Correction: 220,000 kids weren't exposed in VTech mega hack – it's actually 6.4 million

Toymaker VTech has admitted that millions of kiddies' online profiles were left exposed to hackers – much higher than the 220,000 first feared. On Tuesday, the Hong Kong biz confessed in an updated FAQ page that it did not properly secure personal information on 4.8 million parents and 6.37 million children – including 1.2 …

  1. Captain DaFt

    Oopsies!

    6.4 million sets of:

    "parents' names, email addresses and home addresses, and the birthdays, names, and genders of youngsters."

    Plus pictures and voice recordings of said kids and parents, all spaffed across the Internet with little or poor protection, and that's just what they'll admit to so far.

    Welcome my friends, to the bright new world of the IOT!

  2. Anonymous Coward

    A new El Reg unit?

    "a yaer's worth"

    Can we have a definition of a yaer please.

    Also, never give real details when registering, a single day, year and month offset will usually be enough.

    No home address, ever, scumbags for asking.

    1. Anonymous Coward

      Re: A new El Reg unit?

      "a yaer's worth"

      Can we have a definition of a yaer please

      Yup, inbred southern way of spelling YEARS for Mercan's

      1. Hero Protagonist

        Re: A new El Reg unit?

        "YEARS for Mercan's"

        Mercan's what?

  3. Anonymous Coward

    Fake info

    There was a time when everyone simply knew you only give fake info on the internet.

    At some point, reams of stupid people came online who don't know this.

    1. waldo kitty

      Re: Fake info

      At some point, reams of stupid people came online who don't know this.

      on the contrary... "ignorant people" is the proper phrase... ignorance can easily be cured by education... the only cure for stupidity is hot lead at high velocity... i'd much rather be ignorant than stupid... the really sad thing is that there's a lot of ignorant people out there that don't know the difference :(

      1. LaeMing

        Re: Fake info

        There is ignorant.

        And there is willfully ignorant.

        I only have sympathy for those in the first group.

    2. John Tserkezis

      Re: Fake info

      "At some point, reams of stupid people came online who don't know this."

      I think AOL had a lot to do with it.

      1. Mark 85

        Re: Fake info

        And Farcebook is reinforcing that fine tradition but to some multiple of what AOL had.

    3. Stevie

      At some point, reams of stupid people

      So it is your contention that one should not buy a Speak 'n' Spell nor accept one as a gift if one is not a System Administrator or possessed of a CS degree?

      Hard to argue with the logic.

      Next up: why you shouldn't have access to a domestic electricity supply if you aren't a chartered electrical engineer.

      1. yoganmahew

        Re: At some point, reams of stupid people

        @Stevie

        "why you shouldn't have access to a domestic electricity supply if you aren't a chartered electrical engineer."

        Except there are standards organisations that govern electrical devices to make sure they don't blow up in your face.

        Nobody seems to care enough that the software is liable to blow up, though... nor that it can be routinely updated without you knowing, even if it starts off secure.

        Imagine if your cooker received instructions over the ether to randomly electrify one of the knobs, a different one each day. Knob roulette... it'd be like knowing Charlie Sheen...

        1. Stevie

          Re: At some point, reams of stupid people

          Which is my point. Not stupid buyers, just educated by the extremely dangerous yet reasonably safely deployed technologies of the past to expect better from the venal and/or stupid manufacturers and the software "engineers" who work for them.

          As for "safety" standards, how are they expected to come about when the first thing confronting anyone who opens a box o' software or a make bundle is a linear mile of legalese announcing that there are no warranties, nor any assumption of responsibility, and that whatever you have in your hands is in no way, shape or form guaranteed to do what it says on the box it came in? Even Apple wave their hands in the air and mumble on this point, and they have at least made (an extremely unpopular in the early days) an attempt to get control of the chaos. Difficult to say you have a safe electrical system if everyone and his dog is encouraged to rewire the sockets at will, as it were.

          To get the types of standards we are speaking of in place there has to be some admission that the vendor bears responsibility for what happens when you switch whatever it is on.

  4. dan1980

    "Regretfully our database was not as secure as it should have been."

    Okay, everything else aside, kudos for owning up and saying it plainly. That doesn't make it okay and it doesn't automatically mean that much will change in the future.

    BUT, without a frank, open admission, it's very rare that you see real, meaningful progress. You must make yourself accountable to others if you really want to change; you go to the people you have failed and you admit that you have failed and that, whatever the circumstances, there were things in your control that you did not attend to properly and you tell them what those things are.

    That way, when you promise that those people are 'important to you' and your commitment to them is your 'highest priority', it actually means something.

    Compare TalkTalk and their: "We ticked the boxes we had to so it's not our fault".

    You can't fix a problem if you don't acknowledge it and you are more likely to actually do so if you acknowledge it to those impacted. Let's hope that we see much, much more of this. No downplaying with "a small subset of users affected" or passing blame talking about "malicious actors" - your security, your responsibility.

    1. Anonymous Coward

      "Regretfully our database was not as secure as it should have been."

      I may be on the wrong track here, but are we sure they are doing this for being sorry and not just to be ahead of the "think of the children" brigade as, from the figures, they are the majority of users compromised and in any society, the most vulnerable to being "socially manipulated" for want of a better phrase, by the sort of characters who troll forums looking to manipulate and "corrupt" (read that any way you like, I can't think of a word to describe them) very young people.

      1. dan1980

        Re: "Regretfully our database was not as secure as it should have been."

        @AC

        Doesn't matter - once you actually admit to the customers that YOU have made a mistake* and YOU have failed in your duty to them, then you have given them the stick to beat you with if you don't fix that mistake.

        That's why admitting your failings is so important here - it tells people that you want them to hold you to a higher standard and that then provides an external incentive for you to live up to that standard. It changes it from an internal guide about general goals into a public promise to make specific changes.

        Saying things like: "we constantly work to ensure our customers can continue to use our products with confidence and are committed to their safety" is great and all but it means nothing because it doesn't identify a single task that you will do to achieve that end. On the other hand, saying "our database was not as secure as it should have been" identifies something that you will actually do.

        Of course, the question of how secure the database "should have been" is not precise but I'm not sure that you could go into specifics in a non-technical release, nor would it be a good idea, from a security perspective, to explain how your systems are set up anyway!

        That said, I don't have kids so this doesn't impact me directly but I still think it matters less why they are doing it than that they are. If they are only doing it to mitigate any backlash then so be it because they have now INCREASED their exposure to such a backlash in the future, should they get it wrong again.

        Sounds good to me.

        * - And that the mistake wasn't just a slip and isn't being blamed on one random scapegoat but was something that was in your control and you didn't do what you should have.

  5. Phil Endecott

    Secret questions and answers

    Not much point hashing the passwords if the secret Q&A to reset them are in plain text....

    1. Jim Cosser

      Re: Secret questions and answers

      Yes and no, you could reset and get it but you couldn't read the password and re-use on another site.

      Though in this case with MD5 hashing, no salt you can do both ;)

      1. VinceH

        Re: Secret questions and answers

        I think Phil's point was that the answers to "secret questions" should also be salted and hashed. Since far too many sites insist on a bog standard set of questions, far too many users choose the same questions and answers on different sites, and far too few think to fake this information, having these answers in plain text potentially opens the password reset facilities for people's accounts on other sites.

        If a site doesn't need to either use a piece of information, or show it to the user (i.e. if it's only 'for security purposes' and nothing else), it should be salted and hashed.

        And any information not in that category that is not needed (such as an address for deliveries) should not be asked for at all.

        1. Jim Cosser

          Re: Secret questions and answers

          True true
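The storage scheme Phil and VinceH argue for above, written out as an added Python example (not code from the thread, from El Reg or from VTech): the security answer is normalised, then stored exactly like the password, with a per-record random salt and a slow hash, beside the unsalted MD5 scheme Jim describes. The iteration count, the field names and the user records are constructed assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed PBKDF2-HMAC-SHA256 work factor; tune to your own hardware.
ITERATIONS = 200_000


def normalise_answer(answer: str) -> str:
    """Canonicalise a security answer before hashing: answers are typed far
    more loosely than passwords, so 'Fluffy ' and 'fluffy' must verify alike."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret: str) -> dict:
    """Per-record random salt plus a slow hash: two users sharing a secret get
    unrelated digests, and precomputed lookup tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def verify_secret(secret: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def unsalted_md5(secret: str) -> str:
    """The weak scheme the thread describes: fast, unsalted, and identical for
    every user who picked the same answer, so one crack reveals them all."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def create_user(username: str, password: str, answer: str) -> dict:
    """Constructed user record: the answer is stored the same way as the password,
    because the site only ever needs to compare it, never to display it."""
    return {"user": username,
            "password": hash_secret(password),
            "answer": hash_secret(normalise_answer(answer))}


def check_reset(record: dict, answer: str) -> bool:
    """Password-reset gate: compare the normalised answer against the stored digest."""
    return verify_secret(normalise_answer(answer), record["answer"])
```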

  6. Kevin McMurtrie Silver badge

    Shooting phish in a barrel

    Chat logs were not encrypted? Carders will be phishing for the wallet, spammers phishing for the login, and some will phish for the children themselves.

  7. als1232

    What were they thinking?

    I admit and grant that I'm an idiot but I simply don't understand either side of this mess. On the one hand, we have the parents. All I hear is that the children are vulnerable and we must stop them from being abused, I recently saw a judge who said that it was illegal to leave your nine-year-old child alone at home. Parents refuse to let their children out to play on the street, they could be hit by a car, be kidnapped, be hurt in a million different ways... Whether you think this is overkill or not doesn't matter so much just at the moment, but if you think it's great, as many do, why on earth would you let your child's information out of your control? Why would you take any step letting your child on the network without supervision? Obviously, that's the whole point of these kid-friendly apps, they supervise so you don't have to. The broken bone can be fixed, kidnappings are rare, kids often get hurt but they recover. Is there a hospital that can fix your lost anonymity/privacy/profile information? In the absolute best case, you're letting some company market to your kid. In the normal/common case... well, now everyone and not just VTech can make your child's life hard. The easy, understandable, and rare risks are protected against, maybe even overprotected against, while the difficult, unquantifiable, and common risks, are not protected against at all. Is it that you don't really care about the kid and just want to do enough to avoid obvious trouble until the kid leaves home? What are these people thinking?

    On the other hand, we have VTech. Is it that their shareholders are satisfied with their current wealth and want no more money? Is it that they thought they were exempt from the usual laws, that they were special unlike, for example, Sony, OPM, Target, Starwood Hotels... Is it that they had some sort of protection from what happens to everyone else? Is it just that they didn't care because nobody cares about personal information and there will be no reduction in sales? Maybe they're right in that, after all, but it still doesn't make sense, surely nobody wants to appear as bungling idiots if nothing worse? Some of these errors are so foolish, so basic, I don't understand the thought processes behind them. What on earth is either side thinking here?

    1. SImon Hobson Bronze badge

      Re: What were they thinking?

      > ... why on earth would you let your child's information out of your control?

      Because, the parents just have no clue. The readership here is probably a self selected group of fairly technically literate people - you just have to read some of the comments against various "spooks" and "privacy" related stories to see that the majority seem to be fairly technically literate and understand the basics of security and privacy.

      Once into "the real world", the parents that buy these just don't think of them as other than "a kids toy" with nice extra features. When they signed up, the licence and privacy statements (if presented at all) will have been dismissed with "what's this sh*t getting in the way, let's get rid of it ASAP". I've had conversations around privacy and security where the other person basically responds "I don't care if someone reads my emails" because they really cannot see the problem.

      So you have a group of (mostly) not technically literate people who really don't understand that these things are computers, who probably do not even connect the fact that messaging works with anything going out into the internet, and who really don't have much grasp of security or privacy or why they are important.

      I suspect that if you approached the average parent who isn't bothered by these toys and asked to fit a webcam in the child's bedroom so that strangers on the internet could watch them, then you get a response ranging from a 2 word response ending with "off" to having a chat with the local plod !

      Most people could understand the concept of a camera making images and sound available over the internet - and would associate anyone suggesting the camera installation with "up to no good". But once you take away that "easy to see" action (install camera) and "impact" (strangers can watch your child) - then most people can't see the issue.
