Kickstarter is full of projects like this where every possible shortcut is taken to get to market. I’ve had some good success with a few Kickstarter projects but I’ve been very selective about which projects I support. More often than not I can identify when a team is in over their heads or think they’re just going to figure out the details later, after the money arrives.

For a period of time it was popular for the industrial designers I knew to try to launch their own Kickstarters. Their belief was that engineering was a commodity that they could hire out to the lowest bidder after they got the money. The product design and marketing (their specialty) was the real value. All of their projects either failed or cost them more money than they brought in because engineering was harder than they thought.

I think we’re in for another round of this now that LLMs give the impression that the software and firmware parts are basically free. All of those project ideas people had previously that were shelved because software is hard are getting another look from people who think they’re just going to prompt Claude until the product looks like it works.

• lr4444lr

  today at 5:00 PM

  At this point, I trust LLMs to come up with something more secure than the cheapest engineering firm for hire.

  • nozzlegear

    today at 6:34 PM

    "Anyone else out there vibe circuit-building?"

    https://xcancel.com/beneater/status/2012988790709928305

  • Aurornis

    today at 5:14 PM

    The cheapest engineering firms you hire are also using LLMs.

    The operator is still a factor.

    • jama211

      today at 5:43 PM

      Yeah, but they’ll add another layer of complexity over doing it yourself

      • Aurornis

        today at 6:01 PM

        The people doing these kickstarters are outsourcing the work because they can’t do it themselves. If they use an LLM, they don’t know what to look for or even ask for, which is how they get these problems where the production backend uses shared credentials and has no access control.

        The LLM got it to “working” state, but the people operating it didn’t understand what it was doing. They just prompt until it looks like it works and then ship it.

        • caminante

          today at 6:33 PM

          You're still not following.

          The parents are saying they'd rather vibe code themselves than trust an unproven engineering firm that does(n't) vibe code.

          • TeMPOraL

            today at 9:26 PM

            > they'd rather vibe code themselves than trust an unproven engineering firm

            You could cut the statement short here, and it would still be a reasonable position to take these days.

            LLMs are still complex, sharp tools - despite their simple appearance and proteststions of both biggest fans and haters alike, the dominating factor for effectiveness of an LLM tool on a problem is still whether or not you're holding it wrong.

  • Kiro

    today at 7:45 PM

    LLMs definitely write more robust code than most. They don't take shortcuts or resort to ugly hacks. They have no problem writing tedious guards against edge cases that humans brush off. They also keep comments up to date and obsess over tests.

    • BoorishBears

      today at 9:34 PM

      I had 5.3-Codex take two tries to satisfy a linter on Typescript type definitions.

      It gave up, removed the code it had written directly accessing the correct property, and replaced it with a new function that did a BFS to walk through every single field in the API response object while applying a regex "looksLikeHttpsUrl" and hoping the first valid URL that had https:// would be the correct key to use.

      On the contrary, the shift from pretraining driving most gains to RL driving most gains is pressuring these models resort to new hacks and shortcuts that are increasingly novel and disturbing!

    • devmor

      today at 7:54 PM

      Interesting and completely wrong statement, what gave you this impression?

      • Kiro

        today at 8:16 PM

        The discourse around LLMs has created this notion that humans are not lazy and write perfect code. They get compared to an ideal programmer instead of real devs.

        • joe_mamba

          today at 9:46 PM

          This. The hacks, shortcuts and bugs I saw in our product code after i got hired, were stuff every LLM would tell you not to do.

        • gxs

          today at 9:11 PM

          Amen. On top of that, especially now, with good prompting you can get closer to that better than you think.

        • salawat

          today at 8:43 PM

          LLM's at best asymptotically approach a human doing the same task. They are trained on the best and the worst. Nothing they output deserves faith other than what can be proven beyond a shadow of a doubt with your own eyes and tooling. I'll say the same thing to anyone vibe coding that I'd say to programmatically illiterate. Trust this only insofar as you can prove it works, and you can stay ahead of the machine. Dabble if you want, but to use something safely enough to rely on, you need to be 10% smarter than it is.

      • dylanowen

        today at 8:20 PM

        I know right. I kept waiting for a sarcasm tag at the end

      • majorchord

        today at 8:23 PM

        right and wrong don't exist when evaluating subjective quantifiers

  • lukan

    today at 5:13 PM

    And the cheapest engineering firm won't use LLMs as well, wherever possible?

    • fc417fc802

      today at 7:34 PM

      The cheapest engineering firm will turn out to be headed up by an openclaw instance.

    • TheRealPomax

      today at 5:18 PM

      fun fact, LLMs come in cheapest and useless and expensive but actually does what's being asked, too.

      So, will they? Probably. Can you trust the kind of LLM that you would use to do a better job than the cheapest firm? Absolutely.

  • minimalthinker

    today at 5:02 PM

    this.

I'm the founder of neurotech/sleeptech company https://affectablesleep.com, and this post shows the major issue with current wellness device regulation.

I believe there was some good that came from last months decision to be more open to what apps and data can say without going through huge regulatory processes (though because we apply auditory stimulation, this doesn't apply to us), however, there should be at least regulatory requirements for data security.

We've developed all of our algorithms and processing to happen on device, which is required anyway due to the latency which would result from bluetooth connections, but even the data sent to the server is all encrypted. I'd think that would be the basics. How do you trust a company with monitoring, and apparently providing stimulation, if they don't take these simple steps?

How about complaining that brain waves get sent to a server? I'm a neuroscientist, so I'm not going to say that the EEG data is mind reading or anything, but as a precedent, non privacy of brain data is very bad.

• willturman

  today at 6:41 PM

  Non-privacy of this person is currently sleeping data is very bad as well, for different reasons.

  You know, now that I'm thinking about it, I'm beginning to wonder if poor data privacy could have some negative effects.

  • fc417fc802

    today at 7:36 PM

    Unsecured fitness monitor data revealed military guard post (IIRC) activity a while back.

    • werrett

      today at 7:44 PM

      Yawp. T’was Strava. https://www.theguardian.com/world/2018/jan/28/fitness-tracki...

    • iririririr

      today at 10:17 PM

      not because you knew how much someone worked out. But because it had GPS.

• b00ty4breakfast

  today at 6:27 PM

  People will be lining up to have their brainwaves harvested because it'll be mildly easier to send emails or something similarly inane.

  • RobotToaster

    today at 7:46 PM

    Corporations will be lining up to require their employees have their brainwaves harvested, so they can fire employees who aren't alert enough.

• delichon

  today at 6:14 PM

  You could read the alertness level from an EEG, which could be helpful to a burglar. The device with slow-wave status seems ideal.

• amarant

  today at 5:02 PM

  How useful could something like this be for research? I'm not a neuroscientist so I have no clue, but it seems like the only justification I can think of..

  • mattkrause

    today at 7:25 PM

    The general idea of an EEG system that posts data to a network?

    Very, but there are already tons of them at lots of different price, quality, openness levels. A lot of manufacturers have their own protocols; there are also quasi/standards like Lab Streaming Layer for connecting to a hodgepodge of devices.

    This particular data?

    Probably not so useful. While it’s easy to get something out of an EEG set, it takes some work to get good quality data that’s not riddled with noise (mains hum, muscle artifacts, blinks, etc). Plus, brain waves on their own aren’t particularly interesting—-it’s seeing how they change in response to some external or internal event that tells us about the brain.

  • brabel

    today at 5:40 PM

    Not a neuroscientist either but I would imagine that raw data without personal information would not be useful for much. I can imagine that it would be quite valuable if accompanied with personal data plus user reports about how they slept each night, what they dreamed about if anything, whether it was positive dreams or nightmares etc. And I think quite a few people wouldn’t mind sharing all of that in the name of science, but in this case they don’t seem to have even tried to ask.

    • iberator

      today at 8:07 PM

      What if you gonna think about your social security number 30000 times in your dreams, and someone knows the pattern? See the danger? That's evil.

  • AnimalMuppet

    today at 5:37 PM

    If they're taking patient data for research without permission, they are not ethical researchers.

    • sneak

      today at 7:24 PM

      Is it really “without permission” if it’s from a server for which the access credentials have been deliberately published to the entire internet?

      • AnimalMuppet

        today at 9:36 PM

        If it's without the patient's permission, then yes, it is without the only permission that matters for medical ethics.

  • minimalthinker

    today at 5:39 PM

    I believe they use it for sleep tracking

• minimalthinker

  today at 5:18 PM

  I would presume data privacy laws already have good precedent for health data?

  • baby_souffle

    today at 5:42 PM

    > I would presume data privacy laws already have good precedent for health data?

    Google for a list of all the exceptions to HIPPA. There are a lot of things that _seem_ like they should be covered by HIPPA but are not...

    • minimalthinker

      today at 5:44 PM

      Interesting...

  • freedomben

    today at 5:44 PM

    Only for "covered entities" under HIPAA (at least in the US)

• sneak

  today at 7:22 PM

  Millions of people voluntarily use Gmail which gives a lot more useful data than EEG output to DHS et al without a warrant under FAA702. What makes you think people who “have nothing to hide” would care about publishing their EEG data?

Ok, obviously unethical to do it, but this sounds like you've got the power to create some sci-fi shared dreaming device, where you can read people's brainwaves and send signals to other people's masks based on those signals. Or send signals to everyone at the same time and suddenly people all across the world experience some change in their dream simultaneously.

Like, don't actually do it, but I feel like there's inspiration for a sci-fi novel or short story there.

• pjerem

  today at 8:54 PM

  That’s the plot of Paprika.

• StanislavPetrov

  today at 9:08 PM

  Dreamscape, 1984

• billylo

  today at 6:56 PM

  Inception

• darba

  today at 9:24 PM

  [dead]

Remember that the S in IoT stands for Security.

I have deployed open MQTT to the world for quick prototypes on non personal (and healthcare) data. Once my cloud provider told me to stop because they didn’t like it, that could be used for relay DDOS attacks.

I would not trust the sleep mask company even if they somehow manage to have some authentication and authorisation on their MQTT.

• n4bz0r

  today at 6:05 PM

  I don't think there is an S in IoT?..

  • BenjiWiebe

    today at 6:11 PM

    Right - the saying indicates that IoT stuff is well known for ignoring security.

    • n4bz0r

      today at 6:15 PM

      Went right over my head :)

      • rationalist

        today at 6:58 PM

        Where I work, the saying is, "The H in ABC stands for Happiness."

        (Also, "We're not happy until you're not happy.")

  • roysting

    today at 7:35 PM

    Thank you for your astute observation. :)

  • absoluteunit1

    today at 6:13 PM

    Exactly

I would love to see the prompt history. Always curious how much human intervention/guidance is necessary for this type of work because when I read the article I come away thinking I prompt Claude and it comes out with all these results. For example, "So Claude went after the app instead. Grabbed the Android APK, decompiled it with jadx." All by itself or the author had to suggest and fiddle with bits?

• minimalthinker

  today at 4:30 PM

  Very little intervention tbh. I will try to retrieve it and post.

  • dnw

    today at 10:32 PM

    That's great to hear. I'd be interested to see the session. Yes, Claude Code keeps sessions in ~/.claude/projects/ by default. Thank you!

  • selkin

    today at 5:41 PM

    By default, Claude code keeps session history (as jsonl files in ~/.claude).

    It’s wasteful not to save and learn from those.

    • dnw

      today at 10:32 PM

      Check this out: https://github.com/kulesh/catsyphon

• cyanydeez

  today at 4:43 PM

  Really is a derth of livestreams demostrating these things. Youd think if thetes so much Unaided AI work people would stream it.

The shared hardcoded credentials pattern isn't just an IoT problem. I work in AWS security and see the same thing constantly. Teams hardcode a single set of AWS access keys into their application, share them across every environment, and hope nobody runs strings on the binary. Same logic, same laziness, same outcome.

The difference is when it's a sleep mask, someone reads your brainwaves. When it's a cloud credential, someone reads your customer database. Per-device or per-environment credential provisioning isn't even hard anymore. AWS has IAM roles, IoT has device certificates, MQTT has client certs and topic ACLs. The tooling exists. Companies skip it because key management adds a step to the assembly line and nobody budgets time for security architecture on v1.

• roysting

  today at 7:33 PM

  > nobody budgets time for security architecture on v1

  It’s quite literally why the internet is so insecure, because at many points all along the way, “hey, should we design and architect for security?” is/was met with “no, we have people to impress and careers to advance with parlor tricks to secure more funding; besides, security is hard and we don’t actually know what we are doing, so tow the line or you’ll be removed.”

While most comments are focused on the issue that they found, I’m more intrigued by the fact that Claude was able to reverse engineer so well.

Lowering the skills bar needed to reverse engineer at this level could have its own AI-related implications.

> I was not expecting to end up with the ability to read strangers' brainwaves and send them electric impulses in their sleep. But here we are.

Almost out of a Phillip K Dick novel

Nevermind. I have just described my iPhone as a “generic chinese mobile device” to Claude, and he successfully gained root access with admin privileges to my iPhone, and even captured a couple minutes of EEG from 30 genetic mobile devices in my neighborhood. Seems like iPhones are tracking your thoughts, Claude could prove that, just ask it to tell you everything

Name the company, hiding it is irresponsible

• Jolter

  today at 6:09 PM

  Author doesn’t spell out why they are not naming them, but my guess is they are trying to not promote the product to malicious actors who would be interested in the sleep data of others.

  I guess that’s not a huge problem, though, since all users are presumably at least anonymous.

  • bstsb

    today at 7:55 PM

    less sleep data, i imagine, and more the whole “send remote electrical impulses” thing

• brabel

  today at 5:58 PM

  It’s probably safe to assume they are all like that.

The narrator in the article acts as a third person observer and identifies "Claude" as the active hacker. So assuming the (unidentified) company that sells/manages the product wants to prosecute a CFAA violation, who do they go after? Was Claude the one responsible for all of the hacking?

This feels like a reason to buy the device to me? I would want to block all of the data going to the cloud and would only want operations happening locally. But the MQTT broadcast then allows me to create a local only integration in Home Assistant with all of the data.

What's the real risk profile? Robbers can see you are asleep instead of waiting until you aren't home?

I have not implemented MQTT automations myself, but it's there a way to encrypt them? That could be a nice to have

• matthewfcarlson

  today at 7:15 PM

  Sounds like you cannot control which MQTT endpoint it is headed to? It just goes to the server of the device. Assuming you could modify the firmware, you could program it to send to a local MQTT.

  • erazor42

    today at 7:45 PM

    Simpler just update your local network dns so whatevercompany.brain.com redirect to your local 10.0.0.3 mqtt

This guy bought an internet connected sleep mask so it's not surprising that it was collecting all kinds of data, or that it was doing it insecurely (everyone should expect IoT anything to be a security nightmare) so to me the surprising thing about this is that the company actually bothered to worry about saving bandwidth/power and went through the trouble of using MQTT. Probably not the best choice, and they didn't bother to do it securely, but I'm genuinely impressed that they even tried to be efficient while sucking up people's personal data.

• 8n4vidtmkvmk

  today at 7:02 PM

  Meanwhile streaming everyone's data, negating any benefit.

huh, not sure if life imitates snark and bull https://medium.com/luminasticity/great-products-of-illuminat...

"The ZZZ mask is an intelligent sleep mask — it allows you to sleep less while sleeping deeper. That’s the premise — but really it is a paradigm breaking computer that allows full automation and control over the sleep process, including access to dreamtime."

or if this is another scifi variation of the same theme, with some dev like embellishments.

• mrguyorama

  today at 5:50 PM

  That is the premise of HypnoSpace Outlaw, a neat game about 90s internet nostalgia and scifi.

Well that’s a brand new sentence.

• amelius

  today at 4:25 PM

  But not a beautiful sentence.

the shared MQTT credentials pattern is unfortunately super common in budget IoT. seen the exact same thing in smart plugs and air quality sensors. the frustrating part is per-device auth is not even hard to set up, mosquitto supports client certs and topic ACLs with minimal config. manufacturers skip it because per-device key provisioning adds a step to the assembly line and nobody wants to think about key management. so they hardcode one set of creds and hope nobody runs strings on the binary.

I discovered a very similar vulnerability in Mysa smart thermostats a year ago, also involving MQTT, and also allowing me to view and control anyone's thermostat anywhere in the world: https://news.ycombinator.com/item?id=43392991

Also discovered during reverse-engineering of the devices’ communications protocols.

IoT device security is an utterly shambolic mess.

• stevage

  today at 10:20 PM

  That is terrifying. Messing with thermostats could be enough to kill vulnerable people.

• minimalthinker

  today at 9:53 PM

  I’m not super familiar with MQTT. I wonder how common this is..

  • dlenski

    today at 10:10 PM

    MQTT is a very simple pub/sub messaging protocol.

    It's used in a enormous number of IoT devices.

    The "IoT gateway" service from AWS supports MQTT and a whole lot of IoT devices are tethered to this service specifically.

This smells like bullshit to me, although I am admittedly not experienced with Claude.

I find it difficult to believe that a sleep mask exists with the features listed: "EEG brain monitoring, electrical muscle stimulation around the eyes, vibration, heating, audio." while also being something you can strap to your face and comfortably sleep in, with battery capacity sufficient for several hours of sleep.

I also wonder how Claude probed bluetooth. Does Claude have access to bluetooth interface? Why? Perhaps it wrote a secondary program then ran that, but the article describes it as Claude probing directly.

I'm also skeptical of Claude's ability to make accurate reverse-engineered bluetooth protocol. This is at least a little more of an LLM-appropriate task, but I suspect that there was a lot of chaff also produced that the article writer separated from the wheat.

If any of this happened at all. No hardware mentioned, no company, no actual protocol description published, no library provided.

It makes a nice vague futuristic cyperpunk story, but there's no meat on those bones.

• threecheese

  today at 10:22 PM

  Claude could access anything on your device, including system or third party commands for network or signal processing - it may even have their manuals/sites/man pages in the training set. It’s remarkably good at figuring things out, and you can watch the reasoning output. There are mcp tools for reverse engineering that can give it even higher level abilities (ghidra is a popular one).

  Yesterday I watched it try and work around some filesystem permission restrictions, it tried a lot of things I would never have thought of, and it was eventually successful. I was kinda goading it though.

• skibz

  today at 7:06 PM

  A lot of BLE peripherals are very easy to probe. And there are libraries available for most popular languages that allow you to connect to a peripheral and poke at any exposed internals with little effort.

  As for the reverse engineering, the author claims that all it took was dumping the strings from the Dart binary to see what was being sent to the bluetooth device. It's plausible, and I would give them the benefit of the doubt here.

• RachelF

  today at 9:24 PM

  Yes, it is very lacking in details. The Claude output would have been interesting, or a few logs or protocol dumps.

  The lack of detail makes me suspect the truth of most of the story.

• llm_nerd

  today at 6:40 PM

  https://www.kickstarter.com/projects/selepu/dreampilot-ai-gu...

  Found that in seconds. EEG, electrical stimulation, heat, audio, etc. Claims a 20 hour battery.

  As to the Claude interactions, like others I am suspicious and it seems overly idealized and simplified. Claude can't search for BT devices, but you could hook it up with an MCP that does that. You can hook it up with a decompiler MCP. And on and on. But it's more involved than this story details.

  • flax

    today at 6:52 PM

    That appears to be more than a centimeter thick, and not particularly flexible. It's more like ski goggles than a sleep mask.

    So yeah, a product exists that claims to be a sleep mask with these features. Maybe someone could even sleep while wearing that thing, as long as they sleep on their back and don't move around too much. I remain skeptical that it actually does the things it claims and has the battery life it claims. This is kickstarter after all. Regardless, this would qualify as the device in question for the article. Or at least inspiration for it.

    Without evidence such as wireshark logs, programs, protocol documentation, I'm not convinced that any of this actually _happened_.

  • orsorna

    today at 7:02 PM

    Claude, or any good agent, doesn't need MCP to do things. As long as it has access to a shell it can craft any command that it needs to fulfill its prompt.

    • llm_nerd

      today at 7:35 PM

      There are no shell commands to do what is described. I could get Claude to interact with BLE devices, but it did it by writing and running various helper applications, for instance using the Bleak library. So I guess not an MCP per se.

• sublinear

  today at 7:38 PM

  I was originally going to ask something similar, but from a different angle.

  These blog posts now making the rounds on HN are the usual reverse engineering stories, but made a lot more compelling simply because they involve using AI.

  Never mind that the AI part isn't doing any heavy lifting and probably just as tedious as not using AI in the first place. I am confused why the author mentions it so prominently. Past authors would not have been so dramatic and just waved their hands that they had some trial and error before finding out how the app is built. The focus would have been on the lack of auth and the funny stuff they did before reporting it to the devs.

>Since every device shares the same credentials and the same broker, if you can read someone's brainwaves you can also send them electric impulses.

Amazing.

Is this some kind of joke? Claude hallucinated everything, including capacity of device to accurately measure EGG of brain waves and hallucinated the process of decoding APK to some paranoidal user who has posted his conspiracy level AI hallucinations “finds” to his blog post and everyone is like “Yeah, Claude can do this”. Is everyone here insane? I am insane?

As an aside, it seems cool that the bar to reverse engineering has lowered from all the LLMs. Maybe we'll get to take full control of many of these "smart" devices that require proprietary/spyware apps and use them in a fully private way. There's no excuse that any such apps solely to interact with devices locally need to connect to the internet, like dishwasher.

https://www.jeffgeerling.com/blog/2025/i-wont-connect-my-dis...

It's disappointing to see. It doesn't take much work to configure a MQTT server to require client certificates for all connections. It does require an extra step in provisioning to give each device a client certificate. But for a commercial product, it's inexcusably negligent.

Then there's hardening your peripheral and central device/app against the kinds of spoofing attacks that are described in this blog post.

If your peripheral and central device can securely [0] store key material, then (in addition to the standard security features that come with the Bluetooth protocol) one may implement mutual authentication between the central and peripheral devices and, optionally, encryption of the data that is transmitted across that connection.

Then, as long as your peripheral and central devices are programmed to only ever respond when presented with signatures that can be verified by a trusted public key, the spoofing and probing demonstrated here simply won't work (unless somebody reverse engineers the app running on the central device to change its behaviour after the signature verification has been performed).

To protect against that, you'd have to introduce server-mediated authorisation. On Android, that would require things like the Play Integrity API and app signatures. Then, if the server verifies that the instance of the app running on the central device is unmodified, it can issue a token that the central device can send to the peripheral for verification in addition to the signatures from the previous step.

Alternatively, you could also have the server generate the actual command frames that the central device sends to the peripheral. The server would provide the raw command frame and the command frame signed with its own key, which can be verified by the peripheral.

I guess I got a bit carried away here. Certainly, not every peripheral needs that level of security. But, into which category this device falls, I'm not sure. On the one hand, it's not a security device, like an electronic door lock. And on the other hand, it's a very personal peripheral with some unusual capabilities like the electrical muscle stimulation gizmo and the room occupancy sensor.

[0]: Like with the Android KeyStore and whichever HSMs are used in microcontrollers, so that keys can't be extracted by just dumping strings from a binary.

Interesting project. Here's a thought which I've always had in the back of my mind, ever since I saw something similar in an episode of Buck Rogers (70s-80s)! Many people struggle with falling asleep due to persistent beta waves; natural theta predominance is needed but often delayed. Imagine an "INEXPENSIVE" smart sleep mask that facilitates sleep onset by inducing brain wave transitions from beta (wakeful, high-frequency) to alpha (8-13 Hz, relaxed) and then theta (4-8 Hz, stage 1 light sleep) via non-invasive stimulation. A solution could be a comfortable eye mask with integrated headphones (unintrusive) and EEG sensors. It could use binaural beats or similar audio stimulation to "inject" alpha/theta frequencies externally, guiding the brain to a tipping point for abrupt sleep onset. Sensors would detect current waves; app-controlled audio ramps from alpha-inducing beats to theta, ensuring natural predominance. If it could be designed, it could accelerate sleep transition, improve quality, non-pharmacological.

• BenjiWiebe

  today at 6:14 PM

  So are the brain waves the cause or the effect?

  Are beta waves a sign that my mind is racing and wide awake, or are they the reason?

• Jolter

  today at 6:11 PM

  What’s your proposed mechanism for how audio waves would induce brain waves?

the headlines these days

Won't they sue for the reverse engineering?

• Jolter

  today at 6:12 PM

  On what grounds could they sue?

"smart sleep mask :D - what next, smart toilet seats? Oh, wait...

Dudes so stupid being tied to tech everywhere.

cyberpunk

> For obvious reasons, I am not naming the product/company here, but have reached out to inform them about the issue.

Coward. The only way to challenge this garbage is "Name and Shame". Light a fire under their asses. That fire can encourage them to do right, and as a warning to all other companies.

My guess is this is Luuna https://www.kickstarter.com/projects/flowtimebraintag/luuna

• a4isms

  today at 4:20 PM

  Doesn't disclosing this to the world at the same time as you disclose it to the company immediately send hundreds of black hats to their terminals to see how much chaos they can create before the company implements a fix?

  Perhaps the author is not a coward, but is giving the company time to respond and commit to a fix for the benefit of other owners who could suffer harm.

  • rkagerer

    today at 5:01 PM

    but is giving the company time to respond and commit to a fix for the benefit of other owners who could suffer harm.

    If that's the case then they should have deferred this whole blog post.

  • today at 4:45 PM

  • mystraline

    today at 4:21 PM

    It took me 30 seconds with ChatGPT by saying:

    Identify the kickstarter product talked around in this blog post: (link)

    To think some blackhat hasn't already did that is frankly laughable. What I did was like the lowest of low-bars these days.

    • Barbing

      today at 4:33 PM

      Put the product name in the title & maybe it sends thousands instead of hundreds of blackhats…

      We often treat doxxing the same way, prohibiting posting of easily discovered information.

      • mystraline

        today at 4:39 PM

        So your plan is to let the blackhats in the know attack user devices, rather than send out a large warning to "Quit using immediately"?

        If we applied this similar analogy to a e.coli infection of foods, your recommendation amounts to "If we say the company name, the company would be shamed and lose money and people might abuse the food".

        People need to know this device is NOT SAFE on your network, paired to your phone, or anything. And that requires direct and public notification.

    • pphysch

      today at 5:01 PM

      And ChatGPT hallucinated a misleading answer that you are confidently regurgitating.

      • croisillon

        today at 5:16 PM

        their original message said "my guess", not ChatGPT's, talk about responsible disclosure...

• minimalthinker

  today at 4:52 PM

  I did consider naming, but they were very responsive to the disclosure and I was not entirely familiar with potential legal implications of doing so. (For what it's worth, it is not Luuna)

  • stavros

    today at 5:45 PM

    Please name 50 other companies it's not.

    It's good that they were responsive in the disclosure, but it's still a mark of sloppiness that this was done in the first place, and I'd like to know so I can avoid them.

• itishappy

  today at 4:36 PM

  I don't see estim mentioned on that website, but I do see a comparison chart with 4 other competitors with similar capabilities to the one you linked.

  What makes you think this is the one?

  • mystraline

    today at 4:41 PM

    https://meta.wikimedia.org/wiki/Cunningham%27s_Law

    I said a guess, not absolute.

• today at 4:19 PM

• today at 4:18 PM

• everdrive

  today at 4:17 PM

  Even if naming and shaming doesn't work, I sure want to know so I can always avoid them for myself and my family. Thanks for the call-out and the educated guess.

• today at 5:25 PM

• j45

  today at 5:05 PM

  EEG devices can cost a lot to own personally as well.

  The other side of owning equipment like this is it still could be useful for some for personal and private use.

  • minimalthinker

    today at 5:58 PM

    EEG is very useful for accurate sleep tracking.

• hxbdg

  today at 4:22 PM

  Presumably they’ll be named and shamed after they’ve been given a chance to fix things.

[dead]

• ai-x

  today at 5:38 PM

  There should be two separate lines of products. One in which privacy is priority and adheres to government regulations (around privacy) and probably costs 2x and one with zero government intervention (around privacy) which costs less and time-to-market is faster.

  I don't want a few irrationally paranoid people bottlenecking progress and access to the latest technology and innovation.

  I'm happy to broadcast my brainwaves on an open YouTube channel for the ZERO people who are interested in it.

  • drnick1

    today at 7:11 PM

    > I don't want a few irrationally paranoid people bottlenecking progress and access to the latest technology and innovation.

    Paranoid? Is there not enough evidence posted almost daily on HN that tech companies are constantly spying on their users through computers, Internet-of-Shit devices, phones, cars and even washing machines? You might not care about the brainwave data specifically, but there is bound to be information on your devices that you expect remains private.

    Things have become so bad that I now refuse to use computers that don't run a DIY Linux distro like Arch that allows users to decide what goes into their system. My phone runs GrapheneOS because Google and Apple can't be trusted. I self host email and other "cloud" services for the same reason.

  • tgv

    today at 5:52 PM

    Explain how sending EEG recordings is progress. And why faster access to the latest tech is always good, for everyone.

  • selkin

    today at 5:44 PM

    otoh: the non regulated should cost more.

    It’s kinda like “qualified investors” - you want to make sure people who are wiling to do something extremely stupid can afford it and acknowledge their stupidity.

    We don’t need regulation to protect those that can afford to buy protection: we need it for those who can’t.

• plagiarist

  today at 5:00 PM

  It is a governance failure.

  It is also technically a user failure to have purchased a connected device in the first place. Does the device require a closed-source proprietary app? Closed-source non-replaceable OS? Do not buy it.

  • brabel

    today at 5:57 PM

    Very few options available, if any, if you actually do that. The IoT market is unfortunately small and dominated by vendors that don’t want at all an open ecosystem. That would hinder their ability to force you to pay for a subscription which is where all the money is.

  • jmb99

    today at 6:00 PM

    Yes, that’s right, don’t buy any new car, any phone, any television. Hell don’t buy any x86 laptop or desktop computer, since you can’t disable out replace Intel ME/etc.

Without a brand name, how can we verify this is real?

• ohyoutravel

  today at 5:39 PM

  Without any skin in the game with your username, why should we take anything you say seriously?

  • edgarvaldes

    today at 6:47 PM

    Interesting position in a thread about the dangers of exposing yourself to the internet.