A Gift for the Hackers

2013 - 48 Comments
Ratings: 8.87/10 from 62 users.

Increasingly devices like printers and scanners are being connected directly to the Internet. It's all very convenient, but is it safe?

Your mobile, your printer, your hard drive, everything is connected... but it's like a Swiss cheese. Medical files, financial information, and trade secrets, they're all there for the taking.

It's shocking, it should not be allowed. It's a design flaw. Is this vulnerability in tens of thousands of devices compromising your security and your privacy?

Computer security has become a big concern for companies and individuals. As a result it has also become a big business. The world's number one producer of computers and printers, Hewlett-Packard (HP), has an annual turnover of 127 billion dollars.


48 Comments / User Reviews

  1. AntiTheist666

    A shocking and hugely important documentary. A must watch!

    How secure is our data? A couple of years ago I bought an HP wireless printer/scanner. Thankfully I read the manual and installation instructions and was shocked at the lack of security and stunned at the sheer cheek of the company! The installation software almost hid the fact it collects data on its use and contents. I fear that many people will just let these unsecured devices have free access to what could be very sensitive information. Protect yourselves people!

    There is a typo in the doc description that made me think of Laurence Olivier and Dustin Hoffman.

  2. Candace Sturtevant

    Well, all I can say, is it's wonderful to be poor, and have a tracfone, and a wired printer only. It sounds safer.

  3. Johnny Lomen

    Although the 'people are stupid' statement may be a bit harsh, I agree that the average user remains naive about installing something like a NAS server.
    The manufacturers are right to put the responsibility on the user for the security measures of these devices, and state so in their EULAs. These manufacturers simply could not survive due to legal litigations because of the 'stupidity' of users.

    Listen, the excuse that people are just not computer literate must become obsolete. Look at your kids and how quickly they pick up on these technologies. They already know how to setup security on wireless routers, etc.
    Claiming naivety must become as 'laughable' as a child saying they refuse to learn English in the school of an English speaking country.

    I simply will always be in favor of self-empowerment rather than the easy road of pointing the finger.

  4. oQ

    Good doc,
    Included in the package box could be a 'red' card with the password information already engaged on the machine (a different one for each machine), with the information of how to change that password.
    The rest is the responsibility of the owner.
    Who reads every note on all manuals for all machines?....certainly not me. They caught this flaw but how many other flaws are there in other manuals undetected.
    This reminds me of people who connect to an internet server and do not put a password on their connection and allow anyone to connect through it, it's fine if it's done on purpose, not if not.

  5. KsDevil

    The average consumer buying consumer goods has been trained by marketing not to think too deeply about the products they purchase. Marketing plug-and-play provides a false sense of security to consumers. Why read the documentation (usually a file on a CD or on-line) when you have no trigger to suggest you should?
    The people buying these devices are not the kids of today who seem to be tech savvy (which is also a false belief) but adults who want to make things easier.
    I work at a manufacturer of technology and I still have to help employees perform simple computer tasks. I can only imagine how unsecured their home computer equipment is even though I always comment about checking their security settings. Sometimes it's in one ear and out the other. These companies like Iomega should realize this and default their systems as secure. Heck, even my router comes with the security defaulted on...why not Iomega?

  6. Helen F

    what the hell are you talking about?

  7. rahul01

    I have a bigger problem to report. I checked all the locks in my neighborhood and OMG!!! some people leave their doors open, some leave backdoor open, some windows. Some leave their keys under the doormat, in the flower pot on the porch. I should talk to the home builder why they built such houses that are default unsafe, post a video online while I am at it. OMG!!!. OMG!!!

  8. oQ

    What is hell to you, perhaps makes sense to others. We all have our own understanding of things. You tell me what you are thinking about, I may learn something interesting.

  9. oQ

    My friend got called at a grocery store on the speakerphone, she went to the counter and two cops were standing there. They gave her her car keys and said that it is against the law to leave your keys in the car while you are absent. lol

  10. Helen F

    Never mind .. You have said more than enough. TC

  11. oQ

    You have posted on TDF two times and both times you have said nothing. I am ahead.

  12. AllanA

    This is a great marketing opportunity for Iomega. They could get their customers to take the conclusion that their hardware is unsecured and the way to make it secure is to replace it with the latest and greatest from Iomega's product line. Never mind that the only thing the customer needs to do is set their password. I hope these guys negotiated some kind of % on the profits with Iomega.

    They didn't? Oh that's too bad. :-(

  13. wald0

    All you guys foaming at the mouth about the average user's less than average security should chill. Most people are like me and couldn't care less if someone gets into their data, after all it's just music, movies, and a few harmless pics. Nothing incriminating or earth shattering. Now I do understand that sensitive info is out there, CC numbers, medical information, legal information, etc., etc. and if someone or some entity is storing this kind of data they should be subject to random inspection to assure they are not selling or otherwise misusing the data and of course security standards should be maintained. I think those that are not maintaining accepted security standards should be fined and eventually barred from keeping such sensitive data, unless the data is their own of course.
    The question is whether or not Iomega did enough by including the proper security options or should we expect more? Should we expect those options to be on in the default configuration as well as available? Should we expect manufacturers to offer tutorials to consumers about data theft and how to use their product to avoid it? Or should we expect the consumer, who is in the business of actually storing the data and therefore ultimately responsible for it to know their own business and potential liabilities? I think the latter is much more feasible and keeps the liability and responsibility where it belongs, with those storing the data.
    If Iomega has a default password, which would be necessary if the security feature was on in the default config., then anyone would be able to get said password and it would be useless. If Iomega is expected to come up with and record a unique password for each device individually- well, that's a whole new ball game that would surely add overhead costs- to say the least. Just the security concerns involved with having the unique password to sensitive data at your facility and in the hands of your employees is enough to make any manufacturer very nervous. I'm not sure this is the route to go as I wonder how hard it would be to get one of those employees to give up the password I needed, not very hard I would imagine.
    In the end I think all we can really expect of manufacturers is to make the security options available on their products. It should be up to us whether we utilize these features or not and how we do so. If we choose to leave our doors unlocked and someone comes in on us should we sue the door manufacturer for not making a door that locked all on its own? No, we should take the responsibility of locking our own doors, in my opinion.

  14. dewflirt

    Anonymous hacked the Department of Justice, the FBI and the Scientology website. A 16 year old kid (Cosmo the God) took down the Westboro Baptist Church websites and they claimed to have God on their side. Gary Mckinnon got into US military computers and NASA. Our silly little home computers and our weedy security are not going to pose much of a problem, and what would they find out about you anyway? Most people seem happy enough to plaster the details of their lives all over Facebook and Twitter. If you want to keep secrets, keep them in your head ;)

  15. oQ

    Foaming at the mouth? should chill? Lol
    Iomega is in the digital business and they are making millions, putting a temporary password and a red card in a package would add a few cents to the item.
    You say: " Most people are like me and couldn't care less if someone gets into their data, after all its just music, movies, and a few harmless pics."
    Not so, I know lots of people who don't want others to access their banking and other personal information on their computer, even by their closest friends.
    I rarely foam at the mouth but I've seen a dog or two do it in my lifetime. (actually make that never)

  16. wald0

    If you have data sensitive enough that you don't want people accessing it then it is your responsibility to find out how to protect it, period. Computers store data and are susceptible to being hacked, they don't come with any special features already enabled. The operating system is somewhat secure but far from truly safe, that is unless the user takes the responsibility to learn how to protect themselves, spends the money to do so, and insures themselves against loss when possible. I worked for Motorola for over seven years and we did basically the same thing these guys are doing, we made the security features and the instructions on how to setup the equipment available upon purchase- nothing more. If you didn't want to read you could even call in and we would walk you through it, just like these guys will. In my opinion that should be all that is expected. I also worked for Dell and Gateway at different times and we got endless calls from people upset about their data being lost, stolen, corrupted, etc., etc. The bottom line was then and is now, it's your data and your responsibility. All we can do is provide the latest features and the instructions on how to use them, we can't come set up each system and address each customer's individual security concerns. There are companies that do that you know, or you can just go online and learn how for free- people have choices.

  17. Alex

    I am new to this site and found out about it from a friend and after watching some documentaries on this site I have learnt a few things.

  18. StevenLJones

    Iomega is an American corporation. HP is an American corporation. Are Americans as vulnerable? Or is this a European phenomenon? Just asking.

    Mind boggling that a product would be sold this way when it's so easy to release the product security enabled in the first place. Let the customer make it not secure consciously.

  19. oQ

    If the sensitive data of a person is in the hands of a company, doctor, bank, and an employee of those firms loads your information on an Iomega, please tell me, how is this person supposed to protect him/herself?
    Isn't that what the doc is about in large parts?
    My opinion is not based on what I have to protect, I don't. I watched the doc.
    I will add that your approach was a little aggressive, I see no one foaming at the mouth in the comments previous to yours.


    Privacy is becoming antiquated.

  21. Mark

    I realize that you were responding to oQ, but your statements about data storage security are just a microcosm of the entire security issues at hand. Motorola, Gateway, Dell, and the like, have little or no security for their clients. The only securities they offer to their clients are third party software. You also mention it is the responsibility of the individual to secure their private data, which I agree with. But whose responsibility is it to secure the information that you provide to doctors, banks, government agencies? It certainly is not the individual's responsibility. And let's face the facts; hackers are not as interested in hacking an individual's computer as they are a large corporate server. I work as, what we call it in the business, a woodpecker for F-Secure. My job is to find vulnerabilities in a secure system, wherever they exist. The problem will always exist because a vast majority of corporations will hide any breach that exists in their data storage security.

  22. ???? ??????

    Just search:
    Any time & Any where IP Surveillance for Your Life
    in Google, unbelievable that Google is indexing their web interface.
    Of course most users didn't change the default password for the admin account.

  23. Vicki_in_Greece

    Looking for a job to pay for college degrees - Cybersecurity is a great place to find a great paying job. There are not enough people as this document makes obvious. I would say it is no fun for hackers because these are easy "hacks" no challenge. I would say it is a great opportunity for a good career.

  24. Robert Whelan

    Lock makers don't tell you that you can't leave the key in the lock when you're not using it. Car manufacturers don't tell you not to leave the doors open with the keys inside. The issue is not with the companies, it's with the user's lack of education, and unwillingness to learn about the things they're using.

  25. Vicki_in_Greece

    Really, Robert? But not everyone is as clever as you, are they?
    Most people in companies do not have any idea what to do; they are not simply advertising "Hey, look at us we are stupid" although you may think that is exactly the point.
    Many people that use computers are quite smart and capable at other important & difficult tasks - like performing heart surgery, flying airplanes, teaching children, building homes, etc. . . .
    Cyber-security is a great career opportunity for someone with people skills, brains and energy.

  26. Kateye70

    I started using personal computers not long after they first became available, back in the days when a 'kickstart' disk was needed to load the operating system. I set up our company's first office network, using a PC-DOS system. Did I mention my primary job for the company was advertising director? Or that the internet wasn't actually accessible and our remote information from stores came via direct-dial modems on dedicated phone lines?

    We didn't have to worry then about security, because the systems were simple enough that I was able to figure out how to set up the software after someone else in the company figured out how to wire the PCs together.

    Fast-forward to the advent of Windows, and I very quickly had to make a choice between no longer doing my primary job function, or getting the equivalent of a degree in engineering in a field I was only peripherally involved in. And that was back in the early days of the internet when most people didn't access the Web directly, but used dial-up services like AOL or Prodigy that had very limited internet access.

    I'm smart enough to know what I don't know. I stuck to advertising until I moved into management. We hired a network tech.

    As Vicki_in_Greece says, lack of knowledge in one specialized field does not an idi*t make.

    The amount of information--and DIS-information--about computer security is so overwhelming, it's no wonder people throw their hands up and try to move on with their lives.

    EDIT: In regards to your key analogy, there actually was a time when security meant turning a physical key that physically locked your computer. No one could even turn the computer on without it. Just like backups weren't made to a 'cloud,' they were on disks that were sneakernetted off the premises. I haven't seen that in quite a few years, though. The days of physically protecting electronic data are long gone.

  27. Jeff Coolen

    And Google helps the armchair hacker by caching confidential material, so once the user adds a password and the information is no longer available at the source, Google has got you covered.

  28. Jeff Coolen

    It's not that easy. They could add default passwords. That adds confusion in setting up the hardware and offers little benefit as the default pw would be easy to find. I can imagine the calls manufacturers would get if they added random passwords printed in the manual.
    I see this documentary offering no solution, just being whiny and blaming manufacturers instead of putting the responsibility on the owner of the information who cared little about security.
    Devices and the internet have been around long enough. This should be as common as the knowledge of not leaving your car running.

  29. Paul Rohe

    I knew there was always a security issue with the net, but on this scale, phew! This doc is similar to one I watched concerning Online Banking Security, the conclusion of the IT Security Experts was "...never ever use online banking, it's inherently insecure...". So, if the likes of banks, interpol & so forth are insecure, what hope for the likes of mortals like us (e.g. me).... Everything I ever connect to the net has a different password, common sense yes.....just like one has different keys for different doors....makes sense to me, but hey ???

  30. Vicki_in_Greece

    I know!! Even following on the rules isn't enough at this point. Doing chores online is time saving and I get money where it needs to go but I would like to be more confident about security . . but obviously computers have been sold before the design was finished. that is the problem with competition - instead of being the first to put a computer on the market but . . . be the first to be the best quality on the market, that is respectable to me

  31. Wesley

    Why are they attacking the producers of network products?
    They should ask the users why they didn't read the manual or why they didn't do research before using the product.

    I haven't seen a car that restricts speed to 120 km/h by default.
    Or a front door lock that locks itself by default.
    Why is it the producer's responsibility to protect the users even more?
    Users don't need protection. They need education.

    It's because of the idea that users need protection, that they stay dumb and ignorant.

  32. hyper

    So go into Cyber security to make money for college? Uhmm, I hope you are not implying that's just something to do on the side while in college. Also try getting a job in cyber security and see how easy that is. No matter how many people they lack they will not hire you without experience. Actually hacking isn't that easy anymore like it used to be 10 years ago. This is because the IT field has matured. 10 years ago you could be a major in history and start off as a network admin right after you finished college with a major in history. What did you know about computers? Nothing really. Today you better have not only several years' experience and a relevant college degree but also certifications before you can be a network admin. This is true for a vast majority of openings out there.

  33. Jarkko Toivonen

    Average Joes and Jills chill out, hackers are interested in money, so they hack banks and rich individuals.
    Haven't heard any of my friends have been hacked, all of them are from poor to upper middle class, no millionaires.
    In Finland hackers usually try to hack banks (with no success, our banks are well secured), rich people's computers and so on. Some of my friends have installed viruses in their PCs but that's their own fault as they have tried to install cracked software (from Windows 8 to Photoshop and so on) which is the most stupid thing one can do as there's no such thing as a free lunch. Result of installing a crack is usually a dead PC which can be luckily repaired.
    Don't know how paranoid people of USA are, as their secret services, army files etc classified files have been hacked.. Using common sense why would a hacker bother to hack average Joe or Jill from any country?
    (My native language is Finnish so sorry for typos etc)

  34. Vicki_in_Greece

    Thanks Jarkko for your great comment, much appreciated

  35. Vicki_in_Greece

    I totally agree Wesley

  36. ToFew

    Do any of you even know what a real hacker is? An explorer of complex systems for the sake of understanding. Most of you throw the word around due to media misuse. The word you should be using is criminal, scam artist or cracker.

    Robert Whelan has it right. In any industry with equipment (such as complex machines like hydraulic presses, etc.) the techs and engineers have to read the manuals, first. The ones that don't can get people hurt or killed. No one ever said that the net was safe for information, except those who have an investment in it doing so. When did people become so irresponsible for the things they possess? 30+ years ago anyone got a VHS camera and learned how to use it by reading manuals. Bottom line: if it's plugged into the net it is at risk, and been ever since there was a baud! Why would anyone think it's any different now? Either learn to defend yourself, or don't cry when you get mugged - it's that simple.

  37. ToFew

    It's called a firewall

  38. Highlander

    As an engineer I will make wee reply to those computer experts who have written here to say that we should "read the manual". It is your own fault .....etc .
    Write the b(stard things in understandable English and me and most frustrated folk I know, would !

  39. rbnvndrn

    they should be more physically protected, end of the problem

  40. Engr Nnamso

    They should make their manuals as short and simple as possible. That's the main reason most people do not even try reading it at all because the content is too much. Why will you want to read twenty pages of documentation for just a Hard drive? That's insane.

  41. ToFew

    My point wasn't just to say "read the manual". Obviously documentation is an on-going laziness among half of programmers writing for production code, however it was engineers that wrote the earlier manuals, which were real books.

    I was attempting to point out that one should familiarize themselves with whatever tool they choose to work with. In particular, I was attempting to point out the fact that people use internet tools (browsers) without even considering How to use the tool 'appropriately' in the context of security. I was touching on the meme that people want to 'pass the buck' of responsibility when it relates to usability while illustrating that the conversation isn't even clearly defining the correct premise.

    Perhaps I was too abstract, though I stand by my point. Consider how many people ignore proper car care per its manual and the amount of repairs required to service those same vehicle customers in contrast to those that routinely maintain their car to outlast the other group.. The same mindset belongs to those that cry 'hacker' for every computer related problem that could be avoided by simply updating the system's software (most 'popular' systems even have an obvious and annoying 'bubble' that urges you to either do it, or the system self-updates.. ). If those same were to include further 'defenses' by using secure browsers (like Chrome or Firefox) in addition to the standard of updated antivirus/malware, ad-blocking, and by not clicking on every mal-infested ad on some webpage owned by god-knows-who, then the same can run a machine for years without encountering a zero day..

    These terms and concepts permeate culture surrounding the internet experience, so why would one not take the time to investigate the meaning behind it all, at least in the conceptual sense, prior to risking personal information on a medium that is fabled in its vulnerabilities?

    In the case of the manufacturers of network devices, the ones setting up those devices are 'usually' hired IT guys that ought to be versed in not only setting up these devices, but to implement security 101 - change default passwords.

    I interpret this lack of pro-action to mean that people see a 'magical' box that can do x, y, z - assuming some form of hand-held protection built in by design (which is a huge fallacy). To me this is akin to a child looking at any adult and thinking that that adult is just as 'safe' as the child's parent.

    History (and much published, free, accessible, detailed, human-readable, English literature) holds the truth to both scenarios for those willing to take the simple step to investigate...

  42. Highlander

    "These terms and concepts permeate culture surrounding the internet experience " etc. .......I guess you write computer manuals that me and everyone I know , cannot understand . Aren't you the clever dick

  43. ToFew

    You spent all of that effort to earn your engineering degree just to resort to fallacious insults?

    I offer a wise abstraction in exchange: When one hates what one refuses to understand, one becomes slave to the 'it's lasting power - whatever the 'it'..

    I hope you discover happiness again..


    Actually, most of the Americans I know here in FL and elsewhere don't think about anything related to PC security until they get burned. The resulting learning experience takes them wherever it takes them and that's it.

    I don't know how old this doc is, but I have NEVER heard about HP, peripherals, and NAS devices in the US main stream media.

  45. Tim Blackburn

    Being a website developer, I can safely say that it's not that hard to build software that requires a user to enter a password upon registration or installation. In fact, I'd create a blacklist of words that cannot be used for the password (qwerty, 123456, password, etc).

    Shocking really... Websites are bound by law to provide certain levels of security to ensure customer security, but storage devices are not?

    Come on.. imagine if when anyone created a Facebook account it gave them a default password of "password" that they didn't have to change, can you imagine the public outcry, yet there are storage devices out there that don't even have this level of protection. Shameful really,..

    And before you say "read the manual", didn't you see the part where one particular manual didn't even mention setting up security.

    There should be a certain level of accountability. Just like cars have to be produced with certain safety standards, so should wireless devices. Having security disabled as a default is a bit like selling a car, but the seat belts are somewhere in the boot/trunk and you have to install them yourself. Not cool!!!

  46. Jean-Claude Lafond

    Very good point. I have a feeling that the Hard Drive company and the printing companies are aware of this trend and use it themselves to rob sensitive material from their own customers ... data mining is really the new gold... is it not?

  47. luna

    amazing doc great reporting

  48. Brian E

    Interesting Doc that is geared toward the irresponsibility of technology producers.

    I would draw the analogy to that of a car. Most everyone knows that the oil in a car needs changed every so many thousand miles dependent upon the make and model, however not everyone knows how nor has the tools to do so.

    If your privacy is of concern equal to or even somewhat to performance and longevity of your car and you don't have the tools or wherewithal to set up a device that compromises that which you value, then you should hire a professional to set it up for you.

    If Car manufacturers had to provide the resources to ensure that every person changed their oil (as they should) it would put a ginormous strain and expense on the manufacturer that would drive the cost of the vehicle which will be passed on to the consumer.

    The problem here, is that Cyber Security just isn't "common knowledge" enough. These technology companies still carry some fault in this scenario by not making privacy "common knowledge" aware enough. As a previous commenter noted by having something such as a Big Red piece of paper or better yet an obnoxious peel-off sticker on the device itself indicating to set up the security for your own protection. If you ignore it, haven't the wherewithal and decide not to heed the warning, then it's on you my friend.

    my two cents.
