How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in [Washington Post]
This article from the Washington Post is a truckload of bullshit for a few reasons.
1) The author of the article does not understand the definition of “hacking”, or in this case “security hacking”.
If someone logs into one of your online accounts, such as your Nest account, because you use a shitty password or you use the same password over-and-over again on many websites, that is not security hacking. The industry name for it is credential stuffing: taking username/password pairs leaked from one site's breach and replaying them against another site's login form, hoping they were reused.
Hacking is the process of gaining access to a protected system through the exploitation of bugs or other system vulnerabilities. Simply obtaining someone's account password and then logging into their account is not hacking; the login form does exactly what it was designed to do. It is certainly unauthorized access to an account, but it cannot be called hacking.
2) Nest provides two-factor authentication for their accounts
“Software designed to help people break into websites and devices has gotten so easy to use that it’s practically child’s play, and many companies, including Nest, have effectively chosen to let some hackers slip through the cracks rather than impose an array of inconvenient countermeasures that could detract from their users’ experience and ultimately alienate their customers.”
BULLSHIT. That quote is complete and utter bullshit.
Nest has allowed its users to turn on two-factor authentication for their accounts since early 2017. One could easily argue that Nest was late to the game in providing this feature, but to say that Nest has "effectively chosen to let some hackers slip through the cracks" is a straight lie. Once you turn on two-factor authentication for your Nest account, a leaked or reused password is no longer enough on its own: whoever has it also needs the second factor tied to your phone, which means getting hold of your phone on top of your password. What more do you want? A Nest employee to visit your home to physically verify your identity???
3) The login process is not examined when companies try to reduce friction for their users
“Nest could make it more difficult for hackers to break into Nest cameras, for instance, by making the log-in process more cumbersome. But doing so would introduce what Silicon Valley calls “friction” — anything that can slow down or stand in the way of someone using a product.”
This author does not understand how “friction” is considered by companies when they design their products. Companies want to avoid friction when it impacts their bottom line. Friction encountered when logging into your account does not, for the most part, affect any company’s bottom line. Sure, you need to be able to access your account, but as long as you’re able to login, almost every company will consider their login process acceptable.
Companies only want to avoid friction for their users when it impacts their money. Checkout processes, search features, and product detail pages are some of the areas where companies invest their resources in reducing friction. They want it to be as easy as possible to give them money or engage in the activities that generate revenue, such as seeing more ads as you use Facebook. Login processes are not part of this thinking. Account creation processes are, but once you are a user you’ve already been captured. The company does not need to spend its time thinking about how you login to your account once you are a user. As long as you can login, the company is satisfied.
This author seems to believe that companies are responsible for the ignorance and stupidity of their users. Following this same line of thinking, car manufacturers are responsible for all of the accidents caused by the drivers of their cars, knife manufacturers are responsible for the injuries and deaths caused by the users of their knives, and water utility companies are responsible for all the drownings of their customers. This line of thinking is unreasonable and senseless. If I am robbed while walking down the street, I don't blame some company for failing to protect me. Rather, I blame myself for failing to take the necessary measures to prevent or minimize the possibility of a robbery. I am responsible for my own security. Companies cannot be held responsible for the world of stupidity that their users engage in, such as using the same passwords all over the internet.
This article is obviously a hit-piece designed to portray Nest in a negative light, but whatever the author’s intentions, it is irresponsible journalism to lie to readers about the facts which describe Nest’s login process and account security features.
You wouldn’t drive a vehicle without first learning how to drive it. You wouldn’t purchase a pet without first learning how to take care of it. You wouldn’t travel to a country without first researching what it’s like to visit. The exact same lesson applies to the internet: Do not go registering online accounts without first understanding what the fuck you are doing.