Women’s ‘red flag’ app Tea is a privacy nightmare
Technology
127
Beiträge
61
Kommentatoren
1.4k
Aufrufe
-
It would be interesting to see something similar that required accusations to be backed up with evidence. Police reports, court proceedings and results, news articles etc.
It would also be a lot safer, legally speaking, for the service provider.
Something like Megan’s law but for domestic violence. I’m still not thrilled with the potential for abuse, but at least it wouldn’t be hearsay.
I’m sure the police unions would object, for obvious reasons.
-
I have the solution. Nobody's gonna like it, everybody here is gonna scream at me about it, but I have the solution.
Stop dating strangers on the internet.
The entire personals site/dating app experiment we've been running for the last quarter century is obviously a categorical failure. Humans just don't work like this.
Things have gotten so much worse since I was in high school. When I was in high school, the community of girls available to me to ask out were pretty much all girls I'd known since we were 5. A lot of them, I didn't have to wonder about their character, their intentions, their capacity to do harm, I was there when all that was written. I remember how much of a bully Chelsea was in middle school, I remember how nice Ashley was to everyone, I remember how Justine seemed weirdly infatuated with me in the 4th grade. They'd all remember stuff about me and the other boys. We graduated high school, I never saw 80% of them ever again, and within 5 years that figure climbed to at least 95%. Four years of college with mostly abject strangers who you're weirdly fast to form and break deceptively deep bonds with, all of whom I've also lost track of, and then the adult world in which everyone including you is an NPC.
I happen to be the exact age where, I got out of college in 2007, I disappeared into work, like I went to the airport and I went home for two years. In 2009, I looked back up and everything had CHANGED. Instant messaging was on smart phones now, and you WERE NOT TO approach women in person, only through phone-based dating apps and you had BETTER FUCKING NOT already be acquainted.
Don't talk to women at the grocery store. Don't talk to women at the gym. Don't talk to women at the library. Don't talk to women at your work. Don't talk to women at their work. Don't talk to women at the coffee shop. Don't talk to women at the bar. Don't talk to women at the club. Don't talk to women. No woman, only app.
How do you meet more women? Oh that's categorically the wrong question because having the goal of meeting women in the first place is creepy. Stop wanting to meet women and instead organically decide you want to do things that women happen to like, and then accidentally meet women in the course of doing those things. You know, at those meetups that are always happening on a recurring basis, that aren't advertised to happen at a place and time and then no one shows up and the listing is never re-posted. Probably just install more apps.
It's been women driving this, men vastly prefer asking women out from within their social circle. The pressure to make the first move is still on men, and he'd rather ask out women he already thinks he might like. Women on the other hand vastly prefer to be cold approached by a charming stranger.
I think it's gone far enough when we've got women saying dumb shit like "Systematically doxxing and libeling men is a risk we're just going to have to take."
Good lord, please tell me you did not just use ted bundy to describe what you think women like in men?
also did you just lore dump to a complete stranger? we're having a casual conversation.
i never said anything as insane as "Systematically doxxing and libeling men is a risk we're just going to have to take". i said doxxing should be avoided, if you'd read any of my comments.
who is this long winded comment for, exactly?
-
Encrypting the transmission doesn't do much if every app installation contains access credentials that can be extracted or sniffed.
Encrypt the credentials then? Or OAUTH pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that encrypts the data on that server and then decrypted on the database host?
Clearly my utter "noobishness" is showing, but at least it's triggering a slight urge to casually peruse modern WebSec production workflows. I am a DNN researcher. Thus, I am far removed from customer-facing production environments, and it shows.
Any recommendations on literature or articles on how engineers solve these problems in a "best practices" way that you can recommend? I suppose I could just look it up, but I thought I'd ask.
Edit: I don't know why I'm down-voted. My questions were sincere.
You've got the right ideas. Noone should ever be storing any password in plaintext. It should always be hashed and only the hash stored. That's like WEBDEV99 (remedial course, not even 101).
Really. Despite your stated "noobishness", you basically landed in the territory of best practices right of the bat.
If you're looking for a good source of best practices, the CIS benchmarks are great. https://www.cisecurity.org/
-
Wouldn't some sort of proxy in between the bucket and the client app solve this problem? I feel like you could even set up an endpoint on your backend that manages the upload. In other words, why is it necessary for the client app to connect directly with the bucket?
Maybe I'm not understanding the gist of the problem
Yeah. You also landed on a correct thought process for security. Cloud providers will let you make datastores public but that's like handing over a revolver with an unknown number of live chambers and saying "Have fun playing Russian roulette! I hope you win." Making any datastore public facing, without an API abstraction to control authN and authZ is not just a bad practice, it's a stupid practice.
-
My hey we’re probably using Firestore as their database without authenticating their api calls to firebase functions. Basically leaving their api endpoints open to the public Internet.
They could have connected service account and used some kind of auth handshake between that and generate a temporary login token based on user credentials and the service account oauth credentials to access the api. but they probably just had everything set to unauthenticated
Yup. It sounds like they were following security worst practices.
-
Defaming people without giving them a chance to defend themselves, talk about shit people...
On one hand, yes. On the other, women have, based upon crime statistics, legitimate reasons to avoid putting themselves in a situation where they may be assaulted or murdered for reporting problematic and/or worrisome behavior.
-
You've got the right ideas. Noone should ever be storing any password in plaintext. It should always be hashed and only the hash stored. That's like WEBDEV99 (remedial course, not even 101).
Really. Despite your stated "noobishness", you basically landed in the territory of best practices right of the bat.
If you're looking for a good source of best practices, the CIS benchmarks are great. https://www.cisecurity.org/
Brother, I need the "remedial" lessons since I self-host a lot of my experimental DNN solutions on a GPU cluster served via CasaOS/Ubuntu-Server LTS.
I've followed basic tutorials about nginx, end-to-end encryption, and DNS, but I need more knowledge and training about the theory behind modern security best practices. I think I'm doing okay but I have this ever-present anxiety that I've overlooked something and my ass (i.e., sensitive data) is really just hanging out in the wind.
Thank you for your recommendation.
-
I think of the "bad" dates I would want to be able to warn other women of that didn't rise to the level of calling the cops. The guy who ordered triple the food and drinks I did and skipped out on the bill. The guy who flat out lied about multiple things and then got irate when I politely excused myself from the date. The MAGA weirdo who went on an unhinged rant about how I needed to submit to him because God said so. I imagine some men have comparable experiences with some anti-social women. The experiences coming to mind were not illegal, but were absolutely things I want to spare my fellow humans from.
I would prefer the dating apps themselves have some mechanism for disincentivizing anti-social behaviors. It would have to be more than a simple 5-star rating.
I wonder how it would work IRL to offer the ability to write a few sentences in response to prompts about a date. The written review is not published as-is, but is used in grouping of many reviews to give a summary about a person. Like the summary product reviews on Amazon now. "Bill's dates found he was prompt and polite. Some dates expressed discomfort at some of his political views" and "Bob's dates warn he is often late and is quick to use foul language to describe women. Multiple dates report no intention to communicate with Bob further". "Ben's dates report he has skipped out on the bill repeatedly, and sends unsolicited dick pics. Multiple dates have blocked him".
The group summary gives a buffer so the person reviewed doesn't know which specific date said what. And ensures the summary doesn't include negative comments about a person unless multiple dates of theirs independently report similar experiences.
Of course a bad actor could ditch their dating profile and start fresh any time they build up enough negative reviews to make their summary look bad. And of course the reviews and the summaries would have to be secured tighter than "Tea" is.
The experiences coming to mind were not illegal, but were absolutely things I want to spare my fellow humans from.
What about a guy who had a panic attack in the very beginning and couldn't stop talking about his deceased dad, then about aunts and uncles, then about the dog, then about architecture, then didn't get the hint because of all the shaking, got petrified when hinted at an alcohol element in the continuation of the meeting and in the end didn't even understand a very direct hints at "only silence can save this" and having at least a sleepover?.. Who only became kinda normal after taking a sedative next morning, still shaking.
Just describing one negative experience I have provided in the past, and that while yeah, it wasn't too cool - maybe lifelong shame is not what I deserve for that ...
(Yes, I know that girl was a hero)
The group summary gives a buffer so the person reviewed doesn’t know which specific date said what. And ensures the summary doesn’t include negative comments about a person unless multiple dates of theirs independently report similar experiences.
That can't be done without somehow verifying identities of all the people involved. Unless the review app is the same as the dating app. Then there are various technical variants, like some cryptographic connection between the reviewed person's identity, the token representing one date, and a temporary identity for the reviewer, used to sign the review message. Something like that.
But that only for the entity doing the summary, which will have to be trusted with the original reviews. And that "buffer" will remove any kind of verification, unless it's something egghead-smart like a smart contract forming the review on every client, which means every client can also see the original reviews. So I dunno.
Of course a bad actor could ditch their dating profile and start fresh any time they build up enough negative reviews to make their summary look bad. And of course the reviews and the summaries would have to be secured tighter than “Tea” is.
Honestly things like this should work like some hybrid of Briar and Freenet. Just entrusting it to a centralized service is as stupid as using Facebook. And in this specific case Briar model is kinda fine - if you synchronize with everyone using the application. You don't need to have the reviews from everyone about everyone, just about people roaming the same general area.
-
I feel that the app filled a need of women we should not ignore. But the app, both this specific app and also the overall concept, is just too rife with downsides to be workable.
So we, as men and as society need to reevaluate why women feel the need for such an app, and reinvest in the criminal justice system to hold victimizers more accountable.
It’s okay to call this app and similar Facebook groups unacceptable. But that’s not enough, we must also call for stronger protections for victims of criminal behavior.
The criminal justice system... At this point any more investment is just a waste.
That said, we're being shortsighted. The criminal justice system is far too corrupted and easy to pervert. It has way too many levers the powerful can exploit to get away with almost anything. The powerful want it that way, so the government wants it that way, and so thats the way it is. We need to burn it ALL down. And relying on naive public satiating actions like useless protest, or the belief that this can be all be fixed though voting, when shit is this far-gone, is counterproductive.
-
This post did not contain any content.
Why did the app had the government IDs and credit card data to begin with? The app looks like an obvious phishing scam/ Honeypot situation.
-
Wouldn't some sort of proxy in between the bucket and the client app solve this problem? I feel like you could even set up an endpoint on your backend that manages the upload. In other words, why is it necessary for the client app to connect directly with the bucket?
Maybe I'm not understanding the gist of the problem
Exactly, it's not necessary. It's bad / lazy design. You don't expose the DB storage directly, you expose a frontend that handles all the authentication and validation stuff before accessing the DB on the backend. That's normal Client-Server-Database architecture.
-
On one hand, yes. On the other, women have, based upon crime statistics, legitimate reasons to avoid putting themselves in a situation where they may be assaulted or murdered for reporting problematic and/or worrisome behavior.
I don't think creating an incel style circlejerk is the best solution.
-
Good lord, please tell me you did not just use ted bundy to describe what you think women like in men?
also did you just lore dump to a complete stranger? we're having a casual conversation.
i never said anything as insane as "Systematically doxxing and libeling men is a risk we're just going to have to take". i said doxxing should be avoided, if you'd read any of my comments.
who is this long winded comment for, exactly?
please tell me you did not just use ted bundy to describe what you think women like in men?
I did, because he was. Two different ways.
-
Bundy's modus operandi was to approach women in public as a handsome, charming stranger. I'm pretty sure women like handsome, charming strangers; the entire female dating strategy seems to be geared toward attracting handsome, charming strangers. Ted Bundy was able to attract dozens of victims like that. There's an inherent danger in attracting strangers, because sometimes strangers are psychopaths.
-
Ted Bundy got a LOT of fan mail from women while he was in prison. Love letters, marriage proposals, nude photos. A shocking number of women saw his picture on the news alongside words like "murder trial" and "death sentence" and said "That's the man for me." He pulled some weird stunt to "get married" and he fathered a child from prison. This isn't unique to Ted Bundy, lots of mass murderers and serial killers have groupies, from Charles Manson to Dylan Klebold.
i said doxxing should be avoided, if you’d read any of my comments.
You came across as pretty lukewarm to me. "Yeah doxxing is a problem I guess." You can't have a Don't Date Him Girl website without doxxing. Doxxing is how they work.
-
-
This post did not contain any content.
A more ironic outcome couldn't have happened
-
A lot of people have speculated that.
According to their statement their code was written in Feb/2024 and predates "vibe coding"
What intrigue me is this:
I'm confident vibe coding was not to blame in this particular case,
So they used vibe coding, they are only saying that they think/hope that it is not the cause of the break (and maybe also of the second one)
And if vvibe coding is not caused then they are even more incompetent.
-
I don't think creating an incel style circlejerk is the best solution.
I agree. Some sort of solution is necessary but this probably isn't it.
-
please tell me you did not just use ted bundy to describe what you think women like in men?
I did, because he was. Two different ways.
-
Bundy's modus operandi was to approach women in public as a handsome, charming stranger. I'm pretty sure women like handsome, charming strangers; the entire female dating strategy seems to be geared toward attracting handsome, charming strangers. Ted Bundy was able to attract dozens of victims like that. There's an inherent danger in attracting strangers, because sometimes strangers are psychopaths.
-
Ted Bundy got a LOT of fan mail from women while he was in prison. Love letters, marriage proposals, nude photos. A shocking number of women saw his picture on the news alongside words like "murder trial" and "death sentence" and said "That's the man for me." He pulled some weird stunt to "get married" and he fathered a child from prison. This isn't unique to Ted Bundy, lots of mass murderers and serial killers have groupies, from Charles Manson to Dylan Klebold.
i said doxxing should be avoided, if you’d read any of my comments.
You came across as pretty lukewarm to me. "Yeah doxxing is a problem I guess." You can't have a Don't Date Him Girl website without doxxing. Doxxing is how they work.
skipped everything about ted bundy cause wtf you're obsessed, man. maybe join a bundy dating app?
also let me make it clear since you missed it last time (even though you quoted it). I think doxxing is bad and should be avoided. fuck's sake man. i am a commenter, not a politician. i read this stuff over breakfast. take it easy ffs.
not everything has to be a huge debate.
-
-
I feel that the app filled a need of women we should not ignore. But the app, both this specific app and also the overall concept, is just too rife with downsides to be workable.
So we, as men and as society need to reevaluate why women feel the need for such an app, and reinvest in the criminal justice system to hold victimizers more accountable.
It’s okay to call this app and similar Facebook groups unacceptable. But that’s not enough, we must also call for stronger protections for victims of criminal behavior.
I think there must be a way to deliver on the value of the app without it being the privacy/public exposure nightmare it sounds like. Speaking naively, perhaps a setup where you can only speak about a person with those who have actually matched with them.
-
Yup. It sounds like they were following security worst practices.
I get doing that in Dev for testing before launch, but in production? that’s insane.
Like it has to either be a junior developer playing the role of lead or some serious lack of web dev fundamentals haha
-
I think there must be a way to deliver on the value of the app without it being the privacy/public exposure nightmare it sounds like. Speaking naively, perhaps a setup where you can only speak about a person with those who have actually matched with them.
There’s no “matching” on this app, because men aren’t allowed. By its very design, you can’t avoid the unilateral one-sidedness.
