Honeypot.net Profile Photo

Honeypot.net

Extracting chaos from order

amazon

    An Amazon seller tried to bribe me

    I bought a suitcase from Amazon, partly because of its good reviews.

    The suitcase

    The suitcase is alright. It’s not the best I’ve ever seen, but the price was decent and it seems like it should last a while. A couple of weeks later, I got a postcard from the seller offering a bribe. If I sent them proof that I posted a 5-star review, they’d pay me $15.

    Front of the suitcase postcard Back of the suitcase postcard

    I followed Amazon’s instructions to report the bribe. No response. I left a review of the suitcase stating that the seller had offered to pay me for a good review. That action did earn a response from Amazon: they deleted it.

    Amazon's response to my review

    If I can’t talk about it on Amazon, I’ll talk about it here. Amazon doesn’t seem to care if sellers are paying for good reviews. They don’t want you talking about it, though. The takeaway is that Amazon’s reviews aren’t trustworthy. If that seller tried to bribe me, they surely paid other customers for their good ratings.

    You can do better, Amazon. Your product ratings are a big part of why people buy things from you. If we know they’re literally paid ads, we’d be better off taking our business elsewhere.

    Updated 2023-12-26

    Same with a travel steamer:

    Front of the steamer postcard Back of the steamer postcard

    An acquaintance suggested writing the review, cashing in the reward, then updating the review with my genuine thoughts. That’s tempting. I don’t blame anyone who does that. I don’t want a sketchy vendor to be able to say that they’ve paid me for reviews, though.

    Surprise eero hardware end-of-life

    Amazon is ending software support for 1st generation eero devices at the end of September 2022. That’s fine. You can’t support old hardware forever, and five years is a decent run.

    But it’s not OK that I got less than a month’s notice that it was happening, and no email or app notifications. I happened to open the eero app for unrelated reasons and saw a banner telling me my hardware will be obsolete later this month. That’s unacceptably short notice that the hardware is all but dead. Sure, it may keep working for a while, but without security updates or routine bug fixes, it’s not anything I’d want to depend on. If I’d received any other notice whatsoever, I would have been investigating hardware upgrades, reading the various sale emails they’d sent me, and otherwise preparing for the day. Now I have to scramble to fix something that I didn’t know needed fixed, and I don’t appreciate it.

    To the folks at eero: this is a managed system. You have my contact information and know what hardware I’m using. This would have been an excellent opportunity for you to let me know about this a few months ago. You could have suggested appropriate hardware upgrades and turned it into a sales opportunity. As your customer, I would have liked that.

    eero death notice

    Tripping on a Cracked Sidewalk

    Amazon Sidewalk is a new project which allows Amazon devices (like Alexa, Ring doorbells, etc.) with different owners to share their Internet connections. In short, your Alexa talks to your neighbor’s Alexa. If your Internet connection goes down, your neighbor’s device will relay messages for your device so that it can keep working. Similarly, if your Ring doorbell is closer to your neighbor’s Alexa than to your own WiFi router, it can send alerts to you through their Alexa.

    This is a terrible idea.

    This means that a device on your home network — a device you bought and paid for yourself — is letting other devices you don’t control borrow your Internet connection. Amazon claims to have designed this as a secure system, but people in infosec know that a new security protocol written and implemented by a single company is going to be a mess. When (not if, but when) an attacker finds a flaw in the Sidewalk protocol or the devices it runs on, 2 terrible scenarios seem likely to happen:

    • However good and strong your WiFi password is, if an attacker can access your neighbor’s network, they can hack your neighbor’s Alexa and then use it to gain access to your own wireless network.
    • A braver attacker could sit outside your house with a hacked Alexa, or an app on their laptop that acts like one, and use it to connect to your Ring doorbell and then attack the other computers on your network.

    If you have any Amazon devices, I strongly recommend you follow their instructions to turn off Sidewalk immediately. Because Amazon plans to turn this on for everyone who hasn’t explicitly asked them not to, if you don’t follow those instructions, you’ll be allowing people near your home to use your WiFi. Some owners have claimed that they turned off Sidewalk but that it turned itself back on after a software update. If this happens in my home, I will literally throw our Alexas out in the trash.

    Amazon Sidewalk is a solution without a problem. Turn it off. This is a potential disaster in the making.