e dot dot dot
a mostly about the Internet blog by

May 2021


Peloton Is Having A Rough Week: Product Safety Recalls And News Of Customer Data Exposure

Furnished content.


Peloton is, as they say, having a rough week. While the company has been something of a pop culture darling for several years, it also got a nice boost from this lovely COVID-19 pandemic we've all been suffering through for more than a year now. Still, no company gets through its full lifecycle unscathed, and this week has been one I'm certain the Peloton folks would love to forget. We'll get started with the less Techdirt-centric part of this, which is that Peloton recently had to recall two of its treadmills after it turned out those treadmills occasionally enjoy eating people, especially very young children.

Peloton has received at least 72 reports of adults, children, pets and/or objects getting dragged under their Tread+ treadmill. In those incidents, 29 children suffered injuries, which included second- and third-degree abrasions, broken bones, and lacerations, the US Consumer Product Safety Commission noted. In February, a father reported to the CPSC that his 3-year-old son was pulled under a Tread+ and trapped. When the father discovered his son and was able to free him, the toddler was pulseless and not breathing, according to the report. Fortunately, the boy was resuscitated, but he “now has significant brain injury.” The boy had tread marks on his back matching the slats of the Tread+, as well as a neck injury, and petechiae (small blood spots) on his face, presumably from blood flow being cut off. When Peloton learned of the “unthinkable” death of the 6-year-old in March, Peloton CEO John Foley sent a note to customers noting the “tragic accident” and highlighting safety warnings for its treadmills. The March 18 note cautioned customers to “keep children and pets away from Peloton exercise equipment at all times.”
Those warnings were glaringly insufficient, and the CPSC basically told people to stop using the product. In mid-April, Peloton's CEO informed customers that the company was aware of the CPSC advice, but that it was not planning to stop selling the treadmills at all. Instead, the company essentially said that if the product warnings were adhered to, there was no problem. It was only this week that the company admitted this approach was a mistake and issued a recall for the two treadmills in question. That it should have done so, and subsequently added physical protection to its products to avoid all of this, really should have been painfully obvious once we got to the part where a 3-year-old suffered lifelong injuries and tread marks across his back and another child... you know... died.

But the troubles for the company keep on coming. The most recent news is that security researchers found that Peloton had exposed customer data to, well, basically anyone with a little technical know-how, and then tried to keep the whole thing quiet with an enormously insufficient "fix."
Researchers at security consultancy Pen Test Partners on Wednesday reported that a flaw in Peloton’s online service was making data for all of its users available to anyone anywhere in the world, even when a profile was set to private. All that was required was a little knowledge of the faulty programming interfaces that Peloton uses to transmit data between devices and the company’s servers.
The reporting indicates that this exposure included customer information such as user IDs, group memberships, workout information, age, gender, weight, and more. You know, probably not the sort of thing that customers who set their profiles to private while trying to exercise and/or lose weight would want exposed to anyone who cared to take a look. The APIs required no authentication at all. When Pen Test Partners reached out to the company and informed it of all of this, the company immediately acknowledged the report... and then did nothing for two weeks.

Two weeks later, Peloton rolled out a half-fix without informing anyone.
Rather than providing the user data with no authentication required at all, the APIs made the data available only to those who had an account. The change was better than nothing, but it still let anyone who subscribed to the online service obtain private details of any other subscriber. When Pen Test Partners informed Peloton of the inadequate fix, they say they got no response. Pen Test Partners researcher Ken Munro said he went as far as looking up company executives on LinkedIn. The researchers said the fix came only after TechCrunch reporter Zack Whittaker, who first reported the leak, inquired about it. "I was pretty pissed by this point, but figured it was worth one last shot before dropping an 0-day on Peloton users," Munro told me. "I asked Zack W to hit up their press office. That had a miraculous effect – within hours I had an email from their new CISO, who was new in post and had investigated, found their rather weak response and had a plan to fix the bugs."
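The progression the two quoted passages describe (no authentication at all, then authentication with no check of who is asking for whose record, then an actual fix) is the textbook broken-object-level-authorization pattern, and the "half-fix" is the step most teams get wrong. The following is an added illustration, not Peloton's code and not Pen Test Partners' findings: a hypothetical in-memory profile endpoint in three versions. The endpoint shape, session tokens, user IDs, profile fields and sample records are all assumptions chosen to mirror the categories of data the article lists.

```python
"""Broken object-level authorization on a user-profile endpoint, in three
versions: no authentication, authentication without authorization (the
"half-fix"), and a check of the requester against the record it asks for.

Added illustration only: not Peloton's code and not Pen Test Partners'
findings. The endpoint shape, session tokens, user ids, profile fields and
sample records below are all assumptions, and the store is in-memory so the
module runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: int
    username: str
    private: bool          # the "private profile" toggle a user can set
    age: int               # sensitive fields (assumed; not any real schema)
    gender: str
    weight_kg: float
    groups: list = field(default_factory=list)


# Constructed sample records.
PROFILES = {
    101: Profile(101, "alice", True, 34, "F", 62.0, ["morning-riders"]),
    102: Profile(102, "bob", False, 41, "M", 88.5, ["club-run"]),
}

# Constructed session table: bearer token -> authenticated user id.
# A real service validates a signed session; the lookup is what matters here.
SESSIONS = {"tok-alice": 101, "tok-bob": 102, "tok-mallory": 103}

PUBLIC_FIELDS = ("user_id", "username")
ALL_FIELDS = PUBLIC_FIELDS + ("age", "gender", "weight_kg", "groups")


def _render(profile, fields):
    return {f: getattr(profile, f) for f in fields}


def get_profile_v0(target_id):
    """Original flaw: no authentication. Anyone on the Internet who knows
    or guesses a user id receives every field, private flag or not."""
    profile = PROFILES.get(target_id)
    if profile is None:
        return 404, None
    return 200, _render(profile, ALL_FIELDS)


def get_profile_v1(token, target_id):
    """The half-fix: a valid session is required, but nothing compares the
    caller to the record. Any subscriber can still read any other one."""
    if token not in SESSIONS:
        return 401, None
    profile = PROFILES.get(target_id)
    if profile is None:
        return 404, None
    return 200, _render(profile, ALL_FIELDS)   # SESSIONS[token] never consulted


def get_profile_v2(token, target_id):
    """Object-level authorization: the owner gets the full record, a stranger
    gets public fields only, and a private profile is refused outright."""
    requester = SESSIONS.get(token)
    if requester is None:
        return 401, None                # authenticate before touching any data
    profile = PROFILES.get(target_id)
    if profile is None:
        return 404, None
    if requester == profile.user_id:
        return 200, _render(profile, ALL_FIELDS)
    if profile.private:
        # Some services answer 404 here so callers cannot confirm the id exists.
        return 403, None
    return 200, _render(profile, PUBLIC_FIELDS)


def leaks_private_fields(handler, attacker_token, victim_id):
    """Regression check for the bug class: can a logged-in stranger read a
    sensitive field from someone else's profile? Returns True on a leak."""
    status, body = handler(attacker_token, victim_id)
    if status != 200 or body is None:
        return False
    return any(f in body for f in ALL_FIELDS if f not in PUBLIC_FIELDS)


if __name__ == "__main__":
    for name, handler in (("half-fix", get_profile_v1), ("fixed", get_profile_v2)):
        print(name, "leaks alice's private data to mallory:",
              leaks_private_fields(handler, "tok-mallory", 101))
```

The point of `leaks_private_fields` is that the half-fix passes every authentication test and fails this one: the check that matters is made from the perspective of a stranger holding a perfectly valid account, which is exactly the subscriber Pen Test Partners describes. Running that check against every endpoint that takes another user's ID is the cheapest way to keep the "authenticated, therefore authorized" mistake from coming back.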
This pair of callous responses to the physical and digital safety of its own customers is a horrible look for Peloton. Again, with the exception of a possibly ill-conceived advertising campaign a few years back, this company has been an absolute media darling with a fair amount of goodwill built up. Simply by not taking its customers' safety seriously, it has put that goodwill seriously at risk.

And, it's worth noting, breaches and exposures like this almost always turn out to be more serious than first reported. Maybe that won't be the case this time. Or maybe Peloton's bad time is about to get even worse.

Read more here

posted at: 12:00am on 07-May-2021
path: /Policy | permalink




Devin Nunes' Favorite Lawyer On The Hook For Over $20k In Sanctions

Furnished content.


Last month we wrote that Rep. Devin Nunes' favorite lawyer, Steven Biss, who has been filing frivolous, vexatious SLAPP suit after frivolous, vexatious SLAPP suit, was finally facing some sanctions. The specific case did not directly involve Nunes, but rather one of his aides, Derek Harvey, who had filed a ridiculous SLAPP suit against CNN. As we wrote last month, the court had easily tossed the original lawsuit and warned Biss not to file an amended complaint unless he had a credible legal theory. Biss did not have a credible legal theory, but he still filed an amended complaint. And thus, the court issued sanctions, saying that Harvey, Biss and other lawyers would be on the hook for CNN's legal fees.

The latest filing in the case is the bill coming due. Harvey and Biss need to pay CNN $21,437.50 in legal fees (and an additional $52.26 in costs and expenses). That might not seem like much in the grand scheme of things (especially for a lawyer who has claimed his client, Devin Nunes, is owed over a billion dollars for defamation), but it is still real money that someone is going to need to pay, though it remains an open question as to who is actually going to pay it.

There's not much to see in the ruling itself, as it basically says that the fees CNN's lawyers outlined are within the standards that the court's local rules say are "presumptively reasonable." The lawyers admit that they're actually asking for less than they normally charge in order to keep the request "reasonable" in the Court's eyes, and the Court basically says "sounds good."

It does often seem that lawyers who file tons of frivolous and vexatious lawsuits are able to get away with it for a while, with courts giving them many, many chances and being extremely reluctant to issue sanctions. And, even when sanctions are issued, they tend to be relatively low.
However, with such repeat offenders, we've often seen that courts across the country take notice, and once one court has sanctioned this kind of behavior, it can open the floodgates. We'll see what happens in other Biss lawsuits.

Read more here


posted at: 12:00am on 07-May-2021
path: /Policy | permalink



