85 comments

[ 5.4 ms ] story [ 153 ms ] thread
The job of one employee versus potentially thousand to hundred thousand customers' security being compromised?
Sounds like a classic abusive boyfriend. "You pointed out security flaws? Look what you made me do. You made me fire these workers."
Or just, you know, abusive partner.
Or just you know, an abusive person.
If they just had fixed the flaws I am sure the researcher would have updated his review to highlight the efforts of the manufacturer. Instead, all the manufacturer did here is create a Streisand Effect for their shitty product.
I'm not sure if I'm more scared of a company that makes horridly insecure devices and then tells its employees "do everything you can, be as manipulative as you can, but get this review taken down", or if I'm more scared of a company that actually tells its employees "I will fire you if you don't get this review taken down".
Aren't those things roughly equivalent to the average worker?
I guess I meant the former in terms of it simply being the worker's job to get the review taken down. No actual threat of being fired at all, but the company has given their implicit (or worse, explicit) 'ok' for using that threat as a manipulation tactic.

Both are forms of moral bankruptcy, I was just curious whether the seemingly-desperate employee was a victim or a player.

To me this seems like an odd tactic to use as the manufacturer. Did the boss just pick some random employee and decide that one guy had to get the review taken down other wise he was fired? Also, I'm inclined to believe that this isn't the case because I also don't believe that those "other reviewers" actually complained about his review. Why would anyone else care that he left a truthful review about the product? If anything, they would be glad that he pointed out such glaring flaws with the product that could potentially damage things plugged into this product.

I'll say one more thing, I hope that he contacted the company directly. It's great that he left this review for others so that they would know how insecure this device is, but I think it's important that he also contact the company directly so that he can help solve the problem. Leaving a bad Amazon review isn't exactly the best way to report a dangerous security flaw in something if you want it to get fixed. Although, it seems like this company isn't one to fix such things anyway ¯\_(ツ)_/¯

Dollars to donuts, there is no employee. It's the manufacturer writing him and concocting a story.
It ought to be criminal, the way it's approaching a found security flaw. The sort of review shenanigans they're pulling should be criminal as well.

Company is revealed to be completely incompetent with regards to security. So their reaction is to harangue and pressure the reviewer instead of fixing the problem.

Sounds like the company is Chinese though.
I've been a top Amazon reviewer -- at one point I was #84 -- and at no time have I seen any reviewer complaining about someone else's review. At least not if it's an honest review based on hands-on experience. (There can be quite an outcry if it's obvious the review is fake, such as someone who clearly didn't read the book she's writing about.)

But if you give an honest opinion -- even one with which I disagree -- I'll never even downvote it, much less report it.

> Did the boss just pick some random employee and decide that one guy had to get the review taken down other wise he was fired?

It's what Sun Tzu did with the maidens. :D Not that I believe it here...

"The result is that the unique network ID of your socket is transported in an unencrypted form to the Chinese server"

The use of The word "Chinese" in this article is amusing.

Is it really important or necessary? Would it be preferable if the data was sent to a US server ?

If you're a US citizen, you would be a bit better off if it was a US server, because the records from the server would be available to the US court system. This is helpful if a customer ends up suing the company, or if there is a security breach that is investigated by US-based law enforcement.

I agree, the inclusion does hint at Sinophobia. But it's also a valid detail for security conscious customers to consider.

Why is it "Sinophobia" to state a fact about where the server is located?
because race, gender, and borders do not exist in the new world order. those who acknowledge them will be eliminated.

just some dumb law a pollack jew lady thought up.

The suggestion is that the location of the server wouldn't have been reported if it went to say...Germany. Or Ireland.
Is there evidence to support that suggestion? Like a similar review about a device that uses a German server but refers to it as a "server in a trustworthy country"?
Because it frames the situation in a certain, coerced way.
How is it coerced? The author reports the facts exactly as they are.

If the author had instead attempted to tie this to, say, past security breaches caused by hackers operating out of China, then that would be framing the situation in a coerced way.

Consider the following:

Man kills man.

Man kills black man.

White man kills black man.

Assuming the facts are all the same, do you understand how the selective informing of facts frames the readers understanding or impression of the issue?

Thanks for the downvote though.

Consider the following:

Human kills human.

Life form kills life form.

At what point does it end? You are splitting hairs and I think you know it.

  You are splitting hairs and I think you know it.
No, not really. I'm explaining how a fact can impart bias. Not sure why this is such a difficult concept to understand.
I am replying to your other comment here since it is not possible to reply to that comment for some reason.

I do not think that is a valid comparison. The author did not go out of her way to point out that the server was located in China. There is no mention of China in the title, and the only place where the author mentions China is several paragraphs in explaining how and where the data is transmitted. There are more mentions of China in this comment than in the entire article.

Finally, for the record, I do not have a verified email associated with this account and thus do not have the ability to downvote.

> I am replying to your other comment here since it is not possible to reply to that comment for some reason.

I think HN applies a rate limiter to comment threads, to help reduce flame wars.

> Finally, for the record, I do not have a verified email associated with this account and thus do not have the ability to downvote.

Accounts get the downvote when they reach a karma threshold. I think that's currently 500, or maybe 750.

That makes sense. Thanks for the explanation.
It's still a fact used to frame the issue in a certain way and does affect a reader's understanding of the issue. If someone with a preexisting bias against Chinese security read this, they would form a more negative opinion of the product than if the fact of where the server was physically was omitted.
I don't think it is. Sure, he's pointing out that the server is in China, but I think he would point it out for many, many countries and continents (Africa, Russia, Ukraine, Mexico, etc.)
I don't see how this would be considered Sinophobia given the history of high-profile security breaches caused by hackers operating out of China.

If the article reported that the data were being sent unencrypted to a Russian server, would that be considered Russophobia?

I think the author could have explained why this detail's inclusion was relevant, as you did very well.

The current phrasing is clumsy and reads like a dogwhistle, although I doubt that was the author's intent.

I think it is highly debatable whether this is a potential dogwhistle. The author explained the facts are they are:

> But if you’re not home, your phone sends the command to a server in China, which then passes the command along to the socket.

> The result is that the unique network ID of your socket is transported in an unencrypted form to the Chinese server — and anyone who gets their hands on the ID can then control the socket.

The problem with tying this to the other security breaches caused by Chinese hackers would actually make this article _more_ sensationalist because that would allege that this company is somehow affiliated with the hacking activity.

If the company and server were located in other countries other than the US, it is highly likely that the author would specify the country as well.

It's the opposite. As a US citizen you have to be afraid of DC while Chinese citizens need to make sure they don't get on Beijing's radar and so on for each nation. It's a matter of under which jurisdiction you are and therefore which governing body has the most freedom-limiting power over you.

These devices are developed in China and hence have Chinese IPs for some call-home feature. As much as I want to be skeptical, I wonder what the HN community would say if it'd be a US or French IP.

Conversely, if you get hacked by someone in the US, you have more recourse than if you get hacked by someone in China. Hence the word "Chinese" in the sentence.
That's true for a company with money for lawyers but not random private person. They will be mostly covered by their bank in case of fraud, but other than that, there's not much you can do. It's like burglary. I know first hand that you go report it to the police and a month later you get a letter that they stopped investigating the crime.

I don't live in the US or China and I find it naive to single out Chinese ip address as bad addresses while not thinking twice about IPs in the US. There is no basis to trust a random ip address in the US more than one in Russia or China. And again, these devices are developed in China so it's natural for them to have a call-home ip that's in China. Instead of reading too much into it, let's first consider the most likely explanation.

If the device's operation is dependent on the GFW passing traffic, that's an operational risk not present for devices backed by servers in other areas.
Of note, from the amazon review: "But before we get to that: I received this product at a discount in return for writing an honest review of it. Onwards!"

Could that have anything to do with the manufacturer's attitude?

I sort of wonder if Amazon is the entity providing the discount.

(I spent a minute trying to figure it out and didn't find anything)

No, because these seem to be clearly marked with a Amazon Vine logo and disclaimer.
Up until just now I assumed Amazon Vine had something to do with Vine.co. I didn't realize Vines were only 8 seconds which would be an impractical format for reviews...
Nope, there's a cottage industry of review-for-discount sites that give people discounts/free items in exchange for reviews, but wink wink don't feel obligated to give it 5 stars.
Would the rep who claims to be in fear of losing her/his job be employed from that cottage industry? That would make the claim sound a bit more plausible, assuming, of course malice in the review-for-discount corps.
I bet you are on to something. But I have never heard of this review-for-discount concept.

I have heard of organizations like this: http://revleap.me/ (I'm sure these guys are completely innocent, they just happened to come up in a DDG search for "get positive amazon reviews".)

If you search for "work from home" you will find lots of shady organizations paying people (pennies) to post reviews, for example on Google Maps.

It's not a huge leap to imagine a service which pays random online workers to contact negative reviewers with sob stories begging for the review to be removed. And it's not hard to imagine that a disposable worker such as that would indeed be fired (simply not offered additional work) if s/he fails to get a review removed.

The organization I linked too shows a picture of what appears to be some kind of negative review alert delivered to a smart phone.

No winking is necessary.

Back when I was among the Top Amazon Reviewers, I'd regularly be asked to review products and (especially) books (primarily those that were self published). I rarely said yes, but when I did I treated them exactly the same as I would for a product I'd bought myself. That included 1- and 2-star reviews... though usually I tried to weed out the crap before saying Yes to such an offer.

The cost really never influenced me. I can afford a $10 novel that I'm interested in. So if you give me that book for free, it's no big deal.

In point of fact I learned to say No to most such offers. Usually novels are self-published only when the author cannot find a traditional publisher. And the traditional publishers usually refuse the book for a good reason. I don't want to waste my time reading crap.... not when there are so many good books to read instead.

Also, the self-published authors really didn't like it when I gave their books less than 5 stars, and magically the review would be downvoted -- as well as the last three unrelated items I'd reviewed. Presumably those neginators were from the author's friends and family. So I just said No, and moved on to books from authors I was sure I'd like.

I can second this.

I design, import, and sell products on Amazon, and when launching a new product I offer them for free or at a deeply discounted price to people who agree to provide an honest review. From my experience, across hundreds of transactions, I can say that reviews that are solicited with free or discounted products are much tougher than those received organically. Most people participating in these review groups are so concerned about being viewed as biased that they move far, far in the other direction. If your product can earn decent ratings with incentivized reviews, you'll do very well with organic reviews.

This is deceptive and you should stop doing it.
Would you mind describing what part of this is deceptive?

Amazon offers its own product-to-review system called Vine that is invite-only. Not all sellers can participate in the Vine program as it's available to Vendor Central sellers, meaning that Amazon purchases the products directly and lists them as 'ships from and sold by Amazon'.

https://www.amazon.com/gp/vine/help

Additionally, on each review, the reviewer is required to explain that they received the product in exchange for a review.

How would you recommend getting reviews for a product, apart from offering them at a discount?

Edit: Added link to Vine FAQ

One of the "good reasons" why publishing houses refuses books is because the author doesn't have an established fan base. So as a new author, you're in an uncomfortable double bind: it's really hard to get published if you don't have a fan base, and it's really go build a fan base if you're not published.

Sure, some authors build a fan base by themselves, go viral, and a publisher gets interested in them (see The Martian, or 50 Shades of Grey, etc). But as any viral phenomenon, quality is not necessarily the reason (see 50 Shades of Grey).

What if you're a good author but not a good marketer/salesman, or just not interested in that part?

I'm biased in all this. I have a full time job, I write as a hobby, publishers ignored my queries, so I self-published my novel. It's far from a masterpiece, but according to a majority of people who have read it, it's also far from crap. My main problem is how to get it in the hands of more people, but I don't have the time or the energy (nor the inclination, really) to also do marketing & sales. That's what publishers are supposed to do :(

You're always influenced. No one ever thinks they are, but it's impossible to be truly objective when someone else is doing you a favor. And even if you happen to be immune, you should just assume that you aren't.

Better yet, don't review free products. It's just spam that the rest of us don't want to sort through, and it buries the truly unbiased reviews.

I don't doubt you, but not everything is like this. Newark sent me a few free items (a BeagleBone and a CodeBug) a few months ago, so that I would review them, but on my condition that the review be honest.

I ended up publishing a glowing review of the CodeBug anyway (https://www.stavros.io/posts/codebug-review/), but that's because I sincerely enjoyed it. I didn't get around to doing anything with the BeagleBone, sadly. Maybe that's why they didn't send me anything else, though :P

I'm sure trying that on Matthew Garrett will work out just fine for them.
How is this a 'threat'?
> The representative then said that she would report Garrett to Amazon if he didn’t take down the review, and that other Amazon reviewers had written in to complain about it.
The threat of being reported to Amazon isn't very threatening, and I was going to chide Techcrunch for being alarmist, but as I began to compose my post, I realized I couldn't come up with a good alternative word in this case, and skimming some online thesauri hasn't helped. Any suggestions? The thing is, if the company had followed through on its threat, the resulting headline would be much less attention-grabbing.

I am assuming the employee-gets-fired threat is not plausible.

I agree with you, I thought they were talking about death threats or similar. What happened was more that he got hassled than threatened.
Harrassed?
Definitely an improvement. I also like Stavrosk's 'hassled'.
The employee fired threat is a threat to the employee, not the reviewer (unless you consider a guilt trip a threat). The whole payload reads more like a tantrum than a 'threat'. Given the state of the world, this headline is more than a bit overblown. I would agree with 'harassed'.
I will continue to ignore Amazon product reviews.
Unfortunately, you cannot. Unless you're searching for a known product or brand, it's the review scores that will affect what results you'll get.
Sounds like the classic excuses you get from chinese sellers, they say their boss will punish them if you've left a bad review, aliexpress will punish their store, company will close etc.

It's no problem though, they can just keep sending out free review units to get their 4 and 5 star reviews. 2 verified purchases from 11 reviews, and one of those got it for free or heavily discounted "The AuYou Power Socket arrived very fast & was packaged well. I received it for an honest & unbiased review"

That is what's really killing Amazon reviews, free products in exchange for 5-star reviews.

What is interesting is that Amazon had the "Amazon Vine" Program which clearly listed that people received the product for free (or at a discount). But for whatever reason that has fallen out of fashion, and now manufacturers recruit outside to get unmarked reviews which sometimes don't list the potential conflict of interests.

I wonder if this behaviour violates FTC's rules[0], I know it was a big thing on YouTube (YT channels failing to disclose financial incentives/conflicts of interests).

[0] https://www.ftc.gov/tips-advice/business-center/guidance/ftc...

I have purchased many things from China on eBay and am now getting spam offering me free products if I review them.

I'm sure that Amazon or any site could detect and cull these reviewers, but would it be in their best interests to do so?

Is Vine discontinued? My buddy still does it, at least until recently
A lot of participants quit a year ago when Amazon began issuing 1099s so participants would pay tax on goods received.
Why do so many have that exact wording "honest and unbiased review"? So bizarre
I'm guessing it's lawyer-specified boilerplate that spreads in the same manner as the ALL CAPS type of language you see in software licenses.
What's the deal with ALL CAPS PARTS in certain legal documents, anyway? It can't possibly carry any legal weight...?
I saw someone say once that it is done to fulfil a legal obligation to make certain clauses obvious and noticeable, or a similar phrasing in contract law.
The Universal Commercial Code requires some terms be "conspicuous" in transactions, and says you can satisfy that requirement with all caps text of equal or greater size than the nearby text. There are some other options, like changing color or alternate fonts, but those are generally just more complicated.[0]

An example of a contract term that must be conspicuous is selling something "as is," ie, claiming no warranty that the thing even works at all.[1]

A note on Universal Codes - nonprofits, usually mostly made up of lawyers, will write model codes for state laws and then try to get them passed in each state so that state laws are predictable. Almost all states have adopted some provisions from the UCC, but several states have adopted modified versions or old revisions.[2]

[0] https://www.law.cornell.edu/ucc/1/1-201

[1] https://www.law.cornell.edu/ucc/2/article2

[2]https://en.wikipedia.org/wiki/Uniform_Act

>There are some other options, like changing color or alternate fonts, but those are generally just more complicated.

The all caps thing is a holdover from the era of typewriters. On most typewriters, switching to bold face required changing the daisywheel or type ball; alternate colours would be lost on xerox- or carbon-copied documents. All caps was the most convenient option.

It's now a vestigial convention, like the floppy disk save icon.

Software licences are often written in plain text. There is no bold and no colour in asci text so uppercase is the only option.
Because they are revealing that they are actually fake and one-sided.

It's like the last time I bought a car at a dealership I got the line "I'll be honest, I haven't sold a car all week and I'll really work with you if you buy one today." Immediate tip-off that he's lying through his teeth.

Completely agree. "I'll be honest" is right up there with "I'm not a racist, but..." in the list of phrases that always self-negate.
Unfortunately, someone who reads this might interact with someone who is claiming to be honest, and truly is being honest.

Never trust a salesman because they're salesman, not because you think you can read their speech and body language.

As soon as I see that phrasing, I close the tab and move on to a different product. If you need to buy your reviews, I'm not buying your product. I see it a lot, which is making shopping on Amazon extremely unpleasant. I wish Amazon would crack down on these obviously paid-for reviews.
The article incorrectly states the risk. If the relay is not solid state, or depending on what is connected to the outlet (I have a 1.7kw espresso machine on my wemo), rapidly switching on and off could easily cause a fire.
Clearly I've been very naive but I had no idea people made a living writing fake reviews: https://www.amazon.com/AuYou-Switch-Wireless-Electronics-Any... What is the point of this? I assume they're after the star rating since anyone who actually reads the review text will know it's bogus.

Wouldn't it be in Amazon's interest to shadowban these accounts?

"But if you're not home, your phone sends the command to a server in China,..."

Do any "smart" devices not try to connect to remote servers, automatically, without asking the user for permission?

Do users care that "smartphones" they carry or other devices they put in their home automatically connect to remote servers so various companies can collect data, ..., turn sockets on/off, etc.?

If we do not like this practice and we want to see change for the better, then maybe we should put our comments in Amazon reviews instead on HN, security blogs, etc.

> Do any "smart" devices not try to connect to remote servers, automatically, without asking the user for permission?

I believe this is the point of Apple Homekit. And probably whatever Google has in the works will follow the same path.

Your IoT devices only talk to your Apple TV, and the Apple TV talks to Apple which provides the cloud-connected app on your phone.

That way the million IoT vendors shouldn't have to worry about security as much, becuase their devices are behind your NAT and communicated with through Apple's security.

If the product functioned, but had a security flaw like that (which doesn't reveal personal information, etc, just could allow someone else to turn your item on or off), I would have given it two stars. It is functional, and for some use-cases it could work (i.e., blocked from the outside Internet). One star would be if it didn't work, or opened a back door from your home network to China.

Still, he shouldn't cave in. The 'they'll fire me' story probably isn't true!