Re: F-Droid only if you can
Ok I got the hint nobody wants to hear about how much better an "insecure" software source like F-Droid (which has never had malware) is.
Security biz Pentest is sounding alarms after it found an Android app it says has been downloaded 50 millions times despite being "little more than malware." UK-based Pentest said a whitepaper study [PDF] of the popular Flash Keyboard found that the Android app is "abusing" OS permissions, inserting potentially malicious ads, …
This post has been deleted by its author
Phoning home to China leaves your phone open to being completely taken over. Any connections that cross the "Great Firewall" can be intercepted. Google is not going to install malware or sling ads on your lockscreen. This keyboard app is still in playstore, and one of the multitude of permissions is, "download files with out notice" . Helloooow? Does that alone but bother you. Perhaps it would be best if you did a little homework before embarrassing yourself.
Well requiring an open source code repository for all apps discourages the Asian scammers up front plus the apps are free. The drawback is of course a much more limited selection of fart apps (and admittedly other apps as well). To be honest a teen girl social butterfly couldn't probably get by with just F-Droid but its perfect for a back up out of warranty after market rom phone on which you don't want to have any sign on accounts.
@King Jack,
@ bazza Please can we stop using that stupid argument
Ooo, touchy! Been stung by some Android malware recently?
As you blatantly ignored my innocent call for debate on my question, I'll kick it off.
So what's worse? An app whose permissions are blatantly and clearly more acquisitive than necessary?
Or Google's lengthy EULA which grants them far more rights, yet goes unread by and largely unexplained to end users?
Google are fundamentally no more or less trustworthy than any other US company. Arguably they're less trustworthy than a European company who operate in a much stronger data protection legal environment. Google operate in a data protection legal vacuum by comparison.
But they're just another company, and one who are on a mission to get more of your private data so as to screw more advertising revenue from that market. So far they have managed to be far more successful at it than most others so far.
Granting them special access to ones private data is fine if that's what one wants. But having done that it's inconsistent to then whinge about an app that quite openly and clearly (by means of its permissions) tries to do the same thing but on a more limited basis. Especially as it can be avoided entirely, simply by not installing it.
Sure, an app such as this keyboard seems particularly slimy (but then so is Google's EULA), and it is kinda crazy to install it. But millions of installers seem not too worried about the permissions that were put before their very eyes.
Difficult Challenge For Google
It might be that this kind of thing gets installed because people don't care, which in turn may be because they don't put anything they really care about on their phones.
Yet Google wants them to trust their entire lives to their mobile (so they can extract advertising cues from it). However if people are deliberately withholding data from them that's going to limit how much Google can grow their business.
And then there'll always be those people who find the whole Google-sees-everything nature of Android utterly repulsive. And given Apple's success, you have to conclude that there's a monied majority (majority as in Apple have made more money than Google) who'd rather not join Google's club. And then you get the BB10 users such as myself...
No.... ok, Betteridge's law of headlines does not apply here apparently.
I'm sure the publisher will claim ignorance. "oops, we had those things on for testing and forgot to disable them".
The bigger question is, why would anyone use a keyboard app that requested those permissions? User education is the only way to keep users safe. Otherwise, we'll all be playing in an empty sandbox wearing safety helmets and drinking out of sippie cups, because, you know, we don't want poor Johnny to feel left out of group activities.
Johnny here is the moron who's too stupid to know that you shouldn't install anything from China that requires internet, camera, contacts, etc... Don't be Johnny!
>The bigger question is, why would anyone use a keyboard app that requested those permissions?
Um because Grandma isn't an expert on app permissions which is another reason why Apple can charge the premium they do. They do a better job sippy cup or not of protecting users from their own ignorance.
And even if she has she doesn't have any way or not giving the permission other than not installing the app. I have a lot of apps that require more privileges than I like to give but I can't revoke them. For instance Kitchen Timer needs rwd access to my SD card and a Latin English dictionary demand the right to read phone status (it's on a tablet without phone capability and still works so it plainly isn't a necessity).
Where was your USB or bluetooth keyboard made? Is it China? Now, what would you do if there was malware built into your keyboard that could secretly activate itself at random times and also gathered and forwarded your info? Do you know how to decode a USB connection stream and monitor it for this kind of weird activity? Me neither, but that's my next security project for home; what are my Chinese keyboards doing when I'm not looking? Please continue typing, people. Nothing to fear, so far.
This post has been deleted by its author
Because there is no existing app that doesn't require ALL the existing permissions; if you want to actually install anything at all, you learn quickly to sign away your first-born (and as many more offspring as requested) without even thinking twice about it. I should know - I refuse to do that but the price I continually pay for it is basically having nothing to install. "It's the integration, stupid" - every app has bloated into getting integration with all aspects of your phone, so it asks for everything...
demands access rights far exceeding what I consider reasonable for the job it's doing.
I sometimes think that only a small fraction of users even review the permissions, and fewer even decide against installing based on that.
I have no idea why Google yanked the Permission Manager functionality. Is it to suck up to developers who'd otherwise have to structure reasonable requests for access? Not like they're endangering their entire ecosystem by alienating a few devs who just request full access to phone/text/location for a simple flashlight app. They are however endangering their user base by allowing that bullshit to continue.
Android 6 permissions model works differently. You don't grant any permissions* until the app tries to use that feature (basically the same as iOS). You can also retrospectively revoke permissions even on legacy apps (which may cause them to crash, but my personal experience is that most of my apps survived the denial of things that are not functionally related to the app's purpose)
* admittedly that's Google's version of any, meaning it can still do network etc.
With android M, permissions are granted at runtime and the app gets an exception if it isn't granted the permission. Older apps still get their permissions up-front at install time, but a savvy user can disable them before first run. The reason the old K permissions manager was disabled was, put simply, because it broke too many things if you actually used it, and it broke them in unpredictable ways that were very difficult to debug.
As stated, of course, pretty much everything has network access permissions. But pretty much every app needs those for one reason or another (at the very least for ads in the case of the flashlight apps, which why are you even installing that if you're on L or M? It's built into the OS!). And one doesn't want to ask users about a permission that every app asks for because that just contributes to people ignoring the permissions warnings.
Unfortunately the new permissions framework on M doesn't help much since most people aren't on devices which have been upgraded to M. That's Android's real problem relative to Apple - most users don't care about permissions and privacy settings, but they do care about apps. And fewer apps get written, and they have fewer features, when only 10% of the phones have the latest OS.
"most users don't care about permissions and privacy settings"
I'm not sure that's true, or fair to most users.
I think that most of us, to one degree or another, have just surrendered.
A few decades ago people remarked on the page of dense fine print on the back of a car rental contract.
Everyone knew it was absurd, and everyone accepted that no-one ever read it, but it was part of the deal, so you just signed.
What's changed is that literally everything you do on-line forces you to "sign" a long, dense, and unread contract, and with apps, accept a more or less random demand for permissions.
People just don't have hours each day to read these things.
Even if they did, the fact remains that if you need a service like FedEx, Netflix, or any of hundreds of government sites, you have NO choice in the matter: accept the contract conditions.
Heck, even my entirely open source computer makes me click to accept the various licences.
I don't buy the "users have just surrendered". That may be true of Reg readers, but the average Android or iOS user doesn't really have a clue what it means when they are asked for permission to use location information. They'll just agree if asked, just like they will agree every time Windows 7 asks for permission to do something that needs admin rights, etc.
The thing in Apple's favor is that since this sort of permission has been required forever, app writers know they can't get away with requesting ridiculous permissions, like wanting access to contacts or photos for an app which has no earthly reason for wanting it. The average user might not know why that's a bad idea, but the ones who do give one star ratings that kill it in the app store.
Eventually the same might be true for Android, the problem is it will take many years until app writers are forced to change their ways because there will be hundreds of millions of people on Android 4.x and 5.x for years and years now. Another problem is that many Android apps simply break if a permission is denied, because they haven't been updated to expect the possibility of a permission being refused since that's so new. But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!
@ Doug S
Quote: "But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!".
Not really Googles fault (apart from them caving to pressure), they wanted to have proper permissions management in Android from day one, but developers (of the services they were typing to attract, like FB etc) didn't want to play ball, and refused to write apps for the then new Android platform if the users could just switch on/off permissions as they (the user) wanted.
So initial Android came with the horrible 'all in advance' model.
Android is big enough now (by far) to force through what Google originally wanted, and I think with all the various issues the existing process has, I don't think anybody else (FB etc) can really object in anyway without making themselves look like the issue (which of course is exactly what they were/are anyway!).
But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!
Because Android is, and always has been, a user-tracking and ad-delivery system. Which should surprise exactly no one, since Google is, and always has been, a user-tracking and ad-delivery company.
Oh, and don't discount that 'innocuous' network permission as a tracking tool. Since GPS creeps people out, many, many apps now request "View WiFi connections" instead. That returns a list (with signal strength) of all APs within range of the phone. They can cross-correlate that info to a database of AP locations, which in turn will geo-locate the device almost as precisely as GPS (at least in urban areas).
Now if only the permissions model was narrow enough. As I understand, and admittedly I'm not an Android developer, required permissions are auto-determined at build time by looking at the dependencies of a project. Given the interconnectedness of services and APIs, you easily end up requiring silly permissions, because some little corner of a library somewhere might need it in specific circumstances...which, of course, may well be totally irrelevant to your app.
My pet peeve with network permissions is that I can't limit the destination. Many apps need/want network access to check for updates/configs/etc. I'd prefer to only allow them to phone home to destinations of which I approve. I've not seen Marshmallow's permissions in action, but a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated.
" a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated."
That would be good wouldn't it, as would various other possible improvements.
I seem to remember something like that in later versions of Symbian, but it was a long time ago so I could be wrong.
Oh well, stuff's progressed since then. Not sure which way though.
"My pet peeve with network permissions is that I can't limit the destination. Many apps need/want network access to check for updates/configs/etc. I'd prefer to only allow them to phone home to destinations of which I approve. I've not seen Marshmallow's permissions in action, but a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated."
--------------
Unfortunately, this becomes less and less useful as malware migrates, and all you see is some anonymous commodity cloud server in the url.
Hi,
You might go have a look at no-root firewall apps in playstore. There are many to choose from now, and Lostnet has a geo blocking function. You can fire up these when using apps that are suspect. Or run it all the time.
Now, for those who don't think it's a big deal about this keyboard app, then I suggest looking at how few permissions other well known keyboard apps ask for. Almost all are about half the amount.
I once had one of these smartphone things and was appalled to see what practically anything I downloaded to install pretended to access on it. Phone records, camera, log files, etc.
So I got rid of it.
As I see it, the truth of the matter is that a *very* small fraction of users even *know* about permissions and fewer *have the knowledge* to act upon them.
Even fewer decide against installing based on the permissions these freeware malware impose.
This post has been deleted by its author
Yeah really. The correct call is to buy a Windows Phone or Blackberry as an investment. It will probably end up being the last model either make and much like the Kin you can probably ebay it in several years as a nerd joke gift for a good amount of cash. A lack of scarcity in the wild certain won't be an issue considering both's unit numbers are now down pretty much to what they give away to employees.
Is to pay attention to the permissions being requested by what you're installing, and the reputation and reviews of the publisher, but the same type of people that would get suspicious that someone asked for their house key and social security number on a first date can't be bothered to pay attention to what they're doing on their phone, tablet, etc. Maybe it's because our brains are wired by evolution to not think that something as innocuous as a feather touch on a phone display can set in motion an immense chain of events and repercussions. Of course anyone that has drunk texted their friends or lovers has likely come to understand this in the light of day.
There is a great deal of freedom and flexibility with the Android platform, but you do have to consider the decisions you make, and a decent freeware AV isn't a terrible idea either. Some people may be better off in the walled garden, at least until more security is built in by default.
And silly AC is ignoring that many Android users paid a fat wad for devices they can't expand with SD memory and has no removable battery. Or was the Galaxy S6 just a figment of my imagination? And it wasn't the only one.
What people like you ignore is that not everyone cares about those features as much as you do. I remember in the early days of Android when one of the touted features that Apple was missing was an FM radio. Many Android phones still include that feature, and Apple still doesn't, but I have yet to every personally meet ANYONE who uses their phone to listen to FM radio. Sure, if you want an FM radio or SD card or removable battery Android is your only choice. But don't act like these are features that everyone wants. I'd prefer not to have my performance go in the toilet since the SD interface sucks so bad compared to properly designed internal storage, thanks.
I have used the FM radio before, though sparingly. I wouldn't call it a deal breaker by any means if it isn't there, though it seems silly to not have an app to use it if the feature is already on a chip in the phone. I would miss my IR remote though. If you buy a decent quality SD card, performance is fine. If you buy the cheapest one you can find, it won't be. A removable battery is nice, but the deal breaker for me is if the device doesn't have an SD card slot. I like storing my media on an SD card. You can preach all you want about cloud backups, but if something happens to my phone, I can just pull the card and there's my stuff, or swap the card into my next phone like a SIM, and again, there's all my stuff.
Though even if there was no card slot, I would still prefer an Android device personally. I just like the flexibility and the UI better. I've never cared for Apple's UI design on their phones. And I don't have to use the frustrationware that is iTunes.
"or SD card or removable battery Android is your only choice"
Or you can buy a Windows Phone. My Lumia 640 has both.
But back to Apps (and obviously being a WP user I'm hardly qualified to talk about those as there are so few on WP ;)). It seems to me that no one cares about the origin of apps, who the authors are or anything. On a Linux PC, if I was installing something, I'd be checking out the website or open source repositories or professional reviews. It seems nobody cares that the authors are unknown and can't be contacted. it seems that average joe (or janet) user just thinks apps are created in the ether somewhere by pixies and can be installed without a care. No wonder things often end badly.
* Oh wait 80%? Ouch! I wonder how many shoppers even realize that Google is behind Android, or that M$ makes serious $ from it too. But what's the alternative? That, or post a pile of money to Apple...
* How many consumers are aware that the Play Store is full of this sh1t? If I didn't follow these articles, I could have easily assumed, that Google would never be dumb enough to let this happen.
* Do we see any warnings in the mass media? No its just glorified plugging of the Play store all day long, and how neat this app is, or this other one.
* Its all very well to talk about educating users. But whose going to do it, the government? F@ck that! There needs to be accountability and responsibility here. Google should be fined megabucks for letting these apps slip through. Blaming users is just so unjust....
* Its also increasingly tricky to find a real-world store that offers a non-Android dumb phone from a few years ago. There just isn't choice anymore. Its the same with Smart TV's. No basic models around anymore.
* Many flavors of Android phone sold across the world (outside EU./ US), come with tracking enabled out of the store with invasive apps already installed. WTF??? Vendors should be lined up and shot for this...
What do you mean you never see any warnings in the mass media? I see stories about Android malware in places like Cnet all the time. Until there is some Android malware that causes real consequences for a lot of users the problem will be ignored. Look how many years Windows malware (and DOS malware before it) was around before it really got the kind of attention required for Microsoft to do something about it. It wasn't until stuff like Code Red, I.Love.You and so on all hit over a short period of time and caused a lot of problems that people took notice, and bad publicity forced Microsoft to act.
The same will be true of Google (and Android OEMs who are part of the problem as far as not updating Android) Until it becomes a big problem, they will mostly ignore it because it isn't hurting them financially. I'm not sure why you think Google should be "fined megabucks" because of apps in the Play Store. Should Comcast be held liable if hackers use their pipes to cause trouble? Should AT&T be liable if terrorists use their phone network to call each other and plan attacks? Should HP be liable if the KKK uses their printers to print racist materials?
Good for you! But its warnings to the masses I'm talking about. Not sites you and I read. We don't need to read every warning anyway as our defences are already up. Its the average person in the street who needs this info, and urgently... In fact the most ignorant of all, are the staff working in stores selling this stuff. Talk about clueless...
Boy talk about red herrings!
What do you mean you never see any warnings in the mass media? I see stories about Android malware in places like Cnet all the time.
Uhh, Dougie...for the record Cnet != Mass Media. Call me back when NBC does an in-depth story in the Nightly News, or this becomes a story on 60 Minutes.
Should Comcast be held liable if hackers use their pipes to cause trouble? Should AT&T be liable if terrorists use their phone network to call each other and plan attacks? Should HP be liable if the KKK uses their printers to print racist materials?
The mind just boggles at the density of that remark.
Wow, so you're upset that people are backing Google and Microsoft by buying Android, but then note that the alternative to giving them money is to give Apple money. You know that's how business works right? You give people money for a product or service, and the ones with the most successful product or service get more money.
I don't think there's any confusion that Google are behind Android, I also don't believe most phone buyers give a crap. They probably don't even buy a phone - they get it free on contract, and the network handles the payment for the phone. So as far as they can see, they've paid Google/Microsoft/Apple absolutely nothing.
The Google Play Store is also not "full of this shit".It's got some malicious apps, the majority are not.
I had deleted many Android software because they had permission creep. They had a few permissions, and then added more. Another set of software that I refused to update was a calculator that seemed to need access to the phone. It used to be excellent until they decided to team up with a phone answering company that basically hijacks your phone when it rings.
I have increasingly had to delete software. Probably one of the most useful software I have installed on my Android mobile is No Root Firewall. It has stopped me from getting adverts for many installed software. :)
"Is that not what the Darwin awards are for?"
They are only for *fatal* stupid. And even they don't *fix* stupid.
Side note: Many of the incidents that lead to people being shortlisted for the Darwin Awards are linked to an apparently innocuous molecule sometimes called methylcarbinol.
You or I know it by its full "scientific" (i.e. IUPAC systematic) name, ethanol. A distressingly large fraction of DA winners (and even runners-up and mere Honourable Mentions) were drunk to a lesser or, more frequently, greater extent.
Android has a "security system" limiting access rights for applications, but in reality that's useless as people just install stuff anyhow.
Instead of useless security measures we should have mandatory code reviews. In the case of a "keyboard app" that shouldn't even be difficult, as such an app surely has less than a screen full of code.
Since the distinction between good and bad is often a question of opinion, we need multiple sources providing code reviews. Ideally we'd even have a whole dialogue about code and code patches. For this to happen code needs to be much simpler and therefore better written than what we currently have.
So you want Google to wall up their garden with higher walls than Apple? Even Apple doesn't require submission of source code, which is what it sounds like you're suggesting. I'm sure app writers will be totally comfortable giving up their source code to Google, one of the world's largest software companies...
>So you want Google to wall up their garden with higher walls than Apple?
I think what might be desirable to el reg's audience are FLOSS repos for android.
You can keep your trivia apps, I just want vlc or mplayer, amarok firefox, kmail etc on a phone.
I trust those guys more than I trust google.
Alternatively a system of shims between apps and resources: a GPS fuzzer/usage verifier, a camera/mic use verifier, a contact data filter.
"You can keep your trivia apps, I just want vlc or mplayer, amarok firefox, kmail etc on a phone. I trust those guys more than I trust google."
That would be Ubuntu Phone then. I haven't used any version of x-buntu for a few years now, because I think there are better distros for just about any given purpose, but I'd trust their phone offering well ahead of anything else I've seen on the market.
Then again, perhaps running UP and sticking to the official repos is about as limiting and no safer than running Android and sticking to the Google-branded apps. In both cases you are intentionally cutting yourself off from all the third parties simply because you can't tell which ones are trustworthy.
"You mean like F-Droid?"
Yup. And if you're missing the pretty pictures to see what the app looks like at a glance (which F-droid apparently considers to plebeian a thing to do) there''s always a chance its more handsome mirror Flossdroid can help...
What I want is a place where I can get some information on if someone looked at the code, or at least some information on the license of it. F-droid for example only accepts software where the source code is public... and they even warn you about software you might consider malware.
The big point is that _I_ need to be in control of _my_ hardware, not some company, not some app-store, but me. And this is currently impossible as Android is far to complex.
In just the same way that ordinary people (my mum, billionaire leaders of tech services, IT professionals included) don't or can't have a personal password policy which ensures security, the same people when faced with a multitude of questions when installing something will just press 'ok'.
It's precisely the same thing that goes on when we click the "I have read the terms and conditions".
Each time some failure of security results, there's lots of helpful advice on these threads about what people should do.
But they're as likely to do it as the pope is likely to convert to islam. So it does beg the question why we keep on building a tech world which doesn't work well with the way humans actually are, rather than some mythical alternative where we study password policy 8 hours a night and read all the legal small-print before ticking a box.
Yes, it's a good browser. Plus, add-ons, which is even better. I would think it would require all those permissions to provide the web APIs to allow access to them. Firefox itself probably doesn't care about your GPS location (for example), but provides it as an API so that web pages like mapping services can access it. People like having web pages that run like apps. Almost as much as they like apps that run like web pages. Firefox would always ask you before granting permission for any site to use those APIs.
Firefox is a fabulous browser! Once you learn how to add some add-ons to harden it, that makes it a whole lot safer than many others. I use (ublock origin) ad blocker , (Self Destructing Cookies) , (Https everywhere) a (restart button) and from settings, a (Quit button) So much customization can be done with Firefox Android. Take the time to learn how to use it, you won't be sorry. And finally, one of my favorite features, it loads tabs in the background, like when I'm in my gmail app, I click links and they don't open the browser automatically. They are directed to the browser so when I finally open it, they are all there waiting on me. This is enabled in the settings. And it works for any link, clicked in any other apps.
And how well known is Hacker's keyboard compared to Flash Keyboard?
A quick look on the play store, and there seems to be various Hacker's keyboards, none of them very popular (by number of downloads).
Search generically on the store for 'kerboards', and the first Hacker's keyboard entry is at least 5 pages down the screen, (with the Flash one being about 2 screens down). So not something your average user is going to stumble on.
Not saying it's not a good keyboard, just how are people not going to 'look further than Hacker's keyboard?' if hardy anyone seems to have heard of it or be using it in the first place?
..that this has just been noticed.
1st hit in Google Play for search term "Torch"
Camera
take pictures and videos
Other
receive data from Internet
change system display settings
modify system settings
full network access
prevent device from sleeping
view network connections
control flashlight
People just blindly accept anything.
slightly OT... On my phone I recently denied all apps access to the Microphone (running Cyanogen OS). Viewing mail in the gmail app works as normal but while composing a msg I get the following message every 30s or so:
"This app won't work propertly unless you allow Google Play services' request to access the following: - Microphone. To continue, open settings, then Permissions and allow all listed items. [Cancel] [Open Settings]"
wtf??
Get the rights you might like up front, then you don't have to ask to be "upgraded" to better privs later on!
If you work in backroom server tech circles this is the oldest developer trick in the book and usually the first trick you learn to say no to when you first start in backroom tech!
This post has been deleted by its author
It's supposed to be a good one. I had it demoed for me and it certainly has some nice features.
It's still in the draw. I won't be using it.
Reason?
Crap like this.
No mobiles, no tablets, no internet enabled on any computers except for an old beater with dual boot XP/Linux. And the XP is only for testing some stuff - it won't have internet enabled by default.
I realise I am in the minority, but I really don't need a phone/tablet etc. as I don't have any friends. Everything I need to do I can do on an air-gapped computer, and Linux is actually a real treat to use for surfing as it is a much richer experience compared to the bloat of a hi-jacked windows machine.
People keep asking me if I have Whatsapp or wtf the latest fad is, and I say 'no, I don't have a mobile phone/tablet'. They then shuffle slowly sideways muttering excuses to get away from the weirdo. Fine. If people can't conduct business by going through channels other than these security nightmares, then they won't do business with me. Their loss.
And I'm not a Luddite. I embrace technology. But it has all turned into 'hippy-hell' when it should have been 'hippy-heaven'. I pray that this is some kind of bubble and that it will burst. But my greatest fear is that this is the future, forever, now.
Whatever happened to ethical hackers? The internet is going through another wild-west phase, this time far nastier and more nefarious than that which went before.
Stop the spinning globe in the upper top corner. I want to get off.
... Are why I spent some appreciable time on my replacement phone last night looking for a simple flashlight widget.
No stupid fully-blown app, no ads, no stupid strobe effects, just a simple widget to toggle the camera flash LED. Preferably without claiming to be the "brightest" app too.
Considering the LED toggle seems to be the Android equivalent of Hello World, trying to find one that wasn't full of crap was decidedly trying.
Massive YAWN here.........
There is a multitude of helpful application in china for mobile AND computers
Windows Translation apps that translate to multiple languages as you mouse over, or as you type.......
Yep type in your user name & password an off it goes to the central server tools for a translation....
Then we have 'QQ' as always , ever so helpful ... in providing remote access to your computer or business systems to ANYONE, just fire QQ up and give anyone a remote session.
oh... and watch those babies SPAM adverts all over your system, maybe 30GB of bandwidth per 150 users a DAY!!!!!