Can I ask how you identify issues like this so quickly? I'm an infosec student, and I'd love to hear what your thought process is when briefly looking over the security of a certain website.
I've got a lot of practice breaking things.
CSRF can be identified really fast by checking for unique tokens. Some unguessable token should be submitted with each state changing request. If not, attackers can steal authenticated accounts by making a request to the "change PW" or "change email" URLs. It's a little confusing at first.
XSS I just set JavaScript as something that shows up in a field on a different page.
The RCE I mentioned is just uploading a PHP file for the "file upload" feature associated with messages. If he puts the uploaded file within the webroot (and the file is php since his whole site is php) then the file will be executed when you go to its URL
Web app security is something that infosec professors don't talk about at all (in my experience). I had to teach myself but OWASP is very good to get started. It also helps to write a lot of software as well since you'll tend to find pitfalls of doing things wrong
edit: If you would like to see more of the technical how-tos behind CSRF check this link out. It is a blog I wrote about CSRF and how one would actually attack someone with it.
http://ejj.io/csrf-password-bruteforce/
I thought of a similar idea one day when day dreaming at my old retail job. What if in the future, all the stores become so small, malls could house 1000s of stores. You could go in, touch the product, try it on, but they were all just display models. And than you'd order it in store, and it would be on your doorstep the next day. No need to keep inventory in the store, and you pay a much smaller rental fee. And shrink could be almost reduced to zero.
Here in the UK that's how many shops (and some chains that are still extant) started out.
You went into the local grocers which had a counter/hatch (think post office/bank), You told him what you wanted (or he your weekly order) and he (or usually his boy) would then drop the merchandise off at your house.
The Supermarkets pretty much paid to your corner grocer (economies of scale, later opening hours, more variety of items, the ability to do your shop yourself as and when needed and the increasing wealth of the UK (cars and refrigerators)).
It would be amusing if we went back to a high tech version of that.
If you go to the local Best Buy, they're already on their way to this model. They have Apple, Samsung, Nintendo, and now Microsoft mini-stores within their large space.
Someone has already picked up on the "micro-mall" phrase. They're running a store where merchants rent display space, and they handle the cash registers and stocking for them.
Though I agree, it does sound insane. What would they stock? They can't supply everything obviously. I think it will be a good outreach to put a face to the company you're buying from, and make it more personal. I'm sure the employees will have little Kindles so you can quickly order things in stock. And gain the confidence from buyers that are hesitant buying things from online retailers. Potentially this could hurt stores like Best Buy, or the like. If Amazon can provide a better customer service in person, than people will choose them over the other. I'll be curious to see how this plays out for them.
"Though I agree, it does sound insane. What would they stock?"
????
I would expect they are only going to stock amazon stuff.
Maybe amazon branded + amazonbasics.
Why would they stock anything else?
To me, this seems like a fairly obvious play: They have had trouble getting playing with fire branded stuff in their internet and tv-only campaigns.
People actually want to play with the devices.
Given the choice between buying space in best buy among tons of other companies, and leaving it to the whims of blue shirted people to sell their stuff, or doing it themselves, they chose "doing it themselves".
While I agree with you that it would definitely help their sales by selling it themselves vs. the blue shirts. I can't seem to think they will only sell Amazon products. Not to say they will sell substitutes of their products as well, I think it would be a missed opportunity to stock it only with Kindles, and Fire Phones. It would be surprising to me at least, if their main objective with this store front was to increase sales of their products alone. I could envision them being a big box in the future with stores around the US. They've already got a lot of warehouses to back something of that caliber up.
If they get into selling other people's stuff in person, they then have to compete with other people in the area on those prices, deal with support for those devices when they break. They also have to deal with all the attendant supply chain issues, etc.
Supply chain for a warehouse is different than supply chain for the store. If too many people in alabama want something tomorrow that isn't in alabama warehouse, they overnight it from vegas and pay the price. If too many people show up to buy something in the store in alabama, they are simply out of stock. In one case, they make a sale and pay a little more overhead. In the other case, they probably don't make the sale.
Additionally, right now their support is limited to "we click buttons, you repack stuff, and we ask UPS to take stuff back to us". The average brick and mortar store provides a lot more support than that.
They already deal with a lot of this for kindle products, but not other peoples.
For other people's products, I can't see them wanting to get into this business, it's a rathole, and only serves to help others more than them :)
I don't think they will get into the business of selling tvs in a big box, for example, right up until best buy dies.
I think they are perfectly happy with "people try stuff, then buy it on amazon", and i don't see why they wouldn't be.
In short, i have trouble seeing why they would want to be a big box in the future. Their entire business model is based around the idea that being a big box is inefficient.
I guess I am being too optimistic. I really enjoyed reading that response, and you brought to mind a lot of things I just didn't really consider. Supporting other peoples devices would be a hassle, and a huge undertaking who does zero of that currently. Since you've debunked my theories :), rethinking it maybe it's just a great way to advertise, and get people touch, and feel the phone in person with a great salesperson next to them. The article I think said it is suppose to be up before the holiday season. And why run a test store in New York, New York? I wouldn't ever suggest doing a test run in an extremely high end area like that. Maybe it's up for Nov, Dec, Jan.. and than disappears.
It makes sense to me too. I've never owned an Amazon device, or (I think) even touched one. I've heard middling things about them, but holding one in the hand could be enough to persuade me to pick one up.
I don't think they would have too much trouble knowing what to stock, they would just look at their sales. Stock the most popular items, new releases of movies/books/games, and phones, tablets and PC's.
On the other hand, that would make them nearly equivalent to any of the other "brick and mortar" businesses. I wonder if they want to focus on showcasing their own products, like an apple store. They have been pushing the advertising on amazon fire TV and phone a lot.
From how I interpret the Stingray, it is executing a MITM attack. These types of devices are sometimes refereed to as IMSI-catchers, and sit in between the users phone, and the real network towers. [1]
My concern is what exactly is being contained, and collected. The cell phone companies are already collecting the same data, but I would assume that with the Stingray it makes getting access to that data much faster versus having to request it from the cell phone network companies. The article mentions what they are collecting with the Stringray, "When mobile phones—and other wireless communication devices—connect to the stingray, the device can see and record their unique ID numbers and traffic data, as well as information that points to the device’s location. By moving the stingray around, authorities can triangulate the device’s location with greater precision than they can using data obtained from a fixed tower location." This technology could very well advance, and allow them in the future to collect much more maybe. Gathering location seems to be the biggest reasoning behind using the Stingray.
I'm hoping that these devices don't interfere with 911 calls. The Enhanced 911 service uses GPS data from the cellphone (if available) and cell-tower triangulation to locate the caller. If the Stingray device is acting like a tower, and someone calls 911, wouldn't an incorrect (or no) location be reported?
