My hey we’re probably using Firestore as their database without authenticating their api calls to firebase functions. Basically leaving their api endpoints open to the public Internet.

They could have connected service account and used some kind of auth handshake between that and generate a temporary login token based on user credentials and the service account oauth credentials to access the api. but they probably just had everything set to unauthenticated

You could easily convince me that it was a brilliantly executed honeypot. It's just too damn poetic.

"It's a women's safety app" No it wasn't. This app was about women's safety as much as the recent payment processor porn game censorship bullshit was about child safety. This was about slandering men for fun because women love gossip. The app's name was "Tea."

Not a single woman who signed up for this app stopped to think, "Here's a brand new app, just came out, has no track record, no reputation. I don't know who runs this. I don't know how they secure their database. I know what they're asking, they want a picture of my government-issued ID. We've spent the last two decades reading news headlines of the pattern "tech company was hacked, 2.2 million users compromised including emails, home addresses and SSNs" on a weekly basis. There hasn't been a week gone by since Dubya was president that hasn't happened."

The women who uploaded pictures of their IDs to some app really had their own safety in mind. Turns out you can short circuit that whole process with hilarious ease if you say things like "women only" and "slander your exes."

I don't think I could have constructed a better example as to why all the recent "prove your identity" shit is comprehensively retarded.

It's just original Facebook but for women to rate and bully men instead of Mark and his scum bros using it to rate and bully women.

As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.

Is it really just permission rights "over-exposure" issue? Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?

Also, if you have time, recommend any links to web/cloud/SaaS security best practices "for dummies"?

I'm a man too and I haven't interacted with someone like that since what, university? Maybe the problem is in who you choose to spend time with?

We didn't like it when Mark did it, why would we like it now?

I feel that the app filled a need of women we should not ignore. But the app, both this specific app and also the overall concept, is just too rife with downsides to be workable.

So we, as men and as society need to reevaluate why women feel the need for such an app, and reinvest in the criminal justice system to hold victimizers more accountable.

It’s okay to call this app and similar Facebook groups unacceptable. But that’s not enough, we must also call for stronger protections for victims of criminal behavior.

I have the solution. Nobody's gonna like it, everybody here is gonna scream at me about it, but I have the solution.

Stop dating strangers on the internet.

The entire personals site/dating app experiment we've been running for the last quarter century is obviously a categorical failure. Humans just don't work like this.

Things have gotten so much worse since I was in high school. When I was in high school, the community of girls available to me to ask out were pretty much all girls I'd known since we were 5. A lot of them, I didn't have to wonder about their character, their intentions, their capacity to do harm, I was there when all that was written. I remember how much of a bully Chelsea was in middle school, I remember how nice Ashley was to everyone, I remember how Justine seemed weirdly infatuated with me in the 4th grade. They'd all remember stuff about me and the other boys. We graduated high school, I never saw 80% of them ever again, and within 5 years that figure climbed to at least 95%. Four years of college with mostly abject strangers who you're weirdly fast to form and break deceptively deep bonds with, all of whom I've also lost track of, and then the adult world in which everyone including you is an NPC.

I happen to be the exact age where, I got out of college in 2007, I disappeared into work, like I went to the airport and I went home for two years. In 2009, I looked back up and everything had CHANGED. Instant messaging was on smart phones now, and you WERE NOT TO approach women in person, only through phone-based dating apps and you had BETTER FUCKING NOT already be acquainted.

Don't talk to women at the grocery store. Don't talk to women at the gym. Don't talk to women at the library. Don't talk to women at your work. Don't talk to women at their work. Don't talk to women at the coffee shop. Don't talk to women at the bar. Don't talk to women at the club. Don't talk to women. No woman, only app.

How do you meet more women? Oh that's categorically the wrong question because having the goal of meeting women in the first place is creepy. Stop wanting to meet women and instead organically decide you want to do things that women happen to like, and then accidentally meet women in the course of doing those things. You know, at those meetups that are always happening on a recurring basis, that aren't advertised to happen at a place and time and then no one shows up and the listing is never re-posted. Probably just install more apps.

It's been women driving this, men vastly prefer asking women out from within their social circle. The pressure to make the first move is still on men, and he'd rather ask out women he already thinks he might like. Women on the other hand vastly prefer to be cold approached by a charming stranger.

I think it's gone far enough when we've got women saying dumb shit like "Systematically doxxing and libeling men is a risk we're just going to have to take."

Well, we know what to bait a honeypot with. "Gossip about/slander men right here! To prove you're a woman, insert your photo ID, bank details, credit card information, finger prints and retinal scans."

It would be interesting to see something similar that required accusations to be backed up with evidence. Police reports, court proceedings and results, news articles etc.

It would also be a lot safer, legally speaking, for the service provider.

I think of the "bad" dates I would want to be able to warn other women of that didn't rise to the level of calling the cops. The guy who ordered triple the food and drinks I did and skipped out on the bill. The guy who flat out lied about multiple things and then got irate when I politely excused myself from the date. The MAGA weirdo who went on an unhinged rant about how I needed to submit to him because God said so. I imagine some men have comparable experiences with some anti-social women. The experiences coming to mind were not illegal, but were absolutely things I want to spare my fellow humans from.

I would prefer the dating apps themselves have some mechanism for disincentivizing anti-social behaviors. It would have to be more than a simple 5-star rating.

I wonder how it would work IRL to offer the ability to write a few sentences in response to prompts about a date. The written review is not published as-is, but is used in grouping of many reviews to give a summary about a person. Like the summary product reviews on Amazon now. "Bill's dates found he was prompt and polite. Some dates expressed discomfort at some of his political views" and "Bob's dates warn he is often late and is quick to use foul language to describe women. Multiple dates report no intention to communicate with Bob further". "Ben's dates report he has skipped out on the bill repeatedly, and sends unsolicited dick pics. Multiple dates have blocked him".

The group summary gives a buffer so the person reviewed doesn't know which specific date said what. And ensures the summary doesn't include negative comments about a person unless multiple dates of theirs independently report similar experiences.

Of course a bad actor could ditch their dating profile and start fresh any time they build up enough negative reviews to make their summary look bad. And of course the reviews and the summaries would have to be secured tighter than "Tea" is.

Something like Megan’s law but for domestic violence. I’m still not thrilled with the potential for abuse, but at least it wouldn’t be hearsay.

I’m sure the police unions would object, for obvious reasons.

Good lord, please tell me you did not just use ted bundy to describe what you think women like in men?

also did you just lore dump to a complete stranger? we're having a casual conversation.

i never said anything as insane as "Systematically doxxing and libeling men is a risk we're just going to have to take". i said doxxing should be avoided, if you'd read any of my comments.

who is this long winded comment for, exactly?

You've got the right ideas. Noone should ever be storing any password in plaintext. It should always be hashed and only the hash stored. That's like WEBDEV99 (remedial course, not even 101).

Really. Despite your stated "noobishness", you basically landed in the territory of best practices right of the bat.

If you're looking for a good source of best practices, the CIS benchmarks are great. https://www.cisecurity.org/

Yeah. You also landed on a correct thought process for security. Cloud providers will let you make datastores public but that's like handing over a revolver with an unknown number of live chambers and saying "Have fun playing Russian roulette! I hope you win." Making any datastore public facing, without an API abstraction to control authN and authZ is not just a bad practice, it's a stupid practice.

Yup. It sounds like they were following security worst practices.

On one hand, yes. On the other, women have, based upon crime statistics, legitimate reasons to avoid putting themselves in a situation where they may be assaulted or murdered for reporting problematic and/or worrisome behavior.

Brother, I need the "remedial" lessons since I self-host a lot of my experimental DNN solutions on a GPU cluster served via CasaOS/Ubuntu-Server LTS.

I've followed basic tutorials about nginx, end-to-end encryption, and DNS, but I need more knowledge and training about the theory behind modern security best practices. I think I'm doing okay but I have this ever-present anxiety that I've overlooked something and my ass (i.e., sensitive data) is really just hanging out in the wind.

Thank you for your recommendation.

The experiences coming to mind were not illegal, but were absolutely things I want to spare my fellow humans from.

What about a guy who had a panic attack in the very beginning and couldn't stop talking about his deceased dad, then about aunts and uncles, then about the dog, then about architecture, then didn't get the hint because of all the shaking, got petrified when hinted at an alcohol element in the continuation of the meeting and in the end didn't even understand a very direct hints at "only silence can save this" and having at least a sleepover?.. Who only became kinda normal after taking a sedative next morning, still shaking.

Just describing one negative experience I have provided in the past, and that while yeah, it wasn't too cool - maybe lifelong shame is not what I deserve for that ...

(Yes, I know that girl was a hero)

The group summary gives a buffer so the person reviewed doesn’t know which specific date said what. And ensures the summary doesn’t include negative comments about a person unless multiple dates of theirs independently report similar experiences.

That can't be done without somehow verifying identities of all the people involved. Unless the review app is the same as the dating app. Then there are various technical variants, like some cryptographic connection between the reviewed person's identity, the token representing one date, and a temporary identity for the reviewer, used to sign the review message. Something like that.

But that only for the entity doing the summary, which will have to be trusted with the original reviews. And that "buffer" will remove any kind of verification, unless it's something egghead-smart like a smart contract forming the review on every client, which means every client can also see the original reviews. So I dunno.

Of course a bad actor could ditch their dating profile and start fresh any time they build up enough negative reviews to make their summary look bad. And of course the reviews and the summaries would have to be secured tighter than “Tea” is.

Honestly things like this should work like some hybrid of Briar and Freenet. Just entrusting it to a centralized service is as stupid as using Facebook. And in this specific case Briar model is kinda fine - if you synchronize with everyone using the application. You don't need to have the reviews from everyone about everyone, just about people roaming the same general area.

The criminal justice system... At this point any more investment is just a waste.

That said, we're being shortsighted. The criminal justice system is far too corrupted and easy to pervert. It has way too many levers the powerful can exploit to get away with almost anything. The powerful want it that way, so the government wants it that way, and so thats the way it is. We need to burn it ALL down. And relying on naive public satiating actions like useless protest, or the belief that this can be all be fixed though voting, when shit is this far-gone, is counterproductive.