Hacker News new | ask | show | jobs
by whisdol 3314 days ago
They seem to avoid mentioning the version of Android they are running - the specs only say "Android".

I'd like to be exited about this, but this uncertainty combined with the fact that their security personnel is a team of dogs[1] makes it quite hard for me.

[1]https://www.essential.com/about
8 comments
dang 3313 days ago
We detached this subthread from https://news.ycombinator.com/item?id=14444305 and marked it off-topic.
link
ericflo 3314 days ago
I thought you were being unimaginably rude until I went to the page and saw that there were actual dogs listed.
link
s_kilk 3314 days ago
I __think__ they mean physical security (as in, Guard Dogs), rather than their Software Security team.

Still, the optics aren't good.

link
deong 3313 days ago
The optics are fine. It's a cutesy "about us" page.
link
jjoonathan 3314 days ago
Wow. For a platform that struggles with security, listing a security team entirely composed of dogs comes across as the equivalent of "I drive better drunk!". One has to wonder whether it was intended as a joke or as a dismissal, and in both cases it evidences an alarming attitude towards a very serious problem.

EDIT: If there were humans on that team in addition to the dogs, I'd not be nearly so upset.

link
yeukhon 3314 days ago
Well professionally I'd like a human photo. If this were a shy photo, I would hope for not a cute puppy photo, but a human animated icon. There is a bit I called professional prsentation vs being cute, but this is a startup and it's someone else's company.
link
pawadu 3314 days ago
or you could just accept that this a cute way to present the office dog, and get on with your life...
link
erpellan 3314 days ago
Android 7.1.1

https://support.essential.com/hc/en-us/articles/115008012428...

link
Gatsky 3314 days ago
Not sure there is an issue here... I think it's just a joke about 'physical security' of the premises.

Most team pages I've seen don't specifically identify people working on infosec aspects of the product. That could be an attack vector if you're really being paranoid.

link
yeukhon 3314 days ago
That's a myth. If someone were to attack your infosec engineers physically or virtually you need to build your company from the moon because only nation states and the 1% richest would be able to afford the ride there. If someone were to do social engineering well it will be done, regardless of title. :)

No seriously I bet you this is just a blunt humor attempt. Someone thought it was cute. Those who prefer to remain hidden from camera just don't want to be seen on the Internet. I probably should go on LinkedIn and look for someone with security title working for this conpany, I might be right.

link
nl 3313 days ago
That's a myth. If someone were to attack your infosec engineers physically or virtually you need to build your company from the moon because only nation states and the 1% richest would be able to afford the ride there.

http://www.spiegel.de/international/world/ghcq-targets-engin...

link
yeukhon 3313 days ago
See my response on another comment.
link
bobsam 3313 days ago
NSA has been known to target sysadmins so I wouldn't call this a myth.
link
yeukhon 3313 days ago
I already said it, social engineering will work regardless whether someone hides their identity. Government knows who works for who. IRS is a good source, so this is a myth that hiding photo can save someone's security. No it is a false sense of security. When I said it's a myth it's satirical
link
dmix 3313 days ago
The less information available about the infosec and (more importantly) the sys admins the better.

Nation states are like any organization. They are resource and time constrained. If you set the bar high you will eliminate the low hanging fruit adversaries. Force them to put the work in... Plus if you show them you are very careful and watching everything you will force them to be extra careful, as not to tip off any surveillance, which expends more resources.

Whether or not they can actually be anonymous is not the ultimate goal. That would require a lot of work and attention to detail. But you can still do some basic stuff to make the lives of hackers hard.

link
yeukhon 3313 days ago
That's false sense of security you and many have. It takes very little time for nation states to identify who works for XYZ company.

If what you suggested is the right practice, then why is Google Zero Project members a public thing? A lot of them are publicly known. If infosec people are vulnerable, isn't your building security guard vulnerable? We got tens of thousands of hackers attending DefCon, Blackhats, and other security events every years and shouldn't we be worried? We got some of the most respected hackers and security engineers on planets attending them. How do you think government (FBI) recruited an anonymous hacker to work for them? Aren't your network engineers not vulnerable? Let's not kid ourselves with this ridiculous and quite frankly stupid obfuscation. If people are easy to fall for social engineering, let's find a solution that address the problem. Your impression of hidhing behind the curtain is basically the sterotype of hackers in basement. History has taught us the only famous computer programmer yet to be revealed is the creator(s) of Bitcoin. We don't knod if any nation states know who created Bitcoin. Otherwise, the government has pretty good hand in finding people. Resource constraint is a joke. If government wants to hack into Verizon they would have the resource assigned.

Sorry to be harsh but this is again false sense of security. Most startups would have developers have access to production so developers are just as vulnerable as infosec folks. Then why reveal the rest of the team? That counters your argument malicious actors would have a harder time to social engineer. So let's really not pretend we are doing better without revealing infosec because that's just nonsense in practice unless you are working on a project that may have serious retialation such as defeating Wanna worm then I understand masking your identity.

link
russellbeattie 3313 days ago
Marketing person: "I think it'll be cute to add our pets to the about page!"

Employees with dogs: "Aww! It'll be so cute to add our dogs! Let's give them fun titles!"

Most people: "So cute! Look honey, they have a picture of a dog named 'Cosmo' that's their 'Head of Security'! Haha!"

Hacker News: "This is an affront to the serious nature of computer security and an insult! I am shocked that a startup would make such an attempt at 'humor' when the OS they use does not have 100% perfect security and our privacy and digital security is being threatened daily by the men in black. I will never buy this product!!!!!11"

link
jjoonathan 3313 days ago
Situation: There are 0 people and 2 dogs listed as the security department on a platform where security has long been a metaphorical joke and is now evidently a literal joke.

HN: What's the big deal?

Most people: It's a little creepy that everyone knows everything about me, and the identity theft epidemic kinda sucks. Not much I can do other than keep an eye on the accounts, chase down fraud as it happens, self-censor, and pray I don't get hit with ransomeware. I have other battles to fight, so I hope the tech industry has my 6 on this one.

link
ovao 3313 days ago
The About page lists a fairly large number of engineers, some of whom who no doubt have responsibilities involving security. But Essential is not Android, and nor are they Google, so they have a much smaller subset of security concerns to deal with as a handset maker.
link
ttam 3313 days ago
why the hell is the about page 1.8MB (when all the resources are loaded)?

and it seems to be buggy with no webgl? using chromium under linux I get "Uncaught TypeError: Cannot read property 'getExtension' of null"

link
Antrikshy 3313 days ago
I had a lot of trouble scrolling through that site on my very beefy work MacBook, which never hiccups on webpages.
link
efsavage 3313 days ago
And the camera person doesn't have a picture...
link
vog 3314 days ago
Moreover, their whole website is not accessible when JavaScript is blocked, leaving the impression that security-minded people are not their target audience at all - which is really a pity!
link
pawadu 3314 days ago
Do you think the guy that designs their web site and the guy that works on phone security are even remotely related?
link
slowmotiony 3314 days ago
Do you think clients will be mapping out their whole corporate structure before making an assumption about their level of service?
link
vog 3313 days ago
If they are not, how can I trust anything written on that page about quality and security?
link
peeters 3314 days ago
What does it matter? If a website for a new router only supported Internet Explorer, I definitely would know either I'm not their target market, or they know nothing about that market, or they don't care.
link
hn_throwaway_99 3314 days ago
I would argue that the percentage of people who care about websites working with JavaScript disabled is so low that no hardware company considers them a target market
link
peeters 3314 days ago
I wasn't saying that no JS support is hurting them. I was objecting to the notion that them being separate teams is relevant. It's perfectly reasonable to judge a product by how it is marketed.
link
pawadu 3314 days ago
Funny you mentioned that, ASUS latest routers try to mimic OSX UI.

It still works on Chrome but you never know what the next firmware upgrade brings...

link