Am I crazy or does all of that look ridiculously over engineered for what they actually provide? It looks like the 4-5 devs wanted to build something fancy like the big boys would, without having the manpower to deal with the overhead.
These kinds of issues usually arise because complex technologies are introduced, mostly by following some basic tutorials and light googling, without anyone actually understanding what that random NPM package (speaking a protocol of which they have at best a rudimentary understanding) actually does to communicate with the rust crate the other guy pulled.
I don't doubt their entire service could be a monolithic, small, and easily comprehensible node app running on some consumer PC hardware at the company HQ. You're never going to outgrow that in their business. It'd likely run off a macbook with some engineering discipline.
Instead it's probably a confusing mess of microservices in a Kubernetes cluster, each running in its own Docker container for "isolation", glued together with some YAML magic and a few bash scripts, tunneling XMPP over gRPC "because it's faster", behind an Istio mesh someone half-configured, talking to a bunch of managed cloud services across AWS and GCP "for redundancy", with Redis caches scattered around "just in case", logs streaming into three different observability tools (none of them fully set up), CI/CD powered by GitHub Actions triggering Terraform deployments through a Slack bot, autoscaling turned on "with default settings", and of course there's a blockchain component for audit logs - though no one remembers why - and a colocated 96-core fifteen-thousand dollar server running a cron job that updates a config file in S3 every hour "to keep things in sync".
Too bad the entire thing relies on those JIDs containing PII now, which everyone is afraid of changing. The solution? Slap another micro-service in front that translates them to something else. Devs have been unsuccessfully trying to get exactly that deployed for weeks now. But cut them some slack: getting shit done is hard when you're overqualified for your job.
Serious but tongue in cheek. Their product and service naturally requires a somewhat higher level of personal privacy yet they seem to look at their own business as serving the horny freaks who don't deserve better.
They may be right in that their customers are probably not very privacy focused. The intersection between "people who connect sex toys to the internet" and "people who care a lot about privacy" is quite likely to be small.
I agree their attitude is pretty bad though. They should care about customers privacy with something like this.
> their customers are probably not very privacy focused.
Maybe. I think it's more like they are not tech literate (and also this Lovense thing is like google or microsoft for them. They can't not use it if they want to remaing competitive.) If people go doxing a few high profile users, I am sure people will worry about their privacy a lot more.
Assuming everything you reported is true (I'm not doubting you, I just don't have the time to test everything myself atm) this is actually insane behavior from the company.
That is beyond bad; some models using lovense have high privacy needs and probably don't know their equipment is so insecure. Even leaving account takeover aside, it is hard enough to fend off stalkers without them having your email.
This type of behavior should honestly get the leaders of the company criminally charged, this is willful negligence. Assuming this is true (and it the blog post has enough receipts to assume that it is), this company should be forcibly dissolved by the government and the leadership criminally charged. This is absolutely ridiculous behavior in response to a security report.
Am I crazy or does all of that look ridiculously over engineered for what they actually provide? It looks like the 4-5 devs wanted to build something fancy like the big boys would, without having the manpower to deal with the overhead.
These kinds of issues usually arise because complex technologies are introduced, mostly by following some basic tutorials and light googling, without anyone actually understanding what that random NPM package (speaking a protocol of which they have at best a rudimentary understanding) actually does to communicate with the rust crate the other guy pulled.
I don't doubt their entire service could be a monolithic, small, and easily comprehensible node app running on some consumer PC hardware at the company HQ. You're never going to outgrow that in their business. It'd likely run off a macbook with some engineering discipline.
Instead it's probably a confusing mess of microservices in a Kubernetes cluster, each running in its own Docker container for "isolation", glued together with some YAML magic and a few bash scripts, tunneling XMPP over gRPC "because it's faster", behind an Istio mesh someone half-configured, talking to a bunch of managed cloud services across AWS and GCP "for redundancy", with Redis caches scattered around "just in case", logs streaming into three different observability tools (none of them fully set up), CI/CD powered by GitHub Actions triggering Terraform deployments through a Slack bot, autoscaling turned on "with default settings", and of course there's a blockchain component for audit logs - though no one remembers why - and a colocated 96-core fifteen-thousand dollar server running a cron job that updates a config file in S3 every hour "to keep things in sync".
Too bad the entire thing relies on those JIDs containing PII now, which everyone is afraid of changing. The solution? Slap another micro-service in front that translates them to something else. Devs have been unsuccessfully trying to get exactly that deployed for weeks now. But cut them some slack: getting shit done is hard when you're overqualified for your job.
This is crazy bad, malpractice-level bad if this were a regulated profession.
"State-licensed teledildonicist."
This is what I come here for.
Like the author I would expect a lot more attention to privacy and security from a remote operated vibrating dong company.
I genuinely do not know whether you are being serious or sarcastic.
Serious but tongue in cheek. Their product and service naturally requires a somewhat higher level of personal privacy yet they seem to look at their own business as serving the horny freaks who don't deserve better.
They may be right in that their customers are probably not very privacy focused. The intersection between "people who connect sex toys to the internet" and "people who care a lot about privacy" is quite likely to be small.
I agree their attitude is pretty bad though. They should care about customers privacy with something like this.
> their customers are probably not very privacy focused.
Maybe. I think it's more like they are not tech literate (and also this Lovense thing is like google or microsoft for them. They can't not use it if they want to remaing competitive.) If people go doxing a few high profile users, I am sure people will worry about their privacy a lot more.
Good point. I was thinking about normal users, which the site seems to be aimed at, but I can see its a much more of a risk for high profile users.
Assuming everything you reported is true (I'm not doubting you, I just don't have the time to test everything myself atm) this is actually insane behavior from the company.
That is beyond bad; some models using lovense have high privacy needs and probably don't know their equipment is so insecure. Even leaving account takeover aside, it is hard enough to fend off stalkers without them having your email.
Gotta honor high-profile privacy needs.
https://web.archive.org/web/20250728145153/https://bobdahack... hugged to death
Why even have a bounty system in the first place if you're going to do this kind of thing?
This type of behavior should honestly get the leaders of the company criminally charged, this is willful negligence. Assuming this is true (and it the blog post has enough receipts to assume that it is), this company should be forcibly dissolved by the government and the leadership criminally charged. This is absolutely ridiculous behavior in response to a security report.