Privacy lost...

WBahn

Joined Mar 31, 2012
32,848
Geezzzz ... who on earth might have thought that installing a camera in a toilet was a good idea ... at all?
The basic idea is not that unreasonable at all. A lot of issues, ranging from pretty mundane (you're a bit dehydrated right now) to the potentially life-saving (we've detected something that indicates potential cancer or disease much earlier than you would ever have known had you waited for symptoms to appear, at which point it's too late), can be diagnosed via monitoring of urine and feces. It would seem like a technology like this might be very useful in clinical settings -- physicians' offices, hospitals, and care facilities -- but of extremely limited value at the retail level. People with specific health issues and concerns might benefit from having something like this at home, but the overwhelming majority of people wouldn't. Worse, it could lend itself to fostering a false sense of security and result in people not seeing their physicians regularly, or perhaps even when they have symptoms that something is wrong, because their toilet is telling them everything is just fine.

I'm a little baffled by the blogger's assertions -- the other party that the data is being sent to is whoever is providing the service of analyzing the data and communicating the results back to the user. What does it matter that that service is being provided by Kohler? If whatever division of Kohler that provides that service is treated as an independent third party and if the data is being handled the same way that it would be if E2EE were used with that third party, then it should qualify as being E2EE. If not, then it's not. It would also seem like the question of whether the data is being used to train an AI is a separate issue entirely. Again, if the E2EE were being used to convey the data to an independent third party using Kohler as just a messaging service go-between, the third party could still use the data to train their AI, completely separate and independent of whether E2EE is used to transfer data back and forth between it and the user.

If AI is going to be used to analyze the image data (and I don't see much of an alternative in order to be able to provide the service at scale), then the AI has to be trained. But I'm fuzzy on how it would be trained since it seems like it's open loop. It has an image that it classifies, but it has no feedback as to whether its classification is correct or not. I suppose that you could have human experts look at training set images and provide the "correct" classification, but that's also one removed, and how do you know that the experts are accurately classifying the images? It would seem that data is needed based on the AI classifying some condition and then the person being tested to determine if that condition actually applies. Plus, data from users that were not flagged by the AI as having any issue but who testing indicated did have some issue that could be detected in the imagery. I would assume that they have such training data from their R&D processes and question the training value of additional open-loop user data.
 

MrAl

Joined Jun 17, 2014
13,704
Geezzzz ... who on earth might have thought that installing a camera in a toilet was a good idea ... at all?
Where did you see that?

Things just keep getting weirder and weirder.
How about a WiFi camera surgically installed in the colon?
That would be able to detect a lot of .... :)

There are tradeoffs that come up like this in life from time to time. You accept one thing, put up with the other thing.
 

nsaspook

Joined Aug 27, 2009
16,326
https://www.bleepingcomputer.com/ne...-records-accused-of-wiping-96-govt-databases/
Contractors with hacking records accused of wiping 96 govt databases
Twin brothers Muneeb and Sohaib Akhter, both 34, were also sentenced to several years in prison in June 2015, after pleading guilty to accessing U.S. State Department systems without authorization and stealing personal information belonging to dozens of co-workers and a federal law enforcement agent who was investigating their crimes.

Muneeb Akhter also hacked a private data aggregation company in November 2013 and the website of a cosmetics company in March 2014.

After serving their sentences, they were rehired as government contractors and were indicted again last month on charges of computer fraud, destruction of records, aggravated identity theft, and theft of government information.
https://www.justice.gov/opa/pr/two-virginia-men-arrested-conspiring-destroy-government-databases
The indictment alleges that on or about Feb. 18, Muneeb Akhter deleted approximately 96 databases storing U.S. government information. Many of these databases contained records and documents related to Freedom of Information Act matters administered by federal government departments and agencies, as well as sensitive investigative files of federal government components.

Court documents further allege that approximately one minute after deleting a DHS database, Muneeb Akhter asked an artificial intelligence tool how to clear system logs following the deletion of databases.

According to the indictment, the brothers also discussed cleaning out their house in anticipation of a law enforcement search. The company laptops used by both men were wiped before being returned to the federal contractor.
Hackers are hacking?
 

nsaspook

Joined Aug 27, 2009
16,326
What if the "deep state" is nothing more than a consequence of hiring the wrong people?
This was a bad contractor looking for cheap workers for a contract.

Them at the job interview: "The several year gap on my CV was for Top Secret work at a government institution that I can't talk about"

Muneeb was sentenced to three years in prison, while Suhaib received a two-year sentence.
https://www.fedagent.com/news/contr...twin-brothers-previously-convicted-of-hacking

The brothers, Muneeb Akhter and Suhaib Akhter, worked as engineers at Opexus, a contractor that provides software services for processing government records. It is owned by the private equity firm Thoma Bravo.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,765

WBahn

Joined Mar 31, 2012
32,848
Edit: I just noticed that the article is really an infomercial ... but it's interesting nevertheless
This is known as signals analysis, which is a part of the broader field of SIGINT (signals intelligence). It has been around for centuries, if not millennia. Just knowing who is talking to whom leaks valuable information. Once radio communications became common and message encryption became the norm for sensitive information, it was quickly realized that just the volume of traffic often conveyed actionable intelligence, which is why radio operators were commonly tasked with sending a roughly constant volume of encrypted traffic every day spread throughout the day, even if it was random gibberish. But this also fosters boredom and sloppiness among young radio operators working in very stressful and uncomfortable situations, which is likely what led to a major break in Enigma and the removal of the Spanish navy from the chessboard as an effective player.

Today you can see geodesic "golf balls" at military bases and elsewhere. Those are there for one main reason -- to keep onlookers, be they on the ground or in space, from seeing where the antennas inside are pointing. Just knowing which satellites we are communicating with leaks valuable information.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,765
In August 1999, Hotmail experienced one of the most widespread web security breaches of its time. A flaw in its login script allowed anyone to log into any account by entering “eh” as the password. The exploit, publicized by a hacker group called Hackers Unite, exposed millions of accounts in mere minutes. Microsoft quickly patched the issue and denied it was a deliberate backdoor. This incident remains a cautionary tale in cybersecurity history.


 

MrAl

Joined Jun 17, 2014
13,704
In August 1999, Hotmail experienced one of the most widespread web security breaches of its time. A flaw in its login script allowed anyone to log into any account by entering “eh” as the password. The exploit, publicized by a hacker group called Hackers Unite, exposed millions of accounts in mere minutes. Microsoft quickly patched the issue and denied it was a deliberate backdoor. This incident remains a cautionary tale in cybersecurity history.


Hi,

There are various sayings in security that tell us what to expect sometimes. This mess up is a big surprise because one of the sayings that has been around for quite a while is:
“Obscurity is no substitute for security”

and there are variations on that that mean the same. It's like using a Hide-A-Key under a rock so you don't get locked out of your house. You expect nobody to ever look there, but that's not secure, it's an attempt at obscurity. There's also the magnetic car key holder hidden somewhere on the outside body of the car where all the attacker has to do is search to see if there is one hidden somewhere on the body.

If they were working on software that important, they should have known that saying. So much software these days is just so dumb anyway though. Might as well hire monkeys with typewriters :)
 

WBahn

Joined Mar 31, 2012
32,848
It really wasn't at all a case of using a Hide-A-Key, it was a case of inadvertently leaving a development hook in the production system, something that happens all too frequently, though today there are more formal and automated ways of preventing it than were around back then. It is very common practice to hardcode things, including credentials, when developing code in order to streamline the development process. Oftentimes, that code was left in place intentionally in the production code so that it could be used in the future as development work continued. Today, this is less common as development platforms make it much easier to manage and coordinate Debug and Release codebases. Other times, it is only meant to be there temporarily and is supposed to be removed in the final product. This was an example of the latter. A legacy CGI script was used to facilitate code development work and wasn't removed. The script didn't have any normal links to it, but it could be invoked directly if you knew it existed. While exploiting the vulnerability was easy, it was NOT as easy as just using 'eh' as the password at the normal login prompt.

The group that exposed the bug acted extremely irresponsibly. The generally accepted practice is to quietly notify the owner/developer/operator of the system about a bug and give them some time to patch it before going public. But Hackers Unite wasn't interested in improving anything or safeguarding anyone; their primary objective was to shame Microsoft, and they didn't care who got hurt in the process. They could have still given Microsoft a black eye by giving them a heads up, waiting a week or so, and then going public. But they clearly felt their agenda was better served by intentionally doing things so as to needlessly expose fifty million accounts to unauthorized access during the three to four hours that it took Microsoft to fix the bug once it was aware of it (and this was an incredibly fast response for those days, when it often took days or even weeks to patch a system and stand it up). Given that Microsoft's response was so much faster than the norm at the time, it's easy to imagine that Hackers Unite had expected, hoped for, and eagerly anticipated there being a lot more damage caused by their actions.
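As an added example (not code from the post above, and not Hotmail's code), a constructed login routine carrying the kind of development hook WBahn describes, the hardened form without it, and a release-time check of the automated sort he alludes to. The user store, function names and hook-marker patterns are all hypothetical.

```python
"""Constructed example (not Hotmail's code): a development hook left in a login
routine, its hardened form, and a release gate that fails when such hooks remain."""
import hashlib
import hmac
import inspect
import re

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store (hypothetical data): username -> (salt, PBKDF2 hash).
USERS = {"alice": (b"salt-a", _hash("correct horse", b"salt-a"))}

def verify_credentials(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash(password, salt), stored)

# "Before": the kind of hook the post describes, a hardcoded credential added to
# speed up development that opens every account if it ships.
DEV_BYPASS = "eh"  # TODO remove before release

def login_with_dev_hook(username: str, password: str) -> bool:
    if password == DEV_BYPASS:  # accepted for any username, even a nonexistent one
        return True
    return verify_credentials(username, password)

# "After": the production login path has no bypass at all. Developer convenience
# belongs in test fixtures that seed USERS, never in the authentication code.
def login_hardened(username: str, password: str) -> bool:
    return verify_credentials(username, password)

# Release gate: one of the automated checks the post alludes to. It flags source
# lines carrying the markers of a left-over hook; release_gate() is True only
# when none of the given functions' source carries such a marker.
HOOK_PATTERNS = [
    re.compile(r"TODO.*remove before release", re.I),
    re.compile(r"\bDEV_BYPASS\b|\bBACKDOOR\b|\bdebug_login\b", re.I),
    re.compile(r"password\s*==\s*[\"'][^\"']+[\"']"),  # literal password compare
]

def find_dev_hooks(source: str) -> list[int]:
    """Return the 1-based line numbers in `source` that match a hook marker."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if any(p.search(line) for p in HOOK_PATTERNS)]

def release_gate(*funcs) -> bool:
    return all(not find_dev_hooks(inspect.getsource(f)) for f in funcs)
```

Running release_gate(login_with_dev_hook) returns False because of the DEV_BYPASS comparison, while release_gate(login_hardened, verify_credentials) returns True.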
 