Last week, I wrote about how Joshua Aaron's ICEBlock app, which allows people to anonymously report ICE sightings within a 5-mile radius, is – unfortunately, and despite apparent good intentions – activism theater. This was based on Joshua's talk at HOPE where he made it clear that he isn't taking the advice
Honestly, apart from the report being potentially wrong, the researcher seems pretty entitled as well. Like, good intentions and all that, but he's given him a week to fix the issue; usual practice in responsible disclosure is 90 days. We're not talking about a company here, it's some single random dude providing the app.
This really sounds like some personal issue written down for public drama, while making himself ridiculous for not knowing his own shit properly.
Security researchers feel entitled to use any kind of practice that does not comply with the security best practice homunculus to barge into the affairs of others; anyone found in default MUST remedy the situation or discontinue operations immediately; the security researcher has graced the community with his works, and now that a flaw has been found it MUST be remedied and the security researcher is to be rewarded and adulated for his diligence and high moral standing!
This is an Apache server version error; it takes 5 minutes to fix.
So fucking what? He is not being paid in any kind, and anything he does on that project is volunteer work. What if he was not able to do anything on that project due to regular work, vacation, personal issues, or the simple fact that he didn't want to?
If you don't pay for a service, you don't get to decide what people do. Deal with it.
Well, on one hand, sure.
On the other hand, detrimental reliance is a tort, and if someone is relying on an app for a specific safety function, the app could be civilly liable if it fails its function in some way.
Imagine if you had this attitude about an insulin use tracker/calculator that sometimes gave wildly wrong insulin dose numbers.
Maybe down the road it's decided that aiding and abetting ICE is a crime, and providing misinformation, intentionally or unintentionally, is a criminal act. App developer dude could be criminally liable if he knew or ought to have known he had vulnerabilities. You know, in your New Nuremberg trials that you are going to get sometime in the next decade or so.
That's not to say the researcher is in the clear; the timeline is too tight for his end of this to be a responsible disclosure.
Without providing more details, I also discovered that his server is running outdated software with known vulnerabilities.
I was intentionally vague because I knew that his server was vulnerable at the time of writing, and I didn't want anyone to exploit one of these vulnerabilities before he had a chance to fix it.
Also, this is not vague; profiling techniques exist, and it puts a clear target on the ICEBlock servers.
On the other hand, detrimental reliance is a tort, and if someone is relying on an app for a specific safety function, the app could be civilly liable if it fails its function in some way.
Yes, if the app were any kind of official tool.
Imagine if you had this attitude about an insulin use tracker/calculator that sometimes gave wildly wrong insulin dose numbers.
Yes, and that's why regulations for those kinds of things exist that prevent those things. There is no regulation for the ICE tracker.
Maybe down the road it's decided that aiding and abetting ICE is a crime, and providing misinformation, intentionally or unintentionally, is a criminal act. App developer dude could be criminally liable if he knew or ought to have known he had vulnerabilities. You know, in your New Nuremberg trials that you are going to get sometime in the next decade or so.
If down the road a regulation for it were to happen, app developer dude would be forced to either comply or to stop operations.
We wouldn't need so much regulation if things were just well reasoned and fit for purpose. Or if they would stop only pretending to be those.
No matter how well reasoned or allegedly fit for purpose something is, or how much it pretends to be, we shouldn't be trusting those promises, especially not from people we don't know. That does not end well, neither for the free candy van nor for cybersecurity. Trust like that has been responsible for a lot of attacks over varying vectors and for projects going wrong.
Well yeah, that just requires a consensus on what is trustworthy. There are some things that are trustworthy, and you need to have some way to identify that if you are going to protect yourself.
But that just shifts the blame to the user, who is a non-expert, and we don't really have good ways to identify safe software products. There's stuff like CSA for physical products. It's short-sighted to say "well, if you don't know, use nothing", because that's not going to happen.
You don't like it, don't use it. Lol
I'm also in Canada. Just because I'm not using it, I'm not going to give either of these guys a pass on maybe hurting people, or even putting them at risk of harm.
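The "Apache server version error" and "profiling techniques exist" remarks above both turn on what an HTTP Server banner gives away. As an added example, written for this page and not code from the post, from ICEBlock or from the researcher, the Python below parses a Server header, infers which Apache ServerTokens level produced it, and compares the disclosed version against a floor the caller supplies. The banners in SAMPLE_BANNERS are constructed for the example; no real host was queried, and nothing here describes what the ICEBlock server actually runs. The version floor is an assumption the caller makes, since the script does not know which Apache releases are vulnerable.

```python
"""Parse an HTTP Server banner and infer the Apache ServerTokens level behind it.

Added example for this thread, not code from ICEBlock or the researcher.
All banners below are constructed; no real server was contacted.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample banners, one per Apache ServerTokens value
# (Full, OS, Min, Minor, Major, Prod), as documented for httpd 2.4.
SAMPLE_BANNERS = {
    "Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 PHP/7.2.24": "Full",
    "Apache/2.4.29 (Ubuntu)": "OS",
    "Apache/2.4.29": "Min",
    "Apache/2.4": "Minor",
    "Apache/2": "Major",
    "Apache": "Prod",
}

# What a hardened httpd.conf sets: no version in the banner, no footer on error pages.
HARDENING = "ServerTokens Prod\nServerSignature Off\n"

_PRODUCT = re.compile(r"(?P<name>[A-Za-z][A-Za-z0-9_.+-]*)(?:/(?P<version>\d[\w.-]*))?")
_PAREN = re.compile(r"\(([^)]*)\)")
# A trailing module token, optionally followed by its own "(comment)".
_EXTRA = re.compile(r"\S+(?:\s+\([^)]*\))?")


class Banner(NamedTuple):
    product: str                 # "Apache", "nginx", ...
    version: Optional[str]       # "2.4.29"; None when the server hides it
    os_comment: Optional[str]    # "Ubuntu"; None when hidden
    extras: Tuple[str, ...]      # loaded-module tokens, e.g. ("OpenSSL/1.1.1", "PHP/7.2.24")


def parse_server_header(value: str) -> Banner:
    """Split a Server header into product, version, OS comment and module list."""
    value = value.strip()
    m = _PRODUCT.match(value)
    if not m:
        raise ValueError(f"unparseable Server header: {value!r}")
    rest = value[m.end():].strip()
    os_comment = None
    pm = _PAREN.match(rest)
    if pm:
        os_comment = pm.group(1).strip()
        rest = rest[pm.end():].strip()
    extras = tuple(_EXTRA.findall(rest)) if rest else ()
    return Banner(m.group("name"), m.group("version"), os_comment, extras)


def server_tokens_level(b: Banner) -> str:
    """Infer the ServerTokens setting that would emit this banner."""
    if b.extras:
        return "Full"          # module list present: the httpd default
    if b.os_comment:
        return "OS"
    if b.version is None:
        return "Prod"          # product name only
    parts = b.version.split(".")
    return {1: "Major", 2: "Minor"}.get(len(parts), "Min")


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a dotted version: '2.4.29' -> (2, 4, 29), '2.4.29-1ubuntu' -> (2, 4, 29)."""
    nums = []
    for piece in re.split(r"[.-]", v):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)


def is_older_than(b: Banner, floor: str) -> Optional[bool]:
    """True if the banner discloses a version below `floor` (caller-chosen, an assumption).

    Returns None when the banner does not disclose enough digits to decide, e.g.
    "Apache/2.4" against a floor of "2.4.58": hiding the patch level hides the answer too.
    """
    if b.version is None:
        return None
    disclosed, wanted = version_tuple(b.version), version_tuple(floor)
    if len(disclosed) < len(wanted):
        return None
    return disclosed < wanted


if __name__ == "__main__":
    for header, expected in SAMPLE_BANNERS.items():
        b = parse_server_header(header)
        print(f"{header!r:55} -> ServerTokens {server_tokens_level(b):5} (expected {expected})")
    print(HARDENING)
```

Two caveats the thread itself gestures at: dropping to `ServerTokens Prod` only removes the cheap fingerprint, it does not patch anything, so an unpatched httpd is just as exploitable afterwards; and, as `is_older_than` returning None shows, a banner that hides the patch level leaves an outside researcher unable to tell a patched server from an unpatched one, which is why "outdated software" claims drawn from banners alone should be read with that uncertainty in mind.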