
Our Responsibility As Developers - wattson12
http://kylerichter.com/our-responsibility-as-developers/
======
jokull
Hi Hacker News. I’m one of the developers at QuizUp. We’re very proud of the
product, but obviously we missed the mark when it comes to privacy and user
data. On a cultural level we take these things to heart, and we take them
seriously. It’s a matter of not having taken the time to review these things
carefully enough.

Let me address the things mentioned in the article:

No data is ever sent to or received from our servers in plain text. Due to
a bug in our third-party network library the certificates were not being
verified, so a self-signed certificate could decrypt the data. This issue has
been addressed in an update awaiting review at Apple. Users' passwords are
hashed before we store them in our databases (pbkdf2, salt, multiple
iterations).

Our users' address books are not stored on our servers and are only used
temporarily to help us find your friends. It was a mistake not to hash the
contents of the address book before sending them to our servers, and we are
currently changing the client application so it hashes the address book
contents before sending them to our servers.

Sensitive user data was exposed in certain endpoints (although only accessible
for authenticated users). We have already addressed this issue in a server
deployment and the hotfix is live now.

We are currently wading through inboxes looking for Kyle’s outreach. It looks
like it may not have reached the core server developers. Please contact me
personally at jokull@plainvanilla.is if you have questions.

Finally I want to thank Kyle Richter for working out our security holes, small
and large. We’re currently reviewing our endpoints and codebase to further
harden security and ensure the privacy of our users.

~~~
riquito
You make it sound like there are a couple minor bugs. What about the addresses
of the users sent away? "only accessible for authenticated users": which means
everyone.

From the home page "Play against friends in real time": this is false
advertising at best. Also, is it written anywhere that people can play against
bots?

"We're sorry" would have been a better start.

~~~
alandarev
Good catch. Sadly the "We are sorry" for being careless reminds me of a "BP -
we are sorry" incident.

There is no cost for a faceless company to be 'sorry', and it only promotes
further unethical actions by other companies. I would rather see them pay the
fine for the privacy breach.

Moreover, this all comes down to the apps requiring ALL permissions to run; why
is that acceptable? Why is QuizUp allowed to see users' location in the first
place?

To me, it feels like making a stalker's life easier than ever. Make an app
displaying cats, set it to require full permissions, put it on the App Store.

~~~
jokull
Geo coordinates are acquired from the user via the iOS location permission. They
are persisted in an ElasticSearch index for the "Nearby" leaderboard.

------
RyanZAG
The Facebook token isn't an issue, that is how Facebook authorization works.

Recording single player games and then sending them to other users to work as
fake real time multiplayer games seems like a very clever move and is probably
the reason this game is doing so well. Not that I have heard of it before this
post, though. It's a good hack that capitalizes on the way a quiz game works
and doesn't have any real differences to true real time multiplayer except for
the likely lack of real time messaging. The same could be done for any game in
which people compete yet do not directly influence each other.

The benefits are very clear: reduced matchmaking times, eliminates latency
issues, eliminates signal loss issues. All of these are major hurdles to
multiplayer cellphone gaming, so I don't doubt that this game would be pretty
successful because of it.

Sending users data to other users without permission like that feels like it
should definitely be a punishable offense, but then the legal system doesn't
work on logic so who knows.

~~~
ToastyMallows
> Not that I have heard of it before this post, though.

Tetris Friends does this for their multiplayer games[1][2]. When you "play
against people", what you're really doing is playing against their replays.
It's quite clever, and it had me fooled for a while while I was still in
college.

[1]: [http://harddrop.com/forums/index.php?showtopic=1434](http://harddrop.com/forums/index.php?showtopic=1434)
[2]: [http://www.destructoid.com/tetris-friends-has-instant-six-person-multiplayer-sort-of-140709.phtml](http://www.destructoid.com/tetris-friends-has-instant-six-person-multiplayer-sort-of-140709.phtml)

~~~
spbaar
The interesting consequence of this is that since you can react to the
replays, and the replays can't react to you, players will almost
subconsciously play attack and defense in a smart way to win the game. So most
players will have a win ratio of over 50% in a multiplayer game. It's a neat
trick to keep everyone happy.

------
angersock
An excellent point is raised:

 _What is perhaps the most shocking is QuizUp is backed by several venture
capital firms, including some very large and well known ones. The question I
have is: did they not do their due diligence when vetting this software or did
they not care. I am not sure which one is more alarming to me, and it doesn’t
really matter either way. Is this a sign of a bubble when a company can raise
millions of dollars with so little care put into its technology or
development?_

This, sadly, should surprise no one.

~~~
joshfraser
Ha, I laughed when I saw that. I've gotten term sheets from VCs without them
even using my product. To expect them to do a full security audit is quite
adorable.

~~~
angersock
What part of the country are you in? The VCs where I live are, um, a bit
hesitant about the _venture_ part of venture capital.

~~~
joshfraser
SF bay area.

~~~
angersock
Yep, that'd do it.

:(

------
woah
Amazing how many developers, even from very prestigious schools, write really
horrific code. As a self taught programmer getting into the industry over the
past few years, I have been shocked. Oh well, I guess it's "fuck it, ship it".

~~~
pnathan
Question: why would school prestige correlate with quality of code?

~~~
nitrogen
Why shouldn't it? Prestige presumably had to be earned at some point. If
prestigious schools are producing sub-par developers at a rate equal to other
schools, what is the value of that prestige?

~~~
pnathan
Not all prestige is equal, for one thing. Your fine institution might attract
world leaders as speakers for its econ, foreign policy, and poly sci
departments, but its CS department might be weak. For another thing, the
academe and what it teaches is, as a general rule, not really focused on what
the business world teaches. So excellence in the academe does not per se
translate immediately to excellence in the business world. While an adaptable
learner would be excellent potential and long-term capability, I would expect
them to have a learning curve for the different pressures and knowledge needed
to succeed in business.

~~~
anaphor
Presumably someone who graduates from Stanford or MIT in CS will be preferred
over someone graduating from Princeton or Yale in CS (Personally Indiana or
NEU would be my first choices).

~~~
ars_technician
Precisely. Princeton is prestigious, but I don't want formal models. I want
someone that can at least pass the fizzbuzz test.

------
HistoryInAction
Actually, while the initial investigation of Path related to their poor
information security and abusive use of user data to drive their viral
coefficient, the fine specifically related to violations of COPPA. That law
refers to extra privacy protections for children under 13, as well as parental
approval. The regulations are onerous to the point that most online social
networks filter out users under the age of 13 to avoid running afoul of COPPA.
Path didn't filter out these users and was found to have violated COPPA,
resulting in their $800k fine.

Doesn't detract from your excellent piece or put Path in a better light, but
that's the context you're referring to there.

------
andreftavares
It is a new kind of approach to software development: SFAQL.

Shoot First, Address Questions Later.

I bet these kinds of decisions are a consequence of the MBA/Excel mindset.
Developing software properly takes time and money, and that isn't... lean (lol)
and doesn't drive billion dollar valuations.

~~~
eropple
You are aware that a core concern of business programs is risk assessment and
mitigation, right? So how does this out-of-hand assumption follow so
necessarily?

------
JabavuAdams
I don't have a problem with the bot thing. It's a clever solution to the
"there's no one online" problem for new multiplayer games. I have no
confirmation, but I assume that games like Fun Run do the same. Having played
online RTS games in the 90's, these new iOS lobbies seem to fill up
suspiciously quickly.

------
damian2000
Sounds like they followed the philosophy of "it's easier to ask for forgiveness
later than to ask for permission up front."

