[citation needed]

The trouble is Android's permission model is crap. If an app has a feature that requires a permission the app may need at any point in the future, it has to be approved by the user at install time, and the app cannot control how the permissions are described or even explain to the user why it needs that permission. And lots of innocuous permissions are bundled up together non-granularly with scary dangerous (or dangerous-sounding) ones, so the app only needs EraseBunnyDrawing permissions but to get that it has to request KillFamily permissions, which doesn't actually mean kill *your* family, it means kill a process family, but all the user sees is "Permission to kill family members without warning" and OH GOD WHY DOES AN APP ABOUT DRAWING FLUFFY BUNNIES REQUIRE MY FAMILY TO DIE?! THIS APP SUCKS!!!!!!1111!!!!!oneoneonetyone1!!!

And then the story hits TechCrunch, where it's summarized so that it sounds like there have been actual deaths of family members, and then the mainstream press and the Today show start calling the app developer asking "Why are you a horrible person whose app killed little Stacey's favorite uncle?? :( :( :("

And all because Google can't get security UI right.

Sure there is. If Uber is doing anything that can't (or for some reason they they don't want to) be handled over HTTP, the app will need full network access. (I don't know what the Uber app uses it for, but apparently WhatsApp uses it for IM communications with other app users.) "Modify system settings" is apparently (per the linked explanation from WhatsApp) the only way to get permission to read system settings. "Read Google service configuration" (again, per previous link) is used for interacting with Google services like Maps, which you can easily imagine why Uber's app would want to do.

NO HE DID NOT.

Sorry for yelling, but it's an important point.

Go back and read the original GironSec blog post where he even acknowledges explicitly what he (inexcusably, IMHO) failed to do -- that others did after him and surprise! found nothing especially amiss -- before he wrote an inflammatory blog post based on supposition, conjecture and ignorance of context.

> Gregory Perry
> Chief Executive Officer
> GoVirtual Education
>
> "VMware Training Products & Services"

So I'm seeing a chain of thought like this:

"I'm a bit player in the VMware training market. I need to get my name out there somehow if I want to expand. Maybe if I can make somebody big like Scott Lowe look like an idiot... Hmmm, he's been pushing OpenBSD lately, and I bet Theo still remembers me. Maybe if I concoct a story that Lowe is complicit in some kind of subversion of OpenBSD, Theo will want to get to the bottom of it so he'll tell people about it -- and then no matter what, people will just remember that Lowe was rumored to be doing something shady."

Also, as another poster noted, government NDAs regarding something like this (which would be considered classified info) never "expire" (until the info is declassified, and then only to that extent). So this guy is either lying, or violating federal law, by making this claim. He doesn't even know that EOUSA is a parallel division of Justice, not "the parent of the FBI", so my bet is on "lying".

Actually, back inthe day, the IRS wanted to do exactly that, but the entire tax industry screamed "unfair competition" and threatened to sue. Ultimately the IRS agreed to not do its own tax software, but only if the industry collectively would provide free online filing to a certain increasing percentage of Americans each year.

One of the subcontractors was Kollsman AG, a subsidiary of Israeli firm Elbit, that makes their border cameras.