South Korea's "Smart Sheriff" Nanny App Puts Children At Risk
Starting in April, the South Korean government required that cellphones sold to anyone below the age of 19 be equipped with approved monitoring software that would allow the user's parents to monitor their phone use, report their location, and more. Now, however, researchers have discovered that one of the most popular of the approved apps, called Smart Sheriff, may not actually be very smart to have on one's phone.
Researchers from Citizen Lab and Cure53, at the request of the Open Technology Fund, have analyzed the code of Smart Sheriff, and found that it actually endangers, rather than protects, the users. Reports the Associated Press, in a story carried by the Houston Chronicle:
Children's phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands or even all of the app's 380,000 users could be compromised at once.
There will always be shoddy code that makes it into apps, though this is pretty awful and unacceptable. I'm also really troubled by the government mandate that such a program be installed on children's phones. Shouldn't it be up to the parents if they want this level of monitoring or not? Also, can't this be implemented by wireless carriers in a secure fashion by monitoring traffic from the device instead of apps on the phone? Surely such a thing would be more secure and probably a lot harder to circumvent. Why is the government of South Korea turning into a nanny state and requiring something that should be solely the decision of the parents?
. . . and then they won't worry about being spied on by the government later in their lives.
I find this Korean law very creepy. I think that "trust" is one of the most important aspects of the parent-child relationship. If parents need to spy on their children . . . there is a lack of trust.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Daaaamn, that is a train wreck of an app. There's nothing at all that excuses such a complete disaster security-wise. Those issues are the kind that should have been caught by even a completely cursory security review of the app, though anybody doing their job here damn well should have insisted on a lot more than a cursory review.
So... what was the approval process for these apps like? Who approved this app? How nice is their new yacht?
There's no place I could be, since I've found Serenity...
It isn't exactly news, even if it's impolite to say so in as many words; that there are a lot of architectural similarities between the remote management tools used for IT admin work, the 'child safety' remote monitoring stuff; and good old fashioned spyware. The main difference is in who authorizes the deployment (and the license fees).
Now, we have a market where use of this software is mandated, which means that there is going to be a race to the bottom to put the cheapest-possible product that ticks the checkbox into service; because if the reason you are doing something is to say that you did something, why try harder?
And there we are, software that is basically spyware, because that's its job; but totally incompetent, since no handset vendor wants to pay extra for high quality shovelware. Basically a rehash of the various 'support/management' agents that US carriers were sneaking into their handset builds: also basically spyware, because that's implied by the job description; also not wildly competent, since that would cost more.
It is just the first step of a two step process to protect the South Korean youth from one of the five most common causes of injury or death. The second step is to install gps devices on all electric fans. When the system shows a youth in the same location as a working fan for more than 30 minutes, the authorities will be alerted.
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
I lived in Japan for some years. In 2008 Mobiles with such functions started to appear in Japan. My Boss (Japanese) told me his daughters (around 12/15 back then) got phones with such functions. I asked him what the function exactly does, if it can be triggered by the children, if it can be triggered by the parents, or if it logs the position all the time, and how the connection is secured.
He was not interested, but just said that his wife (housewife) decided on the phone and that he did not get into the "details". The funny part is: my boss had a PhD in physics and we worked in a field related to cryptography.
So I wonder: People are so fucking uninterested in what their kids are doing that they don't even go "into the detail" if they actually could; this brings me to the conclusion that the money they spent on these apps is "just to do something about something and feel better since it costs money" instead of talking to their kids and making real, respectful decisions.
Give your child a panic button - ok. Give your child something which is triggered by specific circumstances - ok. Put your child on an electronic leash - and you will wonder that your child will easily cut the leash at some point, without you noticing.
Rape is still better than dead baby parts salesmen. It amazes me Democrats found so many ways to make the Bush Jr. years look favorable by comparison simply because they thought they could get away with it under their emperor Obummer. It has doomed them in 2016 and there will be so many repeals beginning with the instituted socialism called Obummercare, then same sex marriage will be handed back to the states to decide, the TPP will be halted, Iran deal that hands them billions stopped, legalized pot federally enforced, illegal aliens deported, etc.
America will be an even bigger mess all because of Democrats and their dictator who has refused to be transparent and use the democratic process of congress so the people could decide. Shame on him, and shame on Democrats for turning this country into a drama filled spectacle.
Sue the government. Hahahahaha!
It's a piece of software, stop assigning sinister motives to it.
You got a problem with Microsoft, take it up with the 30 other megacorporations and superpowers that don't give two craps what you think and also are spying on you.
When will people start to realize that all of the shit they do because they think will solve one technology problem usually creates another one?
If you start putting in an app to track your children and monitor what they do ... any exploit in that is going to have really bad results. And your band-aid solution slapped together is always going to have exploits. If you poke holes in encryption for law enforcement, law enforcement will never be the only ones who can exploit those holes.
As long as corporations aren't under any legal standard for encryption and security and bear no penalty for doing a bad job, this will always happen. Because they write the stuff which looks cool in a demo, and they may or may not ever get around to realizing they've been totally inept at security. And if they do realize they've been inept at security, they're likely to do nothing.
Almost without fail, these schemes of "won't someone think of the children" or "yarg, teh terrorists" end up with stupid solutions being implemented by people without a clue. And almost without fail someone loudly says "this has huge holes and issues in it and won't work".
And almost without fail, this proves to be true.
So, this is unfortunate. But, it's also something which was pretty much 100% predictable as something doomed to fail ... because the people demanding it, and the people implementing it are seldom aware of, or qualified to deal with, the security holes created by shit like this.
This was kind of inevitable from the start.
If you institute something to track your children under the guise of protecting your children ... you better be damned sure you're doing it to the highest possible standard. Otherwise, all you're doing is creating the situations where you're going to make this information available to someone else.
Lost at C:>. Found at C.
> dead baby parts salesmen.
Which is not morally wrong because it hurts no one. The Republicans on the other hand are wanting to murder children by taking WIC away. They are trying to starve millions of children.
> It's a piece of software, stop assigning sinister motives to it.
> You got a problem with Microsoft, take it up with the 30 other megacorporations and superpowers that don't give two craps what you think and also are spying on you.
Stop defending unprecedented-in-the-history-of-Earth global spyware.
You are high on chocolate bagels if you think I or anybody else is going to just disregard facts and listen to some punk bitch like you trying to give shit-guidance on how it's fine to spy on everybody's PC in the world via deception by Microsoft and pals.
You can't dilute a GLOBAL BACKSTAB with notions that 30 others do it too.
There are not 30 other OS's being bundled with new PC's/devices that consumers just buy and take home and set up and log all keystrokes. That is complete malware. Microsoft giving themselves permissions to access WORLD-WIDE consumers' files in some big bullshit "privacy" "legal agreement" you click is also a big fucking deception.
Fuck you and everything you love for being such a fucking liar.
It is a FACT that a company that has sneaked a piss poor monolithic virus ridden computer operating system onto unsuspecting consumers for years has now completely betrayed the global public's trust in totality. They played on the public's gullibility like vultures. Complicit? You don't see this in dinosaur media whatsoever. I saw one article on Fox about how if you "use this app" it disables all of the Windows spyware.
http://www.foxnews.com/tech/2015/08/05/stop-windows-10-spying-dead-in-its-tracks-with-one-free-app/
Pretty funky ass spin on covering a story of OEM Desktop PC Operating System is now global spyware. Merely "hey, ya ya it's spyware totally but just use this app it's fine". This is another fucking lie, coming at you all, from the media. Who. Owns. Fox. News. And. The. Rest. Of. The. Dinosaur. Mass. Media. And. The. Banks. And. Why. Is. The. USA. OVER 18 TRILLION USD. In. Debt.
You think all is ok because Facebook already tracks everything you say on that facebook.com, and who you know, using algorithmic correlations? Stored indefinitely? Going to other sites do you notice any Facebook buttons or cookies? Oh, but hey... Facebook misses a lot. What you need next for complete surveillance of the global population is to just have the OS itself keystroke log EVERYTHING with mothership permissions set to allow all-file-access by default. Sure, let the microphone listen too by default.
Truly, if you knowingly install Windows 10 or any of the 7/8/8.1 back-ported spyware functions... you are a fucking dunce. The rest of cyberspace is already primarily Linux, this is the time to make the move to Linux. distrowatch.com .. avoid Ubuntu's and Red Hat/Fedora and you're good. Those are the Microsoft wannabe's.
Now AC punk that I responded to, obviously you have some interest in this or you would have said nothing. For that, fuck your ass.
Microsoft is just like any other person or company. Break trust one time your ass can go to Hell. Microsoft has many times already broken global public trust. The movie Antitrust (2001) is a movie about Microsoft using different "names". That's 14 years ago and now they are a complete fucking spyware OS.
There is always a gimmick to get you to install malware. With Windows 10 it's "hey DirectX 12 is Windows 10 only". I've looked at forums out of curiosity and what do I see about DX12? Lower frame rates. Crashes. Profiles won't load. DX12 is bait.
Contrary to what AC punk bitch I'm responding to said, there are not 30 other operating systems out there spying on you. Stating your lies by substituting "corporations" just makes me certain you are a fucking liar personally, regardless of topic.