undefined | Better HN

0 pointsperching_aix1y ago0 comments

> He has no evidence for this whatsoever and not really any good reason to assume it either.

I'm not sure what kind of evidence or reason you're looking for, I think their assumption is pretty sensible.

> This isn't how SSH works

Maybe I'm just naive, but the wording of it to me seems nontechnical enough that I think the author is skipping over things on purpose. For example, how exactly that "far way" host he thinks is involved.

I'd personally imagine it's a reverse shell type deal going on, although why SSH needed to be involved in that I'm not sure. Could be just a hacky implementation. But it's really not that far removed from sensibility, vendors popping reverse shells without authorization really wouldn't be new.

> It is clearly intended to draw traffic to their company website, which is some kind of venture-backed security startup.

Didn't even notice that. Can't imagine too many other people did either. So maybe not so clearly?

0 comments

avalys1y ago

Please see my reply to another person in this same thread. He didn't even verify that the bed is running an SSH server in the first place!

perching_aixOP1y ago

I saw it. It's not necessary if the process that maintains the reverse connection can just start it as needed.

That said, some actual investigation of that supposed binary would have been a strong support for this whole thing, and indeed an evidence for this theory, so I will give you that.

avalys1y ago

If the bed requires going through some kind of production endpoint interaction in order to set up the remote connection (as is most likely the case), then his claim that any engineer can connect to any bed is simply false, and this is no more of a security hole than the idea of having a cloud-connected bed which is updated OTA in the first place.

1 more reply

j / k navigate · click thread line to collapse

0 pointsperching_aix1y ago0 comments

> He has no evidence for this whatsoever and not really any good reason to assume it either.

I'm not sure what kind of evidence or reason you're looking for, I think their assumption is pretty sensible.

> This isn't how SSH works

> It is clearly intended to draw traffic to their company website, which is some kind of venture-backed security startup.

Didn't even notice that. Can't imagine too many other people did either. So maybe not so clearly?

0 comments

avalys1y ago

Please see my reply to another person in this same thread. He didn't even verify that the bed is running an SSH server in the first place!

perching_aixOP1y ago

I saw it. It's not necessary if the process that maintains the reverse connection can just start it as needed.

That said, some actual investigation of that supposed binary would have been a strong support for this whole thing, and indeed an evidence for this theory, so I will give you that.

avalys1y ago

1 more reply

j / k navigate · click thread line to collapse