"Unmasking IPVM" - "John Honovich Should Be Cancelled."
The following article was published by someone calling himself "Samuel Smith" from Hong Kong, on IPCamTalk and Reddit, concluding that I, quote, "should be cancelled". Both sites subsequently removed it with neither our involvement nor request.
I do believe in freedom of speech, even for China Communist Party shills, even when it is against me. Ergo, presented below, in full, the article, with a short response by me after it:
Unmasking IPVM
How a toxic mix of rage, inferiority spawned the security industry’s most polarizing figure
Samuel Smith
On the evening of November 13, 1994, Dartmouth University’s Student Executive Assembly Committee signed a letter calling on its 19-year-old Secretary, John Honovich, to resign. The letter stated Honovich had acted to promote his own interests and consistently caused "infighting, confrontation, unproductivity, a poor public image, and has run counter to the expectations of the student body we are expected to serve efficiently and honorably.”
The next morning, the Dartmouth Editorial Board said, “In meetings Honovich has shouted over other members, raised his voice at administrators and chanted incessantly that the president and vice president are 'liars;' he has embodied the plague that has sickened the Assembly over the last few years. In an organization that should no doubt incorporate political viewpoints spanning an immeasurable spectrum, tolerance, cooperation and respect are necessary. The difference between good and bad politicians is knowing where to draw the line - and the Assembly cannot stand idly by while Honovich repeatedly crosses it. The only way the Assembly can hope to regain the respect that Honovich has destroyed is to show the campus that it will not stand for such irresponsible, distracting and disrespectful behavior and that it will stand up against members who use the Assembly as a tool for their own political gain.”
An immature, vain, aggressive and irresponsible teenager became an immature, vain, aggressive and irresponsible adult. It probably would not surprise anyone who knew John Honovich and saw his rage at Dartmouth that he would later so frighten a 41 year-old male that [the man] asked a court to issue a restraining order against John Honovich; or that a security equipment company would fire him; or that he would launch a tabloid website called IPVM to attack and bully the very industry that refused to accept him; or that, perhaps most outrageously, he would think that it would be ok if he hacked into Americans’ security cameras, posted their personal data on his blog and then encouraged others to hack into those cameras too.
This is the story of how John Honovich’s duplicitous website lies and cheats to make him more money.
John Honovich Manufactures Controversy to Make Money
IPVM is a subscription-based website founded in 2008 by John Honovich, a self-proclaimed leader in the video surveillance industry. According to one website that has covered John’s Honovich controversial behavior, “Many believe that he generates controversy through his abusive attacks on companies in the industry and then makes those same companies subscribe to his service so they can review his attacks.”
John Honovich and his helpers at IPVM review products and provide commentary on security industry companies and individuals. The source of any additional funding remains a mystery. His commentaries are highly biased, misleading, and often false.
As the same website that chronicles some of John Honovich’s most egregious infractions stated, “The site does not limit itself to attacking small companies. No company in the surveillance industry is immune to his outbursts. However, is his plan truly to build a subscriber base forced to pay to read the latest malicious content posted about their company on his blog or is there something more deep rooted that forces his pen?”
John Honovich Targets Asian Companies for Being Asian
John Honovich’s greed is only exceeded by an intransigent rage that helps drive him to deploy litany tactics designed to go after any Asian technology company simply because they are Asian.
When the Chinese two-way radio company Hytera submitted public comments to the FCC regarding a proposed rulemaking aimed at curtailing Chinese telecommunications companies operating in the U.S., John Honovich and his employees—without any credible evidence—accused the company of lying.
When Japanese stalwart Panasonic alerted its partners regarding a U.S. policy that would potentially impact their ability to purchase Panasonic products, IPVM again accused the company of knowingly deceiving its partners.
And when a prominent US cybersecurity expert joined a major Chinese tech firm, John Honovich was not ashamed to openly called him “White Monkey.”
John Honovich Is So Biased that the Mainstream Press Does Not Trust Him
John Honovich has set himself up as an unregulated, one-stop testing/media/lobbying operation, which uses its platform, former employees working at mainstream media outlets, and contacts on the Hill, to harass, defame, plant negative and misleading stories about, and—apparently—directly lobby against leading Chinese technology companies. Congressional authorities have been notified about John Honovich’s potential flouting of lobbying disclosure requirements. In August of 2021, House and Senate ethics officers— as reported by Axios—even sent John Honovich a letter indicating he could be required to register as a lobbyist. In a terse and ironic—considering John Honovich’s history of bullying anyone who disagrees with him— comment to Axios, John Honovich accused Hikvision of “bullying a small US business.” John Honovich’s website plainly admits how it operates:Notable media outlets like the Associated Press, the London Times, CNBC and Foreign Policy--when alerted to key facts about John Honovich—have either clarified previous reporting or made editorial judgments not to cover certain issues solely seeded by John Honovich or his website.
One industry trade reporter said, “No one likes John Honovich or believes much of what he says, but you also don’t want to be the one he’s bullying, so I just ignore him.”
John Honovich Hacked Cameras to Peek Into Our Bedrooms
In John Honovich’s crusade to destroy one company in particular—Hikvision—he hacked thousands of its devices without the consent of their actual owners. He then produced a YouTube video instructing the public on how to hack those cameras.
In 2017, John Honovich searched the Internet for Hikvision cameras and used a known vulnerability to bypass the username and password of more than two-thousand unpatched cameras across the United States and Europe. As a result, John Honovich gained unauthorized access to computing systems (IP cameras) owned and managed by U.S. and European citizens.
John Honovich violated U.S. law thousands of times to do this. Section 5 of the United States Computer Fraud and Abuse Act states, “Exceeding Authorized Access. Several portions of the CFAA prohibit obtaining information by accessing a protected computer either (a) without authorization, or (b) in a manner that ‘exceeds authorized access.’”Apparently, he does not think the law applies to him.
An IPVM video instructed viewers how to exploit a vulnerability on any camera that customers had not yet patched with the firmware that the company posted online six months prior. This caused significant exposure to U.S. and E.U. citizens who own and use those cameras to secure their properties and lives.
On December 18, 2017, John Honovich published an article on his website that is open for public viewing. The article explains how John Honovich used the Hikvision vulnerability to gain unauthorized access into the cameras of U.S. citizens who connect their cameras directly to the Internet and who did not patch their cameras in the eight months since the company released the patched firmware. It also includes a map that plots the suspected location of each camera in the United States. When a visitor to the website hovers their mouse over the map, a popup image shows a screenshot taken by John Honovich from each camera that he illegally hacked. Here is an alarming example that shows how John Honovich leered into a child’s bedroom.
In a public blog post, John Honovich brags about his unethical and potentially illegal activity against U.S. citizens who own the company’s cameras. From the article:
“Device IPs were exported from Shodan, the result of a search for Hikvision cameras in the US. Each device was evaluated against 3 key criteria:
Was it located in the US, based on results of an IP Geo LookupJohn Honovich admits that he used the vulnerability to gain unauthorized access to victim IP cameras; looked at the name displayed on the video images; and took a picture from the camera. And on January 2, 2018, John Honovich updated his hack map article to include cameras all across Europe. To this day, the article and the map of IPVM hacked cameras remain accessible and open to the public.
John Honovich Bullies Anyone He Disagrees With
When the FCC invited interested parties to comment on its proposed rule-making that would effectively ban the sale and marketing of certain Chinese companies, John Honovich’s predatory instincts sprung to life. When 20 American Dahua partners came out in support of Dahua, John Honovich published their comments and images on his tabloid, in what appears to be a shameless attempt to place a Scarlet Letter on hardworking Americans.
He followed up this attack by blasting nearly 100 small-medium sized American business owners who also supported Hikvision, and were participating in the FCC process, by openly naming and shaming them on his website.
One U.S. business owner said, “Why is this guy putting my name out there!? This is a public comment period and I have every right to comment. For someone who says he’s a voice of the people, it’s pretty ironic that he would try and silence me this way.”
One American company had enough. In a cease and desist letter sent to IPVM, one security equipment maker said,“Your campaign to intentionally defame Arecont includes recent postings by you entitled ‘Lying at Arecont Vision’ and ‘Liars at Arecont Vision’. In these postings, in which you say you are relying on the findings of an alleged security blogger, you accuse my client of lying in its advertising, specifically with respect to a MegaDome® print advertisement. You also make an off-handed remark alluding to what you characterize as Arecont’s ‘fallacious megapixel math.’ I will give you the benefit of the doubt - this one time – that, perhaps, you honestly believed at the time that what you posted was true and that the image in the circle marked ‘actual image’ was not an actual image from Arecont’s camera. Be advised, however, that the image in the circle labeled ‘actual image’ in Arecont’s print advertisement is, in fact, an actual, true image from an Arecont camera. Rather than falsely conclude that the image was simply too good to be true and, therefore, that it must be false advertising, you should have investigated the quality of Arecont’s products more thoroughly. Then, perhaps, you would not find yourself in the situation you are now in. Dissemination of false, defamatory information is actionable in a court of law.”
John Honovich Should be Ignored … and Cancelled
John Honovich’s time at Dartmouth was a harbinger of things to come. As one website cataloging his infractions put it:
“Recently, court documents were obtained detailing a dark past with allegations of physical and mental abuse. This in itself may not be as telling as the actual statements of his 41-year old male accuser. Statements like ‘He [John Honovich] always carried out his threats which got worse when I complain and/or challenge his control or power.’ The complaint continues, “He brags about his ability to verbally attack others. He squeezes his girlfriend’s head and pulls her arms behind her back.” And finally the complainant filed a Restraining Order against John Honovich indicating that “[John Honovich] would cause any reasonable person to suffer extreme emotional distress.” Mr. Honovich then continued to violate the Restraining Order and was arrested by the Honolulu Police Department. He was ordered to immediately turn over all firearms, ammunition, permits and/or licenses to the Honolulu Police Department.”
As yet another blogger stated:
“One by one, the pieces [of John’s life] are not that damaging, but put together, they paint a picture of a man with an unusual, and perhaps morbid psychology. It takes more than a little poking fun at people to have 8 out of 12 people sign a petition for your resignation. It takes a little more than friendly harassment to get a TRO [temporary restraining order] stuck on you. It takes more than a few inflammatory tweets to get someone to create a whole blog dedicated to exposing him.”
John Honovich is simply not credible. He cannot and should not be trusted. In fact, given the serial nature of his transgressions, John Honovich should be cancelled.
While "Smith" makes a broad array of accusations that I am happy to address, as people are interested, I will start by focusing on 3 particular ones.
Dartmouth Student Government: I was 18 years old, not 19, and while in November there was a letter calling for me to resign, just 2 months later, that same student government elected me Vice President. I am not sure how productive it would be to analyze the details of what I did as a teenager more than a quarter-century ago but suffice to say, the situation was more complex and I had far more support than "Smith" construes.
Arrest by the Honolulu Police Department: That was more than 20 years ago. I had an argument with a housemate about the rent which led to him getting a TRO against me. Then, when another housemate arranged for a mattress company to return a mattress I had bought, the housemate who got the TRO contacted the police arguing that by having the housemate facilitate returning a mattress, I violated the TRO. This was as bizarre as it sounds. The charges were shortly dropped, without me doing anything.
Hikvision Hack map: This is something that Hikvision has been complaining about for years. Hikvision's Jeffrey He notably declared that "This is the most outrageous behavior I have seen in my 27 years in the global security industry." Evidently, it was even more outrageous than Hikvision placing a backdoor in tens of millions of its devices or abusing human rights in Xinjiang or selling manipulated fever cameras, etc. As we explained at the time, we simply used the authorized access that Hikvision designed into their products.
I think criticism, even of this variety, is useful for the subjects to better understand their actions and to improve. For sure, I am more mature and sophisticated than I was a teenager, the core thread of this article.
As for "canceling" John Honovich, as IPVM approaches 30 team members, our goal is beyond "John Honovich", to be an institution that researches, exposes, and advocates for better and more ethical usage of technology around the world, including the PRC and USA.
Any questions or feedback, please let me know!
01/08/22 08:41pm
In John Honovich’s crusade to destroy one company in particular—Hikvision—he hacked thousands of its devices without the consent of their actual owners. He then produced a YouTube video instructing the public on how to hack those cameras.
I'm mildly offended.
01/09/22 05:45am
John... that tirade can be considered a compliment. You considered such a threat….addendum to your bio.
01/09/22 06:09pm
If they were trying to save Hikvision in the US market... this smear campaign is just a bit too late.
"When you're taking flak, you're over the target"
01/10/22 01:53pm
Always love it when people use the term "hack" as a catch-all.
I love the website Home that they threw up as "evidence". 1) it is on weebly, 2) it has an outlook.com generic email address and 3) it claims it will contain evidence, cour documents, etc. In reality, it has a main page and an about page, all of which are the quotes from the article.
They also intersperse the allegations so it appears that after targeting Hik, they then went after arecont, which IIRC, that was years ago.
As for the small business being publically called out, they put themself out there on a public forum (FCC), and they did it because HIKUA asked them to publically comment in their favor. They want it both ways....
And in the past, they complained that IPVM is anti-China. But now they are spinning it as anti Asian so they could bring the Panasonic story in to it.
Of course the anonyous source is so obviously a shill. The wording and phrasing and style is the exact same type of typical Hik rant they always use to respond to the "so called blogger hack"....
What a pity. It really makes Hik look weak and powerless. Using our free media to attack the free media...
Quite frankly I expected a little more effort from the Chinese.
01/10/22 04:58pm
Sounds like you were quite the rebel back in the day! Exciting back story!
1- on your first point, you lost their interest in your response the moment you used the word “elected”.
2- Im 58. I had a DUI when I was 19. Are they suggesting that a misc arrest almost 40 years disqualifies me or you as an industry participant? They would lose alot of their own customers using that as a standard. And especially not when they are committing genocide as a side gig.
3- If you have to hack to expose a hacker, especially a government hacker, then hack we must and hack we will.
I call first dibbs on movie rights!
Most boring movie ever:
[stage direction - protagoinst is reading on his computer]
[stage direction - protagoinst is typing on his computer]
[stage direction - protagoinst goes to another room and reads on his computer]
....
Wow. This John Honovich guy went to Dartmouth? Cool!
What courses did you take at Dartmouth College?
Just curious.
The ole ignore the message, shoot the messenger routine.
I haven't logged in to IPVM in a few days - so this is the first I'm seeing this. After reading all of it, I guess I've finally made up my mind. I'm not going to be a housemate with John Honovich. There! I said it! I don't care who knows.
(well, maybe I do care - that's why I'm posting Undisclosed)
As pathetic as they've become, I'm still surprised that it took so long to pull this stunt. As far as I'm concerned, Hikvision just cancelled themselves.
John,
IPVM is a rich source of information and a goto for industry professionals for the latest in security tech. They are trying to put you on defense. Which means you’re doing great work. Do not ever stop! IPVM is exposing these frauds for what they are. You and IPVM will always have this security professionals backing.
So they don't like the Western culture but they want to be part of the Western "Cancel Culture"???
Hey, this is much better than snipers firing at you.
With as much as you've exposed and helped fight for, I figured you'd be on a CCP hit list.
Nothing like concentrated criticism by the powerful to know that one has had an effect. It is clearly the entrenched and powerful (and the powerfully entrenched) who have the most to lose from having their policies and weaknesses exposed. The power of the press (at least for now.......... :( _
Keep at it JH
All very interesting ..... I have a few questions for subscribers to ponder:
1. What qualifications does the IPVM team have to publicly evaluate security technology - do they have educational or experience in technical auditing? (Maybe certifications as a CISA, or certified in NIST)? What makes them the "experts"?
2. Are the publications really attacks or just informational to the industry. To really determine this, we have to look at intent. Information is just data. Determining the accuracy of data, is a whole different topic. (it requires research, validation and yes.... some level of expertise in the subject.)
3. The good news is that IPVMs public forums provide the ability to have other industry experts provide their input.
4. lastly, integrity and objectivity in all reporting - including some level of ethics, will create a trusted subscriber base.
I believe in collaboration within the security industry to understand the good, bad and ugly. BUT, that means listening to things you don't always agree with. Remember: collaboration does not mean consensus.
"Doxxing" and "Cancellation" are the twin last refuges of incompetent cowards with no valid arguments of their own.
In the world of "Breaking News" they did good. "Unmasking" what a great lead verb!
IPVM is just too much of an asset to be hurt by this, but give the devil his due.
P.S.: The "Cancelled" part is the wrong choice of a fairly beat up word. It draws people to your defense.
I can say that I find JH to be pretty un-agreeable, I still have some emails that were not great to receive, pretty unnecessary and kept coming in. We simply did not agree and he felt I had different intentions. That being said, there is plenty of good stuff on IPVM, great tools and very good competitive testing reports.
You can feel about John however you like, but there is far too much on IPVM to warrant this article. There is so much research and testing by a large team, it's not just a 'JH rant'. Not sure of it's a compliment or not but to me IPVM is so much more than John Honovic. It does not make sense to single him out by digging up some personal history to discredit information you simply don't like.
When in the publishing business you find yourself with enemies, that lead by using 25 year old selective history to attack an individual, you must be hitting a nerve.
10 years from now, we will look back and realize that development and distribution throughout the world of PRC designed and financially supported network chipsets along with the millions of network products containing them has been one of the greatest security breaches in history. The current and future risk to Government, educational, medical, institutional, corporate, business, and personal networks throughout the world is impossible to truly comprehend.
After the recent FBI and multi-agency bust last month, potentially 60 million POS systems world wide could still be currently exploiting consumer privacy. In the security industry alone, Network video cameras and recorders combine with an unestimatable number of IOT products that all use PRC chipsets and technology which by design check in with servers located throughout the world for the purpose of providing remote access. The numbers sold and installed on networks are proliferating every day.
The US government agencies have been slowly moving to protect government and all other network interests, but it is a massive undertaking, and the manufacturers of these products are using their own media assault to attack anyone simply stating the truth. Not proving there is no reason for concern, but arguing the agencies do not have the authority to do, what they did themselves over a decade ago.
Human rights violations are a concern, but nothing compared an international breach in network privacy. The actions and measures taken by the US, Great Britain, and other countries throughout the world are to protect their citizens and national security. Every citizen in every country should be interested and supportive of efforts to protect our rights and our privacy. In some cases the vendors may not even realize the threats created by components within their products, and hopefully they will join many others manufacturers who are switching to other sources that don't pose a risk, and software will be developed to mitigate the risks for the millions of systems that are currently installed.
Personal attacks and the attempt to silence opposing voices is something the world has witnessed the PRC do for many years. These security issues are is a Chinese problem. It is a PRC problem. In their country Chinese citizens know that with the PRC running their country, they have no personal privacy.
Why then should anyone assume the PRC would respect the rights of any other citizen in any other country?
Don't allow yourself to be misled by any media source. Do the research yourself. If you are in the security industry don't take chances with your customers or clients privacy. Talk to IT professionals about the risks of devices on networks that utilize peer to peer serialized remote connections, and how to go about securing them.
In a free society, the truth is our friend. Sometimes it can just take a bit of effort to sort out.
You know your doing something right when someone tries to attack you but when they try and personally attack you ... well you know you reached teh pinnacle. Well done John well done IPVM
John, Are you sure you are not planning to announce a run for a political office? Smells like a political hit job to me! What's next, were you suspended from Elementary school too? Haven't seen this since the last election...
Mr. Honovich's attitude or whatever aside, I have found IPVM to be one of the most useful resources available to learn abou video surveillance products and solutions. Most of the material is good positive information. What makes it trustworthy is the honest results demonstrating both pros (even from companies John doesn't like) and cons of products.
Do I see some bias at times? Yes, we all have it. John isn't typically shy about his. At least he has transparancy.
Let's keep working on "cancelling" industry shortfalls. Dishonest claims, fake oportunistic products, poor workplace cultures, racist algorithms, etc., - I hope IPVM / John Honovich strives to make the world better. John, you've obvioulsy accomplished becoming an influencer, congratulations.
I heard that one time John returned a movie to Blockbuster and didn't even rewind it! Can you believe the courage that he has to have to face his accusers?
I discovered your publication about two years ago, and have found the amount of useful information and reviews valuable. Consider our fees less a subscription and more of an investment supporting your publication.
It is important to continue providing independent product reviews and timely current reports on the news, events, ideas, and individuals that may have an impact on our industry, and the services we provide.
It was a bit of a surprise to discover the level of interactivity. The quick responses to follow up questions on reviews and articles are extremely helpful. The opportunity to follow, weigh-in on, and participate in open discussions can help broaden everyone's perspective. All will certainly not agree on everything, but open discussions create opportunities to see things from other points of view, which can often lead to a consensus.
Considering the growing number of new products, evolving technologies, and increasing investment in our industry, your subscriber supported publication provides a useful service. Not being dependent upon advertisers provides independence and opportunity for objectivity, but it also requires you to continue providing value to your subscribers in order to keep the lights on. This is very similar to our objectives as integrators, and service providers.
It would have truly been helpful to have had a publication like this 50 years ago when first entering this industry. At the very least it certainly could have helped shorten the learning curve.
Thank you for your service.
Michael Smith
(NOT related to Sam)
I'm worried about JH's "intransigent rage".
As we explained at the time, we simply used the authorized access that Hikvision designed into their products
Do you have any proof that Hikvision intentionally placed a backdoor in its devices? No. So why you keep saying it?
Hikvision is certainly to blame for releasing such vulnerable products, but saying this vulnerability is intentional without any proof is just dishonest. When a backdoor is intentionally planted, usually this is covert. This is a good example. The Hikvision "backdoor" instead was so trivial to detect, that is unreasonable to think this was done "by design".
Besides, the Hikvision hack map is also a bad move. Raising security awareness is praiseworthy, but this doesn't require publicly exposing thousands of devices. In that post it is also noted
The EU General Data Protection Regulation (GDPR) [...] specifies potential fines for companies that expose data that can directly or indirectly identify a citizen of the EU without their consent. By shipping cameras with a hard-coded backdoor, Hikvision exposes EU citizens to such data disclosures without consent
This is nonsense! It's not Hikvision that exposed data, but actually IPVM that exposed people's data by gaining access to a device without authorization, exploiting a vulnerability. If I use a Windows vulnerability to access your computer without your consent and make your own files publicly available, who should be sentenced, me or Microsoft?
#24, thanks for the feedback!
Do you have any proof that Hikvision intentionally placed a backdoor in its devices? No.
Certainly, it was intentional. They programmed in a magic string that when appended to any request allowed access, without needing to authenticate. Such magic strings are not accidents, like a buffer overflow might be. For your review and others reading, you can watch the video that demonstrates it:
When a backdoor is intentionally planted, usually this is covert
Whether or not Hikvision was "usual" or not, is not the issue. Hikvision coded this in. No one found some overlooked means to get access, Hikvision entered the code in and shipped it.
"Magic string" is a misrepresentation of the vulnerability.
YWRtaW46MTEK seems like a random bunch of characters, but as was mentioned in the original report, it was arrived at by base64-encoding "admin:11".
if that parameter contains a base64-encoded "username:password" string, the HikCGI API call assumes the idntity of the specified user. The password is ignored.
The string that gets mentioned is not random or magic in any way.
- username:password isn't magic - that's a common way to deal with authentication
- base-64 encoding isn't magic - base-64 is quite common (shouldn't be used for passwords, but quite common)
- YWRtaW46MTEK isn't even unique - there are many other strings you could use
It's probably not in the source code (I don't have the firmware so I can't say for sure). If the Hikvision didn't have a user called admin, the string probably wouldn't even work even on a vulnerable camera.
From my perspective, this could easily be a developer's backdoor left in by accident. Somebody could have been testing that snapshot feature, or some other part, and didn't want to login every time. It is possible that it was deliberate, but it is not a smoking gun. I place the chances at 60% deliberate because it's so mind-boggling dumb, and 40% accident because developers sometimes are dumb (these are just gut numbers).
If the string were actually unique, and if it weren't as simple as doing a base-64 of "admin:password", or if that string itself were hardcoded into the camera firmware, then I would agree that it was a deliberate magic string. But none of that seems to be true, so I can't go along with calling it a magic string intentionally put into the camera.
Now, if you want to go the PRC direction, you could make an argument that given their political attitude and history, maybe they shouldn't be given the benefit of the doubt for mind-boggling accidents. I won't argue with you on that.
Certainly, it was intentional.
Keeping saying it, without ANY proof makes just clear to anybody how biased you are and this doesn't do justice to IPVM work which is usually good. Montecrypto himself, who discovered the vulnerability, in his full disclosure said (emphasis mine): Planted backdoor or accidental bug? Make your own judgment. [...] Hikvision indicated that it was a piece of debug code inadvertently left by one of developers. It is plausible, that a developer forgot to remove a piece of test code and it went unnoticed for years. There are no attempts to hide the backdoor code which would certainly be expected in case of a deliberately planted backdoor.
The fact you appear to have such a certainty, Montecrypto himself doesn't have, is kinda pathetic. Others have tried to explain you that base64-encoding of "admin:<whatever>" is not something you would expect from an hidden and obscure "magical" backdoor intentionally planted and shows it was instead an unfortunate (and shameful) piece of code left there during development/integration.
However I noticed you skipped my question: "If I use a Windows vulnerability to access your computer without your consent (I'm assuming you're using Windows but the same applies to other OSs) and make your own files publicly available, who should be sentenced, me or Microsoft?". I'd be curious to know your answer as this example -in terms of behaviour- is exactly what IPVM did with that map.
| 01/14/22 12:53pm
Keeping saying it, without ANY proof makes just clear to anybody how biased you are
How do you interpret this statement in the initial disclosure write up:
It is nearly impossible for a piece of code that obvious to not be noticed by development or QA teams, yet it has been present for 3+ years.
Your argument is that somehow the code to allow for an admin override via a lightly encrypted string got into the code by accident, and then was subsequently overlooked by developers and QA for 3+ years all on complete happenstance? There was no intention on the part of Hikvision/their developers to include this code, and leave it in there across multiple firmware releases?
admin override via a lightly encrypted string
base64 is not encryption, it is encoding. If you confuse the two, with all due respect I don't think you're the right person to discuss about vulnerabilities and cybersecurity.
Your argument is that somehow the code to allow for an admin override via a lightly encrypted string got into the code by accident, and then was subsequently overlooked by developers and QA for 3+ years all on complete happenstance? There was no intention on the part of Hikvision/their developers to include this code, and leave it in there across multiple firmware releases?
As I said, I don't think it's intentional for 2 reasons: a) intentionally planted backdoors are as covert as possible because they should not be discovered, I provided you a good example with NSA-planted backdoors on Cisco devices: no one would have known without Snowden. Thinking that Hikvision designed a backdoor as simple as the string auth=admin, and left the code unhidden is just ridiculous; b) mistakes like that may happen in software development, and can stay unnoticed in companies with poor QA. A lot of chinese companies deliver third rate products and demonstrated very poor QA which led to catastrophic vulnerabilities (think about Mirai).
The point is, according to my experience and reasoning I believe that was not intentional, but I don't dare to say it's certainly not intentional, because no one can sustain any of the two options with certainty without further proofs.
| 01/17/22 12:19am
base64 is not encryption, it is encoding.
Fair point, I was trying to keep the conversation more generic, but if you think arguing these semantics helps your case, then score a point I guess.
As I said, I don't think it's intentional
But you would agree there was no practical way for this bit of admin authorization bypass to get into the code accidentally, or as the unintended results of some other feature or function, right?
A lot of chinese companies deliver third rate products
Are you saying Hikvision is producing third rate products, or are you just throwing in a comment about other Chinese companies here?
if you think arguing these semantics helps your case
Yes I think it helps because -given that base64 is just encoding and has nothing to do with encryption- a base64 encoded string is just clear text and shows Hikvision made no effort to even slightly obfuscate the "magic string", which is unreasonable for a backdoor.
no practical way for this bit of admin authorization bypass to get into the code accidentally
I don't think lines of codes self-generate. I think these lines were added for some reasons during dev or integration, and then they were forgotten in production. Maybe a lazy developer added this quick-and-dirty piece of code for his own use during dev/integration for quickly bypassing authentication and testing features across different devices because he didn't want to bother with the different default passwords.
Are you saying Hikvision is producing third rate products, or are you just throwing in a comment about other Chinese companies here?
consumer market is flooded with chinese cameras which are security nightmares. The holes exploited by Mirai showed these companies lacked basic security posture. Now with P2P isn't much better. This Hikvision vulnerability is a shame and makes us question the overall quality of its products, at least at that time.
Maybe a lazy developer added this quick-and-dirty piece of code for his own use during dev/integration for quickly bypassing authentication and testing features across different devices because he didn't want to bother with the different default passwords.
#24, help me to understand this type of defense. Are you saying you believe Hikvision has no code reviews? That Hikvision has no senior engineering managers actually examining what gets shipped to production? Any lazy developer can just check in anything they want?
To be clear, I definitely believe you are knowledgeable and respect your taking a contrarian position here but I am unconvinced by this type of "lazy developer" rationalization. Thoughts?
This Hikvision vulnerability is a shame and makes us question the overall quality of its products, at least at that time.
They also make us question what the Chinese Government ownership has to do with the "venerability".
| 01/17/22 02:02am
Yes I think it helps
While we're on the subject, given your claimed expertise and desire for precise wording, what is your working definition for a "backdoor" in this context?
what is your working definition for a "backdoor" in this context?
anything that allows to bypass a security control can be considered as a backdoor. Even hard-coded default credentials. So this vulnerability counts as backdoor, this is not in question.
We're discussing whether this was intentional (and this is the message IPVM is spreading with its articles) or not.
To me this sounds as double-standard. To give you an example of this, consider CVE-2015-7755: this was a vulnerability discovered on Juniper firewall. It's very similar to the one we're discussing here, it's an authentication bypass using an hard-coded password which allowed to impersonate admin (detailed report here). Needless to say, this vulnerability is even worse than Hikvision one because it applies on firewalls, which by definition have a leg on untrusted network, instead cameras shouldn't be facing untrusted network (let alone the internet). Anyway, in Juniper case, the "magic string" (i.e. the hard-coded password) was
<<< %s(un='%s') = %u
Compared to the silly "auth=admin" used by Hikvision, this one has been smartly chosen because it seems like the (many) debug strings which often appears in software codes, so it may go unnoticed even during code reviews. Because of this, to me this sounds as this was an intentional backdoor to be put on production devices.
Despite this, no one has ever accused Juniper to have intentionally planted it on shipped devices, or to "have contributed" to this backdoor in any way. And no-one ever dared to publish a Juniper hack map (there were 25k+ vulnerable devices on shodan at that time, and given that firewalls are meant to protect networks which deserve security, just imagine how catastrophic this would've been).
I dare not imagine what media would've said if it was Huawei instead. This is the double-standard world we're living.
| 01/17/22 04:24pm
Despite this, no one has ever accused Juniper to have intentionally planted it on shipped devices
Perhaps. Most of the followup on that vulnerability you reference seems to trace it to an NSA-originated bit of code. It's unclear exactly how that particular code got into Junipers firmware (eg: did they include it all willingly knowing what it was, did they include it not knowing what it was, or was it somehow planted in the source code without any help from Juniper management), but the general agreement on it is that it was essentially a backdoor that has government fingerprints on it.
This has been a primary part of the argument for banning Hikua/Huawei, and other Chinese government controlled networking gear from use in the US, we all know that large governments are waging cyber warfare. I am certainly not saying the US government is not doing the same kinds of things when they can, and of course the Chinese government is as well.
Juniper also handled the response and messaging different than Hikvision, though also not exactly with a stellar plan, IMO.
You are arguing about whether this was "intentional" on Hikvision's part, as if to imply it would have gone through some kind of internal voting process or highly considered decision, and you're claiming that IPVM and others should not call it an intentional backdoor. IMO you're splitting hairs on this topic. There was code in Hikvision products for years that enabled unchallenged admin level access to devices to entities that knew the right strings to add to the cgi calls.
At this point we are going in circles on this and not adding much new, so you can make your next post/rebuttal and consider yourself as having had the last word on this thread from my perspective.
<<< %s(un='%s') = %u
Still, not vulnerability, but backdoor.
Even Rapid7 write 'backdoor' on this one.
#24, Brian mentioned something below, which I hadn't realized:
I pieced together that what LIKELY happened is he was doing some general investigation of the communications between a Hik NVR and camera, and observed that the NVR was able to control/update a camera that it did not have admin credentials for. This led to some network traffic monitoring and the discovery that if you passed a certain character string to the camera it would execute the API commands as an admin user, even if you did not know the admin password.
My personal belief is that at least part of the justification for this was to reduce support overhead for Hikvision, allowing NVRs to control connected cameras without needing known credentials for each camera. A bit of a "possession is 9/10ths of the law" kind of thing, if the camera is on your network and you have access to the NVR you then should be allowed to control the camera.
Using the backdoor in production code cast a different light on it (to me at least). I was not aware of that before.
That makes accidental debug less likely. I guess it's possible (given modern software development) that the code was an accident by the camera team that the VMS team started using without triggering any extra security reviews. But it's almost guaranteed that more than one person saw this and knew it was going into production.
Now, Brian + John, when you use the words "backdoor deliberately added", do you mean this was a dumb idea okayed by lazy/incompetent managers (as opposed to being an accident); or do you mean it was added maliciously with a view to possible future attacks; or something else entirely? I thought you meant the latter all this time, but the quote above seems to imply the former.
I personally find the lazy/incompetent thesis more likely, especially if it was actually being used by the VMS. That's not a way to keep something secret.
(Sorry, Brian, haven't been able to reply. Work got real busy lately. And John, sorry about hijacking your thread about nonsensical attacks by having an actual discussion.)
| 01/17/22 12:55pm
I thought you meant the latter all this time, but the quote above seems to imply the former.
A few thoughts on this:
1) I think everyone can agree that this kind of code/process is something that needed to be deliberately added. The way it works is via specific strings, not something like a SQL injection, buffer overflow, or other kind of exploit that leverages existing code for unintended or unanticipated results.
2) The functionality fits the textbook definition of a "backdoor", given that it provides a away to get admin level access to a device, even if the user took precautions to change the admin password or other default credentials.
3) It persisted in the code for a number of releases and appears to have been utilized by other Hikvision devices/software/etc at some point, implying that it was not forgotten or overlooked code.
In terms of malice vs. laziness, that is a tough call, and it could possibly be both. EG: we know that the NSA often finds vulnerabilities in products that it does not disclose, and uses for its own purposes. It is possible that this backdoor was first added out of a sort of laziness, but then when noticed by other aspects of Hik/Chinese government was not ordered to be removed because of the potential for future exploit use. People are saying "the Chinese government wouldn't do something this obvious", which gives them excellent plausible deniability, while maintaining full remote admin access to millions of endpoints on all kinds of networks.
I personally doubt that this code/functionality originated in the form of some government order to create a backdoor, but I do not think that means upper level officials were not aware of it and the potential it provided.
This is nonsense! It's not Hikvision that exposed data, but actually IPVM that exposed people's data by gaining access to a device without authorization, exploiting a vulnerability.
This guy doesn't even understand what happened. If I remember right, this was all uncovered by @Bashis, cybersecurity researcher, not IPVM.
I'm a cybersecurity engineer and I'm fully aware of "what happened". If you're interested to this topic, before judging I invite you to re-read my comment and replies to other comments I gave. I explained why exploiting a vulnerability of devices you don't own is considered despicable within the (white hat) cybersecurity industry and illegal in most of the countries.
It's not Hikvision that exposed data, but actually IPVM that exposed people's data by gaining access to a device without authorization, exploiting a vulnerability.
Exposing the vulnerability and notifying the world is the crime, not creating the vulnerability?
Unreal.
Integrator #24 has a good point about accessing these devices and posting the pictures. This is a very touchy area of white hat hacking. I personally would not have done this, but other white hats (case in point) might be fine.
- Discovering vulnerabilities is fine
- Notifying manufacturers is fine
- Announcing to the public is fine (I won't get into the responsible disclosure vs full disclosure debate)
- Raising awareness is fine
- Testing the vulnerabilities on systems you don't own is... questionable. Technically, you could be breaking laws, but a lot of white hats do this as research to determine how bad the impact is.
- Retrieving and storing private information from systems you don't own is... probably illegal. Storing is the big part. Testing the exploit is one thing, storing the stuff you found is really not a good idea for white hats. If you're using it as proof to notify the people affected, maybe it's okay. But other than that, you're starting to move out of the white hat area. Now, guys like Troy Hunt deal a lot with stolen data dumps as a public service, but generally speaking, don't do this.
- Posting the images publicly along with map pin points... also probably illegal. These are images you don't own. Giving estimated locations, really not a nice thing. I don't think the map pin points really impact the legality, but it's pretty close to doxxing.
That said, it was obvious that IPVM was doing this purely for public awareness, rather than trying to spy on or dox people. White hats have done a lot of questionable things in the past for the public good. While it looks illegal, and I disagree with doing this, I doubt that a court of law would do anything more than say, "try to be more careful next time".
Firstly, I really like your post as it touching many valid points and also some greyish areas, to where I have only some comments in the 'debate' you don't want =)
- Announcing to the public is fine (I won't get into the responsible disclosure vs full disclosure debate)
'responsible disclosure' are in my opinion information to vendor prior 90 days to 'full disclosure'.
I do not consider 'responsible disclosure' to give vendors information 90 days before publish some shady details in some blogpost and/or youtube video. If that's the intention, there are no need for any kind of publication at all, as the researcher will not help anyone outside the vendor (so get a t-shirt with the name of vendor).
I am fully aware there are some drawbacks for releasing 'full disclosure', but those drawbacks are less than the actual benefits in the long run for the users/customers.
For instance, we all know that users/customers/integrators do not upgrade their firmwares for some reason, it can be that users/customers/integrators do not know - as vendor do not don't marketing cybersecurity issues with their products as they do with new products.
You and I can have our opinions about that, and maybe even argue few months or years about it, but since we both know that's the case, there are other vendors that makes (most likely) user/customers/integrators more secure with the updates of signatures in their IPS system and stopping exploitation of vulnerable devices.
And one of the most efficient way for making correct signatures for the IPS/IDS is to have valid and correct information about the vulnerability and/or exploit soonest possible, and not some shady details in some blogpost and/or youtube video.
This is one of my main reasons to always publish valid and correct information about the vulnerability and/or exploit.
/bashis
| 01/13/22 10:45pm
I'll throw some comments in here since I was involved with this from the perspective of reporting on it for IPVM as it was unfolding.
First, I had some email conversations with montecrypto between the time when the vulnerability discovery announcement was made, and it before the details were publicly disclosed. He did not give me any specifics on the exploit prior to the date he agreed on with Hikvision (90+ days, IIRC). From the conversations with him I pieced together that what LIKELY happened is he was doing some general investigation of the communications between a Hik NVR and camera, and observed that the NVR was able to control/update a camera that it did not have admin credentials for. This led to some network traffic monitoring and the discovery that if you passed a certain character string to the camera it would execute the API commands as an admin user, even if you did not know the admin password.
Every indication I have ever seen, from other comments/disclosures online and my own observations and verification of things makes it appear that this functionality was deliberately added by Hikvision. Among other things, part of the reason I think this was deliberate is because it does not involve buffer overflows, malformed URLs, uploading packages/scripts to the camera, etc. It uses well-documented commands along with a string that has to match a defined hash/format that would not likely occur randomly or as a result of leftover debug code. My personal belief is that at least part of the justification for this was to reduce support overhead for Hikvision, allowing NVRs to control connected cameras without needing known credentials for each camera. A bit of a "possession is 9/10ths of the law" kind of thing, if the camera is on your network and you have access to the NVR you then should be allowed to control the camera.
After the vulnerability was made public, Hikvision chose to try and downplay it, deny the magnitude of it, and otherwise take what I would consider to be an inappropriate response, which put the resellers and users of their products at increased risk.
Hikvision had PLENTY of time to contemplate how to handle the messaging strategy, how to respond to this, how to prepare statements, and so forth. They were not caught off guard by the public disclosure of the vulnerability, and they arguably had adequate time and resources to prepare fixes, patches, press releases, and related items well in advance of the disclosure release.
The camera hack map really came about in response to Hikvision's attempts to downplay this and spin it. They were denying that this was impacting customers, etc. (I'm avoiding too many specifics here because I don't want to go back and re-read all my notes to put together a precise timeline). I forget how I first became aware of it, but I recall hearing about some of the cameras having OSD text changed to "HACKED" on them. This was easy to setup a scan for (pull data from Shodan, use Hikvision's deliberately included admin override to read OSD settings, log results).
The original map was just a screenshot I posted in a comment in one of the threads where I was trying to illustrate that the vulnerability and impact was much larger than what Hikvision was claiming to their dealers. From there it morphed into the full interactive map that you saw (and became one of IPVM's most popular posts, I had many industry friends at other companies call me and tell me how much they enjoyed it ;) ).
If Hikvision had simply owned this in the same manner companies like Axis had, there would have been no need to attempt to correct their misleading comments, and that map probably would have never even existed, it would not have been worth the effort.
Regarding the images and pinpoints, ALL of the data for the map was made using calls to services or devices that conformed to the APIs, URLs, etc. that the originators of those services and devices implemented in their software, published online, or otherwise made available via unencrypted network connections and calls. No encryption schemes were broken, no buffer overflows, SQL injections, or malformed calls or commands were used or needed to gather the data. Making the calls did not disable any of the devices or services, prevent them from being simultaneously used by other users or services, performing their intended functions, or otherwise compromise their availability or continuity.
In the course of gathering data, a number of OEM units were also available for access. Information for those units was not included, only units that appeared to be Hikvision branded were included. While Hikvision could not (IMO) reasonably claim they had no idea this deliberate backdoor existed in their products, their OEM partners were most likely not informed of it upfront and were not aware, so it made sense to not include them. I think at some point there was a list published of other affected brands, based on this data, but the images/geolocations of those units were not published.
Tl;DR - The Hikvision hack map came about because Hikvision attempted to mislead people about the extent of the problem.
Brian,
when I first saw the map I was thinking 'wtf...', but not long after that - I realised that I would done same thing, all because of the reason to raise awareness. Very important IMO to raise awareness that's not damn joke and should not be downplayed, it's real stuff and indeed can impact users/customers/integrators in far more severe situations.
Good job!
[the Hikvision hack map] became one of IPVM's most popular posts, I had many industry friends at other companies call me and tell me how much they enjoyed it ;)
this is not funny. You actually expoited a vulnerability for gaining unauthorized access to devices, retrieved data you don't own, stored it and made it publicly and easily available to anyone (even to non-members, how bad...). I actually saw people's faces in those screenshots. That's creepy. Others have been sentencted for much less e.g. adding 9 characters to a website URL.
Tl;DR - The Hikvision hack map came about because Hikvision attempted to mislead people about the extent of the problem.
This is not true. As the Montecrypto full disclosure shows, Hikvision started publishing firmware updates for affected devices one week after they were notified of the vulnerability and much before the vulnerability became publicly known. In the cybersecurity world, this can be considered responsible behaviour. Any vendor tries to downplay their vulnerabilities, but this is not relevant, given that vulnerabilities are scored by independent organizations (and this one was scored 10/10). What Hikvision should've done? Phone each single device owner begging to update their devices? The best a vendor can do is acknowledge the vulnerability and promptly release patches and Hikvision, in this case, did that.
| 01/14/22 01:13pm
This is not true.
You can go back on read the IPVM reports, and other things like Krebs on Security, that were publishing info on this as parts of it were disclosed. Amongst other statements from Hikvision around that time was their ""never backdoors" statement, and their overall downplaying calling it a "privilege escalation" and that the "overwhelming majority" of devices were essentially not at risk because they were not directly connected to the internet.
Yes, Hikvision released firmware patches. However they did not make an adequate effort (IMO) to push out notifications and strongly encourage affected users to upgrade asap.
Others have been sentencted for much less e.g. adding 9 characters to a website URL.
That was in the UK. I live in the USA. It was also a case related to a person using URL manipulations that were not the result of direct links on the website, URLs/calls made by other parts of the website, or methods that the designer of the website seemingly intended to be used. It's a bit different, and I expect you can actually figure out why its not comparable if you're actually a vulnerability researcher.
You actually expoited a vulnerability
What I saw from them is that they would "never" include backdoors in their products, so then this must have been intentional functionality, right?
You actually expoited a vulnerability
Dear UI24,
I have now tried to keep quiet for a while, but now I want to ask you something - as you stated that you are Cybersecurity Engineer.
Q: What is the difference between;
http://camera.ip/onvif-http/snapshot
and
http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK
HINT:
First URI: Provides snapshot with credentials
Second URI: Provides snapshot without credentials
FYI:
$ echo -en 'YWRtaW46MTEK' | base64 -d
admin:11
My answer as non Cybersecurity Engineer, only as a simple vulnerability researcher. This is NOT a vulnerability, this code is there on purpose (for whatever reason), and must defiantly be classified as backdoor.
Have a nice day
Your not understanding does not make it not so.
Peer to peer networking via QR codes and Serialized servers was I believe, listed as the 3rd most popular method of providing remote access to Video systems. In the IOT APP world it is utilized by over 90% of all products.
That process allows anyone to connect a device to any network via RJ45 or WIFI. Once connected, downloading an APP, or using a Browser one only needs to enter the QR or serial code, and they have full access to that device and the network on which it sits.
As soon as the device detects a network and internet connection it calls home (A server located somewhere in the world). It then checks in providing at least enough information to identify itself, it's originating IP address, it's internal IP address, QR and/or Serial ID. Of course it can provide much more information and connection to other devices than just the one intended. (check out Fing to see how much information is possible and connection methods). It continues to check in periodically to ask the server if there any requests to open a session or provide access to a remote user.
Sometimes an additional Password is required, but generally the QR or Serial ID is all that is needed. So even if the proud owner of the new device doesn't use the APP, once plugged into network anyone with access to the server and with QR or Serial code can access the device. (manufacturers and their staff have that information).
From that point on, what can be seen, or accessed is only limited by the manufacturers firmware and/or software. Firewalls see nothing about which they should be concerned since request comes from a device located on the network.
That is "Front door"access. No back door is required. This feature has been built in deliberately to most IP video, Analog HD Recorders, and virtually ALL IOT products from inception. The features are in plain sight. It is not a hack, the end user invites them in, so they may have the ability to access their IOT device.
Video manufacturers say this is not a problem because you can turn off the feature.
Unfortunately some systems may still 'check in' automatically even if system owner turns off the remote access feature in the user portion of the management software. Apparently the only thing definitely turned off is the remote users ability to access their own system.
Why? A manufacturer might suggest it is necessary in order for them to monitory health, receive check-ins, requests for firmware updates , or any other reason that they feel is important. Even if you are not aware it is happening.
This wonderful feature provides a Wide Open Front Door allowing the manufacturer and any associates with whom they choose to share the information full access to the device, and to its’ network. Apparently they consider themselves invited in, the moment the device was connected to end users network.
Proving that malicious back doors not only exist, but are deliberate needs to be an ongoing concern of our industry. We know they the doors exist because the front doors are in clear sight and arrive master keyed by the factory. Interesting note is that typically on Security Recorders and cameras the feature is defaulted on.
Currently all products and their servers have technology built in deliberately that presents a huge risk to any network on which they sit. Just sayin ..
John Honovich, what we should cancel is the CCTV expansion with its origins in China, everybody knows that they will use any tactic such us the one you received; and in my view it is just a political move. All technology coming from China, including CCTV, etc. is just a mirror copy of what we have been doing in America many years ago; we allowed it to happen unfortunately, and now we see the results. Of course they will use low level technics to shut you down, and to raise issues on you that took place many years ago it is low; we all make mistakes when we are young and none is exempt from it, that let you see how desperate they are.
What needs to be done is to organize us as a front to keep defending the bad actors, including some companies that are outside China.
IPVMU Certified | 01/15/22 09:23pm
Strange attack. However HIK is the biggest player and has many bugs to loose - so the rage is going on.
I'm wonder what will happend in the rest of the world eg. Europe.. something's going on in Italy and Great Britain, something in Poland .. let's see
I'm wonder what will happend in the rest of the world eg. Europe.
I wonder more about belt and road countries in Africa, S and C America, etc...
due to the belt and road are they even able to resist/ban PRC controlled equipment providers?
IPVMU Certified | | 01/16/22 08:31am
And maybe there is another BIG question? What do we expect from banned companies? Is it simple war with everything made in PRC or the world wants to show WHY and WHAT is not acceptable. If that is only the war and we try to find a reason to ban.. it's more complex - where is the line that shows who is ethical in that game..
If we would like to simple protect the market for our own producer - this is reasonable.. but we should this maybe says clearly:) But then .. maybe there are not too much easy ways (like taxes for imported goods etc) to eleminate these products from the market?
Obviously criticism by IPVM is not being received with a view of improvement and improved transparency.
I think IPVM is to be commended for drawing attention to human rights violations. More companies need to do this.
The ultimate customers definitely need to be more aware. These unfortunate situation is not just om IPVM but numerous other worldwide sources. Also directly from people involved.
Besides the human rights violations there are have been other very significant problems identified..
More worldwide companies need to stand up and push back against China rhetoric. Good on him for making a stand.
What normally happens to a person in China is they "disappear" and may or may not re appear.
Also look what China said about activities in South China Sea and the situation now.
All those fishing boats - tied up together. They must thing people are stupid. If reflects badly on China.
I would think the PRC or Vlad would be able to hire more proficient English speakers. Looking at the usage of language, it would appear to be written by a non-native English speaker.
A simple study of the following sentence makes it quite clear:
John Honovich’s greed is only exceeded by an intransigent rage that helps drive him to deploy litany tactics designed to go after any Asian technology company simply because they are Asian.
It is a very interesting piece linguistically and in terms of understanding the use or propaganda pieces, but, since it is not the purpose of this forum...
I think the most concerning information contained in the entire report is that John squeezes his girlfriend's head. Really John?
Newest Discussions
| Discussion | Posts | Latest |
|---|---|---|
|
Started by
David Little
|
3
|
less than a minute by David Little |
|
Started by
Undisclosed Integrator #1
|
18
|
less than a minute by Undisclosed Integrator #1 |
|
Burglars Steal 4G Camera, ~$8,000 In Tools, Camera Is Still Transmitting Video From Burglars Home.
(1)
Started by
Jermaine Wilson
|
1
|
less than a minute by Jermaine Wilson |
|
Started by
John Honovich
|
7
|
about 1 hour by John Honovich |
|
Started by
Undisclosed #1
|
3
|
1 minute by Undisclosed #2 |
