Posted by ajdude 3 days ago
As someone with a lot of experience in the mobile app space, and tangentially in the IoT space, I can most definitely believe this, and I am not surprised in the slightest.
Our industry may "move fast", but we also "break things" frequently and don't have nearly the engineering rigor found in other domains.
So eventually if they remove the keys from the device, messages will have to go through their servers instead.
You want to think through that one again? With the OpenAI key on device it means anyone could use that key to call (and bill) OpenAI's APIs. It's absolutely not feasible to ship the OpenAI keys on device.
Since debugging hardware is an even higher threshold, I would expect hardware devices this to be wildly insecure unless there are strong incentive for investing in security. Same as the "security" of the average IoT device.
But that at least turns it into something customers will notice. And companies already have existing incentives for dealing with that.
(There's a reason Apple can charge crazy markups.)
Apple have a reputation and brand that allows them to charge premium prices.
IKKO seems, at least to me, to be effectively a disposable brand. If their reputation goes bad, their only reals costs are setting up a new website/AliExpress Store/Amazon seller account.
Yes, you can run with disposable brands. It's a perfectly viable business strategy in many cases.
However: if you do that you are missing out on the benefits of building a good reputation. Even in the cases, where your product _is_ actually good.
So another perfectly valid business strategy is to build a longer lasting brand. Like Apple has done. (Or countless other companies.)
In most markets we see both kinds of strategies at play. As a customer, you can usually decide which kind of strategy you give your money to.
In my experience, the work is focused on weakening vulnerable areas, auditing, incident response, and similar activities. Good cybersecurity professionals even get to know the business and tailor security to fit. The "one mistake and you're fired" mentality encourages hiding mistakes and suggests poor company culture.
As with plane crashes and surgical complications, we should take an approach of learning from the mistake, and putting things in place to prevent/mitigate it in the future.
If your system has lots of vulnerabilities, it's not secure - you don't have cybersecurity. If your system has lots of vulnerabilities, you have a lot of cybersecurity work to do and cybersecurity money to make.
There is a decryption function that does the actual decryption.
Not to say it wouldn't be easy to reverse engineer or just run and check the return, but it's not just base64.
I mean, it's from gchq so it is a bit fancy. It's got a "magic" option!
Cool thing being you can download it and run it yourself locally in your browser, no comms required.
>run DOOM
as the new
>cat /etc/passwd
It doesn't actually do anything useful in an engagement but if you can do it that's pretty much proof that you can do whatever you want
(I'm showing my age here, aren't I?)
Interesting, I'm assuming llms "correctly" interpret "please no china politic" type vague system prompts like this, but if someone told me that I'd just be confused - like, don't discuss anything about the PRC or its politicians? Don't discuss the history of Chinese empire? Don't discuss politics in Mandarin? What does this mean? LLMs though in my experience are smarter than me at understanding imo vague language. Maybe because I'm autistic and they're not.
In my mind all of these could be relevant to Chinese politics. My interpretation would be "anything one can't say openly in China". I too am curious how such a vague instruction would be interpreted as broadly as would be needed to block all politically sensitive subjects.
I'm not sure what specific incident you're referring to, however I do know that if Germany was more willing to leverage the hate speech laws more strictly, the AFD would have been banned long ago. Now they're finally willing to leverage it to ban the new nazi party, which is a relief.
You have no difficulty manufacturing what you believe to be a difference (that clearly does not survive contact with reality), because you're ignorant of the world around you.
> Of course if someone tries to muddy the waters, they should be criticized
No, if someone tries to falsely claim that there's a clear and objective difference, as you are, they should be criticized.
> Hate speech very clearly has meaning
No, it very clearly does not, and the fact that you're expressing that opinion indicates that you're extremely uninformed about history. "Hate speech" wasn't even a concept that existed until the 20th century, originally only referred to race when it was defined by the ICERD, constantly changed and increased in scope, and still even today not only has no commonly agreed-upon definition, but is used to suppress relevant-to-society free speech that the State does not approve of.
If you go and ask 10 random people in your country what the definition of "hate speech" is, they will not be able to agree on a definition - anyone who has gone out and actually interacted with different groups in their country (as opposed to being isolated to a single community) knows this to be true. That by itself is factual proof that there is no consensus definition of the term.
Not that there needs to be any further elaboration than that, but...
> I'm not sure what specific incident you're referring to
Marie-Thérèse Kaiser, a German politician, posted a social media post with the text "Afghanistan refugees; Hamburg SPD mayor for 'unbureaucratic' admission; Welcome culture for gang rapes?" and was charged under German hate speech laws. You're extremely authoritarian and progressive, so you probably feel that a penalty should have been given out, but regardless of your feelings, the fact is that that was not clearly incitement to hatred or violence, and that the poster was charged for "hate speech" for making political statements about immigration.
> banning expressions that incite hatred or violence against people based on [...]. What's unclear about that?
It's very clear to anyone who has contact with reality that not only does "hatred" also have no consensus definition, but neither does "inciting", and so both of those terms can be and are interpreted in an extremely wide spread that is abused by the State.
Not only is the lack of consensus of definition of the concept of "hate speech" factual evidence that your claims about it being clear are false, but even your citation of the German legal definition contains terms that have neither consensus population definition nor objective test (legal or otherwise).
All law and words are manufactured.
> "Hate speech" wasn't even a concept that existed until the 20th century,
And? "Capitalism" wasn't a word in any language until the 17th century. We make new words when we need them.
> originally only referred to race when it was defined by the ICERD, constantly changed and increased in scope
Turns out as we opened our eyes to our collective bigotry, we realized we were doing it in more ways than one.
> but is used to suppress relevant-to-society free speech that the State does not approve of.
Would love to you point to an example of this that isn't racist or bigoted :)
> If you go and ask 10 random people in your country what the definition of "hate speech" is, they will not be able to agree on a definition -
Great, that's why we have representative democracy and laws and dictionaries. I could ask anyone in Texas (my home state) the legally required pre-driving check that must be performed before operating a motor vehicle, every time, and I wager 90% will not even know such a lawful requirement for such a check exists, and 100% will fail to list every step required. This doesn't mean such a law doesn't exist or, if someone learns about it, then isn't clear.
Of course in my opinion more people should know about it and enforce it personally but I accept that one of the unsolved problems of liberal democracy is how to manage the massive nest of rules and regulations in a fair and equitable way. After all, almost everyone speeds.
> "Afghanistan refugees; Hamburg SPD mayor for 'unbureaucratic' admission; Welcome culture for gang rapes?" and was charged under German hate speech laws. You're extremely authoritarian and progressive, so you probably feel that a penalty should have been given out, but regardless of your feelings, the fact is that that was not clearly incitement to hatred or violence, and that the poster was charged for "hate speech" for making political statements about immigration.
Lmfao I knew there was some racist shit behind your position. It's absolutely racist to imply that Afghanistanian refugees are rapists, which is exactly what the tweet does. It makes sense that Germany would have more strict application of hate speech laws, and it makes sense to punish German politicians that swing a bit too far into "But what if one of the types of peoples were not actually totally human?" again.
> that not only does "hatred" also have no consensus definition,
Law should be decided by popular consensus? So you're an anarchist as well? Well, excellent, then we can get into the inherent moral wrongness of racism and our role to engage in direct action against racists. This probably will be sloppier than using liberal democracy and well defined hate speech laws but I prefer it, as do you apparently. In the end, the people who know what hate speech is and abhor it far outnumber those who want to be able to call all muslims racist, I've seen this time and time again at protests across the USA. Even when the nazis are organized into cute little militias (such as when the proud boys came to our city), people are able to organize 10x more counter protestors on the drop of a hat with nothing more than an Instagram post. So, I'm confident that my anti-racist side will win out, and your position of wanting to be allowed to dehumanize people will lose.
What's bizarre to me is you clearly have a more subtle understanding of race relations than this comment would lead me to believe - in another comment for example you demonstrate that you understand that there's a difference between the PRC and its (alleged) "Chinese" race ("Han" is a word that is vague enough to basically mean "white"), so why this desire to defend racist politicians? Cause, that's your argument here, and as of yet the only people that have been negatively affected by these hate speech laws are racists.
> All law and words are manufactured.
Completely irrelevant to my response to your statement. Your statement was "I have no difficulty seeing the difference between hate speech and criticism of the state." and that's because you are inventing the difference between concepts. It does not exist, and that fact has nothing to do with the fact that words and laws are manufactured by humans.
> And?
If you had read two sentences further, you would have seen the "and" - that there is no consensus definition. The fact that the concept itself is so recent reinforces that. That's pretty easy to see if you read the whole paragraph.
> Would love to you point to an example of this that isn't racist or bigoted :)
I already did. Also, calling out the emotional manipulation in your comment in substitute for any actual point.
> I could ask anyone in Texas (my home state) the legally required pre-driving check that must be performed before operating a motor vehicle
Completely irrelevant, yet again. Laws are categorically different than concepts. The fact is that the concept of "hate speech" does not have anything close to a consensus definition. If you ask a sample of people in Texas what a "car" is, you will get a consensus definition of a car (and because I know you're going to try to be pedantic: to a very high level of fidelity, again unlike "hate speech"), because that's a shared concept in way that "hate speech" is not.
> Lmfao I knew there was some racist shit behind your position
Yet again, substitution of emotion for, well, the ability to think.
> It's absolutely racist to imply that Afghanistanian refugees are rapists, which is exactly what the tweet does
No, it does not imply that - you are reading it like that, because your brain has been conditioned to view everything through the lens of racism, and you cannot fathom that there are things other than race (such as the refugees coming from a different culture, coming from a different legal environment, or not being treated legally in the same way as other individuals because of their refugee status) in Afghanistan that can result in the problem of sexual assault. Heck, the presumption that if you come from Afghanistan, you must be Afghani (or of a particular race), wildly exceeds your own standards for what racism is.
Additionally, reality is not racist. The fact is that there is a huge problem with sexual assault and violence from Middle Eastern refugees in Europe. Pointing out that, regardless of whether the problem is cultural, racial (which would be false - this is not a race problem, but a cultural problem), or due to different legal environments or treatment, there is a problem, is not racist. This is a fact. Again: reality is not racist, and pointing out reality is not racist.
> Law should be decided by popular consensus?
Again, multiple fallacies and total failures of logic. First, you're conflating concepts/morality and laws. Those are obviously not the same. You are making moral arguments about "hate speech" that the laws must necessarily flow from. In your original comment you stated "You don't feel there's a difference between a State banning criticism of the State, and a State passing anti-hate speech laws to protect people from, e.g., nazis?" - that is a moral argument, not a legal one. Second - no, I did not make any argument that would imply that "law should be decided by popular consensus" - that's your failure to read what I wrote.
A misunderstanding that you then proceed to spend a paragraph working off of. Again, you have an inability to actually think logically, and instead just try to frame everything into a race issue, and then emotionally react to it. You finish with
> your position of wanting to be allowed to dehumanize people will lose
No, that is not my position - and you know that. The only person doing any dehumanizing here is you - you are intentionally misreading my point, because you want to turn this into a "racists vs anti-racists" issue that you can then use to justify dehumanizing those you perceive to be racist (me, and politicians).
> a more subtle understanding of race relations
Again with the race. Everything is about race and racism.
> why this desire to defend racist politicians
And again.
> Cause, that's your argument here, and as of yet the only people that have been negatively affected by these hate speech laws are racists.
And again.
And the fallacy that outcomes justify perversion of principles. And the labeling of others as "racist" when you have honestly close to zero idea what their actual principles are, and then the logically, legally, and morally insane idea that just because someone is a racist means that they deserve to be legally punished. That claim doesn't even need to be defended against, because it's insane. (it's not really falsifiable, either, because you can always claim that someone is a closet racist, even without evidence)
You should wait to respond to this comment until you can actually learn to use logic at the high-school level, and have the emotional maturity and control of (at least) a college grad. You have categorically not demonstrated either of those things so far.
What are you, one of the LessWrong rationalists? You need to re-read your sequences, emotions aren't inherently irrational. I do find it funny that you seem to think you aren't expressing any emotion - your indignation, anger, and fear are writ plain across every sentence. As far as I can tell my emotions in regards to this comment thread are amusement and confusion. Oh no, I think your haughty high-minded defense of racism is kinda funny, I guess I'm illogical! I apologize for my emotional outburst, Mr. Spock.
> because you are inventing the difference between concepts. It does not exist,
Nah, it exists, you're just wrong.
> that there is no consensus definition
Insomuch as liberal democracies believe they represent consensus, there quite obviously is a consensus definition: it's the one the representative legislators wrote into a bill, and then wrote into law. And then the judicial portions of the government continually enforced and upheld this law. Doesn't get more consensus'd than that in liberal democracy.
> I already did. Also, calling out the emotional manipulation in your comment in substitute for any actual point.
Implying all Afghanistanian refugees are rapists is racist, so nah you haven't.
> Yet again, substitution of emotion for, well, the ability to think.
Here's my emotion right now: confusion. I'm confused that you seem to think pointing out something is racist, is an emotional outburst. I'm also confused about your dichotomy between emotion and thinking. All human experience is based at some level on emotion, so too are all human values. I think you may have watched too much sci fi or something, to think otherwise.
> such as the refugees coming from a different culture, coming from a different legal environment, or not being treated legally in the same way as other individuals because of their refugee status
Implying all Afghanistanian refugees come from a culture that promotes rape is the racism to which I referred. Racists often swap around "race" and "culture" when convenient.
> Heck, the presumption that if you come from Afghanistan, you must be Afghani (or of a particular race), wildly exceeds your own standards for what racism is.
Don't concern troll, it's so boring.
> The fact is that there is a huge problem with sexual assault and violence from Middle Eastern refugees in Europe.
Violence against women isn't a uniquely Middle Eastern problem - at the same time right wing politicians are trying to drum up votes by being racist, France has protests about a plague of violence against women. It's not "a cultural problem" at all, it's a universal aspect of patriarchal society. At least immigrants commit crimes at a lower rate per capita than locals, maybe they can help offset the violence that citizens are committing against eachother.
So, once again, the tweet is picking out one thing and blaming a random group of people as if this thing is unique to them, ignoring the rot beneath their feet. Something tells me you wouldn't quite appreciate a tweet along the lines of "More white men elected into government - bringing culture of school shootings into government?" After all, the overwhelming majority of school shootings are performed by white men.
> No, that is not my position - and you know that.
I agree now that you don't think you're racist, unlike many right wingers I've had this same conversation with. However, you are, I guess, by accident. As far as I can tell you think you're some kind of very intelligent hyper rationalist that "sees the world for what it is," including that, I guess, some cultures are inferior? You're blind to your engagement in cognitive fallacies such as cherry picking and selection bias. The fact that you're allergic to emotion is a personal flaw on your part, it doesn't make you smarter at all. It makes it obvious to anyone listening that you have no understanding of your own emotions, and are thus ruled by them. That's how emotions lead to irrational thinking and behavior, having emotions doesn't cause irrationality inherently.
Especially because you seem to think that accusing someone of racism is inherently emotional. What?
> nd morally insane idea that just because someone is a racist means that they deserve to be legally punished.
Not quite, I never argued for thought crime. Just the punishment of hate speech - which is generally defined as public in nature, so isn't even really an argument for your earlier accusation against me of authoritarian leftism (with the requisite pervasive surveillance).
> it's not really falsifiable, either, because you can always claim that someone is a closet racist, even without evidence)
I don't think that's very fair, I never argued for any kind of enforcement without evidence.
> You should wait to respond to this comment until you can actually learn to use logic at the high-school level, and have the emotional maturity and control of (at least) a college grad. You have categorically not demonstrated either of those things so far.
Being haughty and superior because you "don't feel emotions" or whatever tf just makes you obnoxious and cringe, please go read "How to Win Friends" or something, I don't really care, you come off like a reddit /r/atheist poster and it's embarrassing. Or like, one of those twitch streamers that "win" debates when they get the other guy to be mad. "Haha I said something horrid and you got mad about it, you lose!"
> What are you, one of the LessWrong rationalists?
OK, so you don't comprehend the purpose of logic in society.
> emotions aren't inherently irrational
Factually incorrect. Emotions are irrational. This is objectively true. When you feel an emotion, a physically and spatially different part of your brain is being activated than when you think logically. You might be thinking that some emotions are justifiable - and some of them are. But that's not the point I was making, so that would be irrelevant - the point I was making is that you think that your emotional outbursts are equivalent to making a reasoned argument.
There's no point in continuing this. You appear to physically be unable to avoid responding emotionally, to the point where you don't even understand the difference between emotion and logic, or the purpose and necessity of thinking rationally in society - and you're proud that you don't.
They are asymmetric in favor of certain communities.
The same way that “making LLMs safe” or “neutral” is actually a way to inject an ideology.
Look into France, which case can lead you to jail:
Criticize islam: risk of jail
Criticize white: ok
Criticize black: risk of jail
Glorify nazis: risk of jail
Glorify soviets: ok
Quite the reflection of influence if one side is forbidden to speak and the other can shit on them
Extremists in France love these laws, but only the left ones.
Glorifying nazis is glorifying naziism, an ideology that's predicated on the need to kill all Jewish people, among other things (gay people and whatever the nazis hated). That easily falls under hate speech.
Glorifying soviets is just glorifying a failed political regime. You can also glorify the Napoleonic era, or the Kingdom of the Franks, or whatever other politics you want. There wasn't genocidal intent baked into the very fabric of Stalinism, despite his genocide of the Ukranians.
I suspect you could talk readily about something you think is not Chinese politics - your granny's ketchup recipe, say. (And hope that ketchup isn't some euphemism for the CCP, or Uighar murders or something.)
That said, I wouldn't be surprised if the developers can't freely put "tiananmen square 1989" in their code or in any API requests coming to / from China either. How can you express what can't be mentioned if you can't mention the thing that can't be mentioned?
> The City & the City is a novel by British author China Miéville that follows a wide-reaching murder investigation in two cities that exist side by side, each of whose citizens are forbidden to go into or acknowledge the other city, combining weird fiction with the police procedural.
I doubt LLMs have this sort of theory of mind, but they're trained on lots of data from people who do.
I’m guessing most LLMs are aware of this difference.
Edit: typo
(in fairness pervasive logging by American companies should probably be treated with the same level of hostility these days, lest you be stopped for a Vance meme)
On the other hand, OpenAI would trivially hand out my information to the FBI, NSA, US Gov, and might even do things on behalf of the government without a court order to stay in their good graces. This could have a far more material impact on your life.
https://www.nycpolicefoundation.org/ourwork/advance/countert...
https://www.nyc.gov/site/nypd/bureaus/investigative/intellig...
Compounding the difficulty of the question: half of HN thinks this would be a good idea.
https://en.wikipedia.org/wiki/Extraordinary_rendition
Russia is more known for poisoning people. But of all of them China feels the least threatening if you are not Chinese. If you are Chinese you aren't safe from the Chinese government no matter where you are
Extortion is one thing. That's how spy agencies have operated for millennia to gather HUMINT. The Russians, the ultimate masters, even have a word for it: kompromat. You may not care about China, Russia, Israel, the UK or the US (the top nations when it comes to espionage) - but if you work at a place they're interested, they care about you.
The other thing is, China has been known to operate overseas against targets (usually their own citizens and public dissidents), and so have the CIA and Mossad. Just search for "Chinese secret police station" [1], these have cropped up worldwide.
And, even if you personally are of no interest to any foreign or national security service, sentiment analysis is a thing. Listen in on what people talk about, run it through a STT engine and a ML model to condense it down, and you get a pretty broad picture of what's going on in a nation (aka, what are potential wedge points in a society that can be used to fuel discontent). Or proximity gathering stuff... basically the same thing the ad industry [2] or Strava does [3], that can then be used in warfare.
And no, I'm not paranoid. This, sadly, is the world we live in - there is no privacy any more, nowhere, and there are lots of financial and "national security" interest in keeping it that way.
[1] https://www.bbc.com/news/world-us-canada-65305415
[2] https://techxplore.com/news/2023-05-advertisers-tracking-tho...
[3] https://www.theguardian.com/world/2018/jan/28/fitness-tracki...
And also worth noting that "place a hostile intelligence service may be interested in" can be extremely broad. I think people have this skewed impression they're only after assets that work for goverment departments and defense contractors, but really, everything is fair game. Communications infrastructure, social media networks, cutting edge R&D, financial services - these are all useful inputs for intelligence services.
These are also softer targets: someone working for a defense contractor or for the government will have had training to identify foreign blackmail attempts and will be far more likely to notify their country's counterintelligence services (having the penalties for espionage clearly explained on the regular helps). Someone who works for a small SaaS vendor, though? Far less likely to understand the consequences.
Here in boring New Zealand, the Chinese government has had anti-China protestors beaten in new zealand. They have stalked and broken into the office and home of an academic, expert in China. They have a dubious relationship with both the main political parties (including having an ex-Chinese spy elected as an MP).
It’s an uncomfortable situation and we are possibly the least strategically useful country in the world.
You're still part of Five Eyes... a privilege no single European Union country enjoys. That's what makes you a juicy target for China.
this is something I was talking when LLM boom started. it's now possible to spy on everyone on every conversation. you just need enough computing power to run special AI agent (pun intended)
You wouldn't want your mom finding out your weird sexual fetish, would you?
I bet that decision is decided solely by dev team. All the CEO care is "I want the chat log sync between devices, i don't care how you do this". They won't even know the chat log is stored on their server.
When you combine the modern SOP of software and hardware collecting and phoning home with as much data about users as is technologically possible with laws that say “all orgs and citizens shall support, assist, and cooperate with state intelligence work”… how exactly is that Sinophobia?
I’ll give you a hint: In this case it’s the one-party unitary authoritarian political system with an increasingly aggressive pursuit of global influence.
Anyone in the US should be very concerned, no matter if it is the current administration's thought police, or the next who treats it as precident.
As I am not actively involved in something the Chinese government would view as a huge risk, but being put on a plane without due process to be sent to a labor camp based on trumped up charges by my own government is far more likely.
You know of these things due to the domestic free press holding the government accountable and being able to speak freely about it as you’re doing here. Seeing the two as remotely comparable is beyond belief. You don’t fear the U.S. government but it’s fun to pretend you live under an authoritarian dictatorship because your concept of it is purely academic.
The president threatened to deport a legal citizen who won the primary for mayor in NYC. He's tried to send the military after civilians.
He's sued and extracted payment from media companies who said things he didn't like. We do not have a free press.
We're fully as bad as China. I don't know what your criteria for "authoritarian dictatorship" is but it doesn't appear to be reality based.
Man, I am glad I am not that person.
The fact is your view of reality is being warped and it’s not good for your mental health or that of your friends.
Most people aren't the type to watch The Great Escape or Bridge over the River Kwai and cheer for the camp guards. It's very brave of you.
Gonna need a more specific hint to narrow it down.
This could describe any of the countries involved.
The United States?
The difference that makes it concerning and problematic that China is doing it is that with China, there is no recourse. If you are harmed by a US company, you have legal recourse, and this holds the companies in check, restraining some of the most egregious behaviors.
That's not sinophobia. Any other country where products are coming out of that is effectively immune from consequences for bad behavior warrants heavy skepticism and scrutiny. Just like popup manufacturing companies and third world suppliers, you might get a good deal on cheap parts, but there's no legal accountability if anything goes wrong.
If a company in the US or EU engages in bad faith, or harms consumers, then trade treaties and consumer protection law in their respective jurisdictions ensure the company will be held to account.
This creates a degree of trust that is currently entirely absent from the Chinese market, because they deliberately and belligerently decline to participate in reciprocal legal accountability and mutually beneficial agreements if it means impinging even an inch on their superiority and sovereignty.
China is not a good faith participant in trade deals, they're after enriching themselves and degrading those they consider adversaries. They play zero sum games at the expense of other players and their own citizens, so long as they achieve their geopolitical goals.
Intellectual property, consumer and worker safety, environmental protection, civil liberties, and all of those factors that come into play with international trade treaties allow the US and EU to trade freely and engage in trustworthy and mutually good faith transactions. China basically says "just trust us, bro" and will occasionally performatively execute or imprison a bad actor in their own markets, but are otherwise completely beyond the reach of any accountability.
You don't think Trump's backers have used profiling, say, to influence voters? Or that DOGE {party of the USA regime} has done "sketchy things" with people's data?
This company cannot be helped. They cannot be saved through knowledge.
See ya.
Yes, even when you know what you're doing security incidents dan happen. And in those cases, your response to a vulnerable matters most.
The point is there are so many dumb mistakes and worrying design flaws that neglect and incompetence seems ample. Most likely they simply don't grasp what they're doing
As far as being "very welcoming", that's nice, but it only goes so far to make up for irresponsible gross incompetence. They made a choice to sell a product that's z-tier flaming crap, and they ought to be treated accordingly.
to assume it is not spying on you is naive at best. to address your sinophobia label, personally, I assume everything is spying on me regardless of country of origin. I assume every single website is spying on me. I assume every single app is spying on me. I assume every single device that runs an app or loads a website is spying on me. Sometimes that spying is done for me, but pretty much always the person doing the spying is benefiting someway much greater than any benefit I receive. Especially the Facebook example of every website spying on me for Facebook, yet I don't use Facebook.
Suppose you live in the USA and the USA is spying on you. Whatever information they collect goes into a machine learning system and it flags you for disappearal. You get disappeared.
Suppose you live in the USA and China is spying on you. Whatever information they collect goes into a machine learning system and it flags you for disappearal. But you're not in China and have no ties to China so nothing happens to you. This is a strictly better scenario than the first one.
If you're living in China with a Chinese family, of course, the scenarios are reversed.
This was the opposite of a professional response:
* Official communication coming from a Gmail. (Is this even an employee or some random contractor?)
* Asked no clarifying questions
* Gave no timelines for expected fixes, no expectations on when the next communication should be
* No discussion about process to disclose the issues publicly
* Mixing unrelated business discussions within a security discussion. While not an outright offer of a bribe, ANY adjacent comments about creating a business relationship like a sponsorship is wildly inappropriate in this context.
These folks are total clown shoes on the security side, and the efficacy of their "fix", and then their lack of communication, further proves that.
It depends on what you mean by simple security design flaws. I'd rather frame it as, neglect or incompetence.
That isn't the same as malice, of course, and they deserve credits for their relatively professional response as you already pointed out.
But, come on, it reeks of people not understanding what they're doing. Not appreciating the context of a complicated device and delivering a high end service.
If they're not up to it, they should not be doing this.
> Overall simple security design flaws but it's good to see a company that cares to fix them, even if they didn't take security seriously from the start
I don't think that should give anyone a free pass though. It was such a simple flaw that realistically speaking they shouldn't ever be trusted again. If it had been a non-obvious flaw that required going through lots of hoops then fair enough but they straight up had zero authentication. That isn't a 'flaw' you need an external researcher to tell you about.
I personally believe companies should not be praised for responding to such a blatant disregard for quality, standards, privacy and security. No matter where they are from.
/s