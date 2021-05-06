
(Gizmodo)   Peloton's quality control problems continue. Their API exposed all user data. Maybe they should have just stuck to overpriced stationary bike hardware   (gizmodo.com)

sirrerun [TotalFark]
5 hours ago
IoT = Internet of Take My Identity
 
question_dj [TotalFark]
3 hours ago
This is why your internal API calls all need authentication. Just because the API is an internal back-end call doesn't mean it shouldn't be secured.
 
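As an added illustration of the point above (this code is not from the thread, from Peloton, or from the Gizmodo article; every user, session token and request shape in it is constructed for the demo), here is an "internal" endpoint that hands back every user's record to any caller, beside a hardened version that requires a bearer token and then applies object-level authorization so a caller only ever receives their own record:

```python
"""Added example: an unauthenticated 'internal' API handler beside a hardened one.
All users, tokens and the Request/Response shapes are constructed; no real service
or data is involved."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample "user database" (the kind of PII an all-users endpoint leaks).
USERS = {
    "u-1001": {"id": "u-1001", "name": "alice", "email": "alice@example.com",
               "dob": "1990-01-01"},
    "u-1002": {"id": "u-1002", "name": "bob", "email": "bob@example.com",
               "dob": "1985-07-04"},
}

# Constructed session store: bearer token -> user id. A real service keeps these
# server-side with expiry; the values here are placeholders.
SESSIONS = {
    "tok-alice-3f9a": "u-1001",
    "tok-bob-81c2": "u-1002",
}


@dataclass
class Request:
    headers: dict   # e.g. {"Authorization": "Bearer <token>"}
    query: dict     # e.g. {"user_id": "u-1002"}


@dataclass
class Response:
    status: int
    body: object


def get_all_user_data_unauthenticated(req: Request) -> Response:
    """The flaw: a back-end call that trusts every caller because it is 'internal'.
    Anyone who can reach the URL gets the whole table."""
    return Response(200, list(USERS.values()))


def authenticate(req: Request) -> Optional[str]:
    """Return the user id bound to a valid bearer token, or None."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    # Constant-time comparison so token lookup does not leak timing information.
    for known, user_id in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return user_id
    return None


def get_user_data_authenticated(req: Request) -> Response:
    """Hardened version: authenticate, then authorize at the object level."""
    caller = authenticate(req)
    if caller is None:
        return Response(401, {"error": "authentication required"})
    # Default to the caller's own id; an explicit user_id must still match the caller.
    requested = req.query.get("user_id", caller)
    if requested != caller:
        # Do not reveal whether the other id exists; a uniform 403 is enough.
        return Response(403, {"error": "forbidden"})
    record = USERS.get(caller)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


if __name__ == "__main__":
    print(get_all_user_data_unauthenticated(Request({}, {})))          # leaks both users
    print(get_user_data_authenticated(Request({}, {})))                 # 401
    ok = Request({"Authorization": "Bearer tok-alice-3f9a"}, {})
    print(get_user_data_authenticated(ok))                              # alice only
    idor = Request({"Authorization": "Bearer tok-alice-3f9a"}, {"user_id": "u-1002"})
    print(get_user_data_authenticated(idor))                            # 403
```

The two checks are separate on purpose: authentication answers "who is calling", and the per-record comparison answers "is this caller allowed to see this record". An endpoint that does the first but not the second still lets any logged-in user enumerate everyone else by changing the id in the query, so both belong on every handler, internal or not.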
LarrySouth
1 hour ago
It's almost like they were funded/directed by a group dedicated to bringing down the maximum number of fools who supported LD2S...
 
steklo [TotalFark]
1 hour ago
I can imagine the board meeting...

CEO: How did this happen?
CIO: Uhm...We forgot to secure the API.
CEO: You're fired.
 
Prank Call of Cthulhu
1 hour ago

sirrerun: IoT = Internet of Take My Identity


The "S" in "IoT" stands for security.
 
Rent Party
1 hour ago
If you are dealing with technology from a company whose core business is not technology, you should just assume the technology is crap.  Say, for example, you deal with a company that sells really expensive stationary bikes that have all kinds of features like "storing stuff in the cloud"; you should just assume that "storing in the cloud" equates to "probably isn't going to last long and while it does will be available to anyone that cares to look for it."

There is a bizarre attitude in non-technology based companies that code, systems, APIs, and all that it entails is just going to get written by some dude in the basement in a couple of weeks.
 
ssaoi
1 hour ago

steklo: I can imagine the board meeting...

CEO: How did this happen?
CIO: Uhm...We forgot to secure the API.
CEO: You're fired.


CEO: Also, who the hell is the API?  Fire him too.
CIO: <sigh>
 
Tom_Slick
1 hour ago
So what got exposed the amount of clothes hung on the exercise bike did the clothes ever move?
 
durbnpoisn
1 hour ago

Rent Party: If you are dealing with technology from a company whose core business is not technology, you should just assume the technology is crap.  Say, for example, you deal with a company that sells really expensive stationary bikes that have all kinds of features like "storing stuff in the cloud"; you should just assume that "storing in the cloud" equates to "probably isn't going to last long and while it does will be available to anyone that cares to look for it."

There is a bizarre attitude in non-technology based companies that code, systems, APIs, and all that it entails is just going to get written by some dude in the basement in a couple of weeks.


But isn't that why such companies normally hire an outside firm to produce such software?  You know, a company that knows the security and best practices for this sort of thing...

I would think that it was pretty impractical to hire a bunch of nerds to build it in-house completely.
 
Atomic Jonb
1 hour ago

steklo: I can imagine the board meeting...

CEO: How did this happen?
CIO: Uhm...We forgot to secure the API.
CEO: You're fired.promoted.  And tell my daughter we will be over at 6:00 for dinner on Sunday.
 
dittybopper [recently expired TotalFark]
1 hour ago
When you get on the bike the data escapes with the help of its friend, an API named "Mike"
And away it schleps to the dark web nets while Fella and Ursula keep in step....
 
RTOGUY [TotalFark]
1 hour ago

Rent Party: If you are dealing with technology from a company whose core business is not technology, you should just assume the technology is crap.  Say, for example, you deal with a company that sells really expensive stationary bikes that have all kinds of features like "storing stuff in the cloud"; you should just assume that "storing in the cloud" equates to "probably isn't going to last long and while it does will be available to anyone that cares to look for it."

There is a bizarre attitude in non-technology based companies that code, systems, APIs, and all that it entails is just going to get written by some dude in the basement in a couple of weeks.


Having seen several furnaces and AC compressors fried from Nest thermostats, I don't think IoT gadgets are given any thought beyond "how can we take something that works perfectly well, fark it up and add WiFi".
 
caffeine_addict
1 hour ago
I haven't had a gym membership for years and didn't trust THEIR way of securing my data when I did have one.  I was never going to trust a non-Tech company selling an overpriced Wii fit POS on steroids.  I am a simple person - elliptical, total gym, pilates ball, and an inversion table.  If I feel like going outside I can go for a walk or run.  I never and still can't understand why people paid so much for those things plus the monthly membership fee and the majority of them turned into high priced clothing racks

Excuse me.  I have to be at my gym in 26 seconds
 
Don't Troll Me Bro!
1 hour ago

Rent Party: If you are dealing with technology from a company whose core business is not technology, you should just assume the technology is crap.  Say, for example, you deal with a company that sells really expensive stationary bikes that have all kinds of features like "storing stuff in the cloud"; you should just assume that "storing in the cloud" equates to "probably isn't going to last long and while it does will be available to anyone that cares to look for it."

There is a bizarre attitude in non-technology based companies that code, systems, APIs, and all that it entails is just going to get written by some dude in the basement in a couple of weeks.


Part of the problem with that last part is caused by programmers. "I can do that in [insert obviously bulls__t short timeline]." My entire career, at every company I've worked, from all experience levels of programmers, there are a disturbingly high number who legit think they are Superman and like to make those claims. Sometimes it fools management in engineering and tech companies, so I can definitely see it fooling a jock who took a gander at making that stationary bike that addressed all the issues they have with all the bikes on the market.
 
edmo [TotalFark] [OhFark]
1 hour ago
I put my data in a thing connected to the world. How on earth does my data get loose in the world?
 
GORDON
56 minutes ago
YOU CANT RUN, YOU CANT HIDE
 
dittybopper [recently expired TotalFark]
52 minutes ago

Don't Troll Me Bro!: Part of the problem with that last part is caused by programmers. "I can do that in [insert obviously bulls__t short timeline]." My entire career, at every company I've worked, from all experience levels of programmers, there are a disturbingly high number who legit think they are Superman and like to make those claims. Sometimes it fools management in engineering and tech companies, so I can definitely see it fooling a jock who took a gander at making that stationary bike that addressed all the issues they have with all the bikes on the market.


I've seen it from the opposite side.

Management:  "We need you to implement A, B, and C, and we need it done in two weeks because the VP in charge of Bullshiat has promised it to Customer Dumbass".

Programmers:  "We can't do that without skipping a lot of checking and testing".

Management:  "Just get it done, or we'll hire people who will".

I've actually had a marketing person promise I would have something done when I told that person explicitly I wouldn't have it done by that day, not by a long shot.  I think she was trying to pressure me into getting it done on her schedule.   Sucks to be her, making a promise she couldn't keep.

/She's gone now, I'm still here.
 
JasonOfOrillia [TotalFark]
49 minutes ago
I'm the hacker who got your Peloton information.  Here, let me prove it: You haven't used it in a month and you currently have clothing draped over it.
 
Persnickety [TotalFark] [OhFark]
49 minutes ago
Probably wouldn't have been so easily discovered if the API wasn't named getAllUserData()
 
Marcus Aurelius [TotalFark] [OhFark]
48 minutes ago

Rent Party: There is a bizarre attitude in non-technology based companies that code, systems, APIs, and all that it entails is just going to get written by some dude in the basement in a couple of weeks.


I have had to explain APIs to high level executives, and it ain't easy.  Their heads are simply not in a place to process the information.  The smart ones get it, but rely on experts for the nuts and bolts.

The hard part is finding (and hiring) these experts.  I'd say 80% of what is out there is Moe, Larry, and Shemp.  Peloton hired the Three Stooges, which is not surprising.  The Stooges land a lot of deals.  Plus they work cheap.
 
TheDirtyNacho
47 minutes ago
Typical of companies that experience explosive growth. Some leftover bit from when they were new, small and broke and employing 20 year olds to write their stuff gets noticed a couple years later when they have become a much bigger target. I was that 20 year old once. Nobody starts out perfect
 
Marcus Aurelius [TotalFark] [OhFark]
45 minutes ago

Don't Troll Me Bro!: Part of the problem with that last part is caused by programmers. "I can do that in [insert obviously bulls__t short timeline]." My entire career, at every company I've worked, from all experience levels of programmers, there are a disturbingly high number who legit think they are Superman and like to make those claims. Sometimes it fools management in engineering and tech companies, so I can definitely see it fooling a jock who took a gander at making that stationary bike that addressed all the issues they have with all the bikes on the market.


If you want to go to root causes, blame management for insisting on knowing how long a software project will take to complete.  Answering that question is often harder than just writing and testing the software.
 
Rent Party
31 minutes ago

durbnpoisn: Rent Party: If you are dealing with technology from a company whose core business is not technology, you should just assume the technology is crap.  Say, for example, you deal with a company that sells really expensive stationary bikes that have all kinds of features like "storing stuff in the cloud"; you should just assume that "storing in the cloud" equates to "probably isn't going to last long and while it does will be available to anyone that cares to look for it."

There is a bizarre attitude in non-technology based companies that code, systems, APIs, and all that it entails is just going to get written by some dude in the basement in a couple of weeks.

But isn't that why such companies normally hire an outside firm to produce such software?  You know, a company that knows the security and best practices for this sort of thing...

I would think that it was pretty impractical to hire a bunch of nerds to build it in-house completely.


If you mean "contracted a company that completely underbid the job, and wasn't going to pay for the quality anyway, so it got built by some off shore salt mine" then yes, that is what happens.

Your average manufacturing C-level executive just says "Hand it to IT" and the guy that manages the AD server ends up building it.
 
jokerscrowbar
31 minutes ago
https://www.bbc.co.uk/news/business-56993894

If you were dumb enough to buy one then you have 26 minutes to send it back.
 
Rent Party
28 minutes ago

Marcus Aurelius: Rent Party: There is a bizarre attitude in non-technology based companies that code, systems, APIs, and all that it entails is just going to get written by some dude in the basement in a couple of weeks.

I have had to explain APIs to high level executives, and it ain't easy.  Their heads are simply not in a place to process the information.  The smart ones get it, but rely on experts for the nuts and bolts.

The hard part is finding (and hiring) these experts.  I'd say 80% of what is out there is Moe, Larry, and Shemp.  Peloton hired the Three Stooges, which is not surprising.  The Stooges land a lot of deals.  Plus they work cheap.


Yep.  Companies don't like to pay for architecture.  It is viewed as some elaborate expense.   They never realize the cost of not having any until after their off-shore contractor packs up and leaves when the funding comes out.

I just had a discussion with my management about the foolishness of offering a perpetual software license for our hosted services.  "Who is going to pay for that environment in perpetuity?  Us?"

*blank stares*
 
Rent Party
25 minutes ago

RTOGUY: Having seen several furnaces and AC compressors fried from Nest thermostats, I don't think IoT gadgets are given any thought beyond "how can we take something that works perfectly well, fark it up and add WiFi".


Holy shiat no kidding?  I have a Nest thermostat waiting at home to be installed.

What is the issue with them?
 
steklo [TotalFark]
16 minutes ago
I watch a lot of TV. A lot. Sometimes I take the time out to really examine some of these commercials for products like this. Exercise equipment is a big favorite...Funny, ya never, not once see a fat person using one.

One would imagine, it's their primary target audience. Yeah, I know it's a marketing ploy, show the thin, in-shape people on them...

but still...
