
Your Anonymous Posts to Secret Aren’t Anonymous After All - riaface
http://www.wired.com/2014/08/secret/
======
soneca
I didn't see this news in HN, but in Brazil a judge forbidded the app stores
to let brazilian users download Secret anymore.

The app is being extensively used to bully people - non-authorized pics of
naked people, messages with ofenses and etc. It was covered all over
mainstream media and there is a consensus that it was a right decision (in
this kind of press I mean).

Edit: here a TechCrunch about it: [http://techcrunch.com/2014/08/20/brazil-
court-issues-injunct...](http://techcrunch.com/2014/08/20/brazil-court-issues-
injunction-against-secret-and-calls-for-app-to-be-remotely-wiped/) It was
submitted to HN but got no comments or upvotes:
[https://news.ycombinator.com/item?id=8202444](https://news.ycombinator.com/item?id=8202444)

~~~
higherpurpose
The bigger story there is not that Brazil banned Secret, but that Google,
Apple and Microsoft, all have the power to delete those apps _from your
device_. That Orwellian power is the truly terrifying story there. And yes,
personally, I've been aware for a while that they can do that, but I bet the
vast majority of people don't know that.

When will these companies learn that "if you build it (the infrastructure for
censorship/surveillance), they (the governments) will come"? It's inevitable,
and they should know better by now.

~~~
AndrewKemendo
_That Orwellian power is the truly terrifying story there._

Only if you somehow consider the app store and mobile infrastructure a public
good, which is most certainly is not.

There are open source/decentralized options that you are free to use.

~~~
tedks
I consider my phone to be my property. Typically, other people or corporations
can't make changes to my property without my permission.

I guess by "mobile infrastructure" you can extend that to "every phone," in
which case why not remotely remove programs from PCs as well? Why not just say
outright that the coalition of your local government plus Apple/Microsoft own
your computer, rather than you?

I can't tell if you're being sarcastic and advocating free software, or openly
advocating for autocratic computer systems management.

(This is of course what RMS has been saying for literally decades, but for the
people on HN who disagree with RMS, ... told you so.)

~~~
blazingfrog2
> other people or corporations can't make changes to my property without my
> permission.

IANAL but it seems you have given permission:

    
    
      Notwithstanding any other provision of this Agreement, Apple and its principals reserve the right to change, suspend, remove, or disable access to any App and Book Products, content, or other materials comprising a part of the App and Book Services at any time without notice. In no event will Apple be liable for making these changes.
    

[http://www.apple.com/legal/internet-
services/itunes/us/terms...](http://www.apple.com/legal/internet-
services/itunes/us/terms.html)

~~~
judk
Tolerating is not the same as agreeing. There is no meaningful alternative to
allowing app deletion.

~~~
arjie
If this is really a problem for you, here's a solution:

1\. Get a Nexus phone.

2\. Flash to a custom ROM.

3\. Don't flash Google Apps.

4\. Sideload APKs or use an alternative store.

5\. Enjoy.

The reason you can't have everything is that the app devs and most people
prefer the store situation. If this is a particular problem for you, there
will be sacrifices.

------
jrochkind1
The thing about this particular attack is... it's pretty obvious, isn't it?

I had never heard of this app before, but reading the article, as soon as they
got to describing how it works (you give it emails/phone numbers of your
friends, you only see secrets from them), I correctly guessed what the attack
would be.

Now, maybe it wouldn't have been obvious to me without the setup (there's been
a successful attack, and now we're going to describe how Secret works like
this, setting you up to understand the attack).

But if Secret has security engineers, intimately familiar with their system,
and trying to identify possible attacks -- how could they have not identified
this? It makes one think the bug bounty program IS their security program.
Which is probably true of much software, but this is software focused on
secrets!

On the other hand, maybe it just seems that obvious in retrospect? Apparently
they have already given out 42 security bounties, and this one wasn't
identified until now, so I dunno. It sure seems obvious though.

~~~
kalleboo
Read the whole article.

It was a known attack, their defense against it is dummy account/bot detection
systems, and they claim that they were broken somehow due to an infrastructure
upgrade which is why it worked for this guy.

~~~
bellerocky
See though, there's no way that dummy detection system is going to be good
enough to prevent someone determined enough to figure out who made a damaging
secret.

For example, remember that seriously hideous post to secret regarding a
prominent GitHub employee?[1]. The post has since been removed, but a
determined GitHub employee who could see that post could over time defeat the
dummy detection with a method similar outlined in the post. Just continue to
create new accounts on Secret and iterate on the friends in your contact list
the way that git bisect works. Create an account with half your friends and
see if the message pops up. If so, create a new account with half that list,
and continue until you reach 7 and rotate in users you know aren't
responsible. In the end the person who made that horrible post will be
revealed.

[1] [http://recode.net/2014/03/15/prominent-github-engineer-
julie...](http://recode.net/2014/03/15/prominent-github-engineer-julie-ann-
horvath-quits-claiming-gender-based-harassment/)

~~~
grandalf
Exactly. I too thought of this attack but there have been no secrets shared
via my network juicy enough to warrant the time it would take.

------
roywiggins
> “It’s our job to make sure people feel safe and in control,” he says.

So people just have to feel 'safe and in control,' rather than making sure
they are actually safe and/or in control? It sounds like an admission that the
whole anonymity thing is just a marketing gimmick: as long as you have a name
like "Secret" and make people feel like they're safe, they'll share whether or
not they have strong security at all.

~~~
ryandrake
You'll find this kind of wording a lot from companies. It's a sneaky way to
make it sound like you're actually doing something to fix a problem, while
technically being truthful by saying that it's basically just P.R.

"Social Network A wants users to feel like they control their privacy
settings."

"Online Store B believes shoppers should feel like their credit card
information is secure."

"Cable Company C's service goal is for customers to feel like their support
issues are being addressed."

~~~
crpatino
Maybe I have grown overly cynical over the years, but I was not aware that
this kind of thing _still_ works on most people. I pretty much sed 's/feel
like/not/' as an habit without noticing.

------
nikcub
Anonymous application that users install on their phones that identify them,
using their personal email addresses and real-life social networks turns out
to not be so anonymous.

mindblown.gif

As was pointed out when Secret launched by many, the model can never be
secret. It has been interesting to watch the company feel their way around in
the dark to a conclusion that anybody in infosec or who understands
security/anonymity could have told them before they launched.

------
relaxatorium
A few friends of mine were actually talking about this last week. Apparently
some folks in our social network (literal, friend based social network, not
software-based) were using Secret to trash-talk (as is its purpose). It was
immediately obvious who it was.

When you don't know that many people who would even ever be on Secret, which
is true right now about anybody who doesn't work in Silicon Valley, then it
becomes almost completely transparent just because you know who your friends
are. The anonymity model is a joke outside of the tech bubble.

------
probably_wrong
> He turns the question back on me. If there was no Secret, or an app like it,
> where would this anonymous poster go for catharsis? Where would he share his
> struggle with mental illness?

He could do it by snail-mail: [http://postsecret.com/](http://postsecret.com/)

~~~
hownottowrite
Without a hint of sarcasm... How about with a doctor instead of random,
faceless strangers? How about someone who can actually help?

~~~
valarauca1
Some mental illnesses make directly talking about the problem you have
difficult. There is actually a large lack of anonymous therapeutic solutions
for emotional and mental disorders for those who need them.

Simply saying, "Use your brain and solve your problem." To a mental patient is
very insulting and extremely marginalizing to their condition.

~~~
hownottowrite
I didn't suggest that they solve it on their own. Quite the opposite really.

Following your logic, Secret is actually encouraging the very practice you
called out as abhorrent.

~~~
pessimizer
Telling someone to just get help is about a hair's breadth away from telling
someone to just get better.

~~~
hownottowrite
No, telling someone to seek qualified help is the responsible thing to do whe
one is unqualified to help. Providing untrained, unqualified, and anonymous
help is both unethical and dangerous.

If Secret staffed trained professionals to provide anonymous help, that would
e different. They don't.

~~~
pessimizer
>Providing untrained, unqualified, and anonymous help is both unethical and
dangerous.

It's also sometimes the only help that people will ever get. Talking to people
about their problems can't be declared as forbidden or irresponsible unless
mediated by a doctor. That's both unrealistic and it implies an initial
unqualified diagnosis over the internet by a stranger to decide that a
statement constitutes mental illness rather than a simple sharing of internal
states - making an absolute statement like the one you're making self-
contradictory.

For example, I'm upset about a discussion that I had with my sister the other
day. It makes me sad, and slightly worried. Should I continue to talk about
it, or should I consult a doctor? If you answer that question, is it a
diagnosis? Should all inter-human communications be routed through mental
health professionals just in case?

~~~
hownottowrite
If you're talking about the usual gripes and daily complaints, then sure, talk
to whomever you want.

If you're talking about serious mental illness, which was the entire point of
this comment, then it needs to be handled by professionals or at least someone
with basic training.

~~~
pessimizer
My entire point is that you're making a diagnosis when you say that someone
has serious mental illness. It's fine to say that one should encourage people
to seek professional help. To condemn people who are not professional and give
help is terrible IMO (and not supported by the science), especially
considering that experimentally the outcomes of any talking therapy are
equivalent regardless of content (from priests to psychoanalysts), and SSRIs
generally perform no better than placebo.

edit:

[https://en.wikipedia.org/wiki/Dodo_bird_verdict](https://en.wikipedia.org/wiki/Dodo_bird_verdict)

[http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3712503/](http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3712503/)

~~~
hownottowrite
That's unfortunate because I didn't make any diagnosis at all. I was reacting
to the following in the article (as referenced by the comment to which I
originally replied):

[I pick out one of the posts promoted to Secret’s homepage, and read it to
Byttow over the phone: “At work I’m being given more and more responsibility.
Silently I’m struggling with mental illness.” Does Secret provide enough
anonymity for that user?

He turns the question back on me. If there was no Secret, or an app like it,
where would this anonymous poster go for catharsis? Where would he share his
struggle with mental illness? Facebook? Don’t make him laugh.]

Clearly, the interviewer and CEO David Byttow are talking about mental
illness. They are not talking about someone having a bad day or even suffering
from mild, common depression. They are talking about mental illness, and I am
reacting to their discussion of mental illness. My original point, short as it
was, is that someone with an actual mental illness ought to seek actual
treatment rather than the faceless world of something akin to Secret.

This isn't to say that talking on Secret (our a diary for that matter) is a
terrible thing. However, the assertion by Byttow is that his service provides
a legitimate outlet for someone who may need real help and may pose a danger
to themselves or others.

Perhaps the meaning of "mental illness" is where we differ in the discussion?
How about I reveal a "secret" which is quite true and we see where this
goes...

I do not know you, nor do you know me. I do not know if you or people you know
suffer from mental illness. You do not know if I or people I know suffer from
mental illness. I do not know if you or people you know have injured
themselves or others as a result of their illness. You do not know if I or
others I know have done likewise. However, I will reveal to you, that I have
indeed known more than one person who suffered from serious mental illness.
Some of these people have injured themselves and others as a result of this
situation. Of this group, some received professional help. Most did not. Those
who did not chose instead to keep it to themselves or to talk to unqualified
people who had lots of supporting words but had absolutely no idea what they
were actually dealing with.

The results? In two cases, suicide. In one case, murder. Another particular
person has conducted a lifelong campaign of mental and physical abuse against
family members resulting in another person's suicide. In these four cases,
could the issue have been resolved with proper assistance? I think so, at
least in three of the cases. Would something like Secret help? Unlikely. These
individuals needed real help.

So, when I say that it is dangerous, it's because I have witnessed first hand
how dangerous mental illness can be. It is dangerous for professionals and lay
persons alike. It is dangerous for the individual suffering from the
affliction and for those around them. Is this always the case? Of course, not.
Perhaps your experience is different. I certainly hope so because it is a
horrible thing to witness a person you know suffer in this manner and then
cause injury to themselves or others. I wouldn't wish it on anyone.

------
hifier
I could be wrong, but it seems that the way Secret is designed it cannot be
truly anonymous. They need to be able to decrypt your secrets to show them to
others, and they need to be able to associate them with your account to show
them to you when you log in. This means that Secret knows who you are (to the
extent that your login credentials reveal your identity) and what you've
posted. If coerced or attacked there is no reason to believe that posts to
Secret will in fact be kept a secret.

~~~
coldcode
I'm not convinced there is any ultimate way to build a secret type app that
allows for perfect secrecy. Ultimately anything build on top of the internet
has a chain of IP address that have to exist in order to send message back and
forth. Add a system with a server in the middle and it doesn't seem like there
is any way to avoid someone (or a chain of someones) to figure out the far
endpoint. If you can get at least some information leakage (cell phone
connections, other IP accesses, etc) I would think you could eventually figure
out the device on the other end. The only hope you have to keep the source
secret is to make it too difficult or expensive to uncover so no one bothers.

~~~
pinkyand
It all depends on what are the powers your attackers have. If your attackers
can monitor the whole web, inject packets as he wish and control every
computer in the world - there probably isn't any way to offer secrecy.

On the other hand, if we're talking about an adversary with a more limited
capabilities - maybe he can access only 50% of the computers in the world and
that cannot crack encryption at will - Than there are papers talking about
theoretically sound systems that can give you anonymity with very high
reliability.

------
Sami_Lehtinen
App is just extremely badly designed. If service is supposed to be anonymous
it's good idea not to store any identifying information. If there's need to
store some for legal reasons that can be encypted easily. So there's
absolutely no way to recover it without the administrator. Even if the servers
would be seized. Unfortunately world is full of such crappy broken by design
services. Simply bad engineers and engineering does fail. That's how I do it.
When you're anonymous use proxy tor and random wifi or anonymous clean
cellphone. Even then be very careful about writing style analysis. Anyway it's
worth of noting that absolutely nothing is private with Android or iPhones
etc. If you're dealing with things which require privacy you're not using
mainstream smart phone.

~~~
fps
If they don't store identifiying information, the app can't perform it's main
purpose, which is to share secrets _with people you know_. In fact, I don't
think it's possible for this app to work without this vulnerability. For any
set of rules they can provide, a set of sockpuppet accounts can be created to
fulfill those rules and only track a single real person.

~~~
Rapzid
Yes, so say they make a rule like "You're account needs 5 friends and 20
secrets". So create a bunch of accounts with different sets of friends and
find out where the intersections between friends and posted secrets are.
Busted. This application is fundamentally flawed in it's current form.

To even approach feasibility you would need to give people the power to view
and approve emails that are following them. Then social circles would
naturally form within the app along with a form of self governance.

------
pkfrank
I tweeted this back on Feb 19
([https://twitter.com/PeterKimFrank/status/436186142950850560](https://twitter.com/PeterKimFrank/status/436186142950850560)):

.@getsecret Un-veiler-service:

1) Empty contacts

2) Re-add incrementally

3) Identify "secret" posters

4) ??

5) Profit

Seems way too obvious.

------
kenjackson
Secret should consider changing their algorithm. How about the following:

You need at least 7 contacts that use Secret, but approximately half (or 1/3
or 1/4, whatever gives the best experience) of your messages will come from
people NOT on your contact list. That is, most of the posts will be from
people you don't know. But enough will be from your contacts to keep it
personal...

~~~
bentcorner
The allure of Secret is that you _know_ that a given secret is from someone
you know. Diluting the pool is harmful to that message.

What they could do instead is only share secrets if you have N contacts _in
common_. This solves the bot problem - the target will not add the bots.

You could also have some sort of threshold before showing secrets as well.

That said, I've never used Secret so this may or may not work. It'd be
interesting to play with the Secret data to see how the social circles overlap
and what kind of traffic patterns they see.

~~~
gus_massa
If you know N+1 contacts of X, then you create N+1 bots. Each bot has only N
of the N+1 contacts. So, each bot receive the secrets from everyone except one
person.

------
saurabhnanda
was never into this app nonsense, but installed Secret a week ago because a VC
chided me for not having it (and therefore not being able to connect,
generally, with the new mobile masses). How do I delete all my account info
along with the BS that I "anonymously" posted?

------
jamieb
"“The thing we try to help people acknowledge is that anonymous doesn’t mean
untraceable,” says Byttow.

------
thirdtruck
This story is terrifying in the context of the recent attack on women game
developers.

To put the attack in contexts, imagine all the epitaphs you've heard playing
FPS games online, but much worse. Then imagine having those slipped under the
door of your home, scrawled over a Polaroid of you sleeping in your bedroom.
Now imagine that you have no safe place to complain about this invasion of
your privacy, but that you have to keep it constantly bottled up in yourself.
That's a mild version of what these developers are facing.

~~~
bitlord_219
I think you mean "epithets."

~~~
thirdtruck
Correct. I just hope that no actual epitaphs come of this nonsense.

