ICEBlock handled my vulnerability report in the worst possible way
ICEBlock handled my vulnerability report in the worst possible way
micahflee.com
ICEBlock handled my vulnerability report in the worst possible way
4 comments
-
-
I agree that security by obscurity is a terrible security policy. But you have to cut the developer a little slack, he goes and makes a nice thing to put immigrants at ease (95% incorrect reports still better than no report information as one can just assumes ICE is everywhere), with proven by reverse engineering he doesn't collect or store data and he's not interested in storing aggregate data. In return he gets threats from government on him and his family, praise but also criticism and hatespeech from random internet folks.
This dev does appear to have a problem with separating wheat from chaff. While the security researcher does raise several legitimate points, the way it is presented and the way it was reported to the dev sounds a bit adversarial and can be interpreted like a conclusion in search of evidence. Disclosure periods are usually days at minimum, weeks to months depending on the severity. There would be more time to properly explain, rather than "You need a warrant canary!", which will simply be met with "No, I don't!".
Edit: sorry for triple commeting, app was timing out
-
I suppose there's just no helping some people.
-
-
uh.. So that's it, the apache server version? That's all? I looked at the critical cve's for that version, and honestly, they'd require a pretty specific setup to be abused if I understood them correctly. Most of them were various DoS with no information disclosure, and the only spooky one I saw require the server to have scripts the server is allowed to execute, but outside of the normal url mapping. Which then would have to be disclosing some info or doing something spooky. The rest seem to require the attacker to control the app behind the apache2 server.
Would be better to upgrade, of course, but it looks nowhere near as bad as the blog author makes it sound.
The actual vulnerability doesnt matter, its the way the guy handled it and keeps handling everything. He is just not mentally and technically equipped to run a project like this. He is completely out of his depth.
The only thing he should be doing is publishing his source code and handing the project over to people that know how to deal with things like this. But he just really wants to play the hero instead of actually making sure that people can effectively avoid ICE.