BlueBourne - CGA Claim advice

Forums › Off topic › BlueBourne - CGA Claim advice

1 | ... | 3 | 4 | 5 | 6 | 7 | 8 | 9

750 posts

Ultimate Geek

#1883682 14-Oct-2017 23:47

mattwnz:

minimoke:

That became a bit unstuck. What I found was that Telecom sold the Tivo's through a separate company which no longer exists.

I know you have probably put this behind you, but when I purchased mine, I purchased it directly from Telecom and it was on my bill from them. So intrigued who the separate company was.

As per the other thread on this at the moment, it does look like they can now be modded, which is another possible solution for some, but potentially pricey.

I only mention this because there is a technology lesson here. Just because you paid on your telecom bill is not proof of purchase between you and the seller. If you delve more deeply you will find on your original contract that the supplier is actually "XYZ Ltd" Not "Telecom Ltd".( I purchased directly off telecom as well - or so I thought)

If you were to audit the money trail your cash leaves your bank account, enters Telecoms bank account and then heads off to XYZ Ltds bank account. I 'd argue there is some deceptive selling happening there - but as you say its kinda behind me.

But my advice would be when making a purchase look very closely, not only at the conditions of sale but also who the seller legally is - that's the person you will pursue in a CGA claim.

I haven't bought anything from Spark or Vodafone for while. If you have go have a look at your purchase contract and see who actually sold you your device.

minimoke

750 posts

Ultimate Geek

#1883683 14-Oct-2017 23:57

mattwnz:

[

That is like a builder having in their contract that 'all roofs may leak' in the contract. Things have to be fit for purpose and last a reasonable period of time based on the price paid..

In which case the builder might say "the roof water tightness is limited to protection against known causes of leakage at the time of agreeing this contract"

Your builder isn't going to be liable if a lead acid battery factory sets up next door to you later down the track (assuming factory waste affects the roof)

Dratsab

3946 posts

Uber Geek

Trusted

Lifetime subscriber

#1883687 15-Oct-2017 00:09

I really don't see any reason to get worked up over the panic reporting that's going on with all the sensationalist headlines such as "Wireless 'Blueborne' attacks targets billions of bluetooth devices" or "Blueborne attacks impacts billions of bluethooth devices". It's supreme sensationalism. One security company (Armis) has discovered a series of exploits through which they have been able to engineer an attack on a close proximity device. Have their tools been released into the wild? Has anyone developed similar tools in parallel? How many actual reports of Blueborne style attacks in the wild have been made? What's the real possibility of being hacked?

Bluetooth attacks have been around a few decades now and the research into vulnerabilities is only in its infancy. In their whitepaper on Blueborne, Armis say "However, as the Bluetooth stack is such an immense piece of code, the work we are presenting might be only the tip of the iceberg". Earlier in the paper, through the sheer size of the specification Armis demonstrate quite clearly how big, and how much of a mess, Bluetooth is.

Here's a brief article from July 2005 about Bluetooth attacks back then. The security advice today is no different from when this article was written: if you're not using it, turn it off.

michaelmurfy

meow
13240 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1883689 15-Oct-2017 00:23

Also to note from @Dratsab's post is there have been numerous other vulnerabilities in the past regarding Bluetooth and other wireless technologies.

1) If you have an older router with WPS enabled did you know it takes all but 5-10mins to crack the WPA key?
2) If you have an older iPhone did you know you could exploit the WiFi chipset to gain full root access?
3) Did you know the same phone that you're using likely has the same WiFi vulnerability? (also known as Broadpwn).

There are much worse things out there that have been actively exploited in the wild your phone may be vulnerable to. It is one of those risks with having a Smartphone. Just like how a computer could be pwned by a network trojan (think Wannacry) or how your TV could be listening to your every conversation (think the multiple Samsung Tizen exploits).

At least in your case, it is mitigated by third-party firmware. Other people are not so lucky.

There are many valid points made here but I think also the thread is going around in circles and have got their tinfoil hats on. If you're concerned about Bluebourne then take a look at the bigger picture of the other devices around you that may hold much worse vulnerabilities. How do you know that your router has not been compromised already due to an insecure version of dnsmasq syphoning your data off in the process to some black hat hacker?

Anyway - I locked this before but wanted to make some valid points too. I think you need to take a long hard think before looking at a single device at other devices around you to note that this is why the CGA doesn't cover it. It is impossible to track serious CVE's in every device you own. Since the OP's question has been sufficiently answered by a Lawyer and many other people who have experience in this industry I am calling it and locking this before it goes off topic once again.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1885677 18-Oct-2017 12:55

I know this was (rightly) locked by a mod. But in light of new evidence, I am unlocking it. As per Consumer NZ post on Twitter:

scuwp

3885 posts

Uber Geek

#1885711 18-Oct-2017 13:46

Interesting development. I guess the key point here is "we think..." in which it is only an opinion, and from a group whose sole purpose is to advocate for the consumer. If that were the actual legal position in NZ then I think a lot of technology companies would be concerned at their exposure to claims.

No doubt most have seen the latest sensationalised headlines about KRACK. What are the chances that the likes of Samsung (not alone but used as it relates to the OP) can actually roll out a security update to every single handset in use regardless on the make, model or carrier? I would say next to no chance they can do that, so then does that mean anyone who does not get provided the update has a claim that their handset is suddenly not fit for purpose and they can ask for a remedy? (which I assume would be to send back to Samsung so it can be manually updated or a refund/replacement).

Then, what time frame would be acceptable? Immediately, 2 Weeks, sometime before Christmas?

https://www.theverge.com/2017/10/16/16481136/wpa2-wi-fi-krack-vulnerability

Lazy is such an ugly word, I prefer to call it selective participation

minimoke

750 posts

Ultimate Geek

#1885888 18-Oct-2017 19:12

freitasm:

I know this was (rightly) locked by a mod. But in light of new evidence, I am unlocking it. As per Consumer NZ post on Twitter:

I would have thought there was a difference between not receiving security updates and not receiving security updates for a particular previously unknown issue.

Unless you had bought some kind of annual maintenance agreement which said you would get protection form all threatens.

I am pleased to see though that Consumer NZ seems to think it important that if there is a known issue or shortcoming it should be advertised as such.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

Linux

11391 posts

Uber Geek

Trusted

Lifetime subscriber

#1885920 18-Oct-2017 19:33

Wow just wow is all I can say

Linux

dejadeadnz

2394 posts

Uber Geek
Inactive user

#1885925 18-Oct-2017 19:38

scuwp:

Interesting development. I guess the key point here is "we think..." in which it is only an opinion, and from a group whose sole purpose is to advocate for the consumer. If that were the actual legal position in NZ then I think a lot of technology companies would be concerned at their exposure to claims.

You will never get definitive case law on the vast majority of Consumer Guarantees Act-related issues. Two simple reasons: (1) most claims are not worth the money required to get things on to the High Court or higher, where binding precedents can be issued and (2) the decisions of the Disputes Tribunal (where most CGA claims are heard) are not widely published, even if one DT decision might have some persuasive value on another DT referee. Be that as it may, even as a generalised, informed opinion from a reputable organisation, I think Consumer's view is potentially going way too far. And I am obviously rather informed on CGA-related issues and is coming from a POV of having no time of the day of the anti-consumer sentiments that at times pervade here.

The view that if it "can" be patched but a security update isn't provided then it is a substantial failure will, if taken literally, mean that no NZretailer in their right mind should consider stocking Android phones, given the manufacturers' tendencies to stop offering any updates after around 2 years. I am not defending this behaviour but when the expectation is so far beyond what is available in the market, enforcing this kind of thing in a blunt way will just lead to massively reduced choices, high prices, and lower availability of devices. And just in case anyone thinks that I am some Android fanboy, I actually detest Android and personally couldn't care less what is/isn't available on that platform.

The furthest that I think one can realistically go is that, for as long as OS updates are being issued for the phone, you'd expect the manufacturer to promptly issue security patches for exploits of this nature, and for security updates at least to be available for up to around 3 years since a device's first introduction to the market - whichever is the longer. In practice, should the Android camp up their game, will mean that updates are available for 3 years. I think that certainly is more consumer friendly and reasonable.

Jase2985

13457 posts

Uber Geek

ID Verified

Lifetime subscriber

#1885937 18-Oct-2017 20:01

but the phone still CAN receive security/software updates, its just the manufacture just hasnt released any.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1885965 18-Oct-2017 21:12

minimoke:

I am pleased to see though that Consumer NZ seems to think it important that if there is a known issue or shortcoming it should be advertised as such.

I fundamentally disagree with the Consumer NZ tweet and hope they took legal advice before posting it.

It certainly wouldn't be the first time they've mislead the general public with advice.

dejadeadnz

2394 posts

Uber Geek
Inactive user

#1885969 18-Oct-2017 21:27

sbiddle:

I fundamentally disagree with the Consumer NZ tweet and hope they took legal advice before posting it.

It certainly wouldn't be the first time they've mislead the general public with advice.

There's very limited legal advice that anyone can seriously obtain on this kind of issue, for the reasons I have already explained. And, no offence, your second statement is a pretty serious allegation -- not very cool to be throwing this around without further elaboration as you yourself haven't exactly demonstrated a perfect knowledge of these complicated legal issues.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1885976 18-Oct-2017 21:47

dejadeadnz:

sbiddle:

I fundamentally disagree with the Consumer NZ tweet and hope they took legal advice before posting it.

It certainly wouldn't be the first time they've mislead the general public with advice.

There's very limited legal advice that anyone can seriously obtain on this kind of issue, for the reasons I have already explained. And, no offence, your second statement is a pretty serious allegation -- not very cool to be throwing this around without further elaboration as you yourself haven't exactly demonstrated a perfect knowledge of these complicated legal issues.

Their claims over Colgate toothpaste are all I really need to say to substantiate my comment.

blakamin

4431 posts

Uber Geek
Inactive user

#1885988 18-Oct-2017 23:08

Is Consumer NZ a non-profit/govt department available to all, or is it a subscription based magazine written by people that have opinions like anyone else?

Oh, wait...

In 1986 the Ministry of Consumer Affairs was established and the Consumers Institute (Consumer NZ) lost its special legal protection and government funding.

Consumers' money comes from the sale of publications and subscriptions to Consumer and consumer.org.nz.

While they might "steer" Consumer Affairs in some ways, they're no different to any lobby group.

minimoke

750 posts

Ultimate Geek

#1886024 19-Oct-2017 06:59

blakamin:

While they might "steer" Consumer Affairs in some ways, they're no different to any lobby group.

And like any lobby group they can usually claim some expertise in the area they are lobbying for. While some might not like their opinions, on a continuum I think their views on consumer rights are stronger than those expressed on internet forums. They live and breath consumer issues and (ought to) have access to all case law on consumer.

I don't think you can take a character limited tweet as a full expert opinion - however it gives a sense of their view. The most important words (for this thread) are likely to be "cant receive security updates". How many phones cant do that?

1 | ... | 3 | 4 | 5 | 6 | 7 | 8 | 9