←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
560 points bearsyankees | 8 comments | 12 May 25 16:39 UTC | HN request time: 0.222s | source | bottom
Show context
michaelteter ◴[12 May 25 17:34 UTC] No.43965514[source]
Not excusing this is any way, but this app is apparently a fairly junior effort by university students. While it should make every effort to follow good security (and communication) practices, I'd not be too hard on them considering how some big VC funded "adult" companies behave when presented with similar challenges.

https://georgetownvoice.com/2025/04/06/georgetown-students-c...

replies(10): >>43965600 #>>43965723 #>>43965782 #>>43966035 #>>43966222 #>>43966281 #>>43966578 #>>43967558 #>>43968803 #>>43969670 #
tmtvl ◴[12 May 25 19:18 UTC] No.43966578[source]
I vehemently disagree. 'Well, they didn't know what they were doing, so we shouldn't judge them too harshly' is a silly thing to say. They didn't know what they were doing _and still went through with it_. That's an aggravating, not extenuating, factor in my book. Kind of like if a driver kills someone in an accident and then turns out not to have a license.
replies(6): >>43966766 #>>43967142 #>>43967680 #>>43967819 #>>43968420 #>>43969894 #
LadyCailin ◴[12 May 25 20:30 UTC] No.43967142[source]
This is exactly why I think software engineering should require a licensing requirement, much like civil engineering. I get that people will complain about that destroying all sorts of things, and it might, yes, but fight me. Crap like this is exactly why it should be a requirement, and why you won’t convince me that the idea is not in general a good one.
replies(7): >>43967245 #>>43967271 #>>43967301 #>>43967749 #>>43967914 #>>43968373 #>>43970478 #
1. viraptor ◴[12 May 25 21:42 UTC] No.43967749[source]
While the idea is good, I'm not sure how this would get implemented realistically. The industry standards/audits are silly checkbox exercises rather then useful security. The biggest companies are often terrible as far as secure design goes. The government security rules lag years behind the SotA. For example how long did it take NIST to stop recommending changing passwords?

Civil engineering works well because we mostly figured it out anyway. But looking at PCI, SOX and others, we'd probably just require people to produce a book's worth of documentation and audit trail that comes with their broken software.

replies(3): >>43968164 #>>43968463 #>>43968787 #
2. Spooky23 ◴[12 May 25 22:45 UTC] No.43968164[source]
I worked on a project that was using federal tax information and had IRS 1075 compliance requirements. Those follow some version of NIST that was out of date at the time.

We had two security teams. Security and compliance. It was not possible to be secure and compliant, so the compliance team had to document every deviance from the IRS standard and document why, then self-report us and the customer to audit the areas where we were outside the lines. That took a dozen people almost a year to do.

All of that existed because a US state (S Carolina iirc) was egregiously incompetent and ended up getting breached. Congress “did something” about it.

replies(1): >>43968492 #
3. no_wizard ◴[12 May 25 23:38 UTC] No.43968463[source]
There's no governing body that continually researches, vets and updates standards of security. There should be, honestly, but there isn't. Thats not true of professional engineering organizations, or medical boards, or the Bar Association etc.

They all update their recommendation and standards routinely, and do a reasonably good job at being professional organizations.

The current state of this as regards to the tech sector doesn't mean its impossible to implement.

Thats why all the usual standards (PCI, SOC2 in particular) are performative in practice. There's nothing that holds industry accountable to be better and there is nothing, from a legal stand point, that backs up members of the association if they flag an entity or individual for what would be effectively malpractice.

replies(1): >>43968550 #
4. ikiris ◴[12 May 25 23:43 UTC] No.43968492[source]
This is why delegated authorities should be managing things instead of congress itself. Because congress has no idea what they're doing on technical topics generally.
replies(1): >>43969222 #
5. socalgal2 ◴[12 May 25 23:56 UTC] No.43968550[source]
I feel like people who suggest governing bodies for this kind of stuff always imagine some perfect unicorn organization that makes perfect recommendations where as I usually imaging every UX turning into the worst possible 20x step process because of "regulations" and it will actually just be theater and not actually solve whatever problems it claims to.
replies(1): >>43974852 #
6. LadyCailin ◴[13 May 25 00:49 UTC] No.43968787[source]
I mean, bridges collapse sometimes. It’s not really about making things perfect from the get go, it’s about making sure that the industry as a whole learns from mistakes. And I agree that some of the existing standards and audits are checkboxes at best, and actively suggesting problems at worst. But, we need to be evolving those actively anyways, that has to be baked into the DNA of whatever this licensing scheme ends up being.

Anyways, I’m not the one who should be deciding the specifics here, it should be a collaboration between lots of different parties, even if I may have a seat at that table. But we have got to get away from the notion (as seen in other comments in this thread) that any sort of attempt to prevent this kind of harm before it happens is authoritarianism.

7. Spooky23 ◴[13 May 25 02:30 UTC] No.43969222{3}[source]
That is the 20th century innovation. Unfortunately, the king doesn’t like it.
8. no_wizard ◴[13 May 25 16:41 UTC] No.43974852{3}[source]
I don't imagine some perfect unicorn organization myself.

I do imagine a technical organization that strives to do its best and would have sufficient scope to protect its members legally if need be, so members would be empowered to make the best decisions possible.