Vtech covered up a leak of data on 6.3m children and their families, then tried to force us not to sue - the FTC just fined them $0.09/kid

Vtech is the Taiwanese kids' crapgadget vendor that breached sensitive data on 6.3 million children and their families, lied about it and covered it up, then added a dirty EULA to its products that made us promise not to sue them if they did it again.

Armstrong Zoom ISP to 1,000,000 internet subscribers: if you are accused of piracy, you may lose the ability to control your smart thermostat

Armstrong Zoom, a northeastern US ISP with about a million subscribers, has sent its customers warnings that they have been accused of copyright infringement, and that subsequent accusations would lead to having their network connections slowed to the point of uselessness, which could impair their ability to control their internet-connected thermostats.

The FBI and the New York Times warn that smart toys are emissaries from the Internet of Shit

One by one, the New York Times warns of the dangers of every hot smart toy your kids are begging for this Xmas: Furbies, Cayla, kids' smart watches, the ubiquitous Vtech toys (they omit the catastrophic Cloudpets, presumably because that company is out of business now).

New Consumers Union report catalogs the potential collateral damage from the crypto wars

In a new white paper, Consumers Union (publishers of Consumer Reports) looks at the "consumer stake in the encryption debate": they note that governments want to ban working cryptography so that cops can spy on crooks, but the report does an excellent job enumerating all the applications for crypto beyond mere person to person communications privacy.

"Friendly" apps are good at maximizing engagement, but their context-blindness is a cesspit of algorithmic cruelty

Designers use metrics and a/b splitting experiments to maximize engagement with their products, seeking out the phrases that trigger emotional responses in users -- like a smart scale that congratulates you on losing weight -- but these systems are context-blind, so they are unable to distinguish between people who might be traumatized by their messages (say, a woman who's just miscarried late in her pregnancy, being congratulated on her "weight loss").

Mirai's creators plead guilty, reveal that they created a DDoS superweapon to get a competitive edge in the Minecraft server industry

Last year, the Mirai botnet harnessed a legion of badly secured internet of things devices and turned them into a denial of service superweapon that brought down critical pieces of internet infrastructure (and even a country), and now its creators have entered guilty pleas to a Computer Fraud and Abuse Act federal case, and explained that they created the whole thing to knock down Minecraft servers that competed with their nascent Minecraft hosting business.

Talking Casa Jasmina, a house of the future designed for people, not corporations, with Jasmina Tesanovic and Bruce Sterling

The Casa Jasmina project (previously) is an automated smart house designed to be made of open source hardware, with the needs of the people who live there -- not the corporations who extract rent from them -- in mind.

One of the net's most important freedom canaries died the day the W3C greenlit web-wide DRM; what can we learn from the fight?

EFF's long, hard-fought campaign at the World Wide Web Consortium over its plan to standardize a universal DRM for the web was always a longshot, but we got farther than anyone dared hope before we lost the web to corporate interests and cynical indifference in September.

Reverse-engineering a connected Furby toy, revealing its disturbing security defects

When Context Labs teamed up with UK consumer group Which? to produce an outstanding report on the surveillance, privacy and security risks of kids' "connected toys," it undertook the reverse-engineering of Hasbro's new Furby Connect, a device that works with a mobile app to listen and watch the people around it and interact with them.

Connected sex-toy allows for code-injection attacks on a robot you wrap around your genitals

Anonymity and privacy researcher Sarah Jamie Lewis realized that a connected sex toy's "email a blowjob" feature had significant security vulnerabilities and has produced an entertaining and delightful Twitter thread explaining how she was able to both fingerprint electronic blowjob description files and disrupt them with code-injection attacks.

Hackers can freeze the camera that lets you know whether your "Amazon Key" equipped door is locked and who is using it

Security researchers from Rhino Security Labs have shown that it is trivial to disable the Amazon Cloud Cam that is a crucial component of the Amazon Key product -- a connected home door-lock that allows delivery personnel to open your locked front door and leave your purchases inside -- and have demonstrated attacks that would allow thieves to exploit this weakness to rob your home.

The Internet of Shit is so manifestly insecure that people are staying away from it in droves

In Deloitte's new 2017 Global Mobile Consumer Survey, the company notes that "connected home systems—a category that includes home security, thermostats, and lighting—continue to lag behind other connected devices such as entertainment systems and connected vehicles," which the report attributes to "concerns about security and privacy."

Consumer groups' labs advise parents not to buy connected toys, claim risk of strangers listening and talking to kids over the internet

Two leading European consumer groups -- the UK's Which? and Germany's Stiftung Warentest -- have published an advisory with the results of their lab tests on the security of kids' connected toys, warning that these toys are insecure and could allow strangers to listen in and talk to your kids over the internet.

Lovesense sex toys make accidental audio recordings of your sex sessions, which the company describes as a "minor bug"

Lovesense -- the company that made the Bluetooth-enabled vibrating buttplugs that could be detected and hacked remotely and settled a class-lawsuit over collecting vibrator users' personal information for $3.75M -- has told users of its Lovesense Remote vibrator app not to worry about the "minor bug" that causes it to record the audio of their sex sessions.

RIP Teaforia, the $1000 IoT tea-infuser

In 2016, Teaforia raised $12,000,000 in venture capital to manufacture a $1,000 tea infuser that combined proprietary, DRM-encumbered tea pods with a "patent-pending microinfusion technology" and a timer to make cups of tea.

Kids' smart watches are a security/privacy dumpster-fire

The Norwegian Consumer Council hired a security firm called Mnemonic to audit the security of four popular brands of kids' smart watches and found a ghastly array of security defects: the watches allow remote parties to seize control over them in order to monitor children's movements and see where they've gone, covertly listen in on them, and steal their personal information. The data the watches gather and transmit to offshore servers is copious and sent in the clear. The watches incorporate cameras and the photos children take are also easily plundered by hackers.

A new IoT botnet called Reaper could be far more virulent than Mirai

In 2016, an Internet of Things worm called Mirai tore through the internet, building botnets of millions of badly designed CCTVs, PVRs, routers and other gadgets, sending unstoppable floods of traffic that took down major internet services from Paypal to Reddit to Dyn.
