Hacker News: prolifically's comments

I've seen this advice all the time, but somehow I wonder how they got their first thousand visitors. Did they do something like Reddit and have bots filling up the database until they got the ball rolling? I'm genuinely curious.


It's crazy to think that a developer would publish an application that would store username/password in clear text. iOS has a keychain API that would require maybe 3 hours of work to make it work/test. I'm sure Android has something similar.


There are tons of "developers" out there that don't know much about security or really care about it. This is especially true in the mobile space where anyone that has published a Hello World app to the app store can get a job working as a contractor.

This makes me think, though, that there could be some good money to be made by opening every single app like this to check its security, then offering services to said company to secure their application. Of course, the way the world works today, instead of taking me up on the help they would probably just contact the police.


" Of course the way the world works today; instead of taking me up on the help they would probably just contact the police."

Ok so try it this way.

Contact the company [1] [2] and tell them you believe there might be security holes in their app (and make reference to cases like Starbucks while pointing out that even if they are OK on that, there could be other issues), and offer to tell them the results of your testing (a written report) in exchange for your fee.

You haven't said you found anything in particular (and you haven't), haven't specifically said you've intruded and you can get paid for a security review which if written and done correctly will give the executive hiring you cover.

[1] Suggest a postal letter rather than email, but you could start by email; I just think it will be ignored and that it's worth the stamp to get more attention.

[2] I've done similar things (not with security) and it's worked pretty well.


This sounds almost like extortion. I would not suggest doing this with security.


It's not extortion.

And it's done quite frequently by home security companies whenever there is a burglary in a particular area. "Your neighbor just had a burglary and you might be vulnerable as well!"

And the wording can be altered to suit one's taste or level of comfort.

Of course you can blaze a large "this is a solicitation" across it, but I would suggest that if you aren't willing to push the envelope with marketing, you are not going to make out as well. This is based on my many years of experience doing similar things. Business involves taking and assessing risks and rewards. (Everyone's level of comfort or ability to do this differs, of course.)

And it's not the same (nor was I suggesting) that you say to someone "hey I found a hole in your app and if you don't pay me I will publish the results of the security hole". Details matter.

By the way, saying to a homeowner "I saw you have a few windows at your house that appear to be broken (that would allow entry!) and I'll tell you the broken windows if you pay me $50" is not extortion. Any more than saying "You have an outdated HVAC and for $100 I will give you a proposal on the best system to replace it with".


Yeah, you're right, it's not extortion. That's why I said it's almost extortion. It's certainly pretty tasteless. It is a tactic used by extortioners, and I wouldn't consider doing business with someone who applied that tactic.


I would not agree that this is extortion. I would consider it to be more self-protection. If you have no intention of misuse or public release of the security flaw, you are offering a no-harm approach while offering a valuable service. The unfortunate situation is that the business in question does not value the service even though they should.

Most competent programmers do not have time to just go around and fix every security flaw pro bono either.


I understand it's not extortion. You'll note I never said it was extortion.

I also understand how it protects the reporter.

I'm not asking the reporter to take responsibility or do anything that would harm them, I'm asking them not to essentially make the sales pitch of "look at how your neighbor had something bad happen to them, you wouldn't want something similar to happen to you now would you?"


"It's certainly pretty tasteless."

While debatable (depends on execution) whether it is tasteless to make money you sometimes have to get over that.

"I wouldn't consider doing business with someone who applied that tactic."

The person doing the sending isn't looking to close 100% of the people he mails to. Nor does he care what the recipient thinks. If you worry about that you will potentially miss a business opportunity.

Look, think of it like using a cheesy line in a bar. Something that I've never done, but I recognize that it works for some people and gets them dates. In the end, approaching 100 women with a line will work better than staying home and doing nothing (assumes you can take the rejection, of course).


Well said. I think the deceiving part is the compiling/sandboxing environment phones have. New developers don't really know what's happening when they hit 'Build & Run', so they can't understand that the key values they are storing are in plain text somewhere in the phone, easily extractable.
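The two comments above (the one recommending the iOS Keychain API over clear-text storage, and this one about key values ending up in plain text on the phone) describe the fix without showing it. The following is an added example, not code from the thread or from any app discussed in it: a small wrapper around Apple's Security framework that stores a credential as a generic-password Keychain item rather than in `UserDefaults` or a file. The service identifier `com.example.app.login` and the account name are constructed placeholders.

```swift
import Foundation
import Security

// Added example: replace plain-text credential storage with a Keychain item.
//
// The anti-pattern the thread is talking about looks like this; the value lands
// in an unencrypted plist inside the app container:
//     UserDefaults.standard.set(password, forKey: "password")
//
// The Keychain wrapper below keeps the same "save / load / delete" shape but the
// secret is encrypted by the OS and gated by the accessibility class we choose.

enum KeychainError: Error {
    case notFound
    case unexpectedStatus(OSStatus)
}

struct KeychainStore {
    /// Namespaces items so several credentials can coexist. Placeholder value.
    let service: String

    /// Base query identifying one generic-password item for this service/account.
    private func baseQuery(account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Store (or overwrite) a password for `account`.
    func save(account: String, password: String) throws {
        var query = baseQuery(account: account)
        // Delete any stale item first; SecItemAdd fails with errSecDuplicateItem otherwise.
        SecItemDelete(query as CFDictionary)
        query[kSecValueData as String] = Data(password.utf8)
        // Readable only while the device is unlocked, and never migrated to another
        // device through a backup. Pick a stricter class if the app needs it.
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Read the password back; distinguishes "no such item" from other failures.
    func load(account: String) throws -> String {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { throw KeychainError.notFound }
        guard status == errSecSuccess,
              let data = item as? Data,
              let password = String(data: data, encoding: .utf8) else {
            throw KeychainError.unexpectedStatus(status)
        }
        return password
    }

    /// Remove the credential, e.g. on logout. Missing item is not an error here.
    func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// Usage (placeholder identifiers):
let store = KeychainStore(service: "com.example.app.login")
try store.save(account: "alice@example.com", password: "correct horse battery staple")
let recovered = try store.load(account: "alice@example.com")
assert(recovered == "correct horse battery staple")
try store.delete(account: "alice@example.com")
```

The one design choice worth calling out is `kSecAttrAccessible`: the default (`kSecAttrAccessibleWhenUnlocked`) lets the item ride along in encrypted backups to another device, while the `ThisDeviceOnly` variant used here ties it to the device's hardware keys. Neither choice helps if the same password is also logged or cached elsewhere, so the wrapper is only useful when it is the sole place the secret is written.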


I hear him; the Internet could become a caste system for businesses. But from what I understood, the ruling was more about the FCC trying to bend rules to accommodate everyone with carrier types (common carrier?). Yesterday's ruling raised awareness, but the game is far from over.


I wonder if that treaty has any effect on anything. Signing parties exclude Japan, New Zealand, Russia, Chile, Ecuador and all of Central America. Seems like this is one of those treaties done just to say: 'Look, we tried, but it's complicated, [yada yada yada]'.


> public relations exercise

Without reading through it, it would seem it may have a great deal of effect on public relations in the participating countries. I'd imagine it may be used as PR leverage against countries who did not participate as well. "Just look at how little Russia and NZ care about the environment!"


Those kinds of experiments are so crazy, in a good sense. I wonder how different it is from actually seeing, and isn't there technology today that can give eyesight to the blind? Unless this is meant to be used by people who have had injuries to their eyes.

