The good news is that there has been a patch that fixes the gaping security hole, since February this year. Magento was told about the flaw by Check Point and released the patch.
However, the bad news is that scores of sites are still unpatched, months after the update was released.
In New Zealand, there are at least 559 sites that are vulnerable, a list compiled with the help of the owner of Dutch Magento hoster Byte.nl Willem de Groot shows.
There are some familiar business names on the the .nz list of sites that are vulnerable to Shoplift. I expect these have reasonably large numbers of customers, so action is needed.
Willem has set up tools to check for the Shoplift bug that you can use and it seems like a pretty serious issue. An earlier story for an Australian publication showed that the Shoplift bug problem is massive across the Tasman, with over 4,000 sites remaining unpatched.
Please, site-owners: patch your Magento installations, or get some help urgently to get it done for you before someone empties the store.
Less than impressive is Magento's attitude towards what is a dangerous situation for their users - the patch is not rolled into the downloadable versions of Magento Community and Enterprise Edition, and have to be applied separately.
The patch is not pushed out automatically, and users have to log in to download it which is quite astonishing. Requests for comment from Magento have been met with silence as well.
Update:
Magento owner eBay's public relations agency emailed to say that the patch has now been rolled into version 1.14.2 of the Magento Enterprise Edition. It will also be added to the next Magento Community Edition release.
The PR agency representative also included a statement from eBay's Enterprise division on the vulnerability:
"Magento is committed to ensuring a safe commerce platform for its global customers. Magento worked quickly to issue a patch on February 9, 2015 after being informed of the vulnerability in mid-January. The Magento team followed best practices by communicating awareness of the patch and vulnerability to customers and partners beginning February 10 and continuing a series of proactive communications prior to and following public disclosure of the vulnerability. Magento did not draw attention to the vulnerability through external communications to protect our merchants from compromise by hackers.
To date we are not aware of any impacted customer data from this vulnerability and can confirm that Nike, Ghirardelli, Sierra Nevada Brewing Company, Rebecca Minkoff, Zumiez and Rosetta Stone are patched and safe from this exploit. At this time we believe a vast majority of our customers are patched and are focused on pointing merchant and partners to resources to fully patch this vulnerability.
We are focused on eliminating the vulnerability and are committed to ensuring the Magento platform is safe and secure for commerce. Any customer that has not yet implemented the patch is encouraged to visit our customer and partner portals and to do so immediately. Magento advises merchants to confirm they have implemented the latest patch via a tool developed by Byte.
Magento Community Edition merchants can download the patch here.
Magento Enterprise Edition merchants can download the patch here.
Gear: Netgear Arlo security camera system
While in two minds about adding to the "cameras everywhere" modern day panopticon, they can be useful when you're not around in person.
In the past, the networked cameras I've looked at have been big, clunky and needed cabled power over Ethernet networking for instance, making installation of them difficult and time-consuming.
Netgear Arlo fixes that by using fully wireless cameras that are dead simple to set up.
Plug in the Arlo access point with the supplied Ethernet cable, sync the cameras and create a log on for the Netgear website that's used to manage the whole lot and to access video stored in the cloud, fiddle around with the tricky motion detection sensitivity setting and you're done.
Well, you need to position the cameras as well, within 91 metres of the of the access point. I got the two camera pack to trial, and Netgear supplies some cool magnetic mounting domes for them. Very simple to use, but of course, the cameras can be removed as easily which could be a drawback in some situations like outdoors mounting. Netgear also has other, more permanent mounting options for sale for Arlo.
All the gear seem to be good quality, with the cameras being quite Apple inspired with their white, round design.
The ease of set up comes with a price though: the only thing you can set on the supplied access point is the time zone and whether or not it should receive automatic firmware updates.
There's no way to change network settings in the access point, or to pick different 2.4GHz Wi-Fi channels, or to change the SSID identifier for instance. The access point has two USB ports but it doesn't appear to be possible to record video straight to storage devices.
Apparently the separate access point is necessary to manage the power usage on the cameras, but it does mean a further device with cabling to deal with which is a shame.
Speaking of power, the cameras use four CR123 half-length batteries and you'll pay through your nose for those - $13-15 each - if you don't shop around. Netgear promises four to six months' battery life so with multiple cameras definitely use rechargeable units instead.
Image quality at 1280 by 720 pixel resolution is pretty good, even with the severe compression Netgear uses to fit seven days of recording into the 1 gigabyte free account. Note that you have to set Arlo to record in 720p HD as it defaults to 650 by 352 pixel videos otherwise to save camera battery and storage space.
Two second videos are just under 11 megabytes in 720p HD, and 7.1MB in the default resolution. You'll want the 720p HD resolution for added image clarity. The cameras seem to use around 1 to 1.5Mbps of bandwidth each when operating, and the connection to the Netgear storage site is SSL secured.
There's a nightview mode in black and white and the 130 degree field of view that the cameras provide is usefully wide, making up for the fact that you can't remotely move them around.
Once positioned configured, you can get alerts when things move and the cameras start recording, delivered via email or Android or Apple iOS apps - the latter provide the same functionality to manage the cameras as the website, and are easy to use (and free).
Price-wise, Netgear Arlo isn't too expensive - in the US, where it costs US$349 for the starter two-camera and base station kit on Amazon which is a Netgear recommended reseller.
In NZ, the recommended retail price is a whopping $729 for the same kit.
Add on cameras in NZ are $299 each, whereas in the US they're US$150, less if you buy two and three packs. Shop around to get the best price, in other words.
The free storage plan for Arlo lets you run five cameras, one base station and have 1 gigabyte of storage, with videos either being deleted when the storage is full, or the cameras stop recording.
You also get thirty days free access on the free plan to premium features to upsell you to take out a monthly subscription - the Premier plan for US$9.99 a month/US$99.99 a year provides up to 10GB of storage, 30 days of recordings, scheduler for the motion detection, camera sharing and up to ten cameras per account and better product support.
An Elite option lets you hook up 15 cameras and three base stations as well, and gives 100GB of storage for 60 days' worth of recordings. This costs US$14.99 a month or US$149.99 per annum if you pay up front for a year.
The US$100 a year option's probably the best one to go for as the free account is a squeeze so factor that additional cost into the Arlo equation.
There are some areas that Netgear Arlo could do better in like providing more control of the base stations of for users, but if you want a surveillance cam system that can be set up with the minimum amount of hassle and which provides great picture quality it's worth checking out.
