back to article Child tracker outfit uKnowKids admits breach, kicks off row with security researcher

The developers of child-tracker app uKnowKids have responded to reports of a data breach, admitting an issue had also exposed its proprietary IP. uKnowKids goes on to accuse the security researcher who uncovered its problems of "hacking" its data. The researcher involved, Chris Vickery, maintains he was acting in the public …

  1. Turtle

    Leaving Aside The Obvious.

    "Steve Woda, chief exec of uKnow and uKnowKids, admitted the issue while criticising Vickery and expressing doubt about his motives in an advisory to customers. 'The hacker claims to be a 'white-hat' hacker which means he tries to obtain unauthorized access into private systems for the benefit of the 'public good'".

    And the basis for impugning Chris Vickery's motives are, aside from a desire to misdirect the attention of observers, what, exactly?

    1. Christoph Silver badge

      Re: Leaving Aside The Obvious.

      "And the basis for impugning Chris Vickery's motives are, aside from a desire to misdirect the attention of observers, what, exactly?"

      Security researchers are less likely to check out that site, find problems, and report them. And if nobody reports problems that proves that there are no problems, doesn't it?

    2. Triggerfish

      Re: Leaving Aside The Obvious.

      If you throw enough shit, you can hope no one looks your way.

    3. I ain't Spartacus Gold badge

      Re: Leaving Aside The Obvious.

      Also, I guess it's quite useful if/when some of the data turns up in nefarious hands. As then you can say, "look! It was that hacker what done it! And in no way was it our pisspoor security. Oh no! No Indeedy. Look! Over there! A squirrel!"

    4. Graham Marsden
      Pirate

      @Turtle - Re: Leaving Aside The Obvious.

      > And the basis for impugning Chris Vickery's motives are, aside from a desire to misdirect the attention of observers, what, exactly?

      Obviously, if you shoot the messenger who brings you bad news, it deters others from doing the same...

  2. 2460 Something

    Nearly there

    It is pleasing that they moved so quickly to get the breach fixed but even if they suspect that the person who found it had ulterior motives why does that need to be the the press bulletin, it just makes them look petty. A simple 'It is with significant regret that I share with you the news that uKnow had a private database repeatedly breached on February 16, 2016 and February 17, 2016.' followed up with specifics and full disclosure of the impact would have been much more grown up.

    1. Nevermind
      Pint

      Re: Nearly there

      Kids database security SNAFU and " followed up with specifics and full disclosure of the impact would have been much more grown up."

      I see what you did there, have an upvote.

    2. FuzzyWuzzys Silver badge
      Facepalm

      Re: Nearly there

      Kids protection information database run by a bunch of childish adults!

    3. I ain't Spartacus Gold badge

      Re: Nearly there

      Perhaps it makes them look petty, because they are petty? So useful PR.

      For example, whenever I see the "only a limited number of our customers have been affected" statement, I know that a) management don't give a shit, and; b) lessons will not be learned. Particularly given that "limited number" doesn't mean small, and is technically correct so long as all but one customer have been affected...

      Of course when I see "lessons have been learned" I also know that no they bloody well haven't been.

      Whereas our cloudy accounts are with a company who had an incident where their datacentre had a problem, which killed some hard drives, the fail-over didn't work and they lost a few hours of data. This was about a year before we signed up. After the event they published a decent discussion of what had happened, within a day or so to explain the problems to the customers. They then had about 10 further articles, over the following 3 months, giving a breakdown of what went wrong, what mistakes they'd made, what they'd learned and what they were doing to fix it, as they did it. Plus set up a system where you could have a backup sent to you each week, for peace of mind. They screwed up, but I've a lot more confidence they're doing things better now.

      1. Triggerfish

        Re: Nearly there

        "Lessons learned" yeah the amount of excercise I have seen done like that, only for it to be then out away and no learnt lesson ever being taken from it. basically any file marked lessons learned should be written on soft ply, because its usually so much arse paper.

      2. Anonymous Coward
        Anonymous Coward

        Re: Nearly there

        > only a limited number of our customers have been affected

        I would go further and suggest that the number representing *all* the clients is "limited".

        It is a meaningless word used to imply that the damage is small and could only be inappropriate when describing "infinity".

        1. Justicesays

          Re: Nearly there

          Other "useful" statements

          A small number of our customers <- Meaning, all our customers, but that is a comparatively small number compared to , say, everyone on the planet

          Only a percentage of our customers <- 100%

          A fraction of our customers <- 10/10's

          Save up to 30% <- Save somewhere between 0% and F.A.

  3. Halfmad

    Half hearted thanks and a bit of spin

    Seems to me they're more interested in painting the hacker here, who has DONE THEM A FAVOUR as the culprit.

    Typical knee-jerk defensive posture by the company, we see this all too often these days when they forget they should be busy apologising for the error, making good any fixes and shacking the hackers hand for having saved them from a world of ICO butt hurt.

  4. Terry 6 Silver badge

    no financial information or unencrypted password credentials were vulnerable.

    They always seem to say that when they get caught, these days. As if that makes it OK. But on a site like this who cares about financial details, it's kids' safety they compromised with poor security, not a few f*ing credit cards.

    1. Halfmad

      Re: no financial information or unencrypted password credentials were vulnerable.

      From their perspective it's worse, they put their IP on the line along with their core business.

      1. I ain't Spartacus Gold badge

        Re: no financial information or unencrypted password credentials were vulnerable.

        Also, rather worryingly, their statement sort of suggests that they regard their customers' data as part of the company's IP.

      2. Anonymous Coward
        Anonymous Coward

        Re: no financial information or unencrypted password credentials were vulnerable.

        From their perspective it's worse, they put their IP on the line along with their core business.

        .. which makes me wonder why on earth they had not put in proper segregation. It's not like they were still starting up.

  5. Doctor Syntax Silver badge

    Don't shoot the messenger.

    Woda had better be sure that his site really is secure now and that it stays that way. For a couple of reasons. Firstly, any subsequent visitors who find security holes aren't going to be the sort who report them back to him. Secondly by raising a bit of controversy he's painted a target on his back.

    1. Just Enough

      Re: Don't shoot the messenger.

      That's the main thing to take away from this story.

      If you're going to cause a fuss about someone exposing a hole in your security, with even the slightest suggestion that they're the one at fault, you better be damn sure you're bomb-proof first. You've just attracted everyone's attention and a fair number of the people attracted aren't going to be half as nice. They're going to love making an example of you.

      1. Triggerfish

        Re: Don't shoot the messenger.

        Yep there considerable value in a email along the lines of, "Thanks mate we cocked up there and will sort it asap, heres a few quid buy yourself a pint, and let us know if you see anything else."

        1. Anonymous Coward
          Anonymous Coward

          Deliver the message anonymously

          Or they will shoot you.

          As for uKnowKids, there's no good reason to store all that private data in an internet-facing database in the first place. Sheer lazyness or apathy.

  6. Captain Badmouth
    Coat

    Woda or Yoda?

    "Important to us your security is, all possible measures taken have we "

    Mines the one with the book of common prayer,the Boy scout manual and the nonce's guide to hacking in the hidden pocket.

  7. tiggity Silver badge

    From the website

    from the uknow website (quote about Steve Woda)

    "he brings 15 years of Internet security, eCommerce, big data analytics, and entrepreneurial experience to the uKnow team"

    Maybe they should remove the 15 years of Internet security claim

    1. caffeine addict Silver badge

      Re: From the website

      To be fair - it doesn't say that it's useful experience. I have 25 years experience of drunken dancing but it doesn't mean it's useful...

      1. Anonymous Coward
        Anonymous Coward

        Re: From the website

        I have 25 years experience of drunken dancing but it doesn't mean it's useful...

        Pictures or it didn't happen :)

        1. Darryl

          Re: From the website

          The pictures would have to be redacted to ensure no personally identifiable information.

          1. caffeine addict Silver badge

            Re: From the website

            It's okay - they're pseudoanonymised. I've had my hair cut since then.

  8. Anonymous Coward
    Anonymous Coward

    Pedobear seal of approval

    Tell me more about "keeping kids safe" using mass surveillance.

    1. I ain't Spartacus Gold badge
      Happy

      Re: Pedobear seal of approval

      I keep my children locked in the drawers of a filing cabinet. My kids are safe, are yours?

      1. Mark 85 Silver badge
        Devil

        Re: Pedobear seal of approval

        Locked drawers of a filing cabinet? Woefully insecure as the locks are easily popped. May I recommend an all steel safe with combination lock that only you have the combination to? Also immerse the safe in a large tank of seawater filled with hungry sharks. That should do it.

        1. Anonymous Coward
          Thumb Up

          Re: Pedobear seal of approval

          I hope they have Laser heads!

    2. MrDamage
      Joke

      Re: Pedobear seal of approval

      I keep mine in easily manageable 1kg chunks in the chest freezer.

      Sliced thin, with a bit of wasabi, and they're indistinguishable from Dolphin Sushimi.

      <- Icon, because some people on this site will actually take me seriously if I don't include it.

  9. Anonymous Coward
    Anonymous Coward

    I can't help but imagine the head set from "Child abduction is not funny" south park episode everytime I see this story,

    Along with "uKnowKids, well we do now!"

  10. xeroks

    inaccurate statement?

    I don't understand how the hackers methods "unnecessarily puts customer data and intellectual property at risk."

    Did I miss the bit where he published the information he'd found to the wider community?

    Surely the company not securing the database in the first instance "unnecessarily put customer data and intellectual property at risk"?

    At least the company did acknowledge that he had helped them out.

    1. Crisp Silver badge

      Re: inaccurate statement?

      That was the line that got me as well. "we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk"

      Their customers data was already at risk. If it had not been at risk, his methods would not have worked!

    2. caffeine addict Silver badge

      Re: inaccurate statement?

      It's possible (unlikely, but possible) that he meant that someone poking at SQL injection risked trashing everything in the db. Which, I guess, is putting the data at risk. It just wouldn't have been at risk if they hadn't left the front door open. :/

  11. Will Godfrey Silver badge
    Unhappy

    Rules

    Rule 1 Shoot the messenger.

    Rule 2 The message wasn't really important was it?

    1. allthecoolshortnamesweretaken Silver badge

      Re: Rules

      "The medium is the message."

  12. Anonymous Coward
    Anonymous Coward

    Black hat

    If I'd found that backdoor, I'd have ex-filtrated all the data, and leaked it anonymously, destroying the company for great justice.

    Android (google play store), apple, instagram, facebook, twitter, and all other PRISM members ARE the bad guys. You don't fix that fundamental flaw by pouring security snakeoil all over it. You've just exponentially increased your (and your kid's) attack surface.

    1. Anonymous Blowhard

      Re: Black hat

      "If I'd found that backdoor, I'd have ex-filtrated all the data, and leaked it anonymously, destroying the company for great justice."

      At first I was thinking that you sound like a cure that's worse than the disease, but then I thought you sound like another disease that's worse than the original disease; ever heard the phrase "two wrongs don't make a right"?

      1. Anonymous Coward
        Anonymous Coward

        Re: Black hat

        Nonsense. This is like a vaccine. A weakened version of the disease to prime the immune system (people's blind trust in useless corporations with a baked in culture of insecurity).

        Several doses of vaccine will be needed for full immunity.

      2. Androgynous Cow Herd

        Two wrongs don't make a right

        But two rights can make a U turn.

    2. JayB

      Re: Black hat

      Paranoid much?

      Ok, they were dumbasses, but a proportionate response is NOT to make the records of those kids and families available by leaking it anonymously.

      1) Crusading for Justice does not involve potentially putting those kids at risk (does the phrase "we had to destroy the village to save it" ring any bells?), that is just stupid and malevolent.

      2) Acting to deliberately take down a company you perceive to be recklessly incompetent is just vigilantism of those most cowardly order (doing it under "Anon"????).

      3) As others have stated, 2 wrongs don't make a right.

      A more responsible way to do it would be to notify the firm, allow/help them to fix the issue, get on with life. Which more or less is what happened. The company however might have been a tad better served not being such tools about it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Black hat

        "Market forces" are academic. Laws insufficient.

        Talktalk should have been disassembled on the molecular level, yet they're still in business today. Maybe a little vigilantism is actually required.

        1. Pascal Monett Silver badge

          Re: Maybe a little vigilantism is actually required

          Maybe, but in that it would be preferable that the vigilant be a responsible adult, not a vindictive little brat.

    3. Triggerfish

      Re: Black hat

      You don't fix the flaw by pouring petrol on the fire as well. You may think cool screw the company but in this case it's not cliche to say think of the children.

    4. allthecoolshortnamesweretaken Silver badge

      Re: Black hat

      Ah, the Mike Hammer approach. Judge, jury and executioner rolled into one... One question, though - doesn't it get lonely up there, all alone on your pedestal?

  13. Will Godfrey Silver badge
    Unhappy

    Losing track

    Just remembered something. This is the second (third?) instance of exposure of a large child database in as many months.

    If I was parent/guardian of young children, I'd be getting worried right now.

  14. Anonymous Coward
    Anonymous Coward

    Mixed feelings here

    I know it's a knee jerk reaction to protect the researcher, but where I come from, people seek permission before they attempt to break or affect a site because they could otherwise be accused of attempting to break in (which they are) and thus committing a crime.

    If you stray into a site because you're investigating something else (for instance, something using that site as a router or as a malware trap) you *still* ask permission, not only is it polite but it will also keep you out of jail longer.

    That does not mean I fully agree with the companies' reaction, but the fact remains that our intrepid security researcher has taken possession of information that does not belong to him, has done so without permission and is hanging on to some of it for reasons I find not very convincing. "To keep them honest" - really? How is that going to work? The awkward question remains why he was seeking a vulnerability in that specific system in the first place.

    Even just a quick note "my kids are in your system, do you mind if I have a look - happy to sign an NDA" is better than "Hey, guess what, your database leaks and here is a copy I made just to prove it to you - look at all the child pics I could grab" :).

    If you want to be a white hat, it is best that you develop an approach that will avoid making you look like a black hat. "I'm a security researcher" can be seen as an excuse, so getting permission is a good move. If the site doesn't want to give it, leave them be. It's their loss.

    1. Will Godfrey Silver badge

      Re: Mixed feelings here

      While nice in theory, I've heard of times when a researcher has done exactly that and immediately been hit with a gag lawsuit.

      P.S.

      In this case it's not their loss. It's potentially putting a lot of vulnerable people at risk.

    2. Anonymous Coward
      Anonymous Coward

      Re: Mixed feelings here

      Unscrupulous companies generally do not consent to white-hat hacking attempts, nor do they obtain the informed consent of their innocent victims. If protecting the innocent is your goal, you have to play hardball.

      Speaking as a sysadmin, an anonymous hacker could get my attention by shutting down services. If I see signs of intrusion, I'll shut down the server and raise the alarm. I believe my current clients would do the right thing. Some site owners, however, would just fire me and find a code monkey willing to do the bare minimum to get the site running again.

      In lieu of strong privacy laws, you have to wage a PR war against these jokers. It's not easy. You can't just leak everything. You can't announce that the site is insecure, thus inviting black hats. Probably the best you can do is to grab all their code/config to find more holes, and install backdoors, then keep taking the site down while anonymously leaking redacted evidence all over the internet, until the company closes up shop.

      Again, easier said than done. Ideally "we" should legalize hacking (and grant immunity from lawsuits) and criminalize sloppy security/privacy practices instead. With prison time for proprietors, officers, directors, managers, sysadmins, devs... I guarantee nobody would touch other people's private info after that.

  15. Anonymous Coward
    Unhappy

    > Child tracker outfit

    Does it say something about me that I read this as "Child trafficking outfit"?

  16. Anonymous Coward
    Anonymous Coward

    If they only took 90 minutes to identify the issue and apply the patch then it must have been a known vulnerability so why wasn't the fix already in place. I wonder if they do regular pen tests, design reviews etc?

    Maybe the 15 years Security was as a door man, not in IT?

    1. Jack of Shadows Silver badge

      Also of interest is that the researcher changed IP addresses at least once. Either said researcher moves around or, probably, it took longer than 90 minutes.

    2. MrDamage

      Maybe the 15 years Security was as a door man, not in IT?

      Not the door man. Even the most dense mouth-breathing door man wouldn't have a go at anyone who told them that people were sneaking in via the fire exit while they were guarding the front door.

      He is more akin to the prat in the control room supposedly eye-balling the monitors, but instead has his face stuffed in a Victorias Secret catalog and giving himself a gentle rub.

  17. Cynic_999 Silver badge

    I've never been quite sure of what specific risks people are thinking of wrt a leaked database containing children's names & addresses (or even photographs). What dastardly use might a pedoterrorist make of such information?

    1. Swarthy Silver badge
      Childcatcher

      Not so much a pedoterrorist

      But perhaps the concerns are more about estranged family members who see children as an indirect way to hurt/attack the custodial parent (EG: kidnapping the child during/after an ugly divorce). Or they could be concerned about kidnapping in general.

      I would be a bit more concerned about someone getting that information and using it to set up a disposable credit history in the kids' names. If you think it's hard starting out with no credit history, imagine trying to start out "owing" several hundred thousand of the currency of your choice. - Which is why my kids' info will not be going into any tracking database as long as I can avoid it.

    2. Intractable Potsherd Silver badge

      On the other had, I've never been quite sure of what specific risks people are thinking of wrt thinking that tracking their children is a good idea. The risks from paedoterrists are small, and very unlikely, so why surveil your children?

  18. John Tserkezis

    "Although we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk..."

    And now that it's public, it means we *have* to fix it, rather than, well, not.

  19. bellaj
    Thumb Up

    BBC News Tells the Other Side of the Story

    As always, there are two sides to every story, and it looks like BBC News just shared the other side of the story.

    Pretty interesting revelations.

    Chris Vickery may have some explaining to do too. Calling yourself a “researcher” does not automatically make you ethical.

    Just sayin.

    uKnowKids defends response to data breach alert

    http://www.bbc.com/news/technology-35659828

    1. Scoured Frisbee

      Re: BBC News Tells the Other Side of the Story

      I must have missed it, what was the other side? The story I saw on the BBC was:

      - fellow found obvious site error using search tool

      - site owner reacted with threats and bluster on the initial report

      - fellow was concerned his issue would be swept under the rug

      - site fixed a problem and is no longer indexed by the search tool

      Which is exactly what I got from this article, too.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019