Friday, 7 November 2014

Your Job Title Means Nothing To Me

Every time someone introduces themselves as a senior developer, senior designer, senior whatever, I cringe.

They are trying to impress people on how talented they are, how respected they are.


Badge of Honour
For some people, they wear their senior title as a badge of honour. They may have worked their way up through the ranks after having joined as a junior. Invariably in these environments they would have worked alongside a senior. Well, not really alongside; the junior would work under the senior. After all, that's what those titles are designed to achieve: a clear definition of the hierarchy.

Senior > Junior.

So like the small fish in a big pond the junior joins a company and looks on enviously as others call each other senior. Look at the respect! That person's a senior don't you know? The small fish should say little and listen lots because seniors know more than juniors.

Except there is a bit of a problem with this system. It turns out that some junior employees are actually very good. Not "good for their age" or "good for a junior" but just out and out good.

Well if some juniors are good, then all seniors must be excellent then. Remember, seniors are better than juniors.


Putting senior before your job title doesn't mean you are good at your job
It turns out that there is a bit of a problem here too. Putting senior before your job title doesn't mean you are good at your job. It indicates more that you want people to think you're good at your job, rather than actually indicating how good you are. That's an important difference.

So if junior employees can be good and senior employees can be bad, what value is offered by the prefix?

Some people become so attached to the prefix once "earned" that they want to tell everyone. It's announced during an introductory handshake. It is on their email signature. It is on their eggshell white business cards. No doubt in Romalian type.

If you want to have some fun with this, find someone who matches the description above. The next time they are meeting someone new introduce them as a junior. Predict how many milliseconds until they shriek "senior actually". Watch their silent rage simmer. You've just made an enemy for life.

If the system makes people join as juniors and work their way up to become a senior, it is a rite of passage. If it is something done to you, you're all the more likely to do it to others. After all, you were assuming that one day all of this would belong to you Simba.

Collaboration is lost
A very real danger of such a system is that collaboration is lost. To work in a truly collaborative environment you need to have mutual respect. In a collaborative environment respect does not flow only in a single direction. Your seniors must trust your juniors and respect their ability to do the job.

When two people have conflicting opinions in a collaborative environment the best idea wins. This is not the same as the senior overruling the junior. This is not the same as giving in to the HiPPO in the room.

Introducing your peer as a junior is highlighting that you don't consider them a peer. They are your underling. Your minion. It is announcing to the room that you should take their opinions and ideas with a pinch of salt. It is truly passive aggressive. You have introduced prejudice and given people a reason for discrediting any idea borne by this person.

An idea should live or die on its own merit; its fate not dependent on who created it.

If you work in an environment where you have a product or service that you are building, the product is king. The product is bigger than your individual egos. The product needs to be right and this often means people in your team will be wrong. 

It is impossible to accept that failure is a necessary part of the process when you're so busy covering your own ass and trying to convince people you are senior. Trying to convince yourself that you are senior.

My job title doesn't tell you if I'm good at my job; it tells you what my job is. If you want to know how good someone is at their job you'll learn more by talking to them for 2 minutes than you will by judging them on their job title.


Monday, 30 June 2014

IP Camera Leaks Your Camera Feed to Anyone - And Also Your Home Wireless Network's Password in Plain Text

Tenvis JPT3815W camera shows your video to anyone without a password. It also reveals the password for accessing your wireless network in plain text. 

These exploits are not related to my previous report where devices shipped with default empty passwords. These exploits exist even with a secure password set. The need for a password is completely bypassed.

Today, I received a message from Dimitris Platis pointing me to his blog post here - https://platis.solutions/blog/2014/06/30/tenvis-jpt3815w-camera-a-cheap-network-camera-if-you-can-afford-the-huge-security-holes/. He had read this very review of the Tenvis JPT3815W IP camera before purchasing and discovering the vulnerability and wanted to let me know about it.

He discovered a serious flaw in the camera that would expose private data to anyone without the need for any credentials.

What kind of private data? Well not only can you view the feed from the camera without a password, but shockingly, you can also retrieve the wireless network's password to which the camera is connected.

It is all explained in his blog post, so please spend the time to read it as I won't repeat it all here. Essentially, if you want to see if you are affected, you can add /snapshot.cgi or /get_params.cgi to the end of your camera's IP address and port.

For instance, if you usually access your camera at http://192.168.1.239:81, try:

http://192.168.1.239:81/snapshot.cgi
http://192.168.1.239:81/get_params.cgi

You SHOULD be prompted to enter your camera's username and password. (If you have previously entered them, try using Incognito Mode in your browser.) However, on at least one model of camera with a specific firmware, no credentials are needed and both URLs return sensitive data.

Working with Dimitris, he provided me with the URL pointing to this camera. This URL is public to the internet but most of the APIs are protected with HTTP Basic Authentication. The problem is that /snapshot.cgi and /get_params.cgi are not protected with HTTP Basic Auth; they aren't protected at all.
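The same check as a script you can run against a camera you own, added here as an example and not taken from Dimitris's post or from Tenvis: it requests the two paths with no credentials and reports whether the server demanded authentication. The function names and the `fetch` parameter are this example's own.

```python
import sys
import urllib.error
import urllib.request

# The two CGI paths named in the post.
PATHS = ("/snapshot.cgi", "/get_params.cgi")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, timeout=5):
    """GET url with no credentials and return the HTTP status code."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map a status code to what it says about the endpoint."""
    if status in (401, 403):
        return "protected"      # server refused the anonymous request
    if 200 <= status < 300:
        return "EXPOSED"        # content served with no credentials
    return "inconclusive"       # redirect, 404, 5xx: check by hand


def check_camera(base_url, fetch=fetch_status):
    """Check each path on one camera; `fetch` is injectable for testing."""
    results = {}
    for path in PATHS:
        try:
            results[path] = classify(fetch(base_url.rstrip("/") + path))
        except OSError as err:  # timeout, refused connection, DNS failure
            results[path] = f"unreachable: {err}"
    return results


if __name__ == "__main__":
    # Usage: python check_camera.py http://192.168.1.239:81
    for path, verdict in check_camera(sys.argv[1]).items():
        print(f"{path}: {verdict}")
```

Run it from a machine that has never logged in to the camera, so no cached credentials can mask an unprotected path.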

So far, the Tenvis JPT3815W 2014 edition camera is known to be affected:
Hardware Version = 1.10
Firmware Version = 1.1.0.5

I attempted the same exploit on my JPT3815W 2013 edition and it did not exist.

The impact of this is massive. Tenvis use a system of DDNS in which users are assigned a very short unique ID to separate them from other users. That means that it is very (VERY!) easy to find other Tenvis users. From there, it is again very easy to test if they are vulnerable to this exploit.

At present, there is no newer version of the firmware available for the 2014 model meaning the only advice I can offer is to ensure you keep the camera protected by not using the DDNS functionality, or better yet, request a refund and turn it off altogether.

Saturday, 19 April 2014

Review of the Camera - HTC One M8






This review focuses on the camera of the HTC One M8

Preamble

As part of a competition run by Gizmodo UK, I have won 3 new smartphones. In exchange for keeping the phones I have agreed to write some unbiased reviews.

A version of this review can be read in an article on Gizmodo UK. This blog post is the full, unedited version.

"The HTC One M8 is a brilliant phone and has had a lot of work focussed on making the camera experience great"

Sunday, 6 April 2014

Review of the Nokia Lumia 1320 - Focus on Apps

This review focuses on the apps available for the Nokia Lumia 1320 Windows Phone.

Preamble

As part of a competition run by Gizmodo UK, I have won 3 new smartphones. In exchange for keeping the phones I have agreed to write some unbiased reviews.

A version of this review can be read in an article on Gizmodo UK. This blog post is the full, unedited version.

"Nokia appears to be doing as much as Microsoft, if not more, in making Windows Phone an attractive and viable smartphone option"

Review of the Nokia Lumia 1320 - Adjusting to Windows Phone

This review focuses on my experience adapting to Windows Phone using the Nokia Lumia 1320.


Preamble



As part of a competition run by Gizmodo UK, I have won 3 new smartphones. In exchange for keeping the phones I have agreed to write some unbiased reviews.



A version of this review can be read in an article on Gizmodo UK. This blog post is the full, unedited version.


"If you're coming into the smartphone market for the first time, a Windows Phone makes a lot of sense."

Dress up to play with my new phone

Saturday, 22 March 2014

Review of the Samsung Galaxy Note 3 - Samsung Extra Value Software

This review focuses on the Samsung software that is bundled on top of stock Android on the Samsung Galaxy Note 3, a 4G phone with 3GB RAM and a whopping 5.7" full HD screen.

Preamble

As part of a competition run by Gizmodo UK, I have won 3 new smartphones. In exchange for keeping the phones I have agreed to write some unbiased reviews.

A version of this review can be read in an article on Gizmodo UK. This blog post is the full, unedited version.


"You might not realise from the rest of the review but I really love this phone."





Review of Samsung Galaxy Note 3 - Battery Life

This review focuses on the battery life of the Samsung Galaxy Note 3, a 4G phone with 3GB RAM and a whopping 5.7" full HD screen.


"The Samsung Galaxy Note 3 is a mobile which you can use heavily throughout the day without having to worry about when you’ll next find a charger"

Preamble

As part of a competition run by Gizmodo UK, I have won 3 new smartphones. In exchange for keeping the phones I have agreed to write some unbiased reviews. 

A version of this review can be read in an article on Gizmodo UK. This blog post is the full, unedited version.