[Updated 02-13-20] Data leak 12-26-2019

Just saw the news of the possible breach.

Do you not have an independent reporting server for running large involved queries? Are you now running any big jobs on production customer facing machines?

Also, your answer to the China question is problematic. Do you send customer data to China? We don't use Alibaba Cloud.

Can you disclose any and all persons or organizations in or having operations in China with whom during 2019 at any point you had a working relationship that necessitated sending user data to them?

Thanks … never reused PWs and their passphrase is very long.

edit: just change it … thanks again.

sign …the newbie.

Make that:

Just saw the news of the possible breach.

Wyze already confirmed it.

I beg to disagree. I have used ES for sensitive data as well and I think ES offers only flexibility and ease of use - it can never be done right with UCI. I know that you can configure ES to do encryption at rest or in transit, but my point is any data store hosting the critical data should never have the private key to decrypt the data. UCI data should always be encrypted at the client side and it should always be a blob of data that the data store never understands but only stores, to provide maximum protection. On the other hand, ES needs to understand the data to be of any use.

For the projects Wyze specified, Wyze should either de-identify the data before loading it in ES or enable streams in Dynamo (since they use AWS, I'm assuming here) to aggregate the data like device deactivations or other user profile data based on updates to their production tables, using the same service that has access to that private key. I don't understand why they have the need for UCI if they only care about business metrics, which can be gathered at an aggregated level.

Ps: I have made edits to my original comment to be more explicit.
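As an added example (not code from the poster or from Wyze) of the de-identify-before-loading approach described above, this Python snippet strips direct identifiers from constructed sample records, replaces the user email with a keyed pseudonym whose HMAC secret stays with the service rather than the analytics store, and then aggregates device deactivations per day; the field names and the key are assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records in a production-table shape (not real Wyze data).
RAW_EVENTS = [
    {"email": "alice@example.com", "ssid": "home-wifi", "device_id": "d-1",
     "event": "device_deactivated", "ts": "2019-12-20T10:00:00Z"},
    {"email": "bob@example.com", "ssid": "bob-net", "device_id": "d-2",
     "event": "device_deactivated", "ts": "2019-12-20T18:30:00Z"},
    {"email": "alice@example.com", "ssid": "home-wifi", "device_id": "d-3",
     "event": "device_deactivated", "ts": "2019-12-21T07:15:00Z"},
    {"email": "alice@example.com", "ssid": "home-wifi", "device_id": "d-1",
     "event": "profile_updated", "ts": "2019-12-21T09:00:00Z"},
]

# Fields that must never be copied into the analytics store (assumed list).
SENSITIVE_FIELDS = {"email", "ssid", "wifi_password", "api_token"}

# Secret held only by the service that owns the production data; the
# analytics store never sees it, so pseudonyms cannot be reversed there.
KEY = b"assumed-service-side-secret"


def pseudonymize(value, key):
    """Keyed hash: stable for joins across records, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(event, key):
    """Drop sensitive fields, add a pseudonymous user reference and a day bucket."""
    safe = {k: v for k, v in event.items() if k not in SENSITIVE_FIELDS}
    safe["user_ref"] = pseudonymize(event["email"], key)
    safe["day"] = event["ts"][:10]
    return safe


def deidentify_all(events, key):
    safe = [deidentify(e, key) for e in events]
    # Guard: refuse to emit anything that still carries a sensitive field.
    if any(SENSITIVE_FIELDS & set(e) for e in safe):
        raise ValueError("sensitive field leaked into analytics records")
    return safe


def deactivations_per_day(events, key):
    """Business metric computed from de-identified records only."""
    return Counter(e["day"] for e in deidentify_all(events, key)
                   if e["event"] == "device_deactivated")
```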

I’m not familiar with ES, but from the context, it must be great for ad hoc queries.

But why didn’t Wyze make it internal access only? From what they say, they were using it for internal research. Or if they have offsite researchers, why didn’t they set up a VPN?

Agreed, I’m never buying another Wyze product . . . for the rest of the year.

2 Likes

wyze really needs to develop this wishlist item and everything associated with:

proper logging
mla/rbac
notifications

I've added another wishlist item pending for approval, as I had some cameras randomly switch off and motion tracking/tagging disabled. I have no idea if another user/guest has had a fat-finger moment and done it, or if it's a bug; the logs sent to support don't appear to capture this information either.

This is basic auditing that should be provided these days, more so if they want to stay away from the “you pay for what you get” label.
It doesn't have to be logged for years; even 2 weeks would be enough, as long as email notifications can be done.

[edit, to add wishlist of logging and notifications etc]

It’s been said before but worth repeating: yes, perhaps many others have your email address and that in itself is not particularly worrisome. However, IF that email address was compromised in a separate data leak, and IF the password was also compromised in that other data leak, and IF you use the same password for Wyze, THEN the bad guys likely have access to your Wyze account.

Therefore, if you have re-used the same password in multiple places (or not used strong passwords), then it is strongly suggested that you change your Wyze password to a strong password that you have NOT used anywhere else.

4 Likes

Shame 2FA won’t work with a UK phone number, as there isn’t space to type a UK phone number.

Thank you. All my passwords are unique. And I changed it anyway.

Having said that, it would be nice to have a definitive yes or no from Wyze on whether our passwords were part of this hack. Also, when explaining some of this stuff, as much as possible, put it in non-tech speak. I for one, even though I am using Blue Iris and OpenVPN, am not very tech oriented when it comes to this stuff.

1 Like

Data that contained user information…

I don’t think you’re alone; most people, including myself, are not technically inclined.
And most, I believe, won’t even reply and will just read on and try their best to pick up what they can.
After reading the members who are extraordinarily tech-savvy professionals, sadly many are reluctant to post here.
I’m learning though … I think age has got to do with it for me. LOL

sign…the newbie.

2 Likes

Those are symptoms of third party RTSP firmware. I’ve never had an issue with those on my cam running the Wyze RTSP firmware.

Here’s another review if you want a second opinion.

1 Like

Hi Newbie! Apologies for contributing to the tech speak. Please don’t be discouraged from asking questions here - everyone (me included) has the opportunity to learn about these things by discussing them, and I’m sure I speak for myself and the few others posting yesterday when I say we’d be happy to answer any questions in an easier-to-understand fashion without all the industry lingo. It was never my intent to discourage anyone from joining in respectful discourse and the opportunity to learn.

5 Likes

First, I haven’t read the 500+ posts before this, so this may have been covered.

I don’t think posting in this forum is the way to go. Wyze needs to immediately email everyone affected by this breach with a detailed explanation of what happened and what data of theirs was breached. Exposing my SSID concerns me.

My Alexa and IFTTT accounts have not required me to relink, so something isn’t right there.

Overall I’m extremely disappointed in how Wyze handled this, and it has me rethinking my relationship. I initially defended the company, but this lack of transparency, by only posting on this forum where hardly any of the users are, is lame.

1 Like

Thus far, Wyze has done an incredible job, having performed initial discovery and confirming a data leak - all within a 24-hour period; they are way ahead of the industry curve here. I’m sure email notifications will be forthcoming.

Regarding your SSID, you have every right to feel violated - but I can assure you that your SSID is a non-issue. Every device (cell phones, etc.) that has ever come within passing distance of your home has observed it. It can’t be used in any meaningful way, though one way you can feel better about it is to change the SSID and/or the password.

1 Like

So what if someone knows your SSID. I can stand outside your house and find it anyway…

Wyze also sent out a message within the app to tell us about a security issue…

Wyze are unable to confirm… They are working on it. At least they told us… How many large companies tell people after months and months… So what if an email address and ssid…

They have not said anything about passwords, so maybe people should read the original post by Wyze.

Three more days. :sunny:

1 Like

Regarding the general user base (i.e. users who own Wyze products but don’t regularly, if ever, visit the forums/social media), what do they know at this point following the confirmation?

I myself never received any emails. The information that I received through the app (attached below) does not indicate exposure of any sort.
Please correct me if I am wrong, but at this point I don’t believe the user base outside the forums knows what happened.

1 Like

The original post by 12Security did not mention passwords and neither did Wyze’s announcement. So I’m confident that passwords were not leaked.

While forum users sometimes tend to get very technical, I think Wyze does a good job in their official announcements of keeping the terminology accessible for the average user.

2 Likes