71 comments

[ 2.8 ms ] story [ 134 ms ] thread
Wow, is there an article for this yet? Just happened to me. Not good.
A bunch of people got the single digit 1 as a notification.

Sounds pretty benign to me. I can think of a half dozen ways to accidentally do that (assuming an environment without adequate safeguards)

> assuming an environment without adequate safeguards

This is the bit that worries me.

Last year some time I got about half a dozen ‘test message’ notifications from a ride share app in the middle of the night. It’s a pretty easy mistake to make.
They just obtained the location of EVERY phone - you don't think that wasn't an invasion of privacy
There's no evidence of that.

I got the '1' on one of my Samsung Galaxys before I saw this. I tried using FMP from another device on the same Samsung account. I got separate notifications regarding that it reported my location and reported nearby WiFi servers it could find.

The '1' notification indicated no such detail.

(comment deleted)
I’d say “you get what you pay for” but it’s Samsung; I don’t know what you’re paying for.
Same here. I saw it literally 1 minute ago and there is already a hackernews article.
That's hilarious, this happened to me right before I saw this was my top story. (I use the hide feature a lot.)

Anyway I guess no one's targeting me personally, so I'll just wait for the post mortem.

I don't know the best way to handle customer worries after sth like this, but I'm sure "a samsung care ambassador replied on page 22" is not the best way.

At the very least, ensure that a google/bing/ddg/... search ends up in that thread, where a pinned note explains it.

Genuinely curious who comes up with titles like: Samsung Care Ambassador
I wouldn't be surprised if that's one of those unpaid / volunteer things -- you know, where the company allows one to provide free support to other customers for, um, the "prestige" or "recognition" or something. Dell used to do that with their forums and such, not sure if they still do.

Kinda like how years ago [0] folks who wanted you to design a web site for them for free would try to bullshit you into believing that "the exposure" would be worth waaaaaaay more than any money that they might pay you.

---

[0]: I'm assuming enough people finally said "FYPM" that this doesn't happen so much anymore but I would not be shocked to find out I'm wrong.

The same person who decided to rename helpdesk/support to "Customer Success Executives"
Either a dev was playing around and oopsied or they got hacked.
Almost certainly the former. Careful people need to be in charge and keep a tight leash on people who are careless until they are careful.

Also pre-emptive response to “something something about systems something cgpgrey”. At the end of the day we live in the real world with imperfections everywhere. Every system eventually boils down to trust in humans.

1 (number one) is popular in "injection" attacks as it is likely to go through and not throw an error. If you login as admin to your web based control panel and is greeted with an alert(1) you know you are fucked.
I've never been a dev in such a large environment but devs shouldn't even be able to touch such a production environment imo.

They do their testing and then hand over to deployment. After that they're out of the picture until the next update needs to roll out.

They can't have direct access to API keys for live apps in production.

and this is the reason why all my tests are reasonable sane strings which customers could see and not something like "fuck 1", "fuck 2", etc
On the other hand I'd say that having them be that is more incentive to keep things safe.
From a Samsung Care Abassador on page 22 of comments:

> Hey everyone,

> From what I can tell, this is a some test on Samsung's end to assure services are working. U expect Samsung will make an official statement explaining but I want to mention it now to hopefully put some of you at ease.

> I hope this helps.

Samsung Care Ambassador sounds like someone who answers questions in that forum and doesn't get paid
Exactly and it sounds like they don't know why it happened either.
I'm starting to think Samsung is running a social experiment instead
This notification comes from an app that is designed to tell a remote user where you are located. That was enough to spook me.

I dismissed the notification, deleted as much data from Samsung apps as possible, and turned my phone off.

Rough moment to be a Samsung executive. They're just about the only top smartphone manufacturer that doesn't manufacture the vast majority of their handsets in China so presumably they are in position to take some market share from the competition. Yet today we are seeing some fear about contagion in SK, and this very strange notification that -- benign or not -- is going to scare some users (e.g. me). I for one would like to see a formal statement made to the public.

This spooked me as well. I never used any of the Samsung apps on my phone and never created the Samsung account. Since apps come pre-installed, it was in the back of my head that Samsung could access the data anyway, but I dismissed it as company suicide to do something like this.

Since so many people received notification, it could be that some "Samsung God mode" exists.

On the idea that taking and sharing your personal data without an opt-in would be company suicide:

Samsung has already hit this sort of scandal with its smart televisions and nobody really cared.

https://www.cnet.com/news/samsungs-warning-our-smart-tvs-rec...

The expectation that the free market will keep companies from spying on us...well, it would be nice, but increasingly it seems to be wishful thinking.

Samsung can already do OTA updates. Their software runs on the phone. You already have to put some trust on them.
AFAIK, LG also doesn't manufacture in China. It used to manufacture in SK until last year, then it moved production to Vietnam.
LG and Samsung both manufacture a small portion of their handsets in China if I'm not mistaken.

But yes, LG did move South Korean production to Vietnam. Aside from these countries, LG also produces in Brazil and India: https://www.reuters.com/article/us-lg-elec-mobile/lg-electro...

However, Samsung represents approximately a third of the world's smartphone market, while LG is something like 3% -- tagging along behind Samsung, Huawei, Apple, Xiaomi, and Oppo.

My LG G8 ThinQ was made in Vietnam
While remote tracking, bricking, etc is very useful, I do not trust any company to make it secure enough, so the features becomes moot. It would be better if I could create a encryption key myself to be sure that only I had access to those features.
Why was the title changed? This is a samsung specific issue and the loss of specificity detracts from the title.
For sure someone at Samsung is now called "No. 1 Developer" :)
(comment deleted)
(comment deleted)
These companies have an insane amount of control, power and insight into our lifes via our telephones. When we see but a sliver of said power, we freak out.
(comment deleted)
I'm not an Android dev, but isn't it nothing about privacy or remote control (apart from sending the notification) contrary to the reactions in the comments?

AFAIK, Android/iOS push notifications works quite independently from the app itself. Even if the app is not running in the background the app server can send a message to Google/Apple (not to Samsung) and Google/Apple send the message to the device to show the message. Correct me if I'm wrong.

On Android the app needs code to receive the push message and post a notification.

On IOS, the app developer has less control.