"Security" is starting to do my head in. Dominos made me set a long complex password a while ago to protect my previous orders from ne'er-do-wells. I really don't mind folks hacking my pizza history, that's why my old password was "password". You're not a bank, Dominos, you're a pizza shop. I'll never let you store my credit card data even if you did offer that. Same for Subway and any other like them. Make my life easier, not more secure. Place appropriate security on your processes, and sack anyone doing security for security's sake.
Someone at Subway is a serious security nerd
App hacker Randy Westergren has outed the application developer at sandwich kingpin Subway as a serious security nerd. The hacker set his sights on the Subway Android app, which allows users to order and pay for sandwiches from their devices, in a bid to uncover possible vulnerabilities. He instead …
COMMENTS
Monday 13th July 2015 06:57 GMT ratfox
I do hate it when websites I really don't care about force me to use a complex password, often with weird rules such as "at least one special character not in ,.*$-+". This forces me to create a new password unique to this site, which I'm guaranteed not to remember six months later when I first need it again. If you have to ask for such a password, make sure your recovery options work well.
Monday 13th July 2015 08:01 GMT ratfox
Re: @ratfox
I don't like the idea of password managers, because it means I would likely forget even passwords which I use all the time. Then it would be a real problem whenever I need to use a device on which I can't use the password manager (my wife's phone, machines with install constraints, etc.) I'm not too comfortable having a lot of important data stored in a single place either; seems risky.
But maybe I'm just too lazy to try.
Monday 13th July 2015 08:43 GMT Nolveys
Writing password complexity verifiers is pure joy. You start with a list of rules, there must be a number here, a capital here, a non-letter-or-number here, etc. Then, when the user tries to set a password, you tokenize the password into capital letters, lower case letters, numbers and other character groups.
You then iterate the rules over each token until one of the rules fails (which is guaranteed to happen for all but one rule for each token). Then you return an error message to the user describing the failed rule and the position at which the rule failed (but not subsequent rule failures, as those have yet to be determined, and if they had, stating them would ruin the fun). At this point the first rule is thus decided and we are ready to start the next attempt, thereby determining the next rule. If there is only one token then an arbitrary next rule can be selected.
As the number of attempts is arbitrary it needs to be set to some value. I find that four is the correct number for things that people don't care about and will abandon if password verification fails too many times. Things that people really need to access can usually be set to ten.
My goal is to hit forty.
Monday 13th July 2015 12:23 GMT ratfox
"That password has already been used by ${USERID}. Do you want to log in as ${USERID} instead, or do you want to pick another password?"
Oh, I'd love that one to be implemented by my bank.
What has also happened to me at least twice is that after forgetting and resetting my password, I study the weird rules for creating a new one, craft a brand new password, only to get an error message saying I'm not allowed to re-use the old password.
Tuesday 14th July 2015 12:10 GMT Kubla Cant
Password verifiers
The enterprise incarnation of MS Windows evidently includes a feature that allows the BOFH to implement a complex set of password rules without telling anyone what they are. So on the day when you start a new job, and you have 100 other things to remember, you have to go through this:
Computer says "You have to change your password at first login."
You enter a new password from the range of passwords you can remember.
Computer says "No. Does not conform to rules."
You enter a mangled version of one of your memorable passwords.
Computer says "No. Does not conform to rules."
...repeat many times with increasing mangling until...
You enter an impossibly complex password that will conform to just about any rules. It is 30 characters long and includes uppercase, lowercase, digits, punctuation, whitespace, runes and hieroglyphs.
Computer says "Oh all right then."
You immediately forget the complex password.
Tuesday 14th July 2015 16:48 GMT Anonymous Coward
Re: Password verifiers
Then choose something like "OMG seriously? day one and I have to remember another password!".
That is roughly what you were thinking when challenged for the new password, the two are already linked, make a phrase out of it and fit that phrase to the complexity rules.
"OMGsrsly?D@y1"
Say it to yourself a few times, you could even write the longhand down as part of your first notes.
Passwords are hard if they don't flow or have no links to the situation. If you build passwords from long phrases the compressed result can be pretty good and you can have the seed in plain sight. Try not to choose phrases like "looking forward to punching X!" unless that is all you can think about, in which case you probably won't need to write it down.
Monday 13th July 2015 10:16 GMT JDX
Re: Quite agree.
Main benefit for me is I can pay online for delivery, as most local places don't provide this.
Also, half the time when I phone up the combination of noisy work environment and language issues means I'm fairly unsure quite what I've ordered and where they're going to send it.
Monday 13th July 2015 15:22 GMT Chloe Cresswell
Re: Quite agree.
I used to use them a lot.
Then I was issued a new debit card, and can only pay by card now if I'm having it sent to my home.
As 90% of the orders were when I was out on the road, that meant I had to pay cash (if I had any), and if I'm paying cash, I might as well skip the middle man and ring somewhere direct!
Monday 13th July 2015 19:39 GMT Stevie
I'll never let you store my credit card data even if you did offer that
And just how, pray, do you prevent them from doing that if they really want to?
Plus: Your credit card data are intended to be publicly revealed. To think that a credit card is secure over a blind tele-transaction is optimistic to say the least.
Naive pizza customer is naive.
Monday 13th July 2015 14:52 GMT Pascal Monett
Re: "the article even says that their methods were pretty trivial to bypass"
Not quite.
The article quotes: Westergren says certificate pinning and signature verification are laudable goals for application developers but will only "slightly impede" reverse engineering
That means that it is not difficult to pick the app apart, which is rather logical. It is, however, more difficult to tamper with the app without said app noticing it, and the pic in the middle of the article clearly shows that you don't get away with it easily.
Monday 13th July 2015 07:02 GMT Mark 85
Re: Subway devs employ security by design
We beg for security by design and I'm guessing there will be more than one commentard berating Subway for this. I realize it's only a sandwich shop, but if they can do it, so can the bigger chains and they should. It may not be the best security but it is a start.
Monday 13th July 2015 07:06 GMT Lusty
Re: Subway devs employ security by design
"We beg for security by design" actually most around here tend to beg for choice such as third party firmwares which this seems to not play with. Ask yourself, out of all the commentards, how many would prefer not to be able to use an app for ordering a sandwich compared to how many are happy that a sandwich app is so secure they can't use it with their modded phone?
Security is fine where appropriate, and banks should definitely do this stuff, but ordering a sandwich just doesn't justify this.
Monday 13th July 2015 07:42 GMT nematoad
Re: Subway devs employ security by design
"Security is fine where appropriate, and banks should definitely do this stuff, but ordering a sandwich just doesn't justify this."
Oh, and what happens if a person uses the same password on a lot of sites, trivial or not? You lose one, you lose the lot.
"The weakest link" and all that.
Monday 13th July 2015 08:35 GMT djack
Re: Subway devs employ security by design
"Security is fine where appropriate, and banks should definitely do this stuff, but ordering a sandwich just doesn't justify this"
I'm not even sure that banks should be doing some of the checks that they do. Such as rooted device checking. I was given the choice of running a stock firmware with known vulnerabilities (updates no longer being produced by the manufacturer) and being able to use my bank's app, or running an updated custom firmware that my bank deems to be insecure.
Monday 13th July 2015 15:42 GMT Dan 55
Re: Subway devs employ security by design
Doing certificate checking properly is great but I'm not sure what checking for root is supposed to achieve.
Channel 4 also tells you off for having a rooted phone, even though CyanogenMod despite being pre-rooted is probably one of the most secure firmwares out there. The end result is I don't use their app, not I don't suddenly see the error of my ways and downgrade to stock 4.1.
I suppose Privacy Guard needs a 'don't allow app to detect root' option in the list of permissions, if Android is that fine grained.
Monday 13th July 2015 13:37 GMT Anonymous Coward
Re: They're watching
"Or you could be suspected of being a peadophile"
That only happens if you add lots of peas to your overpriced sub. (*)
In Jared Fogle's defense, AFAIK the raid on his home was evidence gathering related to the former director of his charitable foundation having been arrested on several paedophilia-related charges. It's not clear that there's any evidence Fogle himself was involved in similar activities.
(*) Assuming Subway offer "peas" as a topping. Which they probably don't.
Monday 13th July 2015 07:05 GMT A Non e-mouse
Apples & Oranges
I don't think certificate pinning or O/S checks are intended to prevent reverse engineering. They're there to try and ensure that someone isn't doing something nasty to the end-user (e.g. fake Subway servers).
Without hardware assistance, I believe it's quite hard to truly prevent reverse engineering of software. All you can do is insert traps to slow people down.
At the end of the day, the app developers took some time and trouble to make reasonable efforts to protect the service they provide and they were slapped down by someone seeking some publicity.
Monday 13th July 2015 08:46 GMT Jad
Re: Apples & Oranges
Absolutely, low hanging fruit and all that.
It's the same reason you shred all your financial documents (and letters from school, and Virgin, etc) so that it's hard to get information from them ... you can't stop a really determined person getting data back from shredded paper, but if someone else has non-shredded paper with all the details you want on it they will go there first.
Monday 13th July 2015 07:38 GMT TeeCee
Hmm.
Could just be an overreaction to something.
Like, oh I dunno, if some bunch had breezed through their password security to nick a load of their customers' credit card details not too long ago.
Monday 13th July 2015 07:39 GMT JulieM
Expensive locks on cheap flimsy doors that lead to empty cupboards
My Inner Paranoiac says it's precisely the sandwich ordering bit they don't want you poking about with.
Think about it. If there existed an open and extensible protocol for describing the construction of a sandwich, possibly extending to querying ingredients actually available, that might actually be useful to the consumer of sandwiches. A single app could query multiple sandwich shops and direct you to the best match for your requirements. There could even be multiple, competing sandwich apps not locked to individual vendors. How about a vegan sandwich app that won't allow you to select real butter, honey or m**t; or one for grown-ups with imaginary friends that won't let you order bacon, or anything at all on certain dates when supposed to be fasting? (Possibly even dodgy ones that order extra salad without you asking, or won't let you ask for certain ingredients without a paid upgrade).
Absent any such thing, we face incompatibilities which arise by accident and are maintained on purpose to lock us into the same vendors. The Subway sandwich app exists not to make it easier to buy sandwiches from Subway, but to make it harder to buy sandwiches anywhere else.
Monday 13th July 2015 07:48 GMT Jim 48
Re: Expensive locks on cheap flimsy doors that lead to empty cupboards
I've got to ask, why the hell is 'meat' (I presume, from the context, that that is what the 'm**t' is) bleeped out? Is it some kind of vegan trigger warning and if they see the word written out in full they will instantly want a bacon sandwich (on sliced white, no butter, brown sauce). And of course they'd never be able to figure it out for themselves, like dogs and the b-a-t-h.
Monday 13th July 2015 08:17 GMT Sir Runcible Spoon
Re: Expensive locks on cheap flimsy doors that lead to empty cupboards
" like dogs and the b-a-t-h."
Our dog has learnt to spell, so that one's out. If I ask her to go outside and do a wee and it isn't obvious we are about to leave the house, she gets very suspicious, and I think she has now successfully managed to piece together that this is a precursor to having a shower :)
Tuesday 14th July 2015 07:59 GMT Sir Runcible Spoon
Re: dogs and b-a-t-h
When it comes to actual food potential the whole spelling thing just goes by the wayside and she brings out the big guns: telepathy.
Seriously, you've only got to think about going into the kitchen for something and she can go from 'lying on her back with her legs pointing to the four corners of the universe' to 'stalking mode with ears in Jodrell Bank position' in as much time as it takes to blink :)
Monday 13th July 2015 09:34 GMT Drefsab_UK
I hate a lot of this
It's really frustrating that this seems to be a growing trend: if you run a custom ROM then sorry, we don't want you.
I get protecting the app from reverse engineering, but look at the HTC One X+: it's still a good and fast phone, it has 64GB of storage, but software support was dropped by HTC a while ago, meaning no Lollipop, no Heartbleed fix, let alone other issues that existed (bugged Bluetooth stack etc).
Then you have the devices tied to carrier updates, so the vendor may push out an update but the carrier never pushes out an OTA. Meaning even more security issues.
However, if you update to a custom ROM, you can fix a lot of these issues, but then that apparently makes you some kind of pariah to the likes of Subway or Sky / Virgin Media / online banks. The result is not that I switch to using stock; the result is that I just don't use your apps, which is not what the app developers really want. The whole point is to have their apps used. Surely a more sensible balance could be approached (look at Netflix for example, which works great on a custom ROM and streams media even when Sky and Virgin can't).
Monday 13th July 2015 09:57 GMT Anonymous Coward
Damned if they do...
I'm not sure what the story is here. It seems to me that it is usually easier to do things properly, even in instances where a bodge would be adequate, because that way you don't need constantly to decide when "proper" methods should be used or not. In this case, a relatively trivial app appears to have conformed to some semblance of good practice, and although that good practice may be overkill, it remains good practice. There's no particularly negative story here about excessive security other than a bit of insider criticism to demonstrate a bit of "I wouldn't do it like that" opinion. A real story would have been if it required inputting your mother's maiden name to add sliced tomato, which would have been process security gone mad.
Beer, a better alternative to an elongated sandwich anyway.
Monday 13th July 2015 10:24 GMT Joe Montana
Theatre
The certificate pinning makes a lot of sense, as you really can't trust CAs these days... The anti-reverse-engineering stuff is just stupid; as the article points out, it just slows someone down slightly but doesn't actually prevent them from doing anything.
Knowing how something works doesn't make it insecure unless the design is fundamentally flawed. Everyone has access to the source code for Linux, and yet many highly secure devices are Linux based. And if your application is so flawed that someone who understands how it works can do nasty things, then I don't want to be using it at all.
I would much rather fully understand what I'm using, or at the very least know that I have access to do so should I desire, and that others whose abilities I respect have already looked. I don't want to be using a black box full of security holes just waiting for the first blackhat to find and privately exploit them.
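The certificate pinning that A Non e-mouse's and Joe Montana's posts above are weighing up, as an added example that is not from Subway's app or the article: Android's declarative network security configuration, which pins the server's public key so that a certificate chaining to any other CA, including one a user installed on a rooted phone, is rejected for that host. The host name, the pin digests and the expiration date are placeholders (assumptions), not Subway's real values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (Android 7.0 / API 24 and later).
     Wired up from AndroidManifest.xml with:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Host and pin values below are placeholders, not the real service's. -->
<network-security-config>
    <domain-config>
        <!-- Only connections to the ordering API host are pinned;
             includeSubdomains covers e.g. api.order.example.com as well. -->
        <domain includeSubdomains="true">order.example.com</domain>
        <!-- After the expiration date Android stops enforcing the pins but still
             validates the chain against the trust store, so a forgotten key
             rotation degrades to ordinary TLS instead of locking users out. -->
        <pin-set expiration="2026-12-31">
            <!-- Each pin is base64(SHA-256(DER SubjectPublicKeyInfo)) of a key
                 in the chain (leaf or intermediate). From the server's PEM:
                   openssl x509 -in server.pem -pubkey -noout \
                     | openssl pkey -pubin -outform der \
                     | openssl dgst -sha256 -binary | openssl enc -base64 -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_KEY_PIN_BASE64=</pin>
            <!-- Backup pin for a key kept offline, so the app keeps working
                 when the live key is rotated. -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_KEY_PIN_BASE64=</pin>
        </pin-set>
        <!-- Trust only the system store: CAs the user added (the usual
             interception set-up on a rooted or test device) are not accepted. -->
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
```

The check decides which servers the app will talk to; it does nothing to stop someone decompiling the APK, which is the distinction both posts draw.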
Monday 13th July 2015 12:19 GMT PassiveSmoking
Wow, of all people to be on the opposite end of the security bell curve from Adobe, Subway is the last candidate I'd expect.
Having said that, it's kind of sad that an app that actually doesn't have utterly broken security is considered a pleasant surprise. This is pretty much the level most apps where money and/or private data can change hands should be aiming for.