I have had a security vulnerability on file with Facebook since September regarding what seemed like the ability to read WhatsApp messages for a small significant subset of the Indonesian population. They still have not responded. A few weeks ago I posted on HackerNews that detailed Facebook information records for all 71 million Vietnamese citizens who use the platform were posted online on an open server. Again no response. I am not saying these are necessarily enormous security issues, but the lack of no response is incredibly demotivating and leads me to my next point.
Business leaders are not typically going to be your friend, and are not highly motivated to tell you the truth regarding a situation that might damage the company and their own personal career. As the two stories above show, and I have a dozen more like those, they are extremely unmotivated to help you in anyway. I'm not blaming business leaders per se, as they are at the mercy of large historical and economic forces that limit what can influence them and the options open to them to choose, but again it is extremely silly to imagine that responsible disclosure was anything more than a nice neoliberal idea that didn't hold up in the real world.
To me, responsible disclosure means to get the problem fixed as fast possible for the greatest number of people in a way that has historically over the last two decades been shown to work. It means making a prominent yet still careful enough example of the situation so as to in the future set the ethical and moral norms for what is considered right and good behavior.
These ideas today are pushing the envelope, and they deserve to be argued against and at. Multiple people make up 12 Security, but as the founder and current leader of the group, I want to make it clear that it was my decision and the responsibility lies with me solely as far as going public on information related to the Wyze Breach.
The reason for this is because we now believe at this time, and this evidence will be released over the next week, that Wyze was committing espionage against American citizens in the United States. We believe that the company was set up originally for this purpose. Furthermore we believe that in subsequent statements the founder has made Wyze users have been purposely lied too and data that contradicts these claims will be shown. I will reach out to the Wyze founder for clarification once other individuals I have reached out to in the security community are available, but considering the nature of the claims it would not have any sense to reach out before now because of the record of business leaders and the Shanghai State Security Bureau's (part of the Ministry of State Security in China) previous spying in the United States.
I am willing to "bet the company" so to speak on making that claim now and taking the risk of being wrong personally. Twelve Security has not been set up as an LLC currently, so the risk is significant and wholly mine, yet I believe the data speaks for itself. Lastly bold claims require extensive evidence, and we welcome the challenge. The media, the press, and public opinion overall make up the "4th Branch of Democracy" so we submit it to them to decide what is best. One of the first people implicated in this breach was the Managing Editor of the Wall Street Journal, Karen Pensiero, who was extraordinarily helpful with confirming the accuracy of the data, and I want that story to show how the press itself is potentially in danger or at least significantly less secure based on what we will show.
In the next few days and in subsequent posts, we will ask Google, Amazon, and IFTTT to conduct an internal investigation into how Wyze used customer data, the espionage implications, and to look especially hard into the 1,200 @gov accounts that were compromised along with at least two dozen @mail.mil accounts.
V / R,
San Antonio, Texas