Slashdot Mirror


Password Managers Can Be Tricked Into Believing That Malicious Android Apps Are Legitimate (zdnet.com)

A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios. From a report: The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps. What the research team found was that password managers, initially developed for desktop browsers, aren't as secure as their desktop versions. The problem comes from the fact that mobile password managers have a hard time associating a user's stored website credentials with a mobile application and then creating a link between that website and an official app.

[...] Researchers say they tested the way five Android password managers create internal maps (connections) between a locally installed app and legitimate internet sites and found that four of the five were vulnerable to abuse. Android versions of password managers from Keeper, Dashlane, LastPass, and 1Password were found to be vulnerable and have prompted the user to auto-fill credentials on fake apps during tests. Researchers found that Google's Smart Lock app did not fall for this fake package name trick, and the reason was because it used a system named Digital Asset Links to authenticate and connect apps to a particular online service.
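The difference between the two mapping approaches in the summary can be shown in a few lines. This is an added example, not code from the story, the study or any password manager. The package-name heuristic, the `InstalledApp` type, the example.com names and the fingerprints are constructed assumptions; the statement layout and the `delegate_permission/common.get_login_creds` relation follow the Digital Asset Links format.

```python
import json
from dataclasses import dataclass

LOGIN_CREDS = "delegate_permission/common.get_login_creds"

# Constructed signing-certificate fingerprints (SHA-256, colon-separated hex).
OFFICIAL_CERT = ":".join(f"{b:02X}" for b in range(32))
OTHER_CERT = ":".join(f"{b:02X}" for b in range(32, 64))

# Constructed statement list, shaped like the file a site publishes at
# https://<domain>/.well-known/assetlinks.json (here: example.com).
ASSETLINKS_JSON = json.dumps([{
    "relation": [LOGIN_CREDS],
    "target": {
        "namespace": "android_app",
        "package_name": "com.example.app",
        "sha256_cert_fingerprints": [OFFICIAL_CERT],
    },
}])


@dataclass(frozen=True)
class InstalledApp:
    label: str
    package_name: str  # chosen freely by whoever builds the APK
    cert_sha256: str   # derived from the key that signed the APK


# Constructed apps: the site's own app and two lookalikes signed with another key.
SAMPLE_APPS = [
    InstalledApp("official", "com.example.app", OFFICIAL_CERT),
    InstalledApp("lookalike-new-name", "com.example.login", OTHER_CERT),
    InstalledApp("lookalike-same-name", "com.example.app", OTHER_CERT),
]


def load_statements(text):
    """Parse an assetlinks.json body; anything that is not a list yields no statements."""
    data = json.loads(text)
    return data if isinstance(data, list) else []


def domain_from_package_name(package_name):
    """Assumed heuristic: reverse the first two labels (com.example.x -> example.com)."""
    labels = package_name.lower().split(".")
    if len(labels) < 2:
        return None
    return f"{labels[1]}.{labels[0]}"


def heuristic_allows_autofill(app, credential_domain):
    """Trusts the package name alone, which the app's developer controls."""
    return domain_from_package_name(app.package_name) == credential_domain


def _normalize(fingerprint):
    return fingerprint.replace(":", "").strip().upper()


def dal_allows_autofill(app, statements):
    """Require the site itself to vouch for this package name AND signing cert."""
    app_fp = _normalize(app.cert_sha256)
    for st in statements:
        if not isinstance(st, dict) or LOGIN_CREDS not in st.get("relation", []):
            continue  # the site did not delegate credential sharing here
        target = st.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != app.package_name:
            continue
        listed = {_normalize(f) for f in target.get("sha256_cert_fingerprints", [])}
        if app_fp in listed:
            return True
    return False


def evaluate(apps, credential_domain, statements):
    """Return {label: (heuristic_decision, asset_links_decision)} for each app."""
    return {
        a.label: (heuristic_allows_autofill(a, credential_domain),
                  dal_allows_autofill(a, statements))
        for a in apps
    }


if __name__ == "__main__":
    results = evaluate(SAMPLE_APPS, "example.com", load_statements(ASSETLINKS_JSON))
    for label, (heuristic, dal) in results.items():
        print(f"{label:22} heuristic={heuristic!s:5} asset_links={dal}")
```

The heuristic offers example.com credentials to all three apps; the asset-links check offers them only to the app whose package name and signing certificate the site lists.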

73 comments

  1. durrrrrrr by Anonymous Coward · · Score: 2, Funny

    This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.

    1. Re: durrrrrrr by saloomy · · Score: 3, Insightful

      Your accounts' security for all those applications is equal to the weakest security of any of those apps. If any of them are compromised, have reversible encryption or worse, store their user passwords in plain text, you will get owned. Do not do this.

    2. Re:durrrrrrr by Oswald+McWeany · · Score: 3, Interesting

      This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.

      Better idea than that... make up a formula something like: The third letter from the name of the website. (so for example Slashdot that would be "a"). Then take that letter's position in the alphabet (1). Then take the 5th letter and do the same. And then finish with some random string you use in common across all websites such as "passwud123##" to pad the length. The formula would give you:

      a1h8passwud123##

      Easy to remember, and if someone got a hold of one password they wouldn't be able to apply it directly to any other website. I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula- the example above they could if they tried- best to use a formula that would only have meaning to you so it can't be reverse engineered but is quick for you to figure out)

      --
      "That's the way to do it" - Punch
    3. Re:durrrrrrr by Anonymous Coward · · Score: 0

      The formula would give you:

      a1h8passwud123##

      Easy to remember, and if someone got a hold of one password they wouldn't be able to apply it directly to any other website.

      Might work for throwaway website passwords - but an invasion from using the same password on all of them wouldn't matter much either.

      If you are interesting enough to come up against a real intelligence organization, (even if the interest merely is of the type "try hacking all who belong to org x to get a foot in the door") then it fails. Get hold of even two passwords like that, and the common part is trivial. The rest can be found through experimentation, or by figuring out the pattern. Encryption schemes much harder than this "third and fifth letter" have been cracked by people taking a hard look at it.

    4. Re:durrrrrrr by Anonymous Coward · · Score: 0

      XKCD does it better: https://xkcd.com/936/

    5. Re: durrrrrrr by Anonymous Coward · · Score: 0

      Woosh.

    6. Re:durrrrrrr by Anonymous Coward · · Score: 0

      And having a 20 minute timeout after five or so failed passwords makes it take even longer. Use a passphrase and passwords that are 25 or so characters long.
      Been doing it for years and never had my passwords broken.

    7. Re:durrrrrrr by swillden · · Score: 1

      I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula

      If I saw your password for two sites I'd know generally what you're doing, and what the invariant portion is. What's left is a 4-6 character alphanumeric password; maximum entropy 31 bits. You really don't gain a great deal with the invariant string, other than fooling password strength meters, and maybe yourself.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    8. Re:durrrrrrr by Oswald+McWeany · · Score: 1

      I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula

      If I saw your password for two sites I'd know generally what you're doing, and what the invariant portion is. What's left is a 4-6 character alphanumeric password; maximum entropy 31 bits. You really don't gain a great deal with the invariant string, other than fooling password strength meters, and maybe yourself.

      Not that I am going to give away my passwords, but I guarantee you wouldn't be able to figure out my formula from knowing any two passwords. :)

      --
      "That's the way to do it" - Punch
    9. Re:durrrrrrr by mjwx · · Score: 1

      This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.

      Better idea than that... make up a formula something like: The third letter from the name of the website. (so for example Slashdot that would be "a"). Then take that letter's position in the alphabet (1). Then take the 5th letter and do the same. And then finish with some random string you use in common across all websites such as "passwud123##" to pad the length. The formula would give you:

      a1h8passwud123##

      Easy to remember, and if someone got a hold of one password they wouldn't be able to apply it directly to any other website. I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula- the example above they could if they tried- best to use a formula that would only have meaning to you so it can't be reverse engineered but is quick for you to figure out)

      I think your formula is far too complex. Did I swap the o for a u or a zero, where was the 8, how many hashes was it, did I use the fourth or fifth letter because this website's got a space in the name... so on and so forth. Furthermore, it's based on a dictionary word with common substitutions making it easier to guess. A better password is:

      Frank1

      That's all you should have to remember to make a complex password. A simple four or 5 letter word, followed by a number. In the case of requiring a special character just use the exclamation mark (or bang) and capitalise the first letter. To meet the length requirements simply double up the first word so your password becomes "Frank1!frank" but all you have to remember is "Frank1".

      Already you have a simple to remember password that meets stringent requirements and is hard for computers to guess. It's a pattern that can be repeated to whatever length you need, I.E. "Frank1!frank1!frank1!frank", all you need to remember is the number of repetitions.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    10. Re:durrrrrrr by swillden · · Score: 1

      If it's simple enough to do in your head, it's simple to reverse engineer.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re:durrrrrrr by nasch · · Score: 1

      "Frank1!" would be very easy for a computer to guess. I'm not an expert, but I suspect "Frank1!frank1!frank1!frank" is only slightly better. If you're not going to use a long random password, a series of several unrelated words is best. "jalopy mango disappointed eraser" for example. I would recommend just getting a password manager and being careful about what apps you install.

  2. iOS by Anonymous Coward · · Score: 0

    It's still better than iOS password managers: Which forget passwords for sites Apple doesn't want you logging into. In fact, don't use passwords. iTunes is all you'll ever need!

  3. No mention of KeePass by macraig · · Score: 2

    It's curious that there's no mention at all of KeePass and its Android integration apps like the one I use, KeePass2Android. It uses an alternative keyboard to manually inject usernames and passwords, so is it vulnerable to the same trickery?

    1. Re:No mention of KeePass by Anonymous Coward · · Score: 2, Interesting

      It doesn't appear to me that this would be a problem for KeePass. The version of Keepass I'm using doesn't autofill fields, which while mildly annoying, means that it's a lot less likely to have applications doing things like this as you'd have to manually paste the information into the wrong app.

    2. Re:No mention of KeePass by q4Fry · · Score: 1

      I, too, would like to see analysis for KeePass2Android (both with and without registration as an Android keyboard) and for Password Store.

    3. Re: No mention of KeePass by Anonymous Coward · · Score: 0

      Probably because keepass is terrible

    4. Re:No mention of KeePass by Anonymous Coward · · Score: 0

      More than mildly annoying. I can swipe your phone, break into it, and your freaking passwords are stored in your copy/paste buffer.

      Horribly insecure, is more like it.

    5. Re:No mention of KeePass by b0bby · · Score: 1

      With Keepassdroid, at least, there is a configurable timeout for clearing the clipboard. So you would have to swipe my phone within 5 minutes of me doing the copy-paste, and if I was at all concerned about that I would set it to 30 seconds.

      You are trading a user-configurable window of potential insecurity for the ability to have arbitrarily complex, unique passwords which you can use on your phone. Seems worth it to me.

    6. Re:No mention of KeePass by magarity · · Score: 2

      No, and that's why I don't mind the extra step of copy and paste password from keepass. That's exactly why it isn't vulnerable to this kind of thing.

    7. Re:No mention of KeePass by omnichad · · Score: 1

      Accessibility options and alternative keyboards are what Lastpass and others used to use. Android now has an autofill API for this. The question not answered in the summary is whether the flaw is with the implementation of this new API or the apps themselves.

    8. Re:No mention of KeePass by macraig · · Score: 1

      Nope, a copy/paste buffer is not used in the process, at least not with KeePass2Android. You haven't actually used it, have you? The only way you compromise anything is if you can swipe my phone right out of my hands with the database unlocked.

    9. Re: No mention of KeePass by c6gunner · · Score: 1

      The copy paste buffer IS used, but is only one option. The other option, as mentioned earlier, is using the keepass "keyboard" which does not use the buffer.

    10. Re: No mention of KeePass by Anonymous Coward · · Score: 0

      No they are not. The reason it uses a custom keyboard is so that they never get put into copy/paste. If you're lazy and do a quick copy paste instead of using the custom keyboard it clears it out after a configurable amount of time.

    11. Re: No mention of KeePass by nitehawk214 · · Score: 1

      Or it is the only one on this list that doesn't store the passwords in a reversible encryption with a key on a 3rd party site; virtually guaranteeing it will be cracked eventually.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    12. Re:No mention of KeePass by Anonymous Coward · · Score: 0

      "You haven't actually used it, have you?"

      I have, unlike you, which c6gunner just proved.

    13. Re:No mention of KeePass by Anonymous Coward · · Score: 0

      KeePass is great! I do not use the android integration. If I need a password, I force myself to use my computer, which gives me time to consider why it is I'm getting a password. If it's an online purchase I have time to think about whether it's worth the effort of logging in twice to place that order.

    14. Re:No mention of KeePass by sexconker · · Score: 1

      With KeePass Droid, the clear clipboard timeout DOES NOT WORK on most phones.
      On Android, all apps have access to the clipboard (or "Clip Tray").

    15. Re:No mention of KeePass by Anonymous Coward · · Score: 0

      All c6gunner "proves" is what a ridiculous chock-full-of-shit faggot he is, constantly.

    16. Re:No mention of KeePass by Anonymous Coward · · Score: 0

      One password at most is in the copy/paste buffer if and only if I had used it recently and it hadn't yet been wiped.

      In this scenario, I'd have far, far more to worry about than that, because you'd also have any and all email accounts attached to the phone and could reset most of the passwords.

      In reality though, you'd have to grab the phone out of my hand while I'm using it, because the rest of the time, it's encrypted. Or, more likely, just beat me with a $5 hammer until I give up the relevant password.

    17. Re: No mention of KeePass by nasch · · Score: 1

      Are you saying the others store the key on their site? If so, do you have a reference? If not, yes it can certainly be cracked, but "eventually" is a long time. If an attacker cracks my password vault 150 years after I'm dead, I really don't care. The question is, if someone gets hold of a bunch of password databases, how long would it likely take them to crack mine, given that they would have to crack each file separately?

    18. Re:No mention of KeePass by b0bby · · Score: 1

      I don't know about most, but I just tested it on my Xperia X and it worked as expected.

      Certainly a malicious app could access the clipboard, but if I go installing malicious apps then all bets are off IMHO.

    19. Re: No mention of KeePass by nitehawk214 · · Score: 1

      The online-based password fillers have to keep the key on the server side, you can access the unencrypted passwords via the website once you log in. Hopefully they would keep separate keys for each user. But it is only a matter of time before one of them gets hacked or man-in-the-middled.

      With KeePass, even if you store your vault in the cloud, the master key or password is not there.

      However you are right about the usefulness of any encryption. It is only to make it prohibitively expensive or time consuming to break in to. Any password safe should not be a replacement for regularly rotating passwords and security questions. If anything, they should make this practice easier, since there is no need to remember the passwords.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    20. Re: No mention of KeePass by nasch · · Score: 1

      The online-based password fillers have to keep the key on the server side

      I don't think that's true. "...exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data... Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors."

      https://lastpass.com/whylastpass_technology.php

    21. Re: No mention of KeePass by nitehawk214 · · Score: 1

      That is pretty interesting. We use LastPass at work, but I have never dug deep into how it works. I don't trust it enough for my personal use.

      But it seems that since they are using reversible encryption, that anyone getting access to their database can decrypt your passwords.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    22. Re: No mention of KeePass by nasch · · Score: 1

      But it seems that since they are using reversible encryption, that anyone getting access to their database can decrypt your passwords.

      That's not how encryption works. You have to have the key to decrypt it. If anyone with access to the database could get the passwords, that would mean they were not encrypted.

    23. Re: No mention of KeePass by nitehawk214 · · Score: 1

      Yeah, but multiple individual user accounts at LastPass can view the same set of passwords. (We use it for company shared accounts and passwords.) So the user's password does not encrypt the password (for LastPass, at least).

      Maybe they encrypt the company shared password with the user's password, I don't know. And that is the reason why I don't use it for things that matter, such as my personal passwords.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    24. Re: No mention of KeePass by nasch · · Score: 1

      I think how it works is each user has their own vault, encrypted with their own password. What I'm not sure of is how they handle synchronization. It's possible that passwords are stored without user encryption on the server until they're synchronized. I didn't see anything explaining that in their FAQs. Support would probably be responsive if you wanted to ask them.

  4. Re:Only apps can app apps! by Hognoxious · · Score: 0, Offtopic

    This is why I use APK's host files thing!

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. This is a user flaw not a password manager flaw by Wycliffe · · Score: 3, Interesting

    The user is the one who was tricked into installing the fake app. Personally, I don't think that apps and websites should be sharing passwords. If I download a new app, I expect to have to type in the password the first time I use it. But even requiring the user to type in the password doesn't fix the problem they are talking about which is when the user thinks it's the real app and willingly gives the app their password either from a password manager or manually.

    1. Re:This is a user flaw not a password manager flaw by Ksevio · · Score: 1

      A lot of apps are just mobile interfaces to services that also have web pages. Why would you have different passwords for each interface? Should there be a different password if you have a desktop app? What about a mobile browser?

    2. Re:This is a user flaw not a password manager flaw by Wycliffe · · Score: 1

      A lot of apps are just mobile interfaces to services that also have web pages. Why would you have different passwords for each interface? Should there be a different password if you have a desktop app? What about a mobile browser?

      I didn't say different passwords. I said that you shouldn't be autofilling from one to the other until they use it for the first time. They shouldn't be trying to link the app with the website. The user should be the one doing that. I see no reason to expect a password manager to carry my password across from the website to the app unless I specifically tell it to. Even if it does, this is still a user screwup that would still happen without a password manager.

    3. Re:This is a user flaw not a password manager flaw by omnichad · · Score: 1

      If you were already tricked into downloading a fake Facebook app, for example, it doesn't really matter whether it auto-fills as you'll just choose the corresponding web site when it asks to sign in anyway.

    4. Re:This is a user flaw not a password manager flaw by Ksevio · · Score: 1

      Personally, I don't think that apps and websites should be sharing passwords.

      Ah so you mean the password manager shouldn't share passwords? The problem with that is when the website and app use the same password and you update it in one, then the other now has the incorrect password and it would be a pain to update. I know lastpass at least asks which password should be used for an app if it's a new one that's not linked anywhere else. I guess it's more of a convenience thing that you have to look out for if you download sketchy apps

    5. Re:This is a user flaw not a password manager flaw by Anonymous Coward · · Score: 0

      The user is the one who was tricked into installing the fake app.

      What's a "real" app? Answer that and we can discuss how people can avoid fake ones.

    6. Re:This is a user flaw not a password manager flaw by Wycliffe · · Score: 1

      The user is the one who was tricked into installing the fake app.

      What's a "real" app? Answer that and we can discuss how people can avoid fake ones.

      If Apple and Google are going to insist on having walled gardens they should also guarantee that these walled gardens are safe. Who is asleep at the wheel and approving clones of popular sites? They need to either police their walled garden or get rid of it. If they got rid of the walled garden then third parties could start offering malware scanners, etc... to alert people of malicious apps.

    7. Re:This is a user flaw not a password manager flaw by Anonymous Coward · · Score: 0

      If Apple and Google are going to insist on having walled gardens they should also guarantee that these walled gardens are safe.

      So, suddenly it's not a user problem but a walled garden problem? How about you tell me what a "real" app is and then we can discuss how Apple/Google can only include them in their walled garden.

      Who is asleep at the wheel and approving clones of popular sites?

      The lack of a wheel has a lot to do with it. Apple has a more thorough vetting process, but there's little evidence whatever human involvement is going to magically spot all the apps which only selectively demonstrate malicious behavior. Call it the malicious behavior deciding problem.

      They need to either police their walled garden or get rid of it.

      They do police their walled gardens. I know Google does a horrible job of it. I don't know how well Apple does. But then I avoid Apple in part because I can't avoid their walled garden. Google's walled garden is entirely optional.

      If they got rid of the walled garden then third parties could start offering malware scanners, etc... to alert people of malicious apps.

      Use Amazon's. Start your own. I'm not excusing Google's shitty policing (or Apple's if they're anywhere near as bad). But to protect sites like here to allow user uploaded content, you have to also protect "sites" like Google's Play Store. There's no good grey area, short of evidence of actual malice, for punishing those who attempt to engage in editorial control. All your complaints could equally apply to any platform (here, Twitter, Facebook), and I don't disapprove of the notion of creating some sort of standard API so users have the tools to block content based on their own or a third party filtering system of their choosing.

      The fundamental issue is that content creation is a firehose and not even the likes of Google or Facebook have the resources to filter it all properly*. Their efforts at machine learning (aka "AI") will invariably be a failure because people who are malicious have every incentive to make combative "AI" decided to either making their "AI" unlearn what is "bad" or merely learn the rules to game to make their own malicious thing "good" by its standards.

      It's why I asked at the start what is "real". Because beyond even "good" or "bad", defining "real" and "fake" are even harder problems to crack even for humans. So, I don't like the implicit intent of blaming the user. There is no one answer, but it's clear that at least part of it is writing software that's more defensive to protect the user in as many ways as reasonably possible. For that, there is good reason to blame the password manager apps developers.

      * Personally I think they have their own agendas that preclude them from doing things properly in a way that I'd see as properly. For example, any attempt to add "download" into a search query is not tied about getting you ways to download something if Google doesn't approve.

    8. Re:This is a user flaw not a password manager flaw by Anonymous Coward · · Score: 0

      The user is the one who was tricked into installing the fake app. Personally, I don't think that apps and websites should be sharing passwords.

      One possible vector would be an app telling the password manager it is a different application and getting a password. (I admittedly didn't read the article, but this problem is likely solvable.)

      The password app could basically use 2 factor authentication. One would be a cryptographic routine involving the application itself which provides half of the key. The other half would be the key provided by the end user. This way the password app can't unlock the password without the correct cryptographic exchange from the true application.

      Of course nothing prevents you from installing the fake application then setting it up with the true key, though you could mitigate that by keeping the encrypted keys stored in the cloud so you don't ever have to reenter them. Basically if you installed a keyboard logger you would, at best, get the unlock code for the password manager, but hopefully not any actual passwords.

      I'm probably missing something, but adding a bit of defense in depth is usually not a bad idea..

    9. Re:This is a user flaw not a password manager flaw by Wycliffe · · Score: 1

      It's why I asked at the start what is "real". Because beyond even "good" or "bad", defining "real" and "fake" are even harder problems to crack even for humans.

      You don't have to strictly define "real" vs "fake" for every questionable app for this to be a non-issue. You just have to make sure that apps that matter (banking apps and fortune 500 apps) are made by actual banks and actual fortune 500 companies. We are talking about maybe a few thousand companies max that need to be properly vetted. If you make sure there are no fake clones of the banking apps and the top 50-100 most popular email and social apps then you have eliminated 99.9% of the potential attack vector. Obviously, no one other than facebook should be allowed to publish a facebook clone app, same goes for most other popular apps that would be tempting to create a phishing app for.

  6. Simple fix by TimMD909 · · Score: 4, Insightful

    Never install more than is absolutely necessary. I've only installed a couple apps that are vital (like a decent email app) and nothing else. With my reduced attack surface and less distractions, I'm generally happier.

    1. Re:Simple fix by ckatko · · Score: 2

      Yeah! The BEST most insightful thing to using a phone whose SOLE feature is apps that extend it... is to NOT use apps.

      The BEST way to not get viruses from the internet isn't to make secure browsers, but instead, visit ZERO websites. I've been using Internet Explorer 5 for over a decade with no viruses!

    2. Re:Simple fix by Oswald+McWeany · · Score: 1

      Yeah! The BEST most insightful thing to using a phone whose SOLE feature is apps that extend it... is to NOT use apps.

      The BEST way to not get viruses from the internet isn't to make secure browsers, but instead, visit ZERO websites. I've been using Internet Explorer 5 for over a decade with no viruses!

      You can still get a virus on a machine connected to the internet without visiting a website if you don't have a firewall.

      --
      "That's the way to do it" - Punch
    3. Re:Simple fix by commodore64_love · · Score: 2

      Most apps can be used directly in the web browser (examples: Gmail, youtube, yelp). I don't need to have a lot of stuff cluttering my phone's desktop.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    4. Re:Simple fix by Anonymous Coward · · Score: 0

      You can still get a virus on a machine connected to the internet without visiting a website if you don't have a firewall.

      There are other ways to get viruses than through websites - but they don't appear with no effort at all. I had a machine on the internet for 20 years without a firewall - and yes, I browsed the web with it too. Some shady sites now and then for their entertainment value. Had two security incidents with that machine, none related to browsing.

      The internet is not that dangerous, particularly not the web. Unless you're on windows?

    5. Re:Simple fix by nasch · · Score: 1

      Or you could use Android, and install as many apps as you want (or have room for anyway) and only put the shortcuts you want on your desktop. Or install a launcher that doesn't put any apps at all on the desktop.

  7. only reason to keep a printer around... by Anonymous Coward · · Score: 0

    I use an offline computer and USB printer to maintain my passwords -- the printed passwords include a special character which represents a memorized mini-password

  8. Re:Only apps can app apps! by Anonymous Coward · · Score: 0

    Thanks, App Guy!

  9. Re:KAVANAUGH is one sick mofo by Anonymous Coward · · Score: 0

    Kavanaugh set up gang/train rapes, with his bud Mike Judge spiking the punch to get the lonely/single girls too drunk to know what happened, let alone consent.

  10. Republicans are tricked into accepting rapists by Anonymous Coward · · Score: 0

    as legitimate justices, presidents, and congressional rape-resentatives...

    1. Re:Republicans are tricked into accepting rapists by Anonymous Coward · · Score: 0

      Bill Clinton isn't a Republican.

    2. Re:Republicans are tricked into accepting rapists by Anonymous Coward · · Score: 0

      Did he rape you? Did you enjoy it as much as the traitor Don Junior will in prison?

  11. Is it our turn? (Trigger warning: Android vs iOS) by Hallux-F-Sinister · · Score: 1

    For people who regard Android as suspect, and while chafing at the restrictions of Apple's "walled garden," we still use it because it is simply more secure, despite occasional problems. HOWEVER, whenever there *IS* a security problem, error, oversight, or let's call it what it is, a fuckup, committed by Apple, Android boosters, (or at least, those among them who tend to be assholes,) go NUTS and take to sites like this one, slashdot, and laugh about how we're all idiots for buying Apple products, especially as they often cost more than competitors, because of the benefits they provide, such as overall better security and user experience, most of the time.

    My question is this. Is it our turn to laugh at, well, NOT ALL Android fanboys, but the ones who take to places like this and mock Apple, Inc. product users whenever there's a problem in Appletania, is now our time to point and laugh?

    SERIOUSLY THOUGH...

    This is not the reason I don't use Android, or any product running on Android. Nothing really against the Linux kernel it runs on, but the rest of the OS around it is, in my experience, a sloppy, inconsistent, grotesque, pain in the ass KLUDGE of cobbled together crap that suffers from problems like this all the time, and all the perceived disadvantages you have to put up with using an Apple, or specifically an iOS device, iPhones, iPads, etc., you'll get just the same when you use Android, though the reputation for "openness" that you might mistakenly think makes Android "open" is false, or at least distorted or exaggerated. The fact that Android was bought-out/taken over by Google, (which people maybe were okay with because, you know, "don't be evil",) has made Android basically Google's iOS. Except instead of a company bilking you for overpriced hardware to cover all the background stuff like free software updates, maintaining available storage and data access through iCloud, etc., Google has to make that same money, (and they make LOTS) selling your information, selling YOU, in essence, to their advertisers.

    I will pay Google the following backwards compliment: at least they were honest about becoming evil, when they ditched their motto. Android is the fruit of this poisoned tree that is Google, where you think you're getting the handset at cost, (or the software on it, anyway,) and paying what you pay for the device ONLY to cover the cost+profit of the actual company that made the device, such as LG or Samsung, etc., and not much if any money is getting kicked back to Google, (or "Alphabet," as they're pretending they're calling themselves now, almost certainly for nefarious, if not outright evil purposes). The reality though, is that Google is making money off you using Android devices, and it's a devil's bargain.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  12. Re:KAVANAUGH is one sick mofo by JackieBrown · · Score: 1

    I know. We should be able to accuse anyone of anything and destroy their lives! It's up to the accused to prove they didn't do anything if they want to have a clear name.

    You people are insane.

  13. Hmmm... by Actually,+I+do+RTFA · · Score: 1

    The only password manager to work securely is one run by the OS maker, who use an undocumented API. This sounds very shades of the mid-90's.

    --
    Your ad here. Ask me how!
  14. Re:Is it our turn? (Trigger warning: Android vs iO by nasch · · Score: 1

    My question is this. Is it our turn to laugh at, well, NOT ALL Android fanboys, but the ones who take to places like this and mock Apple, Inc. product users whenever there's a problem in Appletania, is now our time to point and laugh?

    You can always do that.

  15. Re:Is it our turn? (Trigger warning: Android vs iO by Hallux-F-Sinister · · Score: 1

    My question is this. Is it our turn to laugh at, well, NOT ALL Android fanboys, but the ones who take to places like this and mock Apple, Inc. product users whenever there's a problem in Appletania, is now our time to point and laugh?

    You can always do that.

    Thanks. :)

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.