I joined after the team had gotten traction already. Both the GM and the senior-most product person on the team told me about their tactics independently.
To be honest, I didn't think of it as anything sinister at that time. AWS had such a high-octane culture to move fast and innovate that I actually felt what they had done was quite smart. It was a super competitive culture and people did whatever was needed to build new things. On a day-to-day basis the only pressure was to build... I don't remember instances where ethical guidelines were brought up. So, in a way, the outcomes were a result of what people were rewarded on.
Only after I left AWS did I start thinking it was ethically iffy. I still believe Amazon is an amazing company and my time at AWS was one of the best learning experiences.
"It is difficult to get a man to understand something when his salary depends upon his not understanding it." - Upton Sinclair.
I wish we went into this in much more detail in high school when covering economics and ethics (if the school even bothers to teach ethics). It should be a prerequisite in any capitalistic economy (but not only those, it can easily be extended to other things).
I've also worked in industries that I think don't operate very ethically. It's amazing what you can ignore as an outlier because the alternative is uncomfortable or means you have to make a large personal change.
Well, yeah. Or just having to look for a new job that may or may not pay as much. But I wasn't really going so far as to say people (myself, at one point, if you notice what I wrote) stay at a company they feel is acting unethically, but actually just noticing and accepting the company as doing unethical things instead of attributing it to an outlying situation that isn't indicative of how things are normally done.
Companies and people sometimes do shitty things. It isn't always on purpose (misunderstandings, one bad person, etc), and there isn't always a good way to fix it afterwards. I don't condemn people and companies because of this, and there's a tendency to assume this when you see something and work at the company. It can take a while before you start seeing a pattern and accept that it might just be how things are done sometimes and the management is fine with it. If you don't have a lot of options, I think there's a tendency for people to not look closer either on purpose or subconsciously because they might not like what they find, and then they've put themselves in a harder situation, where they must choose between what they believe is right and a hardship.
Sometimes ignorance is bliss, and the human mind is very complex. That's all I'm saying.
Put it on a private VLAN (e.g. a guest network that can't be reached from the main network), pull the SIM card, uninstall all non-essential software, turn off all non-essential services.
Although I prefer "Internet of un-updated linux boxes". (A thing to which I'm ashamedly a party. I was in a startup ~5 years back where I was responsible for the backend that provided the software and OS updates (a customised Arch repo and pacman config) for our hardware. The startup went under, having shipped the first production run. I kept the Arch repo up on my own dime for as long as I could, but eventually the control over the domain dried up and the subdomains it relied on no longer existed... There weren't many of our devices still connecting to them the last time the log files showed connections, but I'm looking at two of them right now which I've been occasionally doing security updates to by hand. I feel bad each time I do it, knowing there are customers out there who bought our stuff who are no longer getting any updates...)
That's going to be hard to deal with, principally because I'm sure many of the control apps only search for devices on your local subnet and don't allow manual specification of IP. If they do allow manual specification of IP, then you could probably do what the other person who replied to your question suggested: multihome a router, establish a hardened second network, and leverage port forwarding. If they don't, then you need to put them on a separate network and put a controller on that second network too (e.g. an old phone, tablet, smart speaker).
Alternatively, you could set up a bridge by hardwiring the device to a Raspberry Pi and then use the Pi's WiFi to connect to your existing network. You then set up traffic forwarding across the NICs, man-in-the-middle all the traffic, and only allow certain traffic in and out. This avoids the need to create a new network.
A small router device put in between might help, say a repurposed (OpenWRT?) WiFi access point, or a small MikroTik or similar device. Forcing all IoT devices onto a second private WiFi network would allow you to set rules so that, for example, they can be reached by devices on the home network but are prevented from connecting anywhere else on the outside.
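As an added example (not posted by anyone in the thread), here is an nftables ruleset for a Linux-based router or a Raspberry Pi sitting between the networks that implements exactly that policy: home LAN may reach the IoT segment, the IoT segment may initiate nothing except DHCP/DNS/NTP to the router. The interface names `br-lan`, `br-iot` and `wan` are assumptions; rename them for your box.

```shell
#!/bin/sh
# Added example, not from the thread: nftables rules that isolate an IoT VLAN as the
# comment above describes. Interface names are assumptions; adjust for your router.
set -eu

LAN_IF="${LAN_IF:-br-lan}"   # home network bridge (assumed name)
IOT_IF="${IOT_IF:-br-iot}"   # isolated IoT WiFi/VLAN bridge (assumed name)

# Print the ruleset. Kept in a function so it can be reviewed without root.
iot_ruleset() {
  cat <<EOF
table inet iot_isolation {
  chain forward {
    type filter hook forward priority 0; policy accept;
    # replies to connections the home network opened toward IoT devices
    ct state established,related accept
    # home network may reach the IoT devices (control apps, casting, ...)
    iifname "${LAN_IF}" oifname "${IOT_IF}" accept
    # uncomment for a device that genuinely needs its vendor cloud ("wan" assumed):
    # iifname "${IOT_IF}" oifname "wan" tcp dport 443 accept
    # IoT devices initiate nothing: not to the LAN, not to the internet
    iifname "${IOT_IF}" drop
    # and nothing but the home network reaches them (no WAN -> IoT)
    oifname "${IOT_IF}" drop
  }
  chain input {
    type filter hook input priority 0; policy accept;
    # router-local services the IoT devices still need: DHCP, DNS, NTP
    iifname "${IOT_IF}" udp dport { 67, 53, 123 } accept
    iifname "${IOT_IF}" tcp dport 53 accept
    # nothing else from the IoT side reaches the router itself
    iifname "${IOT_IF}" drop
  }
}
EOF
}

# Load the ruleset, replacing an earlier copy of the table if one exists.
apply_iot_firewall() {
  if nft list table inet iot_isolation >/dev/null 2>&1; then
    nft delete table inet iot_isolation
  fi
  iot_ruleset | nft -f -
}

if [ "${1:-}" = "apply" ]; then   # run as: sudo ./iot-fw.sh apply
  apply_iot_firewall
fi
```

Because the chains use `policy accept` and only add explicit drops, the rules layer on top of whatever LAN/WAN firewall the router already has instead of replacing it.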
No security updates means potential for exploits, not definitely exploited. If you don't open yourself up to exploits by using the browser or untrusted apps, you're pretty unlikely to be compromised even with an older phone.
If this concept gets popular enough, eventually the majority of users will start using the same old model Android phone (Nexus 5, etc.). That's when all of the unpatched vulnerabilities will become a serious problem that's difficult to fix.
It's not difficult to fix. It's just that corporations want you to throw out and buy a new phone every year. This is what happens when you let the same company make the software and the hardware.
> This is what happens when you let the same company make the software and the hardware.
Not sure that follows; it seems quite an Android-centric view? (Which I guess is valid in the context of this discussion...)
Apple do a remarkably good job (in my opinion) of providing software/security updates to older iOS devices. iPhones as old as an SE or 6S are still getting current versions of iOS.
I have a _much_ harder time keeping similar aged Android devices up to date (My Galaxy S6 Edge has been stuck on Android 7 forever. I'd need to root it and install a 3rd party ROM to upgrade it. I haven't done that because I still use it as a mobile app test device, and I don't personally "trust" non-stock OS installations to be particularly valid test devices for work apps...)