This tool demands access to YOUR ENTIRE DIGITAL LIFE. Is it from GCHQ? No - it's by IKEA

If the Target hack – along with all its predecessors – taught us anything, it's that the database isn't the vulnerability. It's the data that's the problem. If you're collecting data, you're a target. That means you have to ask yourself, “do I need this?” Yet in spite of frequent demonstrations that a determined attacker will …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Have you learned nothing from the NSA?

    You need the haystack to find the needle.

    1. Nick Ryan

      Nearly... the NSA's take on it is that you need every haystack in every farm in every country on the planet. To find a needle that may, or may not, exist in one particular farm. The needle is probably in the sewing kit, on the table.

      1. Evil Auditor

        They simply don't know in which haystack there might be a needle, so they gather all the hay they can possibly get hold of. What's more, they are not even capable of distinguishing between a twitch from hay and a sting from a needle.

        1. Anonymous Coward

          They know where some needles are

          NSA know where some needles are, and the potential victims whose names are on them, but cannot notify the persons whose names are on them, because to do so would alert the outside world that the NSA have been conducting illegal surveillance. (e.g. Boston Marathon bombings)

        2. Michael H.F. Wilkinson

          Schrödinger's needle?

          The needle is only there when they observe it consciously; before that, the needle's waveform is spread out over all possible haystacks.

          Sorry, couldn't resist. Mine is the one with the original manuscript "Towards a Quantum Mechanical Interpretation of Homeopathy" in the pocket

  2. Tim Jenkins

    The IKEA 'Splosh': now available with 4 or 6 drawers in a range of colours

    I get all my kitchen design inspiration from the web, as they are frequently the location for video entertainment which highlights the importance of sturdy worktops, robust cupboard handles and wipe-clean surfaces.

    1. Anonymous Coward

      Re: The IKEA 'Splosh': now available with 4 or 6 drawers in a range of colours

      I'll just clean my keyboard - thanks to your comment - and get on with my day.

      Cheers

      Jon

      1. 's water music

        Re: The IKEA 'Splosh': now available with 4 or 6 drawers in a range of colours

        > I'll just clean my keyboard

        Ewww. I see what you did there.

        1. Euripides Pants

          Re: The IKEA 'Splosh': now available with 4 or 6 drawers in a range of colours

          "Ewww. I see what you did there."

          I wish I didn't...

    2. Anonymous Coward

      Re: The IKEA 'Splosh': now available with 4 or 6 drawers in a range of colours

      French polishing eh?

    3. Anonymous Coward

      Re: The IKEA 'Splosh': now available with 4 or 6 drawers in a range of colours

      If you knew anything about IKEA's naming policy, you would know they use Nordic names.

      So it's IKEA 'Plask' then.

  3. Khaptain

    > However, that doesn't necessarily apply to partners.

    This is the phrase that says it all........

  4. Splodger

    Surely this is all against the Data Protection Act?

    I thought that companies were only allowed to collect and store relevant data.

    1. Anonymous Coward

      Presumably only if the data is held in the UK.

    2. Anonymous Coward

      Only if the data being collected is personal data, and I would surmise that much of the data potentially collected by the app wouldn't be personal data.

  5. Michael Habel

    Since when the hell did a Windows application... (I can only assume that this is a desktop app) need to ask for any permission(s) at all?! I thought this was something that only mobes did...

    1. Filippo

      My thought exactly. If it's a desktop application, there's nothing especially strange about it being able to access all of your files, given that desktop OSes simply don't have the same permission model that mobiles have. Chances are that Chrome just shows that warning on any .exe you download - I don't even see how it could possibly know what permissions the program requires. On Windows, pretty much the only choice is whether to require administrator or not, but even that is not something that can be easily learned without trying to run the app.

    2. Anonymous Coward

      It's a browser plugin? or certainly was last time I used it.

      1. Evil Auditor

        Re "It's a browser plugin? or certainly was last time I used it."

        Posting anon because all your data is now out there?

    3. jai

      He says in the article that it was only Chrome browser that picked it up. If you weren't using Chrome, it wouldn't ask for permission.

  6. Flywheel

    Presumably (alleged) terrorists will no longer be buying their kitchens at Ikea then.

    1. Nunyabiznes

      So IKEA is closed now? The Security Industrial Complex (borrowed from a comment on Bruce Schneier's blog) thinks we are all possible terrorists based on their collection schemes.

  7. rgriffith

    Likely just means it can read and write files to the local machine. Say to load or save your design. As it also communicates with ikea, the warning is just stating the implications of that access.

    Your web browser itself and pretty much any application should have the same warnings.

    1. Charles Manning

      Hanlon's razor

      "Never attribute to malice that which is adequately explained by stupidity."

      They're not accessing or collecting anything. Some dumb programmer just clicked all the permissions.

      Interesting though that Google Ads are telling me there's a bulk discount on tinfoil down at Costco...

    2. dssf

      Well if THAT'S the Case, then ...

      Why do these damned apps not say, "Access to the app-specific folder created to store contents related to this app. NO OTHER FOLDERS will be looked at..."

      Either their language/wording sucks, or they are being very generous to themselves.

  8. Destroy All Monsters

    Kitchen design: Serious business!

    Those sandboxing ideas are NOT WRONG (even if Java on the client makes a hash of it). Where have they gone? Do I need to run the browser in a disposable Virtual Machine?

    1. Paul Crawford

      Re: Kitchen design: Serious business!

      Running a browser in a slim VM might be the safest general approach.

      Under Linux there is also the option of having apparmor sandbox the browser and limit reading and writing, though that profile (e.g. firefox) is off by default on Ubuntu. I don't know why that is, probably so users don't see Firefox, etc, crash and burn without warning when they try to save or upload from anywhere other than the Downloads directory.

  9. SuperTim

    All your computer data for an online tool, or...

    Your soul if you dare set foot in the pallet warehouse itself!

    1. jai

      Re: All your computer data for an online tool, or...

      but, to be fair, in return for your soul, they will give you meatballs!!

      (some even without horsemeat!)

  10. Forget It

    Kitchen sink approach to asking permission

    1. Anonymous Coward

      damn

      That was funnier the way I read it the first time:

      Sink kitchen approach to asking permission.

      I need another drink.

  11. Refugee from Windows

    Cheap

    Apparently they'd like my email address, and offer a bribe of 100 tea lights. Come on, I'm not that cheap.

    1. Anonymous Coward

      Re: Cheap

      200 tealights, a hot dog and one of those bags of small Daim bars?

      1. Swarthy

        Re: Cheap

        You got me with the Daim candy. Especially if it's the older recipe without the coconut oil.

  12. Anonymous Coward

    Looks familiar

    As a SQL Server admin I'm tired of seeing third-party applications that ask for an 'sa' level login, but when pushed they can't honestly definitely say exactly WHY. Or the Windows service account that needs to be a local admin, with the same justification: "we always configure it that way".

    Lazy and/or time constrained developers!

    1. Anonymous Coward

      Re: Looks familiar

      Ugh... We had one software vendor tell us to disable DEP both on client machines AND a server to solve an issue with their software crashing in certain cases. I told them I wasn't turning off a security feature that had (at the time) been around for over 7 years.

      Although it was actually pleasing to hear them suggest something other than "reinstall the software", which was their usual fix.

  13. Anonymous Coward

    If you've done nothing wrong, you've got nothing to hide.

    1. jai

      but what is 'wrong' in the eyes of Ikea?

      Buying your sofa from DFS? Getting a bedside table from John Lewis?

      1. Anonymous Coward

        but what is 'wrong' in the eyes of Ikea?

        Sleeping three in a single bed?

  14. Anonymous Coward

    You have privacy concerns, yet you use Chrome?

    1. Michael Habel

      You have privacy concerns, yet you use Chrome?

      He shoots... He scores!! OUCH!!

      1. Anonymous Coward

        a hosts file is all that's required

        To fuck Google's auto-collection... until they build a DNS client into their browser. Of course, since I run my own DNS, I can make it authoritative for any domain I choose.

  15. Anonymous Coward

    Key access

    But nobody will be able to access your data without the key. Which will be an Allen key missing from the flatpack...

    1. I am not spartacus

      I was going with:

      They can have my data. It's all ones and zeros. Now all they have to do is put it together.

      but the missing Allen key is good, too.

  16. Anonymous Coward

    NSA, GCHQ, KGB,...IKEA??

    Obviously, the patriarchy has fiendishly discovered that the hoi polloi can never unite to demand international brotherhood and justice if they are kept busy looking for the sixth screw that the instructions say is needed to complete assembly!

    "Honey!? Did you see another packet of hardware when we unpacked the bookcase?"

  17. Erik N.

    It's not a site

    "Moreover, the warning wasn't raised by the kitchen planning tool. The Register only spotted it because Chrome raised the dialog. No such warning appeared when we accessed the same site on Firefox, for example."

    The warning is raised because it is trying to install a Chrome Extension. All Chrome Extensions must declare the permissions they wish to use (or optionally use). Lazy developers request them all because they can't be bothered to look at the docs and see which ones are required by the API they are using.

    If it tries to install a Firefox Add-on, it will ask if you want to install it. Firefox does not have a permission model for Add-ons. Firefox Add-ons are run as trusted code. It's all JavaScript, so if you're a developer you can always download the XPI, unzip it, and see what it does. I know that's not much help to those who are not Firefox Add-on developers. The downside to Chrome is they can put all of their extension code into NaCl so you can't tell what they are doing with the permissions they've requested (well, you could find a disassembler and work it out).

    Neither browser by design allows JavaScript from a website to access anything on your computer (there are flaws that do though). In either case you will be warned before you install an Extension/Add-on.

    For the record, I am an Add-on/Extension developer and I don't find the entire model of these extensions to be entirely satisfactory. I wish all of the browsers had much better/finer access control, but there will also always be bugs that allow the permissions to fail. If you can't live with the state of things, don't install extensions or get a VBox/VMWare image that you can browse with and always roll back to the last good snapshot.
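
Erik N.'s point above, that a Chrome extension must declare every permission it uses in its manifest and that developers tend to tick all the boxes, is something you can check mechanically before installing. What follows is an added example, not code from the article, from IKEA, from 2020 or from any commenter: a small Node.js script that reads a Chrome extension manifest (manifest version 2 or 3) and flags host patterns and API permissions that grant access far beyond what a kitchen planner should need. The two manifests are constructed for illustration, `planner.example.com` is an assumed host, and the list of permissions treated as sensitive is this example's own judgement rather than Chrome's classification.

```javascript
// Added example (not from the article, IKEA, 2020 or any commenter): flag
// over-broad permissions in a Chrome extension manifest. Handles both
// manifest_version 2 (host patterns live in "permissions") and 3 (they move
// to "host_permissions"). Runs under Node.js with no dependencies.

// Host match patterns that cover every site the user visits, or local files.
const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*",
]);

// API permissions that expose browsing activity or the local machine.
// Which ones count as "sensitive" is this example's own judgement, not Chrome's.
const SENSITIVE_PERMISSIONS = new Set([
  "tabs", "history", "bookmarks", "cookies", "webRequest", "webRequestBlocking",
  "nativeMessaging", "downloads", "clipboardRead", "management", "debugger", "proxy",
]);

// A permission entry is a host pattern if it is a URL-style match pattern.
function isHostPattern(entry) {
  return entry === "<all_urls>" || entry.includes("://");
}

// Collect every host pattern the extension can act on: declared permissions,
// MV3 host_permissions, and the "matches" of any content scripts.
function collectHostPatterns(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ].filter(isHostPattern);
  const injected = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  return [...new Set([...declared, ...injected])];
}

// Audit a parsed manifest. Returns the broad host patterns and sensitive API
// permissions found (sorted), plus a flagged boolean; the caller decides what to do.
function auditManifest(manifest) {
  const broadHosts = collectHostPatterns(manifest)
    .filter(p => BROAD_HOST_PATTERNS.has(p))
    .sort();
  const apiPerms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ].filter(p => !isHostPattern(p));
  const sensitive = [...new Set(apiPerms.filter(p => SENSITIVE_PERMISSIONS.has(p)))].sort();
  return { broadHosts, sensitive, flagged: broadHosts.length > 0 || sensitive.length > 0 };
}

// Convenience wrapper for raw manifest.json text, e.g. read from an unpacked extension.
function auditManifestJson(text) {
  return auditManifest(JSON.parse(text));
}

// Constructed sample 1: the "worked in the lab, never tightened" manifest.
const greedyManifest = {
  manifest_version: 2,
  name: "Planner helper (constructed example)",
  permissions: ["<all_urls>", "tabs", "history", "nativeMessaging", "storage"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["planner.js"] }],
};

// Constructed sample 2: the same extension scoped to one assumed planner host.
const scopedManifest = {
  manifest_version: 3,
  name: "Planner helper (constructed example)",
  permissions: ["storage"],
  host_permissions: ["https://planner.example.com/*"],
  content_scripts: [{ matches: ["https://planner.example.com/*"], js: ["planner.js"] }],
};

// Report on both constructed manifests when run directly.
for (const m of [greedyManifest, scopedManifest]) {
  console.log(`${m.name} (MV${m.manifest_version}):`, JSON.stringify(auditManifest(m)));
}
```

To audit a real extension, unpack it and pass the contents of its manifest.json to `auditManifestJson`. A manifest that asks for `<all_urls>` together with `tabs` and `history` is exactly what produces the sweeping access warning Chrome showed The Register, whether or not the extension ever exercises those permissions; the scoped manifest requests the same functionality limited to the one host the planner actually talks to, which is the change the article suggests the developer never went back to make.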

  18. Anonymous Noel Coward

    I always knew IKEA (Information Kommunikation Elektronisk Agentur) was a name for a Swedish Governmental Agency.

  19. mark 63

    "It's probable that the developer created the app with the widest possible permissions so it worked easily in the lab, and never went back and changed them to something appropriate for the Internet: I accept that."

    lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy !!!!!!

    and dangerous

    and amateur

    The amount of software I've had to carefully recreate the conditions of the developer's bedroom in order to get it to work! Usually bought by govt depts, schools or colleges.

    also software designed for businesses that seems oblivious to the idea of a "roaming profile", or that the user may not have admin rights

    1. A J Stiles

      Well, what else would you expect from a self-taught "developer" in his mother's back bedroom with a pirate copy of Microsoft Visual Studio?

  20. Anonymous Coward

    Malice possible

    I'm afraid I've known enough people in the industry to treat seriously the idea that this could be a malicious slurp. "Sure," some greasy manager says, "let's try to grab as much as we can. When we've built a good customer base we'll leverage that and sell out."

    It's not evil -- it's just a complete lack of respect and a willingness to throw everybody else under the bus because it's about getting on, innit?

  21. pacman7de

    The lesson of the Target hack?

    "If the Target hack – along with all its predecessors – taught us anything, it's that the database isn't the vulnerability. It's the data that's the problem"

    No, the lesson is don't connect your POS terminals to the Internet and don't run your POS infrastructure without a full irrevocable auditing system in place.

    The internet is no place for critical infrastructure

    "The debate topic I propose here can therefore be restated as calling out, “Hypocrisy!” on the claim that the Internet is a critical infrastructure either directly or by transitive closure with the applications that run on or over it"

    1. Destroy All Monsters

      Re: The lesson of the Target hack?

      So much cussing!

  22. Anonymous Coward

    Not just ikea

    IKEA is not the only company using the tool from 2020 net; practically every kitchen planner site here in Oz is based on the 2020 plugin (including Bunnings/Kaboodle).

  23. John Savard

    Without the NSA's Budget

    Since no doubt the Försvarets Radioanstalt doesn't have as much money as the NSA, it's not surprising they would have to take short cuts...

  24. tracyanne

    Fortunately I use Linux Mint

    and Ikea don't support Linux based operating systems (apparently we Linux users don't buy anything or renovate our kitchens), so I can't install the plugin, which means I can't inadvertently give away all my data.

  25. Anonymous Coward

    This is one reason I have a SME router, and loads of security plugins in software.

    My router has several domain and port blocks, my Firefox is heavily secured using several plugins, and I use the SRWare Iron build of Chrome. I tend to run intrusive stuff on a separate browser, even a browser in a Virtual Box OS VM, to stop leakage.

    Don't trust anyone fully until they prove they can be trusted, and never keep personal details where they can be hoovered up!

  26. Michael 28

    http://www.theregister.co.uk/2013/10/29/dont_brew_that_cuppa_your_kettle_could_be_a_spambot/

    hmmm......the p̶o̶t̶ plot thickens!
