Linus Boycotts Anker After Security Disaster

Not discounting Paul's work on highlighting the issue, and some of the fancier details he and others found... but the fact that it was there with F12 is enough to get anyone interested, and yet they aren't even a brand new product.
Only 'smart' device i have is a marantz network receiver, and first thing i did was was hook it up via ICS and ran wireshark on it while scanning it, only weird activity was it used port 5001 to check for firmware updates, that port is usually a chess server :D

Spyware is a bit too harsh for a stupidly written software written by dumb engineers and a marketing team who ignore about how their product works.

@@NopWorks it takes pictures of you using facial recognition, and sends those pictures to their servers. Their advertising claims that they never take your data and that all videos and picture are store locally. They lied, and they spy.

@@Sumguysazz i liked your comment, TH-cam didn't. It got shadow banned. You're right though, the company works with the CCP to enforce the uyghur camps.

@@NopWorks And what is the proper name for people like you that are in complete denial of the most basic facts?

What stuff?

@@O1OO1O1 n00dz =P

It is absolutely necessary for data recovery to look at the data. When reconstructing/mixing/XORing/interleaving sectors, you have to verify that the data actually works, and it's not just a recovery program seeing spurious JFIF file headers.
Now I'd recommend to remove any important data from a device that you bring in for repair, but that might not always be possible, in particular not with devices where NAND/SSD is directly soldered on, or where getting access to the hard drive isn't possible for the layman.

"YOUR PRIVACY IS OUR PRIORITY"
You can add custom CSS / Javascript right here.
😂

Now this job offer I can't reject until 1 year later.
How to apply? XD

I think I'll do that, to be completely honest. I've got cams but they're crap

Motioneye

Raspberry Pi's are incredibly vulnerable to opportunistic attacks.
Weak or improper configuration (Eg: SSH, default password / Ports) can allow bad-actors access to an entire network-feed.
Hardening is required on ANY Pi project with a live camera-stream, but the options are often limited due to the performance deficit.
It is much better to setup a wired system that records to a central database.
The great thing about the Pi Project is the open source nature. Just make sure the project has actually been audited before personal/local deployment.

You can look in to Ubiquiti. it's not perfect by any stretch of the imagination. But it does allow you to keep it fully local after first setup. So no network required since all storage is local

@@malthehansen7915 what you described is certainly not exclusive to PIs, and honestly I'd trust a non-standard system I set up myself more than one of those that thousands of people who know nothing about security have installed in their homes. If those have a vulnerability, attackers will know how to exploit it. If my Pi has one, most opportunistic attackers wouldn't even know how to handle it, since most people don't use Pis for that purpose, so it's going to be an unexpected system.
It's a little security thru obscurity, but most people's threat model is the average burglar who would AT BEST only know how to disable mainstream security, not some weird non-standard stuff like a Pi set up without any wireless capabilities unlocked, just wires leading to an internal server somewhere.

or just dont buy anything privacy related from CHAINA

What do you buy. I have been searching for AGES for some decent camera equipment which doesnt have any IoT functionality but no luck

@@MrPaxio ironic since setting something so basic could only came from Chinese camera and parts. There's almost no basic component products marketed in US and EU. A couple that do would almost guarantee double the price for similar specs out of Chinese supplier.

@@MrPaxio ...or the United States of America.

Also IT guy here... Seems unorthadox having to look into the browsing history for that, especially if it's just driver issues. Unless the customer signed a waiver allowing you to do that, the very first thing you would do is to run an antivirus and of course optionally back up prior if there's sensitive data on the drive.

@@0x1EGEN audio suddenly not working is not always a driver issue, it's usually either hardware or a user doing something dumb. Retracing their steps to see if they did a dumb is efficient and can be used to show the user how to avoid issues in the future. Process takes a minute or two and can give great insight into the source of the problem.

@Jceggbert5 Also just asking them what they did wrong would need them to understand what went wrong in the first place. So just asking the customer doesnt really help at all. And some customers suddenly develop short term amnesia for dumb stuff they did..

Right? It's not like all of the solutions are in one place all the time, you have to investigate to some degree
Now I remember the time like 12 years ago I downloaded a virus from the internet and the IT dude asked me what site I went to which gave my PC a rootkit virus 🤭. If my parent took the laptop before I was able to have an over the phone diag done he prob would've done what was asked on the phone

@@jceggbert5 it's like going to the doctor with a std and they start calling your sexual partners to let you know which one of them to avoid in the future. Your job is to repair the thing, don't overthink it.

Yeah I was ready to call BS on Linus but this is really bad. And the company could obviously have been pressured to do it by their government, which would mean they will never fix it

Linus cares about the people and what the people become exposed to by their influence

Linus is a business man, but he’s a principled, consumer-first type of businessman (as opposed to shareholder first or revenue first). So he won’t do anything, or associate with anyone that negatively affects his consumer base.

He did the same to nvidia

He's only principled until the company buys an ad spot from him. And then he magically forgets all wrongdoings.

Honestly just report them to Microsoft, licensing in the tech world is a huge thing.

@@blau.specht hahahahahaha, you seriously think that? When's the last time you heard of them (microsoft) doing anything at all to enforce their license? The days of the BSA and don't copy that floppy tattling rewards are long over. Microsoft lost that war to the rampant piracy of china and russia.

I've bought off the shelf Windows copies that had already had the key used - and when I got in touch with MS to fix my key, guess what the tech used to try and remediate it?
Not sure why turning off updates would make activation work. Smells like bullshit to me.

Hell, report them for fraud;
You paid for something, they didn't deliver, but actively tried to scam you. Thats textbook fraud.
You should be entitled to a full refund, or at the very least, the value of a real Windows key.

This is why you always take your hardrive out when bringing PCs to repair.

@@Aura_Mancer yeah, honestly I'd have to do that nowdays because with LUKS full disk encryption turned on, I really don't trust smaller repair shops to not say they "fixed" my computer by wiping my entire OS and any data on it.

@@BurnerWah i'm sure you could sue them for such damages

Mouse drivers can actually have malware, but you are right they never should have needed to scan for it unless it was blatant while stress-testing (yes booting windows is technically relevant, that said most fan repairs I wouldn't need to load it to know the fan was spinning ok) Most decent IT guys are too busy to look at other ppl's files, I have sometimes had something like malware jump out at me (BTW malware can cause actual damage running the fans etc flat-out) In which case the customer should get a phone call about it. Often when repairing ppls er um 'photos' jump out at you... you try to close it pretend you didn't see to avoid embarrassment (lost customer/return business) But TBH you wouldn't believe...

Did they replace the fans though? 🤔

Yup I was about to drop a couple K to fully cover my place, and after the initial announcement I put it on pause to see if they reacted acceptably. Which to me would be contracting a known third party cyber security company to fully audit their systems to lock it down. Then put their systems up for pen testing with bounties. If they did that I'd happily still throw money at them
But they went the complete opposite direction, hell they basically didn't even go into damage control mode.

right, "caught by the IT dept" with a n00dz folder in the desktop XD
just sigh and change the default browser back to Chrome.

@@endless2239 why chrome though

@@endless2239 hardened firefox is better

they probably just crashed the main server, which then subsequently crashed every bot

@@comet.x From the info in the video from the article, I got the impression that the _malware_ crashed, when sent a malformed command, from the control server it is _listening_ to, and the aspect of the malware which the researchers edited, was the IP the malware was listening to as it's control server...

and if you're peeping through a customer personal stuff, you probably have too much time, get another job.

@@endless2239 Work time doesn't quite work that way. It is extremely rare to be in such work place that would just allow you to switch doing work for a job outside of the company if you get any slack time between assignments.

@@anteshell that's not what I meant, but ok I guess?

@@endless2239 you said "another" which means a second job. And what I said is accurate whether or not you meant how I interpreted it. This kind of job is not "hands full 100% of the work time" type of job. Very few jobs are like that with no slack time at all. There is a lot of waiting for things to happen and the amount of slack time depends a lot on the amount of active work orders.
But regardless of all that, there it is still not possible to do a second job during that as the schedule is impossible to arrange in such way.

@@anteshell he was saying stop wasting time scrolling threw customers shit but you knew that by get another job he meant stop doing the first job but you knew that lol

that is the only way it should be done. sadly most ppl dont even think about their privacy could be exploited like that and dont take measures.

That only applies if the hardware is at fault, if the fault is software or combination of software-hardware you are out of luck.
Hell, once it was just a faulty hard drive causing issues, we just cloned it to a new one and cleaned windows install + drivers.

I keep my hard drive encrypted so they can't even get through the bootloader.

That’s sadly not possible anymore in many laptops with soldered storage :/.

I go so far as to dump stock images of any new device I acquire, and burn them back to the device if possible before RMA. If I can't get a stock image easily, the device goes back anyway. Somehow I've ended up with an army of pi clones.

Oof, reminds me of the time I severely damaged the case of a desktop while disassembling due to me rushing through it. Took full responsibility for that huge mistake, repaired the damage as best as I could and was transparent with the customer about what had happened. The customer was a farmer who was gonna use it to manage some old software so he did not care as long as it was functioning
I learn from my mistakes lesson is: don't rush even if there are multiple computers that needs to be worked on.

dealing with customers compared to dealing with family are way different experiences

@@evilgibson It's about as awful, except customers usually give you money for using your time to fix their stuff.

@@MarktheRude If I had to fix a family member's PC you *bet* I'm giving them my PayPal and saying "Hey, maybe pay or I won't give the PC" or beter yet,
ASK THEM TO PAY UPFRONT

@@WohaoG either your time is really valuable or you arent kind to your family, as i would never ask money for helping family.

@@poplix2704 My time is really valuable as a person who usually sleeps at 2AM due to work

I would not really say that the eufy incompetence extends to everything Anker

@@tomasxfrancoObviously eufy incompetence doesn’t imply incompetence throughout Anker, but it DOES at least introduce doubt in their overall competency which could lead to incompetence in other areas

I just bought an anker 4 port usb hub, now I’m worried that I should return it? Any thoughts?

@@IAmLeutrimTopalli you will be fine

@@IAmLeutrimTopalli what are you worried about with a damn USB hub. What? The hub taking all your USB drive data and sending it to China? Lol.

you should still ask or at least notify the customer about what you do first tho

@@JustPlayerDE i do, i just didn't put in every little step. I was just covering how I document for them EXACTLY what I did and that no hardware changes rooms once I start.
Added: I did say I was upfront about making sure they know in my post. If they didn't agree, I would recommend a tech who would do it without backing up that I trusted. He also sent me some business.

Laws have a habit of backfiring and being used in unforeseen and undesirable ways. I honestly don't believe the problem here is only with the technology or the services exploiting it. I believe the bigger problem here is the people themselves who use those services. Anecdotal, but I've tried to explain security issues related to "technologies of convenience" to many people many times and the depressingly disappointing responses I hear over and over again are "so what?" and "I already know, but don't care". Try explaining to a teenager that TikTok is literally Chinese spyware creating a vast database of every public detail available of them and all of their friends and 99 times out of 100 they'll simply roll their eyes and keep using the service, but will still loudly complain about being negatively affected by it when the day of reckoning finally comes. Most people are addicted to their phones, to social media and to the convenience some of those products provide regardless of potential consequence. A person of low intellect (i.e. most people) will simply refuse to care until it affects them directly. Although some may suffer consequences due to their own actions, I believe it's foolish and degenerative to the evolution of humanity to constantly create news laws which essentially exist to protect dumb people from themselves as it only teaches them that they don't need to ever face any consequences for their choices. The average IQ across the planet is in the low 80s; Changing the world to suit the average fool will only hurt us all in the long run. The real problem with technology is that we made it idiot proof and accessible to the average low IQ consumer. We should have stuck to the command line and kept the GUI locked in a vault of possibilities until such a point that humanity had become intellectually capable of using it responsibly and phones should have stayed dumb forever.

@@pbjandahighfive you know, the IQ actually measures how much deviation from the average you have, so, the average is 100

@@pi4795 Literally incorrect. The MEAN score of the IQ test itself is 100 with a standard deviation of 15, but that does not mean that the average person has an IQ of 100. MEAN =/= AVERAGE. In this case it means the average person will have an IQ between 85 and 115. The AVERAGE IQ SCORE for the human population across all continents is in the low 80s because while the AVERAGE person has a score between 85 and 115, for the rest of the scores outside of the MEAN DISTRIBUTION there are more scores BELOW 85 than ABOVE 115. Educate yourself before trying to educate others next time.

@@pi4795 Yeah I knew you wouldn't reply after being thoroughly slapped with reality.

@@pbjandahighfive not only the mean, but the median and the mode of the IQ was at least designed to be 100. But maybe is not the case anymore (or never was worldwide?) Good to know

*Especially* on Android. (And I say this as an Android "Fanboy")
Me; Installs any app.
App; "Yeeaaahhh, so I'm gonna need access to any and every service on your phone, your personal bank account, and your DNA"

@@The_Keeper Apple does it too.
Hell, they are datamining your phone while you have all that shit turned off

I agree with you.
what charges would apply under such circumstances?

@@mito88 I'd have to ask my lawyer. Though, their employment contracts explicitly state that doing such things would be a breach of our terms. So, at the very least... breach of contract. Which while merely a civil issue, would perhaps help mitigate the money I'd be forced to pay out to the victim. To some small degree.
But, I'd press for more serious charges.
I love my employees though, and none of them would ever do this. So, I don't really have to worry about it. :)

No you wouldn't. If you caught em with nudes sure, but ar eyou going to fire a guy for opening My Documents?
Nah, you're not. Stop chest beating.

Because it's a person looking at your computer... No matter what company you go to, you'll likely have at least one person like that, even with the best hiring practices it would be hard to filter out everyone and it's not as if there's a special breed of person who fixes computers but refuses to look at porn or other material on somebody's PC and only the "good" stores like Apple hires them.

@@vgamesx1 I dunno. It sort of feels like there should be a level of privacy and respect there.
Like I get people have urges but it's like, I should still expect that I can leave my nan at the funeral home, without having to think what they've done to her, you know?
There should probably be some oversight if you don't think you can trust your staff.

@@carrotman There should be a level of privacy there, but humans will do human things. As for oversight, I doubt these people are jumping into their customers porn the day they get hired. People can't be watched 24/7. It sucks, but I wouldn't trust anyone to fix my PC. Ill pull hdd out or just buy a new one before letting a stranger touch mine.

@@carrotman There should, but unfortunately in the world we live in, you have to look out for yourself, if you ran a shop, then how do you spot at a glance the difference between someone doing work and someone goofing around messing with people's stuff.
You can't watch somebody 24/7, that'd be a waste of your time, which you should be using to fix your own queue and even if you did somewhat keep an eye on them, it's unlikely they'll do it to every single PC that lands on their desk.
The best thing you can do is find a shop that you're fairly certain you CAN trust and as others said if you're unsure, then the next best thing is to pull any drives or lock the device and maybe go as far as the reporter to set up device monitoring.

@@vgamesx1 Yes. Practically, I do just remove drives whenever my PC has a Booboo too big for me.
But it's still weird we've just accepted that, hey, IT guys are pervs and will invade your privacy for fun, no biggie.
I mean. Is it impossible to check?
Well, no.
Even if they used a 'Secret shoppers' technique and used the monitoring software like in this video, you'd be able to know if some of your workers did this at least the PC handed in.
But like, they don't even do that. Because everyone's just chill with it....

You mean batteries spying on us ? :0

@@DrumToTheBassWoop We already have USB-C *CABLES* that can contain malware. It really would not surprise me that the controller on the battery charger can be compromised.

@@kennethng8346 for fuck sake...
Is there nothing I can get a minutes peace from spying. 😑

Until for some reason they do a BadUSB.

You're essentially rolling over and letting Anker know you don't care how bad they screw up as long as it doesn't affect you, you'll still give them your money.
I'm not buying another Anker product, period, because of this. They can get fcked

I’m gonna still use their stuff. I’m not buying anymore though

I mean, I would still be sus about it

@@lillywho Would they then explain how it's actually a feature and that they'll make sure to detect when you're away from the computer in the next batch? :)

were looking for this xD

Yup! I covered it a while back. For people interested: www.theverge.com/2021/5/19/22444164/eufy-security-camera-glitch-privacy-feed-exposed-statement-details

Thanks my dude :)

@@Seytonic sir, anything to say about wickr getting turned off on december?

Wow

That doesn’t explain how they can update the code of all the infected machines.

@@Skidday Yeah, they have changed the C&C server address in order to send out syntax error command.

@@Skidday they had the code they could have easily taken the original c2's address and sent the malformed command.

I read the blog post and it seems like they weren’t the ones that caused the crash- the threat actors themselves were after they forgot a space in a command. They just captured the malformed command coming through and were able to replicate it on their own captured instance and spoofed C2.

@@Padgriffin This makes way more sense than the original take. Thanks for the update.

Yeah so what about the new iPhones with no sd card ….

I guess shutting down the phone still applies

@@giorgosterzakis3286 What if there's no pin? And no, a lot of regular people don't even know they can set a pin so that point is moot.

Bro wtf are you even saying this is a cyber security news channel

Yes on the cameras. I also feel like LTT should be more rigorous in evaluating these privacy and security claims. Given their platform, they ought to have the expertise to really in investigate privacy and security claims. Otherwise, they are just reading stuff from the box and website and serving it back to users.

@@jamesregovich5244 i agree, given how they've bought a lab for testing, I see no reason to not do it

People like to see them with there phones cc cameras are remotely viewed by bosses to check on employees as common practices now a days

@@jamesregovich5244 ltt isn't responsible for shitty people they didn't contract with eufy they contracted with anker who owns 30 companys and they don't test door cameras yet

@@ImInSpainWithoutTheS you spend money testing shit then they don't test door cameras yet maybe they will but they don't have to test every product asker sub companies make bec you believe they should

If you know about, and use, VeraCrypt you can probably fix things yourself. Any average person will not be able to do this at all.

@@Amplificator very true, most repair shops are rip-offs either way by asking a ton of money for a small job.

It would have worked but also, if folders exist, you don't have to go in, look at files, copy them to external storage, in order to know that they probably don't want you deleting the folder.
If I brought my laptop to get my speakers fixed and the guy totally wiped it, that would be a bad thing. Even if it was relatively new.

@@carrotman The idea isnt to just wipe and not tell the user. Its to tell the viability of a wipe. If you see files then you know you cant even try a wipe and its going to be alot of work. If its clean then you can talk to the user and tell them a wipe might fix the issue. Its all about the next steps and knowing what your getting yourself into before opening your mouth on a problem.

agreed, I also sometimes do look for "bank statement.exe" in the documents folder, then you know something may be compromised.
another usual is to go through a lot of jpg thumbnails, I have discovered many faulty drivers and ram problems that way.
HOWEVER, browser history peeping? no excuse.

Except you don't know where the user saved their files. Simply looking in the documents folder or pictures folder and seeing them being empty, is no indication that no other data is stored anywhere else on the drive. It's not as simple as that, and if you do what you suggest you'll eventually end up destroying data for sure.

@@Amplificator Most users who are non-technical have a high chance of storing data in these places. So its a good bet. However, this is a simple check to see if its even viable. Not to just do it. If you read the other reply you would know that this is simple a quick check to understand how receptive the user will be to asking about a wipe. If they have ages of data stuffed into the machine then its probably not going to be viable. But if they have just a few things saved then they are going to likely be more receiptive to the idea of wiping the system. No one is saying to do anything without user's permission.

@PPGP News I agree with the last sentence. I used to have a security camera, but then we got rid of it since we’re so bland no one would want to sneak in our house anyway. Same for the camera provider, they have nothing to see. I’m just a bland person with no girlfriend so they don’t even get the chance to record hot-blooded action every night. So yeah, highly relatable.

They *specifically* advertise their products as "No Cloud". That doesn't mean, "well, we run Cloud data *unencrypted* in the background. Oh, and we run your personal data in plain-text."
Nah man, this is either malice or stupidity, not lack of informing the consumer.
Remember, this is enough of a GDPR violation that its bad enough to most likely make Eufy banned in the EU.

funny thing is, this probably applies to "security" devices like cameras and stuff as well. most people would be better of using a custom setup, but most people also don't know how to do that

@Lord_Vertice I agree. My only thing with DIY solutions is that you aren't going to find the most effective hardware for it on a budget. You can make an IP camera with a single board computer like raspberry pi, however the camera you can get for them isn't very good for something like security footage. When it comes to security, you get what you pay for. The currency is either your money or the work and knowledge you put into it.

Take out your SSD for any physical issue

Do you repair your own things then? You just sound paranoid. I don't take my devices to shops because I just do it myself for cheaper, and typically with better results anyway.

What is stopping a mechanic shop from cutting your brakes? Or a supermarket from injecting poison into the products? Are you going to grow your own food? If you apply your logic to other things you seemingly can't trust anyone or anything. It's a flawed way of thinking. And if you only apply your logic to this one single area, then you have a strong bias for some reason.

@@Amplificator I guess the reasoning behind it is that with something like computer repair, it's harder to prove. Cutting the brakes is easily provable because you can physically see the brakes are cut, and the fact that the car won't stop. Installing some sort of malware that deletes itself once it's harvested all your files is significantly harder to prove, for example
I'm not saying the guy is being reasonable in his assumptions, but if that's the logic he's basing it off of it makes a little bit of sense

@@Gatorz_Gaming sure, ill just take the 'ssd' out of my cellphone. Clown

still doesn't make it ok :)

"Boredom" doesn't justify anything. I don't look through peoples drawers if I'm at someone's house and I'm bored. Bring yourself a ball to bounce off the wall, a book, a crossword, etc. Don't breach people's privacy because you're bored.

🤢🤢🤮 I hope that business goes under ASAP

Okay do you know how to prevent it in user level?

@@Redwan777 if you want your computer fixed, no

No it wouldn't be.
Turning off the driver manually would be though.

It's either you lack understanding or you're just a pure hater. As a tech and privacy activist, what is he expected to do? Ride them up like you're obviously doing??? 🤦🏾‍♂️

He trades on his credibility, whenever a product is featured the LTT community basically crashes the website. He doesn't need to keep shady companies around because there's always another waiting and they know people trust their judgement.

Nah, he's just saying he cut ties with them... Like, yeah he's overdramatizing, but that's just yt

He’s pretty much the largest tech channel and it’s not that he’s saying that he’ll put them out of business but instead he’s speaking on behalf of his own company of ltt, “we’re done with anker” we’re not him telling his audience to do anything himself but referring to the company.
He knows that stopping ads with ankor won’t personally affect him, but other channels would be likely to also drop them as a sponsor, which will lead to a large drop in sales in a very competitive market.

He's a tit.
I guess some people need folks like him?
I'm petsonally happier doing my own research.

Me too. :-)

You are 9 minutes ago for me

I have screenshot to prove it. Also only 4 views at that point. ;-)
But yes, I was watching a bit and only later looking at the comments and saw the 13 sec. one.

Wtf dude why didn't you tell management

if the VM had internet access, the command could easily have escaped.

why pull the driver when you can use a Linux live USB, I carry on me everyday.

I had no idea what the pun was, so I asked ChatGPT... Is this correct?
In this case, the pun is using the name of the Canadian band "Simple Plan" and the word "simple" to create a humorous statement about Canadian computer scientists. The joke is that the computer scientists have come up with a plan that is both easy to understand (simple) and also coincidentally shares a name with the band.