> Incidentally, now up to three separate emails begging me to remove [the review] or they'll be fired
https://twitter.com/mjg59/status/747866725945737216 contains a screenshot of an email complaining that the review is "unfair" because it is negative and people are marking it as helpful, making it more difficult for other "honest reviewers" to get traction.
About two months ago i tried out some ads automation software. The concept was good, the product was ok, but support was awful and things were buggy. So i waited patiently until one day i got fed up and made my thoughts public in a tweet. I was civil about it. Anyway within a couple of hours the CEO contacts me telling me how he's been ill in hospital and that half his tech team have left and how he might be shutting the company down, but i could a "please remove the tweet of you blasting us". I felt sorry for him so obliged. 2 months later, they've continued to market the product heavily so he was obviously lying just to get me to remove the tweet. After that experience, im never going back on what I say ever again.
At the first link, I'm immediately turned off by his follow-up: Capitalism is fucking bullshit
What's really ironic is that this experience shows how well capitalism does work, more effectively than other systems can: The reviewer found a bad product, reviewed it honestly, and is now helping other people stay away from it. Let's see you try to make that happen when you're faced with poor and disinterested government-provided services.
He doesn't actually clarify his line of thinking. As someone who is also not much a fan of capitalism, my thought at getting those emails might be "this company cut corners trying to turn a quick profit making a crap product, and now some poor shmucks at the bottom are getting fired. capitalism sucks"
Soviet-style five year plans are also not the only alternative to hobbesian capitalism, that is a false dichotomy.
Soviet-style five year plans are also not the only alternative
Actually, what I had in my mind when I was typing that was an experience of my wife, very recently, right here in America. Her job is researching regulations for Medicaid across the country. Her boss came across documentation from State of Illinois that were contradictory, so he tried to call their offices. He logged 11 calls to them two weeks ago today, with no one taking his call, and then had to hand the question off to my wife.
Last Monday she attempted to call, only to get a message saying that: (a) they were replacing their phone system for the entire week so they can't receive any calls; and (b) they normally don't take any calls during the last week of the month (!) but because of the phone system problems, they'd make an exception and open their phone lines for the last week of June. So she started trying again this past Monday, and it still took several days for her to get someone to pick up the phone.
That can happen in any system where there's no market allowing people to reject bad alternatives, and to signal the importance of a product through the price system. But any time you remove the market forces (e.g., any socialist-type system where the government is making the calls), the system quickly stops responding to the needs of its customers.
Can you imagine any capitalist company that would simply take down phone communications for a weeks while replacing the system? Years back, my employer put in a new phone switch, and the outage amounted to hours over a weekend. Even worse, can you imagine any company that would just say "we never take customer calls during the last week of any month"?
I think trying to portray this as a contest between capitalism and socialism only confuses the issue. It's really a question of feedback loops: anyone who's dealt with a large phone company, airline, bank, etc. knows that the same dysfunctional behaviour often happens there as well; conversely, there are also many examples of government agencies where the management is responsible and sets service-level requirements to avoid unwanted behaviour.
That avoids the classic arguments about whether socialism is really diametrically opposed to capitalism (Americans tend to treat it as synonymous with communism, much of the world tends to disagree) and instead places attention directly on the management culture which encourages that bad behaviour or chooses not to invest the resources necessary to provide better service.
It's entirely unclear that the US health insurance market is evidence that capitalism is a good thing, compared to literally the entirety of the rest of the first world, e.g. the UK, where Garrett is from.
Whilst I wouldn't use the word 'devastating', this is certainly a well-written review pointing out the glaring flaws in this IoT device.
It's not devastating because there's enough 4- and 5-star reviews from people who have evidently overlooked these flaws (or who have iPhones or old Android devices that allowed setup to work). This word of caution is likely to get lost among the noise.
The author has done a steller job highlighting the awful quality and attention to security of an innocuous IoT device. Granted, a wifi-controlled socket is likely to only power a table lamp or something similar, so anyone brute-forcing the MAC addresses isn't going to do horrendous amounts of damage, but the inability to prevent someone doing this is a clear illustration of the little control the end user has over 'smart' devices.
Bottom line: if you can't root it, don't put it on your LAN.
You bring up a very good point. I like reading reviews before I buy things, but with all reviewers basically living off the free stuff they get, I do worry that there is a conflict of interest. I don't imagine they get a lot of email like "you gave our thing a positive review while the rest of the Internet appears to hate it. Your reviews are not very thorough so we're not sending you review units anymore."
I bet if you do write a lot of negative reviews, the UPS guy doesn't visit your office as often as the author who writes a lot of positive reviews.
It's time we setup a standard so that everybody can choose there own "cloud" server for these "smart" home electronics. These manufacturers should not be building their own.
Of course the app on your phone could also just connect to the bloody thing itself instead of using these relay servers of the manufacturer. (yes I know, NAT punching is a PITA, but better than this)
Great review, but I'm more excited about the fact that this runs on an ESP8266, presumably controlling a simple relay. This means that I can just open it up, hook it up to my computer and flash my own firmware that will be exactly as secure as I need, all for a rather low price.
Hell, maybe they left the FOTA port open and I can give people a small script with a firmware so they can just run that and flash the plug over the wifi network!
Incidentally, I reviewed a pre-release version of that device a few months back. I didn't try flashing custom firmware to it though - are there any instructions for that that I could link to from the review?
Then you flash it with PlatformIO as usual, except I'm not sure which pins are connected where, that would take some fiddling. I'll buy one to experiment with.
a) the sockets all connect to a central server in China
b) the sockets identify themselves to that server with their MAC address (kind of makes sense, it's a readily available, global unique (more or less) identifies)
c) if you send a message to a socket (identified by its MAC address) from the app on your phone and your mobile phone can't find it on the local network, the app sends a message to the central server in China, which sends it on to the socket, if that happens to be turned on and is thus connected over the internet to that central server
So, it's not that you can suddenly magically access devices by MAC address over the Internet (MAC addresses are still local network only), but since the sockets are all connected to a central server who knows them by their MAC address, that makes it possible to send those messages.
This would all not be a problem with good crypto for authentication (and secrecy), but apparently they put pretty much none of that into the product/app. So it should be realtivly easy to find out the MAC address and then very easy to talk to the central server and tell it to send messages to whatever device.
(It's a little like an open relay mail server, and bad for similar reasons)
One other issue is that MAC addresses are allocated in contiguous blocks to manufacturers. If you know the general pattern (the first N characters are manufacturer-specific), there is precious little stopping you writing a script to loop through all the possibilities and spam the server with them. Most network devices have the MAC address printed on a label (with a barcode for an admin to scan), so it would be trivial to grab an example from a photo.
Sometimes N=9, such as when the address starts 00:50:c2. This block is divided into blocks of 4096 instead of the usual 2^24 so small users can get a block for a few hundred dollars instead of over a thousand.
in the end the relevant things are just a command and the MAC address of the socket. On the local network this is sent directly to the socket, otherwise it goes via the server in China
Anyone can send a command to the server, and the server routes it to your device based on the MAC address in the command.
this is a big problem with customer reviews in general. Only rarely you'll see a review by someone who knows what they're doing; most times the reviews are very superficial and isn't helpful at all.
> In summary: by default this is stupendously insecure, there's no reasonable way to make it secure
That's an honest review? I tend to ignore reviewers who talk about security as an all or nothing proposition. Maybe everyone else will in a few years too.
It is likely possible to take the device apart and overwrite its firmware in some way to be more safe, but that is somewhat unfeasible for the average consumer.
https://twitter.com/mjg59/status/747612713786847232
> Incidentally, now up to three separate emails begging me to remove [the review] or they'll be fired
https://twitter.com/mjg59/status/747866725945737216 contains a screenshot of an email complaining that the review is "unfair" because it is negative and people are marking it as helpful, making it more difficult for other "honest reviewers" to get traction.