posted by Fnord666 on Tuesday September 15 2020, @05:36AM   Printer-friendly
from the privacy dept.

https://arstechnica.com/information-technology/2020/09/100000-razer-users-data-leaked-due-to-misconf

In August, security researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers' PII (Personal Identifiable Information).

The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you'd expect to see from a credit card transaction, although not the credit card numbers themselves. The Elasticsearch cluster was not only exposed to the public, it was indexed by public search engines.

Link to the tweet from the security researcher.

[...] One of the things Razer is well-known for—aside from their hardware itself—is requiring a cloud login for just about anything related to that hardware.

[...] Over the last year, Razer awarded a single HackerOne user, s3cr3tsdn, 28 separate bounties.

We applaud Razer for offering and paying bug bounties, of course, but it's difficult to forget that those vulnerabilities wouldn't have been there (and globally exploitable), if Razer hadn't tied their device functionality so thoroughly to the cloud in the first place.

Reap those cloud benefits.
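The misconfiguration pattern in the story, an Elasticsearch node bound to a public interface with no authentication in front of it, is easy to catch before deployment by auditing the node's configuration. The following is an added example (not code from the article, from Razer, or from the Elasticsearch project) that parses the flat `key: value` lines of an `elasticsearch.yml` and reports the two settings a defender cares about most: `network.host` (which interfaces the HTTP API listens on) and `xpack.security.enabled` / `xpack.security.http.ssl.enabled`. The sample configurations are constructed, the line parser is a deliberately minimal helper rather than a real YAML parser, and the defaults assumed (loopback bind, security off unless explicitly enabled) are those of the Elasticsearch 7.x line that was current in 2020.

```python
"""Audit an elasticsearch.yml for the 'publicly reachable, no auth' pattern.

Added example; constructed sample configs; assumes Elasticsearch 7.x defaults
(network.host defaults to loopback, xpack.security.enabled defaults to false).
"""

import ipaddress

# network.host values that keep the HTTP API reachable only from the node itself.
LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Parse simple 'key: value' lines; comments and blanks are skipped.

    Hypothetical helper: elasticsearch.yml is normally flat, so nested YAML
    is deliberately not handled here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_loopback(host):
    """True if the bind address only reaches the local machine."""
    if host in LOOPBACK_VALUES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Special values such as _site_ or _global_ bind to routable interfaces.
        return False


def as_bool(value, default):
    """Interpret a YAML-ish boolean string, falling back to the documented default."""
    if value is None:
        return default
    return value.lower() == "true"


def audit(settings):
    """Return a list of human-readable findings for one node configuration."""
    findings = []
    host = settings.get("network.host", "_local_")
    security = as_bool(settings.get("xpack.security.enabled"), default=False)
    http_tls = as_bool(settings.get("xpack.security.http.ssl.enabled"), default=False)

    exposed = not is_loopback(host)
    if exposed and not security:
        findings.append(
            "HTTP API bound to %s with authentication disabled: "
            "anyone who can reach port 9200 can read every index" % host
        )
    if exposed and security and not http_tls:
        findings.append(
            "authentication enabled but HTTP TLS disabled: "
            "credentials and documents travel in cleartext"
        )
    return findings


# Constructed sample: the shape of config that produces a leak like the one reported.
EXPOSED_CONFIG = """
cluster.name: orders
network.host: 0.0.0.0      # listens on every interface
http.port: 9200
"""

# Constructed sample: still reachable from other hosts, but authenticated and encrypted.
HARDENED_CONFIG = """
cluster.name: orders
network.host: _site_
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(text)) or ["no findings"])
```

Running the block prints one finding for the exposed sample and none for the hardened one. A node that passes this audit can still leak through a reverse proxy or a cloud security group that forwards port 9200 unauthenticated, so the configuration check belongs alongside an external reachability check, not in place of one.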


  • (Score: 1) by fustakrakich on Tuesday September 15 2020, @05:54AM

    by fustakrakich (6150) on Tuesday September 15 2020, @05:54AM (#1051162) Journal

    that hasn't been said a million times

    Just thought I'd say that.

    If there is something new, I would love to hear it

    --
Politics and criminals are the same thing..
  • (Score: 4, Insightful) by Spamalope on Tuesday September 15 2020, @06:00AM (1 child)

    by Spamalope (5233) on Tuesday September 15 2020, @06:00AM (#1051163) Homepage

    Are you kidding me?!? Yeah... no... not happening...
    They've been on my vendor of last resort list over that since they started...

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday September 15 2020, @02:29PM

      by Anonymous Coward on Tuesday September 15 2020, @02:29PM (#1051301)

      Very true that. Years ago, I bought a Razer mechanical keyboard. I did not know that to do anything with those key light settings, I needed to be online and logged in. I felt so disappointed for something that basic, which I had seen in other keyboards be done with simple simultaneous key press combinations. I only logged in once, changed the setting I wanted, and it has been like that ever since. A few friends since then wanted to buy gaming keyboards as well. On my advice they didn't get a Razer but went for some HP ones. Just as good, half the price, no online needs, simple classic keypress combinations.
      Yea, stay away from anything Razer. It is not worth the money and perfect alternatives exist, simpler and less intrusive and imposing.

  • (Score: 3, Insightful) by Anonymous Coward on Tuesday September 15 2020, @07:17AM (6 children)

    by Anonymous Coward on Tuesday September 15 2020, @07:17AM (#1051176)

    The corporate world is addicted to the cloud. It ensures their resources are controlled by their host, or their hacker, but never themselves. And they won't realize how dangerous it is for them until it's impractical for them to have any real control over their IT.

    Unfortunately that means private citizens will in most cases be similarly screwed, unless it starts becoming commonplace to use a Raspberry Pi as a desktop.

    • (Score: 2, Interesting) by shrewdsheep on Tuesday September 15 2020, @09:16AM (4 children)

      by shrewdsheep (5215) on Tuesday September 15 2020, @09:16AM (#1051186)

      The corporate world is addicted to the cloud.

      That's true. However, I think it is not pure ignorance. Rather it is convenience in terms of blame-shifting and covering incompetence by another layer of indirection. Data leaks in the cloud are everyday news and largely ignored. If the fault is with servers of a specific company that is more serious. The incompetence part is that owning the hardware and running it yourself is cheaper, if you are competent. If you are incompetent, however, you buy the wrong hardware, hire an incompetent and expensive sysadmin and end up with something insecure and barely working. Such errors are much more easily corrected in a cloud solution.

      • (Score: 2) by EEMac on Tuesday September 15 2020, @03:09PM (3 children)

        by EEMac (6423) on Tuesday September 15 2020, @03:09PM (#1051332)

        If it's in the cloud, you can have someone else manage it. When it gets hacked, it's their fault, not yours.

        • (Score: 2) by c0lo on Tuesday September 15 2020, @03:53PM (2 children)

          by c0lo (156) Subscriber Badge on Tuesday September 15 2020, @03:53PM (#1051351) Journal

          When it gets hacked, it's their fault, not yours.

          The damage is yours, tho'. And good luck getting back anything from cloud operators with deep pockets to pay for their lawyers.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 3, Insightful) by Runaway1956 on Tuesday September 15 2020, @05:42PM (1 child)

            by Runaway1956 (2926) Subscriber Badge on Tuesday September 15 2020, @05:42PM (#1051395) Journal

            Is the damage yours, though? The corporate practice of capitalizing profits and socializing risk ensures that the risk is shared by everyone, except the corporation. Spread the liability, spread the risk to include government, vendors, and customers so that CEO bonuses are never threatened.

            • (Score: 3, Insightful) by c0lo on Wednesday September 16 2020, @12:22AM

              by c0lo (156) Subscriber Badge on Wednesday September 16 2020, @12:22AM (#1051495) Journal

              Is the damage yours, though?

              Absolutely. The actual and immediate damage is yours.

              The corporate practice of capitalizing profits and socializing risk ensures that the risk is shared by everyone, except the corporation.

              What is different in the range between a mom-and-pops shop and a big corporation are:
              1. the ability to absorb the shock of this damage and survive. A small privately owned company will go immediately under
              2. the time/effort required to get to the business as usual state. Small companies that survive will get over with extra money from loans (and the rat race is on for another 20 years or so). Corps? Most of the time is "Meh, shit happens"
              3. the means used to recoup the losses. From honest extra work and spitting blood (for small companies) to layoffs, screwing the customers and suppliers, and then "too big to fail" govt money.

              Anything in these ranges is gonna happen.

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 3, Interesting) by c0lo on Tuesday September 15 2020, @03:49PM

      by c0lo (156) Subscriber Badge on Tuesday September 15 2020, @03:49PM (#1051346) Journal

      And they won't realize how dangerous it is for them until it's impractical for them to have any real control over their IT.

      1. there's no guarantee that having control over their IT will improve security
      2. until relatively recently, the cost of a security breach was minor, at best only a hit in reputation. With ransomware on the rise, it's only a matter of time before the insurance premiums start biting hard enough for all - even if not yet victims - to notice.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 3, Touché) by The Mighty Buzzard on Tuesday September 15 2020, @11:02AM

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday September 15 2020, @11:02AM (#1051208) Homepage Journal

    Linux FTW. FOSS driver written by third parties means no annoying personal info grabbing just to use my macro keys.

    --
    My rights don't end where your fear begins.
  • (Score: 3, Touché) by looorg on Tuesday September 15 2020, @12:13PM (7 children)

    by looorg (578) on Tuesday September 15 2020, @12:13PM (#1051224)

    People actually register their hardware with the creator? I know the information comes in the boxes when I buy it but it never actually occurred to me that people actually took the time to register them or fill out those "warranty" cards etc. Razer previously mainly made mice, keyboards and headphones etc. What the hell do you need cloud access for with those devices? Perhaps they started making other things that actually somehow for some reason require access to the net but I can't really imagine why. Is this something they require now to push updates? Otherwise it's just a source for more commercials and if you sign up for that you are an idiot and deserve to be leaked out into the cloud.

    • (Score: 2) by ElizabethGreene on Tuesday September 15 2020, @02:21PM (1 child)

      by ElizabethGreene (6748) Subscriber Badge on Tuesday September 15 2020, @02:21PM (#1051291) Journal

      If you get one of the clicky-clicky light-up keyboards then the app that changes the light patterns and hotkeys requires a cloud login. When I found out I told my son to return the keyboard because that was BS, but he chose not to.

      • (Score: -1, Flamebait) by Anonymous Coward on Tuesday September 15 2020, @06:29PM

        by Anonymous Coward on Tuesday September 15 2020, @06:29PM (#1051406)

        that's too bad. maybe talking to him about self respect, not being a whore, the lifelong impact of these (seemingly) little compromises (i mean, if you won't stand up for yourself with such low stakes what will happen when it's something important?) and what it will do to his self esteem and integrity, etc. and then ask him what he is going to do about it? Will he be a man or a mouse? Does he consider himself a coward? would he like to turn into one? because that's what happens when you cop out on little shit after a while. you turn into a sycophantic coward. You'd be surprised how well reasoning with them and letting them decide works.

    • (Score: 5, Informative) by EvilSS on Tuesday September 15 2020, @03:16PM (2 children)

      by EvilSS (1456) Subscriber Badge on Tuesday September 15 2020, @03:16PM (#1051336)
      You have to, otherwise the customization software that controls the hardware won't work. So macro keys, profiles, mouse DPI, lighting, firmware updates, etc. It's stupid and one of the reasons I stopped using Razer (the other being that I own nothing from Razer that did not break in some way after a year or so).
      • (Score: 2) by looorg on Tuesday September 15 2020, @05:12PM (1 child)

        by looorg (578) on Tuesday September 15 2020, @05:12PM (#1051383)

        Weird. The last keyboard and mouse I bought was Steelseries, it was just the one that looked and felt least sucky and did what I wanted -- a comfy mouse and a mechanical keyboard with the right feel and pressure. But they also have a lot of that crap with lights and god knows what else. But their software doesn't require you to register in the cloud, you can if you like to but you don't have to for the software to work. That said it is still kinda stupid that I have to run that software in the background to TURN OFF the light in the mouse, cause apparently being ON is the default value. But then at the same time I just disabled all the other weird mouse functions like extra buttons all over and movement-pattern-events (or whatever it's called). So I have to run the software to turn things off that shouldn't be on in the first place. The keyboard has no such issues at all. I know the software tries to call home every now and then to check for updates and stuff but those are not permitted to talk to anything outside my network so it is for naught on their part.

        • (Score: 2) by EvilSS on Tuesday September 15 2020, @08:31PM

          by EvilSS (1456) Subscriber Badge on Tuesday September 15 2020, @08:31PM (#1051440)
          Yea Razer is one of the only ones I know doing it (or at least from stuff I've used lately). NVidia does it with their GeForce Experience software but that's more of an annoyance since it's really only useful for driver updates (that you can still get from the website).
    • (Score: 0) by Anonymous Coward on Tuesday September 15 2020, @05:26PM

      by Anonymous Coward on Tuesday September 15 2020, @05:26PM (#1051390)

      [...] Razer previously mainly made mice, keyboards and headphones etc. What the hell do you need cloud access for with those devices? [...]

      Fishing expeditions and witch-hunts. The US-ian government has a burgeoning obsession with hunting down and destroying presumptive 'social offender' suspects.

    • (Score: 0) by Anonymous Coward on Thursday September 17 2020, @11:37AM

      by Anonymous Coward on Thursday September 17 2020, @11:37AM (#1052135)

      Razer previously mainly made mice, keyboards and headphones etc. What the hell do you need cloud access for with those devices?

      Well keyboards are often used to type passwords and other sensitive information.

      "Cloud access" makes it easier to get those passwords and figure out where to use them.

  • (Score: 3, Insightful) by ElizabethGreene on Tuesday September 15 2020, @02:16PM

    by ElizabethGreene (6748) Subscriber Badge on Tuesday September 15 2020, @02:16PM (#1051283) Journal

    This is a clear demonstration of why it is dumb to require a cloud login to change the LED pattern and hotkey layout on a keyboard.
