
Are you denying the existence of an authorised ssh key on each of these beds allowing the holder of the key?

Are you denying there is a config file pointing to a target called remote-connectivity-api.8slp.net?

No, there's not enough evidence to prove in a court of law who has access to the private key, or that the config file is enabling a return ssh connection, but it's pretty damning.

The only thing that's not newsworthy about this is that large amounts of IoT shit does this.




> Are you denying there is a config file pointing to a target called remote-connectivity-api.8slp.net?

Under the path ".ssh.endpoint", too. It's not like it's just a mystery hostname; it clearly has something to do with SSH.

> The only thing that's not newsworthy about this is that large amounts of IOT shit does this.

And - just to be clear - that doesn't mean it shouldn't be reported on! Talking about this stuff, and having concrete, specific examples, is good.
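The two artefacts the comment points at (an authorized_keys entry in the firmware and a config value under a `.ssh.endpoint` path) are exactly what a defender auditing an extracted firmware image should go looking for. The script below is an added example, not code from the thread or from any vendor: it walks an extracted filesystem, parses every `authorized_keys` file, checks that each key blob really decodes to the key type it claims, and reports JSON config values whose dotted path puts an endpoint/host/url under an `ssh` key. The firmware tree, the key bytes and the hostnames (`*.example.invalid`) are all constructed placeholders, and the options-field parsing assumes an options string without embedded spaces.

```python
"""Audit an extracted firmware root for baked-in SSH trust material.

Added example, not from the thread or any vendor. All sample data is
constructed; the key bytes and hostnames are placeholders, not real ones.
"""
import base64
import json
import os
import re
import struct
import tempfile
from dataclasses import dataclass

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_authorized_key_line(key_type, raw_key, comment, options=""):
    """Build a syntactically valid authorized_keys line from constructed key bytes."""
    blob = base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(raw_key)).decode()
    return " ".join(([options] if options else []) + [key_type, blob, comment])


def _blob_matches_type(blob, key_type):
    """True if the base64 blob decodes and its leading string equals key_type."""
    try:
        raw = base64.b64decode(blob, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode() == key_type
    except Exception:  # bad base64, truncated blob, or non-UTF-8 type string
        return False


@dataclass
class AuthorizedKey:
    path: str
    key_type: str
    comment: str
    options: str
    valid_blob: bool


def parse_authorized_keys(path, text):
    """Parse authorized_keys lines; a leading options field without spaces is supported."""
    keys = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        options = ""
        if fields[0] not in KEY_TYPES and len(fields) >= 3 and fields[1] in KEY_TYPES:
            options, fields = fields[0], fields[1:]
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue
        keys.append(AuthorizedKey(path, fields[0], " ".join(fields[2:]), options,
                                  _blob_matches_type(fields[1], fields[0])))
    return keys


def find_ssh_endpoints(obj, prefix=""):
    """Return (dotted_path, value) for strings whose path has an 'ssh' key and ends in endpoint/host/url/server."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            hits += find_ssh_endpoints(v, f"{prefix}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += find_ssh_endpoints(v, f"{prefix}[{i}]")
    elif isinstance(obj, str):
        p = prefix.lower()
        if "ssh" in p and re.search(r"\.(endpoint|host|url|server)$", p):
            hits.append((prefix, obj))
    return hits


def audit_firmware_root(root):
    """Walk an extracted firmware tree and collect authorized keys and SSH endpoint config."""
    report = {"authorized_keys": [], "ssh_endpoints": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name in ("authorized_keys", "authorized_keys2"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    report["authorized_keys"] += parse_authorized_keys(rel, fh.read())
            elif name.endswith(".json"):
                try:
                    with open(full, encoding="utf-8") as fh:
                        data = json.load(fh)
                except (ValueError, OSError):
                    continue  # not parseable JSON; skip rather than guess
                report["ssh_endpoints"] += [(rel, p, v) for p, v in find_ssh_endpoints(data)]
    report["authorized_keys"].sort(key=lambda k: (k.path, k.key_type))
    report["ssh_endpoints"].sort()
    return report


def write_sample_tree():
    """Create a constructed firmware tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="fw-audit-")
    sample = {
        "root/.ssh/authorized_keys": "\n".join([
            "# constructed sample, not a real key",
            make_authorized_key_line("ssh-ed25519", b"\x11" * 32, "remote-support@example.invalid",
                                     options="no-pty,no-port-forwarding"),
            "ssh-rsa not-a-valid-blob!! corrupted@example.invalid",
        ]) + "\n",
        "etc/app/config.json": json.dumps({
            "ssh": {"endpoint": "remote-connectivity-api.example.invalid", "port": 22},
            "telemetry": {"endpoint": "metrics.example.invalid"},
        }),
        "etc/app/broken.json": "{ not json",
    }
    for rel, content in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree, audit it, and return the report."""
    return audit_firmware_root(write_sample_tree())


if __name__ == "__main__":
    report = demo()
    for k in report["authorized_keys"]:
        print(f"{k.path}: {k.key_type} comment={k.comment!r} options={k.options!r} valid={k.valid_blob}")
    for rel, p, v in report["ssh_endpoints"]:
        print(f"{rel}: {p} = {v}")
```

Point `audit_firmware_root()` at a real extracted root (for example the output of a filesystem unpacker) instead of the sample tree. A key whose blob fails the type check is reported rather than dropped, since a corrupted or hand-edited entry is itself worth a look, and the endpoint matcher is deliberately path-based so an unrelated `telemetry.endpoint` does not show up as SSH-related.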


"I downloaded the firmware and I found an SSH key and a configuration file that mentions an SSH endpoint; therefore, I know that all of Eight Sleep’s engineers are allowed to remotely SSH into every customer’s bed and run arbitrary code!"

Do you not see a problem with this line of reasoning? That's literally what he says in the article, and he presents it as a near-certainty, not the wild leap of unsupported reasoning that it is.


Is your argument that there may be an internal policy which restricts access to the private key to a subset of engineers?



