[Petition][Poll] We want Https on XDA! - About xda-developers.com

[Petition][Poll] We want Https on XDA!
Three days ago I had a conversation with @benkxda. During that conversation, he pointed out that XDA uses no https encryption. Therefore everybody can read our passwords and PMs when we send them to the server. What if someone replaced our downloadable files with viruses?
Is that really what we want? Neither @benkxda nor I think so. Hence we decided to create this thread.
Now you might ask what you can do to get https on our forum. The first and easiest option is probably the most effective. Vote in the poll at the top of the page.
If you've got some spare time, you can also write a short (or long) post explaining your opinion.
If we get enough votes for this petition, the admins might consider supporting the https protocol.
To ensure that everybody sees this, we want to get this on the portal. Please help us by either clicking this link or by clicking the "Tip us?" button in the right upper corner of this post.
It would also help to spread the word if you put a link to this thread into your signature.
Thanks for reading.

Announcements
4th March 2014: 1000 supporters.
2nd January 2014: bitpushr implemented https for the login form! Thanks to all supporters.
23rd December 2013: And again, doubled. 800 votes now.
1st November 2013: Another announcement by bitpushr: They "have gotten [their] CDN provider to add SSL." Moreover, he will "add this to the forums".
28th September 2013: Doubled, again. 400 now.
31st August 2013: We just hit the 200 voters mark. Thanks.
13th August 2013: We reached 100 supporters. Keep voting.
7th August 2013: bitpushr announced that the admin team is working on https. I want to say thank you to all who have voted yet. But remember, we don't have https yet. So continue to vote.
29th July 2013: This petition was created.
Code for the signature
Code:
[SIZE="5"][URL="http://forum.xda-developers.com/showthread.php?t=2383868"][COLOR="Blue"]Vote for a secure XDA: [/COLOR][Petition][Poll] We want Https on XDA![/URL][/SIZE]

Well, XDA folks, you have to take the poll seriously. In days where secret services all over the world spy on almost everything, the poll has two options, a secret service version as well as a normal version :angel:
But to be honest, we are not safe from those spies. Encryption can help much - not only against those spy experts, but also against the administrators in a network, e.g. in the company.
Currently, we have no secured connection like SSL/TLS secured HTTPS. Login data can be stolen, every communication is held open. We need a secure connection for the whole XDA website, including linked in scripts and images and not limited to the login sequence. This is state of the art even at Google or Facebook.

benkxda said:
Well, XDA folks, you have to take the poll seriously. In days where secret services all over the world spy on almost everything, the poll has two options, a secret service version as well as a normal version :angel:
But to be honest, we are not safe from those spies. Encryption can help much - not only against those spy experts, but also against the administrators in a network, e.g. in the company.
Currently, we have no secured connection like SSL/TLS secured HTTPS. Login data can be stolen, every communication is held open. We need a secure connection, which is state of the art at Google or Facebook.
All sites these days should be https. Also I want to add that it is important that https is not only added to the login itself but the entire site. To cut cost, lots of sites use http to https redirect for login only and then switch the user back to http. Problems with that are tools for cookie hijacking, session hijacking, and tools like sslstrip. The vote should be for SITE WIDE https.
Let's face facts, people. On XDA, we download things and flash to our phones, tablets or other devices. If our account is hijacked (which is so easy it's not funny) then someone else can replace our material with ones that have back doors/trojans and update the posted MD5. No one would know. Security is a concern for me at least.
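
The login-only HTTPS pattern described in the post above can be checked for from captured response headers. The following is an added example, not part of the original post or XDA's code: it audits a sequence of HTTP exchanges for session cookies without the Secure attribute, HTTPS-to-HTTP redirects, missing HSTS, and pages served in plaintext. The host forum.example, the cookie name and both sample captures are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Constructed captures: (request URL, status code, response headers).
# A site that protects only the login form and then drops back to http.
LOGIN_ONLY_HTTPS = [
    ("https://forum.example/login", 302, [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Location", "http://forum.example/index"),
    ]),
    ("http://forum.example/index", 200, [("Content-Type", "text/html")]),
]

# The same flow on a site that is https everywhere.
SITE_WIDE_HTTPS = [
    ("http://forum.example/index", 301, [
        ("Location", "https://forum.example/index"),
    ]),
    ("https://forum.example/login", 302, [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
        ("Location", "https://forum.example/index"),
    ]),
    ("https://forum.example/index", 200, [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ]),
]


def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in rest if p.strip()}
    return name, attrs


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, 0 if absent."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else 0
    return 0


def audit(exchanges):
    """Return a list of (finding, url, detail) tuples for the capture."""
    findings = []
    for url, status, headers in exchanges:
        scheme = urlsplit(url).scheme
        hdrs = [(k.lower(), v) for k, v in headers]
        location = next((v for k, v in hdrs if k == "location"), None)
        # Resolve relative redirects against the request URL.
        target = urlsplit(urljoin(url, location)).scheme if location else None

        # A cookie without Secure is also sent on plain-http requests,
        # where anyone on the network path can read it.
        for k, v in hdrs:
            if k == "set-cookie":
                name, attrs = cookie_attrs(v)
                if "secure" not in attrs:
                    findings.append(("cookie-without-secure", url, name))

        if scheme == "https":
            # HSTS only counts when delivered over https with max-age > 0.
            if not any(k == "strict-transport-security" and hsts_max_age(v) > 0
                       for k, v in hdrs):
                findings.append(("missing-hsts", url, None))
            if target == "http":
                findings.append(("downgrade-redirect", url, location))
        elif scheme == "http":
            # The only acceptable plain-http answer is a redirect to https.
            if not (300 <= status < 400 and target == "https"):
                findings.append(("served-over-http", url, None))
    return findings


if __name__ == "__main__":
    for label, capture in (("login-only", LOGIN_ONLY_HTTPS),
                           ("site-wide", SITE_WIDE_HTTPS)):
        print(label)
        for finding in audit(capture) or [("ok", "", None)]:
            print("  ", finding)
```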

calisro said:
All sites these days should be https. Also I want to add that it is important that https is not only added to the login itself but the entire site. To cut cost, lots of sites use http to https redirect for login only and then switch the user back to http. Problems with that are tools for cookie hijacking, session hijacking, and tools like sslstrip. The vote should be for SITE WIDE https.
Let's face facts, people. On XDA, we download things and flash to our phones, tablets or other devices. If our account is hijacked (which is so easy it's not funny) then someone else can replace our material with ones that have back doors/trojans and update the posted MD5. No one would know. Security is a concern for me at least.
True, only fully secured websites are really secured. Thanks for this hint, will edit my prior post.

calisro said:
All sites these days should be https. Also I want to add that it is important that https is not only added to the login itself but the entire site. To cut cost, lots of sites use http to https redirect for login only and then switch the user back to http. Problems with that are tools for cookie hijacking, session hijacking, and tools like sslstrip. The vote should be for SITE WIDE https.
Let's face facts, people. On XDA, we download things and flash to our phones, tablets or other devices. If our account is hijacked (which is so easy it's not funny) then someone else can replace our material with ones that have back doors/trojans and update the posted MD5. No one would know. Security is a concern for me at least.
Of course, it should be added to the entire site. However, I didn't even think about the downloading thing. That's definitely true and I'll add that.
Feel free to spread the word.
Thank you very much. :good:
benkxda said:
True, only fully secured websites are really secured. Thanks for this hint, will edit my prior post.
Posted at the same time. :laugh:

benkxda said:
True, only fully secured websites are really secured. Thanks for this hint, will edit my prior post.
Not fully correct.
NSA is getting also access to https secured connections.
http://www.dailytech.com/FBI+NSA+Wa...Keys+from+Internet+Companies/article32046.htm

Mardon said:
Not fully correct.
NSA is getting also access to https secured connections.
http://www.dailytech.com/FBI+NSA+Wa...Keys+from+Internet+Companies/article32046.htm
That's right, but our main concern should be the (bad) hackers. It is difficult to stop the NSA, you know.

Mardon said:
Not fully correct.
NSA is getting also access to https secured connections.
http://www.dailytech.com/FBI+NSA+Wa...Keys+from+Internet+Companies/article32046.htm
This must be verified first, but frankly I really believe, they try to get those master keys. But they would need a master key to get access. At least, an encryption keeps out most assailants.

nikwen said:
That's right, but our main concern should be the (bad) hackers. It is difficult to stop the NSA, you know.
Right, https is much better, I agree.
If NSA or FBI or who else gets the masterkeys there also exists a chance for others (hackers) to get the keys too.
I think the whole internet needs a new full encrypted security protocol in future where the keys are randomly changed and such things like masterkeys only working a few hours to minimize the hacking risks.
But that's off-topic, I think.

Mardon said:
Right, https is much better, I agree.
If NSA or FBI or who else gets the masterkeys there also exists a chance for others (hackers) to get the keys too.
I think the whole internet needs a new full encrypted security protocol in future where the keys are randomly changed and such things like masterkeys only working a few hours to minimize the hacking risks.
But that's off-topic, I think.
Oh yes, indeed I recently thought almost the same. And maybe we are a bit special picky, hope the "normal" users can keep up that indignation or sometimes outrage on these spy stuff. Also true, off topic.

Mardon said:
Right, https is much better, I agree.
If NSA or FBI or who else gets the masterkeys there also exists a chance for others (hackers) to get the keys too.
I think the whole internet needs a new full encrypted security protocol in future where the keys are randomly changed and such things like masterkeys only working a few hours to minimize the hacking risks.
But that's off-topic, I think.
You realize there isn't one set of master keys for all certificates, right? lol. Each certificate has a master key owned by the company owning the cert. If Facebook gives them their master keys, that doesn't mean they can snoop your XDA or bank account traffic.
OK, back on topic! I digress!

Mardon said:
Not fully correct.
NSA is getting also access to https secured connections.
http://www.dailytech.com/FBI+NSA+Wa...Keys+from+Internet+Companies/article32046.htm
Just saying, but on HTTPS stuff that we use, we use forward-secret HTTPS. Meaning the "private key" for the site is of no use for decrypting past connections. That's becoming more popular for larger sites these days, but I started looking into it a while ago, and it is ready to use now. Look for a key exchange method of DHE or ECDHE.
As such, the only value in obtaining such keys would be to spoof future connections. If someone is that determined to target YOU individually with spoofed or MITM'd connections, you should be worrying about other things (it would be fairly impractical to mount a widescale meaningful attack).
If you are concerned, you should look into the issues with the CA system who issue SSL keys - an SSL certificate can be signed by ANY of them, and there's a number of CAs who are somewhat sketchy in trust... Tl;dr if an active attacker wants a key for your site to spoof it, he can get it. It won't be the same one (cannot decrypt legit traffic), but can be used to impersonate the site.
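
To act on the advice above to look for DHE or ECDHE, the following added example (not from the original post or XDA's configuration) classifies cipher-suite names by key exchange and shows which suite a server picks when it applies its own preference order. The suite lists are constructed, and server-side preference ordering is an assumption about the server's configuration.

```python
import re

# TLS 1.3 suite names carry no key-exchange field; TLS 1.3 always uses
# ephemeral (EC)DHE, so every TLS 1.3 suite is forward secret.
TLS13_NAME = re.compile(r"^TLS_(AES|CHACHA20)_[A-Z0-9_]+$")
# OpenSSL-style names without a key-exchange prefix (e.g. AES128-SHA)
# use RSA key transport: the session key is encrypted to the site key.
BULK_PREFIXES = ("AES", "DES", "RC4", "CAMELLIA", "SEED", "IDEA", "NULL")
FORWARD_SECRET = {"ECDHE", "DHE", "TLS1.3"}

# Constructed server configurations, in server preference order.
SERVER_RSA_FIRST = ["AES128-SHA", "AES256-SHA",
                    "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA"]
SERVER_FS_FIRST = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA",
                   "AES128-SHA"]
# Constructed client offer.
CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DHE-RSA-AES256-SHA"]


def key_exchange(suite):
    """Classify a suite name (OpenSSL or IANA style) by key exchange."""
    name = suite.upper()
    if TLS13_NAME.match(name):
        return "TLS1.3"
    if "ANON" in name or name.startswith(("ADH", "AECDH")):
        return "anonymous"          # unauthenticated, never acceptable
    if name.startswith("TLS_"):
        name = name[4:]
    first = re.split(r"[-_]", name)[0]
    if first == "ECDHE":
        return "ECDHE"
    if first in ("DHE", "EDH"):     # EDH is the older OpenSSL spelling
        return "DHE"
    if first in ("ECDH", "DH"):     # fixed (EC)DH keys: not forward secret
        return "static-" + first
    if first == "RSA" or first.startswith(BULK_PREFIXES):
        return "RSA"
    return "unknown"


def negotiate(server_suites, client_suites, server_preference=True):
    """Return the suite both sides support that ranks first for the chooser."""
    chooser, other = ((server_suites, client_suites) if server_preference
                      else (client_suites, server_suites))
    offered = set(other)
    return next((s for s in chooser if s in offered), None)


def assess(server_suites, client_suites):
    """Return (negotiated suite, key exchange, forward secret?)."""
    suite = negotiate(server_suites, client_suites)
    if suite is None:
        return (None, None, False)
    kx = key_exchange(suite)
    return (suite, kx, kx in FORWARD_SECRET)


if __name__ == "__main__":
    # Supporting ECDHE is not enough if RSA suites are preferred first.
    print(assess(SERVER_RSA_FIRST, CLIENT))
    print(assess(SERVER_FS_FIRST, CLIENT))
```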

pulser_g2 said:
Just saying, but on HTTPS stuff that we use, we use forward-secret HTTPS. Meaning the "private key" for the site is of no use for decrypting past connections. That's becoming more popular for larger sites these days, but I started looking into it a while ago, and it is ready to use now. Look for a key exchange method of DHE or ECDHE.
As such, the only value in obtaining such keys would be to spoof future connections. If someone is that determined to target YOU individually with spoofed or MITM'd connections, you should be worrying about other things (it would be fairly impractical to mount a widescale meaningful attack).
If you are concerned, you should look into the issues with the CA system who issue SSL keys - an SSL certificate can be signed by ANY of them, and there's a number of CAs who are somewhat sketchy in trust... Tl;dr if an active attacker wants a key for your site to spoof it, he can get it. It won't be the same one (cannot decrypt legit traffic), but can be used to impersonate the site.
Thanks for the info. I didn't know that.

Not a techie nor from a part of the world affected by PRISM (?) but still having read all this I'm inclined to say I second this motion.

nikufellow said:
Not a techie nor from a part of the world affected by PRISM (?) but still having read all this I'm inclined to say I second this motion.
Great.
Are you sure that you are not affected? Everyone is, some more, some less.
(http://upload.wikimedia.org/wikipedia/commons/5/5c/Boundless-heatmap-large-001.jpg)

We've reached over 50 votes.

nikwen said:
We've reached over 50 votes.
Nice. So, some people know about HTTPS and encryption and prefer that. Not only because of the secret services of the "Five Eyes", but also to protect me from curious network administrators. There are surely more on XDA, who want to support this necessary petition.
EDIT: Oh, please don't misunderstand, I did not want to protect the secret services from other countries, as they might be not better in privacy protection, e.g. the German secret service called "BND" seems to be the sixth eye. Again, I did not want to say only those five do bad things.

As lots of users don't know / care about encryption, a secured https connection with XDA might sensibilize at least some.
So, I support your request.

rog_star said:
As lots of users don't know / care about encryption, a secured https connection with XDA might sensibilize at least some.
So, I support your request.
Yeah, I hope so.
Thanks for voting.

Related

WP7 offers no Copy & Paste? Look again

Bing.
That is the answer. Bing.
Download the Bing app and install it on your WM6 phone.
I like what I see. Keep it up M$ - WP7 team - You rock!.
MS has already announced number and email and web address detection in WP7. And it already exists in WM6.x
So what's your point? Bing is not new, nor is that feature.
The feature I would like to see most from Bing is Voice control for the entire WP7 OS.
What I am saying is that it does "copy" and "paste", apart from picking up the address and Phone number for US(at least). It does not copy and paste at pixel level. That is all.
What in the world are you trying to say?
Great example of why you actually need copy/paste, thanks. What should I do if I want to email the address?
vangrieg said:
Great example of why you actually need copy/paste, thanks. What should I do if I want to email the address?
Just click on the underlined email address and you'll go to the email app with the address already filled in.
What is copy & paste at the pixel level?
I don't see the underlined email address on the screenshots, sorry.
I've had enough frustrations with OneNote Mobile not having Copy/Paste. Now a modern phone not having it is just ridiculous. I use this function all the time - if not every day then every week for sure. Everyone, including Microsoft, seems to have forgotten about note-taking. So they have OneNote without Copy/Paste and Word Mobile without it either? What?! Hello!
vangrieg said:
I don't see the underlined email address on the screenshots, sorry.
The screenshots are Bing for WM6.x not for WP7. Supposedly this functionality is more advanced in WP7. My guess is that the address would be detected by the OS and options would be available to you to act on that address. Don't know for sure, but that's how it was explained by MS.
In WM, if someone SMS'es a phone number to you, it is detected and you can perform actions on it such as calling the number. That is far more convenient than C&P that number then loading the phone dialer and pasting the number in there.
Only in Office-type apps do I see a need for copy and paste. I believe they said C&P is implemented within those apps.
WhyBe said:
The screenshots are Bing for WM6.x not for WP7. Supposedly this functionality is more advanced in WP7. My guess is that the address would be detected by the OS and options would be available to you to act on that address. Don't know for sure, but that's how it was explained by MS.
It may be more advanced than WM6 but it'll never work well. There are just too many ways to write addresses - what if I send you an email in response to a question about where we should meet, and I'll reply - "coffee place on corner of main and franklin"? And the meeting is going to happen, say, a month from now? How are you going to save this address from my email? Will your smartlinking recognize it? No freakin' way. Don't delude yourself by repeating these mantras.
vangrieg said:
It may be more advanced than WM6 but it'll never work well. There are just too many ways to write addresses - what if I send you an email in response to a question about where we should meet, and I'll reply - "coffee place on corner of main and franklin"? And the meeting is going to happen, say, a month from now? How are you going to save this address from my email? Will your smartlinking recognize it? No freakin' way. Don't delude yourself by repeating these mantras.
Well, that's a good one, but who's to say you can't attach an email to a calendar item or contact? Personally, I would like to be able to do something like that over C&P.
I'm not making excuses for no C&P, but there are more than one way of doing things.
WhyBe said:
Well, that's a good one, but who's to say you can't attach an email to a calendar item or contact? Personally, I would like to be able to do something like that over C&P.
Look, it's not like I prefer C&P to "smart" stuff. Of course smart stuff is better. The problem is that it's impossible to do in a way that'll cover all scenarios. I can come up with examples forever (like, what if there's a typo in the URL, like users here sometimes post deliberately, because they aren't allowed to post links - what the heck are you going to do with that?). And sometimes that could be a real pain in the neck. Like I encountered once with a pre-3.0 iPhone - an email contained a link with directions, and there was no way to click it, and no C&P to the rescue. Sure I didn't die as a result, but I wasted 3 hours looking for the damned place in the middle of nowhere. For every example you can probably come up with a solution, but there will be another example that'll require another solution etc. That is the whole point of C&P - you can make those 80% core use cases easy with smart stuff, but then you add something trivial and easy like C&P and that'll take care of everything else! It's just not an "either... or" situation, and that's why Microsoft's excuses are just lame.
I have to agree with you, but if MS were under a time constraint and had to choose between smart linking and C&P, I'm glad smart linking came first. C&P will show up in due time. In the meantime, you can go to the school supply section at Walmart and buy a copy and paste toolkit (pencil and paper)
Walmart announced like 5 times that they're entering Russia, but never got the nerve to actually go ahead and do it.
Anyway, congrats on getting to the WP7's target audience. Guess you're not using Outlook Tasks either, huh?
Wish I could be there as well, because I love many aspects of this new OS, and I'm rather optimistic about the prospects of getting access to some serious native APIs in WinCE via jailbreaking, which hopefully will be done via lowering the privilege thresholds rather than having to do a privilege escalation hack (which will open the door to pirating apps and therefore will be chased by Microsoft's updates).
vangrieg said:
Anyway, congrats on getting to the WP7's target audience. Guess you're not using Outlook Tasks either, huh?
Tasks really isn't useful enough for me. Too much data entry to achieve nothing. Maybe if it were tied in with the phone dialer, calendar, contacts, GPS awareness, etc, I would actually use it.
Thought so.
Tasks are reminders essentially, they're more of an alarm thing than a calendar thing, if you look at just phone use. They are a very different thing when you use them on a corporate Exchange server, where you can assign them to somebody, track progress, get reports etc.
^^^ Yeah, I've never been able to put it to good use in my daily life.
vangrieg said:
It may be more advanced than WM6 but it'll never work well. There are just too many ways to write addresses - what if I send you an email in response to a question about where we should meet, and I'll reply - "coffee place on corner of main and franklin"? And the meeting is going to happen, say, a month from now? How are you going to save this address from my email? Will your smartlinking recognize it? No freakin' way. Don't delude yourself by repeating these mantras.
Why not? Isn't that what progress is all about?
There was a time when professionals/geeks could not understand how an OS could work without command line instructions. But now we have it. None of the smartphones have command line instructions.
There are still folks (apparently of European descent) who cannot believe that an automatic transmission can work in 95% of scenarios as good as a manual. How wrong they are.
chiks19018 said:
There are still folks (apparently of European descent) who cannot believe that an automatic transmission can work in 95% of scenarios as good as a manual. How wrong they are.
It's not the 95% that's the problem. It's the other 5%.
Shasarak said:
It's not the 95% that's the problem. It's the other 5%.
Rule#1
Never develop a program based upon exceptions. That is poor decision making.
Program to take care of the 95% (the meat) of the requirements. And do it perfect.
Eg. Folks who buy a minivan based upon the 5% chance that they will need to haul 9 people for about 15 times a year. Crazy.
Same for people who buy a Truck so that they can haul a Christmas tree once a year.

What's Still Missing from Windows Phone 7

Source: pocketnow.com
As Chuong reported earlier today, a handful of tech reviewers have gotten to spend a couple of weeks with a Windows Phone 7 prototype device made by Samsung called the Taylor. Overall the sentiment towards Windows Phone 7 is positive: reviewers agree that the operating system is generally well thought out, that it performs very well (with nearly no lag when jumping around the operating system), and that it has the potential to be a true contender in the mobile platform space.
After digging through several of these reviews, it's clear that there are a handful of features still missing from Windows Phone 7, some of which will be addressed by the time the platform launches this fall, but many of which will not. Here's a list:
- No Twitter integration
- No copy and paste
- No third-party multitasking
- No Flash, Silverlight, or HTML5 support in the browser
- No dedicated YouTube application
- No robust document editing capabilities in Office
- No way to stop Facebook contacts from mixing with global contacts
- No global email inbox
- No threaded email
- No organization of the full program list (it's alphabetical)
- No way of knowing if a long press is available
- No universal search
Some of these aren't too big of a deal and are very specific to use case scenarios that not everyone will experience (like adding multiple email accounts to a phone, etc). But some of the big ones like the lack of multitasking and Twitter integration could provide a reason for potential buyers to go with another smartphone platform.
ATHiEST said:
- No way to stop Facebook contacts from mixing with global contacts
You can do it relatively easily if you don't use Facebook directly but via Live, I think.
My 2 cents:
- No Twitter integration
Stupid when Facebook is there
- No copy and paste
Discussed so many times yet still unbelievable.
- No third-party multitasking
May be in the future?
- No Flash, Silverlight, or HTML5 support in the browser
Very bad indeed.
- No dedicated YouTube application
Will be I believe.
- No robust document editing capabilities in Office
Crazy.
- No way to stop Facebook contacts from mixing with global contacts
That will be a really annoying thing. What if I DON'T have Facebook??!!
- No global email inbox
??
- No threaded email
I don't care.
- No organization of the full program list (it's alphabetical)
Again a stupid, strange step BACKWARDS
- No way of knowing if a long press is available
Hmmm....
- No universal search
Awesome :-(
To sum it up, well....
I have to touch it of course.
But comparing this to WM 6.5 I see the main change will be interface itself.
Regarding functionality - so many things missing as hell.
yup, W7 is looking like a bag of sh*t
ATHiEST said:
- No Twitter integration
There's already several Twitter apps for WP7 - The notification system allows seamless integration.
ATHiEST said:
- No copy and paste
Read the 2000 other threads on this -- c&p is pointless, and not needed. I'm tired of repeating the arguments in every bloody thread.
ATHiEST said:
- No third-party multitasking
Same as above.
ATHiEST said:
- No Flash, Silverlight, or HTML5 support in the browser
Wrong. No HTML5 support, mainly because it's still a draft.
ATHiEST said:
- No dedicated YouTube application
Write one, or let Google do that. I don't think Google would like Microsoft to write one for sure.
ATHiEST said:
- No robust document editing capabilities in Office
Invalid. Better Office integration than any other phone on the market.
ATHiEST said:
- No way to stop Facebook contacts from mixing with global contacts
Invalid, as there's no public phones out, you can't know this, thus it's a lie.
ATHiEST said:
- No global email inbox
Wrong
ATHiEST said:
- No threaded email
The email application ain't done yet, where's your proof?
ATHiEST said:
- No organization of the full program list (it's alphabetical)
Use the search-button
ATHiEST said:
- No way of knowing if a long press is available
Neither is on any other phone in the world.
ATHiEST said:
- No universal search
Uniform search-api and search-button support for all applications. Universal makes little sense.
ATHiEST said:
Some of these aren't too big of a deal and are very specific to use case scenarios that not everyone will experience (like adding multiple email accounts to a phone, etc). But some of the big ones like the lack of multitasking and Twitter integration could provide a reason for potential buyers to go with another smartphone platform.
Multitasking is the LEAST important problem. When do you fools start realizing this?
And again, Twitter is just yet-another-application. Android and iPhone don't have Twitter support either, there's just 20 different Twitter apps for each platform.
@Windcape
As well as you have great valid points,
I must say that this of your sentence:
"c&p is pointless, and not needed. I'm tired of repeating the arguments in every bloody thread."
Where did you get that?!
It's a CRUCIAL feature on any device.
Maybe you're this person who don't use it, maybe you never do
any serious stuff on your device, but why do you spread here such a false and pointless information?! It's the same as you'd say that a phone doesn't need a speaker.
It's the basic function, present on any mobile OS since 2000,
and also supported even by those who wanted to omit it and tell people they know better.
It's a BASIC function with any txt work, whether it's office, mail.
Man, how hard is it to get it? Or what false logic brought you to this senseless conclusion?
I hope you'll never be responsible for any serious development with such false statements.
No, it's not a crucial feature. The navigation-handlers allows for much better transitions than using c&p.
A smartphone is not a PC -- People use it differently, and copy&paste doesn't make sense. A lot of you might think it's easy to implement for text, and partially is (WP7 only supports Unicode, there's your first challenge), but for random objects (images, binary, etc.) it's a completely other story.
Instead of just repeating yet another "omg no copy&paste", then perhaps read some of the lengthy discussions about the subject, instead of believing in it in blind faith.
I would ask the relevant user groups, and have their reaction. Nerds who think they need c&p, but actually never use it, are not a relevant user group. Ask people who got a iPhone or Android if they uses copy&paste often, or if they missed it on previous versions of the iPhone. They'll probably say no.
Hell, where I need it most is in my browser, and Android's default browser have such terrible support, that it doesn't work anyway. I'd rather have a navigation-handler auto-converting emails to click-to-open-email-application links.
This argument is getting tiresome. Can we move on to something else? Like complaining about lack of socket APIs and SL4 support?
Windcape - some of those are legit. There is no way to downselect your FB friends, no threaded email, and no unified/global email inbox. See the many reviews for evidence. While it's not quite done, it's pretty darn close. They have to give the OEMs lead time in order to be able to manufacture devices with the RTM code on it.
But to the OP et al, see this post on WMPowerUsers which echoes my sentiments very closely. Basically, calm down... take a deep breath.
Windcape said:
No, it's not a crucial feature. The navigation-handlers allows for much better transitions than using c&p.
A smartphone is not a PC -- People use it differently, and copy&paste doesn't make sense. A lot of you might think it's easy to implement for text, and partially is (WP7 only supports Unicode, there's your first challenge), but for random objects (images, binary, etc.) it's a completely other story.
Instead of just repeating yet another "omg no copy&paste", then perhaps read some of the lengthy discussions about the subject, instead of believing in it in blind faith.
I would ask the relevant user groups, and have their reaction. Nerds who think they need c&p, but actually never use it, are not a relevant user group. Ask people who got a iPhone or Android if they uses copy&paste often, or if they missed it on previous versions of the iPhone. They'll probably say no.
Hell, where I need it most is in my browser, and Android's default browser have such terrible support, that it doesn't work anyway. I'd rather have a navigation-handler auto-converting emails to click-to-open-email-application links.
This argument is getting tiresome. Can we move on to something else? Like complaining about lack of socket APIs and SL4 support?
Listen, are you reading with comprehension?!
Who gave you the right to call me nerd huh?
I think you're rather nerd who doesn't really speak on the topic.
Don't tell me or anybody else how we actually use our devices!
How do you know? Have we met?
You're incompetent troll, like somebody else stated in other thread.
Maybe go to other forums instead of telling complete lies here.
Also your sentence:
"I'd rather have a navigation-handler auto-converting emails to click-to-open-email-application links."
Has NOTHING to do with work on txt!
Please move away from here with your "maybe" and "probably".
If it's actually based on hands-on reviews, then I'll agree it might be considered a problem.
The thing is, half of the articles out there complaining about the phone, is basing it off data from February/March, or unlocked emulators -- both I consider highly invalid.
And I'm calm, I'm just annoyed we got 50 threads with focus on multitasking and c&p, which is the most irrelevant problems there is from a developer perspective.
I find it much bigger issues that the phone only support Unicode, don't have socket APIs yet (because it runs SL2/SL3, and not SL4). And a few other things here and there which is vital to application development.
People keep nitpicking about the least important issues, which sadly removes focus from the important problems.
doministry said:
Listen, are you reading with comprehension?!
Who gave you the right to call me nerd huh?
We're posting on a forum for mobile hackers, that means we're nerds
doministry said:
Don't tell me or anybody else how we actually use our devices! How do you know? Have we met?
It's more likely that technical interested people focus on more technical features.
Most people who buy a iPhone 4 don't buy it because it can do copy&paste, but because it looks awesome, and have a fantastic screen (Retina Display).
doministry said:
"I'd rather have a navigation-handler auto-converting emails to click-to-open-email-application links."
Has NOTHING to do with work on txt!
It have everything to do with regular phone use. Copying links, email addresses and phone numbers.
The phone isn't meant to be a Blackberry replacement, or a notepad replacement for editing Excel spreadsheets on the run.
One last thing:
You can implement copy&paste internally in your application. It's just c&p data between applications that's not supported.
I guess that helps a lot for your office/spreadsheeting edition, no?
ATHiEST said:
- No Twitter integration
- No copy and paste
- No third-party multitasking
- No Flash, Silverlight, or HTML5 support in the browser
- No dedicated YouTube application
- No robust document editing capabilities in Office
- No way to stop Facebook contacts from mixing with global contacts
- No global email inbox
- No threaded email
- No organization of the full program list (it's alphabetical)
- No way of knowing if a long press is available
- No universal search
- Twitter will be back working with Windows Live soon. Twitter changed their APIs a month or two ago, and Microsoft need to update things to make it work again.
- Copy and Paste is coming in a future update
- Multitasking is also planned to be out in a future update
- Flash is coming in a few months after launch, Silverlight we don't know about
- We may see a YouTube app come from Google after launch, if not flash will work in the browser so that's all good
- As a start, the Office tools on Windows Phone 7 are good for basic editing, and collaboration. More features may come, but I do question if you need much more really, with such a small screen.
- We know when adding a Google account, you can choose to add all or only some of these options: Contacts, Calendar, Email. It is possible facebook integration can be done in the same way, but I don't use facebook, so I am not too fussed. However thanks to the Quick Jump List controls, you can click the letter in the blue box, and choose a letter to find your contact. Or even press the search button to find a contact.
- I actually prefer the idea of having a separation between my Live Mail and Outlook Email inboxes, and is a great way to maintain your work life balance if you are using the Phone for work, and personal uses. You do have a combined calendar, which does make sense, because you only have one schedule at a time
- Threaded mail, or conversation view, will be coming, you should know this as Outlook and Hotmail now support it.
- This one I agree with, I would like a button appear below the arrow on the left, to switch to flat list, category, favourites, or alphabetical sorting, using the Quick Jump Lists.
- Well, this is a trial and error thing, you don't get told when you have a right click menu available, there is no indicator, you just expect it and find it for yourself.
- If the Hub/App doesn't have internal search, the search button will pull up bing. In future dev tools, they will provide an API to override the search button as you can the back button presently. Patience, my friend, Patience!
Windcape said:
c&p is pointless, and not needed. I'm tired of repeating the arguments in every bloody thread.
Windcape said:
Write one, or let Google do that. I don't think Google would like Microsoft to write one for sure.
Actually, these two statements contradict each other somewhat. By far the two most often reasons for me to watch a video on Youtube are a) watching embedded videos on web sites and b) getting a link in an email. Now, pray tell, how am I going to watch those videos in a third party application in a sandboxed environment without a way to open a URL directly in this application or without an ability to copy and paste this URL there? Let's say on many web sites I can search for the video if it's properly named, but what about this link in an email? Am I supposed to memorize it and type into the app? Or maybe write it down on a piece of paper?
I would certainly prefer it if links to videos opened directly in this Youtube app (or better yet, a standalone flash/video/html5/whatever player), that would be a "smartlinking" scenario that I would prefer to c&p. But that's not available either. C&P may be a kludge, but in the less than perfect world we live in those are often needed.
Windcape said:
And again, Twitter is just yet-another-application. Android and iPhone don't have Twitter support either, there's just 20 different Twitter apps for each platform.
Now let's be consistent please. If we like the way data from multiple sources is integrated in WP7, a Twitter app isn't a perfect solution.
Twitter will be there though. It will be supported in Windows Live or separately. It's missing temporarily in the current version as Twitter changed their API or something like that.
@Windcape
Are you a tard??
a) I didn't write the review so stop quoting me as if I wrote the list and then trying to contradict me.
b) Don't need copy and paste? Are you on crack? You must be because I can see an endless list of reasons why it's a MUST!
c) The review is NOT from an emulator, it's a HANDS ON review of a prototype phone!
Also people remember this isn't a list of what will NOT be in WP7, it's basically a round up of features currently still not in WP7, OBVIOUSLY it's not finished and will have more to come.
Either way I still think the OS looks like sh*t, But the flashaholic in me will still end up flashing it to my HD2 when/if its ported.
a) It's easier to quote you to respond to the points. Why is that a problem? Wasn't the whole point with quoting the important points of the article to turn them into a discussion?
b) No, and there's little reason to be rude.
c) O'rly
vangrieg said:
Now, pray tell, how am I going to watch those videos in a third party application in a sandboxed environment without a way to open a URL directly in this application
A 3rd party application will be able to register a navigation handler so you can open youtube links in a youtube application if necessary. Just like Skype plugin for PC browsers today.
vangrieg said:
but what about this link in an email? Am I supposed to memorize it and type into the app?
Navigation handlers will also apply to emails.
Basically you'll just have to click it. Much easier than copy, change application, paste, and activate it.
vangrieg said:
that would be a "smartlinking" scenario that I would prefer to c&p. But that's not available either.
Yes it is? That's how it's intended to be, and why Microsoft don't consider c&p a priority atm.
vangrieg said:
Now let's be consistent please. If we like the way data from multiple sources is integrated in WP7, a Twitter app isn't a perfect solution.
Twitter will be there though. It will be supported in Windows Live or separately. It's missing temporarily in the current version as Twitter changed their API or something like that.
Well, on the "other" mobile platforms Twitter is just yet-another-application. If Microsoft integrates it in Windows Live, it's just better than the others.
It's not a loss either way.
Windcape said:
A 3rd party application will be able to register a navigation handler so you can open youtube links in a youtube application if necessary. Just like Skype plugin for PC browsers today.
That would solve the problem indeed, but could you provide a source for this information? This is the first time I hear about a way for a third party application to meddle with IE/mail client behavior in WP7, and when I asked Brandon Watson he said nothing like that would be possible.
Dude, there is an edit button, no need to keep double posting. Oh and YES "rly", read the topic.
btw, what about copy and pasting files?, or even blocks of txt's like in a document or web page for example or am I missing something here, that seems a pretty simple but integral part of windows to me, ffs this isn't apple it's windows.
Applications have access to the internet, and files on the internet, it just cannot run in the background or access local files outside of its own local isolated storage. (unless there is a task, launcher, or chooser available to apps)
Native Twitter feeds will be coming soon, Windows Live had it until Twitter changed some APIs, and it will be brought back.
Microsoft have not said Copy & Paste is not a priority, only that in order to get the phone out in time for an Autumn/Winter release, and that it will be coming soon.

Windows Phone 7 DRM for Apps Cracked with Proof of Concept Program [Video]!

Security is an important aspect of anything that gets used by anyone, at any given moment around the world. For developers of applications that get purchased through a digital storefront, like Microsoft’s Windows Phone 7 Marketplace, making sure that it’s not easy, next to impossible in fact, to steal apps and put them on a device free-of-charge is just as important. But, as WPCentral reports, it looks like the Digital Rights Management (DRM) security tools set in place by Microsoft have been cracked!
Fortunately, though, the program that is being used to do so is not known to the general public. In point of fact, the “white hat” developer that created it is just showing it as a proof of concept. If the program were to make it out into the world, then it would be possible for some people out there to strip the DRM from applications available in the Windows Phone 7 Marketplace, and then download them for free.
As of the time of this writing, Microsoft hasn’t made an official comment regarding the security hole. WPCentral has been in contact with Brandon Watson from Microsoft, but so far they have not heard back from him. The video demonstrating the proof of concept program making short work of DRM for the Windows Phone 7 applications can be viewed below.
www.youtube.com/watch?v=flqB9WCkGiQ
The depressing thing is it's so disturbingly easy. I stumbled on it getting HTC Apps to work on my Samsung, and it's far too easy. I think it'll probably be a matter of time before piracy becomes public on WP7, so to speak.
And for any doubters as to whether it is genuine (seen a few in my travels) - It works. A paid-for, commercial application running in the Windows Phone 7 emulator, after being deployed from a cracked XAP.
Still, it's good to see that WP7 seems to attract the sort of user that isn't a rabid pirate. Despite the ground being laid for some time, and despite people having independently developed methods of piracy, No-one has yet put such information into the public domain, seeking a way of solving the problems, rather than exploiting them.
Microsoft have made an official comment, by email to every developer, on the 16th November, titled "Windows Phone 7 App Protection". It included a white paper on the topic which pretty much said it was easy to steal apps but was a limited risk because of a developer unlocked phone is needed, a limit to how many side loaded apps, basically a couple of steps which would turn off the casual pirate.
I suppose what's new here is a simple one click tool that exploits MS's oversight in this statement: "all signed applications on an unlocked phone still require a license acquired through Marketplace to run". Basically they didn't realise that if you strip the signature, no license is required.
Another thing is they shouldn't have made paid apps on unsecured URLs, they should have put more effort into a secure download system like Apple or pretty much anyone else has.
I guess the main problem, that was a fatal flaw in the design of the platform, is they don't allow native apps only .NET apps, which means almost every single app available can easily be decompiled back to source form. It's a much bigger problem if other developers can steal your code than a few users stealing your app. It's for this reason WP7 can't be taken seriously as a development platform. Oh also it means 3rd party apps launch too slow compared to the built in ones, 1 minute to launch Tetris what a joke.
If you could somehow exclude the paid apps from this "FreeMarketplace" it would be really helpful for people who live in countries where the marketplace isn't as good content wise as in the usa.
That way everyone could download those free apps without the region problems.
These are just my thoughts on this. I'm not a developer or anything so I don't really know if this is actually possible without hurting the developers in any way.
indiekiduk said:
Microsoft have made an official comment, by email to every developer, on the 16th November, titled "Windows Phone 7 App Protection". It included a white paper on the topic which pretty much said it was easy to steal apps but was a limited risk because of a developer unlocked phone is needed, a limit to how many side loaded apps, basically a couple of steps which would turn off the casual pirate.
I suppose what's new here is a simple one click tool that exploits MS's oversight in this statement: "all signed applications on an unlocked phone still require a license acquired through Marketplace to run". Basically they didn't realise that if you strip the signature, no license is required.
Another thing is they shouldn't have made paid apps on unsecured URLs, they should have put more effort into a secure download system like Apple or pretty much anyone else has.
I guess the main problem, that was a fatal flaw in the design of the platform, is they don't allow native apps only .NET apps, which means almost every single app available can easily be decompiled back to source form. It's a much bigger problem if other developers can steal your code than a few users stealing your app. It's for this reason WP7 can't be taken seriously as a development platform. Oh also it means 3rd party apps launch too slow compared to the built in ones, 1 minute to launch Tetris what a joke.
You still need a dev unlocked device to sideload the cracked apps. Chevron7 doesn't really do the job as the phone relocks itself every week? which gets a bit annoying and might put people off, and also delete all the sideloaded apps with it. Imagine that, all your save games, app settings and history being reset every week.
Unless someone improves on Chevron7 I don't think piracy is much of a danger.
thats a great revolution, wp is now jailbreaked )) have funnn
digger1985 said:
You still need a dev unlocked device to sideload the cracked apps. Chevron7 doesn't really do the job as the phone relocks itself every week? which gets a bit annoying and might put people off, and also delete all the sideloaded apps with it. Imagine that, all your save games, app settings and history being reset every week.
Unless someone improves on Chevron7 I don't think piracy is much of a danger.
If it relocks, it doesn't delete any sideloaded apps, it just prompts you to uninstall when you attempt to run them (though you can escape from the prompt of course). Also, you can avoid it relocking by putting the phone in Flight Mode before syncing.
hounsell said:
I stumbled on it getting HTC Apps to work on my Samsung, and it's far too easy.
THAT is very useful. Sharing HTC, LG and Samsung oem apps across platforms should be allowed.
hounsell said:
If it relocks, it doesn't delete any sideloaded apps, it just prompts you to uninstall when you attempt to run them (though you can escape from the prompt of course). Also, you can avoid it relocking by putting the phone in Flight Mode before syncing.
Any chance of sharing the (Free) HTC Youtube app? That's the only I desire desperately.
This "proof of concept" shows only one thing (according to youtube video) - guys intercepted search requests from Zune, parse the response and make a simple app to duplicate Zune's functionality. Anyone who can spend 30 minutes to WireShark and couple hours for coding can do the same app (actually, I've already posted direct URLs to the marketplace apps on this forum).
As far as I understand, that's it, nothing more. No DRM crack, no "apps cracked", no "security hole" - just nothing!
As for .NET apps vulnerability: does anybody here have an experience to disassemble and compile back a really complicated and large application, obfuscated by the latest commercial version of Dotfuscator (actually, the wp7 devs can obtain it for free until March 2011)? I've tried once (of course I'm not a "some hat - white or black, just a pro developer)... Results are negative. In theory it's possible but... We saw a lot (no, A LOT!) of commercial native apps for win32, mac etc. successfully cracked and hacked. Just visit any pirate tracker for proof. So, it's not a "big .NET problem".
digger1985 said:
Any chance of sharing the (Free) HTC Youtube app? That's the only I desire desperately.
Without real hack (hacking license verification etc.) it's not possible. Simple downloader described here as "WP7 ultimate crack" can't help. If you want you may search my posts here, I've already posted direct link to HTC's youtube xap...
I think it's real.
Another guy also did the same
http://forums.create.msdn.com/forums/t/70704.aspx
He cracked an app on request and loaded into the emulator.
sensboston said:
Without real hack (hacking license verification etc.) it's not possible. Simple downloader described here as "WP7 ultimate crack" can't help. If you want you may search my posts here, I've already posted direct link to HTC's youtube xap...
I believe Hounsell managed to run the HTC stocks app on a Samsung
http://www.neowin.net/news/htc-wp7-app-ported-to-other-wp7-hardware
digger1985 said:
I think it's real
Real what? Read my post above... If someone "hacked" non-obfuscated small application by removing or blocking IsTrial() requests, it's not a real hack.
Ask this guy to "hack" NeedForSpeed Undercover ;-)
sensboston said:
As for .NET apps vulnerability: does anybody here have an experience to disassemble and compile back a really complicated and large application, obfuscated by the latest commercial version of Dotfuscator (actually, the wp7 devs can obtain it for free until March 2011)? I've tried once (of course I'm not a "some hat - white or black, just a pro developer)... Results are negative. In theory it's possible but... We saw a lot (no, A LOT!) of commercial native apps for win32, mac etc. successfully cracked and hacked. Just visit any pirate tracker for proof. So, it's not a "big .NET problem".
You didn't see any source code for commercial native apps because there are no automatic tools that do it, but you can see source code for all WP7 apps, using a free utility called Reflector. You choose the app, and it generates a visual studio project containing the code, simple as that.
In my experience developers don't readily use .NET obfuscators because they generally introduce instability which leads to increased development time.
indiekiduk said:
You didn't see any source code for commercial native apps because there are no automatic tools that do it, but you can see source code for all WP7 apps, using a free utility called Reflector.
Huh? HexRays has an ARM decompiler which can produce readable C. It is possible to get back to similar to the source equivalent (with a lot of manual tweaking). If MS used a strong packer on the native code then it would make reversing it much harder/time consuming. At the end of the day it still needs to execute.
I've used .NET Reflector for years (and I do have another one, for Java/.NET written by my friend - sorry, can't announce it here).
My question is: have you ever tried to disassemble and re-assemble big, obfuscated application? Or you just theorizing? I did, and it's very complicated/not possible (at least by using Reflector tool only). This method is good for small non-obfuscated application only.
For the topic: here is my "proof of concept"
- use this url to browse Zune market for apps:
http://catalog.zune.net/v3.2/en-US/apps?q=Ebook Reader&clientType=WinMobile 7.0&store=zest
replace Ebook%20Reader to any your search term, don't exactly know about "store" field and en-US. You'll get an XML in response with found apps info.
To get an app full download url, I believe, you'll need some additional requests but I don't have time (and interest!) now to play with Wireshark and track Zune's and WP marketplace requests...
sensboston said:
This "proof of concept" shows only one thing (according to youtube video) - guys intercepted search requests from Zune, parse the response and make a simple app to duplicate Zune's functionality. Anyone who can spend 30 minutes to WireShark and couple hours for coding can do the same app (actually, I've already posted direct URLs to the marketplace apps on this forum)
As for .NET apps vulnerability: does anybody here have an experience to disassemble and compile back a really complicated and large application, obfuscated by the latest commercial version of Dotfuscator (actually, the wp7 devs can obtain it for free until March 2011)? I've tried once (of course I'm not a "some hat - white or black, just a pro developer)... Results are negative.
Really? You should be able to decompile it and recompile it with Reflector though, right? Even if the actual meaning of the code is hard to deduce after that point.....The CIL is stack-based, so you should be able to break it up into functions if nothing else.....
sensboston said:
This "proof of concept" shows only one thing (according to youtube video) - guys intercepted search requests from Zune, parse the response and make a simple app to duplicate Zune's functionality. Anyone who can spend 30 minutes to WireShark and couple hours for coding can do the same app (actually, I've already posted direct URLs to the marketplace apps on this forum)
Ya, this guy is lame. Let's ignore him and get back to work getting real stuff done.
n0psl3d said:
It is possible to get back to similar to the source equivalent (with a lot of manual tweaking) ... At the end of the day it still needs to execute.
This ^^
Reflector is great, but it's not a one-stop-recompile-shop. It still takes a massive amount of restructuring to get even an un-obfuscated application back together.
Also, WP7 business logic is almost always in the cloud. For 90% of applications, XAPs are basically just UIs - especially with the intense restrictions imposed on development right now.
digger1985 said:
Any chance of sharing the (Free) HTC Youtube app? That's the only I desire desperately.
I've got it running, but it doesn't function at the moment because HTC decided to use their own native functions tied to their driver, rather than the inbuilt .NET classes. All the network requests the app makes fails. Thinking of possible ways round this, but it would probably end up being so much work, it might just be quicker to create a clone.
Blade0rz said:
This ^^
Reflector is great, but it's not a one-stop-recompile-shop. It still takes a massive amount of restructuring to get even an un-obfuscated application back together.
Also, WP7 business logic is almost always in the cloud. For 90% of applications, XAPs are basically just UIs - especially with the intense restrictions imposed on development right now.
This. Reverse-engineering, and even modifying an existing app is one thing in Reflector, but copy/pasting code will never work in large quantities, it's just not that accurate in my experience. So sure, your tips and tricks might not be safe, but your app as a whole isn't going to be just duplicated and reuploaded to the marketplace.
Of course, "cracked" for piracy is a whole other matter.

heartbleed bug

xda-developers.com is listed as one of the sites affected by the heartbleed bug, but testing tool now shows no vulnerability. A quick search shows no
Why aren't you bragging about patching this bug and how awesome you are at protecting our data?
At the very least, a notice about what's being done to protect xda and how it affects users would be much appreciated.
dstarfire said:
xda-developers.com is listed as one of the sites affected by the heartbleed bug, but testing tool now shows no vulnerability. A quick search shows no
Why aren't you bragging about patching this bug and how awesome you are at protecting our data?
At the very least, a notice about what's being done to protect xda and how it affects users would be much appreciated.
I'm curious what site it was listed on?
Just for anyone who is interested...
As soon as the severity of the flaw was clear, we began updating our machines. Some services use pre-built packages and others use custom-compiled software (using the flawed openssl version). We updated all of our services within 30 minutes or so.
The forum.xda-developers.com hostname uses a 3rd party service who was still vulnerable to heartbeat after we patched our internal services. We opened a ticket with them - I'm sure by that point they were aware of the issue and a fix was already in the works. About an hour after that they had patched their services.
This is definitely one of the worst security flaws in the history of the internet - you pretty much have to assume that any communications thought protected by https have been compromised unless there were other protections in addition to SSL.
https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
please patch asap
Isriam said:
https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
please patch asap
That list is old... see my statement above.
That's fine, but just so you know that link is posted on front page msn.com under heartbleed headlines.
Isriam said:
That's fine, but just so you know that link is posted on front page msn.com under heartbleed headlines.
Sure, but not too much I can do about old information.
The link loriam posted is the one I found xda mentioned on. However, before I posted, I also checked a live testing website that showed xda as safe.
If anybody is interested, the url for that site is filippo.io/Heartbleed/
Unless there is updated information that I was unable to see, your SSL certificate is showing as being from 7 months ago. Shouldn't it be updated since that was part of the information that was vulnerable to Heartbleed?
Are there any plans to replace and revoke the SSL certificates that were on the vulnerable servers? Since there are no logs it is impossible to know if anyone was able to obtain the private key for these certificates, and until revoked xda remains vulnerable to stealth MITM attacks.
wto605 said:
Are there any plans to replace and revoke the SSL certificates that were on the vulnerable servers? Since there are no logs it is impossible to know if anyone was able to obtain the private key for these certificates, and until revoked xda remains vulnerable to stealth MITM attacks.
New certs are in process... the CA's are a bit backlogged.
We are vulnerable to stealth MITM attacks only if someone has recorded/intercepted our traffic, and also if someone was able to decode our private key. Of which both are unlikely (but possible). So while we do work to replace our certs, the priority is "hey, we are doing this" and not "hey, let's shut down our ssl services."
bitpushr said:
New certs are in process... the CA's are a bit backlogged.
We are vulnerable to stealth MITM attacks only if someone has recorded/intercepted our traffic, and also if someone was able to decode our private key. Of which both are unlikely (but possible). So while we do work to replace our certs, the priority is "hey, we are doing this" and not "hey, let's shut down our ssl services."
I totally agree (and believe me I'm hating this crap as much as I'm sure you guys are)... I just wanted to make sure it was in progress as I'm waiting to change my password until then.
Well, I'm glad that you guys are taking the necessary steps to keep your and your users information safe. I feel bad for whoever would try and hack XDA-Developers, because they would probably receive a huge backlash.
Probably bad enough to melt their computer.
Sent from my dictionary.
Some progress in updating androids vulnerable openssl 1.0.1e ? Heartbleed is disabled (for me) but somehow i imagine unwanted changes like from apps etc
Sent from my GT-I9505 using xda app-developers app
GrammarNazi said:
Well, I'm glad that you guys are taking the necessary steps to keep your and your users information safe. I feel bad for whoever would try and hack XDA-Developers, because they would probably receive a huge backlash.
Probably bad enough to melt their computer.
Sent from my dictionary.
We would blow up all mobiles they own. Mwahahahah!
Sent from my HTC Explorer A310e using XDA Premium 4 mobile app
Our new SSL certificates are in place.
Glad to hear we're safe. Maybe XDA should force all users to change their passwords?? In the security world it's just better off and safer to assume everything was compromised.
Sent from my Galaxy S4 using Tapatalk
bitpushr said:
Our new SSL certificates are in place.
Hi bitpushr,
How to use the secured connection when logging in and/or changing password in this forum? I haven't noticed any ssl connection when logging in and/or changing password from the control panel.
Online test for Heartbleed
There are sites that will test for it.

Google and Facebook infiltrated the Internet.

Deleted.
Yeah it's so funny can't handle the laugh h a h a h a
PageXray by FouAnalytics
pagexray.fouanalytics.com
Interesting how many connections XDA makes, very legit.
I don't see anything wrong with Google and Facebook being login options. Two of the biggest companies that people use these days.
Two of the biggest companies in terms of stealing personal data and selling it.
Two massive companies that track and spy on your every move.
Not going to lie, you have to be somewhat stupid to use their services, which makes a lot of people stupid considering that you are correct, a lot of people use it.
LineageOS is focused on privacy, I'm pretty sure the main reason for the majority of xda visitors is to download LineageOS for their phone after not finding it on the official site.
A website like XDA that offers a privacy operating system should not have ANY contact/interaction with google or facebook, simple as that period.
That's your opinion..
Privacydroid said:
..As many others i use LineageOS for privacy, to avoid the standard OS from Google that is constantly 24/7 github which is owned by microsoft, this is just wrong.
The source code for LineageOS is available on GitHub.
https://github.com/LineageOS
Many Devs use GitHub to build Roms, maybe the Rom you are using right now.
I agree. I never use G and F logins. No G services on my phone, either. Won't stop everything but gets rid of a lot of the tracking.
May I offer a suggestion? I agree with you, the present-day internet has been dominated by big tech and their surveillance. But you will get further by not calling most people who have no idea of the bs going on behind their back, stupid. I don't think XDA is going to change its website for the small number of privacy focused users. Be thankful we can express our opinion and learn about this stuff. Just block G and F, ad and tracking sites on your router or pihole. You might wish to consider giving xda a donation.
Just my .02
Privacydroid said:
Two of the biggest companies in terms of stealing personal data and selling it.
Two massive companies that track and spy on your every move.
Not going to lie, you have to be somewhat stupid to use their services, which makes a lot of people stupid considering that you are correct, a lot of people use it.
LineageOS is focused on privacy, I'm pretty sure the main reason for the majority of xda visitors is to download LineageOS for their phone after not finding it on the official site.
A website like XDA that offers a privacy operating system should not have ANY contact/interaction with google or facebook, simple as that period.
Deleted by author...
ardwivedi16 said:
If you have problems with these things then don't use them. For you it's a privacy issue but for many others it's a convenience.
A bit of convenience to give up all of your privacy, makes me question how braindead people have gone, this will have consequences.
I can't live without Google. Google is best
Dayuser said:
I can't live without Google. Google is best
Obviously now you are trying to provoke a reaction, google isn't "best" and it isn't even "good", in fact what they do has the scale of a massive criminal conglomerate. If you can't live without google you should question yourself.
Living without google is easy and it's better as you don't give your private data away.
But hey I don't even know why I'm replying to the guy whose first response was
Must be a 12yo, time to let this thread die as there is nothing useful being commented other than nonsense.
Privacydroid said:
Living without google is easy
It is not easy to live without google if you want the easiest way to back up everything important.
Source: https://pagexray.fouanalytics.com/q/forum.xda-developers.com?f=
XDA seems to have A LOT of connections.
Since this site is mainly focused on mobile operating systems with a priority on privacy OSes, how come that the site itself appears to be in support of tracking/profiling?
Is it the money?
What's the history of this forum? At which point was the decision taken to support google and facebook login?
Privacydroid said:
...Since this site is mainly focused on mobile operating systems with a priority on privacy OSes, ...
How did you come to that conclusion, it is not stated anywhere on the site, that I've seen.
Privacydroid said:
What's the history of this forum?
Privacydroid said:
At which point was the decision taken to support google and facebook login?
Google sign-in was added at least since SEP 17, 2013
Authenticate Your XDA Account with Google
www.xda-developers.com
Facebook and Github Added ~26 March 2021
https://web.archive.org/web/20210326194333/https://forum.xda-developers.com/login/
Twitter added ~08 Oct 2021
https://web.archive.org/web/20210408155309/https://forum.xda-developers.com/login/
You didn't look that hard did you, it took me like 5 mins to find this.
Edited:
Authenticate Your XDA Account with Google, by SVETIUS, published SEP 17, 2013
-How did you come to that conclusion, it is not stated anywhere on the site, that I've seen.
Just from looking around, was my impression.
Google is tracking this forum since 10 years, that's disturbing, yeah I didn't look, you're correct.
What's the matter, all sites have the fancy google and facebook logins anyway, it's not just xda, it's like they infiltrated the whole internet.
Privacydroid said:
I downloaded LineageOS for my phone from XDA because the official site lineageos.org does not support my phone model.
As many others I use LineageOS for privacy, to avoid the standard OS from Google that is constantly 24/7 tracking my location as well as basically anything I do on my phone, even facebook was preinstalled and could not be deleted, this is madness, in my opinion companies such as google and facebook are criminal considering the amount of data/knowledge they collect and share/sell about every single one of us. I do not use a single google service and yet google tries to stalk/track me on websites such as this one. Chances are, if a website has a google/facebook login option, that means the site also has google/facebook tracking cookies/beacons or similar technologies present on that website.
Now is it not ironic considering I came here to download a "privacy" os and even here google and facebook are present...?
I strongly advise against allowing google and facebook to spy on xda's website, no matter how much money is involved, it's simply inappropriate.
If you take a look at the website's statistics, I doubt that many people use google/facebook to login on xda, however some people surely do use these options.
Obviously these people are pretty dumb, considering by logging into XDA with google or facebook you grant google/facebook access to spy on every single thing you do on the XDA website.
Stop feeding criminal companies that have nothing good in their interest with your data, because data = money and money = influence.
You don't want google/facebook to have any influence, they already have enough of that and see what happened with the internet, with censorship, with depression of young people.
Question is, why does XDA have a login option for google and facebook and github which is owned by microsoft, this is just wrong.
Hate to be the bearer of bad news, but no matter where you go on the internet you will be tracked. Google, Facebook, etc aren't the only ones that track/profile you. Yeah, Google is harvesting my data, but at least they provide useful services such as Google Drive, YouTube, Docs, etc. Don't want to be tracked? You'll have to pull the ethernet cable or SIM card out.
Privacydroid said:
-How did you come to that conclusion, it is not stated anywhere on the site, that I've seen.
Just from looking around, was my impression.
Google is tracking this forum since 10 years, that's disturbing, yeah I didn't look, you're correct.
What's the matter, all sites have the fancy google and facebook logins anyway, it's not just xda, it's like they infiltrated the whole internet.
The beginning is your internet service provider. They know you best! Then comes everything else.
If you have a land line they know your complete address which Google doesn't know.
The ISP is your primary DNS provider too, they can view all your internet activity in certain cases.
You didn't know that?
Datastream33 said:
Hate to be the bearer of bad news, but no matter where you go on the internet you will be tracked. Google, Facebook, etc aren't the only ones that track/profile you. Yeah, Google is harvesting my data, but at least they provide useful services such as Google Drive, YouTube, Docs, etc. Don't want to be tracked? You'll have to pull the ethernet cable or SIM card out.
I'm aware of that.
I just think it's sad that XDA is a part of the tracking/profiling. If i was a website owner i wouldn't want to do this to my users.
Google is the single one most evil company, they were originally a CIA/NSA project, and no this is not conspiracy.
Ever heard about prism and xkeyscore?
To be honest google and facebook have broken so many laws, tracking minors, tracking without consent, they are making billions with our personal information and it's not just meaningless information because if you combine everything they know about you... it becomes a massive detailed personality profile.
I don't use google chrome, google search, gmail, google android, google drive, youtube, docs or drive but google still tracks me when I visit websites like XDA because someone who has influence over this site, most likely the owner, decided to grant them permissions to track and profile users here in return for money (ads).
Why use google chrome when you have librewolf or brave?
Why use google search when there is searX or bravesearch?
Why google drive when you have mega? Mega offers 20 GB for free...
I know pulling the cable is the only way to be 100% sure you ain't tracked, except surveillance cameras with facial recognition, police robots, stores that refuse cash, are a thing now.
I refuse to buy anything from a store that doesn't want my cash, ridiculous.
Even using linux with librewolf and searX will leave some traces on the internet but it's SO MUCH BETTER than using google. Your digital footprint is minimized and it's worth it.
About youtube, the censorship is EXTREME, heard about the channel "china uncensored"? They make videos about recent events in china, for example when the hongkong freedom protest happened they showed footage (with no violence!!) but the video was still deleted by google! I'm saying it, google is evil, most likely internally corrupted.
I do use youtube but not like most people, https://yewtu.be is an instance from https://invidious.io and they have no cookies or tracking, also hosted over a proxy, they access googlevideo.com to share youtube videos, a great way to watch censored videos like the hongkong freedom protest.
Great that you mentioned "sim card out", I want to ask about that: if my phone uses lineageos and has no sim card attached, is geolocation tracking still possible?
I've heard that if you connect to a wifi (without a sim card) even if using a vpn they can still determine your real location and the only way to avoid that is by connecting the phone via ethernet, is that true and how does this work?
strongst said:
The beginning is your internet service provider. They know you best! Then comes everything else.
If you have a land line they know your complete address which Google doesn't know.
The ISP is your primary DNS provider too, they can view all your internet activity in certain cases.
You didn't know that?
The first thing i do after booting is connect to a VPN and i've changed my DNS server to Quad9.
So my internet provider knows nothing about me, unless they're listening to the wire or something..
