44 comments

[ 3.3 ms ] story [ 91.8 ms ] thread
Are this kind of apps really a thing?
Well, Apple has had one called “Find My Friends” since 2011.
But you have to authorize them and I trust more Apple than any random dev making an app with my location.

I used the "find my frieds" enabling my wife to track me for when I went in a long distance working trip from Italy in a very sketchy area of the US called SILICON VALLEY.

Jokes apart, a temporary "find my friends" can be useful, but a continuous tracking it's nonsense to me.

People routinely grant apps location access for much more dubious reasons. Anyhow, I was just pointing out this is an function that people definitely find useful.
Yes of course. Personally I use Life360. It's very handy. Even Google had an app like it, until (of course!) they killed it.
Google maps still allows location sharing, not just covert one.
They brought it back. It's branded "location sharing" in the current iteration of Google Maps. Works just like Latitude used to. You can see people who are sharing their location with you right in Google Maps.
Ah that's cool, I did not hear that it came back. Thanks for the info!
Yes. They are terrible. My mother uses it on my teenage brother so much that he actually leaves his phone places so she thinks he’s somewhere he isn’t.

So in wanting to keep your child safe by checking these apps often, you can make them _less_ safe and more dishonest.

That's not a problem with the app.
It is a root problem the app embodies.
We manage to use the app without this problem. Everybody participates willingly.
That gives him the different benefit of experiencing life as a teenager without a phone.
Not much of a benefit if he's the only person in his friends' group without one.
I'm curious about the demographics of someone that would ask such a question (in such a manner). I suspect you do not have children, or at least not teenage ones. I recall that I used to hold much stronger (and different) opinions about child-rearing _before_ I had children of my own.

I constantly struggle with balance between keeping my children safe and allowing them agency and the development of personal responsibility. Among other things, this ranges over such topics as location tracking, internet filtering, browser history, screen-time, etc.

I will absolutely admit that much of this sounds like the stuff that repressive governments engage in, but then again, my children are not full citizens. They are developing human beings that require a certain degree of protection.

Are you only opposed to location tracking? What level of "nanny-state" do think is acceptable in a household setting?

I just fail to see what exactly tracking teenagers would be keeping them "safe" from. It seems like it wouldn't result in anything but resentment and sneaky behaviour.
Now that you do have kids, do you use such an app? Do you plan to?

(I'm a father of a 3 year old; I'll likely use _something_ like this when she's old enough to go to the store around the corner and back by herself, but will likely stop once she's old enough to take the subway by herself.)

Think of it this way, what did parents do before these kinds of things were available? Humans are still in existence, so teenagers were able to survive without this level af parental tracking. I think this level of parental overwatch says more about the parent’s insecurities than anything. You know what you were up to as a teenager. That’s probably what your teenager is doing. Did anything you do deserve big brother level tracking?
Every generation throws off the ideals of the generation that came before.

Parents monitor their kids for a combination of:

1. Worry about the outside world. Justified - but monitoring location doesn't make it any less likely that they'll get hurt.

2. Worry about their child doing something they consider dumb. Again - justified. They will absolutely do something you consider dumb. But monitoring your child won't make then agree with you and won't stop them from doing something you don't like. The tighter the grip, the more they'll fight and the more they'll resent you for making them fight.

Parents like to think that this resentment will go away when the child is older. It doesn't. Many of you probably resent something your parents did when you were younger. But it does become less intense with distance - like everything else.

Anywho - Monitoring teenagers doesn't actually help anything. Monitoring younger children might make you feel more safe, though.

As someone with extremely overbearing helicopter parents that now has a lot of issues that I have been working through over time with a therapist, please don't surveil and micromanage your children. It ultimately led to a lot of distrust of authority, anxiety, depression, social isolation, making worse choices in attempts to circumvent security controls and attempt to have control over my life, and other long lasting negative effects. I can guarantee that anything you implement (gps tracking, cameras, filters, logs) will be easily identified and bypassed, causing distrust and potentially even less safe decisions/scenarios.
> I suspect you do not have children

The absolute worst genre of HN comments is "single childless guy criticizes others about their parenting". You've got some examples in the replies to this comment.

I will say you're probably doing fine.

Not the first time someone left a MongoDB database exposed to the wild, and it won't be the last. It's an easy thing to do, especially since MongoDB is so popular for small single-server projects.

A few years ago, I discovered the open MongoDB database of an educational website called Kaizena, which we were using in my high school English class. When I reported the problem to them, they quickly fixed it (probably with some iptables hack). They even wrote a blog post [1] about fixing it, where they claimed they added "additional firewalls to the database". More like _one_ firewall.

As a side note, Kaizena also had another security bug where their API would return JSON payloads that had private information in it (e.g. the voice feedback for other students' work). I reported it years ago, but who knows if it's fixed.

[1] https://blog.kaizena.com/post/68627783859/a-note-on-security

As bad as it is, I can understand accidentally leaving a database accessible (they generally need to be accessible and setting just the right amount of accessible can be complex).

But this:

> ...plaintext passwords...

Why, oh why, store plaintext passwords?!?

* Because you are outsourcing development and you don't control * Because it's your first app (or something like that)
I can sort of see why and it's for the same reason databases are left wide open.

You start a project. You set up a DB with minimal security because you're just starting the project, and you figure that down the road before you release to the public, you will secure that DB.

A few weeks/months pass and you are ready to release your app into the wild. But by that time you are focused on other things and that unsecured DB is forgotten because it has "just worked" since that initial setup. You release and sometime later something like this happens because that DB never got the attention to security it needed because it "just worked" and was forgotten.

Don't get me wrong this is still very bad. But I can see how an unsecured server/plaintext passwords happen. It's not by design b but rather a shortcut you took way back when that you have since completely forgotten about.

There are better shortcuts today. Use passport-twitter or some other package to authenticate using a third party. Works for local development too as long as you're connected to the Internet when you want to log in.
The password still has to get into the database... something passes it to an insert query or request. It just needs to hash the password on its way through. Let’s see:

* identify a hashing library * install/import it * call it (when storing the password and when comparing)

It’s a matter of minutes really.

> We contacted one app user at random who, albeit surprised and startled by the findings, confirmed to TechCrunch that the coordinates found under their record were accurate.

So they accessed the database as well as personal information of users? Is this not a crime whether or not the database was unprotected?

In the eyes of the law (or at least the courts), journalists have broader latitude in the course of investigative reporting.
Are Techcrunch writers journalists?
Yes but until that's decided in court, is this not confessing to a crime?
Until that's decided in court, there is no crime only actions that may or may not be legal.
Sure seems risky to admit like this. The CFAA has been used very broadly, for example in the prosecution of Weev for accessing customer information on an unsecured AT&T server. It appears this conviction was overturned based on venue (a technicality unrelated to the CFAA), and the underlying question of the CFAA's breadth is still unknown. [1] At the very least, the author is opening himself up to prosecution — even if he ultimately could prevail.

Journalists do enjoy certain freedoms, but to my knowledge (as a former lawyer), special treatment under the CFAA isn't one of them.

1: https://www.wired.com/2014/04/att-hacker-conviction-vacated/

Shameless plug: I've built a family location sharing app that uses end-to-end encryption, so you don't have to worry about this sort of data leak (or any other). It's available for iOS and Android. (It's in beta, but quite functional).

https://www.zood.xyz

Very Interested, but what markers are there for me to trust you/your company? Is it Open Source? Have you been around for long? Are you audited? Is there a sustainable business model?

The https://www.zood.xyz/products/location#about-zood-location page doesn't really say anything other than you promise you are doing what you say (and you probably are).

Fair question. As of this writing, there isn't anything to trust me short of sniffing all the packets coming out of the phone and/or decompiling the APK.

While in beta, I'm not charging, but in order to align my interests with those of users I will be charging for it once I'm done beta testing. So far I've only been testing with family and close friends.

The app isn't currently open source, but I want to find a license model that will let folks see the source code while still preventing someone from forking it and running their own instance of my company. As you noted, this needs to be a sustainable endeavor, and I think that would be unlikely if I just release it all under MIT or BSD-3

It's too early for an audit (and I don't have the money for one yet), but I'm using libsodium for the crypto so there's no need to worry about me writing my own bad crypto primitves.

The website is sparse, because the current audience for it is my family and friends who I've contacted about helping me with the beta testing. I intend to flesh out the site a lot more before I come out of beta.

You could do a reference source-type thing, where it isn't open source and using your source is prohibited, but people can browse it for specified purposes, such as auditing security issues: https://en.wikipedia.org/wiki/Shared_Source_Initiative#Restr...

Copyleft open source licenses only help you so much, people can still clone your company as long as their version is also open source. There's no way to prohibit corporate use of your code and still have an OSI-approved license.

The spot that kinda falls between those two classes is if you want people to be able to fork or self-host for personal/non-commercial use, and there's a few also not open source license examples out there for that too. There's a couple of that sort listed under https://en.wikipedia.org/wiki/Source-available_software (Commons Clause or Mega Limited Code Review sound fairly similar to what you might want.)

Despite being a big fan of copyleft, the "source available" license sounds like the right direction for Zood. Thanks for that link. I had not heard about Commons Clause or Mega Limited Code Review. I'll dig into it those.
What's the advantage of Zood over Find My Friends from Apple[0] and Family Link from Google[1]?

[0]https://itunes.apple.com/us/app/find-my-friends/id466122094

[1]https://support.google.com/families/answer/7103413?hl=en

The biggest difference is that Zood uses end-to-end encryption, meaning I (as the service operator) can't see your location. Your location is encrypted before it ever leaves your phone, and the only person that can decrypt it, is the person with which you are sharing. More info on the second half of the page here:

https://www.zood.xyz/products/location

>TechCrunch spent a week trying to contact the developer, React Apps, to no avail. The company’s website had no contact information — nor did its bare-bones privacy policy. The website had a privacy-enabled hidden WHOIS record, masking the owner’s email address. We even bought the company’s business records from the Australian Securities & Investments Commission, only to learn the company owner’s name — Sandip Mann Singh — but no contact information. We sent several messages through the company’s feedback form, but received no acknowledgement.

And people trust this with the real time location data of their children so they can keep them "safe". Absolutely ridiculous

We should let google do it and give us the details, they do it better as they have already invested a lot in it, doing it and keeping it as secret or FB do it. Basically an Android app asking other person to accept to track their location and send it to other person when they want it. It should be that simple.