[Updated 02-13-20] Data leak 12-26-2019

Regarding @UserCustomerGwen > THERE CAN BE ONLY ONE!

WyzeGwendolyn posted the number of clones.
/edit - I thought it was here, but it could have been on Fbook, Reddit, or some other forum.
IT WAS A JOKE, those people need a holiday.

So in the former, com.hualai, the ‘com’ refers to an executable program file (like exe)?

And in the latter, hualai.com, the ‘com’ refers to an internet address domain, (short for ‘commercial’)?

BTW, I am not pretending to be dense… it’s genuine. :slight_smile:

com.hualai is the (internal code) name assigned by Android to the Wyze app. hualai.com is a computer currently somewhere in Taiwan.

2 Likes

com.hualai is a common naming convention for packages used in various languages / services etc…

for example in the android client there is a module name com.hualai.http which deals with http requests in the app… when users have to “register” an app in the playstore etc, you have to give it a “name” / “id” / Key etc. and the common convention is to reverse the “domain” and go with “com.hualai” as they wrote the original app.

2 Likes

Speaking of non-alarmist, I thought developer Alexey’s assessment was interesting:

…as was mailmeoffer’s from earlier in this topic:

1 Like

I’m pretty sure all the users who aren’t on this forum or in the Wyze Facebook group would disagree since they haven’t been notified at all by Wyze.

2 Likes

Software /database engineers should NEVER have access to production servers!!! Even replicating the data on a live production server must be done with extreme caution.

Blaming an employee is not good enough, but rather setting up proper development infrastructure and release processes is key.

It is clear to me that Wyze needs to hire some experienced IT managers.

1 Like

Listen, I’m nothing but supportive of Wyze, but you speak the truth. In DevOps, developers should have ZERO access to production, as that is the forte of the Operations team.

2 Likes

I think @UserCustomerGwen is really some kind of super AI computer that generates cohesive, intelligent answers to WYZE users everywhere. I mean, literally, everywhere … here, multiple Facebook forums, Reddit. No way one person could keep up with all that!

In the next iteration of @UserCustomerGwen, the responses will just be beamed into our brains as soon as we think of a question or a concern, without us even posting anywhere.

7 Likes

AI? I doubt it. Just look at the Xnor.ai fiasco :grin:

4 Likes

And who said this issue was created by a developer? Secondly, those statements are not based on reality… with over 30 years of Software / Ops / Security experience I can personally give hundreds of reasons why they can, should and do have access.

2 Likes

I agree. But, we don’t know if they had access to the live server, do we?

This dataset could have just been used for developers to run tests on, or debug issues without the use of running it on the live server. Either way, someone left that open, and that is a no no.

I myself am a software developer. This maybe off topic, but, how do you debug production specific issues without access to a snapshot of the live database?

Let the beta testers do it? :grin:

Hi dieter

What would distinguish “blaming” from “accurately designating?” Steps two and three?

That is, if an employee IS objectively the cause, then stating that fact would be step one.

Step two would be accepting the blame - the employee was operating within the environment we provided them.

Step three would be pledging remediation and verification of improvement.

1 Like

Ah, good point - no one said the employee was a Dev.

Yeah, I hear you and I’m as aware of the practicality of the situation - Devs with zero access is a utopia found almost nowhere.

Most places I’ve been have a CICD pipeline with multiple enviros DEV > QA > UAT > PROD, and in those experiences, Devs have wide open access to DEV, which decreases up the pipeline, with ZERO direct access to PROD; sure - they can do stuff there, but under the watchful eyes of the Ops folks, as Devs’ creds are not permissioned access.

Meanwhile, Ops folks have ZERO access to DEV, and their access rights increase up the pipeline towards PROD.

Admittedly, the lesser environments have copies of PROD data - as it’s the best data to work with - though it increases the risk footprint, thereby requiring PROD level protections to all datasets in the pipeline.

EDIT: Also NEXT & HOTFIX enviros. But there are many ways to configure your CICD pipeline.
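The DEV > QA > UAT > PROD access model described in the post above, written out as a small policy-as-code check (an added illustration, not anything from Wyze or from the poster). It assumes the middle tiers (QA, UAT) are read-only for both roles, and that a dataset copied from PROD must carry PROD-level protections wherever it sits; the sample requests are constructed.

```python
"""Policy check for a DEV > QA > UAT > PROD pipeline (added example)."""
from dataclasses import dataclass

ENVS = ["DEV", "QA", "UAT", "PROD"]  # pipeline order, least to most sensitive


def allowed_level(role: str, env: str) -> str:
    """Access level a role gets in an environment.
    Devs: full in DEV, read-only in QA/UAT, none in PROD (assumed tiers).
    Ops: none in DEV, read-only in QA/UAT, full in PROD."""
    idx = ENVS.index(env)
    if role == "dev":
        return ["full", "read", "read", "none"][idx]
    if role == "ops":
        return ["none", "read", "read", "full"][idx]
    return "none"  # unknown roles get nothing


@dataclass
class Request:
    user: str
    role: str
    env: str
    action: str            # "read" or "write"
    holds_prod_data: bool  # is the dataset a copy of PROD data?
    prod_controls: bool    # are PROD-level protections applied to it?


def check(req: Request) -> list:
    """Return policy findings for one access request (empty list if clean)."""
    findings = []
    level = allowed_level(req.role, req.env)
    need = "full" if req.action == "write" else "read"
    if level == "none" or (need == "full" and level != "full"):
        findings.append(f"{req.user} ({req.role}) may not {req.action} in {req.env}")
    if req.holds_prod_data and not req.prod_controls:
        findings.append(f"{req.env} holds PROD data without PROD-level protections")
    return findings


def audit(requests) -> list:
    """Run every request through the policy and collect all findings."""
    return [f for r in requests for f in check(r)]


SAMPLE = [  # constructed requests, not real access logs
    Request("dev1", "dev", "DEV", "write", False, False),  # ok: devs own DEV
    Request("dev1", "dev", "QA", "read", True, True),      # ok: protected PROD copy
    Request("dev1", "dev", "PROD", "read", True, True),    # finding: dev in PROD
    Request("ops1", "ops", "DEV", "read", False, False),   # finding: ops in DEV
    Request("ops1", "ops", "PROD", "write", True, True),   # ok: ops own PROD
    Request("dev2", "dev", "UAT", "read", True, False),    # finding: unprotected copy
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```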

BA/QA/UAT testers.

I know that, I’m in the field, too. It’s just a forum joke that Wyze test group are the beta testers.

1 Like

Oh boy! I do hope they’ve got some in-house QA going on! :rofl: