Yes I think colors would be great, while still keeping the UI minimal. Another comment brought it up along with audio feedback for strokes which feels like it would be a nice experience.
I was once investigating an uptick of telnet traffic, when I came across something that looked like a pppoe router web interface.
For shits and giggles, I decided to try admin/admin, and to my surprise, I was logged into this device with full control.
I immediately logged out, but I could have easily changed the password or changed their configuration, knocking them offline...
I'm sure there are legal issues surrounding that, and I have no idea what kind of devices connected to the thing, but you'd be surprised how much random internet junk is out there with default credentials.
I would say this is highly irresponsible of the researcher to expose this publicly. These are people’s homes, along with their PII and locations. The residents didn’t choose this system, their building just uses it. They don’t even know that their info is being leaked, nor that the doors to their places were just rendered neutered.
I think this falls under responsible disclosure guidelines. A lot of times companies refuse to fix misconfiguration issues like these, and users/customers deserve to know. Not publishing it is security by obscurity, you're just hoping that a bad actor doesn't figure this out (or hasn't already figured this out).
If something bad is done by a bad actor because of this vulnerability being discussed in public, that's no worse than something bad happening because this vulnerability exists but is only discussed in secret.
This is not some highly-technical vulnerability only accessible to nation-states with genius engineers and million-dollar labs with exotic instrumentation and brute-force supercomputers pulling down many megawatts of power. The OP literally logged into an open Wi-Fi SSID, searched for the text on the page, and scrolled to the default password. None of those steps are hard to do; any jealous ex or disgruntled employee or divorced parent fuming in the parking lot for 5 minutes could effortlessly accomplish the same thing.
I honestly think it's likely that bad things have already happened due to this vulnerability - but not due to this disclosure.
But because it was only discussed in secret, no one ever got to the root cause of the issue and the hazard continued to be out there. Now that it's public, hopefully something will be done, and relatively quickly.
Not shining a spotlight is worse. The important thing is providing time to address the found vulnerability, i.e. responsible disclosure. For which OP has indeed provided a timeline.
The debate has long since been settled comprehensively in favor of openness.
I don't know why you picked a random date 2 weeks before publication instead of the relevant one:
2024-12-27: Current vendor of MESH identified as Hirsch (subsidiary of Vitaprotech Group) and contacted
They were contacted 7 weeks before publication
and
2025-01-11: Hirsch product security responds requesting details and are asked if they intend to alert clients
They responded 5 weeks before publication, and so were aware of the issue for at least 5 weeks before it was disclosed, during which time they did nothing about it
The only recourse for what problem? Aren't there other plausible creative ways to apply pressure and get it fixed, with less risk to the people unwittingly at mercy of this vendor's negligence?
Or are you speaking of the transactional convention, in which people can break into systems, and then are entitled to publicity for that, so long as they give the vendor advance notice?
The whole responsible disclosure convention seems an imperfect compromise, among various imperfect actors. On occasion, individuals might decide that other options are more appropriate to the specific situation, and to Perfect Tommy it.
I strongly disagree. You're literally putting people's lives and possessions at risk who have no knowledge of this. There are many alternative methods, from getting the government involved to giving a very long lead time to the vendor before you disclose this, to sitting on it and never disclosing.
The information is already sitting on Google for anyone to find, vendor doesn't give a shit.
Best to get it out there, at least if you're stuck in one of these buildings you can log in and change the admin password yourself till your building management does something about it.
Software vendor and building manager are putting people's lives at risk.
Can't software coders ever take responsibility? And this is on the programmer who implemented this, too. You just don't let your product manager do this, ever. It's 2025 already.
And this is a security product, wtf? Residents should be suing individual programmers here. OWASP was created 24 years ago. Default credentials is like number 1 on their IoT app security list. Only a moron would not defend against this. If your manager requires this, you just send him:
I second this. Just because it feels right to them as "I've reported it, it's not on me anymore...", doesn't mean he should enable bored people to revoke access cards, jam elevators, etc.
Criminals were already enabled to do that, and the people in those buildings had no way to know.
The more-responsible thing might have been to also reach out to residents of individual buildings & give them time to correct the situation, rather than relying on the company (which has a vested interest in ignoring the problem) to do the right thing. But security through obscurity is not a solution.
That depends on the individual's weighing of the various factors and their personal moral position. If someone wants to prevent a bunch of easy break-ins where the method of entry won't get noticed in most cases, and they feel that the discomfort of denying access for a bit (impacting hundreds of people perhaps) outweighs the trauma of being robbed (maybe impacting just a few), then doing that might be the only morally defensible position to take. For all we know they actually are planning to hammer the open installations until they get fixed to prevent the bigger harm.
Other people will shrug and move on after trying everything they can via the proper channels.
And then of course there are the assholes who will just do it because it entertains them.
It's all very educative and makes a point until you read a news story about someone dying because ER couldn't get there in time. The road to hell is paved with good intentions hits hard here.
That too has a chance of happening associated with it. Lacking a convenient table to look up the chance of that happening (and its impact), and the chance of a break-in caused by an open admin panel causing irreparable harm, there is nothing left to do but weigh the chances as best as one can.
Many people will choose to do nothing in that case, but not everyone will accept that inaction which might lead to bigger harm is preferable to action which might lead to another possible negative outcome, but at a much smaller chance.
(It's basically that dumb trolley meme, but with undetermined outcomes.)
Every choice we make can have an adverse effect on others. Take the car today instead of walking? You just might cause an ambulance to be delayed leading to an unfortunate death. The chance of that happening is negligible of course, but not absent (it never is).
Windows, like Linux, assumes a certain architecture: one or more processors connected to volatile memory that holds transient data and much slower persistent storage that is required to preserve a consistent state for long periods.
You don't see "Windows for D-Wave computers" and you won't see "Windows for HP's The Machine".
Any new OS will have to, at least, have a POSIX API if it wants to be used from day one, but, from that point, HP is free to invent.
I want this so bad, I have a Kindle DX that's pretty good but I just want to be able to 'print' directly to it and have it automatically turn on and show it. This is getting there with the pen, I love that idea. They should have it sync back after you annotate it automatically. That's friction free.
Also, I had one; think of the hinge. You can't use it on your laptop in a chair like a normal laptop. Check out the Samsung 700TC, it's 12.2 inches and has a removable 'Asus-like' keyboard with a real hinge. I haven't used it in a while (I'm really liking 8 inches for a tablet) but it was pretty good.
You can buy one of those iPad style cases for the Surface that make it easier to use when it's in your lap.
I think the Surface is basically for the segment who either use it on a table like a computer or an iPad when it's not -- like me. The good thing is that there are lots of competing products that satisfy other use cases.