
posted by LaminatorX on Monday June 22 2015, @02:30AM
from the opposite-day dept.

http://arstechnica.com/security/2015/06/game-over-https-defects-in-dozens-of-android-apps-expose-user-passwords/

Dozens of Android apps in the Google Play store do not use HTTPS properly for logins, exposing user passwords to anyone who can observe the app's network traffic.

  • (Score: 4, Interesting) by darkfeline on Monday June 22 2015, @02:56AM

    by darkfeline (1030) on Monday June 22 2015, @02:56AM (#199268) Homepage

    Here's one possibility:

    Only free and non-commercial software licenses are allowed to fully limit liability of software. That means that if there's a bug in the software, the developer has no responsibility for any damages caused.

    Any commercial or non-free software MUST follow certain software quality regulations. Otherwise, they are fully responsible for any damages caused by their software due to lack of documentation or bugs. If they meet these quality regulations however, they can avoid liability from some random bug screwing stuff up (because bugs do happen, unfortunately).

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 5, Insightful) by gnuman on Monday June 22 2015, @03:08AM

    by gnuman (5013) on Monday June 22 2015, @03:08AM (#199271)

    That's a completely stupid proposal. What standards? Who enforces them? If Microsoft fixes a bug that then causes other software to fail because they understood that as a feature, then what?

    Software is not rebar in concrete. People that try to compare the two really don't know WTF they are talking about, either with respect to software or rebar.

    • (Score: 4, Insightful) by Runaway1956 on Monday June 22 2015, @05:58AM

      by Runaway1956 (2926) Subscriber Badge on Monday June 22 2015, @05:58AM (#199300) Journal

      Why is it so stupid? The concept is already in effect in other fields. Police are held to different standards than other people. Doctors are held to standards that EMTs, first responders, and volunteers are held to. Truck drivers are held to standards that few motorists are willing to adhere to.

      The difference is, professionals should be accountable for their actions, whereas hobbyists and volunteers aren't liable for much of anything, in any field. Gross negligence is often punishable, but the standards for determining negligence are vastly different for a volunteer and a professional.

      You do ask a couple fair questions - "What standards?" and "Who enforces them?" Those are questions that need to BE answered, before trying to enforce any kind of standards on anyone. So - let's look for those answers!

      Bottom line is, a person who profits from his creations should be responsible for those creations.

      • (Score: 2) by gnuman on Monday June 22 2015, @08:57PM

        by gnuman (5013) on Monday June 22 2015, @08:57PM (#199583)

        Why is it so stupid?

        There are penalties in engineering: if an engineer makes terrible decisions and a building/bridge collapses, then they can be liable, including imprisonment. When was the last time an engineer went to jail? Why are most residential foundations in North America cracking? Why aren't these "professionals" accountable? When was the last time a doctor went to jail because their patient died?

        Software is not like doctors. Or engineers, where you can test the strength of every component and know it works. Software is a house of cards, bugs on top of bugs. If you change something at the bottom, the entire thing can topple even if the change was 100%. This is why software relies on extensive unit testing and integration frameworks. You can write 100% correct software that then will crash and burn because someone commented out one line of code.

        https://www.debian.org/security/2008/dsa-1571

        or because it was compromised by,

        http://news.softpedia.com/news/NIST-Removes-NSA-Made-Crypto-Algorithm-from-RNG-Recommendations-List-438944.shtml

        Who is going to hold the NSA accountable? What about volunteers? What makes someone a "professional"? And what about the PHB that breathes down on the developer: "fuck security, we need to ship it NOW"?

        This is why this is a stupid idea. There are millions of developers in this world. We don't need most of them pushing paperwork to comply with some random "rules" just so parts of "Angry Birds" can be written better. Look at the abysmal state of security in medical devices - and that is a *regulated* field. If they aren't able to fix it in that niche, what makes you think you can solve it in general?

        • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @01:19AM

          by Anonymous Coward on Tuesday June 23 2015, @01:19AM (#199680)

          There are penalties in engineering: if an engineer makes terrible decisions and a building/bridge collapses, then they can be liable, including imprisonment. When was the last time an engineer went to jail? Why are most residential foundations in North America cracking? Why aren't these "professionals" accountable?

          Because the problem there isn't shoddy design, it's that they haven't been maintained. The government has a responsibility to maintain infrastructure, so they should be the ones in prison when bridges collapse after decades of neglect.

        • (Score: 1, Interesting) by Anonymous Coward on Tuesday June 23 2015, @08:35AM

          by Anonymous Coward on Tuesday June 23 2015, @08:35AM (#199786)

          Software is not like doctors. Or engineers where you can test strength of every component and know it works.

          Ever heard of unit testing?

          Software is a house of cards, bugs on top of bugs.

          This sadly describes a lot of software written today. But that's not a law of nature, that's the result of incompetent programmers.

          If you change something at the bottom, the entire thing can topple even if the change was 100%.

          If you remove the wrong wall from the basement of a building, the whole building can crash. So how is that different from software?

          If your software structure is properly documented, you know what you can change and what you cannot change without the software stack cracking down.

          You can write 100% correct software that then will crash and burn because someone commented out one line of code.

          Given that the change was to remove undefined behaviour, I don't agree that the software was 100% correct. The "fix" of course was causing the behaviour to be defined, but wrong. In addition, according to this site [taint.org] the SSH authors were not reachable to ask about it; another thing that would be covered by proper standards (indeed, arguably such parts as ensuring proper reachability — within the limits of reasonable effort, of course — are even more important than standards about the actual code).

          Who is going to hold NSA accountable?

          Well, three-letter agencies break the law all the time, so that's not an argument … but if someone has to lose real money because of their actions, the pressure to actually hold them accountable will be much larger (remember, the big companies funding the politicians will not like being at financial risk).

          What about volunteers? What makes someone a "professional"?

          If you enter contracts about doing the work, you're acting as a professional. If you ask for money for your product, you're acting as a professional.

          And what about the PHB that breathes down on the developer: "fuck security, we need to ship it NOW"?

          Well, that PHB will then later have to tell his boss why the company has to pay those liabilities. And due to process documentation standards, there will be no question who is responsible.

          Look at the abysmal state of security in medical devices - and that is a *regulated* field.

          Are there regulations about device security?

          Anyway, you might be right in claiming that it is a bad idea; I certainly didn't do an extensive analysis of the pros and cons. But a bad idea is not the same as a stupid idea. And I keep claiming that the idea is not stupid.
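As an added illustration of the exchange above (the Debian advisory gnuman links is DSA-1571, the 2008 OpenSSL predictable random number generator bug, and the reply's point is that the removed line was the one feeding the entropy pool), here is a toy seed-and-generate routine in C. It is not OpenSSL's code and not the Debian patch: the pool layout, the scrambler, the two 32-byte sample entropy buffers and the 32768 PID ceiling are all assumptions made for this example. Deleting the single rng_add() call leaves a program that still compiles and runs, yet every key it produces becomes a function of the process ID alone, so an attacker can regenerate the whole keyspace and match a captured key.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_WORDS 4     /* toy "key" is 4 x 64 bits = 256 bits */

/* Constructed sample inputs: two different 32-byte entropy buffers standing
   in for what the OS feeds the generator. Byte 7 is nonzero in both, so the
   first pool word is far larger than any PID (relied on by brute_force_pid). */
static const unsigned char ENTROPY_A[32] = {
    0x9f,0x3a,0x51,0xc2,0x07,0x6e,0xd4,0x88, 0x12,0x45,0x78,0xab,0xde,0xf0,0x13,0x57,
    0x9b,0xdf,0x24,0x68,0xac,0xe1,0x35,0x79, 0xbd,0xf2,0x46,0x8a,0xce,0x03,0x47,0x8b };
static const unsigned char ENTROPY_B[32] = {
    0x1c,0xe4,0x7b,0x02,0x99,0x3d,0x60,0xa7, 0xff,0x00,0x11,0x22,0x33,0x44,0x55,0x66,
    0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee, 0x0f,0x1e,0x2d,0x3c,0x4b,0x5a,0x69,0x78 };

typedef struct {
    uint64_t s[KEY_WORDS];   /* pool state */
    size_t   n;              /* bytes absorbed so far */
} toy_rng;

static void rng_init(toy_rng *r) { memset(r, 0, sizeof *r); }

/* Mix bytes into the pool: byte i lands at a fixed bit position, so the pool
   is a reversible function of what went in. This is the stand-in for the
   MD_Update() call the Debian patch removed. */
static void rng_add(toy_rng *r, const unsigned char *p, size_t len) {
    for (size_t i = 0; i < len; i++, r->n++) {
        size_t word = (r->n / 8) % KEY_WORDS;
        size_t bit  = (r->n % 8) * 8;
        r->s[word] ^= (uint64_t)p[i] << bit;
    }
}

/* splitmix64 finaliser: each step (xorshift, multiply by an odd constant) is
   a bijection on 64-bit values, so distinct inputs always give distinct
   outputs. That property is what makes the brute-force match exact. */
static uint64_t scramble(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Emit a key: the PID is always mixed in (assumed, as in the real bug), then
   each pool word is scrambled. */
static void rng_bytes(const toy_rng *r, uint32_t pid, uint64_t key[KEY_WORDS]) {
    for (int w = 0; w < KEY_WORDS; w++)
        key[w] = scramble(r->s[w] ^ pid);
}

/* Before the patch: entropy first, then PID. */
void keygen_original(const unsigned char *entropy, size_t len, uint32_t pid,
                     uint64_t key[KEY_WORDS]) {
    toy_rng r;
    rng_init(&r);
    rng_add(&r, entropy, len);          /* the one line that got commented out */
    rng_bytes(&r, pid, key);
}

/* After the patch: identical code with that one call gone. Still compiles,
   still "works", but the key now depends on nothing but the PID. */
void keygen_patched(const unsigned char *entropy, size_t len, uint32_t pid,
                    uint64_t key[KEY_WORDS]) {
    toy_rng r;
    rng_init(&r);
    (void)entropy; (void)len;           /* rng_add(&r, entropy, len); removed */
    rng_bytes(&r, pid, key);
}

/* Attacker's view: regenerate the key for every PID the patched code could
   have run under and compare with the captured key.
   Returns the matching PID, or -1 if no PID reproduces it. */
long brute_force_pid(const uint64_t target[KEY_WORDS], uint32_t max_pid) {
    uint64_t cand[KEY_WORDS];
    for (uint32_t pid = 0; pid < max_pid; pid++) {
        keygen_patched(NULL, 0, pid, cand);
        if (memcmp(cand, target, sizeof cand) == 0) return (long)pid;
    }
    return -1;
}

int main(void) {
    uint64_t k_orig[KEY_WORDS], k_patched[KEY_WORDS];
    keygen_original(ENTROPY_A, sizeof ENTROPY_A, 4321, k_orig);
    keygen_patched(ENTROPY_A, sizeof ENTROPY_A, 4321, k_patched);
    printf("original key word0 %016llx, patched key word0 %016llx\n",
           (unsigned long long)k_orig[0], (unsigned long long)k_patched[0]);
    /* 32768 is assumed as the PID ceiling (Linux's default pid_max) */
    printf("brute force vs original: %ld, vs patched: %ld\n",
           brute_force_pid(k_orig, 32768), brute_force_pid(k_patched, 32768));
    return 0;
}
```

Compile with `cc -std=c99 -Wall toy_rng.c`. The original key is never recovered because the entropy words are far outside the PID range, while the patched key is found in at most 32768 tries; that gap, not the size of the deleted line, is what the advisory was about.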

    • (Score: 3, Interesting) by Anonymous Coward on Monday June 22 2015, @07:22AM

      by Anonymous Coward on Monday June 22 2015, @07:22AM (#199310)

      That's a completely stupid proposal.

      Such a line is an almost certain hint that the one who writes that line is the stupid one.

      What standards?

      Sure, because nobody has ever been able to develop a standard about anything.

      Who enforces them?

      Who enforces the standards about the electric grid? Who enforces the standards about railways? Who enforces the standards concerning building codes?

      If Microsoft fixes a bug that then causes other software to fail because they understood that as a feature, then what?

      Did Microsoft document that to be a feature? No? Then on what basis did the programmer of the other software consider it a feature?

      That's of course assuming that Microsoft fulfilled its documentation duties, which would also be part of those standards. That is, the interface has to be completely specified. And of course Microsoft then has the duty to rely only on the specified interface for its own software as well.

      • (Score: 0) by Anonymous Coward on Monday June 22 2015, @02:07PM

        by Anonymous Coward on Monday June 22 2015, @02:07PM (#199413)

        Such a line is an almost certain hint that the one who writes that line is the stupid one.

        You stated this as a statistical fact, and yet I don't see you citing any studies. There are plenty of stupid proposals being suggested out there, so I don't see where you get this.

        Sure, because nobody has ever been able to develop a standard about anything.

        I wouldn't say that it's impossible to develop a standard, but it isn't a good idea. You're going to increase the cost of developing software immensely, and even with a FLOSS exception, there are little guys who develop and sell their own software (probably learning to code while doing so) that probably couldn't meet these standards. And they probably develop unimportant phone apps, too.

        • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:38AM

          by Anonymous Coward on Tuesday June 23 2015, @08:38AM (#199788)

          there are little guys who develop and sell their own software (probably learning to code while doing so)

          If you are still learning to code, you shouldn't sell the stuff you wrote, period.

    • (Score: 1, Informative) by Anonymous Coward on Monday June 22 2015, @08:05AM

      by Anonymous Coward on Monday June 22 2015, @08:05AM (#199325)

      Software is not rebar in concrete. People that try to compare the two really don't know WTF they are talking about

      avionics software is heavily regulated, so regulation is at least possible

      if consumer software is regulated in any kind of similar fashion, prices will soar and you can kiss FOSS goodbye

      so while it may be possible to regulate software, that doesn't make it a good idea

  • (Score: 0) by Anonymous Coward on Monday June 22 2015, @04:21AM

    by Anonymous Coward on Monday June 22 2015, @04:21AM (#199288)

    Are you using Microsoft brand tinfoil hats or the generic food-4-less type? It isn't working, everyone can see your I.Q.

  • (Score: 0) by Anonymous Coward on Monday June 22 2015, @02:01PM

    by Anonymous Coward on Monday June 22 2015, @02:01PM (#199410)

    Any commercial or non-free software MUST follow certain software quality regulations.

    Releasing software is free speech, and needing to pay for it doesn't change that, so I would consider this a violation of the first amendment even if the courts don't see it that way. Besides, what if it's Free Software *and* commercial? Or what if it's just some random amateur trying to sell some software? These mythical regulations will only vastly increase the cost of making software, and since the topic is about phone apps, that's utterly fucking absurd. The little guy who is learning on the job and developing and selling their own software wouldn't even have a chance.

    Not all software is of equal importance, either.

    • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @01:24AM

      by Anonymous Coward on Tuesday June 23 2015, @01:24AM (#199683)

      Releasing software is free speech

      Source code should be covered as free speech, but I fail to see how compiled binaries would be.