CCTV Cameras Sold on Amazon Come with Pre-Installed Malware (artfulhacker.com)
168 points by walterbell on April 13, 2016 | hide | past | favorite | 76 comments



Since the growth of third party sellers there should be no "even Amazon" about it. The image watermark makes it pretty clear it's a 3rd party seller.

I do wish Amazon would vet the stuff they permit sale of on their site though.


> I do wish Amazon would vet the stuff they permit sale of on their site though.

I get the impulse, but there's a reason that Amazon offers its A-to-Z guarantee rather than an a priori vetting process. Because the latter is literally impossible.

How does the vetting even occur? Do we have armies of "compu-physical engineers", imaginary polymaths capable of analyzing any imaginable physical and/or software product for characteristics that should be rejected? If we had such mental deities at our disposal, why would we waste their time vetting gummi penguins for a retail outlet?!?

Given that we won't have a magical vetting army, it'll be exactly like the TSA: enormous costs incurred to vet that the overwhelming majority of stuff is just fine, a bunch of horrible side-effects from false positives, and bad stuff will still slip through whenever someone wants it to.


I think the 'vetting' is in buying products that are sourced through Amazon's supply chain, rather than vetting third-party sellers.

Unfortunately, there's not a "hide 3rd-party sellers" preference toggle.


It is possible to filter seller to Amazon.com only after you specify "Department", which is what I do most of the time. Maybe someone can write a greasemonkey script to apply it automatically.


The last time I tried this, it did not hide third party offers from showing (or being the default) when you click through to the product detail page.

So you might filter in this way, and still buy a product from a third party seller.


I'm sure this is an argument that can be applied for/against patent examiners, I'm just not sure how.


For maximum irony, if you ever do find a way, patent it and license it to the government.


This isn't meant to be snarky: How does a company like Amazon, that sells damn near anything you could want, vet everything that they sell in an efficient manner? Even if you vet everything the first time around, what about updates? Software and hardware devices/gadgets are obvious, but this includes other physical goods that undergo a redesign as well.


I'm not sure. Perhaps charge a vetting fee until your store has established a level of trust. Whilst there are some great 3rd party sellers, there's now a huge number of awful ones. Amazon is no longer a site that feels trustworthy.

Physical stores have to meet quality and legal requirements on sale of goods and what have you. The retailer can be sued if something isn't as described, or fit for sale. Things can and do get pulled. Mistakes are of course made.

Selling a bunch of stuff under the Amazon brand but disclaiming everything (take it up with the seller in China) except their own supply has taken it a little far. They became ebay but somehow still carry the trust "even Amazon".


> Physical stores have to meet quality and legal requirements on sale of goods and what have you.

Yes, but that's probably the wrong physical analogy. Has a mall ever been sued because one of its stores sold illegal and/or deceptively advertised goods? I seriously doubt it. Now a mall (or Amazon) might kick a seller out if there are problems. This absolutely happens, but it's not very visible, and only occurs after the fact.


Your analogy helps focus the crux of the problem. How many malls have all their stores branded as the mall?

Amazon have been so successful integrating stores into their site that customers don't realise who they're buying from.


I'll argue that the branding issue is a distraction. Shoppers generally understand that Home Depot, Walmart, etc. don't make or comprehensively vet everything they sell, yet they still stand behind the customer experience via returns and support. I find holding Amazon to a higher standard of product vetting as compared to other mass retailers a difficult position to defend.


Holding them to exactly the same standard as all retailers. It seems US and EU law may be vastly different on this front. Here it's the retailer that's held responsible for problems, so it's in their interests to vet as a normal part of the buying process, and they do.

A new company will find its product looked at to decide if it's worth putting in the stores, and whether it meets electrical safety or whatever laws etc.[1] Only once approved will it be placed in store. They'll probably trial in just a few stores first. At least some retailers have an audit process for the factory too.

[1] https://www.homeretailgroup.com/suppliers/how-to-be-a-suppli... 80,000 lines, they say they assess all products, and mention lab testing and pre-shipment inspections. They're a mass market retailer with a lot of product at the cheaper end of the scale.


Amazon is not really much like a mall; insofar as any brick-and-mortar analogy is applicable, it's more like a retail store where some of the items on the shelf are sold on consignment for third parties, while some are regular first-party retail. Which isn't an entirely unheard of thing, though in brick and mortar it's probably more common for antiques, etc., rather than new consumer goods.


I'll completely agree that the analogy is imperfect. Yet it only has to stretch this far: it's just as bad an idea for a mall to literally vet every item sold by its retail occupants as it would be for Amazon.

In fact, no retailer does this. Consider any direct seller of a wide assortment of retail goods, e.g. Home Depot, Walmart, etc. None of these have rigorously "vetted" every item that comes through their doors. They certainly get problematic goods, and deal with that after-the-fact two ways: to purchasers via customer returns and support policies, and to suppliers via feedback into their supplier relationships (give us bad stuff, our $$ go elsewhere; contracts; etc.).

The idea that a retailer should be held a priori accountable for third-party goods it sells smacks of the same kind of thinking that suggests ISPs should be held accountable for third-party content flowing across their networks.


Any merchant selling goods is accountable for the goods it sells (implied warranties) and this accountability may not be avoided, in some jurisdictions, even by express disclaimer.


You require the seller to put money into escrow to cover bad customer experiences. This of course makes it harder to become a seller, which could also be a bad thing (for example, to incorporate in some countries requires putting $50k in the bank, which effectively stops quite a few entrepreneurs).


They could at least be _trying_. The impression I get is literally anyone can post literally anything and amazon will put their brand above it. They must realize that their brand is highly legitimizing to any product for sale, and you'd think they would be more interested in maintaining that brand.

I mean I wouldn't say Amazon is a byword for quality and value, but at the same time I would say most people would put it above, say, ebay and there really doesn't seem to be much of a difference anymore.


There are two, maybe three sides to Amazon.

There is the main Amazon site that everyone is familiar with. You go to Amazon, buy the product from Amazon, pay Amazon, then receive a shipment from Amazon via carrier.

Next is the Amazon seller side. This has two different sides to it. There is the traditional seller model that is akin to eBay's buy-it-now. You go to Amazon, buy from the seller, pay the seller (via Amazon), then receive the shipment from the seller via carrier.

The side to the seller is fulfillment. Sellers have the option to use Amazon as a distributor. It's essentially a hybrid model of the two. You go to Amazon, buy from the seller, pay the seller (via Amazon), then receive the shipment from Amazon (that the seller sent to Amazon) via carrier[1].

My point is that Amazon doesn't exactly put their seal of approval above everything. Just most things.

[1]: https://services.amazon.com/fulfillment-by-amazon/how-it-wor...


The point is that buying a thing off Amazon's site that turns out to be something unexpected or a scam devalues Amazon's brand, whether it's vetted by Amazon or not. Amazon make a point of not separating their vetted stuff from their third-party sellers intentionally.

If it gets to the point where it's difficult for me to find products of the quality that I want on Amazon, I'm not going to worry about whether it's Sold By Amazon or not - I'm going to find an alternative.


The seal of approval is implied though. They're carrying it in what is effectively their "store." If you bought something out of a Best Buy and it turned out to be full of malware, you'd go back to Best Buy (justifiably) pissed off, and in my mind Best Buy just throwing up their hands and saying "Well we carry a lot of products, we can't check everything" isn't a very good answer.


Isn't that exactly what best buy said about the superfish-infested laptops they sold?


True that, but we're not talking an installed SSL cert buried in the system, this guy found it by opening the page and clicking view source. Not exactly well hidden.


Yeah, all you have to do is order a camera from a third party seller, open the box, power everything on, visit the admin page, view the source, and then Google the domain name used in what looks like an ad tracker at the bottom of the page.


It's a good question: is the market maker responsible for the transactions that occur in their market? Probably not, but it stains their reputation, so it's important for them (like it is important for Google's App store) to have some process for collecting feedback on, vetting, and mitigating bad actors in their marketplace.


Lenovo did the same thing on at least three different occasions on their laptops. Advertisers on sites like Forbes regularly serve up malware.

I guess I'm interested in knowing: when is someone going to be prosecuted over malware creation and distribution?


One way is to have vendors sign a contract guaranteeing that their products do not contain malware. If the product does turn out to contain malware, then Amazon has contractual and legal recourse to recover damages and refund customers their money.

Sure, this isn't perfect, and won't help much if the vendor is a shell company, but it does put vendors on notice.


They do. See https://www.amazon.com/gp/help/customer/display.html?nodeId=... and https://www.amazon.com/gp/help/customer/display.html?nodeId=...

Illegal or fraudulent listings are expressly forbidden, and the seller agrees to indemnify Amazon for any claim resulting from a breach.


That's good to hear!


Amazon now sells around a billion SKUs. It would take some serious Mechanical Turking to buy products, review them and due-diligence each for malware. The Amazon social features like Q&A and reviews are intended to crowdsource feedback after-the-fact. But until enough people die from being electrocuted from line voltage USB hubs or hoverboard power-supplies burning down their homes, regulators are unlikely to step in until there is greater public pressure on regulators to do so.


> The image watermark makes it pretty clear it's a 3rd party seller.

Officially, watermarks and text on/in images is not allowed on Amazon, per their policy. (of course, enforcement varies). This means not seeing a watermark is not a good indication it's not a 3rd party seller. Better stated, absence of a watermark does not mean the item is sold by Amazon.

Nearly everything sold on Amazon these days is 3rd parties. I'd wager somewhere in the 95%+ range. Same with "Prime" items (these are just 3rd parties that use the FBA option).

> I do wish Amazon would vet the stuff they permit sale of on their site though.

This is simply not possible at this scale. Not to mention, there's no guarantee a product line that was vetted by Amazon doesn't somehow have its firmware changed/modified/injected after the validation period.

Essentially, there's no way around these issues. They're not "Amazon" issues per se, but rather product-line issues in general. The same thing could occur (and might already be occurring) with retail brick-and-mortar stores as well.


Can you provide a source for your 95%+ assertion?

I ask because I buy many things on Amazon and actively avoid 3rd party sellers. With that in mind, I almost never find something I'm looking for that is not available. There are a few exceptions from time to time, but they are rare.


I have no official source, only experience. My company has been selling on Amazon for over 6 years (we're medium-ish volume, 200+ orders a day on Amazon alone).

We've found the majority of customers have no idea who they're buying from. The majority assume it's always Amazon, and often contact us about other orders they've recently placed, etc.

If you browse around Amazon, you'll notice items that have many "offers"; clicking this link will show you the sellers who are listing that product. You'll notice how rarely Amazon.com is actually listed as a seller. Typically they're listing the top 10 items in any given category, but there are millions of products on Amazon, and very few they actually carry. When they are listed on an item, they're not always the best deal anymore.

We don't worry about competing with Amazon.com anymore, we worry about competing with our Chinese manufacturers (sometimes the same ones we source from!), who get USPS/US Gov't subsidized shipping (free shipping from China, and product costs ~1/2 of a US seller).

Amazon is transitioning into a seller platform, not a seller themselves. All the warehouses they keep popping up everywhere are mostly for FBA (Fulfilled by Amazon) warehouses, where 3rd party sellers send their products so that Amazon can warehouse them and ship them when there's a sale.

Amazon FBA is a fairly competitive fulfillment cost, sometimes beating our own internal fulfillment costs (we're stepping up our FBA game because of this, but unfortunately will ultimately result in fewer warehouse staff in our company).

Another secret - Amazon is rarely the best deal for any given item. Officially, policy says you must offer the "best deal" on Amazon, but this is never enforced in our experience. Amazon takes a commission of up to 30% (depending on the item category), so unless you already have very healthy margins, you end up baking an additional 30% into the retail price. Customers pay your commission fees. So, if you find a product you want, see who the seller is, and try to find their website outside of Amazon.com. Chances are, the item will be up to 30% cheaper (sometimes more!). Of course, this isn't always a guarantee, but it pays to check.


I'm very aware of who I buy from on Amazon, so hearing that people are confused is both surprising and not surprising. I've also done FBA integrations so I know about how all of that works as well.

I guess I can see some merit in your assertion if I consider it the long-tail of online sales. That likely explains why I never notice it as I don't hit that segment often and if I do I venture to other retailer sites.

As an insight into an Amazon customer though, I'm ok paying Amazon slightly more than a third party seller or other website. The reason is fairly simple. Trust. I've almost never had a situation where after contacting Amazon customer service I've been unhappy with the resolution. The only times it has happened are with third-party, non-FBA sales. There is little that Amazon can (or will) do to help you in those cases. Eventually, if you are REALLY upset, they will try to make things right, but the initial process falls back to you and the random retailers. So, I really don't mind if Amazon's price is higher (slightly) as long as I know they have such liberal customer satisfaction procedures. This is obviously my experience. I've read of others that had bad experiences as well.


> There is little that Amazon can (or will) do to help you in those cases

Oh how I wish that were true!

As a buyer, your most powerful weapon is the A-Z Guarantee process.

Filing an A-Z is an almost guarantee you'll get your money back, or a new product for free (unless you're obviously at fault or provably pulling some sort of scam).

A-Z's significantly impact sales. They impact search visibility, "Buy Box" share time, and can even get your account(s) flagged for review (during which Amazon freezes all sales). A-Z's can be downright scary.

Sometimes Amazon pulls funds from the seller's account to refund the customer... and sometimes when the seller is obviously not at fault but the customer is still very unhappy, Amazon covers the refund themselves. Both impact the seller.

> So, I really don't mind if Amazon's price is higher

The real advantage Amazon has is the convenience. You can buy groceries, electronics, and clothing all at the same time, from the same website (even if it's multiple sellers you're actually ordering from). You can't get that really anywhere else.

It does pay to check the seller's website if they have one. You'll save money most of the time... but you lose convenience, and it's a hassle for some folks to shuttle around multiple websites.

> I know they have such liberal customer satisfaction procedures

True - but you really should try to support sellers off-Amazon. There's little risk if you check out with a Visa/Mastercard/AMEX/PayPal. If you're not happy, all of these systems will get you your money back, most of the time (so long as you don't have a large history of chargebacks, etc...). The majority of sellers are out to help customers, not screw them over. Most will bend over backwards to help out a reasonable customer. It's a lot cheaper to keep you as a happy repeat customer than it is to acquire new customers.


> Nearly everything sold on Amazon these days is 3rd parties. I'd wager somewhere in the 95%+ range. Same with "Prime" items (these are just 3rd parties that use the FBA option).

This matches what I see. What's even more annoying is that it seems like every third party seller also has decided it's a good idea to spam me with emails asking for reviews after every purchase. Amazon provides no way of unsubscribing from there (they block one particular seller if you contact them, which is utterly useless)


There's a few things that may be happening.

Amazon, themselves, will send 2 notifications about a week apart, for feedback on the order.

But yes, a lot of sellers have started emailing customers as well. On average, and other sellers agree, about 10% of customers leave order feedback. Order feedback is critical to gaining search visibility on Amazon, so sellers live and die by feedback... this is the main motive behind trying to solicit it where possible.


95% is absolutely not accurate. Amzn's latest annual report (put out April 6th 2016) states "close to 50% of units sold on Amazon are sold by third-party sellers."


50% of units sold, not 50% of products listed.

As mentioned, Amazon tends to list the top 10 products in most categories, so naturally they'll get a lot of units sold, but the overwhelming majority of all products listed on Amazon.com are 3rd party sellers.

You can look for yourself, it's fairly obvious.


You literally say 'items sold' in your post above

> Nearly everything sold on Amazon these days is 3rd parties. I'd wager somewhere in the 95%+ range


I was a little liberal in my wording, the intention was items listed for sale. "What's being sold on Amazon", "Are those sold on Amazon"... etc...

And again... don't take my word for it... go take a gander yourself. It's very obvious once you look at a few products...


I'm not sure I agree about Amazon vetting products they sell, but singling them out in this case seems a little unfair, because there's something about this product that ties it to Amazon.

Presumably I could buy the same cameras on eBay or Walmart or somewhere else and also get malware.


Agreed, there's a ton of counterfeit stuff on Amazon. I don't think they could pre-vet everything but they could be more aggressive about kicking off sellers of counterfeit things.


Whenever I see news like this I begin to think: we need an OSS software project for the various IPCAMs on the market, the way OpenWrt does it for routers. So you can know for sure you're the one watching, not vice versa.

Most if not all IPCAMs run Linux; the tricky part is the codec libraries, which are tied to some old kernel using some strange toolchains. That can be improved with the vendor's help over time.

In the past TI owned the IPCAM chip market; now it's Huawei, whose chips (HiSilicon) are in about 80+% of IPCAMs on the market nowadays, and TI is getting out of this game. The project may only need to support one or two chip vendors.


An OSS project is not enough to give us any security, given chips that are mostly made super cheaply in sketchy countries and that are complex enough to contain whole computers and OS's... If you are successful with your OSS stopping spying or any other mal-MITM, the spies will be further incentivized to move upstream, and then you discover that even more spies live up at the headwaters.

I'm not saying it's hopeless, I'm saying that the problem needs to be stopped at its root and systemically, with random selections and inspections, 3rd party audits, etc. That's not perfect either (as we see from banking regulation) but unless you start in a civilized country with checks and balances, there is no end in sight.


No flagship SOC in the world is immune to backdoors. Both Chinese & U.S. governments have massive spying programs with corporate participation. Good luck getting meaningful third party audits with highly complex, obfuscated, and proprietary designs that the companies will lobby against deciphering...


OSS software is not enough to ensure security, but it makes doing sketchy stuff harder. Stopping every malicious actor would be great, but stopping some and making it more expensive for the rest is worth a lot.


Designing backdoors at the hardware level could be done of course, but it is at a whole different level; for general purpose IPCAM chips (e.g. the Hi3518 series) I don't think it's worthwhile for the vendor to do that.

By the way, Huawei does do excellent chip designs with ARM cores these days, which are used in IPCAMs too. It pushes TI out by quality/price ratio.


Most IP cameras use a standard defined by ONVIF (https://en.wikipedia.org/wiki/ONVIF) for all communications. Everything between the camera itself and the local storage/cloud is pretty open and documented.


This is true, however onvif is an application level protocol and is relatively easy to deal with and can be portable and is pretty much low-level/hardware agnostic, so it's of less concern.


It is worth noting that the domain used by the malware (as well as some other domains) was seized and shut down by the .pl registrar's (NASK) security team (CERT). Here's the report of the operation: https://www.cert.pl/PDF/Report_Virut_EN.pdf


Thank you for mentioning this. It's as if the other commenters didn't actually read the article or go to the forum post that was linked to.

Looks like attackers managed to include this in a firmware update to launch DDoS. Amazing. Luckily the malware site is no longer working, so the users are safe. The users of the product mentioned that older versions of the firmware did not have this included.

Not sure how it happened, but to blame Amazon is ridiculous. I would look into the manufacturer a bit more to make sure it won't happen again before buying it.

To sum up. The price of the product is good. Amazon is still good. The company who made the product is now questionable. The firmware is bad.


I got a few of these (related) cameras on Aliexpress a little while back and yes, they also had the same malware. Saw it immediately as Chrome flagged it when I loaded the UI page.

There are some 'vanilla' firmware images around that can be reflashed, but it's definitely not within most people's ability to reflash them.

It's too bad; it is very nice hardware, and the price is incredible...


So if I just resolve that domain to 0.0.0.0 on my local network, is the camera safe to use?


No, I'd flash the firmware on the camera first before trusting it.

Alternatively, connect the cameras to a second network without any internet access at all, which is probably best for security to the cameras anyway.


You can also give them DHCP leases that don't set the gateway. That's usually a good idea anyway, and it's pretty easy to do if you use something like dnsmasq.

In my config I have an IP range on my subnet that is the default one and doesn't set the gateway. When I 'trust' the device I add its MAC to the list of trusted ones.
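One way to build the setup the two comments above describe (a sinkholed domain, plus DHCP leases that omit the default gateway unless the device's MAC is on a trusted list), written here as an added dnsmasq configuration that is not from any commenter. The subnet, interface name, router address, MAC address and the placeholder domain are assumptions.

```conf
# Added example, not from the thread: dnsmasq fragment for a camera LAN.
# Assumed: dnsmasq runs on the router at 192.168.1.1, serving
# 192.168.1.0/24 on interface eth1. All other values are placeholders.
interface=eth1
dhcp-authoritative
domain-needed
bogus-priv

# Every client gets an address from this pool...
dhcp-range=192.168.1.100,192.168.1.199,255.255.255.0,12h
# ...but DHCP option 3 (router) is sent with no value by default, so an
# unknown device learns no default gateway and has no route off the LAN.
dhcp-option=3

# A device is promoted by adding its MAC here; the same line also pins a
# fixed address for it (placeholder MAC, not a real device).
dhcp-host=00:11:22:33:44:55,set:trusted,192.168.1.50
# Tagged options take precedence over untagged ones, so only clients
# carrying the 'trusted' tag are told about the gateway.
dhcp-option=tag:trusted,3,192.168.1.1

# Sinkhole the domain the article names (placeholder name here): any
# lookup from any device on the LAN resolves to 0.0.0.0.
address=/malware-domain.example/0.0.0.0
# Log queries so a camera trying to call home shows up in syslog.
log-queries

# Caveats: a lease without a gateway is only a hint. A device with a
# hardcoded gateway, hardcoded DNS resolver or an IP literal instead of a
# hostname bypasses both measures, so pair this with a firewall rule that
# drops 192.168.1.100-199 to the WAN and redirects UDP/53 to the router,
# or put the cameras on their own VLAN with no internet route at all.
```

The firewall rule and VLAN mentioned in the closing comment are what actually enforce the isolation; the DHCP and DNS settings only make well-behaved devices comply and make misbehaving ones visible in the query log.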


In response to everyone asking about open standards and standardized platforms, there's already an open standard for networked IP cameras and it's called onvif, run by a non-profit organization (for what that is worth). There are open implementations for OnVif and virtually all cameras shipping from China already support OnVif.


http://www.amazon.com/Sony-Chip-Camera-1080P-CCTV/dp/B00YMEV...

We're sorry. The Web address you entered is not a functioning page on our site

Wonder what Amazon is doing right now...


Probably sucking the money back out of that reseller's account to pay for any unexpected costs?


I have found modern support for analog security cameras to really be coming to an end, which is pretty unfortunate, because they're often cheaper and pretty much impossible to come across these sorts of problems with. (I can't even find a PCI-E card with BNC connectors in this day and age.)

If you're going to buy ANYTHING with a network port (or Wi-Fi, or Bluetooth, or heck, USB), you should be wary of where it came from.


Have you checked Blue Cherry? They have always been my go-to place for analog video input cards, and they have tons of them. Check http://store.bluecherry.net/product-category/capture-cards/v...


This is so unfortunate. I've been wanting to do a security system for a while now, but it looks like I will have to do it via USB webcam + Raspberry Pi instead of an integrated IP camera. I really wish there was a cheap IP camera hardware standard where the firmware could be easily flashed with something open source.


Check out the OpenIPCAM wiki[1]. It's not a standard, but it's a start.

[1]: http://wiki.openipcam.com/index.php/Main_Page


Agreed. I ended up doing what you describe and, while it works, I would have willingly paid for an off-the-shelf product if it was available.


Are there any cameras I can buy that aren't garbage in some way?


There are tons of cameras out there these days that aren't crap, though they are a bit more expensive than the cheap kits you buy from Amazon or Costco. Most of the non-Chinese manufacturers and the largest Chinese manufacturers have good quality cameras depending on the features you want. Good cameras are generally compatible with ONVIF, so they should be compatible with a wide variety of VMS software.


This isn't an easy question to answer - I'd answer differently depending on whether you want cameras for home vs. business purposes, and differently again if you want local vs. cloud storage.


Fair. Just looking for something with decently secure firmware that I can permanently install outside, store locally on a NAS, and live stream remotely if I choose to. It's just kind of difficult to get a clear option because the market is saturated with junk.


Homeboy cameras are great. They can be placed anywhere without a cord (at the cost of having to charge them every couple of months or so). Edit: but as another comment pointed out, it depends on your needs. I don't want to constantly stream or monitor, I just want something that only starts recording when it senses motion, only does so when I'm not home, and immediately uploads the video to my Dropbox.


Link isn't working. I assume Amazon pulled the item.

Is this the same/similar item?:

http://www.amazon.com/Annke-Sensor-2-1MP-Security-Camera/dp/...

Incredibly cheap and zero reviews, so perhaps they've just reposted it with a slightly different product code on Amazon?


Bought a brand new foscam HD off Amazon. Plugged it in, network immediately started acting weird. Router confirmed it was sending outbound traffic where it shouldn't.


I think the safest solution is Raspberry Pi + webcam, but I'm not sure if there are webcams suitable for outdoor use.


The Raspberry Pi has direct memory access by a binary blob driver. The 'safest' solution could include having all the kernel/userland code audited by the community.


When are people going to demand standards for networked cameras, mics, and the like? My guess? Someone has to provably die as a result.


Url changed from http://thehackernews.com/2016/04/home-security-system.html, which points to this.


We've passed the IoT stage, now entering the IoS (internet of surveillance). I wonder how many people bought this and will never notice.



