this post was submitted on 28 Jul 2025
328 points (97.4% liked)

Technology

73512 readers
2883 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
328
Women’s ‘red flag’ app Tea is a privacy nightmare (www.theverge.com)
submitted 4 days ago by return2ozma@lemmy.world to c/technology@lemmy.world
106 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] NeilBru@lemmy.world 2 points 4 days ago* (last edited 3 days ago) (1 children)

Encrypting the transmission doesn't do much if every app installation contains access credentials that can be extracted or sniffed.

Encrypt the credentials then? Or OAUTH pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that encrypts the data on that server and then decrypted on the database host?

Clearly my utter "noobishness" is showing, but at least it's triggering a slight urge to casually peruse modern WebSec production workflows. I am a DNN researcher. Thus, I am far removed from customer-facing production environments, and it shows.

Any recommendations on literature or articles on how engineers solve these problems in a "best practices" way that you can recommend? I suppose I could just look it up, but I thought I'd ask.

Edit: I don't know why I'm down-voted. My questions were sincere.

[–] nickwitha_k@lemmy.sdf.org 5 points 3 days ago* (last edited 2 days ago) (1 children)

You've got the right ideas. Noone should ever be storing any password in plaintext. It should always be hashed and only the hash stored. That's like WEBDEV99 (remedial course, not even 101).

Really. Despite your stated "noobishness", you basically landed in the territory of best practices right of the bat.

If you're looking for a good source of best practices, the CIS benchmarks are great. https://www.cisecurity.org/

[–] NeilBru@lemmy.world 3 points 3 days ago

Brother, I need the "remedial" lessons since I self-host a lot of my experimental DNN solutions on a GPU cluster served via CasaOS/Ubuntu-Server LTS.

I've followed basic tutorials about nginx, end-to-end encryption, and DNS, but I need more knowledge and training about the theory behind modern security best practices. I think I'm doing okay but I have this ever-present anxiety that I've overlooked something and my ass (i.e., sensitive data) is really just hanging out in the wind.

Thank you for your recommendation.