About 20 results (2.45 seconds)
Community lemmy.today

Pornhub shuts down in Texas... and predictably, VPNs benefit

encrypted over https

The TLS handshake will generally – though there are some ways to avoid this, and people are banging on it – expose hostnames in the clear. So even if the IP address that you’re talking to serves multiple virtual hosts, your ISP is likely to know who it is that you’re talking to. https://en.wikipedia.org/wiki/Server_Name_Indication

Even if your browser is using DNS-over-HTTP, which it may or may not be doing, most software doesn’t, so outside of your browser, DNS is generally visible.

Some protocols still are not encrypted; I was looking at MUDs the other day, and few of them support encrypted connections. The networks that I’m most worried about are random WiFi access points, and VPNs solve that well.

The network provider can still see which addresses and ports someone is connecting to and to where the traffic goes, and how much traffic is sent.

Some network providers blacklist material – as is the case in OP’s article. For example, one of my first experiences on the Threadiverse was kbin sending me to a random discussion on policy that Ada (the lemmy.blahaj.zone admin) was having with some gay user who lived somewhere in the Middle East. Lemmy.blahaj.zone had been blocked in that country – the country presumably didn’t like something related to the server having LGBT content. The Threadiverse is semi-resilient to that – they could still connect to a federated server and see comments. But it meant that images on lemmy.blahaj.zone were blocked in that country. For another contemporary example, Russia has cracked down on politics online. Can’t block access to content without killing off VPNs, and they went after those too.

For people who maintain a long-running IP address, it’s possible to cross-correlate logs from various services. So, okay, let’s say that a given IP address has been logged downloading BitTorrent content. That same IP address is linked to, at various times, use of an app where a particular unique phone ID has shown up, or maybe that a user has logged into some account service on, which is linked to personal information. Even a party who is not someone’s ISP can cross-correlate logs using the IP. A VPN doesn’t absolutely avoid that, but it makes it harder.

Without a VPN, anyone can get at least a rough geographical location of a user by geolocating their IP address. IPv4 scarcity has made this harder than it once was, reduced geography/address correlation, but I expect that IPv6 will make it easier.

People don’t need to write their network software securely. Your cool multiplayer network game may or may not be encrypted and may or may not be resilient to modified network traffic. If there are buffer overflows in how Quake or whatever handles network traffic, I’d rather not let the network provider be an attack vector. This has been exploited before, and while a typical ISP probably isn’t generally a real risk, I’d trust random WiFi networks a lot less. A VPN will get cleartext traffic off their network.

Probably more, but that’s some off-the-cuff.

Community hexbear.net

I never heard nor read anything good about this game

i can’t even really remember how long ago it was that i looked into league of legends, but it was a long time ago. i don’t think it was brand new, because lots of people were already playing it. i was looking for a game to play with friends online and so a friend of mine told me about how two guys we knew back in high school played it all the time now and we could play with them / use it as a way to keep in contact. and it was “Free” so what was there to lose? so we download it and get online, only the guys from school are not really interested in showing us what’s up because they are trying to achieve something and insisted we play some randoms for a while to figure it out and get better. and we quickly find that the options for noobs not paying money are limited. so we join a game anyway, and start getting told we suck and are ruining the game because the acronym commands we are being issued by someone who has decided they are in charge of this “game” are inscrutable. this experience was supposed to sell us on investing more time into it so we could buy stuff in game to “be better”. i think i uninstalled it after a few hours. people look for different experiences in games. personally, my idea of free time isn’t something where i want to let some random asshole frustratedly boss me around so i can make numbers go up and have fake money to spend on becoming more comfortable with being bossed around and eventually become one of the people who bosses others around. seems a bit too much like some other game we all have to play already.

Community europe.pub

The Free JavaScript campaign

When looking to ensure that our computers are running free software, we usually turn our attention to the operating system and programs we install. Increasingly, we also need to look at the Web sites we visit. Simply visiting many sites loads software onto your computer, primarily JavaScript, that carries proprietary licenses. If we want to be able to browse the Web without running nonfree software, we need to work together to call for change. The Free JavaScript campaign persuades companies, governments, and NGOs to make their Web sites work without requiring that users run any proprietary software. We pick one site at a time and focus energy on it, working as a team to send many polite but firm messages to the site maintainers. The JavaScript programs in question create menus, buttons, text editors, music players, and many other features of Web sites, so browsers generally come configured to download and run them without ever making users aware of it. Contrary to popular perception, almost no JavaScript runs “on the Web site” – even though these JavaScript programs are hidden from view, they are still nonfree code being executed on your computer, and they can abuse your trust. Join us in calling for a Web that respects our freedom by being compatible with free software. Use the action box on the right to contact the organization we’re currently focusing on and ask them to make their site work without nonfree JavaScript. https://ghostarchive.org/search?term=https%3A%2F%2Fwww.fsf.org%2Fcampaigns%2Ffreejs

I guess the lemmy javascript my instance runs is open source software, right?

Community lemmy.dbzer0.com

Cracking a game you already bought.

I do miss the days when you could just download a keygen and get something licensed. Nowadays most keygens are just virus/malware installation packages unfortunately, with a few exceptions. To be honest it’s probably easier and safer to just use one of the repacks from a trusted source since they are ‘precracked’ and that work has been done for you.

Community lemmy.sdf.org

CAPTCHAs are 'a tracking cookie farm for profit that made us spend 819 billion hours clicking to generate nearly $1 trillion for Google'

What will be effective depends on the nature of the site and that of the bots causing trouble. For example, a forum can limit posting privileges until an account builds a reputation, a paid goods/services site can restrict access until a purchase is made, a web service can use revocable credentials, and a data download site can use rate limits. (That last one is actually useful in a variety of situations, and can be done at the network level instead of or in addition to the application level.) There is no silver bullet, but there are lots of small measures that can be very effective when applied thoughtfully, without turning a site into a frustrating-to-use surveillance tool for Google at the expense of the humans who want to or have to use it. Even a small, locally hosted, activate-only-once, simple image or text-based CAPTCHA would be preferable to the ones operated by third parties.

Community lemmy.ca

What risk might I have accidentally exposed my computer to by viewing a pirated streaming site without AV blocking?

It’s very unlikely you are infected by anything unless you were using some crazy settings or addons, or unless you were hit by some extreme 0-day exploit that hasn’t become widespread yet. Firefox does not and normally cannot execute files it downloads automatically, nor are videos a likely risk for remote code execution now that we have technologies like data execution prevention built into processors; if you’re attacked by malware it will rely on some other vector or trickery to get you to execute the file. I would expect that your performance issues are unrelated, but you should also check Firefox’s addons and extensions as well as your task manager startup tab to make sure nothing has obviously been installed without your knowledge. One thing that sticks out at me is the fact that you only mention the file’s “title”. If you haven’t already, you should make sure Windows Explorer is set up to ALWAYS show full file extensions; that’s like a basic safety measure that really should be on by default but isn’t, and it’s really mandatory if you’re messing around on the darker parts of the web. You have to know what kind of file extension it is because that affects what Windows is going to do with it, and when it’s supposed to be one thing and Windows is going to do something different with it, that’s a huge red flag that it’s malware trying to trick you into running it. You can upload the file to VirusTotal if you want to scan it, but it doesn’t sound likely that it even ran unless you did something bad by accident.

Community feddit.org

Linux phones are more important now than ever

E: apparently it needs to be said that I am not suggesting you switch to Linux on your phone today; just that development needs to accelerate. Please don’t be one of the 34 people that replied to tell me Linux is not ready.

Android has always been a fairly open platform, especially if you were deliberate about getting it that way, but we’ve seen in recent months an extremely rapid devolution of the Android ecosystem:

The closing of development of an increasing number of components in AOSP.

Samsung, Xiaomi and OnePlus have removed the option of bootloader unlocking on all of their devices. I suspect Google is not far behind.

Google implementing Play Integrity API and encouraging developers to implement it, which prevents apps from the Google Play Store from being downloaded without a system-wide OS-level account login. Notably the EU’s own identity verification wallet requires this, in stark contrast to their own laws and policies, despite the protest of hundreds on GitHub.

And finally, the mandatory implementation of developer verification across Android systems. Yes, if you’re running a 3rd-party OS like GOS you won’t be directly affected by this, but it will impact 99.9% of devices, and I foresee many open source developers just opting out of developing apps for Android entirely as a result. We’ve already seen SyncThing simply discontinue development for this reason, citing issues with Google Play Store. They’ve also repeatedly denied updates for NextCloud with no explanation, only restoring it after mass outcry. And we’ve already seen Google targeting any software intended to circumvent ads, labeling them in the system as “dangerous” and “untrusted”. This will most certainly carry into their new “verification” system.

Google once competed with Apple for customers. But in a world where Google walks away from the biggest antitrust trial since 1998 with yet another slap on the wrist, competition is dead, and Google is taking notes from Apple about what they can legally get away with. Android as we know it is dead. And/or will be dead very soon. We need an open replacement.

E2: thank you to everyone stopping by from Hacker News, Reddit, etc. to check out the threadiverse. I hope you’ll stick around for a while. Check out https://phtn.app/ and the Voyager and Blorp apps for a nicer UI. Fuck Spez!

Community pawb.social

Is anyone using Debian Sid for gaming?

I’ll do you one better: I’m using Debian Stable for gaming and there’s nothing bad to report. Based on my experience I’d recommend that you use Stable first, unless you feel you really need Sid. I previously ran Arch Linux, but after switching to Stable and manually sourcing a few critical cutting-edge applications through e.g. Flatpak, it feels the exact same. I don’t feel like running the entire system as bleeding edge is a good idea when you can just run a couple dozen things as cutting-edge instead. If you plan on using Sid instead of Stable, most of the following will not apply:

Lutris has its own Deb repo if you need the latest updates, or it’s available as a Flatpak. If you use Flatpak Lutris and want to use MangoHud, you’ll need to install the Flatpak version with flatpak install flathub org.freedesktop.Platform.VulkanLayer.MangoHud (I don’t think it shows up in the normal store).

The one gotcha I’ve found regarding Debian Stable and gaming is that Mesa will fall out of date as the release cycle goes on and probably won’t be backported. The solution is that running games via Flatpak (Lutris, Steam, etc.) uses Flatpak’s Mesa instead, which is cutting-edge. You can also try to compile a local Mesa version with this script, and you can manually trigger games to use this version instead of the system version. It does work, but it’s more complicated and a little bit more messy.

I use the Xanmod “Main” kernel for a more recent kernel that isn’t too bleeding-edge - it stays on the previous Linux kernel version until a few point releases have come out.

CoreCtrl is available as a bookworm-backport. I manually backported it myself but it looks like it’s official now.

I’m running Wayland and KDE, with no issues to report (even with gaming).

I’ve manually compiled Libstrangle for FPS limiting, but I’ve found that I can use MangoHud to transparently limit FPS as well, by using the following environment variable: MANGOHUD_CONFIG=fps_limit=YOURFPSHERE,fps=0,frame_timing=0,cpu_stats=0,gpu_stats=0,background_alpha=0. When I want MangoHud to act as normal, I switch it to MANGOHUD_CONFIG=readcfg which uses my normal config instead. Notably, Libstrangle cannot be used with Flatpak Lutris, so FPS limiting will need to be done with MangoHud if you want to limit Linux games. DXVK games can be limited with DXVK_FRAME_RATE as well, if that’s all you need.

I make heavy use of Flatpaks for any user applications that I need to keep more modern.

If it’s not available as a Flatpak, I tend to use Homebrew to keep any other critical applications up-to-date (usually some CLI tools).

I use cargo through rustup to keep some rust programs updated.

I use deb-get with a couple programs that aren’t on any real repos in order to get updates.

I’ve compiled a couple backports by following this guide in a stock Debian Stable VM, then copying the .deb files back out to my main system. So far this has been super easy, but I don’t want to do this unless I have to.

If a program needs to be manually compiled, I try to install it using checkinstall. checkinstall basically fake-runs an installation and notes where everything goes, then stuffs it all into a .deb for you for a proper installation that can be uninstalled later. It’s a little buggy and doesn’t always work, but if it does it’s preferable. I rarely am forced to compile something that actually needs to be installed to system, but I’ve used it a few times with good success. (Do not make a FrankenDebian)

I can’t think of anything else regarding Debian Stable that I’ve done at the moment. Anything else has just worked as I’m used to on a bleeding-edge distro like Arch Linux. Debian’s large package base has really helped me with obscure programs that I used to need to compile manually with Arch Linux.

Community ibbit.at

Chop Wood, Carry Water 9/8

Download this meme from Into Action here. Hi, all, and happy Monday. Of course, it’s not super happy. We got a couple of terrible SCOTUS rulings this morning (here and here, if you haven’t yet seen them.) The immigration-related decision, announced with no explanation, is especially heinous, as it gives ICE free rein to continue its policy of rampant racial profiling. This is in clear violation of the 4th Amendment, which protects everyone in the U.S. from “unreasonable search and seizure.” It’s depressing stuff, and there’s no quick antidote to it. There is, however, a long term fix: term limits, court expansion, and ethics reform. Don’t let anyone tell you this is an insoluble problem—it’s not. It’s simply going to require a galvanized Democratic trifecta to get it done. I highly recommend checking out Demand Justice, the Brennan Center and/or the Alliance For Justice if you’d like to learn more about Supreme Court reform. There is hope! In the short term, however, this decision is disastrous. There’s no sugar coating it. So instead of digging into more news items I want to share, with permission, a note that subscriber Christopher T. Wood just sent me. I think it’ll inspire you and maybe lift you out of the doldrums a bit. He said: Disappointed with the election results in January, my wife formed a little group called the Tropical Meme Society (@tropical.meme.society). We met at our local coffee house, Café Tropical, in the Silverlake section of LA. A few folks gathered on a bi-weekly or monthly basis. We decided to do a few bridge drops (hang signs with pro-democracy messages) over the 101 Freeway. One of our group is French and went home this summer for vacation. She noticed that all or most of the news outlets in France seemed to be voicing the opinion that while the Trump Administration had fascist tendencies, all or most Americans appeared to be fine with it. 
Not agreeing with that assessment, she wrote in to her local paper in Bordeaux and told them about what our group and others had been doing in support of democracy, including the No Kings Day protests. She had pictures and video, so her local paper ran the story. [Here is the link.] Within a day or so, all or most of the major news outlets had picked up the story about “La Resistance” in the US. No longer were the major media outlets of France saying all Americans were fine with what Trump was doing. The entire narrative had changed. Why? Because a few people gathered in a small café in the Silverlake section of LA to talk about what they could do. My wife has shown us, never doubt what effect a few committed people can have. Beautiful, right? Never forget—your voice has power. Every one of us is simply called to do what we can in this moment. Sometimes it will feel like our impact is minimal. Other times we’ll stumble into something that will create large ripples. The truth is we just don’t know how our actions will affect those around us, or, for that matter, history itself. It doesn’t matter. We take them anyway. Ours is not to predict outcomes. Ours is simply to do the next right action, trusting that it will lead to some good. That’s what this group did, and look at the ripples their actions created! One last thing before I go: I want to apologize for unknowingly posting misinformation in yesterday’s good news list. Chicago officials did not, in fact, use salt trucks to block ICE this weekend. The story that they did do that was—and still is—everywhere, but I should have fact checked it more carefully. I’ll endeavor to avoid similar mistakes in the future. OK, folks. I’ll be doing my Substack Live at 4PM solo, so if you want to come for an update on all the day’s news and a pep talk, join me! Now let’s get to work. Call Your Senators (find yours here) 📲 Hi, I’m a constituent calling from [zip]. My name is ______. 
[If Democrat:] Democrats shouldn’t provide a single vote to keep funding Trump’s repressive agenda this September. No compromises, no folding, no caving by Chuck Schumer. There should be no yes vote unless the White House guarantees, among other things, that funds will be distributed as appropriated, that there will be a 60-vote requirement for any recission, and that they will institute a ban on masked ICE/DHS agents without court orders. Democrats have power here. If they want to win back the voters who have abandoned them they’d better use it. Thanks. [If GOP:] I’m disgusted by Trump’s threat to declare war on Chicago. And please don’t tell me he was quoted out of context. We all know he wasn’t. Declaring war on an American city is arguably treasonous and definitely grounds for impeachment. Trump is dangerous, he’s unfit, and he needs to be impeached and removed. I want to hear the Senator speak out clearly against this lawless attack on American cities. Thanks. Call Your House Rep (find yours here) 📲 Hi, I’m a constituent calling from [zip]. My name is _______. First, I want the House to fully fund NIOSH [pronounced nye-osh] in 2026, consistent with the recent bipartisan Senate appropriations bill. I also want Trump and Kennedy to fully reinstate all NIOSH researchers who are still not back to work. Second, I ONLY support a government spending bill that reverses Medicaid cuts and blocks tax breaks for the rich and big corporations. I oppose any package that doesn’t contain those two provisions. [Only if Democrat add:] Finally, I want to put in a word of support for Rep. Monica McIver. I’m glad to see that the motion to censure her was tabled, and I want to see House Democrats continue to stand with her every time she’s attacked. She deserves our unqualified support. Thanks. [Only if Republican add:] Finally, has the representative signed on to Rep. Massie’s discharge petition to release the full Epstein files yet? If not, I expect him/her to do so today. 
The House Oversight Committee is releasing redacted papers and things we’ve already seen. It’s gaslighting. We want to see the files. The victims deserve no less. Thanks.

Extra Credit ✅ The FTC is trying to attack gender-affirming care under the guise of consumer protection and the Christopher Street Project is trying to get as many public comments as possible to oppose their action. In order to make the process safer, they published a comment portal that they will use to submit on your behalf: christopherstreetproject.org/FTC. Please help uplift the portal and this Instagram post from @christopherstreetproject. We have until September 26th to make our voices heard!

Get Smart! 📚 WHY FASCISTS FEAR TEACHERS W/ RANDI WEINGARTEN Tuesday, September 9, 7:30PM ET Fascists fear education! Defunding public education, banning books, and censoring history are all part of the extremist playbook. It’s no wonder that teachers who empower students to think critically and ask questions are under attack. Join Red, Wine and Blue to hear from Randi Weingarten, President of the American Federation of Teachers, as we talk about this coordinated assault on education and why concepts like curiosity and empathy outrage fascists. Learn what’s at stake, how these attacks hurt our kids and our country, and how we can fight back. SIGN UP NOW

Messaging! Messaging! Messaging! 📣 Here are some key facts on Trump’s economic failures, courtesy of Defending American Democracy. Make sure to share widely! Trump’s tariffs will cost families an additional $2,400 this year. The U.S. added just 22,000 jobs in August, while June revisions revealed the economy actually lost jobs that month. U.S. factory orders fell 4.8% in June and construction spending collapsed. Trump says he will put a 100% tariff on semiconductors. Beef prices are hitting record highs, rising nearly 9% this year. Electricity prices rose 6.5% in the last year.
Trump’s tariffs are expected to impact 75% of U.S. food imports. Vegetable prices increased by nearly 40% from June to July. Get excited about campaign finance reform! I just heard a presentation from someone at CAP Action about the Montana Plan, an initiative that can essentially overturn Citizens United without actually overturning it, one state at a time. It’s very exciting and it may start in Montana! Read all about it here. Attend a Town Hall—MICHIGAN! 🪧 The amazing folks are the Progressive Caucus Center are holding a Progress for the People Town Hall in Warren, MI, on Friday Sept 12 at 1pmET with Michigan Rep. Talib & Vermont’s Rep. Balint. If you live in the area please join them to learn what the Republican budget law means for you, hear from your neighbors, and ask your questions! RSVP here. Grab Your Wallet! 💳 Rolex sponsored Trump at the U.S. Open. It’s probably a moot point for most of us, but if you’re in the market for a luxury watch please choose a different brand! Win Races! 🗳 Markers For Democracy and a coalition of grassroots groups are launching a series of four National Virtual Postcard Parties for Virginia. Join them weekly, when Virginia candidates will tell you what they are seeing and hearing in their districts. Write for the candidates of your choice, celebrate VA Dems running 100 candidates in 100 districts, and enjoy being with grassroots activists from around the country. More details here. Each evening has its own Zoom registration link: Monday, Sept 8, 2025 7-9 pm ET - Zoom Registration Link Monday, Sept. 15, 2025 7-9 pm ET - Zoom Registration Link Sunday, Sept. 21, 2025 7-9 pm ET - Zoom Registration Link Tuesday, Sept. 
30 - 7-9 pm ET - School Board Night - Zoom Registration Link

Chop Wood, Save the Planet 🔥 From climate denial to pandemic disinformation, powerful forces are working overtime to undermine facts and delay vital action. On Friday, September 12 at 7 PM ET, join Climate Action Now for an Action Party about the powerful forces fueling today’s war on science—and what we can do to fight back. You’ll be joined by leading climate scientist Dr. Michael E. Mann, who will share powerful insights from his newest book in a conversation moderated by Climate Action Now President Tim Guinee. Together, let’s challenge disinformation, call for accountability, and stand up for science! REGISTER NOW

Resistbot Letter (new to Resistbot? Go here! And then here.) 💻 [To: all 3 reps] [H/T ] [Text SIGN PMSILR to 50409, or to @Resistbot on Apple Messages, Messenger, Instagram, or Telegram] (Note that for the most effective RESISTBOT it’s best to personalize this text. More about how to do this here. But if you’re short on time just send it as is using the above code.)

Donald Trump has crossed a constitutional red line. By threatening to unleash federal immigration raids, militarized crackdowns, and what he himself calls a “Department of WAR” against Chicago, he is not merely using inflammatory rhetoric—he is levying war against an American city. The Constitution defines this as an act of treason. Trump’s “Chipocalypse Now” post, accompanied by an image evoking Apocalypse Now, was not satire or bluster. It was a declaration of intent to use the power of the federal government against U.S. citizens and local governments who defy him. This is authoritarianism, plain and simple. The threat is also baseless. Crime in Chicago has been dropping sharply, with homicides down nearly 30% and shootings down over 40%. There is no emergency that could justify such an extraordinary federal assault. Local leaders have resisted: Governor J.B. Pritzker labeled Trump a “wannabe dictator,” and Mayor Brandon Johnson has barred city agencies from assisting with raids. Thousands of Chicagoans have protested in defiance, even as community events were canceled under pressure. Congress cannot treat this as political theater. The stakes are constitutional and historic. When a president declares war on his own people, silence is complicity. I urge you to:
• Hold hearings immediately to expose Trump’s threats as unconstitutional and potentially treasonous.
• Legislate strict limits on the use of federal forces and immigration agencies in domestic political disputes.
• Protect sanctuary jurisdictions from federal overreach and retaliation.
• Affirm the principle that no president can wield war powers against the states or their people.
This is bigger than Chicago. If Trump succeeds here, every city, every state, and every community is at risk. Congress must act now to defend the Constitution, protect American democracy, and stop Trump from levying war against his own country.

OK, you did it again! You’re helping to save democracy! You’re amazing. Talk soon. Jess

Chop Wood, Carry Water is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

From Chop Wood, Carry Water via this RSS feed

Community ibbit.at

ICEBlock handled my vulnerability report in the worst possible way

Last week, I wrote about how Joshua Aaron’s ICEBlock app, which allows people to anonymously report ICE sightings within a 5-mile radius, is – unfortunately, and despite apparent good intentions – activism theater. This was based on Joshua’s talk at HOPE where he made it clear that he isn’t taking the advice of local community groups, that ICE sightings aren’t verified in any way, and that he doesn’t know what he’s doing when it comes to security and privacy. In that post, in the section about his “HIGHLY secure” server that he kept mentioning, I wrote: Without providing more details, I also discovered that his server is running outdated software with known vulnerabilities. I was intentionally vague because I knew that his server was vulnerable at the time of writing, and I didn’t want anyone to exploit one of these vulnerabilities before he had a chance to fix it. ICEBlock has been downloaded over one million times from the App Store. I don’t know whether Joshua’s server stores data related to these users or the reports they submit, but it might, and he certainly bragged about the security of it in his HOPE talk. I’m publishing this because it’s important for people who are trusting ICEBlock to know that the developer is careless about computer security, even when people specifically point out security issues and give him time to fix them. Hopefully his server doesn’t have any user data. Hopefully no one will hack his server despite the fact that he’s making it easy for them to. And hopefully this blog post will compel him to finally fix the issue. UPDATE: It worked! Hours after I published this, Joshua has updated Apache in his server, fixing the issue. Joshua runs two Bluesky accounts: @iceblock.app, the account of the ICEBlock app, and @joshua.stealingheather.com‬, Joshua’s personal account. His personal account had DMs closed, but the ICEBlock account had DMs open, so I sent him DMs there. 
On September 1, I wrote: Hey Joshua, I’m one of the people who saw your HOPE talk and asked some of the questions. I’m giving you a heads up that I’m preparing to publish a blog post about the app and your talk that isn’t very flattering. But also, I wanted to give you notice that you’re running a vulnerable version of Apache on your linode server. I’m not mentioning this specifically, but you should install updatesYou seem to be running Apache httpd 2.4.57. See https://httpd.apache.org/security/vulnerabilities_24.html for more details, but this version of Apache has multiple critical CVEs which could take over your server. Like for example, this one https://nvd.nist.gov/vuln/detail/CVE-2024-38476 Then, an hour and a half later, I published my blog and sent him my Bluesky post about it: I wrote about @iceblock.app, the developer’s infuriating HOPE talk, and how it’s unfortunately basically activism theater micahflee.com/unfortunatel… — Micah Lee (@micahflee.com) 2025-09-01T22:56:27.196Z He didn’t respond from the @iceblock.app account other than blocking me. (Which, honestly, isn’t very fair, since I’m not ICE.) Screenshot from Bluesky of @iceblock.app blocking me after my responsible disclosure He did, however, send me a DM from his @joshua.stealingheather.com account, saying: It would be so great if you could stop lying about me and ICEBlock. You are doing nothing to help. You don’t know me, my history, my knowledge, or anything more than hearing me at Hope.Don’t bother responding because this will be my last and only communication with you. Do better. To which I replied: If I got anything wrong in my blog post, please let me know and I’d be happy to post a correction Here’s a screenshot of the exchange. Screenshot from Bluesky DMs with @joshua.stealingheather.com telling me I’m lying about him and his app A few days later, on September 3, I decided to check again. His server was still running Apache 2.4.57, which has multiple vulnerabilities. 
He ignored my report and didn’t fix it. And just so you know, fixing this problem is extremely easy. He just needs to SSH in and run something like sudo apt update && sudo apt upgrade, wait for the updated Apache package to install, and his server would no longer be vulnerable.

Seeing that he wasn’t taking this seriously, I decided to give him a deadline to patch his server before I publicly disclosed the vulnerability. I sent his @joshua.stealingheather.com account these messages:

Hey Joshua, I noticed that you still haven’t updated Apache on your server. I disclosed that you’re running Apache 2.4.57, which has known critical vulnerabilities, on September 1. I don’t know what data (if any) related to [ICEBlock] and its users that you store on your server. But until you update Apache, it might be trivial for anyone to hack your server and steal all of it. So, please install updates.

I’m giving you a week from when I first disclosed this before I write about it (so, September 8), which should give you more than enough time to update a package.

Just so you’re aware, I determined the version of Apache using nmap’s version detection feature. You can run nmap -p443 -sV iceblock.app to test the version yourself, and it should show you this:

    PORT    STATE SERVICE  VERSION
    443/tcp open  ssl/http Apache httpd 2.4.57 ((Unix) OpenSSL/3.0.9)

As a reminder, you can find the known vulnerabilities for this version of Apache here: https://httpd.apache.org/security/vulnerabilities_24.html

And, as I showed you before, just one of the vulns is CVE-2024-38476, which you can read about here: https://nvd.nist.gov/vuln/detail/CVE-2024-38476. This is a “critical” vulnerability that could potentially be used to execute scripts on your server.

Please get back to me.

He didn’t get back to me. And an hour and a half later, he blocked me from this account too.
Screenshot from Bluesky DMs with @joshua.stealingheather.com, where I disclose his vulnerability again, and he blocks me

It’s now been a week, and I checked again: Joshua’s “HIGHLY secure” server is still running a version of Apache with multiple known critical vulnerabilities. And even with plenty of time to fix the issue, he still hasn’t. I hope he isn’t storing any ICEBlock-related data on there.

From micahflee via this RSS feed
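The banner check in the post above, as an added example that is not from the post or from ICEBlock. nmap’s -sV prints the version a service advertises; this script parses that output and orders version numbers numerically against the release that fixed a given CVE. The scan output in the block is constructed (its 443 line mirrors the banner quoted in the post), and the fix release 2.4.60 is the value the Apache httpd 2.4 vulnerabilities page gives for CVE-2024-38476, which you should verify against the page before relying on it. Two caveats a practitioner wants here: a banner older than the fix release is a lead rather than proof, because distribution packages often backport security fixes without changing the advertised version, and a server configured with ServerTokens Prod advertises no version at all, which hides the lead without closing the hole.

```python
"""Flag advertised service versions older than a known fix release.

Added example, not from the post. Parses the text `nmap -sV` prints and
compares version numbers numerically against the release that fixed a CVE.
Standard library only; the scan output below is constructed.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of `nmap -p22,443 -sV host` output (not a real scan).
# The 443 line mirrors the banner quoted in the post.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
443/tcp open  ssl/http Apache httpd 2.4.57 ((Unix) OpenSSL/3.0.9)
"""

# product -> {CVE: first release containing the fix}. 2.4.60 is the value the
# Apache httpd 2.4 vulnerabilities page lists for CVE-2024-38476; check the
# page and extend this table for whatever you are assessing.
FIXED_IN: Dict[str, Dict[str, str]] = {
    "Apache httpd": {"CVE-2024-38476": "2.4.60"},
}


class Service(NamedTuple):
    port: int
    proto: str
    product: str
    version: str


# "443/tcp open  ssl/http <rest of line>"
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+\S+\s+(.*)$")
# Shortest product prefix followed by a dotted version token ("8.9p1" keeps its suffix).
_PRODUCT_VERSION = re.compile(r"^(.+?)\s+(\d+(?:\.\d+)+\S*)")


def parse_nmap_sv(text: str) -> List[Service]:
    """One Service per open port whose VERSION column includes a version number.
    Ports where nmap could not fingerprint a version are skipped, not guessed."""
    services: List[Service] = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line.strip())
        if not m:
            continue
        pv = _PRODUCT_VERSION.match(m.group(3))
        if not pv:
            continue
        services.append(Service(int(m.group(1)), m.group(2), pv.group(1), pv.group(2)))
    return services


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering. '2.4.9' < '2.4.10' here, whereas string
    comparison says the opposite; non-numeric suffixes such as 'p1' are dropped."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_older(version: str, fixed: str) -> bool:
    """True when the advertised version predates the fix release."""
    return version_key(version) < version_key(fixed)


def flag_outdated(services: List[Service]) -> Dict[str, List[str]]:
    """Map 'product version' -> CVEs whose fix release is newer than the banner.
    A hit is a lead, not proof: distro packages often backport fixes without
    changing the advertised version, so confirm with the package changelog."""
    findings: Dict[str, List[str]] = {}
    for svc in services:
        for cve, fixed in FIXED_IN.get(svc.product, {}).items():
            if is_older(svc.version, fixed):
                findings.setdefault(f"{svc.product} {svc.version}", []).append(cve)
    return findings


if __name__ == "__main__":
    for banner, cves in flag_outdated(parse_nmap_sv(SAMPLE_NMAP_OUTPUT)).items():
        print(f"{banner} predates the fix for {', '.join(cves)}")
```

Run it against real output by piping `nmap -sV host` into the parser instead of SAMPLE_NMAP_OUTPUT. The numeric version key matters more than it looks: a naive string comparison would call 2.4.9 newer than 2.4.10 and miss hosts on old point releases.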

Community ibbit.at

RFK Jr Doesn’t Care About Long COVID

Photograph Source: Embajada de EEUU en Argentina – CC BY 2.0

During his confirmation hearings to serve as Secretary of Health and Human Services (HHS), Robert F. Kennedy Jr. emphatically pledged to prioritize tackling Long COVID, a debilitating chronic condition that develops after COVID-19 infections and leaves many patients with lasting symptoms, such as fatigue, brain fog, and respiratory problems. Sen. Todd Young (R-Indiana) asked Kennedy if he would commit to funding research into treatments and diagnostics for Long COVID. Kennedy’s response? “Absolutely, senator, with enthusiasm.”

Fast forward to August 2025, and Kennedy has dismantled not only federal COVID prevention programs but also much of the research infrastructure devoted to understanding and treating Long COVID. He closed the Office of Long COVID Research and Practice, a central coordinating body established in 2023 to unify agency efforts on Long COVID, and failed to meaningfully replace it. His sweeping reorganization of HHS eliminated or consolidated key centers essential for disease surveillance and chronic illness response, including the National Center for Chronic Disease Prevention and Health Promotion. Reckless funding cuts have dealt a significant blow to ongoing research, derailing NIH-funded clinical trials on antivirals and immunotherapies for Long COVID, halting large-scale cohort studies that track patient outcomes, and stalling the development of new diagnostics to improve detection and classification.

Long COVID is a chronic, multisystem condition that follows COVID‑19 infection. It can arise regardless of the severity of the initial illness and is characterized by symptoms that may persist or emerge weeks to months after the acute phase of infection. Researchers have drawn parallels between Long COVID’s impact and that of a stroke or Parkinson’s.
Long COVID also shares similarities with other post-viral syndromes such as myalgic encephalomyelitis/chronic fatigue syndrome (ME/CFS), which similarly involve long-term fatigue and autonomic dysfunction. Studies have shown that both Long COVID and ME/CFS can lead to quality-of-life impairments that outstrip many advanced cancers. Additional research suggests that Long COVID may be just the tip of the iceberg. Studies of large patient cohorts have found that COVID infection significantly increases the risk of cardiovascular complications, including myocarditis, arrhythmias, heart failure, and blood clots, even in people without prior heart disease. Other studies have documented a higher incidence of metabolic conditions such as new-onset diabetes. There are also neurological sequelae; COVID infections can cause or accelerate cognitive decline and dementia. Evidence suggests that repeated infection may accelerate cancer risk, in part due to inflammation and immune dysregulation. Taken together, these findings suggest that the long-term burden of COVID may extend far beyond what is captured by “Long COVID” alone.

Kennedy is not a solo actor in this. Closing the Long COVID office, for example, coincided with a Trump executive order to “reduce the federal bureaucracy.” The involvement of others does not absolve Kennedy — the head of HHS — of responsibility for what takes place in his agency on his watch. It does, however, suggest that this is not a one-man problem but something more systemic and entrenched. The issue is not limited to HHS; the Occupational Safety and Health Administration (OSHA), for example, is currently seeking to remove the few remaining emergency reporting requirements for hospitals.

Creating Barriers to COVID Vaccines

Of course, one of the best ways to avoid Long COVID is to avoid getting infected with COVID.
Kennedy has spoken about wanting to address root causes, and the root cause of post-COVID complications is infection with COVID, making prevention efforts a key way to prevent new health problems. Unfortunately, Kennedy has approached COVID prevention the same way he has approached measles prevention. He has gone after COVID vaccines, both the currently available shots and promising research into improved versions.

As a form of protection from Long COVID, the current vaccines appear to be useful, albeit insufficient on their own. Most studies indicate that vaccination reduces the risk of Long COVID, and several find additional benefits from boosters, although this varies by timing and variant. One meta-analysis found that COVID vaccination reduces the risk of developing Long COVID by around 30 percent, depending on variant and timing of vaccination. A more recent study suggested that vaccination had played a major role in observed declines in new cases of Long COVID during later infection waves. Primary series vaccinations appear to be the most effective in reducing the risk of developing Long COVID following infection. Subsequent variant-specific shots appear largely helpful as a means of preventing infection (as imperfectly measured by symptomatic disease), which in turn lowers the downstream risk of Long COVID. However, such protection is limited and short-lived. Vaccine effectiveness against symptomatic disease peaks at 50 to 70 percent within a few weeks of administration and declines substantially over the following months. It often approaches negligible levels within six months, particularly in the face of immune-evasive variants like XBB and its descendants.

Taken together, the evidence suggests that vaccines, although far from a silver bullet, are a useful tool for reducing Long COVID. Cutting off access to vaccines will almost certainly mean more Long COVID cases and more people with lasting complications.
Unfortunately, Kennedy’s leadership thus far has culminated in new barriers to COVID vaccination that threaten to severely limit this year’s uptake (assuming new vaccines become available at all). The Food and Drug Administration (FDA) declined to approve COVID vaccines for those under age 65 without high-risk conditions, instead requiring randomized controlled trials in those groups before considering future approval. This includes both primary series vaccinations and additional variant-specific shots for those who have already received their primary series. The FDA also revoked the Emergency Use Authorization for Pfizer’s vaccine in children under the age of 5, leaving Moderna’s formulation as the only authorized option for high-risk children in this age group. For healthy children under 5, the only remaining path to vaccination is now through off-label use by a healthcare provider. The new framework imposes similar restrictions on adults: as of August 22, individuals under the age of 65 without high-risk conditions became ineligible to receive COVID vaccines through standard authorization channels.

The effort was touted as a cautious, evidence-driven approach, but its effect is to delay and potentially deny broad access to vaccines that were previously available (if not always affordable) to a much wider population. Limited access for children younger than 5 years old could be especially devastating. This age group has experienced some of the highest COVID-19 hospitalization rates of any pediatric cohort. Emerging data suggests that Long COVID may have overtaken asthma as the most common chronic illness affecting US children, with nearly 5.8 million affected by post-COVID conditions.

Kennedy has gone after public health officials who don’t share his approach to vaccination.
Earlier this summer, Kennedy fired every member of the Centers for Disease Control and Prevention (CDC) Advisory Committee on Immunization Practices (ACIP), a critical advisory body, replacing many of them with known vaccine skeptics. The ACIP’s role is to make recommendations within the boundaries of FDA approval; its personnel shake-up suggests that even within the FDA’s more restrictive framework, the CDC’s recommendations will be guided by an anti-vaccine political agenda rather than science. While ACIP had not always taken Long COVID seriously before, it did greenlight broad COVID vaccine eligibility in 2024, even if said vaccines remained financially out of reach for far too many.

Kennedy, CDC Firings, and Massive Research Cuts

And this past week, President Trump (at Kennedy’s behest) fired Susan Monarez, the director of the Centers for Disease Control and Prevention (CDC). A wave of protest resignations followed across senior leadership, including Chief Medical Officer Dr. Debra Houry, Director of the National Center for Immunization and Respiratory Diseases Dr. Demetre Daskalakis, and Director of the National Center for Emerging and Zoonotic Infectious Diseases Dr. Daniel Jernigan. In his resignation letter, Daskalakis opined, “Having worked in local and national public health for years, I have never experienced such radical non-transparency, nor have I seen such unskilled manipulation of data to achieve a political end rather than the good of the American people.”

The insufficient protection afforded by current vaccines makes ongoing research into the next generation of prophylactics that much more crucial. But this month, Kennedy unilaterally slashed $500 million from mRNA-related research, which encompassed, among other things, vaccines targeting COVID, H5N1 bird flu, and RSV. Kennedy justified the cuts in part by suggesting that mRNA technology is inherently unsafe, an assertion not supported by scientific evidence.
Earlier this year, Kennedy’s HHS issued a stop-work order to CastleVax for its development of an intranasal COVID vaccine. Intranasal vaccines have shown promise in inducing the mucosal immunity necessary to better prevent transmission. The Trump government, however, has declared COVID “over” (despite evidence to the contrary), and thus all further research related to it is considered expendable. This month, Kennedy’s HHS also took aim at wastewater surveillance, a crucial tool for people trying to use real-world data to calibrate their preventive measures. Wastewater monitoring provides an early warning system for spikes in COVID and other infectious diseases, helping immunocompromised individuals — such as those recovering from cancer — decide when it may be safer to risk exposure from necessary activities like visiting the dentist. Kennedy’s HHS has doubled down on a favorite minimization tactic of the previous administration, and has changed the thresholds for transmission categories, such that virus levels that were previously categorized as “high” are now considered “very low.” More alarmingly, under Kennedy, the CDC has quietly stopped normalizing wastewater data (that is, adjusting for things like rainfall levels), a technical change that will significantly degrade its quality and comparability over time. Without normalization, raw viral counts are misleading, making it far harder for individuals, communities, and health systems to gauge real infection trends. This change threatens to undermine one of the most important and cost-effective surveillance tools still available. Kennedy is clearly not interested in keeping the promise he made to the American people to tackle Long COVID. His behavior does, however, track with the ableist healthism that Julie Doubleday lucidly identifies as the beating heart of Kennedy’s “Make America Healthy Again” (MAHA) movement. 
Ableist healthism is an ideology that equates being healthy with virtue and reframes public health as an individual lifestyle project rather than a collective obligation. It also conflates “natural” with “good,” which explains why MAHA advocates seem so unfazed by preventable deaths from ‘natural’ diseases like measles. Given MAHA’s complacency in the face of preventable death and disability from measles, it’s unsurprising that they would shun interventions like vaccines and other preventative medical interventions for COVID. To be sure, Kennedy has capitalized on the earned mistrust of his predecessors. That mistrust was fueled by a series of blunders, including but not limited to downplaying the threat of long-term COVID sequelae, failing to fully grapple with the reality of airborne transmission, and an unwillingness to meaningfully revisit the “vax and relax” strategy even as evidence increasingly failed to support that approach. Many but not all of these blunders appeared to originate from corporate pressure to return to a “normal” with a weaker social state and fewer protections for workers. However, rather than building back trust based on sound science, Kennedy has doubled down on misinformation. Rather than leveling with people about both the benefits and limitations of existing COVID vaccines, for example, he has cast ill-founded aspersions on their safety profile (and the safety profile of other preventative medicine). He has also actively made it more difficult for those who want to use vaccines to protect themselves to do so. Where the agency once sowed confusion through poor messaging, Kennedy has actively weaponized that communications weakness to recast scientific uncertainty as evidence of conspiracy, replacing cautious half-truths with clear falsehoods. It is abundantly evident that Kennedy does not intend to prioritize the well-being of Long COVID patients. 
Instead of using his immense power to expedite research to help current patients and prevent new cases, he has taken a hatchet to the limited systems of care that were already in place. But disabled lives are not expendable. Millions of people living with Long COVID and other post-viral and chronic conditions deserve dignity, care, and a government that values their survival and well-being. Investing in scientific research and robust public health infrastructure is not charity, but a commitment to a collective future that values and includes everyone in our community. The Trump government’s abandonment of Long COVID patients and disdain for prevention is not acceptable and should be recognized for what it is: a political choice to deepen suffering rather than relieve it. This first appeared on CEPR. The post RFK Jr Doesn’t Care About Long COVID appeared first on CounterPunch.org. From CounterPunch.org via this RSS feed

Community ibbit.at

Ask Hackaday: Now You Install Your Friends’ VPNs. But Which One?

Something which may well unite Hackaday readers is the experience of being “The computer person” among your family or friends. You’ll know how it goes, when you go home for Christmas, stay with the in-laws, or go to see some friend from way back, you end up fixing their printer connection or something. You know that they would bridle somewhat if you asked them to do whatever it is they do for a living as a free service for you, but hey, that’s the penalty for working in technology.

Bad Laws Just Make People Avoid Them

There’s a new one that’s happened to me and no doubt other technically-minded Brits over the last few weeks: I’m being asked to recommend, and sometimes install, a VPN service. The British government recently introduced the Online Safety Act, which is imposing ID-backed age verification for British internet users when they access a large range of popular websites. The intent is to regulate access to pornography, but the net has been spread so wide that many essential or confidential services are being caught up in it. To be a British Internet user is to have your government peering over your shoulder, and while nobody’s on the side of online abusers, understandably a lot of my compatriots want no part of it. We’re in the odd position of having 4Chan and the right-wing Reform Party alongside Wikipedia among those at the front line on the matter. What a time to be alive.

VPN applications have shot to the top of all British app download charts, prompting the government to flirt with, then deny, the idea of banning them, but as you might imagine therein lies a problem. Aside from the prospect of dodgy VPN apps to trap the unwary, the average Joe has no idea how to choose from the plethora of offerings. A YouTuber being paid to shill “that” VPN service is as close as they’ve ever come to a VPN, so they are simply unequipped to make a sound judgement when it comes to trusting a service with their web traffic.
They have no hope of rolling their own VPN; setting up WireGuard and still further having a friend elsewhere in the world prepared to act as their endpoint are impractical. It therefore lies upon us, their tech-savvy friends, to lead them through this maze. Which brings me to the point of this piece; are we even up to the job ourselves? I’ve been telling my friends to use ProtonVPN because their past behaviour means I trust Proton more than I do some of the other well-known players, but is my semi-informed opinion on the nose here? Even I need help!

Today Brits, Tomorrow The Rest Of You

At the moment it’s Brits who are scrambling for VPNs, but it seems very likely that with the EU yet again flirting with their ChatControl snooping law, and an American government whose actions are at best unpredictable, soon enough many of the rest of you will too. The question is then: where do we send the non-technical people, and how good are the offerings? A side-by-side review of VPNs has been done to death by many other sites, so there’s little point in repeating. Instead let’s talk to some experts. You lot, or at least those among the Hackaday readership who know their stuff when it comes to VPNs. What do you recommend for your friends and family?

Header image: Nenad Stojkovic, CC BY 2.0.

From Blog – Hackaday via this RSS feed

Community hexbear.net

Unfortunately, the ICEBlock app is activism theater

cross-posted from: https://ibbit.at/post/42569

At this summer’s HOPE conference, Joshua Aaron spoke about ICEBlock, his iPhone app that allows users to anonymously report ICE sightings within a 5-mile radius, and to get notifications when others report ICE sightings near them. You can see the full talk, and the lively/infuriating Q&A, here, starting at 6:12:10.

Thanks to repression from the highest levels of the Trump administration, his app has gone viral and garnered over a million downloads from the App Store. Karoline Leavitt called it “an incitement of further violence against our ICE officers.” Tom Homan said, “DOJ needs to look at this and see if they’re crossing that line.” Kristi Noem called the app “obstruction of justice.” Pam Bondi announced “we are looking at it, we are looking at him, and he better watch out, because that’s not a protected speech.” (Notifying people about ICE sightings is protected speech, no matter what the fascist Attorney General says.) Joshua and his family have been receiving threats.

But unfortunately, despite the app’s goal of protecting people from ICE, its viral success, and the state repression against it, ICEBlock has serious issues:

Most importantly, it wasn’t developed with input from people who actually defend immigrants from deportation. As a result, it doesn’t provide people with what they need to stay safe. Because ICE sightings in the app aren’t verified in any way, it’s likely that most reports in the app aren’t actually ICE, even if they’re posted by people who mean well – as I describe below, the vast majority of ICE reports are false positives. And judging by the App Store reviews, it’s clear that not everyone means well. One review says: “This is a great app for safety information.
Unfortunately MAGA is now posting false information on there and making racist comments in the comment section.”

Joshua makes strong claims about the security and privacy of his app without backing any of them up with technical details. Many of his claims are false. He also chose to target only iOS, and not Android, because of a misunderstanding about how Android push notifications work. And even worse, during the Q&A, he made it clear that he didn’t understand terms like “warrant canary,” “reverse engineering,” or “security through obscurity,” which doesn’t inspire confidence.

Privacy promises without the evidence

When I first heard about ICEBlock, I liked the idea, but I – and others in various group chats I’m part of – were skeptical. Joshua promises that ICE reports are “completely anonymous,” that the app doesn’t store any personal data, and that it’s “impossible to trace reports back to individual users.” These are bold claims that he hasn’t backed up with evidence. Unlike reputable privacy tools, ICEBlock isn’t open source (in the talk, he explicitly rejected the idea of open sourcing it or allowing the security community to help him improve it), and Joshua hasn’t published a threat model or technical documentation explaining how his app keeps these promises.

My friend Cooper Quintin, a security researcher at EFF, was also skeptical of ICEBlock, and so he reverse engineered it, and spoke to 404 Media about his findings. He largely confirmed Joshua’s claims:

The TL;DR is that I didn’t find anything suspicious, the app doesn’t talk to any third parties, and it doesn’t send your location to the developer. Neither your phone ID nor iCloud account is associated with the requests the app sends to the apple cloud servers to run. (2/11) — Exploit Code Not People (@cooperq.com) 2025-07-15T18:52:15.697Z

This is great, and it’s the reason that (despite his hostility towards transparency) I really do think that Joshua means well.
Even if we can trust that Joshua isn’t collecting data himself, it’s difficult to discern what Apple would be able to hand over if it got subpoenaed for data related to his app. The website simply says it’s “completely anonymous,” without any caveats. But ignoring the lack of transparency, there’s an even larger problem.

ICEBlock spreads unverified information, making it useless for defending immigrants

Local immigrant defense groups around the country have been defending people from deportation for the last decade or more. In a training with NorCal Resist, I learned that when people post (and repost) unverified reports of ICE sightings on social media, it does more harm than good. Millions of people are living in a state of fear. From my experience working with NorCal Resist, most ICE sightings that people hear about aren’t real, even when the person reporting it believes that they are. It’s common for someone to see a bunch of dudes in uniforms, or sketchy looking vans, and assume it’s ICE, when it’s actually something else. If I had to guess, I’d say about 98% of reports are false positives. False reports encourage panic, which doesn’t help anyone.

Meanwhile, what people actually need are legal observers – people to document the behavior of federal agents, and provide this evidence to their lawyers. They also need help with connecting families of kidnapped people with information and lawyers, and they need communities coming out to defend their neighbors.

When I asked Joshua about this during the Q&A of his talk, he didn’t answer the question. Here’s my question and his non-answers:

Joshua’s non-answer to my question about false positives and user research

Specifically, I asked:

With my local group, they put a whole lot of energy into verifying every single report before spreading information about it. My question is, how do you know that ICEBlock isn’t just full of false positives?
And have you done any user research, or worked with local immigration groups to figure out how reliable this is, how much it’s actually helping people versus causing panic?

In an attempt to answer the question about user research, Joshua said, “No, we do not do any user data or metrics.” He misunderstood the question, apparently thinking that I meant collecting data from users rather than talking to humans who know more than he does and incorporating their feedback into the design of the app. He then explained what ICEBlock does to prevent malicious people from making false reports — including falsely claiming that it’s “not possible” to make tons of simultaneous fake reports (more on this below).

ICEBlock doesn’t verify anything, and instead only spreads unverified rumors. To be fair, verification is a very hard problem. In my local group, we have announcement-only Signal groups full of volunteers who physically verify every single ICE sighting that’s reported to our rapid response hotline. The vast majority of reports are false positives. There might be several reports a day, but actual ICE or CBP activity is much more rare. I’ve personally gone to check out maybe 10 to 15 different ICE sightings, only one of which turned out to be actual immigration enforcement (though by the time I got to the location, ICE had already left the area). None of these false reports were malicious: they were simply scared people who saw a bunch of vehicles and people in uniforms and reported an ICE sighting, when it was actually something else.

Another person in the audience asked a similar question:

I’m wondering, I think someone asked earlier, if in the design of ICEBlock, or even now, are you currently working with immigrant communities to figure out what resources they need?

Another question about if Joshua has engaged with community groups

His answer was that ICEBlock has been translated into many different languages.
And that the community organizers he’s spoken with told him that ICEBlock doesn’t meet their needs. So, he decided to not worry about their feedback and do his own thing instead.

If you want to support people who are actually protecting immigrants from deportation, please donate to NorCal Resist or your local community rapid response networks.

What’s GPS spoofing?

When Joshua explained the safeguards against abuse in the app, he claimed that it’s “not possible” to make 100 fake reports in a single morning, in part because you can only make reports within a 5-mile radius of your location. But apparently, Joshua has never heard of GPS spoofing. Even though I’m sitting at my house in California right now, here’s a screenshot I just took of the ICEBlock app from the Eiffel Tower in Paris. While I won’t go into details of the masterful hacking skills that this took, I’ll give you a hint: it’s the same technique kids use to cheat at Pokemon Go. The location comes from the phone, so any radius check, whether it runs on the device or on the server, trusts a value the reporter controls.

Screenshot of ICEBlock app, with GPS location spoofed to make it think I’m in Paris

Make ICEBlock open source? “Absolutely not.”

Someone asked whether Joshua would be interested in collaborating with the hacker community on ICEBlock, so they could provide him with advice and help him with feature development. Joshua rejected the idea, saying that he believes that he’d need to completely trust anyone he collaborated with. “Believe me when I say I would love help. I’m supporting over a million users myself. There’s not some giant company behind this,” he said. “But it’s really really hard for me to put my trust in somebody, and share the source code, and share the access to this.”

Joshua explaining that he’s building ICEBlock all on his own because he can’t trust outside contributors

This is, of course, not how secure software development works. The most widely trusted security and privacy tools that exist, like Signal and Tor, are open source, and they accept peer review and code contributions from the public.
The thing that makes this perfectly reasonable and safe is code review. If Joshua published the ICEBlock source code, experts in the hacker community could add features or fix bugs for him, and make pull requests with their changes. He could then carefully review the changes before merging them into his codebase. He could reject whatever changes he wants. You don’t actually need to trust – or even know the identity of – hackers who help you develop software. This is a solved problem, and Joshua seems utterly unaware of it.

My friend Jen Helsby, the CTO of Freedom of the Press Foundation and a SecureDrop developer, explicitly asked if he would be open to making ICEBlock open source. Here’s the clip:

Joshua will not release ICEBlock as open source because he doesn’t believe in reverse engineering and thinks keeping the implementation details of his app obscure makes it more secure

Jen asked:

There’s a lot of secure software, that probably people in this room work on, that is developed in the open, and that is used primarily by at-risk users, including things like Tor, Signal, SecureDrop. That’s great, because it makes it easy for folks to contribute. Maybe you don’t want that, I understand that can be hard. But it also makes it easier for people to audit and gain assurance that the app is doing what you claim without having to have, you know, EFF reverse engineer it. Would you be open to making the app open source?

His answer: “Absolutely not.” Why? “I don’t want anybody from the government to have their hooks in how I’m doing what I’m doing. Once you go open source, everybody has access to it. So I’m just going to keep the codebase private at this time.”

He also claimed that the government can’t learn everything about how an app works by reverse engineering it, which isn’t true. Anyone can download the binary from the App Store and decompile it, as Cooper did; the only code that secrecy hides at all is whatever runs on his server. I agree with Jen. His answers are very concerning.

What’s security through obscurity?
Another person asked specifically how concealing the details of how the app works from the government is distinguishable from security through obscurity. Joshua agreed that security through obscurity is terrible… and denied that he’s doing it?

Joshua falsely claiming he doesn’t do security through obscurity

In case you’re not aware of this term, the first sentence of the Wikipedia article on security through obscurity has a concise definition:

In security engineering, security through obscurity is the practice of concealing the details or mechanisms of a system to enhance its security.

NIST’s Guide to General Server Security (SP 800-123) lists “Open Design” as a core security principle, saying that, “System security should not depend on the secrecy of the implementation or its components.”

Minutes before this, Joshua had just finished explaining that he definitely won’t open source his app because, “I don’t want anybody from the government to have their hooks in how I’m doing what I’m doing.” He’s implying that his code includes some “secret sauce” that, if it were made public, would make the app less secure, so he can’t risk letting anyone discover how it works. This is the definition of security through obscurity.

My server is “HIGHLY secure,” he says to a room full of hackers

Throughout the Q&A, Joshua kept referencing the security of his server. At one point, he even said that he built it himself and it’s “HIGHLY secure.” He also assured the audience, “Trust me when I tell you, I think about EVERYTHING to the Nth degree.”

It took about 20 minutes of digging around to discover that the server that hosts the iceblock.app website is running on Linode and also hosts the websites of several of Joshua’s other projects, going back decades. This includes a website for his IT consulting business, his band, etc. If any one of those old websites gets hacked, it’s possible that the hacker could more easily access ICEBlock data that’s stored on the same server.
Without providing more details, I also discovered that his server is running outdated software with known vulnerabilities. What’s a warrant canary? At one point, a lawyer asked some excellent legal questions: I’m curious if ICEBlock either currently or has intentions to implement something like a warrant canary or other method. And more generally, whether you have received anything like search warrants, or All Writs Act requests, or anything else. Things like more intrusive means of obtaining information from ICEBlock. Things like requests for live interception, which would be authorized under a search warrant. And if you have a response plan in place already for those. 0:00/3:56 1× A lawyer asking Joshua about warrant canaries and data requests If you’re not familiar with warrant canaries, these are basically public notices that say, “I’ve never been forced to give up user data.” If the notice ever gets taken down, the public can infer that the service was in fact forced to hand over user data. Joshua said, “No on the warrant canary, because it would probably require some sort of user data to do that.” He seemed to think that a warrant canary would be a new feature in the app (that’s uh, not what a warrant canary is), and he completely ignored the legal questions, instead opting to talk about why it’s important to keep the app design simple. When the lawyer asked again what he would do if the government tried to compel him to spy on his users, Joshua simply said, “I’d just tell them to go fuck themselves.” It’s a good answer, but it’s also naive. Government requests can include gag orders, preventing him from telling anyone that he has received them, and punishment for disobeying them can include threats of jail time. It’s good to plan ahead. Luckily, he has EFF and ACLU offering him legal support, in case he ever actually has to face something like this. 
It’s not too late Despite everything, I do think that Joshua’s heart is in the right place and that he genuinely wants to help people. He’s sticking his neck out to fight fascism, and the far right is harassing him and his family for it. This is why I, and several other hackers who attended his HOPE talk, spent so much time and energy (both during his talk and in the days after it) trying to encourage him to open things up so that ICEBlock, and its million-strong userbase, might yet become a helpful tool in defending immigrants against Trump’s fascist plans. He has rejected our offers. It’s possible for him to turn things around, but sadly, I’m not holding my breath. From micahflee via this RSS feed

Komunitas ibbit.at

Unfortunately, the ICEBlock app is activism theater

At this summer’s HOPE conference, Joshua Aaron spoke about ICEBlock, his iPhone app that allows users to anonymously report ICE sightings within a 5-mile radius, and to get notifications when others report ICE sightings near them. You can see the full talk, and the lively/infuriating Q&A, here, starting at 6:12:10.

Thanks to repression from the highest levels of the Trump administration, his app has gone viral and garnered over a million downloads from the App Store. Karoline Leavitt called it “an incitement of further violence against our ICE officers.” Tom Homan said, “DOJ needs to look at this and see if they’re crossing that line.” Kristi Noem called the app “obstruction of justice.” Pam Bondi announced “we are looking at it, we are looking at him, and he better watch out, because that’s not a protected speech.” (Notifying people about ICE sightings is protected speech, no matter what the fascist Attorney General says.) Joshua and his family have been receiving threats.

But unfortunately, despite the app’s goal of protecting people from ICE, its viral success, and the state repression against it, ICEBlock has serious issues:

Most importantly, it wasn’t developed with input from people who actually defend immigrants from deportation. As a result, it doesn’t provide people with what they need to stay safe.

Because ICE sightings in the app aren’t verified in any way, it’s likely that most reports in the app aren’t actually ICE, even if they’re posted by people who mean well – as I describe below, the vast majority of ICE reports are false positives. And judging by the App Store reviews, it’s clear that not everyone means well. One review says: “This is a great app for safety information. Unfortunately MAGA is now posting false information on there and making racist comments in the comment section.”

Joshua makes strong claims about the security and privacy of his app without backing any of them up with technical details. Many of his claims are false.

He also chose to target only iOS, and not Android, because of a misunderstanding about how Android push notifications work.

And even worse, during the Q&A, he made it clear that he didn’t understand terms like “warrant canary,” “reverse engineering,” or “security through obscurity,” which doesn’t inspire confidence.

Privacy promises without the evidence

When I first heard about ICEBlock, I liked the idea, but I – and others in various group chats I’m part of – were skeptical. Joshua promises that ICE reports are “completely anonymous,” that the app doesn’t store any personal data, and that it’s “impossible to trace reports back to individual users.” These are bold claims that he hasn’t backed up with evidence. Unlike reputable privacy tools, ICEBlock isn’t open source (in the talk, he explicitly rejected the idea of open sourcing it or allowing the security community to help him improve it), and Joshua hasn’t published a threat model or technical documentation explaining how his app keeps these promises.

My friend Cooper Quintin, a security researcher at EFF, was also skeptical of ICEBlock, and so he reverse engineered it, and spoke to 404 Media about his findings. He largely confirmed Joshua’s claims:

The TL;DR is that I didn’t find anything suspicious, the app doesn’t talk to any third parties, and it doesn’t send your location to the developer. Neither your phone ID or iCloud account are associated with the requests the app sends to the apple cloud servers to run. (2/11)
— Exploit Code Not People (@cooperq.com) 2025-07-15T18:52:15.697Z

This is great, and it’s the reason that (despite his hostility towards transparency) I really do think that Joshua means well. Even if we can trust that Joshua isn’t collecting data himself, it’s difficult to discern what Apple would be able to hand over if it got subpoenaed for data related to his app. The website simply says it’s “completely anonymous,” without any caveats.

But ignoring the lack of transparency, there’s an even larger problem.

ICEBlock spreads unverified information, making it useless for defending immigrants

Local immigrant defense groups around the country have been defending people from deportation for the last decade or more. In a training with NorCal Resist, I learned that when people post (and repost) unverified reports of ICE sightings on social media, it does more harm than good. Millions of people are living in a state of fear. From my experience working with NorCal Resist, most ICE sightings that people hear about aren’t real, even when the person reporting it believes that they are. It’s common for someone to see a bunch of dudes in uniforms, or sketchy looking vans, and assume it’s ICE, when it’s actually something else. If I had to guess, I’d say about 98% of reports are false positives. False reports encourage panic, which doesn’t help anyone.

Meanwhile, what people actually need are legal observers – people to document the behavior of federal agents, and provide this evidence to their lawyers. They also need help with connecting families of kidnapped people with information and lawyers, and they need communities coming out to defend their neighbors.

When I asked Joshua about this during the Q&A of his talk, he didn’t answer the question. Here’s my question and his non-answers:

Video clip: Joshua’s non-answer to my question about false positives and user research

Specifically, I asked:

With my local group, they put a whole lot of energy into verifying every single report before spreading information about it. My question is, how do you know that ICEBlock isn’t just full of false positives? And have you done any user research, or worked with local immigration groups to figure out how reliable this is, how much it’s actually helping people versus causing panic?

In an attempt to answer the question about user research, Joshua said, “No, we do not do any user data or metrics.” He misunderstood the question, apparently thinking that I meant collecting data from users rather than talking to humans who know more than he does and incorporating their feedback into the design of the app. He then explained what ICEBlock does to prevent malicious people from making false reports — including falsely claiming that it’s “not possible” to make tons of simultaneous fake reports (more on this below).

ICEBlock doesn’t verify anything, and instead only spreads unverified rumors. To be fair, verification is a very hard problem. In my local group, we have announcement-only Signal groups full of volunteers who physically verify every single ICE sighting that’s reported to our rapid response hotline. The vast majority of reports are false positives. There might be several reports a day, but actual ICE or CBP activity is much more rare. I’ve personally gone to check out maybe 10 to 15 different ICE sightings, only one of which turned out to be actual immigration enforcement (though by the time I got to the location, ICE had already left the area). None of these false reports were malicious: they were simply scared people who saw a bunch of vehicles and people in uniforms and reported an ICE sighting, when it was actually something else.

Another person in the audience asked a similar question:

I’m wondering, I think someone asked earlier, if in the design of ICEBlock, or even now, are you currently working with immigrant communities to figure out what resources they need?

Video clip: Another question about if Joshua has engaged with community groups

His answer was that ICEBlock has been translated into many different languages. And that the community organizers he’s spoken with told him that ICEBlock doesn’t meet their needs. So, he decided to not worry about their feedback and do his own thing instead.

If you want to support people who are actually protecting immigrants from deportation, please donate to NorCal Resist or your local community rapid response networks.

What’s GPS spoofing?

When Joshua explained the safeguards against abuse in the app, he claimed that it’s “not possible” to make 100 fake reports in a single morning, in part because you can only make reports within a 5-mile radius of your location. But apparently, Joshua has never heard of GPS spoofing. Even though I’m sitting at my house in California right now, here’s a screenshot I just took of the ICEBlock app from the Eiffel Tower in Paris. While I won’t go into details of the masterful hacking skills that this took, I’ll give you a hint: it’s the same technique kids use to cheat at Pokemon Go.

Screenshot: ICEBlock app, with GPS location spoofed to make it think I’m in Paris

Make ICEBlock open source? “Absolutely not.”

Someone asked whether Joshua would be interested in collaborating with the hacker community on ICEBlock, so they could provide him with advice and help him with feature development. Joshua rejected the idea, saying that he believes that he’d need to completely trust anyone he collaborated with. “Believe me when I say I would love help. I’m supporting over a million users myself. There’s not some giant company behind this,” he said. “But it’s really really hard for me to put my trust in somebody, and share the source code, and share the access to this.”

Video clip: Joshua explaining that he’s building ICEBlock all on his own because he can’t trust outside contributors

This is, of course, not how secure software development works. The most widely trusted security and privacy tools that exist, like Signal and Tor, are open source, and they accept peer review and code contributions from the public. The thing that makes this perfectly reasonable and safe is code review. If Joshua published the ICEBlock source code, experts in the hacker community could add features or fix bugs for him, and make pull requests with their changes. He could then carefully review the changes before merging them into his codebase. He could reject whatever changes he wants. You don’t actually need to trust – or even know the identity of – hackers who help you develop software. This is a solved problem, and Joshua seems utterly unaware of it.

My friend Jen Helsby, the CTO of Freedom of the Press Foundation and a SecureDrop developer, explicitly asked if he would be open to making ICEBlock open source. Here’s the clip:

Video clip: Joshua will not release ICEBlock as open source because he doesn’t believe in reverse engineering and thinks keeping the implementation details of his app obscure makes it more secure

Jen asked:

There’s a lot of secure software, that probably people in this room work on, that is developed in the open, and that is used primarily by at-risk users, including things like Tor, Signal, SecureDrop. That’s great, because it makes it easy for folks to contribute. Maybe you don’t want that, I understand that can be hard. But it also makes it easier for people to audit and gain assurance that the app is doing what you claim without having to have, you know, EFF reverse engineer it. Would you be open to making the app open source?

His answer: “Absolutely not.” Why? “I don’t want anybody from the government to have their hooks in how I’m doing what I’m doing. Once you go open source, everybody has access to it. So I’m just going to keep the codebase private at this time.” He also claimed that the government can’t learn everything about how an app works by reverse engineering it, which isn’t true. I agree with Jen. His answers are very concerning.

What’s security through obscurity?

Another person asked specifically how concealing the details of how the app works from the government is distinguishable from security through obscurity. Joshua agreed that security through obscurity is terrible… and denied that he’s doing it?

Video clip: Joshua falsely claiming he doesn’t do security through obscurity

In case you’re not aware of this term, the first sentence of the Wikipedia article on security through obscurity has a concise definition: In security engineering, security through obscurity is the practice of concealing the details or mechanisms of a system to enhance its security. NIST’s General Guide to Server Security lists “Open Design” as a core security principle, saying that, “System security should not depend on the secrecy of the implementation or its components.”

Minutes before this, Joshua had just finished explaining that he definitely won’t open source his app because, “I don’t want anybody from the government to have their hooks in how I’m doing what I’m doing.” He’s implying that his code includes some “secret sauce” that, if it were made public, would make the app less secure, so he can’t risk letting anyone discover how it works. This is the definition of security through obscurity.

My server is “HIGHLY secure,” he says to a room full of hackers

Throughout the Q&A, Joshua kept referencing the security of his server. At one point, he even said that he built it himself and it’s “HIGHLY secure.” He also assured the audience, “Trust me when I tell you, I think about EVERYTHING to the Nth degree.”

It took about 20 minutes of digging around to discover that the server that hosts the iceblock.app website is running on Linode and also hosts the websites of several of Joshua’s other projects, going back decades. This includes a website for his IT consulting business, his band, etc. If any one of those old websites gets hacked, it’s possible that the hacker could more easily access ICEBlock data that’s stored on the same server. Without providing more details, I also discovered that his server is running outdated software with known vulnerabilities.

What’s a warrant canary?

At one point, a lawyer asked some excellent legal questions:

I’m curious if ICEBlock either currently or has intentions to implement something like a warrant canary or other method. And more generally, whether you have received anything like search warrants, or All Writs Act requests, or anything else. Things like more intrusive means of obtaining information from ICEBlock. Things like requests for live interception, which would be authorized under a search warrant. And if you have a response plan in place already for those.

Video clip: A lawyer asking Joshua about warrant canaries and data requests

If you’re not familiar with warrant canaries, these are basically public notices that say, “I’ve never been forced to give up user data.” If the notice ever gets taken down, the public can infer that the service was in fact forced to hand over user data.

Joshua said, “No on the warrant canary, because it would probably require some sort of user data to do that.” He seemed to think that a warrant canary would be a new feature in the app (that’s, uh, not what a warrant canary is), and he completely ignored the legal questions, instead opting to talk about why it’s important to keep the app design simple. When the lawyer asked again what he would do if the government tried to compel him to spy on his users, Joshua simply said, “I’d just tell them to go fuck themselves.”

It’s a good answer, but it’s also naive. Government requests can include gag orders, preventing him from telling anyone that he has received them, and punishment for disobeying them can include threats of jail time. It’s good to plan ahead. Luckily, he has EFF and ACLU offering him legal support, in case he ever actually has to face something like this.

It’s not too late

Despite everything, I do think that Joshua’s heart is in the right place and that he genuinely wants to help people. He’s sticking his neck out to fight fascism, and the far right is harassing him and his family for it. This is why I, and several other hackers who attended his HOPE talk, spent so much time and energy (both during his talk and in the days after it) trying to encourage him to open things up so that ICEBlock, and its million-strong userbase, might yet become a helpful tool in defending immigrants against Trump’s fascist plans. He has rejected our offers. It’s possible for him to turn things around, but sadly, I’m not holding my breath.

From micahflee via this RSS feed
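The warrant canary mechanism the post describes (a standing public statement whose removal, or failure to be reissued, is the signal; no user data is involved) can be checked mechanically from the reader's side. This is an added example, not code from the post or from ICEBlock; the canary wording, the hypothetical service example.invalid, the 30-day cadence and the check_canary function are all constructed for it.

```python
"""Warrant canary freshness check (added example; not the post's or ICEBlock's code).

A warrant canary is a dated, regularly reissued public statement such as
"as of <date>, we have received no warrants for user data". A gagged operator
cannot say "we received a request" but can simply stop reissuing the statement,
so the reader watches for absence, staleness or a quietly dropped sentence.
The check needs only today's date and the operator's publishing cadence.
All canary text below is constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Matches the dated opening line, e.g. "As of 2025-07-20, ..." (constructed format).
DATE_RE = re.compile(r"^As of (\d{4}-\d{2}-\d{2}),", re.MULTILINE)

# Every statement a fresh canary must still affirm. If a reissued canary
# silently omits one of these, the omission is itself the signal.
REQUIRED_STATEMENTS = (
    "we have not received any national security letters",
    "we have not received any warrants for user data",
    "we have not been required to modify our service to enable surveillance",
)


@dataclass(frozen=True)
class CanaryStatus:
    state: str                 # "ok", "stale", "missing", "incomplete", "invalid"
    as_of: Optional[date]      # issue date of the statement, if parseable
    missing: Tuple[str, ...]   # required statements absent from the text


def check_canary(text: Optional[str], today: date,
                 cadence_days: int = 30, grace_days: int = 7) -> CanaryStatus:
    """Classify a canary fetched from the operator's site, as seen on `today`."""
    if text is None or not text.strip():
        # The notice is gone: the classic "the canary died" signal.
        return CanaryStatus("missing", None, REQUIRED_STATEMENTS)
    m = DATE_RE.search(text)
    if m is None:
        return CanaryStatus("invalid", None, REQUIRED_STATEMENTS)
    as_of = date.fromisoformat(m.group(1))
    if as_of > today:
        # A future-dated statement cannot be a truthful report about the past.
        return CanaryStatus("invalid", as_of, ())
    lowered = text.lower()
    missing = tuple(s for s in REQUIRED_STATEMENTS if s not in lowered)
    if missing:
        return CanaryStatus("incomplete", as_of, missing)
    if today - as_of > timedelta(days=cadence_days + grace_days):
        # Still published but not reissued on schedule: treat like a removal.
        return CanaryStatus("stale", as_of, ())
    return CanaryStatus("ok", as_of, ())


# Constructed sample canaries for a hypothetical service at example.invalid.
FRESH_CANARY = """Warrant canary for example.invalid

As of 2025-07-20, we have not received any national security letters,
we have not received any warrants for user data, and
we have not been required to modify our service to enable surveillance.

This statement is reissued every 30 days.
"""

# The same notice reissued a month later, with the "warrants for user data"
# sentence quietly dropped.
EDITED_CANARY = """Warrant canary for example.invalid

As of 2025-08-19, we have not received any national security letters, and
we have not been required to modify our service to enable surveillance.

This statement is reissued every 30 days.
"""


if __name__ == "__main__":
    for label, text, today in [
        ("fresh", FRESH_CANARY, date(2025, 8, 1)),
        ("overdue", FRESH_CANARY, date(2025, 9, 15)),
        ("edited", EDITED_CANARY, date(2025, 8, 20)),
        ("removed", None, date(2025, 8, 20)),
    ]:
        print(label, check_canary(text, today))
```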

Komunitas lemmy.world

*Permanently Deleted*

There are even fewer of us that remember the totally text-based forums and IRC that were in many ways the innocent Garden of Eden era, before Eternal September happened. I was very much a child, so I’m not really nostalgic about that era of the net, since it was far more of an echo chamber in many ways back then, but it was “safe” and “innocent” back then. You had to verify sources even more, since the majority of sources weren’t available online, but the vast majority of people using it were not only fluent in at least one human language, they were also fluent in multiple programming languages, Assembly being far more popular than it is now. This is when you could trust any link. The false actors hadn’t managed to infiltrate the protected Geek Sphere, quite yet. Then CompuServe happened, and it was no longer a refuge for us computer geeks; all of a sudden there were business people looking at our ideas. They didn’t like them much at all, to say the least. AOL followed and further saturated the net with people who had no idea what they could do with it. This is when us netizens started warning to check the link address before you clicked. Back then, you could easily keep a database list of the false actor domains. Then the late 90s and mostly 2000 happened. That’s the Wild West you’re talking about. All of a sudden, you HAD to have antivirus programs, you needed many programs such as adblockers that wouldn’t exist for another few years. IRC and Usenet had been piracy hubs, but all of a sudden Napster and Bearshare made those archaic forums unnecessary. Metallica did their thing, accidentally creating a bunch of Metallica fans that would never buy anything by Metallica, but they had access to their entire discography. Hell, discography downloads became a thing about this time. Don’t download the entire discography of The Kinks. That shit contains literally 40 to 120 gigs of MP3s across 40(?) albums, depending on compression quality.
I’m a Xennial, born in 1980 and on the net as early as late 1986 or early 1987; my father was in the industry and literally helped code parts of UNIX while he was in the Navy in the early 1970s. I’ve been shown evidence that we were the first household in a multi-state area, thanks to the meticulous data keeping of the Baby Bell that we were part of, that had two dedicated phone lines far earlier than anyone else except my father’s colleagues, all of whom lived multiple states away from us, since my father has been remote working as much as he can since SSH was adopted as standard in UNIX. He rejects all technology that he can. He claims that it is all based on extremely faulty programming, and we can’t trust it. There have been several periods as the net gets bigger, and I don’t doubt that we will look at right now as a “special time” in the future. I’m not sure if that will be because we finally found the limits of LLMs or if it’s because the net will evolve into something that is closer to the spirit of “a place to find the truth through facts,” which is what it started as.

Komunitas lemmy.world

Pinepods mobile apps and a request for help

Hi all! I’ve posted a couple times in the past about Pinepods, the ultimate self-hosted podcast server that syncs times between devices, archives, plays, and manages your podcasts. I’ve just finished up the very first builds of the official Pinepods mobile apps for both Android and iOS, and they are now in testing phases for both the Google Play Store and the App Store respectively. However, I’m at a small stopgap, and I need help from the selfhosted community. I need some people willing to sign up for the testing program and download the app in order to get them posted officially to the storefronts. You don’t even really have to use it (though I would really appreciate it if you gave it a try, as Pinepods has really made strides in becoming the best it can be as one of the most feature-rich podcast platforms around). I just need people to join the programs and install the apps in order to get on the app stores. Oh, and yes, before you ask, Android Auto and CarPlay support are coming in the next update. Not here yet, but very soon. I’ve done quite a bit of work to make sign-ups for the beta program as easy as possible; you can simply do it here. Simply choose your platform of choice and you’ll get an email with a link. And as an aside, Pinepods 0.8.0 is days away from fully releasing and has had its API FULLY rebuilt in Rust. The entire app is now 100% Rust and is blazingly fast because of it. If you do want to test out Pinepods, I would highly recommend pulling down the :nightly docker tag rather than latest for the time being. It’s really close to bug free at this point. I could say more about Pinepods itself, but I’ll let the site speak for itself; it got an overhaul in preparation for 0.8.0 and can really sell it. I’ve even just rolled out an official TUI-based client called Firewood. I’m really trying to make the best self-hosted podcast platform that does it all.

GitHub: https://github.com/madeofpendletonwool/Pinepods
Official site: https://pinepods.online/
And the beta testing link once more: https://www.pinepods.online/internal-testing

Feel free to reach out via GitHub Issues, the feedback page on the site, or messages if you run into any problems!

Komunitas lemmy.world

T-Mobile sued after employee stole nude images from customer phone during trade-in

I worked in my university’s computer lab and one time I had a girl complain that the computer wasn’t allowing her to do something (like download or save a file, this was over a decade ago) and she was frustrated. I asked her to show me what the issue was. She did what she was trying to do, a pop-up appeared and without reading it she clicked “no” and then proceeded to removed about it not working. I did it again and the pop-up was asking for permission but she kept denying it, and then complaining that it didn’t work 🤦‍♂️

Komunitas lemmy.world

[Discussion] Flatpaks, ram/disk usage and compression

This is why I’ve never liked the idea of flatpak, it really seems like the Windows way of doing things. It honestly still kind of surprises me that Linux people really wanted to download random binaries from non-trusted distributors that contain a copy of every library that software needs to run. wedontdothathere.jpg