Naff
It can't be just me but I take one look at these toys and equate them to naff overpriced tat and run a mile.
Names, home and email addresses, security questions and answers, and more information on millions of families worldwide have been swiped from a top toymaker's database. And the birthdays, names, and genders of nearly a quarter of a million kiddies have been accessed, too. Chinese electronics giant VTech today admitted its …
Our littlun got given one for xmas a few years back by a family member.
They're not bad pieces of kit, per se, but definitely shouldn't go for the price they do. But VTech are out and out robbing bastards (the one cartridge that comes with the tablet is loaded with nothing but ads).
Not received an email, but logged in to check what might have been lost
- kids name: beetlejuice
- kids dob: wrong day, month and year
- account email: dedicated mailbox
- account pass: random string unique to vtech
- address: 200 miles out
Some would say I have trust issues, but time and time again I seem to be being proven right.
Companies need to stop asking for data they don't need and can't protect
"Some would say I have trust issues"
I fail to see how you could possibly have trust issues. You obviously distrust everyone on the interwebs. Why on earth should you trust them anyway?
Seriously, only an idiot would give valid data to anyone online or offline for that matter where it's not needed.
Have an upvote.
The vTech kit also has the advantage of not needing internet connectivity, so the kids aren't burning your money with micro-transactions or finding their way onto the not quite as child-friendly parts of the internet. That being said, yeah, their prices are fairly ridiculous compared to modern devices.
"Some would say I have trust issues"
As others have suggested, it's others who have trust issues in that they are too trusting with the information they dish out.
Given that this one does have a 'think of the children' slant, we can hope that finally people will sit up and take notice, and begin to question why companies want our data, what they do with it, and whether they can be trusted to keep it safe*.
The first problem is that unless this hits the mainstream news, like the TalkTalk hack, the only people who will ever know about it are the people directly affected, and those who read about it on sites like this one.
The second problem is that even if it does hit the mainstream news (based on what I've heard people saying in response to the TalkTalk problem) most people still won't understand the issues, and will carry on as before.
A side problem is that sometimes we have to give up accurate information - for example if the company needs to do a credit check. That doesn't necessarily mean we trust them with it, though. It just means we swear at the monitor, type the necessary info in, then turn around and bend over. I don't know why keyboards don't come with a detachable 'Enter' key that we can place on the floor behind us. Much easier to drive the point home.
* Answer: nobody can ever truly know that about a company until it's too late, at which point the answer is "no"
The second problem is that even if it does hit the mainstream news (based on what I've heard people saying in response to the TalkTalk problem) most people still won't understand the issues, and will carry on as before.
Especially as VTech are playing the same card as TalkTalk - focusing on direct financial consequences (we don't store credit card details) - rather than acknowledging that losing non-financial data can also be harmful.
As an example, a particularly "entertaining" section from their official statement:
In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).
Correct, but they did lose (from earlier in their statement):
- Name
- Secret question and answer
- Mailing address
- IP address
Which is pretty identifying. Given people re-use secret questions all the damn time, that's more than enough for me to get in contact as "your ISP". All I need to find is a phone number, which is fairly simple given the information above.
I'd have more respect for them if their statement simply read "We fucked up"
The question with giving private info to corporations and government is not "are you paranoid", but rather "are you paranoid ENOUGH"?
For instance, can that dedicated mailbox be linked to you in any way, for instance by looking at the admin details for the domain if you happen to own the domain? etc.
So long as they keep asking for details they don't need, I'll keep providing answers they don't want.
And you get hacked, fact of life.
Moving on... A computer is hacked and you can (Daft punk's Technologic sounds in the background) wipe, re-install, format, disinfect, update, remove, inspect, tamper, re-configure, install, copy, compile, code, patch, upgrade paste...
What can you do to your IoT toaster, TV, heating, smart meter?
Answer: NOOOOOOOTHING!
And yes, I'm drunk! It's Friday!
Dad, I'm trying to buy a moped on installments but no shop would pass my credit check. I do not understand why, I just got my first job and I owe nobody...
Junior, I'm sorry your vtech account was hacked when you were 5 and your identity stolen, your mum and I always wanted to talk to you about it... but we know nothing about IT so...
MD5, a particularly weak hashing algorithm
Not really. Yes, you can construct a collision but in this case you are forced to use printable ASCII of limited length to find a text that hashes to the same unknown password. That does not sound practical. Worse is the absence of salt, which leads to a nice rainbow table attack possibility.
I would assume that an attacker would do it the other way around, where a bunch of passwords are taken from a dictionary or brute-force algorithm, run through an MD5 hash, then the results compared to the list of stolen passwords. A modern GPU could burn through about 2 billion passwords per second (a report found that an nVidia 8800 Ultra could do 200 million per second with approx 576 GFlops of computational power; its modern equivalent, the GeForce Titan X, has about 6100 GFlops of oomph), so going through the most common passwords and most of the English language would probably take an afternoon; throw a botnet / AWS at the problem and you could burn through a significant part of the possible table space in a couple of days.
Of course this assumes that you don't already have a bunch of rainbow tables sitting around already.
I'm confused, I have a Leapfrog my pal scout. Never registered with VTech and yet I am on haveibeenpwned as being part of said hack (though they would have got nothing)
Leapfrog (NYSE) have no connection to VTech (HKSE) other than selling the same type of toys.
I decided to test this and did a forgot password. I logged in and all they have information wise is country Ireland (wrong), no device, no kids, no address.
I then decided to test a spurious email address (bob@bob.com) just to check if it is a way of getting email addresses, no dice for bob.
This leads me to believe that Leapfrog sold my (crap) information to VTech.
Is this legal?
"I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered!"
Yes, you will. You will also be taxed, re-taxed, seized, inflated-away, button-pushed, newspeaked, lawfared, crimethoughted, arrested, re-arrested, terrorised, observed, xkeystored, sold, resold and owned.
... folded, mutilated, and spindled.
The real problem is that everybody here knows what’s wrong with the setup but nobody in the Real World seems to know.
Ordinary adults still naively submit personal details to morons who don’t know how to keep a secret.
Personally I lie about every non-essential detail, and create a unique password for every new online account. Most normal human beings can’t be bothered or don’t understand the risks.
It’s about time that practical standards of security were created and that all vendors collecting personal information be required to adhere to them, or at least to indicate whether they do or not. In Australia, at least, banking, public transport and trades, to name a few, are all regulated. There is no reason that the same consumer protection can’t be applied to privacy & security.