[slg]

From the article these attacks allow for:

* deanonymizing users

* building social graphs of users’ interactions, both in real time and after the fact

* decrypting and reading direct messages

* impersonating users to anyone else on the network

* completely shutting down the network

* performing active man-in-the-middle attacks, which allow an adversary not only to read messages, but to tamper with them as well

This app basically allows for the exact opposite of what people are expecting from the app. Doesn't that qualify as some sort of fraud or false advertising? If not, I wonder if we need further regulation to protect the public from developers that are either incompetent or straight malicious.

[nordsieck]

> Doesn't that qualify as some sort of fraud or false advertising?

Fraud typically requires some sort of mens rea. It sounds to me like Bridgefy is just really bad as making secure applications.

> If not, I wonder if we need further regulation to protect the public from developers that are either incompetent or straight malicious.

There is a long history of people trying to create liability for software bugs. It was a bad idea then and it's still a bad idea today.

[faeyanpiraat]

Why?

If a bridge is built wrong and kills people when it collapses, someone must be at fault.

What’s the difference if it happens with a virtual “thing”?

[nordsieck]

> Why?

> If a bridge is built wrong and kills people when it collapses, someone must be at fault.

1. We mostly know how to build bridges that don't collapse. We do not know how to create software that doesn't contain bugs. Even with the most intense scrutiny.

2. Software exists along a gradient between casual to critical, whereas all structural/civil engineering is of critical importance. It simply makes no sense for society to force you to analyze your Excel formulas as intensely as a civil engineer analyzes a bridge.

[tremon]

What’s the difference if it happens with a virtual “thing”?

Certification. Engineering is a protected profession, which means there are preconditions to working in that field and real consequences for failure. Software "engineering" has none of the preconditions.

[squiggleblaz]

You're explaining why there _is_ a difference, but not why their _should be_ a difference.

1. "It is a bad idea to make software developers liable for bugs".

2. "Why? We make engineers liable for physical malfunctions, why not make software engineers liable for software malfunctions?"

3. "Because they are uncertified"

It fails to address the actual point. Is it better that software developers are uncertified? Why not introduce standards?

I guess it's easier to transport software, even running software, across borders today. But even there, one could say, "If Google relocates to Canada, then stuff them - we will drop their packets at the border till they comply with domestic law."

This would be a disruption of the free market, but we already admit that a free market shouldn't exist in house construction. Why should a free market exist in message distribution? The question is always, why is software on this side of the border, and bridges on that side?

(My guess is that it's because few people die when your email is mishandled, but many people could die if bridges fell out of the sky whenever they got bored.)

[faeyanpiraat]

So it seems like it ends up being a moral dilemma:

If a software issue causes for example a data breach, it could cause lots of people to experience mild annoyances, like time wasted on changing passwords, money lost through more effective scamming attempts, etc..

If we compare an actual life lost in an accident with lots of people losing some hours/days from their lives, when can we say they are an equal loss?

1 people = 100 people losing 1 year?

How about if the person is your family member?

This gets waaay too complicated to resolve rationally..

[marcosdumay]

> someone must be at fault

Some times, yes, other times, no. Yet, it's not fraud, when someone is at fault, it's for other issues.

[vkou]

You can always ask for a refund of the zero dollar purchase price. :/

[slg]

Do you think a company has zero obligations to its users if those users are not paying for the service?

Most of us have never directly paid Google for anything. I think we would still have justification in being upset if there was a central Google flaw that allowed users to view our search or Gmail histories.

[rootsudo]

You assume the company is not doing this on purpose, or without intent.

-- There were general flaws w/ Google & gMail to allow governments to snoop in on unencrypted communication. There probably still is.

[vkou]

Ethical obligation? Sure. Ethics don't put bread on the table, though. Practical obligation? You get what you pay for.