Only peripherally related but after the recent Robinhood fiasco I downloaded the Interactive Brokers mobile app, and they send your login user/password in plaintext:
They’re not exactly security literate. Here is IB defending no pasting of passwords from a password manager. I tweeted this early last year and I guess Troy Hunt just revived the issue with them. https://twitter.com/mmaunder/status/1243592529855078406?s=21
ING Bank forces me to use exactly 5 numbers as my password. That happened after an update 2 years ago, when I had a long and safe password. They forced me to "update to a more secure password".
So 12 characters is not secure, 4 numbers is not secure, 6 numbers is not secure either. 5 numbers is the best security!
Very doubtful. Traders tend to prize speed over all other considerations, and so I'm sure at some point somebody with a Pentium running Windows 95 said this would be faster without SSL. And it really would be (on a sufficiently crappy machine, and assuming you're doing HTTP/1.1) but most of us have long since reasoned that "faster but now I don't have any security" is a bad trade and also meanwhile faster encrypted-only alternatives emerged.
They've got a custom OTP setup which they've revised at least twice already, but as with this Clubhouse thing if you transmit your OTP as plaintext over unencrypted channels obviously a bad guy can intercept that. So basically that SSL box ought to be removed (in favour of always doing TLS) or at the very least default checked.
Well I expect Android since 2018 to force use of https when you create an app. So from my knowledge to make it not tls takes more effort than otherwise. They actively have to 'hack' around this requirement.
Their site claims it might be faster. Which totally made sense a decade or two ago, and they've been in this game for a very long time (the company itself pre-dates the Web substantially). Is it faster today? Probably not. And if you're trading from a phone app, the chances your execution happening 100ms later ruins your day is very tiny. Whereas if bad guys snoop your WiFi, MitM your login and use your capital to run the other side of a stupid scam (e.g. buying some penny stock with all your investment savings) that's really going to ruin your whole year.
I can most easily imagine they had a proprietary setup in the 1990s, and one day they make a web site because of this exciting new technology. Should it have SSL? Security sounds good, but it is slower. Traders demand an option. Now, fast forward a few years you're building an iPhone app, your prototype looks good, but traders ask, where is that SSL option? Chances are the answer is "Um, TLS is always On? Because switching it Off would be stupid?". Oh dear, are you calling a long time customer "stupid" for not clicking the SSL box all these years? No of course you aren't, you add the SSL box to the app and everybody working on it learns not to point out that this is stupid.
They do at least have almost-mandatory 2FA through SMS or Android app. So it's not quite as insecure as someone reading your email or snooping your WiFi getting the keys to the kingdom.
If you just have something scooping up all unencrypted data (which is something any bored teenager might set up) then you get a password but the OTP codes will be useless shortly afterwards and, if the implementation is competent, immediately useless in another session once used.
[ Do I trust that they got that right? Maybe. Others might have a better idea how many off-the-shelf OTP implementations handle this correctly ]
However an active MitM just works. You give the user the illusion they're talking directly to the real system, but you actually keep working copies of their logged in state. When they're done trading, you just carry on. If there's an explicit "Log out" step you can dummy that out.
Forget passwords and OTP, even something modern like Security Keys (WebAuthn) would fall to this - except WebAuthn's APIs magically don't exist unless you have secure context (basically an HTTPS site) so for the web that can't happen. If you used the built-in Android / iOS FIDO implementation† and stupidly did HTTP backend in your app, you'd be screwed.
† In this scenario, you're getting the same features as WebAuthn but backed by your device biometrics, and with a custom per-app identifier instead of a DNS name to stop you stealing the user's Google authentication or whatever.
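To make the single-use property discussed above concrete, here is an added example (not the commenter's code) of a TOTP verifier that burns each time step once it has been accepted, so a code lifted off an unencrypted login is rejected in a second session even while its 30-second window is still open. The one-step skew window and the in-memory `used` map are assumptions; a production verifier would prune steps older than that window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// totpCode computes a 6-digit RFC 6238 code (HMAC-SHA1, 30-second steps) for one time step.
func totpCode(secret []byte, step int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier accepts each code once: a code copied off an unencrypted login is
// worthless in a second session even while its 30-second window is still open.
type Verifier struct {
	secret []byte
	used   map[int64]bool // time steps whose code has already been consumed (assumed in-memory)
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, used: map[int64]bool{}}
}

// Verify allows one step of clock skew either way and burns the step on success.
func (v *Verifier) Verify(code string, now int64) bool {
	step := now / 30
	for _, s := range []int64{step - 1, step, step + 1} {
		expected := totpCode(v.secret, s)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			if v.used[s] {
				return false // replay of an already-consumed code
			}
			v.used[s] = true
			return true
		}
	}
	return false
}
```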
Same reason Tinder (Match Group, who owns all the apps) sent user location data all over the place.
Normal people will never learn about this, and doing it right would take too much effort. While I would love new, better social media to take over, I don't think social media which serves its users is possible.
Hell, I self-censor more here than I do in real life. In real life if I say something odd it's forgotten within minutes.
DTLS is the general "drop-in" TLS for UDP. It does have limitations and compromises, esp. in regards to real-time media, but this does seem like a situation where it would not be especially difficult to send this data over a DTLS-secured channel which is logically separate from the media.
Sure getting it right might be hard, but getting it somehow good enough to not be obviously bad is much less so.
Not only are there things like DTLS; in the worst case you could just "ship" an AES key when you log in over TCP/TLS and then encrypt any UDP message with that key, or something like that. Sure, there are many ways you can get it wrong, but it's easy to set up and better than plaintext.
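The "ship an AES key over TLS, then encrypt every UDP message with it" sketch above, carried through as an added example (not the commenter's code): AES-GCM where the per-datagram sequence number is both the nonce and the replay check, which is one of the "ways to get it wrong" avoided. It assumes the key was already delivered over the authenticated TLS login and that each direction has its own key; only Go's standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Session wraps a per-direction key assumed to have arrived over the TLS login channel.
type Session struct {
	aead    cipher.AEAD
	sendSeq uint64 // last sequence number sent
	lastSeq uint64 // highest sequence number accepted so far
}

func NewSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // only errors for non-16-byte block sizes
	return &Session{aead: aead}, nil
}

// Seal builds a datagram: 8-byte sequence || AES-GCM ciphertext+tag. The counter is the
// GCM nonce (never repeats under one key) and is authenticated as associated data.
func (s *Session) Seal(plaintext []byte) []byte {
	s.sendSeq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, s.sendSeq)
	return append(hdr, s.aead.Seal(nil, append(make([]byte, 4), hdr...), plaintext, hdr)...)
}

// Open authenticates, decrypts and requires strictly increasing sequence numbers:
// replays are dropped, but so are late packets (media would use a replay window).
func (s *Session) Open(datagram []byte) ([]byte, error) {
	if len(datagram) < 8+s.aead.Overhead() {
		return nil, errors.New("short datagram")
	}
	hdr := datagram[:8]
	if seq := binary.BigEndian.Uint64(hdr); seq > s.lastSeq {
		pt, err := s.aead.Open(nil, append(make([]byte, 4), hdr...), datagram[8:], hdr)
		if err == nil {
			s.lastSeq = seq // advance only after the tag verified
		}
		return pt, err
	}
	return nil, errors.New("replayed or stale sequence number")
}
```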
So the PRC now has a list of PRC nationals, based on their phone hardware IDs, who discussed "sensitive topics" (phrase used by PRC state media about Clubhouse) on the app? Yikes.
In case you want to host your own Clubhouse or get a feeling for Clubhouse (or Twitter Spaces) without access to an iPhone and/or invite:
"Jam" is an open source implementation of the "audio space" concept that I built over the last few days w/ @DoubleMalt and @mitschabaude
There is still a lot to do but for now you can create rooms and moderate them (stage, audience, mic-flashing, …), powered by WebRTC and should work in any modern browser.
Any feedback, suggestions, thoughts welcome; might do a Show HN in the next few days.
Impressive that this literally only requires one click to get going, and seems to ask for no other requirements (and does browser + mobile equally well from what I can tell). Would be interesting to see how this behaves on large rooms (collections of people). Could also be useful as some sort of 'serverless' or quickly-deployable/click-and-run Clubhouse, perhaps even for certain countries that tend to shut these things down quickly.
Hmm maybe I'm missing something, but why does this matter? For a long time, on Facebook, you didn't have a "username", you just had your "ID" in the URL. I'm just not sure how it could be exploited.
I'd be more worried about it being hosted in China than user IDs being unencrypted.
I kind of like that Facebook is considering competing with Clubhouse.
There are a lot of software features that Clubhouse can add, but they have to or choose to focus on many other things instead. Something simple like a "shut up" button "we got your point two minutes ago".
Competition will force them to re-prioritize just to keep the users.
Who could've guessed? It would be interesting to see a "move slow and fix things" approach for once. But I guess it isn't compatible with ruthless expansion.
Haha, this is one of the tamest instances of cutting corners in the news lately. It's not like this is super-secret information either. It's not health, finance, or legal data.
Some people on HN seem to take security much more seriously than necessary, as if security is the most important feature. But in business, it usually isn't.
User IDs are sensitive because they can be used by internet service providers to track and identify users as they move through various networks. And they can be associated to figure out who your contacts are. As others have mentioned, the CCP could use this information to punish users for joining rooms they don’t like.
The rule is, if ever in doubt, send all data through https. There is just about no reason to use unencrypted http or tcp in 2021.
That may be true of Clubhouse but not necessarily for the person I responded to. Anyway, there's plenty of ways to encrypt UDP, such as DTLS; see this RFC: https://tools.ietf.org/html/rfc6347
> otherwise why they are using a Shanghai-based startup for their voice backend platform?
Is there a term for this form of argument? Like where someone makes a rhetorical question after seeding the answer? It's like creating a false dilemma, where one intentionally removes non-binary choices for their own agenda, but it's not quite a false dilemma yet, except after someone responds about how weak this form of argument is by presenting second, third and fourth reasons that were outside of the boundaries of the question but inside the boundaries of reality.
There is huge power in knowing the name of a thing, isn't there. Reminds me of a Wittgenstein quote: "The limits of my language mean the limits of my world."
I would admit it was actually not a proper form of argument or a constructive way to form a discussion. However, there is a real dilemma right here. If a company is going to use a technology from an adversarial country that could potentially harm oppressed people, it could potentially be a PR disaster.
The bigger question right here is why startup culture works so successfully. The purpose of a VC startup is assumed to be creating a product that eventually expands its market share to the world. And it was based on the assumption of globalization, in a world that was less polarized in political opinion and enjoyed economic growth and appreciation of new tech. An entrepreneur who neglected geopolitics could do pretty fine in this environment.
With the rise of China's sharp power, the question is not so straightforward. Hollywood companies faced China's influence by banning content that is not favorable to China, in order to get access to China's market. Airline companies were threatened by China not to refer to Taiwan as a country, or face a boycott of those airlines. If a company just complies with China's request or threat, then it could potentially piss off Taiwan and Hong Kong customers, and potentially lose other countries in the free world if the PR was too bad. However, if they don't comply, then they could potentially lose access to China's market. It is difficult to be neutral and not take sides, because of the polarization of both parties. Not taking sides is potentially the worst option, which would piss off both sides because both think the company does not stand for their values.
It is just an extension of this underwater war. The take right here is that if a startup is intended to be used by the world, the owner may need to be prepared for unintentionally pissing off a potential group of customers because of not understanding sensitive geopolitical issues.
The American and Western markets have sensibilities too; even if they don't come from the government, the user experience is the same. Try disagreeing with Israeli domestic and foreign policy and doing business in any industry in the West, especially Hollywood. You have to censor.
Deciding that China's gatekeeping is worse just because it comes from the government is where we lose a lot of possibility of introspection from people.
>why they are using a Shanghai-based startup for their voice backend platform
because a lot of Chinese companies are really good at voice-related services due to the ubiquitous use of it in China (typing Mandarin is annoying because you have to use pinyin).
Maybe because that startup does a good job for a reasonable cost.
> Clubhouse is a honey pot for CCP
No, it's a fancy lifestyle app which doesn't care about censorship resistance at all. As far as I know, you can be pretty sure that any service operating in China will have backdoors or similar of some form, though potentially only for their Chinese users.
So as long as you don't use a service which explicitly cares about censorship and privacy and which also operates in China, you shouldn't trust them with any sensitive information at all, especially if part of the "conversation" is "in China". I mean, I would be seriously surprised if the key server of e.g. Zoom doesn't leak encryption keys for "(partially) in China" conversations to the government.
And coming back to Clubhouse: while they might seem to be privacy-oriented at first sight, they are, as far as I can tell, not. They just use "exclusivity" as a way to sell their product, and mistaking this "exclusivity" for privacy would be a big mistake.
I mean, some of the most common usages of Clubhouse are basically a fancy form of a podcast, "just more exclusive".
> Or prove me wrong
Your argument is as much based on biased assumptions as is mine. So this discussion is pretty far away from any proof in any direction, tbh.
The CCP has all power over corporate trade in China, and can obtain access to corporate data.
That fact of life is not the guiding factor for why corporations create technology, compete for contracts, and make revenue.
And there is a lot of technology there. It is an innovative, high-growth, competitive, maybe overly competitive, and dense part of the world. Most of which has nothing to do with what's happening on the other side of the Gobi desert. If that is to be your cause, great, because that's going to keep happening, but it's a large stretch to make that the sole guiding factor for everyone else that creates or simply uses software from China.
If you are subject to that system, then you should use discretion on Clubhouse, that would really be the entirety of your message.
If it was a honeypot, then why block it inside of China? Now they have to break a VPN on top of breaking a voice chat protocol in order to get the real identities of people inside of China.
This is what I found from their job posting for a backend engineer: "You have deep expertise in building, deploying, monitoring and scaling systems on AWS. You understand the ins and outs of Python, Postgres, Redis and more."
I also found out there’s a project management app called Clubhouse, so that’s a little weird.
> This is not the bug of the year. Ok, the id is not encrypted. So encrypt it and next. Nothing to see
The privacy implications of leaking user identifying information are massive. Not something that should be dismissed so quickly as “nothing to see”.
Maybe not interesting for you, but many of us care about holding companies accountable for bad practices. If you don’t, this will become more common as it’s effectively being tolerated.
There is no evidence that they tried to hide that. The company was created in 2020 and one of their APIs is not encrypted; that kind of thing has probably happened to most companies created less than a year ago.
> that kind of thing has probably happened to most companies created less than a year ago
No company gets a free pass on the implications of sacrificing privacy or security. Even if “less than a year old”.
This is serious:
“Any observer of internet traffic could easily match IDs on shared chatrooms to see who is talking to whom. For mainland Chinese users, this is troubling”
Why can't I register for an account even if the app is not available? Why, again, do Android users get discriminated against while iPhone users get leverage again and again?! How hard is it to create a signup form and give everybody an equal chance to reserve their username?
That's how many services lure people in with "Hurry up and reserve your username." It's like usernames matter anymore, as URLs and domains lose their attractiveness, too. The worst mistake, though, is to piss people off and not let them preserve their identity. For example, many startups use Twitter usernames, and it's pretty much one of the fairest options.
If I were Clubhouse, and when I launch a new service one day when I'm not so busy with my day job, I will have a sunrise period where GitHub users can reserve their usernames. There will be a phase 2, when Twitter users will be able to grab theirs, too, and will get the option to use the "@" prefix if somebody with GitHub grabbed theirs, or change it. Lastly, there will be Facebook and LinkedIn phases, too. How can one be pissed in such a scenario? Plus, I will onboard the most influential people first.
https://twitter.com/arkadiyt/status/1356054340008460293