mav
New Member
Posts: 29
Post by mav on Jul 24, 2008 15:02:56 GMT -5
Assuming this is true -- then there you go. AF looks at its user-submitted e-mails and phone numbers, probably picks out those flagged by people that have you as a friend, and just runs a local search simply to verify that the friend is a friend. If so, then the AF data as to the player's level and progress gets sent back to AF and finds its way to the player's friend to keep things updated. The search lives and dies within the app and no contact list stuff ever goes back into the cloud.
Again, assuming this is what happened, this is the kind of information people need to know to stem the tide of fear and inaccurate news coverage.
Kevin
New Member
Posts: 10
Post by Kevin on Jul 24, 2008 15:11:34 GMT -5
I assumed the contact list info was sent to the cloud where the query was run on the AF server. However, I'm also assuming the contact info was deleted when the query finished, based on the responses by the devs concerning the whole issue.
socom
New Member
Posts: 21
Post by socom on Jul 24, 2008 15:15:16 GMT -5
"socom, your pregnant doging and moaning is getting to be borderline annoying. I don't know what gratification you are getting by repeatedly remarking that your privacy was infringed upon, and elaborating on how wrong that was. Seriously, if you don't want to play the game, don't play the f*cking game, uninstall and go on your merry way! What is even more curious to me is what sort of contacts you have stored on your phone that you are so concerned about their rights being violated. You want to sue? Go sue! Just please don't feel obliged to share your indignation with the rest of the forum every 15 minutes; we get it."

Thank you for sharing, it means a lot to me. But apparently you haven't actually read the posts. First, I chime in just as others do; it's a forum, conversation goes back and forth, it's how it works. Keep reading, you and I both might learn something. Secondly, if I got answers to the questions I asked from the Devs I wouldn't need to keep bringing these things up. Since you seem to be ahead of the curve on this, feel free to explain to me how it all works, then you won't hear from me again on the matter. Third, as I have stated, I love the game and would gladly pay for it; my only concern was the list, because I do work in a corporate environment and there are contacts on there that are not for public knowledge. And according to their updated post this has been taken care of. I have never mentioned suing, only that I wanted it deleted. Even though we were talking about legality, that does not mean everyone involved plans to sue anyone. Fourth, why you are curious as to my contacts is beyond me. I would take a guess and say there are many people who would prefer their company contact list not to be on someone's server. But let's just pretend the only person in my contact list was my mother.. and she is really shy. I would think I would have the right to say, hey, need to remove that, mom doesn't want her name and number getting around by mistake.
Lastly, swearing in your first and only post, and in general attacking me, is not really that much more constructive.
Post by morgaine on Jul 24, 2008 15:20:07 GMT -5
I personally love this game and I hope a solution arises quickly and an update can be made to this game. I was browsing the Macenstein article, which was one of the first to address this issue, and stumbled across what seems to be a very good solution. Now, this is NOT my idea and I take absolutely no credit for it. The user who posted this on the Macenstein site was "Tai Da" and he deserves the praise. I simply wanted to post this here just to make it more visible to the developers, because I think it is the best solution I've read.

"Danielle, a way to get around this would be to hash each of the contacts with one of their contact info items. Make as many hashes as there are combinations of name + phone, or name + email. This 128-bit number (for MD5) could be bandied about all over the web without a prayer of someone regenerating private data from it. You could have a unique hash for each ‘real’ user also, not just for their hashed contact methods. In other words, if my friend ‘bob smith’ has three phone numbers and an email address, this algorithm would create 4 items. There would be no reason to tie these to ‘bob smith’ for any reason — just a salted MD5 that would match up later with an identically salted MD5 on the server, which was submitted by another user (maybe even Bob himself). Simple, and secure. There’s (almost) no way you could ever possibly hope to rebuild the name and phone number from an MD5 digest, but you can easily regenerate them using the same source data. I love your game, and I wanted to help you out. Hope this helps."

I actually just forwarded that post to the devs last night - it does seem like a perfectly good solution, doesn't it!
Post by andersonimes on Jul 24, 2008 16:13:34 GMT -5
"*sigh* I love the fact that all these people who register to post don't even read where you state you guys AREN'T storing their entire contact list. Come on people, show a slight bit of maturity and actually READ the post from the developers before believing everything you hear on some random news site. The only info that's stored is the info YOU submit to them in the community section."

"Excellent point! So in a way, AF didn't really violate your privacy..."

Sorry guys, but this is wrong. By not saving your contacts list, they are requiring you to send it to them every time you click refresh. This means that every time you are sitting in a cafe on free insecure wireless, or for every router your contacts bounce through, someone gets a crack at free and clear contact info. I'd almost rather they store it.
Post by theshaman on Jul 24, 2008 16:15:58 GMT -5
MD5 can be broken, especially if you know it's a phone number... don't use it please... salt won't help much... Just have everyone submit their own email addresses... ask for permission to use people's address book. Transport across https, match against the db and call it a day... Oh yeah, love the game, can't wait for the update, and in my book as a developer you guys did no wrong. People just get crazy... like claiming their address book isn't for public knowledge? That comment has no place here as it never was... and a copy on your iPhone... big deal, your address book has a copy there as well...
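The salted-MD5 matching scheme relayed in morgaine's post, and theshaman's objection to it, worked through as an added example (not code from the thread, the game or its developers): one token per (name, contact item) pair, server-side matching of identical tokens, and a defender's check of why a shared salt cannot protect a phone number, whose domain is small enough to enumerate. The salt, names and numbers are constructed values; `contact_tokens`, `server_match` and `recover_phone` are hypothetical names.

```python
"""Salted-MD5 contact matching and why a small input domain defeats it.

Models the proposal quoted above: token = MD5(salt + name + item), one
token per (name, phone) or (name, email) pair, matched on the server.
Because tokens must match across users, every client needs the SAME
salt, so the salt is effectively public. For a phone number that leaves
only the digits to guess: 10,000 candidates behind one area code and
exchange, 10^10 for the whole numbering plan. Hashing is fast enough
that either is a lookup, not a barrier.
"""
import hashlib
import itertools
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed shared salt. Per-user random salts would stop the lookup
# below, but then Alice's token for Bob would never equal Carol's.
SHARED_SALT = b"example-shared-salt"


def normalize(item: str) -> str:
    """Canonical form so both sides derive the same token for one contact."""
    if "@" in item:
        return item.strip().lower()
    return "".join(ch for ch in item if ch.isdigit())


def contact_tokens(name: str, items: Iterable[str], salt: bytes = SHARED_SALT) -> List[str]:
    """One salted MD5 per (name, contact item), as in the proposal."""
    canon_name = " ".join(name.split()).lower()
    return [
        hashlib.md5(salt + canon_name.encode() + b"|" + normalize(it).encode()).hexdigest()
        for it in items
    ]


def server_match(uploaded: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Server side: (token, user_a, user_b) for every token two users share."""
    owners: Dict[str, List[str]] = {}
    for user, toks in uploaded.items():
        for t in toks:
            owners.setdefault(t, []).append(user)
    return [(t, a, b) for t, us in owners.items() for a, b in itertools.combinations(us, 2)]


def recover_phone(token: str, name: str, area_prefix: str, salt: bytes = SHARED_SALT) -> Optional[str]:
    """Defender's feasibility check: knowing the (shared) salt, the contact's
    name and the 6-digit area code + exchange, a phone token is a 10,000-entry
    lookup. The same loop over 10^10 values covers every possible number."""
    for line in range(10_000):
        candidate = f"{area_prefix}{line:04d}"
        if contact_tokens(name, [candidate], salt)[0] == token:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: alice and carol both have Bob in their address books.
    uploads = {
        "alice": contact_tokens("Bob Smith", ["555-010-1234", "bob@example.com"]),
        "carol": contact_tokens("bob smith", ["(555) 010-1234"]),
    }
    for tok, a, b in server_match(uploads):
        print(f"match {tok[:12]}... between {a} and {b}")
    # A token observed in transit (the thread notes uploads were unencrypted).
    leaked = uploads["carol"][0]
    print("recovered from token:", recover_phone(leaked, "Bob Smith", "555010"))
```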
noyb
New Member
Posts: 1
Post by noyb on Jul 24, 2008 16:36:56 GMT -5
"lol, I too wonder what people are storing on their phones that is this sensitive. I mean, come on, would you have stored all this info in a paper Rolodex on your desk that could just be stolen? For security concerns the most you should have on your phone is name, address and email. No passwords, no account numbers, definitely nothing illegal because, well, that's just stupid."

"Agreed. What about a computer? Someone can hack into that baby day and night. What about forums or joining any other website? Emails, passwords, even credit card information is stored on those sites!! A community function that stores your email address and contacts such to link you IN GAME would be so small and so minute of a worry that it isn't even worth it. I digress. Plain and simple: if you don't like it, don't download it."

I think people are missing the bigger picture here. I am not as concerned with the lack of encryption as I am with the fact that they would pull all of this information without telling you in detail what they are doing. Your comment is ridiculous. How can someone know if they don't like something if they don't know it is being done? That is the big problem here. Also, everyone acting like it is no big deal to pull all of your address contacts must be a bunch of high school or college kids. I have plenty of people in my address book that are business contacts that I would not want to include in something like this even if I did want to participate in the community aspect. I would ONLY want to include my friends. Doing something like this without informing the user is amateur hour. These guys continue to brag about how they wanted to develop a cool app in 10 weeks flat. There is a reason why real applications take longer than that to develop. You have to look at the big picture when you are releasing your application to the public. Instead, it seems as if this was developed with the mindset of them using it with their friends.
Again, the lack of encryption, small server, etc. is not the major problem. The assumption that their users would want their entire address book uploaded is the problem.
Post by morgaine on Jul 24, 2008 16:55:20 GMT -5
whew, I cannot believe just how many hours I've had to spend reading news articles, stupid blogs, and however many hundreds of posts on this forum .... people have worked themselves up into a frenzied panic - and the data wasn't even being stored! I've started posting to Danielle and Jason, I feel so incredibly awful for you guys - you didn't deserve this at all. Have you managed to get through to anyone at Apple yet? Any word on the actual *official* reason for removing the app, or when/if the update will be released? By the way, I've seen lots of articles/forums/blogs out there that are just completely crazy and wrong - calling AF spyware and other nonsense. I'm making certain to post a clarification on every one that I find - that is, unless vegantnt got to them first Seriously though, I think this is one way in which we as a *Community* can actually be helpful to the devs - we can do some truth-spreading! Go out and find this rubbish, and DEBUNK it! If you think about it, the upside to all this is that the game is getting an INSANE amount of free press.
Post by cyberpawz on Jul 24, 2008 17:37:29 GMT -5
"This issue is not as serious as you seem to make it out to be; their servers have not been compromised, and they are working to fix it. Get your broomstick out of your behind, because what you are doing is nothing short of blowing something out of complete proportion."

"To those people that say things like this, who use the defense it's no big deal, nothing has happened yet.. shame on you. Do we have to wait until something does happen before we are allowed to voice our opinions? Do you have any knowledge of who has extremely confidential contacts on their phones? And if we do, are we not allowed to use this program? Do you know every possible scenario of what could happen, who could have attempted to get this data, if not before, certainly now that it has come into the open? Let me assure you, if those confidential contacts are not destroyed, there can be serious repercussions if anyone ever accesses that information. We reserve the right to expect a certain amount of privacy; as posted before, our contacts in our database had no option to opt in or out. None of you (except for the devs) have any true idea what data they pulled or have stored on their servers or anyone else's. Again, I do not believe this was done with malicious intent. But that doesn't mean it should not be immediately rectified and deleted. Why is it that we still have not heard that any and all data that had been captured or sent from our phones has been completely and utterly deleted? I would think this would be the very first thing that is posted and stressed from the Devs in the forums. I personally have asked more than 4 times, including in a private PM, and still no response on what the current state of all the data that was 'sent unencrypted to our web servers' is. Just msg me, email me, post on here: it's all been deleted, you have our word.. and I will be happy.."

Let me put it to you this way: I personally run a server that stores data from over 500 people, over 14 countries, which equals over 5GB of data... doesn't seem like a lot, but here is the thing, the data I have right now can cripple anyone I want if I let it go. I don't, because I promised people it wouldn't be. Also, server systems don't get hacked as often as you think they do; the majority of people that attempt to hack systems attempt it via DoS attacks or brute force attacks. The majority of systems, if patched correctly, which I am quite sure the servers this info is on are patched effectively enough, are immune to those types of attacks. Not to mention most systems have a router or switch, a firewall, and then also something altogether different which will keep things from being attacked. My server is continuously probed, but because I have my entire network stealthed no one can attack me openly. Even if they knew my IP address they wouldn't be able to access it. I am sure that your data, as precious as it is, will not be stolen; of course your porn swapping buddies must be protected, as are those people you think are important to hackers. I run a company off my iTouch, and I am not worried about the data... I have people worth multi-billion dollars in my contact list, angel companies, investors, financial gurus, etc... from all over the world. The fact that you are panicking, making people think that this was done and that a hacker can get to it in an instant, is asinine at best. You don't have a clue how to hack by the sounds of it; you don't know how encryption, or even standard routers or even switches work... or how data that is thrown to those, if it can't be traced back correctly, will never be seen by either... I am not saying it isn't impossible for the server to be hacked, but either way if you download this game you have an option... play it or don't.
They make it perfectly clear when you install it and want to add buddies what they are doing; if you don't like it, don't play it. I am not going to say that you are wrong in imagining the worst case scenario, but you are blowing things well out of proportion... and scaremongering. How about this: realize that hacking a server that is secure is not easy, and hacking one without knowing much about it, with no access to it internally, is nearly impossible if the firewall, the router, and switches are all set up correctly, and the server itself is protected via software, hardware, and also internal security, only allowing some things to work a certain way. The computer I am on now can't be hacked by a script kiddie; it can't be hacked by anyone, period... the fact that you will see my IP address doesn't worry me... and I expect the server that the game database is on is exactly the same way, if not more secure.... so untie your panties and let the developers worry about it... you don't need to. If you are so worried about your data, get a lawyer, delete the game, and shut the hell up... let people who actually have a head on their shoulders communicate like adults, not like children who cry over something or complain because something doesn't go their way.
socom
New Member
Posts: 21
Post by socom on Jul 24, 2008 17:37:39 GMT -5
"If you think about it, the upside to all this is that the game is getting an INSANE amount of free press."

Lol, this is a very good point, so when they do release the new one, it should do very well, because everyone is going to want to see what all the noise was about!
Post by miken1 on Jul 24, 2008 17:43:11 GMT -5
Any guess as to when the new version of AF will be released?
jeffy
New Member
Posts: 11
Post by jeffy on Jul 24, 2008 18:04:35 GMT -5
"realize that hacking a server that is secure is not easy"

We're of course assuming that the devs were as careful as you are, which I think we could hazard a guess that they weren't (or we wouldn't be having this discussion).
socom
New Member
Posts: 21
Post by socom on Jul 24, 2008 18:05:48 GMT -5
"To those people that say things like this, who use the defense it's no big deal, nothing has happened yet.. shame on you. Do we have to wait until something does happen before we are allowed to voice our opinions? Do you have any knowledge of who has extremely confidential contacts on their phones? And if we do, are we not allowed to use this program? Do you know every possible scenario of what could happen, who could have attempted to get this data, if not before, certainly now that it has come into the open? Let me assure you, if those confidential contacts are not destroyed, there can be serious repercussions if anyone ever accesses that information. We reserve the right to expect a certain amount of privacy; as posted before, our contacts in our database had no option to opt in or out. None of you (except for the devs) have any true idea what data they pulled or have stored on their servers or anyone else's. Again, I do not believe this was done with malicious intent. But that doesn't mean it should not be immediately rectified and deleted. Why is it that we still have not heard that any and all data that had been captured or sent from our phones has been completely and utterly deleted? I would think this would be the very first thing that is posted and stressed from the Devs in the forums. I personally have asked more than 4 times, including in a private PM, and still no response on what the current state of all the data that was 'sent unencrypted to our web servers' is. Just msg me, email me, post on here: it's all been deleted, you have our word.. and I will be happy.."

"Let me put it to you this way: I personally run a server that stores data from over 500 people, over 14 countries, which equals over 5GB of data... doesn't seem like a lot, but here is the thing, the data I have right now can cripple anyone I want if I let it go. I don't, because I promised people it wouldn't be. Also, server systems don't get hacked as often as you think they do; the majority of people that attempt to hack systems attempt it via DoS attacks or brute force attacks. The majority of systems, if patched correctly, which I am quite sure the servers this info is on are patched effectively enough, are immune to those types of attacks. Not to mention most systems have a router or switch, a firewall, and then also something altogether different which will keep things from being attacked. My server is continuously probed, but because I have my entire network stealthed no one can attack me openly. Even if they knew my IP address they wouldn't be able to access it. I am sure that your data, as precious as it is, will not be stolen; of course your porn swapping buddies must be protected, as are those people you think are important to hackers. I run a company off my iTouch, and I am not worried about the data... I have people worth multi-billion dollars in my contact list, angel companies, investors, financial gurus, etc... from all over the world. The fact that you are panicking, making people think that this was done and that a hacker can get to it in an instant, is asinine at best. You don't have a clue how to hack by the sounds of it; you don't know how encryption, or even standard routers or even switches work... or how data that is thrown to those, if it can't be traced back correctly, will never be seen by either... I am not saying it isn't impossible for the server to be hacked, but either way if you download this game you have an option... play it or don't. They make it perfectly clear when you install it and want to add buddies what they are doing; if you don't like it, don't play it. I am not going to say that you are wrong in imagining the worst case scenario, but you are blowing things well out of proportion... and scaremongering. How about this: realize that hacking a server that is secure is not easy, and hacking one without knowing much about it, with no access to it internally, is nearly impossible if the firewall, the router, and switches are all set up correctly, and the server itself is protected via software, hardware, and also internal security, only allowing some things to work a certain way. The computer I am on now can't be hacked by a script kiddie; it can't be hacked by anyone, period... the fact that you will see my IP address doesn't worry me... and I expect the server that the game database is on is exactly the same way, if not more secure.... so untie your panties and let the developers worry about it... you don't need to. If you are so worried about your data, get a lawyer, delete the game, and shut the hell up... let people who actually have a head on their shoulders communicate like adults, not like children who cry over something or complain because something doesn't go their way."

Lol, I swear, if you would focus as much of this on what the issues are versus me being upset at the issues, we would get farther. And as someone who just did a whole lot of guesswork and speculating, I won't even reply to most of this as it's a waste of conversation; you know nothing about me, you have no idea what companies I run or don't run, you know nothing of my background in security and infrastructure. Maybe, just maybe, if you did, you would not be so quick to tell me what can't be done. You may do all the things you say you do, you may not, but go ahead and ask those million-dollar friends of yours, those techie gurus, how they feel about the possibility that their contact information is or could be or was on someone's unsecured server without their permission. You're right, I'm sure they would all say.. woo hoo, put more of it up. I suppose you don't have NDAs for them either?
As for the rest of it, I didn't know you knew exactly what their security measures are and what firewalls they are using. And your router and switch won't do much to protect you.. don't think because it was switched to an internal IP that means much, because if you do know as much as you say you do, you are aware it doesn't. You might want to remember a billion dollar company felt the need to remove the app (rightfully or not) because of the mere possibility of privacy issues (granted, we are or I am assuming that is why it was taken down) and that tech stories all over are covering this, not just me in one little forum. Again, they and we have all said the same thing: great game, good that they are asking for what they should do next, but bad that it went out to the world like this. Yes, Apple is at fault too.. I know. And you might not want to show this to your company; a system admin that doesn't work with disaster recovery and worst case scenarios isn't doing a very good job. There is a reason we run those simulations: that's because it can and does happen. Of course, if you only have 5GB of data for 500 people over 14 countries, I'm not really sure how many servers, firewalls, routers and switches you would need, but I don't work with you, so who knows. And I wasn't worried about them being attacked or hacked at first, and sure, it's still a minor, minor possibility; however, now that there are tons of tech people out there who know, people who like to mess with other people for no other reason than to be malicious, it raises my concerns a little more. I just wanted to make sure they had deleted everything; they now say they have. Lastly, as for the porn comment, what is with people taking jabs like that? I really don't see the point. If you have an intelligent thought, then say it, but don't throw in stupid comments just for the sake of it. If there were porn contacts on there, pretty sure they would be the last people to care; the more business the better, I would assume.
Well, there goes not talking about it, ended up writing a book. As for everyone else, if I have been too strong in my opinions and am posting too much, I truly am sorry. I truly do love the game and hope that they can work out these issues. If I didn't, I wouldn't be pushing so hard on this forum; I would have done just what people have said, deleted it and moved on. I want to see it succeed and I want to see it back in the App Store. I won't be talking about any of these issues anymore, except if people continue to point at me and tell me what I don't know. And sorry for the long message.. wow.
socom
New Member
Posts: 21
Post by socom on Jul 24, 2008 18:08:19 GMT -5
"realize that hacking a server that is secure is not easy"

"We're of course assuming that the devs were as careful as you are, which I think we could hazard a guess that they weren't (or we wouldn't be having this discussion)."

It quoted the wrong person! But I agree with you, Jeffy.
Post by eliu87 on Jul 24, 2008 18:16:44 GMT -5
"If you think about it, the upside to all this is that the game is getting an INSANE amount of free press."

"Lol, this is a very good point, so when they do release the new one, it should do very well, because everyone is going to want to see what all the noise was about!"

Keep in mind this is negative press though...