- cross-posted to:
- technology@lemmy.world
The two comments on the article dismiss the concern as ‘possibly showing the wrong version’ but all it would have taken the dev to do would be to respond with the fact that it is up to date and displaying incorrectly. That would take less effort than blocking and being a jerk about someone trying to bring a security concern to their attention.
It’s a bogus security concern and seems like a smear campaign because the dev did not respond “properly”.
Anybody who has set up a webserver on Debian or Red Hat will tell you that Apache versions mean nothing. They backport fixes and security patches to seemingly ancient versions of Apache, and then every security scanner will tell you they are vulnerable while actually they are not and have been fixed for years.
I had to fight the security team at my old job because of this very same thing. Just check the Red Hat/Debian release logs for Apache and you’ll see the CVEs have been fixed.
Doing a whole blog post to shit on the project, then making a bogus security claim while giving them way too short notice (1.5h is insane) to fix before going public is in extremely bad taste. I totally understand the dev blocking the guy as he contributed nothing here.
Edit: From the blog:
Without providing more details, I also discovered that his server is running outdated software with known vulnerabilities.
Tell me you don’t know anything about security without saying it. Anybody worth their salt will know backporting exists.
This is just trying to smear the dev while looking like a fool. Anybody capable of opening the dev tools and checking the header would see the same thing. Guess what? Lots of bots do that already and automatically try known CVEs.
Second edit: not trying to rub people the wrong way, but commenters here should really stop giving their opinions on stuff they don’t understand. Yes, security is important, but no, an older Apache version in the header is not an issue.
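The backporting point made above, as an added example that is not part of this thread or of the project under discussion: a banner-only check flags every CVE whose upstream fix version is newer than the `Server` header, while a check against the distribution’s changelog shows which of those were already backported. The header, the version numbers, the changelog excerpt and the CVE ids are all constructed placeholders.

```python
import re

# Constructed sample data, not from the thread: a Server header as a scanner
# sees it, and an excerpt written in the style of a Debian apache2 changelog.
# CVE-0000-000x are placeholder ids, not real advisories.
SERVER_HEADER = "Apache/2.4.10 (Debian)"

# Upstream release in which each placeholder CVE was fixed; this is all a
# banner-only scanner knows about.
UPSTREAM_FIX = {
    "CVE-0000-0001": "2.4.25",
    "CVE-0000-0002": "2.4.39",
    "CVE-0000-0003": "2.4.50",
}

CHANGELOG = """\
apache2 (2.4.10-10+deb8u99) jessie-security; urgency=high

  * CVE-0000-0002: backported fix for placeholder issue two.

apache2 (2.4.10-10+deb8u98) jessie-security; urgency=medium

  * CVE-0000-0001: backported fix for placeholder issue one.
"""


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def banner_version(header):
    """Extract the upstream version a Server header advertises, or None."""
    match = re.search(r"Apache/(\d+(?:\.\d+)*)", header)
    return parse_version(match.group(1)) if match else None


def banner_only_findings(header, upstream_fix):
    """What a scanner that trusts only the banner reports as vulnerable."""
    seen = banner_version(header)
    return {cve for cve, fixed in upstream_fix.items()
            if seen is not None and seen < parse_version(fixed)}


def changelog_fixed(changelog):
    """CVE ids the distribution changelog records as fixed (backports)."""
    return set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))


def reconcile(header, upstream_fix, changelog):
    """Split banner findings into backported false positives and the rest."""
    flagged = banner_only_findings(header, upstream_fix)
    fixed = changelog_fixed(changelog)
    return {"false_positive": flagged & fixed, "unconfirmed": flagged - fixed}
```

The `unconfirmed` set is what still needs a look at the actual package changelog or a real test; the `false_positive` set is the noise the commenter describes.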
Seems like he has an attitude/maturity problem, as he took the criticisms very personally. This isn’t the type of person you’d ever want to work with, and certainly not the type of person you should trust with your data.
The author of this article seems like the jerk to me and acts like he just found a major vulnerability in Android or something, not a free app that collects no PII.
This app is about reporting the activities of an increasingly authoritarian state. Security should be top of fucking mind in an app like that. Otherwise the authorities will hack into there in no time and then everyone involved will have a bad time.
A server that receives no PII will have a hard time logging it even if the feds take over the server.
Reporting them anonymously, so what exactly is there for the government to hack in and find? This isn’t Facebook where you have to provide them with your photo ID.
You do realize that if they hack in they could simply set it to log user data while making it continue to appear anonymous to the outside? Even just an IP address could be pretty useful in locating who is tipping off the public about ICE raids.
Log what user data? None is sent, and that’s shown by the guy shitting on the project in their blog post.
Plus if they want your IP they don’t need to hack the server, they ask either the provider, Cloudflare, your ISP or even just via PRISM.
An IP address might not be sufficient to prove someone did something in a court of law, but it will definitely be enough to be thrown in an ICE detention center, assaulted, and possibly deported if your skin isn’t white before it gets to court.
You do realize that the extent of this “disclosure” was looking at what version of Apache he’s running and quite literally nothing else? No testing. No verification. No evidence.
As pointed out in the comments on the disclosure, this version of Apache does have the necessary patches in some installs, and even if it didn’t, it’s unlikely to leave any vulnerabilities as his app is completely bare bones intentionally for the very reasons you listed.
You can come up with all kinds of fictional scenarios for what could happen like we’re in some hacker movie where the government just “hacked into the mainframe,” but that doesn’t make them real without any actual evidence.
This dude obviously has a personal agenda here and is trying to make some big scandal out of nothing.
No testing. No verification. No evidence.
What do you mean? That Micah should have tested the vulnerability by hacking the server? That’s heavily illegal.
That’s usually how that works. You do a pen test and report vulnerabilities found and show a proof of concept of how you did it.
Just checking the version of Apache means absolutely nothing here, and any security check that only does that is useless.
Defamation is also illegal, so what’s your point? That didn’t stop him from making claims about ICEBlock without any actual proof in his rush to disparage this guy and his app, as people do when they have an axe to grind. He clearly “handled it in the worst possible way.”
Yeah, the headline isn’t wrong. The author could be right or wrong, but the point still stands that the dev refused to acknowledge it properly and disclose whether there was or wasn’t a vulnerability, giving no assurances whatsoever to their users.
There is no vulnerability because the claim is bogus. Anybody with some experience in cybersec will tell you it’s a nothing burger.
This whole app is so incredibly questionable unfortunately.