drclegg, 3 days ago:
It's pretty likely the guy blocked the author after seeing them link a blog post insulting his work, no? Sure, he should take the vulnerability report seriously, but it's pretty clear that bundling a report above the words "activism theater" isn't going to make someone want to read it. Instead, just "hey man, you're on a vulnerable version of httpd" is likely going to be more effective.
thefreeman, 3 days ago:
It also barely meets the definition of "a vulnerability report". He basically just nmap-scanned the server and googled the Apache version. The "critical" vulnerability he linked requires controlling a backend server being reverse proxied through Apache... so completely irrelevant. I didn't read every CVE for the Apache version but I am doubtful there is anything that actually allows taking over the server there.
roywashere, 3 days ago:
Also, Apache 2.4.57 is exactly the version of Apache you get when you'd run RHEL 9 / AlmaLinux / Rocky 9. In that case, the OS would provide backports of the CVE fixes for you and the banner still reads Apache 2.4.57!
capitainenemo, 3 days ago:
That was EXACTLY my first thought on skimming the article. There are commercial vulnerability tools that do this to me repeatedly with Debian and Ubuntu, reporting vulnerabilities in things that the Ubuntu and Debian CVE pages clearly state were patched in backports years prior. Often it is in Apache.
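The point the two comments above make (a banner of `Apache/2.4.57` on RHEL 9 and its rebuilds says nothing about which CVEs are patched, because fixes are backported without bumping the upstream version) is illustrated by the following added example. It is editor-supplied code, not from the article, the ICEBlock project or anyone in this thread. The Server header, the changelog excerpt and the CVE numbers (CVE-2099-xxxx) are constructed placeholders, not real advisories; the changelog is shaped like `rpm -q --changelog httpd` output because that is where a distro records the backported fixes.

```python
"""Added example: why a Server banner alone cannot establish that an httpd
build is vulnerable, and what a backport-aware check looks like instead.

Enterprise distributions keep the upstream version string in the banner and
backport security fixes into package releases. A scanner that only compares
the banner against the upstream "fixed in" version flags every such host; the
package changelog is what records which CVEs were actually patched.
"""
from __future__ import annotations

import re

# Constructed: a Server header as a banner grab (nmap -sV, curl -I) reports it.
SAMPLE_BANNER = "Server: Apache/2.4.57 (Red Hat Enterprise Linux)"

# Constructed: an excerpt shaped like `rpm -q --changelog httpd` output.
# The CVE numbers are placeholders chosen so they cannot collide with real IDs.
SAMPLE_CHANGELOG = """\
* Tue Mar 05 2024 Example Maintainer <maint@example.invalid> - 2.4.57-9
- Resolves: CVE-2099-0001 (placeholder)

* Mon Nov 06 2023 Example Maintainer <maint@example.invalid> - 2.4.57-5
- Resolves: CVE-2099-0002 (placeholder)
- Rebase to 2.4.57
"""

_BANNER_RE = re.compile(r"Apache/(\d+(?:\.\d+)+)")
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_banner_version(header: str) -> tuple[int, ...] | None:
    """Extract the upstream httpd version advertised in a Server header."""
    m = _BANNER_RE.search(header)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def naive_banner_verdict(header: str, fixed_upstream: str) -> str:
    """What a banner-only scanner concludes: banner < fixed-in version => 'flagged'."""
    ver = parse_banner_version(header)
    if ver is None:
        return "unknown"
    fixed = tuple(int(p) for p in fixed_upstream.split("."))
    return "flagged" if ver < fixed else "not flagged"


def cves_fixed_per_changelog(changelog: str) -> set[str]:
    """CVE IDs the package changelog says were resolved, i.e. backported."""
    return set(_CVE_RE.findall(changelog))


def backport_aware_verdict(header: str, changelog: str, cve: str,
                           fixed_upstream: str) -> str:
    """A banner below the upstream fix is only a finding if the distro
    changelog does not list the CVE as resolved."""
    naive = naive_banner_verdict(header, fixed_upstream)
    if naive != "flagged":
        return naive
    if cve in cves_fixed_per_changelog(changelog):
        return "fixed by backport"
    return "open"


if __name__ == "__main__":
    # CVE-2099-0001 is in the changelog (false positive for the naive check);
    # CVE-2099-0003 is not (a real finding under both checks).
    for cve in ("CVE-2099-0001", "CVE-2099-0003"):
        print(cve,
              "banner-only:", naive_banner_verdict(SAMPLE_BANNER, "2.4.58"),
              "backport-aware:", backport_aware_verdict(
                  SAMPLE_BANNER, SAMPLE_CHANGELOG, cve, "2.4.58"))
```

On a real host the changelog text comes from `rpm -q --changelog httpd` (RHEL family) or `apt changelog apache2` (Debian/Ubuntu), and the distro security trackers list fix status per release; the example does not run those commands, it only parses text shaped like their output. The remaining caveat is that a changelog proves a fix was shipped, not that the running process was restarted after the package update.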
hughw, 3 days ago:
I need to see ICE Block's SOC 2 Type 1 audit of their processes for patching vulnerabilities along with their latest SOC 2 Type 2 audit.
tptacek, 3 days ago:
Their Type 2 attestation would have everything the Type 1 has. I mean obviously you're not being serious but I can't let that one sail by.
hughw, 3 days ago:
Right, but the Type 2 will prove they actually did what they promised. And yes, I'm drawing it out to an absurdity.
JumpCrisscross, 3 days ago:
> pretty likely the guy blocked the author after seeing them link a blog post insulting his work, no?

No. “Joshua runs two Bluesky accounts: @iceblock.app, the account of the ICEBlock app, and @joshua.stealingheather.com, Joshua's personal account. His personal account had DMs closed, but the ICEBlock account had DMs open, so [the author] sent him DMs there” about the upcoming blog post. Joshua reacted to the blog post by blocking the author on the ICEBlock account. When, “a few days later…[ICEBlock’s] server was still running Apache 2.4.5,” the author “decided to give [Joshua] a deadline to patch his server before [the author] publicly disclosed the vulnerability.” The author sent this deadline to Joshua’s “@joshua.stealingheather.com” account. “An hour and a half” after the deadline was communicated, Joshua blocked the author from his personal account, too.
frenchtoast8, 3 days ago:
It's pretty clear the developer blocked him from the @iceblock.app account because of the blog post criticizing him, and then blocked him from the other account after he said to not respond but got a page of text back instead. It had nothing to do with the vulnerability report. Now, the blog post seems to be reasonable criticism to me, so I don't think the developer should have blocked him for it. But I don't know, no one has ever written a blog post about me, and I'm not receiving death threats and being threatened by the federal government. At the end of the day, the author is trying to frame this interaction along the lines of, "Sensitive user data is at risk, and I was blocked for no reason other than for letting the developer know" -- the first part has not been proven to be true, and the second is obviously not true.
JumpCrisscross, 3 days ago:
> then blocked him from the other account after he said to not respond but got a page of text back

The point is the developer didn’t block “the author after seeing them link a blog post.” They received the disclosure and then blocked the author (on that account).
evilDagmar, 2 days ago:
The "disclosure" was a big waste of time. It was vague and ill-informed; nothing that came after seems to give the impression that they actually knew what they were talking about. The only serious vulnerability that might have applied would have required the man to be using Apache as a reverse proxy to another server, which is just _extremely unlikely_ considering where it was hosted and what it was being used to do.
firesteelrain, 2 days ago:
So what? The guy probably feels harassed. He doesn’t know the author from Adam.
hughw, 3 days ago:
Also, maybe activism theater isn't so bad. I mean not everyone has the temperament or motivation that the severe activists do, and maybe just "doing something" (as long as it's harmless) raises general awareness and critical mass and eventually creates more activism.
Kapura, 3 days ago:
It's a nice theory, but that hasn't been borne out in reality. Activism theater allows people to convince themselves that they don't need to do the actual work to protect their communities or disassemble abhorrent systems. It raises the profile of the app developer at the expense of the community.
watwut, 2 days ago:
It is funny, because the number of people who convinced themselves that they don't need to do the actual work due to activism theater is strictly smaller than the number of people that ... just do not do anything except complain about activism theater.
xantronix, 3 days ago:
Security practices aside, ICEBlock is worse than activism theater; it allows bad actors to intimidate communities with false reports, as it lacks any methods to validate reports and verify users, and was developed without collaboration with the communities it was intended to serve.
tibbon, 3 days ago:
I disagree. It's akin to security theatre. People who engage in it can think they've done the right things, when in reality they might have created more vulnerabilities or now have a false sense of security. Finding effective, actionable and safe methods is difficult, but that's the work we have to do.
cognician, 3 days ago:
I'd argue making promises of privacy and security that one cannot keep, in enabling civic resistance to unaccountable paramilitary forces, is not harmless.
toss1, 3 days ago:
THIS. Conflating a software vulnerability with a criticism of the overall concept is a good way to become non-credible and get both ignored.

The article repeatedly claims the entire concept is mere "activism theater", yet with zero evidence or even discussion to back up the claims. In fact, this sort of app may be very effective in both helping people evade authoritarian raids and helping generate flash-mob-type protests that impede the authoritarians. Every bit of friction added to authoritarian rule improves the likelihood of successfully defeating it.

And, buried in the vague overall accusations of not liking the app, the author is stating he's using the wrong version of Apache. I missed anything about the actual good version if it was in there. And, he openly admits he has no idea if the server in question even houses any significant data.

The whole article comes off as the author being an asshat, and even more sore that he's being ignored. TBF, I'd probably ignore him too. But yeah, it probably is a good idea to run the update sooner rather than later.
evilDagmar, 2 days ago:
Oh, that app did a huge thing just by showing how far the administration is willing to go with its delusional fascist nonsense. The app was _barely_ functional and available on a minority of the smart phones, and yet there the White House was, making hyperbolic claims on a regular basis about the massive "dangers" it posed. They even went so far as to go after the guy's wife since they didn't have any legal means to oppose him. Things which take minimal effort but produce a massive response are what Trump's fire hose of duplicitous social media posts are all about. It's perfectly fine work to leverage that same asymmetry in response.
toss1, 2 days ago:
Yes, and the fact they responded so strongly shows the app IS definitely effective, and not mere "theater" as the author wants to claim (it may not be as effective as it could be, it might be many things, but it is definitely well above "...sound and fury, signifying nothing").
zhouzhao, 3 days ago:
If you had read the actual article, you'd know that the headline is fitting.
He got warned that it is an unflattering article, he got the hint about the insecure web server, he had the chance to explain himself and set things right. It appears this app was vibe coded, has no security, now serves a lot of people, and the author is somehow thinking about how to make money out of it, hence the reluctance to make the code open source.
drclegg, 3 days ago:
I've read the article. The point I'm getting at is that a vuln report will be taken more seriously if you present yourself in a pleasant manner. It's pretty clear that the app has its issues (especially wrt false reports); that I'm not disputing.