
Security researcher gets threats over Amazon review - kw71
https://techcrunch.com/2016/07/01/security-researcher-gets-threats-over-amazon-review/
======
Magnets
Sounds like the classic excuses you get from Chinese sellers, they say their
boss will punish them if you've left a bad review, aliexpress will punish
their store, company will close etc.

It's no problem though, they can just keep sending out free review units to
get their 4 and 5 star reviews. 2 verified purchases from 11 reviews, and one
of those got it for free or heavily discounted "The AuYou Power Socket arrived
very fast & was packaged well. I received it for an honest & unbiased review"

That is what's really killing Amazon reviews, free products in exchange for
5-star reviews.

~~~
UnoriginalGuy
What is interesting is that Amazon had the "Amazon Vine" Program which clearly
listed that people received the product for free (or at a discount). But for
whatever reason that has fallen out of fashion, and now manufacturers recruit
outside to get unmarked reviews which sometimes don't list the potential
conflict of interests.

I wonder if this behaviour violates FTC's rules[0], I know it was a big thing
on YouTube (YT channels failing to disclose financial incentives/conflicts of
interests).

[0] [https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-endorsement-guides-what-people-are-asking](https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-endorsement-guides-what-people-are-asking)

~~~
tamana
Is Vine discontinued? My buddy still does it, at least until recently

~~~
bayamos
A lot of participants quit a year ago when Amazon began issuing 1099s so
participants would pay tax on goods received.

------
jswny
To me this seems like an odd tactic to use as the manufacturer. Did the boss
just pick some random employee and decide that one guy had to get the review
taken down otherwise he was fired? Also, I'm inclined to believe that this
isn't the case because I also don't believe that those "other reviewers"
actually complained about his review. Why would anyone else care that he left
a truthful review about the product? If anything, they would be glad that he
pointed out such glaring flaws with the product that could potentially damage
things plugged into this product.

I'll say one more thing, I hope that he contacted the company directly. It's
great that he left this review for others so that they would know how insecure
this device is, but I think it's important that he also contact the company
directly so that he can help solve the problem. Leaving a bad Amazon review
isn't exactly the best way to report a dangerous security flaw in something if
you want it to get fixed. Although, it seems like this company isn't one to
fix such things anyway ¯\_(ツ)_/¯

~~~
nostromo
Dollars to donuts, there is no employee. It's the manufacturer writing him and
concocting a story.

~~~
stcredzero
It ought to be criminal, the way it's approaching a found security flaw. The
sort of review shenanigans they're pulling should be criminal as well.

Company is revealed to be completely incompetent with regards to security. So
their reaction is to harangue and pressure the reviewer instead of fixing the
problem.

~~~
nommm-nommm
Sounds like the company is Chinese though.

------
dietrichepp
Sounds like a classic abusive boyfriend. "You pointed out security flaws? Look
what you _made me_ do. You _made me_ fire these workers."

~~~
ddoolin
Or just, you know, abusive partner.

~~~
criley2
Or just you know, an abusive person.

------
bitshiffed
Previous discussion here:
[https://news.ycombinator.com/item?id=12012977](https://news.ycombinator.com/item?id=12012977)

------
electic
If they just had fixed the flaws I am sure the researcher would have updated
his review to highlight the efforts of the manufacturer. Instead, all the
manufacturer did here is create a Streisand Effect for their shitty product.

------
r00fus
Of note, from the amazon review: "But before we get to that: I received this
product at a discount in return for writing an honest review of it. Onwards!"

Could that have anything to do with the manufacturer's attitude?

~~~
maxerickson
I sort of wonder if Amazon is the entity providing the discount.

(I spent a minute trying to figure it out and didn't find anything)

~~~
mmanfrin
Nope, there's a cottage industry of review-for-discount sites that give people
discounts/free items in exchange for reviews, but _wink wink_ don't feel
_obligated_ to give it 5 stars.

~~~
ohjeez
No winking is necessary.

Back when I was among the Top Amazon Reviewers, I'd regularly be asked to
review products and (especially) books (primarily those that were self
published). I rarely said yes, but when I did I treated them exactly the same
as I would for a product I'd bought myself. That included 1- and 2-star
reviews... though usually I tried to weed out the crap before saying Yes to
such an offer.

The cost really never influenced me. I can afford a $10 novel that I'm
interested in. So if you give me that book for free, it's no big deal.

In point of fact I learned to say No to most such offers. Usually novels are
self-published only when the author cannot find a traditional publisher. And
the traditional publishers usually refuse the book for a good reason. I don't
want to waste my time reading crap.... not when there are so many good books
to read instead.

Also, the self-published authors really didn't like it when I gave their books
less than 5 stars, and magically the review would be downvoted -- as well as
the last three unrelated items I'd reviewed. Presumably those neginators were
from the author's friends and family. So I just said No, and moved on to books
from authors I was sure I'd like.

~~~
Peretus
I can second this.

I design, import, and sell products on Amazon, and when launching a new
product I offer them for free or at a deeply discounted price to people who
agree to provide an honest review. From my experience, across hundreds of
transactions, I can say that reviews that are solicited with free or
discounted products are _much_ tougher than those received organically. Most
people participating in these review groups are so concerned about being
viewed as biased that they move far, far in the other direction. If your
product can earn decent ratings with incentivized reviews, you'll do very well
with organic reviews.

~~~
lawnchair_larry
This is deceptive and you should stop doing it.

~~~
Peretus
Would you mind describing what part of this is deceptive?

Amazon offers its own product-to-review system called Vine that is invite-only.
Not all sellers can participate in the Vine program as it's available to
Vendor Central sellers, meaning that Amazon purchases the products directly
and lists them as 'ships from and sold by Amazon'.

[https://www.amazon.com/gp/vine/help](https://www.amazon.com/gp/vine/help)

Additionally, on each review, the reviewer is required to explain that they
received the product in exchange for a review.

How would you recommend getting reviews for a product, apart from offering
them at a discount?

Edit: Added link to Vine FAQ

------
phasmantistes
I'm not sure if I'm more scared of a company that makes horridly insecure
devices and then tells its employees "do everything you can, be as
manipulative as you can, but get this review taken down", or if I'm more
scared of a company that actually tells its employees "I will fire you if you
don't get this review taken down".

~~~
pmiller2
Aren't those things roughly equivalent to the average worker?

~~~
phasmantistes
I guess I meant the former in terms of it simply being the worker's job to get
the review taken down. No actual threat of being fired at all, but the company
has given their implicit (or worse, explicit) 'ok' for using that threat as a
manipulation tactic.

Both are forms of moral bankruptcy, I was just curious whether the seemingly
desperate employee was a victim or a player.

------
kiba
The job of one employee versus potentially a thousand to a hundred thousand
customers' security being compromised?

------
mannykannot
The threat of being reported to Amazon isn't very threatening, and I was going
to chide TechCrunch for being alarmist, but as I began to compose my post, I
realized I couldn't come up with a good alternative word in this case, and
skimming some online thesauri hasn't helped. Any suggestions? The thing is, if
the company had followed through on its threat, the resulting headline would
be much less attention-grabbing.

I am assuming the employee-gets-fired threat is not plausible.

~~~
ikeboy
Harassed?

~~~
mannykannot
Definitely an improvement. I also like Stavrosk's 'hassled'.

------
azinman2
The article incorrectly states the risk. If the relay is not solid state, or
depending on what is connected to the outlet (I have a 1.7kw espresso machine
on my wemo), rapidly switching on and off could easily cause a fire.

------
Paul_S
Clearly I've been very naive but I had no idea people made a living writing
fake reviews: [https://www.amazon.com/AuYou-Switch-Wireless-Electronics-Anywhere/product-reviews/B01FZ0WP02/ref=cm_cr_arp_d_hist_4?filterByStar=four_star&pageNumber=1](https://www.amazon.com/AuYou-Switch-Wireless-Electronics-Anywhere/product-reviews/B01FZ0WP02/ref=cm_cr_arp_d_hist_4?filterByStar=four_star&pageNumber=1)
What is the point of this? I assume they're after the star rating since anyone
who actually reads the review text will know it's bogus.

Wouldn't it be in Amazon's interest to shadowban these accounts?

------
davidgerard
I'm sure trying that on Matthew Garrett will work out _just fine_ for them.

------
wai1234
How is this a 'threat'?

~~~
int_handler
> The representative then said that she would report Garrett to Amazon if he
> didn’t take down the review, and that other Amazon reviewers had written in
> to complain about it.

~~~
wai1234
Not exactly terrifying.

~~~
int_handler
That part, I agree with.

------
alwaysdownvoted
"But if you're not home, your phone sends the command to a server in
China,..."

Do any "smart" devices _not_ try to connect to remote servers, automatically,
without asking the user for permission?

Do users care that "smartphones" they carry or other devices they put in their
home automatically connect to remote servers so various companies can collect
data, ..., turn sockets on/off, etc.?

If we do not like this practice and we want to see change for the better, then
maybe we should put our comments in Amazon reviews instead of on HN, security
blogs, etc.

~~~
droopyEyelids
> Do any "smart" devices not try to connect to remote servers, automatically,
> without asking the user for permission?

I believe this is the point of Apple Homekit. And probably whatever Google has
in the works will follow the same path.

Your IoT devices only talk to your Apple TV, and the Apple TV talks to Apple
which provides the cloud-connected app on your phone.

That way the million IoT vendors shouldn't have to worry about security as
much, because their devices are behind your NAT and communicated with through
Apple's security.

------
HillaryBriss
I will continue to ignore Amazon product reviews.

~~~
pilsetnieks
Unfortunately, you cannot. Unless you're searching for a known product or
brand, it's the review scores that will affect what results you'll get.

------
Girlang
If the product functioned, but had a security flaw like that (which doesn't
reveal personal information, etc, just could allow someone else to turn your
item on or off), I would have given it two stars. It is functional, and for
some use-cases it could work (i.e., blocked from the outside Internet). One
star would be if it didn't work, or opened a back door from your home network
to China.

Still, he shouldn't cave in. The 'they'll fire me' story probably isn't true!

------
pmyjavec
"The result is that the unique network ID of your socket is transported in an
unencrypted form to the Chinese server"

The use of the word "Chinese" in this article is amusing.

Is it really important or necessary? Would it be preferable if the data was
sent to a US server?

~~~
nostromo
If you're a US citizen, you would be a bit better off if it was a US server,
because the records from the server would be available to the US court system.
This is helpful if a customer ends up suing the company, or if there is a
security breach that is investigated by US-based law enforcement.

I agree, the inclusion does hint at Sinophobia. But it's also a valid detail
for security conscious customers to consider.

~~~
navbaker
Why is it "Sinophobia" to state a fact about where the server is located?

~~~
mmanfrin
Because it frames the situation in a certain, coerced way.

~~~
int_handler
I am replying to your other comment here since it is not possible to reply to
that comment for some reason.

I do not think that is a valid comparison. The author did not go out of her
way to point out that the server was located in China. There is no mention of
China in the title, and the only place where the author mentions China is
several paragraphs in explaining how and where the data is transmitted. There
are more mentions of China in this comment than in the entire article.

Finally, for the record, I do not have a verified email associated with this
account and thus do not have the ability to downvote.

~~~
DanBC
> I am replying to your other comment here since it is not possible to reply
> to that comment for some reason.

I think HN applies a rate limiter to comment threads, to help reduce flame
wars.

> Finally, for the record, I do not have a verified email associated with this
> account and thus do not have the ability to downvote.

Accounts get the downvote when they reach a karma threshold. I think that's
currently 500, or maybe 750.

~~~
int_handler
That makes sense. Thanks for the explanation.

