Not a Good Look

Full disclosure–a phrase that’s highly relevant to today’s post–here: I have a Wyze camera. We use it for monitoring cats. At various times, it’s been the RufusCam, the LeftyCam, and the MeezerCam. Currently, it’s pointed at the Backyard Bowl, so we can see who shows up to indulge in gooshy fud and catnip.

So, given the background, you can easily understand why I’m rather perturbed by the recent reports of a significant security flaw in Wyze’s equipment.

Brief pause to remedy a potential knowledge gap: Wyze started out making amazingly cheap wi-fi cameras. Where most companies were selling cameras for $100 and up, one could buy a Wyze camera with most of the same features for $20. Obviously, they quickly became popular with people who wanted to keep tabs on pets, property, and progeny.

Wyze has since branched out into related products (video doorbells, door locks, camera accessories, for example)–and some not-so-related products like vacuum cleaners and headphones. Their focus has remained the same, though: most of the same features, but at a fraction of the cost.

A company selling security products should take great care to make sure their products are, you know, secure. Right? Maybe not. The latest reports suggest that Wyze not only knew about a bug for years before they fixed it, but Bitdefender, the security company that found the issue, kept quiet about it as well.

This isn’t the first time Wyze has been involved in security issues. As recently as 2018, there were reports that their cameras were sending information–metadata, if not actual video–to servers in China. Wyze eventually confirmed the reports, but blamed a third-party that was part of their backend infrastructure. In 2019, they accidentally removed security features from an internal customer database, leading to information on 2.4 million customers being exposed to the Internet.

To me, this latest failure is the worst. Not because of the severity of the bug. As I understand it, it’s not an over-the-Internet vulnerability; any attacker would need to be close enough to get onto the same wi-fi network as the target camera. My concern is that Wyze sat on the bug for three years before fixing it; even after it was fixed, they didn’t give their customers any information about the bug or how they might have been affected; and, arguably worst, they somehow persuaded Bitdefender* not to release any warning to the world about the bug until after they had finally fixed it.

* Highly annoying: Bitdefender’s much-delayed press release even suggests people should use Bitdefender’s products to identify vulnerable devices on their home networks.

More full disclosure: I recently started using Bitdefender’s “Total Security” software and like it. Ironically, the thing I like most about it is that it gives more information about threats it’s blocking than the anti-malware package I used to use.

As a society, we don’t require companies to reveal security breaches in a timely fashion, or to accept meaningful accountability–“Oopsie, my bad. So sorry we let hackers get your personal information,” is not accepting responsibility, right [insert the name of darn near every company in the world]?

But companies that specialize in security need to be held to a higher standard. They need to keep their clients in the loop when things go bad. And they have to make up for their errors. Not necessarily fines, though in some cases that might be the right thing, but something that makes them share the pain they’ve inflicted on their customers.

I’m not quite ready to toss out my Wyze camera–though I doubt I’ll be buying any more of them–and I’m not uninstalling Total Security either. Yet.

Nor am I urging anyone else to dump Wyze or Bitdefender. But I am considering it, and you should too.

Multiple Responsibilities

Sachiko, as I’ve said before, is the junior member of our home security force. The Ooki Brothers, Watanuki and Yuki, concentrate on external security, alerting us to intruders in the back yard. Sachiko’s remit is internal.

She can often be found on the landing halfway up the stairs. The security station there gives her a clear view of the upstairs hallway…

and the foyer downstairs.

As the youngest member of the security team, she’s also been given responsibility for our digital security. Here, for example, you can see her watching over Maggie’s abandoned laptop. Sachiko will guard it against theft, accidental damage, or unauthorized posts about lesser species, especially dogs, squirrels, and raccoons.

Note, by the way, the mouse carefully positioned in front of her. Mice are, of course, a prey species. Sachiko takes her secondary role as Gravity’s Little Helper just as seriously as her other security duties. She’s more than happy to defenestrate any rodents she finds in the vicinity of valuable electronics.

Who’s Keeping Watch?

Yes, the turkeys are still hanging around the neighborhood. If decades of Thanksgivings haven’t scared them off, a few coyotes aren’t going to do the trick.

And besides, there’s safety in numbers. That is, after all, why birds flock and herbivores herd.

And the turkeys have it down to a science: we’ll often see a few birds hanging out away from the main flock, keeping watch. Human miscreants do the same thing, assigning a member of the group to keep an eye out for the authorities while the rest of them get on with their anti-social activities.

That made this seem like just another day in the neighborhood.

Until I looked again.

No sign of the rest of the flock. No other lookouts.

This lone turkey seems awfully well positioned to watch our house. Was he casing the joint in preparation for a future prank? We have had mass turkey landings on the roof before (they’re not graceful fliers or landers; it sounds like a box of bowling balls being dropped on the shingles). And Halloween is coming: the traditional time for tricks.

Still, the bird was on public ground–or, more precisely, public tree–so it’s not like I could chase him away.

And it’s probably just as well I didn’t, because a little later, I found this charming little scene.

That’s Watanuki, head of our internal security force, trying out a new role as an in-home recycling adviser.

I’m still not sure if ‘Nuki is having a mid-life crisis and trying out a new career or if he’s just bored and looking for new challenges.

But either way, it seems he’s more responsible than we thought. During this time of transition, he’s obviously contracted with the turkeys to keep a skywatch on the house.

Now that’s security done right.

Ready, Aim…

Joel Stein’s LA Times piece on Nextdoor is worth reading.

Not that he’s saying anything new–Oakland residents have been fighting Nextdoor’s rather lax and inconsistent approach to policing content for years. But he does say it entertainingly.

Nextdoor, for those of you who haven’t heard of it or were smart enough not to join, is supposed to be the electronic town square. Think Facebook, but strictly limited by geographic neighborhoods. You can see posts in your own neighborhood* and in adjoining neighborhoods, but nothing else.

* There are a number of methods used to verify that you live where you say you do. Some are of rather questionable utility, but at least Nextdoor is making an effort.

In theory, it’s a combination local bulletin board, neighborhood watch, and community chatline. In practice, well, as Joel says

In the alternative reality that is Nextdoor, people are committing crimes I’ve never even thought of: casing, lurking, knocking on doors at 11:45 p.m., coating mailbox flaps with glue, “asking people for jumper cables but not actually having a car,” light bulb stealing, taking photos of homes, being an “unstable female” and “stashing a car in my private garage.”

And he’s right on the money.

Except that he missed a couple of items. Roughly half the posts on any given day are pet related. “My dog/cat/parrot is missing.” “Somebody’s using the public park to train attack dogs.” And, of course, “All of you better stop letting your dogs crap on my yard!”

And then there’s the inevitable response to any post, frequently from multiple people:

“Someone claiming to be from PG&E knocked on my door.” “That’s a scam. He was just trying to see if anyone was home. If he comes back, shoot him.”

“There’s a strange man walking along the sidewalk. He had a camera and was taking pictures.” “He’s casing houses to break into later. If he comes on your property, shoot him.”

“I’m sick and tired of cleaning dog droppings off my lawn.” “Next time you see a dog on your lawn, shoot it.”

Are you seeing a pattern here?

Yes, even the missing pet posts get responses like “Don’t expect to see Fluffy again, ’cause I’m gonna shoot her if she keeps messing with my chickens.”

Don’t even think about reading any thread related to gun control, unless you really enjoy repeated regurgitation of the NRA’s favorite talking points, wild exaggerations, and outright lies, all mixed with threats of violence against anyone who “comes to take my guns.”

I don’t know, maybe it’s just here. According to Nextdoor, there are 237 people signed up in my neighborhood, and I can see posts from 6,756 people in the adjoining areas. That’s a small enough group–given that more than 90% of people on any social network rarely post more than once or twice–that a few lunatics may be disproportionately represented. Anyone else, especially in larger neighborhoods, seeing the same thing?

Not Just No

Not just no, but hell no. I’d use an even stronger word, but I try to keep this blog within shouting distance of being safe for work.

As anyone who reads this blog regularly has probably guessed, I’m talking about the just-announced Amazon Key service.

For those of you who haven’t heard about Amazon Key, it’s the Big A’s take on an idea Walmart introduced recently: a way for delivery people to put your packages inside the house, so they can’t be stolen.

Walmart’s version, by the way, is a little creepier: they’re offering the service for groceries, and it includes putting them in your fridge. For now, Amazon Key seems to be limited to setting your packages inside the door and leaving it at that. I say “for now” because it’s apparently their way of getting a foot in the door (sorry) and will be expanded later to offer services such as dog walking and housekeeping.

The way the service will work is relatively straightforward: you (well, not you, because I hope everyone reading this blog is smart enough to give Amazon Key a pass) buy a particular Wi-Fi camera and smart lock. Once they’re installed, if you don’t answer the door, your friendly package delivery peon can contact somebody at Amazon HQ, who will remotely unlock the door. You get an alert on your phone and can use your phone and the camera to watch the peon put your packages inside. Presumably the door will lock again when it’s closed.

Amazon claims they’ll be vetting the delivery people. That’s nice. They also claim to vet the current delivery people. You know, the ones who park in the middle of the street and hurl packages over the fence. (A side note: since I wrote that post, I’ve seen several female Amazon delivery peons. Most of them were accompanied by males who were, unlike the women, not wearing any Amazon logo-bearing clothing. Does Amazon also vet those security ride-along people?)

Amazon also says they’ll be carrying insurance to cover you against delivery issues, property damage, or theft. That’s nice. They also explicitly warn against using the Amazon Key service if you have pets who might come to the door. So, clearly they don’t think the insurance will cover lost pets–nor do they want to deal with lawsuits from their gig economy, vetted delivery peons seeking to make the Big A responsible for their dog bites and/or allergic reactions.

But leave that aside.

Remember last year, when a researcher found that “twelve of sixteen locks he bought at random had either no security or absolutely horrible security”? I’ve seen nothing to make me think matters have improved in the last fourteen months. Granted, Amazon is better than many companies about issuing software updates to products they sell under their own name. But it’s not entirely clear to me whether the lock will be Amazon-branded, let alone Amazon-built.

Then there’s that camera. Look back another year, when reports were going around about baby monitors. At that time, nine out of nine popular baby monitors were found to have serious security flaws. Don’t think camera manufacturers have improved their security in the past two years: cameras have been prominent contributors to the waves of zombified Internet of Things attacks we’ve seen in the past year, beginning with last October’s Mirai malware-controlled mess.

But leave that aside, too.

Suppose everything works perfectly according to Amazon’s plan. Amazon is already a huge target for hackers. Do you think giving them the ability to remotely unlock doors will make them less of a target? Do you believe their security is that much better than, say, Target? Experian? Hell, a quick Google search should remind you that the National Security Agency can’t keep their own data secure.

As far as I’m concerned, a massive security breach at Amazon exposing the personal information of millions of customers is only a matter of time.

I’ll pass on Amazon Key, thanks. I hope you will too.

Another Failure Mode

Oh, goody! A whole ‘nother way the Internet of Things is getting security wrong.

Last month, security researcher Charles Henderson wrote about his experience trading in his car.

Briefly, both he and the dealer wiped all of his personal information out of the car–phone book, garage door opener, list of authorized devices. And yet, months later, the car still showed up in the app on his phone.

It’s not that the dealer and the manufacturer were unaware of security. Henderson makes it clear that they took the correct steps. But the focus of the team that designed and built the app and integrated it with the car’s systems was obviously on the “first owner” scenario, and not enough attention was paid to the possibility that someone might want to sell their car.

And it’s not just auto makers who have that problem. Henderson mentions another researcher who purchased a used home automation hub and found that doing a factory reset only wiped the configuration on the device itself; it didn’t touch the cloud-based configuration which included, among other things, the list of devices authorized to control the hub.

Right: even after wiping the device, the original owner would still have had access to every light bulb, every thermostat, and every door lock connected to the hub.
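To make the failure mode concrete, here is a small added model (my own illustration, not code from Henderson’s article or from any hub vendor) of a hypothetical cloud-backed automation hub. The `HubCloud` registry, the `Hub` class and the owner and phone names are all constructed for the example. It contrasts a reset that only clears the device’s local settings with one that also treats the reset as an ownership-transfer event on the server side: the cloud record drops the old owner, empties the list of authorized controllers, and the device credential that tied the old record to the hardware is rotated so nothing issued to the previous owner keeps working.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class CloudRecord:
    """Server-side state for one hub (constructed model, not any vendor's schema)."""
    device_secret: str                       # credential the hub presents to the cloud
    owner: Optional[str] = None
    authorized_controllers: Set[str] = field(default_factory=set)


class HubCloud:
    """Hypothetical cloud service that holds the authorization list the post describes."""

    def __init__(self) -> None:
        self.records: Dict[str, CloudRecord] = {}

    def enroll(self, hub_id: str, owner: str) -> str:
        secret = secrets.token_hex(16)
        self.records[hub_id] = CloudRecord(device_secret=secret, owner=owner)
        return secret

    def claim(self, hub_id: str, presented_secret: str, new_owner: str) -> None:
        """A new owner may claim a hub only if it is unowned and the hub proves its identity."""
        rec = self.records[hub_id]
        if rec.owner is not None:
            raise PermissionError("hub is still bound to a previous owner")
        if not secrets.compare_digest(presented_secret, rec.device_secret):
            raise PermissionError("device credential does not match")
        rec.owner = new_owner

    def authorize(self, hub_id: str, requester: str, controller: str) -> None:
        rec = self.records[hub_id]
        if requester != rec.owner:
            raise PermissionError("only the current owner may authorize controllers")
        rec.authorized_controllers.add(controller)

    def can_control(self, hub_id: str, controller: str) -> bool:
        return controller in self.records[hub_id].authorized_controllers

    def factory_reset(self, hub_id: str, presented_secret: str) -> str:
        """Correct design: the reset also unbinds the owner, revokes every controller,
        and rotates the device credential. Returns the new credential for the hub."""
        rec = self.records[hub_id]
        if not secrets.compare_digest(presented_secret, rec.device_secret):
            raise PermissionError("device credential does not match")
        rec.owner = None
        rec.authorized_controllers.clear()
        rec.device_secret = secrets.token_hex(16)
        return rec.device_secret


class Hub:
    """The physical device. Local config lives here; authorization lives in the cloud."""

    def __init__(self, hub_id: str, cloud: HubCloud, owner: str) -> None:
        self.hub_id = hub_id
        self.cloud = cloud
        self.local_config: Dict[str, str] = {}
        self.secret = cloud.enroll(hub_id, owner)

    def reset_local_only(self) -> None:
        # The flawed behaviour from the post: the device forgets, the cloud remembers.
        self.local_config.clear()

    def reset_with_cloud_revocation(self) -> None:
        self.local_config.clear()
        self.secret = self.cloud.factory_reset(self.hub_id, self.secret)


def resale_outcome(flawed: bool) -> Dict[str, bool]:
    """Simulate Alice resetting and selling the hub to Bob. Returns who can still
    control it afterwards: {'alice_phone': ..., 'bob_phone': ...}."""
    cloud = HubCloud()
    hub = Hub("hub-0001", cloud, owner="alice")          # constructed identifiers
    cloud.authorize("hub-0001", "alice", "alice-phone")
    hub.local_config["wifi"] = "alice-net"

    if flawed:
        hub.reset_local_only()
        bob_has_control = False                          # Bob cannot even claim: still Alice's
    else:
        hub.reset_with_cloud_revocation()
        cloud.claim("hub-0001", hub.secret, "bob")
        cloud.authorize("hub-0001", "bob", "bob-phone")
        bob_has_control = cloud.can_control("hub-0001", "bob-phone")

    return {
        "alice_phone": cloud.can_control("hub-0001", "alice-phone"),
        "bob_phone": bob_has_control,
    }


if __name__ == "__main__":
    print("local-only reset:", resale_outcome(flawed=True))
    print("reset with revocation:", resale_outcome(flawed=False))
```

The check that matters for a buyer (or for a vendor’s QA team) is the first key of the result: after a local-only reset the previous owner’s phone is still in the authorization list, while after a reset that reaches the cloud it is not, and the device credential the old record knew is gone.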

Still feeling cheerful about your Amazon Echo or Google Home giving you voice control over your house? After all, you’re not planning to sell that device, are you? No? Well, what if something goes wrong and you have to send it in for service? Are you certain you’re going to get the same device back? How confident are you that your original device won’t wind up being refurbished and resold?

Let’s face it: this isn’t a new problem, and we should have seen it coming. How many stories have you seen in the newspaper about someone buying a used computer and finding porn on the hard drive? Henderson notes that early smartphones lacked a way to wipe them for resale, and it was only after many well-publicized tales of people buying used phones for nefarious purposes that a wipe command was added.

Nor is there a good solution. Even if every new IoT device was designed with security as the first consideration, there are still millions of gadgets out there that have no security and no way to upgrade them to add it. In many cases, the company that made them isn’t even in business any more.

Teamwork

So many of my posts only show one of the cats, you all must be getting a false impression. Yes, I’ve shown you several of them using each other as pillows, but beyond that, not much.

But they really do hang out together when they’re awake, too.

Case in point.

Mid-afternoon. The mail had already been delivered, which meant there was no reason to hide in the closet, so several of them decided to sprawl on the stairs and watch the world go by.

That’s Sachiko on the lowest step, by the way.

As you can see, she’s not nearly as relaxed as that first shot would suggest. Even when she does relax, she’s still usually on alert; I’m not sure I’ve ever seen her sleeping, at least not so soundly that anything larger than a moth could sneak up on her.

Which is, of course, part of the reason she gets along so well with ‘Nuki, our self-appointed Chief of Security.

Naturally, any time we open the sliding door, it calls for a two-member security team to ensure that nothing gets through the screen door. They’ll stay on duty for hours until we come to our senses and lock the house down again.

Such dedication! Such comradeship! Such gratuitous self-indulgence!

Insecure Things

OK, enough cheerful peanut-based posts. Back to the usual cynical doom and gloom.

Multiple sources are reporting depressing news about baby monitors. A company called Rapid7, Inc. tested nine devices from eight different companies. They found that every single one had serious security flaws that would allow an attacker to view the video stream from the camera, change its configuration, or launch attacks on other devices on the owner’s Wi-Fi network.

If you’ve been paying any attention to security matters in the last few years, you probably aren’t surprised about Rapid7’s findings. Just as there’s no such thing as a bug-free program, there’s no such thing as a secure Internet-connected device.

What is surprising to me is just how bad the manufacturers’ responses were when they were informed of the vulnerabilities. Philips–or rather, Gibson Innovations, who hold the license to sell baby monitors under the Philips brand name–is working on a fix, although no timeline has been set for its release. None of the other seven manufacturers is planning to fix the flaws in their products. According to the article on Ars Technica, Rapid7 couldn’t locate one manufacturer, several didn’t even acknowledge receipt of Rapid7’s notification, and some stated flat-out that they saw no reason to look at the report.

If it were just baby monitors, it might not be a big deal, but let’s not forget that consumer electronics manufacturers are pushing more and more Internet-connected devices into the market. It’s not just TVs and video players (many of which have had their own security failings) anymore. Refrigerators that monitor their contents and nag you to go shopping–or simply place orders for grocery delivery themselves. Clothes washers and driers, dishwashers, ovens, furnaces, lights, smoke and carbon monoxide detectors, and door locks all have network connections.

Keep in mind that the baby monitors weren’t cheap models from fly-by-night companies. They included well-known brand names and some of the most popular models. Yet only one manufacturer is apparently willing to stand behind their product and resolve the problem. If that attitude carries over into other appliances, well, you might give some thought to buying up a stock of locks and light bulbs now while you can still get ones that don’t require a network connection.

“But wait,” I hear you say. “What if I just don’t set up the network connection? Won’t I be safe then?”

Probably not.

First, many “Internet of Things” devices are designed to set themselves up–scan for a network and join it automatically, or in some cases, they establish their own network parallel to your regular Wi-Fi.

Second, some devices won’t work until they’ve been set up. I recall a review of a Bluetooth-controlled door lock, which unfortunately I can’t find at the moment, which will not lock until you pair it with a smartphone and run an app to set the combination for the manual push-button mechanism. (At that, it’s arguably safer than a lock that comes with a default combination printed in its manual.)

Third, if the device doesn’t self-configure and you don’t set it up, it will remain in its default configuration. Most likely, it will have a default password–or no password at all–allowing anybody who scans for Wi-Fi signals to find it and configure it for their own purposes. Do you really want your next-door neighbor to control your thermostat? How about your dishwasher? Better go apologize for that loud party last month before you install your new app-controlled garbage disposal.

Fairness In the Media

I was looking at the site stats the other day. Sounds thrilling, doesn’t it? I’ll admit, it can be boring, but it has to be done. After all, you never know when it will let you correct a serious social injustice.

No, really!

Specifically, I was looking at the number of times I’ve posted about the feline members of the household. Observe:

  • Kaja – 27 articles
  • Watanuki – 26 articles
  • Rhubarb – 25 articles
  • Kokoro – 20 articles
  • Yuki – 19 articles

Can you believe it? It’s a wonder the Poof and the Floof are even still talking to me. And yet they do. She still spends the night curled up on my lap or behind my knees. He still does his best to ensure that my elbows are squeaky-clean. OK, usually he starts licking my elbow in the middle of the night when I’m trying to sleep, but I’m pretty sure he means well.

So, to redress the balance a little–and make sure I stay in their good graces–here are a few pictures.


Kokoro has a crowded schedule of sleeping on the bed,

sleeping on the floor in the sun,

helping Maggie solve computer problems,

and manning–well, felining–the home laser defense turret.


Yuki is even busier, what with sleeping on the stairs,

sleeping on the bed,

helping me develop plot points (“And then what happens? Uh-huh. Sounds fascinating. Really.”),

and watching baseball (although he’s easily distracted–I believe this time it was the sound of a can of gooshy food being opened).

Still, despite their differences and their busy schedules, Kokoro and Yuki still find time to relax together over a nice bowl of catnip tea.

Well, OK, maybe not.

They’re At It Again

Time for another roundup of cat-related news from around the world.

Adriana Lee reports that her cats didn’t take it well when she installed a home monitoring system to keep tabs on them.

We’ve talked about the risks of insufficiently-secured home monitoring systems before, but we missed this one. According to Adriana, the system had been in place for less than a day when the motion sensor alerted her to feline activity in the bedroom. She switched on the camera just in time to witness one of the cats lying down on her pillow, looking at the camera, and then coughing up a hairball on her side of the bed.

Clearly the cats were up to something nefarious and didn’t want her to catch them at it. We all know from the movies that premature revelation of a villain’s plans for world domination is the most common reason why the plans fail. Surely the cats are well aware of that fact too.

Or maybe they’re not after world domination. Maybe they’re members of the growing class of feline masterminds. Adriana doesn’t say where she lives, but it could be that her cats are controlling James Lawlor of Clearwater, Florida. Mr. Lawlor was arrested when he tried to walk out of Walmart pushing a shopping cart filled with cat food.

He claimed that he planned to sell the food to a friend with 300 cats, but how likely is that? It seems obvious that his claim is really a cover story to avoid revealing his feline controller, who’s attempting to set up a food supply independent of any human. Stocking a secret command post is an expensive proposition; any savings you can realize through control of weak-minded humans is money you can put into catnip-infused champagne for your victory party.

A bit of sad news on the subject of feline overlords: The infamous Colonel Meow passed away last week. The Colonel’s minions request that memorial contributions be sent to Seattle Persian and Himalayan Rescue. My presumption is that SPHR is a front established by the Colonel’s successor, and the funds will be used to further the Colonel’s dream of world domination.

Not all cats are as blatant in their methods as Colonel Meow. Take a peek at this post by Devan McGuinness. The post, clearly ghost-written by a cat, makes it clear that humans should dump their spouses and lavish all of their love on their feline overlords, er, companions. Her ten reasons why a cat is the perfect valentine are a frightening peek into the way cats want us to think of them. I’m particularly taken by number 4: “Hanging out at home is also their idea of a really good time.” Forget all the times the cats have tried to dash past your feet when you open the door or squeeze out of a barely-opened window. They don’t want to get out to further their nefarious plans at all. You clearly are hallucinating. Your cat wants nothing more than to stay at home and watch “Love Actually” with you (per reason number 8).

One last note. Our feline masters are figuring out that sometimes it’s worthwhile for them to team up and work together to extend their control over humans. Case in point: there are currently two groups competing to open the first “cat cafe” in the U.S. Both groups are in the SF Bay Area, and one suspects that the competition between them owes as much to the rivalry between San Francisco and Oakland as it does to the battle for market- and mind-share. Both groups are affiliated with rescue/adoption organizations, so the potential for the feline masters to use the cafes to infiltrate formerly cat-free homes is obvious.

The race to open first–both groups are targeting this summer–is still neck-and-neck. Both groups have tentative approval from the appropriate zoning and health departments, both have secured partial funding, and both are still looking for appropriate spaces.

KitTea, in San Francisco, seems to be somewhat ahead in website development, but Oakland’s Cat Town Cafe has an active Indiegogo page for funding, as well as pledged support from Pet Food Express.

Stay tuned. When (or if) either group manages to get their venture off the ground, I’ll be sure to do an on-the-spot report.