Puff Puff… Pass (opens in new tab)

(faptrackr.org)

110 pointshelmut_hed12y ago55 comments

55 comments

Terrible response by the Puffchat guy: https://twitter.com/MikeSuppo (Google Play's dev listing goes to the Puffchat blogspot site, which links to this Twitter account.)

  "This is a friendly message to advise that you remove all web based content about Puffchat"
  "Please remove within 1 hour."
  "Puffchat will be fixed in due course. Every piece of content with the original author's name attached to it after GMT scheduled will only provide evidence that can be used against him."

Edit: Actually, this could just be a publicity stunt. Do something boneheaded like this, get some exposure. Take flak from users that don't necessarily matter, and hope to score a lot more users. If you're not getting the growth you hoped for, what do you have to lose?

lostcolony12y ago

Maybe. But a publicity stunt that highlights findings that run counter to what you're trying to sell the platform on seems dubious.

madaxe_again12y ago

No such thing as bad publicity. It gets the brand known "oh, yeah, puffchat, I've heard of that, can't remember why", and if they tell users that it's secure often enough, no amount of evidence that it isn't will make any difference - humans respond more strongly to an authoritative voice than to objective reality.

veidr12y ago

> @iH8sn0w @NinjaLikesCheez All content, including articles, scripts, reddit posts, tweets, everything. By 11.40pm today (3/3/2014).

Hahaha, that is a pretty hilarious bit of fail, there. I don't think it could really be intentional... it might make him kinda famous (in a probably unwanted way) but it won't net him new users.

nthitz12y ago

https://twitter.com/sexysez95_sarah - fake account promoting puffchat seems pretty sleazy. https://twitter.com/Queenselfie96 also seems suspicious

jevans12y ago

Also https://twitter.com/Staceyythatsme

NinjaLikesCheez12y ago

Yeah they are pretty awful, the funny thing is they're the most popular accounts on the app :/

deletes12y ago

This is what reverse google image search says:

https://www.google.com/search?tbs=sbi:AMhZZitfuTwYMbUV9Yv-cR...

Her actual account: https://twitter.com/rachelburr1

https://www.google.com/search?tbs=sbi:AMhZZivEFJQlM8ezy2mFjo...

And her account: https://twitter.com/ashleeholmes

Either they really like puffchat and they made separate account to promote it, or the pictures were stolen and the accounts are fake.

1 more reply

tylerlh12y ago

I'm not seeing where the "intimidates security researcher" part mentioned in the title comes in. Am I missing something?

nknighthb12y ago

Seems the founder thinks he can suppress speech through tweeting: https://twitter.com/NinjaLikesCheez/status/44064551256879513...

tylerlh12y ago

Thanks for the link! I thought I was taking crazy pills.

helmut_hedOP12y ago

You can read the founder's response to the disclosures on Twitter https://twitter.com/MikeSuppo

doktrin12y ago

Reading his responses, the entire app feels like a bad attempt at trolling.

In any case, nice write up. I enjoyed reading it.

deletes12y ago

And it is all over the internet:

Blog’s going offline while we bump the specs so we can deal with all the traffic, bear with.

I expect to see some articles tomorrow.

First one: http://www.tuaw.com/2014/03/03/snapchat-competitor-puffchat-...

NSAID12y ago

I'm not too impressed with the blog's author either. He documents breaking into another website in a previous blog post: http://faptrackr.org/blog/?p=45

hrrsn12y ago

That website hosted pirated copies of iOS apps, so it's not as bad as it seems.

deletes12y ago

It seems OP is in similar business.

https://github.com/KJCracks/Clutch

1 more reply

NSAID12y ago

As did a site the author was running, by my read. Responsible disclosure is one thing, but I won't support defacing of websites.

1 more reply

lukejduncan12y ago

It was the content of the article, and not the title of the blog that left the bad impression?

netman2112y ago

Take a look at vaportstream. They have ephemeral messaging that leverages vram to hide the messages from the kernel. Pretty secure.

primitivesuave12y ago

They really need to make a secure version of this app. You'd be saving thousands of burner phones from entering landfills.

MichaelGG12y ago

Aren't burner phones that way because you want to ditch the entire phone to erase any link to you after using it in an incriminating way?

Even if this app was "secure", it wouldn't prevent the need to ditch a phone. LE can subpoena the company, find out which IP:port connected for whatever user/message. Then go to cell company and get records and track the cell.

cgag12y ago

Get an android and use textsecure if you actually care about people not reading your messages.

jbigelow7612y ago

If you're using a burner I doubt the environment is your topmost concern.

iNeal12y ago

Why would you even consider using this app?

pistle12y ago

1. Create snapchat alternative to try to harvest sensitive content & info. 2. Profit.

There is no platform or space, in someone else's control, that you can or should trust this way.

en4bz12y ago

From Founders twitter:

> provide evidence that can be used against him.

So is the founder trying to mount a legal case against him for hacking?

lstamour12y ago

11 (or is it 12?) months in, Andrew "Weev" Auernheimer is still serving a 3-year conviction (on appeal now) for "hacking" the AT&T iPad signup script to get email addresses out of it ... using a web request and random numbers. In case that's not clear enough, it was published, public data waiting to be requested, no security restrictions except the numbers to be guessed. I'd say that's the same for any such "private" (hah!) service that uses ID numbers to access data over public channels, wouldn't you?

1 more reply

wudf12y ago

@notacop See what great work you could be doing if you would participate in the year of code?

sergiotapia12y ago

Ultimate Streisand effect - I have literally never heard of this app that seems geared towards drug users; and yet I learn about it from it's incompetance.

How do people release public API's without THE MOST BASIC OF SECURITY CHECKS. Really? You can add a friend without any checks and even send messages as someone else? Christ.

A) Who funds these guys?

B) How can I get a piece of that seemingly-easy-as-hell-to-get pie?

nknighthb12y ago

I triggered executive-level uproar just yesterday by pointing out what should have been obvious security issues in an API we were about to be asked to integrate with. I was not the first technical person to look at the document we were given, and in fact I was the only one to look at it who couldn't actually read it in detail (it was in Chinese, I only speak English, but the identifiers were in English), but nobody else had spotted the problem.

I'm not a roving security consultant, so my sample size is limited, but I have seen little evidence that even basic security awareness is part of the toolkit any substantial number of developers have.

danellis12y ago

I was a security specialist at a large software company for a couple of years, and I did some developer training.

> I'm not a roving security consultant, so my sample size is limited, but I have seen little evidence that even basic security awareness is part of the toolkit any substantial number of developers have.

My experience matches yours.

jmngomes12y ago

Agreed, and I think that's when a (good) CS education makes the difference, by helping you grasp how t design and code for security, which are fundamental concepts that a lot of "junior" developers have no clue about. And then you see the same basic attack vectors creeping up all the time...

1 more reply

brianpgordon12y ago

I can definitely see a developer's concerns being brushed aside as a "business decision" on the grounds that growing their userbase or adding new features is more important to the startup's survival than security at that time.

It's actually a pretty damn good line, and I think it's really, fantastically hard to know when your ethical responsibility as an engineer starts to outweigh your obligations as an employee.

mpchlets12y ago

Hmm, did you just post this "disclosure" on your blog before informing the company? Well, now everyone is at risk if your claims are true. Poor form.

Proper course is to disclose to company first, then disclose after fix is in place in reasonable amount of time. Why risk everyone for your benefit?

akerl_12y ago

"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."

LCoder12y ago

At the bottom of the post it does state:

In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data.

MichaelGG12y ago

Everyone was already at risk, but they didn't know it. They were already downloading this content to devices everywhere.

He also says that he tried to contact the developer but got no response.

The dev would have been much better off apologizing, pushing a fix, and asking for a temporary embargo while the fix is put into place.

alcari12y ago

FTA:

"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."

zorpner12y ago

As you can read in the article, he did try to contact the developer.

That aside, though, when the issues are this egregious I'm honestly not sure what the right approach is. With flaws this bad it's hard to imagine that they're even capable of fixing the problems, let alone responding appropriately to the disclosure.

hrrsn12y ago

They seem like really easy problems to fix, too.

nknighthb12y ago

Puffchat put people at risk.

rdl12y ago

Fuck "Responsible Disclosure" in cases of utter incompetence like this.

TacticalCoder12y ago

TFA states precisely this:

"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."

endlessvoid9412y ago

This needs to be a part of ThatHigh.com :)

Except, you know, not sketchy.

j / k navigate · click thread line to collapse

55 comments

MichaelGG12y ago

Terrible response by the Puffchat guy: https://twitter.com/MikeSuppo (Google Play's dev listing goes to the Puffchat blogspot site, which links to this Twitter account.)

  "This is a friendly message to advise that you remove all web based content about Puffchat"
  "Please remove within 1 hour."
  "Puffchat will be fixed in due course. Every piece of content with the original author's name attached to it after GMT scheduled will only provide evidence that can be used against him."

lostcolony12y ago

Maybe. But a publicity stunt that highlights findings that run counter to what you're trying to sell the platform on seems dubious.

madaxe_again12y ago

veidr12y ago

> @iH8sn0w @NinjaLikesCheez All content, including articles, scripts, reddit posts, tweets, everything. By 11.40pm today (3/3/2014).

Hahaha, that is a pretty hilarious bit of fail, there. I don't think it could really be intentional... it might make him kinda famous (in a probably unwanted way) but it won't net him new users.

nthitz12y ago

https://twitter.com/sexysez95_sarah - fake account promoting puffchat seems pretty sleazy. https://twitter.com/Queenselfie96 also seems suspicious

jevans12y ago

Also https://twitter.com/Staceyythatsme

NinjaLikesCheez12y ago

Yeah they are pretty awful, the funny thing is they're the most popular accounts on the app :/

deletes12y ago

This is what reverse google image search says:

https://www.google.com/search?tbs=sbi:AMhZZitfuTwYMbUV9Yv-cR...

Her actual account: https://twitter.com/rachelburr1

https://www.google.com/search?tbs=sbi:AMhZZivEFJQlM8ezy2mFjo...

And her account: https://twitter.com/ashleeholmes

Either they really like puffchat and they made separate account to promote it, or the pictures were stolen and the accounts are fake.

1 more reply

tylerlh12y ago

I'm not seeing where the "intimidates security researcher" part mentioned in the title comes in. Am I missing something?

nknighthb12y ago

Seems the founder thinks he can suppress speech through tweeting: https://twitter.com/NinjaLikesCheez/status/44064551256879513...

tylerlh12y ago

Thanks for the link! I thought I was taking crazy pills.

helmut_hedOP12y ago

You can read the founder's response to the disclosures on Twitter https://twitter.com/MikeSuppo

doktrin12y ago

Reading his responses, the entire app feels like a bad attempt at trolling.

In any case, nice write up. I enjoyed reading it.

deletes12y ago

And it is all over the internet:

Blog’s going offline while we bump the specs so we can deal with all the traffic, bear with.

I expect to see some articles tomorrow.

First one: http://www.tuaw.com/2014/03/03/snapchat-competitor-puffchat-...

NSAID12y ago

I'm not too impressed with the blog's author either. He documents breaking into another website in a previous blog post: http://faptrackr.org/blog/?p=45

hrrsn12y ago

That website hosted pirated copies of iOS apps, so it's not as bad as it seems.

deletes12y ago

It seems OP is in similar business.

https://github.com/KJCracks/Clutch

1 more reply

NSAID12y ago

As did a site the author was running, by my read. Responsible disclosure is one thing, but I won't support defacing of websites.

1 more reply

lukejduncan12y ago

It was the content of the article, and not the title of the blog that left the bad impression?

netman2112y ago

Take a look at vaportstream. They have ephemeral messaging that leverages vram to hide the messages from the kernel. Pretty secure.

primitivesuave12y ago

They really need to make a secure version of this app. You'd be saving thousands of burner phones from entering landfills.

MichaelGG12y ago

Aren't burner phones that way because you want to ditch the entire phone to erase any link to you after using it in an incriminating way?

cgag12y ago

Get an android and use textsecure if you actually care about people not reading your messages.

jbigelow7612y ago

If you're using a burner I doubt the environment is your topmost concern.

iNeal12y ago

Why would you even consider using this app?

pistle12y ago

1. Create snapchat alternative to try to harvest sensitive content & info. 2. Profit.

There is no platform or space, in someone else's control, that you can or should trust this way.

en4bz12y ago

From Founders twitter:

> provide evidence that can be used against him.

So is the founder trying to mount a legal case against him for hacking?

lstamour12y ago

1 more reply

wudf12y ago

@notacop See what great work you could be doing if you would participate in the year of code?

sergiotapia12y ago

Ultimate Streisand effect - I have literally never heard of this app that seems geared towards drug users; and yet I learn about it from it's incompetance.

How do people release public API's without THE MOST BASIC OF SECURITY CHECKS. Really? You can add a friend without any checks and even send messages as someone else? Christ.

A) Who funds these guys?

B) How can I get a piece of that seemingly-easy-as-hell-to-get pie?

nknighthb12y ago

danellis12y ago

I was a security specialist at a large software company for a couple of years, and I did some developer training.

My experience matches yours.

jmngomes12y ago

1 more reply

brianpgordon12y ago

It's actually a pretty damn good line, and I think it's really, fantastically hard to know when your ethical responsibility as an engineer starts to outweigh your obligations as an employee.

mpchlets12y ago

Hmm, did you just post this "disclosure" on your blog before informing the company? Well, now everyone is at risk if your claims are true. Poor form.

Proper course is to disclose to company first, then disclose after fix is in place in reasonable amount of time. Why risk everyone for your benefit?

akerl_12y ago

"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."

LCoder12y ago

At the bottom of the post it does state:

In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data.

MichaelGG12y ago

Everyone was already at risk, but they didn't know it. They were already downloading this content to devices everywhere.

He also says that he tried to contact the developer but got no response.

The dev would have been much better off apologizing, pushing a fix, and asking for a temporary embargo while the fix is put into place.

alcari12y ago

FTA:

"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."

zorpner12y ago

As you can read in the article, he did try to contact the developer.

hrrsn12y ago

They seem like really easy problems to fix, too.

nknighthb12y ago

Puffchat put people at risk.

rdl12y ago

Fuck "Responsible Disclosure" in cases of utter incompetence like this.

TacticalCoder12y ago

TFA states precisely this:

"In the interest of responsible disclosure I did try and contact the dev multiple ways, I was either ignored or not replied to and I feel users deserve to know what’s happening with their data."

endlessvoid9412y ago

This needs to be a part of ThatHigh.com :)

Except, you know, not sketchy.

j / k navigate · click thread line to collapse