CrankySec

Be Savvy

I was going to title this something like "The smart person's guide to tech bullshit", but that pretty much would go against one of the points that I'm trying to make: "smarts" is very hard to define. I mean, you can be smart enough to start a business, get funding, grow a customer base, and, by many conventional metrics, be successful. And you can be dumb enough to actively sabotage all that by making stupid business decisions.

You have a business dedicated to facilitating confidential communication between people. You make the very, very dumb decision to demand some sort of KYC process in order to "ascertain" that the person signing up is a "woman" (and let's not even get into that), and, despite the fact that there are several third parties you can hire to do that for you, you think "how hard can it possibly be?", and you roll your own. And you are so incredibly stupid that you make the architectural decision to use an unsecured Firebase storage bucket to hold that data. You know, for your confidential communication service.

So, you cannot call the people running the show at Tea "smart". At least not in some important contexts.

"But Scar! You're blaming the victim!"

No, I am not. The victims are the people who trusted a company with their data, just to see said company treat said data with the utmost contempt.

You see, broken access control is literally OWASP Top 10's A01. Like, the number one thing in that list that everyone knows. Except the smart people at Tea. And that list is from 2021. Oh yeah! AES, the Advanced ENCRYPTION Standard, was standardized in 2001. TWO THOUSAND AND ONE. We, as in humankind, know how to prevent those things. And we have known this for a while. We know how to do those things, and we know what happens when you don't do those things. They take security and privacy seriously, though.

Next thing you know, Tea rebrands as Chai, everyone forgets about what just happened, and another unsecured Firebase storage bucket is born. And that's where you must be savvy, because this particular leak is "just" your face, photo ID, and messages. The next one might be worse.

Being savvy here means understanding all this, and making decisions based on the apparently never-ending supply of preventable cybersecurity and privacy fuck-ups: at this juncture, you should know that no one gives a shit about the confidentiality of your data. And you know they don't give a shit because none of those leaks were caused by some nation-state-sponsored l33t h4x0r deploying the latest and greatest exploits. This was some rando with a Python script.

Anyone who's not actively not giving a fuck would stop that deployment and say "You guys, we need to consider the confidentiality of our users' data. Let's do the very well-documented hardening procedures on this bucket, and use an encryption algorithm that's been around for two decades. That oughta do it." However, if you're actively not giving a shit about your users, you do what they did and just YoloOps.
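For the record, this is what those "well-documented hardening procedures" look like for a Firebase Storage bucket. This is an added illustration, not code from the post and not Tea's actual configuration: the kind of wide-open rule that makes a bucket world-readable, next to a locked-down version. The kyc/{uid}/ path layout and the 5 MB size cap are assumptions.

```text
// File 1, illustrative storage.rules (added example, not Tea's real rules).
// WEAK: every object in the bucket is readable and writable by anyone on
// the internet. No login, no ownership check. This is OWASP A01 in one line.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

// File 2, hardened storage.rules.
// Deny everything by default; a signed-in user may upload only under their
// own uid; clients can never read ID documents back out of the bucket.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Hypothetical layout: kyc/<uid>/<file> (assumption, not from the post).
    match /kyc/{uid}/{fileName} {
      // Clients never read KYC images. Only a trusted backend using the
      // Admin SDK (which bypasses these rules entirely) gets to read them.
      allow read: if false;
      // Must be authenticated, writing under your own uid, a plausibly
      // sized image. Everything else is rejected before it lands.
      allow write: if request.auth != null
                   && request.auth.uid == uid
                   && request.resource.size < 5 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
    }
    // Any path not matched above, including the old open catch-all, is denied.
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

Rules like these only gate access through the Firebase client SDKs and public download URLs; they do nothing about a backend that hands out long-lived links, and nothing about the decision to hoard photo IDs in the first place.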

The only other alternative is that the people at Tea don't know what they're doing. Unfortunately, in that case, we don't have a technical fix. Or a legal one, because my preferred solution would be "you're not legally allowed to deploy code that will be used by the general public unless you know what you're doing." Alas.

Sorry, back to being savvy. Know for a fact that, by and large, these folks don't care, don't know what they're doing, and will face no consequences. Knowing that, you can act accordingly. Sketchy app doing KYC shit? Fuck that. Apps promising confidentiality with no evidence whatsoever? Fuck that, too. Services from a brand-new Silicon Valley startup where the employees need to be morons in several fields? Check.

Friends: these people don't care. They really don't. A leak like this, or any other, might not seem like a big deal now, but it can absolutely come back to bite you in the ass down the line. Be savvy. Avoid this bullshit. Don't treat your own data with the same disdain.

Don't know how? Want to get better at opsec? Swing by our Discord. I will personally help you out.