the current "thing" is over you can't re-authenticate because the token isn't valid any more. As the server-side owner YOU choose how paranoid you wish to be (how long those tokens are valid for), at which point you MUST re-enter your credentials because the SERVER wipes the randomly-generated entry it is holding in RAM on whatever interval you have set.

It's pure LAZINESS to not do this sort of thing right. My 30-second guess is that they're doing a lazy cloud-sync of authentication credentials which is both outrageously insecure in the first instance AND leads to this problem.

----------
Winding it down.
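The token-and-revocation design described in the comment above, and the "stays logged in after a password change" behaviour the post itself complains about, as an added example that is not HomeDaemon's, Ring's or the blog's own code. The server class, the TTL constants (taken from the 90-second and 5-minute figures in the comment) and the "stay logged in" client are assumptions of this example:

```python
"""Server-side session tokens that die with a password change.

Added example, not HomeDaemon's or Ring's code. It models the design in the
comment: the app never stores the password, the server hands out a long
random token, every request presents that token, the server (not the
client) enforces session duration, and a password change revokes every
token for that user immediately. SessionServer and StayLoggedInClient are
names invented for this example.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Session lengths from the comment: 90 s with the phone locked, up to
# 5 minutes with the screen on. Enforced on the server side only.
TTL_LOCKED = 90
TTL_ACTIVE = 300


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Only these are stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class SessionServer:
    """Holds hashed passwords and the live token table (in RAM)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}     # username -> (salt, digest)
        self._sessions = {}  # token -> (username, expires_at)

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str, screen_on: bool = False):
        """Validate credentials; return a fresh random token, or None."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest = rec
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):
            return None
        token = secrets.token_urlsafe(48)  # the only thing the app caches
        ttl = TTL_ACTIVE if screen_on else TTL_LOCKED
        self._sessions[token] = (username, self._clock() + ttl)
        return token

    def authorize(self, token: str):
        """Every command or monitoring request is re-validated here."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]  # duration enforced by the server
            return None
        return username

    def change_password(self, username: str, new_password: str) -> None:
        """Re-hash, then drop every token for the user: nothing lingers."""
        self.add_user(username, new_password)
        for tok in [t for t, (u, _) in self._sessions.items() if u == username]:
            del self._sessions[tok]

    def sweep(self) -> int:
        """Wipe expired entries from RAM on the owner-chosen interval."""
        now = self._clock()
        dead = [t for t, (_, exp) in self._sessions.items() if now >= exp]
        for tok in dead:
            del self._sessions[tok]
        return len(dead)


class StayLoggedInClient:
    """The pattern the post objects to: the app decides once that it is
    logged in and never asks the server again, so revocation never reaches it."""

    def __init__(self, server: SessionServer):
        self.server = server
        self.logged_in = False

    def login(self, username: str, password: str) -> None:
        self.logged_in = self.server.login(username, password) is not None

    def can_view(self) -> bool:
        return self.logged_in  # never re-validated against the server


def demo() -> tuple:
    """Constructed scenario with a fake clock so expiry is deterministic."""
    now = [1000.0]
    srv = SessionServer(clock=lambda: now[0])
    srv.add_user("owner", "correct horse")
    tok = srv.login("owner", "correct horse", screen_on=True)
    ok_before = srv.authorize(tok) == "owner"
    srv.change_password("owner", "new phrase")
    ok_after = srv.authorize(tok)          # None: revoked at once
    tok2 = srv.login("owner", "new phrase")
    now[0] += TTL_LOCKED + 1
    expired = srv.authorize(tok2)          # None: server-side TTL ran out
    return ok_before, ok_after, expired


if __name__ == "__main__":
    print(demo())
```

The contrast worth noticing is where the decision lives: `SessionServer.authorize` is consulted on every request, so a revocation or expiry takes effect the moment the next request arrives, while `StayLoggedInClient.can_view` keeps answering "yes" after the password has changed because nothing ever asks the server again.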

Lobo
Posts: 469
Incept: 2013-12-25

Quote:
How long before they are forced in every home as part of a 911 program- for the public good of course. Insanity is seldom limited.


There was a 60 Minutes story about one of the US defectors to North Korea. In the story they mentioned that every apartment had a speaker that played propaganda 24/7. You could turn it down, but not off.

Send and receive? At that point I turn a box upside down over it with a speaker playing nonstop porn movie sound tracks. The government will end up thinking I'm one busy MF.

----------
Village Idiot