42 comments

[ 0.22 ms ] story [ 116 ms ] thread
Well right off the bat,

"find new friends and exchange messages and images. Given the nature of this app, it’s quite interesting that Google Play allows everyone above 13 to download and use this app." -- gross and disturbing, since other users can control the device.

Edit: haha, apparently downvoted by two pedophiles

Serious question: Does Google Play support/allow 18+/adult-only apps? Not via those apps' terms but through the Play Store itself. Because if - as I suspect - they don't, your comment seems mostly like a pedantic application of terms that obviously don't really apply in this particular situation.
The Play Store in the US users ESRB ratings including "Mature" (17+) and "Adults Only". But it doesn't allow apps that "contain or promote pornography". It's possible there's a carve-out for actual sex as a health-related app category if it's not too erotic.
Allowing 14 year olds to use an app to control a sex toy is still disgusting, and a policy allowing it is equally disgusting. Policy should be changed then.

And anyone downvoting dare to actually have a conversation about what you find so acceptable about allowing kids to use this app? To be clear, I don't care about votes, but it's certainly a curious topic to downvote quietly

It’s been a few decades, but I’m pretty sure I was self-pleasuring by around that age, which seems fairly normal and healthy to me.

This seems like a reasonable accessory that some people might choose for that valid purpose.

(For clarity I didn’t downvote.)

sex toys yes, internet-enabled sex toys no. teens can use regular magic wands with nothing more sophisticated than a oscillation dial. morals aside, underage use of this would probably fall afoul of child porn laws, even if both parties to the teledildonics session were minors (see the litigation on sexting)
I should have been clearer that the big part of my issue is that it is connected to social media, so it's not just a 14 year old with a toy, it's likely going to be a 40 guy and a 14 year old, "hey let's meet up this weekend, I'm 14 too"
Uh, what's wrong with teens using sex toys?

I mean, it's widely agreed that people under 18 cannot consent to sexual contact, but this is the first time I've seen someone extend this to sexual contact with themselves.

(Sex toys are largely used for masturbation.)

> I mean, it's widely agreed that people under 18 cannot consent to sexual contact

Where? The age of consent varies wildly. Even within the U.S.

Nothing! but this is social media connected device, allowing kids and adults to share a sex toy, share photos, etc...I have a hard time seeing it appropriate in that context
I can't edit it now, but in retrospect, calling other HN users outright pedophiles was inappropriate, and uncalled for. I should have chosen a better retort
Kudos for displaying some remorse. It’s rare to see that online.
This brings a whole new meaning to the term “pen testing”.
This article does not seem to use the word "dildonics". :(
> Based on the debug messages, I’ve started to build a file that can be flashed on the device. I’ve lost interest in that shortly after

ohboy. Aftermarket retuned lovebot firmware. "Celebrity personality" modes, maybe.

An Open Source firmware for these things already exists: https://buttplug.io/
Great choice of a domain.
Certainly more dynamic than buttplug.in
... Welp, guess what domain I own now. :|

Our new documentation website is going to be how.do.i.get.the.buttplug.in

a friend owns lv2plug.in but that's all about FLOSS audio plugins :)
On a similar note... is there an ".out" TLD?
The buttplug.io project lead posts on hn sometimes.
He also maintains the btleplug Rust crate, one of the more popular cross-platform BLE central libraries. A coworker started testing it recently, and so far it seems pretty great.
Oh, awesome, thanks! There's been a lot of action on the crate recently, it's been really wonderful getting all of the contributions in and having the system work across multiple OSes.

Hopefully we'll have Android support soon! :D

The buttplug.io project lead posted this article. :3
“Who does Number Two work for!?” — Austin Powers
>06/18/2021: Received notification that this issue might be addressed in the future.

What a reply to a vulnerability notice. It has been two months since then, have they fixed it?

So, why is IoT security like this?

Is it just people who aren't used to deploying to a maliciously hostile environment suddenly having to deal with that?

I've heard that hardware-side pay tends to be lower than software-side, so is it hardware companies not wanting to pay for experienced software people?

Is it actually not any worse than typical software, but just more noticeable because meatspace?

It's because people who aren't used to deploying to a maliciously hostile environment don't deal with it and deploy anyway
In my experience it's a combination of a few things. First is time. Consumer electronics has very aggressive release schedules and development cost constraints. That means the software is usually the cheapest, quickest junk someone could throw together. There usually isn't the time or the money to create the kinds of process infrastructure that allows you to produce secure code. Worse, vendor support on much of this stuff is usually outdated garbage and the more deeply embedded, the worse it is.

Also there are just some plain bad practices floating around. I once had a manager who refused to allow version control and would simply remote into my computer overnight to delete any files they didn't personally like. Think any careful, security-conscious work got done in that environment?

I think part of it too is that they don’t have to care. Most customers don’t know enough to care and they don’t have any legal obligations with respect to security so why bother?
Wow. My commiserations!

Ironically such paranoid control of file use must have left you wanting to "back up" your work onto alternate storage. Naturally said backups would go offsite with you each night.

I ended up just using a personal git server. I believe the company dissolved not long after I left, so those private repos may be all that's left of it.
> "So, why is IoT security like this?"

Cheap consumer IoT devices cut corners on everything so the developers too just do the absolute minimum to make it work, security be damned.

For industrial / commercial IoT devices, you have both low-level (e.g. device driver) devs who know squat about running a secure network making design decisions and customers with extremely low quality IT staff who also make poor design decisions with respect to security and also ignore firmware updates even when they contain security fixes.

It's just a mess all around.

Hardware side anything will always have higher fixed costs (unit production, physical QA, more healt & safety &compliance testing) and lower margins compared to a 100% software company.
In the early days of Android smartphones, there were a lot of very basic security holes: https://forum.xda-developers.com/t/root-security-root-exploi...

I always attributed it to consumer electronics company developers who'd never previously had to touch the icky internet not realizing how dangerous it was; this was the sort of mistake that the likes of Microsoft were making in the late 90s.

I expect the state of IoT security is similar; as it matures it'll improve.

>It seems that 66 is the maximum value for the vibration level.

Missed a huge opportunity to make it 69.

One can not be too anal about security.