We interrupt this 2010 predictions column to predict trouble ahead, first for mobile banking apps, second for ISPs who stupidly piss-off my readers, and finally for buyers like me of Dell Vostro A90 netbooks. I further predict we’ll return with more prediction columns within hours.
First the mobile app problem. My friend Stephen Schaubach just noticed something about mobile banking apps that is very scary. He wrote about it tonight on Slashdot, but since he’s my friend (Stephen introduced me to my wife — I think that qualifies him as a friend, don’t you?) I feel okay about the duplication. As for that introduction many years ago, Stephen was just showing her off, not realizing that I would see in her great potential as the mother of difficult children.
“While checking out Google’s Android app store I searched for a banking app to use with my bank,” wrote Stephen. “I was surprised to see three mobile apps listed and none of them released from the bank itself. I cannot say what any of these apps are doing behind the scenes for sure but the mobile app could certainly swipe your credentials and connect you to the bank at the same time a lot more convincingly than any phishing site could. Is this the beginning of mobile app phishing? It’s hard to believe nobody at the app store end is checking to see if the app has been legitimately released/signed from the actual bank it’s representing. It makes me wonder what other apps are out there mining people’s personal data, phishing, etc. and what can be done about this potential risk to safeguard the general public? Has anyone else run into similar situations? Anti-phishing software like Nokia’s Free Anti-Phishing app or mobile Safari’s similar feature wouldn’t protect the mobile user from an application doing something via code behind the scenes. Perhaps only a code walk-through or a legit digital certificate would remedy this situation. Any thoughts?”
I think this is potentially a huge problem that snuck up under our noses. And there’s more of it than just at banks. On my iPhone, for example, I have apps for Netflix and Red Box video rentals, neither of which was produced by those companies and both now know my account numbers and passwords.
Yes, there are outfits like Mint.com that ask for all our account numbers and passwords, but Mint at least has a lot on the line now that it is part of Intuit. With many mobile app developers being one-man outfits, it’s easy for a bad guy to get away with murder by offering a service that appears to be a heck of a deal but is really being used for identity theft.
I just wrote a paragraph here explaining how I would go about running such a scam then realized that was just encouraging crime. Needless to say there are a number of common user habits that can be leveraged quite easily to obtain the most private user information. And what can be done probably is being done right now.
Remember that while your bank may cover financial losses that are their fault, your signing-up for a bogus third party mobile banking app counts as your fault and the bank probably owes you nothing.
Second complaint: Time-Warner Cable doesn’t seem to care about helping its customers fight crime. Here’s the story from reader Andy Barr back in my old stomping grounds of Holmes County, Ohio:
“My parents house was robbed and their computer stolen. I had installed www.logmein.com on the computer so when it showed up on the internet 18 hours later I was able to get the IP address and give it to the police, which in turn asked Time-Warner cable, the ISP for that IP address, for an address for the thief. Time-Warner has a web page specifically about how to get this information.
“It seems straight forward. However the police are computer illiterate. They had no idea what an IP address was but I explained it to them. The police submitted a request and then 10 days later Time Warner came back saying they don’t have a computer with that IP address. It seems the person who submitted the paperwork listed the wrong IP address.
“So they resubmitted again, waited two more weeks and this time Time-Warner said they needed a time and date when the computer was on the internet with the given IP address. I had told the police about the above web page but in spite of this they evidently did not put any the time or date on the subpoena.
This is Bob again. We’ll get back to Andy’s story in a moment but my experience with cable modems and cable ISPs is that while their IP addresses are technically dynamic — that is subject to change at every login — in practice they hardly ever are changed. Most cable Internet users have exactly the same IP address for years. Just to be sure I ran this information past another friend who was one of the architects of Time-Warner’s Roadrunner system and he confirmed that IP addresses are essentially permanent. So this particular dodge from Time-Warner is nonsense.
Back to Andy: “They resubmitted again and waited another three weeks. This time Time-Warner came back saying they now need a search warrant. The police submit a search warrant and now three months since the IP address was given to the police they still have no information from the cable company.
“After a few weeks of waiting, I used logmein’s pro version to connect to the computer and downloaded all my parents’ documents and pictures. I found a picture of the likely thief in front of the computer. I also have the person’s name and Myspace page, though the police don’t seem interested in tracking down the person using that information.”
I feel Andy’s pain, don’t you? Time-Warner Cable appears not to want to be bothered. In fact they are probably annoyed at the persistence and technical capability of Andy. If anyone from Time-Warner Cable is reading this or if you are a Time-Warner Cable customer who doesn’t want to have a similar experience, now would be a great time to speak up.
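Andy’s request was bounced twice on particulars: once for a mistyped address, once for a missing date and time. The script below is an added example, not code from the column, from LogMeIn or from Time-Warner. It turns a remote-access tool’s sightings of a stolen machine into a request record an ISP can actually match against its DHCP lease logs: it throws out addresses no ISP can map to a subscriber (LAN, loopback, link-local and carrier-grade NAT ranges) and malformed entries, and it normalizes every timestamp to UTC with first-seen and last-seen times per address. The sightings, the `203.0.113.0/24` documentation-range address and the timezone offsets are constructed for the example.

```python
"""Turn remote-access sightings of a stolen machine into an ISP subscriber request.

Added example, not code from the column or from any remote-access product.
Assumes the tool reports each sighting as an ISO-8601 timestamp carrying its
UTC offset plus the remote IP address it connected from; the sightings below
are constructed (203.0.113.0/24 is the RFC 5737 documentation range).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample sightings: local wall-clock time with its UTC offset, and
# the address the machine appeared from.
SIGHTINGS = [
    ("2010-01-09T21:14:03-05:00", "203.0.113.57"),
    ("2010-01-10T08:02:41-05:00", "203.0.113.57"),
    ("2010-01-10T08:03:00-05:00", "192.168.1.5"),     # LAN address: no ISP can map this
    ("2010-01-10T09:30:00-05:00", "203.0.113.999"),   # mistyped, like the first police request
    ("2010-01-11T23:59:10-05:00", "100.64.7.9"),      # carrier-grade NAT pool address
]

# Ranges an ISP cannot resolve to a single subscriber from the address alone.
NOT_ATTRIBUTABLE = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class RequestLine:
    """One address the ISP is asked about, with the UTC window it was seen in."""
    ip: str
    first_seen_utc: str
    last_seen_utc: str
    sightings: int


def to_utc(stamp: str) -> datetime:
    """Parse an offset-bearing ISO-8601 timestamp and convert it to UTC.

    A timestamp without an offset is rejected rather than guessed: a request
    with an ambiguous time is exactly what the ISP bounced in the story.
    """
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {stamp}")
    return parsed.astimezone(timezone.utc)


def attributable_ip(text: str) -> Optional[str]:
    """Return the normalized address if an ISP could map it to a subscriber, else None."""
    try:
        addr = ip_address(text)
    except ValueError:
        return None
    if any(addr in net for net in NOT_ATTRIBUTABLE):
        return None
    return str(addr)


def build_request(sightings) -> Tuple[List[RequestLine], List[Tuple[str, str]]]:
    """Group usable sightings by address with first/last seen in UTC; return rejects separately."""
    windows = {}
    rejected = []
    for stamp, ip_text in sightings:
        ip = attributable_ip(ip_text)
        if ip is None:
            rejected.append((stamp, ip_text))
            continue
        seen = to_utc(stamp)
        first, last, count = windows.get(ip, (seen, seen, 0))
        windows[ip] = (min(first, seen), max(last, seen), count + 1)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [RequestLine(ip, f.strftime(fmt), l.strftime(fmt), n)
             for ip, (f, l, n) in sorted(windows.items())]
    return lines, rejected


if __name__ == "__main__":
    lines, rejects = build_request(SIGHTINGS)
    for line in lines:
        print(f"{line.ip}: seen {line.sightings}x, {line.first_seen_utc} .. {line.last_seen_utc}")
    for stamp, ip in rejects:
        print(f"rejected {ip} at {stamp}")
```

The lease log on the ISP side is keyed by address and time, so a window (first seen, last seen, in UTC) is what a lookup needs, not a bare address. Where the ISP puts subscribers behind carrier-grade NAT, the public address is shared and the request also needs the source port of the connection; record it if the remote-access tool exposes it.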
Third complaint: My son Fallon’s Vostro A90 netbook, which I wrote about right after Christmas, was finally repaired successfully by Dell but now the Vostro thinks it is an Inspiron 10V.
It took Dell a few days to notice my column about Fallon’s A90 that wouldn’t charge and my many attempts to get it fixed. I eventually got a call from a very nice guy in Dell PR who became my official contact, whatever that means. It sure didn’t mean better customer service. I got a call from Dell support saying that they had received the Vostro for a second motherboard replacement and I’d be getting an update from them just as soon as they heard from the repair depot, probably within minutes or hours. Five days later, still having heard nothing more from Dell support, the little A90 reappeared on my doorstep.
This time the netbook appears to have been repaired successfully. I can tell work was done because the SSD this time was reinstalled with the proper two screws instead of just one screw last time. I could tell work was done because the case, which hadn’t been scratched before, now had lots of little scratches on it. Or maybe the scratches came because Dell didn’t use the padded foam envelope they’d asked me to use to ship the system to them. It was there, crumpled in the bottom of the box, but they didn’t bother to use it. Not using it meant the A90 was too small for the foam padding and knocked around inside the shipping box. But I knew most obviously that work had been done when I booted the A90 and it told me as the BIOS loaded that it was now an Inspiron 10V.
Maybe this is no big deal. Maybe I should be glad that my $200 netbook now has the motherboard of a $350 netbook. But frankly I found it annoying. The last time I got a shuffle like this was when a Chevy 350 engine appeared inside my new 1976 Oldsmobile. GM paid customers millions to cover that executive decision.
Fallon also had a couple apps (this is Linux remember) that he’d compiled specifically for the Vostro and its A04 BIOS. Well the Inspiron BIOS is A05 and the apps no longer work right, so I guess Fallon will be recompiling again, which at age three is a non-trivial event.
This is just slipshod support. Maybe they’ve already discontinued the A90 and are out of motherboards. I don’t care. Dell is supposedly committed to supporting my machine and they didn’t do it. Worse still, when I reported this back to my “official contact,” he quoted Customer Support as saying that they had sent me an e-mail that I never got.
If they are lying to him and lying to me, then they are lying to you, too. Worse still, if they’ll play this fast and loose with a tech blogger with 300,000 readers, then Dell simply doesn’t give a damn about any of us.
I’ll be waiting for your call, Michael.
About item #1: And to think that Janet Reno isn’t even involved in the making of that screw up.
About item #2: Come on Bob! It took YEARS for law enforcement (fed, state, local) to even recognize the existence of “computer crime.” Your buddy in Ohio ain’t so smart, otherwise he would have wired a small indelible dye bomb into that computer that could be triggered by the logmein app. (How about being my go-between to the tech venture people?)
About item #3: When ol’ Michael Dell closed their place here in NC, he said he wanted to OUTSOURCE everything to MEXICO and CHINA for reasons of EFFICIENCY and PROFITABILITY (no mention of customer service quality). Sounds like that is where your son’s netbook has been a couple of times. Anyway I’ll send the link for this article to my friend at Dell…you never know.
Bozo – Dell repair depots are not overseas. They are local, I believe, to what quadrant of the country you live in.
The people who are handling the logistics of getting your complaint logged, and generating an incident ticket, are definitely overseas, whether it’s the Philippines, India, or somewhere else.
Based on timelines for a recent repair I had to a Dell xps m1210 laptop, there’s no way it traveled anywhere out of the country. My machine is 2 years out of warranty, but for the money I spent on repairing it, it saved me about 1000 bucks if I had to buy a new laptop.
I don’t think Dell is the best, but they’re doing a B- job with difficult product.
As of a month ago, I’ve given up on Dell. They get no more of my money. I tried to buy a laptop from the Dell outlet. The laptop purchase was bounced, but they did successfully bill me $50 for the extended service. I tried to cancel that by calling Dell. 90 minutes later, after being bounced around 8 times and back to the original receptionist, I have officially given up.
A client who’s gone through much pain with his outsourced computer support told me a few years ago:
“It will be a cold day in hell before I get anything from Dell.”
May not be Michael Dell’s idea of brand recognition but it’s still true today.
And you didn’t contest the charge?
300k readers or not, you SHOULD be treated as well as customer #1, and if you are treated better, something is wrong at Dell. You shouldn’t be treated any differently, and as we can read, you are not. whew.
Thanks for the warning about the 3rd party mobile apps. Maybe this is a reason why it doesn’t completely suck to have Apple vet each app before it shows up in the store…
Not sure how much Apple’s app-vetting actually accomplishes. So far we’ve seen apps of dubious value routinely approved (sometimes to be unceremoniously yanked later on), while otherwise fine apps are repeatedly delayed over trivial and/or obscure issues. And the developers are often left in the dark, not knowing if or when their apps will be approved, making the whole process a crapshoot.
I suppose any app review is better than none, but the improvement provided through Apple’s process is debatable, and approval by Apple may foster an unwarranted sense of value & safety on the part of the consumer. Apple needs to make their process much more transparent.
Actually, since the new year, apps are being approved in a matter of hours.
While Apple has an extensive application process, they do not actually audit what the code is supposed to be doing or not doing. Be careful with that false sense of security.
On mobile banking apps, or *any* mobile app that asks for *any* account information: If the user first hasn’t investigated the app, and perhaps only gone to purchase it by first visiting the bank/Netflix/Redbox/whatever web site and *only then* clicking through to purchase/download it, well, shame on them.
Bob, it makes me feel good about Dell that they treat everyone with equal disdain.
Clearly this was an exceedingly expensive computer. I don’t know your hourly rate, but I suspect you passed MacBook prices some weeks ago.
Do you think the Google-branded Chrome OS netbooks to come will be different? (I sure hope so …)
John (Gordon) Faughnan
OS has little to do with the problem. The problem is a consumer culture that sees things as disposable thanks to advertising and the shoddy manufacturing practices that are required to create dirt cheap disposable computers. Computers built to last two years and die (cellphones come to mind) make companies money. Computers built to last 5-8 years (Apple PowerMac G4 towers and G4 laptops come to mind) don’t make companies money so they are replaced by cheap junky models. Anyone who does not get at least 6yrs out of a computer has been ripped off.
Preempting the Moore’s Law refrain: As much as Cringely touts Moore’s Law, the reality is there is no application on the market or coming to market in the next two years that requires the computing power of a computer built after 2005 (except Flash, but that’s just bad design & programming). See also why ARM dominates many markets and not Intel.
I’m inclined to agree with your statements. I have had my current laptop going on 5 years now. It has served me very well in a professional and casual capacity. I’m about due for a new one now but I think I have gotten my mileage and then some out of this one.
I also agree. My PowerMac dual 1.2 G4 I bought in 2003 (chipset is really almost a year older than that) has served me well these 6.5 years. It is the longest I have had any machine and it has served me well in my freelance graphic design. But alas, it is long in the tooth, and many apps I want to use are Intel only. My plan in 2000 was that any machine I buy should last at least 4 years. This will still be useful for me until the new PowerMac i7 comes out.
The app problem highlights the complaint I’ve had about them all along: most of us would be served by a better, mobile, device independent website in the first place.
Apps do a lot of things HTML/JavaScript aren’t explicitly designed for. It’s urgent that there be rolling draft versions of standards like login information caching, location services, etc., as a rolling set of draft standards, and that devices start treating web apps as little more than a shortcut to a specific page.
“The app problem highlights the complaint I’ve had about them all along: most of us would be served by a better, mobile, device independent website in the first place.”
You got that right! It’s just not sexy or as profitable.
I don’t give my bank or email credentials to any iphone apps, unless they are bona-fide apps like facebook. It limits the usefulness of some apps, and I’m sure most are OK, but there is no way to know what an app really does with any credentials, and the potential for identity or financial fraud is very real. This is an issue with iphone’s app store, and increasingly with android marketplace. Probably an issue with PC software too, except not so many apps work that way on PCs.
I would only trust a banking app if the bank publishes it, or publicly endorses a third party app, and only if they wear the cost of fraudulent use.
“bonafide apps like facebook?!”
There are freakin’ *tutorials* around the net right now on how to gain access to someone else’s facebook account. The company is at the point that myspace hit about two years ago: too many customers to make more than a passing stab at genuine customer service.
Anyone is a fool to put anything into a social networking website that they don’t want everyone to know. “I really would like to have an affair with you” is bad enough but I would never, ever, in a billion years link up my name to a bank account number in facebook. The safety of the app might be certified but your account access certainly is not.
Poor Fallon!
This is a travesty, but more so for Dell than you and yours, Cringe. You are a direct influencer of 300,000 people, most of whom I would venture to say are more technically literate than the average population. And I wonder how many people WE influence? If we each know ten people who at some point in the next year or so who will be in the market for a computer, now we’re talking about 1% of the population of the US. That’s a lot of people who now potentially won’t be saying, “Dude! I’m gettin’ a Dell!”.
Personally, HP is usually my first choice with my money, and IBM/Lenovo Thinkpads on the company dime. I’ve used a lot of Dell’s with fairly good results, but they are not my first choice. Or my second.
I don’t like that I have to visit this site to hear the podcast when I used to be able to get to it in the rss feed. love the show
It’s ok I have updated my rss reader to the new mp3 feed as the old feed no longer has the mp3’s
We’ll be back on iTunes momentarily. Apparently the bug that was keeping us off has not been fixed and all that’s left is something stupid I am doing as I post. Some reeducation and we’ll be back to normal.
Complaint Nr. 3: Get only Macs. I used to be a long-time PC user, then switched to Mac for programming iPhone apps. I really must say, it is just great. Finally a Unix with a nice interface and without 3D graphics card hassles …
Complaint Nr. 2: Very strange indeed. Even with the name and photo the police don’t react?!
Complaint Nr. 1: Apple has a lot of information about the programmer of the app. But I guess it is not that hard to use a stolen credit card or something to buy a developer account … A way to be a little bit more sure about what the app does is to only use banking software which uses the highest level of encryption. This kind of software goes through an extra US approval process which can take months to complete. Maybe not much more secure, but within these months a stolen credit card could be reported 🙂
But this was an ANDROID app. different rules.
Per Complaint #1 – he was not talking about Apple’s AppStore – but about the others out there, namely the Google App Store. They don’t have the same requirements or procedures that Apple has, partially due to people complaining about Apple’s requirements. However, Apple has those requirements for a reason – partly security. So you get what you get.
Also, using only the highest level of encryption doesn’t mean much anymore other than that it will be that much harder to break into it on the fly.
Nor does it mean anything when the developer(s) is rotten and can easily redirect the session through their own proxy – in which case, your encryption set is with them, not with your bank/etc; they then have an encryption set with your bank/etc. So you wouldn’t know the difference unless you traced the connection, and even then it’d take some dirty work to figure it out. (FYI – it’s called a Man in the Middle Attack; but it’s a lot harder to foil when you’ve given the keys away from the get go.)
#1 – I don’t trust any mobile app with anything, outside of the AppStore for iPhone. That is because I created my account on my home computer and use the AppStore to purchase apps only. No online remote banking for me. Too risky.
#2 – Does not surprise me one bit that T-W does not care and even threw roadblocks in the way of the police and your reader. It also does not surprise me that the police really don’t care about solving crime. Robberies are too numerous to spend man hours trying to resolve them. Also, it is not “sexy”, meaning it is not visible enough to warrant the effort. Cynical I know.
#3 – Good luck with that. Dell is not the Dell we knew and loved at one time. Dell is not the Dell I worked 6 years for. I would be hard pressed to recommend a Dell to anyone at this time, and it is all because of their customer service/support.
Take care,
1) Years ago it made us nuts when our enterprise users got access to their corporate email from their unsupported, insecure POP3 mail clients by giving a web based third party their AD credentials. After dealing with that sort of behavior for a while I finally found a solution – I got a different job.
2) ISPs *all* sux and it is only going to get worse.
3) Get a Mac 🙂
2. I would attribute this behavior to a feature, not a bug. The ISPs work for the customers and not the police. The onus should be on the police to provide as detailed information as possible in order for the ISP to sanity check it prior to giving out a customer’s private information. TRWTF is the police not providing the required information initially and not following up more aggressively once having done so.
DHCP addresses can change if the modem-connected device changes. Furthermore, if there’s a router in place it could easily be that the culprit is using the nation’s favorite wireless service, Uncle Wally’s “linksys”.
First of all you need an editor. Your sentence construction has gone way downhill since you left PBS.
Second, why doesn’t this put an impetus behind owning your own authentication? It seems to be that OpenID is the right platform to solve these login problems.
You are assuming I had an editor back then….
I think the difference is that back then you had a week to prepare each column. Now I come to Cringely.com every day and can barely keep up.
This sounds like one of your 2009 predictions is trying to become true:
Internet Centric devices
Theft of smart phones and Internet centric devices will become a big problem. Thieves will figure out how to steal identity information, raid bank accounts and investments, and so on. This will become a big problem.
Thanks, I needed that!
Maybe it’s the big players who need all these dubious apps in circulation?
In the same way Microsoft needed 3rd party utilities, to wrap them up in the OS.
Only this time, the fun is that you’re genuinely spooked into preferring to trust Microsoft, or Google, or Apple with access your financial data. Maybe it’s a decision: small company you’ve never heard of vs. big company but they can “collect non – identifiable aggregated data” about your banking habits?
Lovely kicker for their advertising metrics.
For the immediate rebuttal, that there’s obviously a market for independent trusted third parties to establish themselves, I counter that it’s a mammoth task to set up the legal and machine infrastructure to compete. A good example is financial payments networks, where Citibank dominates the volume because of worldwide coverage. It’s not a US or other market-only proposition. You need that worldwide network. Any brands in the space we’re on about which come to mind, which are trusted, but single market? Not a rhetorical Q, that, I just don’t have an answer myself. Any such credentials broker (those are already very loaded words if you think legally) would be transcending the regulatory spaces too. Maybe that – regulated market areas – is the only thing holding back the computing names from doing this. We know their legal histories. But the corollary to that is their histories are as much about pushing hard into the grey or even black areas as possible. This was equally true of Walter Wriston’s National City Bank, which dodged every imaginable law to effectively become the first pan-state bank at a time that was prohibited in law.
Google has already confirmed the first deliberately malicious banking apps:
http://mobile.slashdot.org/story/10/01/10/2036222/Malicious-App-In-Android-Market
https://www.firsttechcu.com/home/security/fraud/security_fraud.html
People will load almost anything to help save them two clicks and typing a password, does it surprise you that they will do the same for their banking? I’ll continue to use the official website for my Credit Union, thank you!
2. TW does hop IPs. I’ve tried to use them several times as my ISP and had to go back to DSL because I couldn’t maintain a work-day’s VPN connection to my employer. I kept getting dropped at least once a work day. I never had that problem with DSL.
Also, it appears the police dept. is more at fault here. From a privacy standpoint, if I was TW, I wouldn’t just hand over the subscriber’s information that easily. I’d be worried about getting sued by the alleged criminal subscriber, right or wrong. More power to the user in being able to retrieve his parents’ information. However, did he violate the criminal’s rights by also retrieving that guy’s identity and image? 🙂
“which I wrote abut right after Christmas,”
-> about
Fixed, thanks.
Item 2:
It might be a big deal to the reader’s parents, but it’s too insignificant for the use of time by law enforcement. Unless there’s some proof that the theft resulted in tens of thousands of dollars in damages, was part of some greater organized crime effort, etc., they are not going to dedicate a lot of their limited resources on a single residential computer theft.
Maybe you’re onto something there. We should just not bother calling the police if a theft doesn’t meet a certain tier, and certainly shouldn’t do what we can to protect our assets, nor should we have any expectation of any help from the law enforcement offices we finance through hard work and legitimately filed tax returns.
I wouldn’t expect a task force to be formed for taking down this probably small-time outfit, but there wasn’t much more Andy could have done, and the fact that nothing happened falls 50/50 on the police and Time Warner here. It would have taken very little effort on either of these parties ends to chase this down a bit more.
Maybe your expectations of local law enforcement only responding to organised crime/high dollar robberies level sets such that you won’t be disappointed by their inability to communicate with an ISP, but I’ll continue to expect that such communication should happen, and that due diligence be carried out by all parties. Andy did his, so it doesn’t seem too much to hope that the police/ISP do theirs.
And whilst this might be representative of a single robbery, odds are the guy is habitually breaking into places and stealing stuff. I’m sure local contents insurance companies would appreciate the police doing all they can too.
I had an airplane stolen once from my garage in Palo Alto. When I filed the robbery report the police said their only effort to solve the crime would be to grab the plane if any officers noticed it on the street. Looking further it turns out stealing registered aircraft is a federal offense so I called the FBI. They never showed up.
You didn’t tell them there were DRUGS in it?
Well, then, what did you expect?
🙂
Or he could have said he saw some middle-eastern looking men hanging around just before it was stolen.
But then, I would trust DHS to find a plane if it landed in their parking lot.
There were headlines just today about a rogue phishing app removed from the Android marketplace for posing as a banking application.
https://www.theregister.co.uk/2010/01/11/android_phishing_app/
Some ISPs do cooperate tho. Here’s the story of a guy who was apparently responsible for at least part of a rash of thefts and burglaries in my neighborhood. They caught him logging on with a stolen Xbox – the ninny.
https://www.lohud.com/apps/pbcs.dll/article?AID=20101070358
Just one thing, as a loyal reader of many years, THANK YOU for the mobile version of your blog! Good to see that you finally believed your own predictions that computing will move to smartphones…
Enjoying the brevity, spontaneity and frequency of your new format.
Dell’s sales department isn’t much better. Last year, my wife took advantage of a killer deal that Dell was offering and ordered a desktop for my daughter. A week later, she received an email saying the computer was delayed, and gave a new arrival date. Several times they sent similar emails, each time extending the arrival date. Finally, she received an email saying the computer wasn’t available and that her order was canceled.
She called Dell for an explanation. Was this some kind of bait and switch or would they honor their deal? First, the representative told her that our daughter didn’t need that much RAM or that large of a hard drive (basically trying to sell my wife a lesser computer for the same cost). When my wife further complained she was basically told, “too bad. We’re already being sued by other customers.”
First thing I do when I open the Sunday paper is toss out the Dell ad. It’s whitebox or Mac for me, period.
Item #1:
Apple’s way of doing the iTunes App store might actually make sense. Google allows almost anyone to put up an app, and does no real checking whether or not the app is above board. This means you can have Apps on the Android phone that Apple won’t allow (tethering, porn, Internet calling over a phone company’s data connection, etc.). It also means that apps aren’t always scrutinized the way they should be.
All the banking applications I found on the Apple app store are from the banks themselves. All of the Netflix applications found in the Apple App Store except for Phoneflix (which was at one time called Netflix and was the official Netflix app) are mentioned on the Netflix application page.
I can imagine some nicer banking applications in the Android marketplace where some third party developers creates an application that combines all of your various bank accounts into a single application and has more features and is easier to use than the official banking applications.
At the same time, I can imagine someone putting up a fake Bank of America Android App that captures your financial information and then drains your bank account dry.
Item #2:
Cable companies are the second most incompetent businesses in the world. Their “natural monopoly” allows them to be completely awful, yet retain their customers. You can use your local cable company, or not watch TV. The choice is yours.
Unfortunately, the most incompetent businesses in the world are the local phone company.
Personally, I would ban content deliverers from being content owners and providers. You can either run a cable company or produce cable content. You can’t do both. I can see a world of harm from allowing Comcast to own NBC. Imagine if by some fluke of a chance, AT&T’s U-verse and Verizon’s FIOS systems actually became competitive with the cable company, and suddenly Comcast decides that NBC isn’t available on U-verse or FIOS.
In a perfect world, I would also separate out the data pipe owners from those who provide service over those pipes. This would be similar to the situation we had back in the 1980s and early 1990s when most Internet connections were dialup. The ISP was a distinct organization from the phone company.
Item #3:
How much money could Dell be making on that $199 computer? The problem is that the netbook is a computer in the sense that it has a fully functional desktop, that you can put any application on it, that apps and data are really mere files, etc.
In other words, it is a very complex system on which Dell is lucky to be making $25. My best guess is that if Dell adds up all the profit in sales and subtracts all the cost of technical service, they’ll find that these netbooks are burning profit.
An iPod Touch costs about the same as your netbook, but because it operates in a much more strict environment is probably a lot more dependable. Want to download an app? Sorry, only Apple approved ones. Want a different desktop? Tough. Doing this helps Apple keep down technical support issues.
Jobs once said that he didn’t know how to build a sub $500 system that wasn’t junk (probably more like $400 now). The truth is that no manufacturer can. To put in everything you’ve got in that netbook, you’ve got to cut costs somewhere. People talk about an Apple Tax because Macs tend to cost more than what you can find from other PC manufacturers. However, that “Tax” allows Apple to use better quality components and better support.
The other manufacturers are looking for market share, but aren’t looking at the possible cost of getting that market share.
Why should we treat mobile apps any different from PC apps?
If you went on to some random PC website and found an app called “Bank of America Internet Application” would you blindly download and install it?
Is it that smart phone users are less computer literate than PC users?
Or is it because you find the cellphone app on an “official” app store page you assume it is somehow more trustworthy?
As on a PC, people have to be responsible for their own actions; the alternative is the path towards a nanny state. Don’t install Nigerian Bank Scam apps on your cellphone.
> Why should we treat mobile apps any different from PC apps?
> If you went on to some random PC website and found an app called “Bank of
> America Internet Application” would you blindly download and install it?
One word: App Store. When Android creates the Android Marketplace, they give a certain cachet to any application that is there. I would never go to http://fubar23123.com to download a banking app because some user named p07n3at3r tells me that there’s a really cool bank app there.
But what if I go to the Android Marketplace and see a banking application for MegaBanc with the MegaBanc logo on it and 100 very positive reviews from various sock puppets? Hey, it looks good to me.
There are many complaints about the iPhone App Store, but they do make it extremely difficult to install a rogue program. I know people who’ve written App Store programs. Apple verifies the data being sent back and forth. They verify that you’re only using the provided API. They hunt down backdoors. And, they verify who the author is and even whether the author has permission to produce a particular app.
Anyone can download the Android API and play with it. Almost anyone can submit an App to the Android Market after paying a $25 fee. It creates a dynamic marketplace, but very little oversight.
Google is going to have to tighten the ropes on the Android Market. They’re going to have to limit it to verified applications much like the iPhone App Store does. They can still allow you to install other apps not from the App Store, but at least this way, it doesn’t have Google’s Stamp of Approval on it.
How about this for an “app”: a really awesome freeware game that secretly sneaks through your file system seeking passwords and banking information, then sends the data back in encrypted format as part of the regular “update” procedure that is executed every login. It doesn’t need to send the complete message in one pass either, it could send part of it back every single login. Even if you have to reboot 20 times before the full details are sent, it’ll happen eventually.
Off topic.
For RSS feeds I use the Sage plugin for Firefox. When your feed switched to feedburner from cringely.com (without warning AFAIK) Sage started throwing XML parse errors.
Is this just me (Sage) or did something get ‘improved’?
I have had a pet theory about the concept of “Big Brother” for years now. It is a three-headed beast – Government, Crime, and Business.
If you are worried about criminals stealing banking information while you are using phone apps, don’t forget about the Government and Big Business. The Government and Business may not steal money, but they will data mine the information stored on your phone for their own ends. This will include signed apps.
About the slowness of the police handling of the stolen computer, I doubt the person using the computer now is the actual thief. They probably bought it from the actual thief. The new computer user is still guilty of possession of stolen property, but it involves more paperwork and will probably not lead to the arrest of the thief.
It’s interesting to note that these three apps were reported to Google last Thursday and they are still up today. In fact, even though several stories about this very problem have hit the net, the bank I work for contacted Google to report the issue and I myself clicked the ‘flag as inappropriate’ button for each app separately multiple times… Google hasn’t lifted a finger. It’s hard to say why nothing has been done; however, Andy Rubin was quoted as saying they have to get better at customer service.
If this wasn’t bad enough there is a NEW security flaw whereby if your friends’ droid phone is locked you can call it, accept the call and hit the back button whereby it promptly unlocks the phone for you.
I know that Google bought Android (the company) so this begs the question as to who is responsible for mobile QA at Google/Android…they should be ‘on it’ and they are not, IMO.
Google’s reliance on Open Source software may have hit a glitch because there are no Open Source mobile QA products other than maybe JUnit (that I know of). They are on their own to implement QA products to test Android. The Nexus One that I used recently had so many easily found bugs it makes you wonder if they are QA-ing at all. Google’s QA as a whole seems lacking… Gmail outages, etc. No wonder all their products are marked BETA!
then there’s this:
https://www.engadget.com/2010/01/11/phishing-android-apps-explain-our-maxed-out-credit/
Amazingly poor service from Dell.
My benchmark for excellent service is Nintendo. Absolutely fantastic. I’ve had to return two Wiis and one DS and it’s easy as pie: online booking, free postage, quick, and keeps you informed. Perfect.
I would also say Apple too. I hear that their service is good. But none of my many Macs have ever gone wrong…
For 10 years now all I have ever seen is people buying Dells, regretting it and never buying them again. I have no idea how this firm can still be in business.
I’m not sure why point #1 is actually any different from your PC.
Does your bank provide the application you use to access their internet banking site?
You’re using some third party web browser, probably with a number of plugins and add-ons, some of which may have come from unvalidated providers.
You’re also using a 3rd party operating system, with 3rd party drivers, and any number of 3rd party applications running with system privileges.
The mobile one is interesting – even more so by the fact that it’s out there in the wild, but there’s lots of ways someone could achieve the same end result on your PC (or Mac), if you are foolish enough (or your computer is vulnerable enough) to install unknown applications/tools.
The lesson people (including me) need to learn is don’t install unverified applications just because they have a nice name and a pretty logo. That applies to mobile apps and desktop apps.
I believe this is the exact thing you talked about in your post: http://phandroid.com/2010/01/11/phishing-android-app-steals-banking-info/
Since no one is saying anything nice about Dell, let me balance the scales a bit:
Two years ago I bought my mother a Dell laptop. A couple months after she got it, a neighbor kid stole it and trashed it, including spray painting the case and leaving it hidden outside for weeks.
When it was recovered, mom called Dell support and even though it obviously wasn’t a warranty issue, they had their local support contractor pick it up. When he was finished, it looked and ran like new, and it didn’t cost us a penny. Too bad they can’t support a $200 netbook as well a $700 laptop.
I agree that 2 years ago Dell support was great, but the same support that we have been paying for all along has been slipping lately. Next day service is more like 2 or 3 day service now. And I’ve even had support reps outright mislead me over the phone as to errors I was getting from diagnostics. How do you explain that?
I really don’t know what to say about the machines themselves, but the support these days is lacking big time.
I haven’t played the Dell “Let’s diagnose your problem over the phone with my handy flow chart” game in years…. I understand that’s what they use in Guantanamo when waterboarding fails to get results.
Bob,
I value your words telling us what’s what in the tech. world but it seems like your articles are getting more & more about bad stuff. Is anything good happening out there?
Well my previous column about Microsoft was viewed by many readers as TOO positive, but I’ll take your point to heart. When I announce my startup project next week I think you’ll see plenty of positive content at I, Cringely.
It seems Google read your blog: https://www.elpais.com/articulo/internet/Google/retira/sospechosas/aplicaciones/bancarias/Android/elpeputec/20100112elpepunet_1/Tes (it’s in Spanish).
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fwww.elpais.com%2Farticulo%2Finternet%2FGoogle%2Fretira%2Fsospechosas%2Faplicaciones%2Fbancarias%2FAndroid%2Felpeputec%2F20100112elpepunet_1%2FTes&sl=es&tl=en
IP addresses given out by the cable companies are only permanent when assigned to the same hardware MAC address… at least through Comcast, anyway.
The MAC address that matters is not the cable modem’s, but that of the hardware (computer or cable router) plugged into it. If you plug a different MAC address into your cable modem, it will get a different address when you reboot the modem.
If I want to change my IP address, all I do is manually edit the MAC address of my Netgear WGR614 cable router, and reset the cable modem. Presto: different IP address! If I change it back to the original value (at least if I do so the same day), it gets the same address it had before I edited it.
My last Dell order, about four years ago, was for a top-of-their-line desktop, with lots of extras – a big order. Without going into details, they completely screwed up the order, numerous times. As compensation, they sent me a “free” all-in-one printer – the scanner didn’t work, and ink cartridges cost more than the price of the printer. The motherboard died a week after the warranty expired.
I used to use Dell exclusively. Many people ask me for advice on buying computers. I would guess that that screw-up has cost Dell at least $15,000 so far in lost orders.
[…] Cringely’s post, whose first point, the one about mobile applications, seems very interesting to me. The […]
I am really digging the new Howard Beale style Robert X Cringely! It was always there a little bit but now with the whole damned world economic system circling the drain, well, it just feels so Right at this time. Good on ya Bob.
# 2, Wait a minute! How do we know that the guy who’s pictured is the thief? Maybe he bought the PC from the thief. If we start shooting from hip we’ll end up back in the old west! 🙂
Bob,
This was a lot easier when your podcast auto-loaded in iTunes. Why the change to MP3?
Still Listening,
(another) Bob
The mobile app phishing thing is relatively easy to control, if not eliminate. If the API provider uses an authentication protocol such as OAuth, there is no reason for a user to share their credential with a 3rd party application provider. Each application which consumes an API is issued its own secret key. When a user needs to authenticate with the API, they are sent to a URL at the original site (Netflix, bank, whatever) which is signed with the developer key and which includes a unique token. The user is then asked by the origin site to log in, and the unique token can then be associated with that user. The user is asked whether they wish to grant access to the application in question (identified by the secret key id in the URL). If the user grants permission for the 3rd party app to access their account (and you can specify the level of access they should be granted), then a special code is shown to the user. When the user provides that code to the 3rd party app, it is able to exchange the original user’s token in combination with the code for a new secret token that identifies an authenticated user. All subsequent requests by that 3rd party app are signed with a combination of the developer’s API key and the user’s authentication key – and all of this without ever providing a password to a 3rd party.
When implemented correctly, all of the back and forth is accomplished with a series of redirects between apps (ask me how frustrated I am that a native iphone app can’t redirect to safari without throwing up yet another new safari window) and a minimal amount of user input – mostly just a click granting permission for application x to have read-only access to your account (or similar).
Even better, since it is possible for a user to revoke their own token directly from the origin website, even if your phone is lost or stolen, it is trivial to revoke the credential for that phone to use that application. All that is necessary is a page back on the origin site which lists all 3rd party consumers that are currently authorized to use the account which provides the ability to delete the token for that account from the database.
There are OAuth server and client libraries available for every language you could possibly want (and they aren’t that hard to implement, regardless).
In short, users should refuse to type passwords into 3rd party apps. Demand that app developers use 3-legged authentication schemes such as OAuth and retain control over your own accounts.
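As an added illustration of the three-legged flow the comment above describes (example code written here, not the commenter's code and not any OAuth library's), a self-contained simulation of OAuth 1.0a: the origin site that holds the passwords, the third-party app's signing step, the verifier code, and revocation of one app's token. `OriginSite`, `BudgetApp`, `alice` and `bank.example` are constructed placeholders; the user store is a demo stand-in, and transport (redirects, HTTPS) is left out so the signing and token logic can be run offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

_enc = lambda s: quote(str(s), safe="")   # OAuth percent-encoding (RFC 3986 unreserved only)

def signature_base_string(method, url, params):
    # OAuth 1.0 base string: METHOD & encoded URL & encoded, sorted parameter string
    norm = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _enc(url), _enc(norm)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret"; the user's password is never part of it
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class OriginSite:   # the API provider (bank, Netflix, ...): the only party that ever sees a password
    def __init__(self):
        self.consumers, self.users = {}, {}               # key -> (secret, app name); user -> pw hash
        self.request_tokens, self.access_tokens = {}, {}  # token -> record
    def register_consumer(self, name):                    # developer signs up, gets key + secret
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = (secret, name)
        return key, secret
    def add_user(self, username, password):
        self.users[username] = hashlib.sha256(password.encode()).hexdigest()  # demo store only
    def _verify(self, method, url, params, token_secret=""):
        params = dict(params)
        sig = params.pop("oauth_signature")
        expected = sign(method, url, params, self.consumers[params["oauth_consumer_key"]][0], token_secret)
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
    def request_token(self, method, url, params):         # leg 1: temporary token for the app
        self._verify(method, url, params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": params["oauth_consumer_key"]}
        return tok, sec
    def authorize(self, token, username, password, scope):   # leg 2: the login happens HERE
        rt = self.request_tokens[token]
        if self.users.get(username) != hashlib.sha256(password.encode()).hexdigest():
            raise PermissionError("login failed")
        rt.update(user=username, scope=scope, verifier=secrets.token_hex(4))
        return self.consumers[rt["consumer"]][1], rt["verifier"]  # app name shown to user, code to enter
    def access_token(self, method, url, params):          # leg 3: request token + code -> access token
        rt = self.request_tokens.pop(params["oauth_token"])   # one-shot, consumed even if exchange fails
        self._verify(method, url, params, rt["secret"])
        if "verifier" not in rt or rt["verifier"] != params.get("oauth_verifier") or rt["consumer"] != params["oauth_consumer_key"]:
            raise PermissionError("verifier mismatch")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"], "scope": rt["scope"]}
        return tok, sec
    def api(self, method, url, params):                   # every later call is signed with both secrets
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None:
            raise PermissionError("token unknown or revoked")
        self._verify(method, url, params, at["secret"])
        return {"user": at["user"], "scope": at["scope"]}
    def revoke(self, username, token):                    # the "authorized apps" page on the origin site
        if self.access_tokens.get(token, {}).get("user") == username:
            del self.access_tokens[token]

def app_request(method, url, params, consumer_secret, token_secret=""):
    """What the third-party app does: add a nonce and sign. It holds secrets, never the password."""
    params = dict(params, oauth_nonce=secrets.token_hex(4))
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return method, url, params

def run_flow():
    """Run the three legs for constructed app 'BudgetApp' and user 'alice'."""
    site = OriginSite()
    site.add_user("alice", "correct horse")               # constructed demo credential
    ckey, csec = site.register_consumer("BudgetApp")
    base = "https://bank.example/oauth/"                  # placeholder origin URL
    rtok, rsec = site.request_token(*app_request("POST", base + "request_token", {"oauth_consumer_key": ckey}, csec))
    # the app only redirects the user to the origin site; the password is typed there, not into the app
    app_name, code = site.authorize(rtok, "alice", "correct horse", "read-only")
    p = {"oauth_consumer_key": ckey, "oauth_token": rtok, "oauth_verifier": code}
    atok, asec = site.access_token(*app_request("POST", base + "access_token", p, csec, rsec))
    p = {"oauth_consumer_key": ckey, "oauth_token": atok}
    before = site.api(*app_request("GET", base + "balance", p, csec, asec))
    site.revoke("alice", atok)                            # lost phone: the user deletes the token at the origin site
    return app_name, before, atok not in site.access_tokens
```

The third value returned by `run_flow` shows the lost-phone case: once the token is deleted at the origin site, the app's signed requests are refused without the user ever changing a password.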
I bought a Dell laptop 2 years ago – worst mistake ever. The continual transferring between service departments the five times I had problems just drove me up the wall. The support wanted all of my personal information, every new idiot I was transferred to. I hated that Dell machine and will never buy Dell again.
I bought an HP laptop last year, whilst no current IT vendor support is remotely pleasant, HP support were quite quick, efficient and fixed the problem on-site same-day. Good enough.
Great column Bob! I have been a huge fan since first watching “Triumph of the Nerds” on TV and I am an avid reader/listener of your columns for years.
Regarding the vulnerabilities associated with the apps on the Android platform, I foresaw this when I first heard that the Android Marketplace would be open and not have any vetting/screening as is the case with the iPhone/iTunes store. There are those who decry Apple for forcing an approval process for iPhone apps before they are made available on iTunes and these very same people cheered at the openness of the Android Marketplace. It is obvious that Apple’s approach was a great choice as it significantly decreases the potential for identity theft and theft of people’s bank accounts through information gleaned from such phishing apps. This will most certainly continue to be a problem and is only the beginning of the problem associated with allowing any and all applications onto smart phones.
People already have a significant amount of trust in apps due to the safer environment which Apple has fostered with the iPhone and so many people will easily be duped into installing these apps put out by criminals. I have always been careful about validating the origin and authenticity of apps for highly sensitive accounts such as my bank accounts before installing any such app on my iPhone.
I do not expect there to be any change in the Android Marketplace in light of these potentially fraudulent apps and many people stand to lose a lot. This will result in the pool of trust moving away from Android based phones back into Apple’s arms.
Keep up the great work Bob!
Friends don’t let friends buy Dell.
That out of the way, Apple should handle this problem for its target audience. It’s a simple logic flow:
1) apps need to declare with a flag (xml tag, plist entry, whatever) if they store usernames and passwords for remote sites. Violating this rule gets a serious sanction (developer ban, etc.)
2) if (1), then they need to declare the https URLs they’ll be connecting to in the same definition.
2a) they need to include a token in the app signed with the same key as the https server. This is a trivial step for the server admin who has openssl handy.
3) the iPhone data access layer needs to provide an outside-sandbox warning message to the user (‘OK’, check ‘never ask again’ is fine) about what’s going on if violations of (1) and (2) occur. This enforces disclosure by the app vendor. So long as people are making conscious decisions they’re actually accepting responsibility.
This algorithm should in no way be construed as moral support for the gated playpen approach to software distribution.
Banks themselves are warning of this: http://isc.sans.org/diary.html?storyid=7936
Doesn’t sound like Dell has changed much since another mega-blogger had problems with them – https://www.thisistrue.com/dellhell.html.
Full disclosure – I have 7 dell systems – mix of laptops and desktops – and I must have been lucky so far. I’ve not needed service beyond drivers off their web site.
The web site sucks for usability, but once you find them, downloads plus the service tag concept works really well.
I run a small computer consulting company, and all I ever use is Dells. I have had fantastic luck with them for the last 10 years or so, and will continue to do so. I always get a quick response from their customer service, and as long as you know what the problem is (bad hard drive, bad RAM, bad motherboard), they won’t make you go through their troubleshooting steps. I also always have them send me the hardware, and do the replacements myself.
Brian, are you the Dell PR contact that Bob mentioned?
OK, a little late to this party…
I am not a Dell PR hack. I am an HVAC contractor.
We have used Dell machines, both desktop and laptop for 10 years. There has been the occasional problem, but each time I received prompt service. We have about 200 machines.
I expect to be on the phone with tech support for 20 minutes, answer their script and get the proper parts shipped out. The parts are usually received the next day.
I even get the same tech support guy on the east coast. Newfie accent is unmistakable.
Dell tech support is top notch.
Sorry to see that we caused some problems with your son’s Vostro A90. Know that you’ve been working with others at Dell to resolve. If something comes up in the future where you need help, feel free to let me know.
https://www.twitter.com/LionelatDell
Thanks,
LionelatDell