- cross-posted to:
- [email protected]
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
- [email protected]
You must log in or register to comment.
An important part of the effort is culture and esthetics. “ICE SUCKS DONKEY BALLS AND YOU SHOULD AVOID THEM LIKE THE PLAGUE INFESTED RAT FASCISTS THEY ARE” is a message worth amplifying, even if the tool to actually do the avoidance is flawed.
Yes, it’s theater. But theater is praxis too.
deleted by creator
It sounds like he’s just a dev who’s in over his head but either doesn’t want anyone to take his baby or doesn’t want people to see his sloppy and possibly insecure code. It’s probably a hack job behind the scenes and he’s not really as sure of its security, so he might be opting for security through obscurity.
But this isn’t really taking up space. Someone else can make a better app. If this guy isn’t the one to really make a useful crowd sourced anti ICE app, that’s not a problem. Let’s get that OS crowd together and work with local groups and make something better. In the meantime, this is a statement.
The problem is that people are falling over themselves to help him and he keeps declining while looking at them like they’re the idiots.
So what’s the complaint here, that he’s being rude? The only thing lost if people build an alternate app rather than being allowed to work on his app is him.
The complaint is: Narcissistic incompetent dev spreads FUD while putting vulnerable people at risk.
The risk appears to be anxiety, not an active threat to their safety. The black box security analysis did not indicate any direct data leakage. We don’t know the app is safe, but we also don’t have any indication it’s doing anything particularly risky.
For the most part, we don’t know what the risks are, because the app is closed-source.
What we do know is that Apple logs the downloads of every account on their platform. That alone is enough to paint a target on the backs of vulnerable people.
We also know that the gov is intercepting notification data, in the form of " which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. In certain instances, they also might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification."
You can bypass this data collection by using UnifiedPush on Android. Apple has no such alternative.
These are all things that I, a random internet dumbass with no development experience, knows, but somehow this fool does not, despite being educated over and over.
I appreciate the link about the potential for push harvesting. That was not something I was aware of.
It doesn’t sound like they’re intercepting though, it sounds like they’re asking the platform to provide it. That should require a warrant unless Apple has gone full collaboration, but that does make it insecure to a targeted search. And paired with fake reports could potentially be used to geolocate someone to a rough area with some work.
Though I think if they have enough to compel cooperation from the platform they could also just get cell tower or direct GPS info. I’m not sure this really opens up a new vulnerability separate from the general risk of using a smartphone when the government can produce a warrant (which with the coopting of the judiciary may not be as high a bar as it once was).
That should require a warrant
Pretty meaningless in the context of our current dictatorship.
they could also just get cell tower or direct GPS info. I’m not sure this really opens up a new attack vector.
Cell towers and GPS info don’t provide any information about what the user is doing on the device.
No, the thing that’s lost is all the vulnerable people using an app filled with vulnerabilities waiting to be exploited by a vindictive government.
If you actually read the post they go into detail about this.
I agree that there should be an alternative, open-source project, though I know I’m not all that qualified to support outside of financially, (which I would).
I disagree that this isn’t taking up space. Notoriety is a huge asset, especially for tools like this that rely on crowd-sourced information. It would be far better, all other things being equal, to start with the user base and name of ICEBlock than to make a competitor and need to promote it enough to get people to use it over ICEBlock. I highly doubt that a competitor will get anywhere close to the same media attention that this got.
It sounds like he’s just a dev who’s in over his head but either doesn’t want anyone to take his baby or doesn’t want people to see his sloppy and possibly insecure code
I’d bet it’s a LOT more along the lines of the second guess, because it’s now cost his wife her job and has gotten him quite publicly tagged along with it. He’s got a large portion of himself invested in it, and of course it will sting and suck for a bunch of folks to come along and point out, both gently and horribly, knowing OSS folks, all the shortcomings and then make changes.
It doesn’t really seem like there’s any “secret sauce” there. What’s to stop someone who knows more about development from making a better version?
There are lots of better versions that exist. Unfortunately they haven’t received the same amount of traction, which is important for this type of app. Here’s one: https://fire-app.net/
How is this any better? From the site it appears to also be closed source with no security audit and using push notifications.
It’s better because you can download it directly from the site. And also they have a web version.
That only solves one problem, unfortunately. Other than that, the FIRE app seems to have the same problems as the ICEBlock app.
I’m down to do it, I just need to figure out a way not to get deported over it.
Isnt that they same App that got completely obliterated by a single Mastodon post by GrapheneOS?
Doesn’t seem like it? https://grapheneos.social/search?q=iceblock&type=statuses
It was BlueSky, not Mastodon and is linked in the article: https://bsky.app/profile/grapheneos.org/post/3lt2prfb2vk2r
All activism is activism theater if it does not serve to direct counter-battery fire
Mobilization is the spark; organization is the fire. If you have the first and not the latter, you’re not moving the needle. Governments love mobilization because they can co-opt it. They can waste people’s energy via constant mobilization without established organizations.
Aren’t they going to dismantle any organization that works to undermine them ?
Maybe even shortcircuit it covertly to serve their own ends ?
I think the mobilization has to point toward something self-organization, an air-tight logic of action that operated randomnly enough that they don’t see it coming and therefore their bureaucracy can’t stop it or recuperate itYep, that’s why the super mainstream organizations putting marches together are always suspicious to me. They get their funding from somewhere and the overarching goal is never 100% clear. Often times it’s good people at the center that aren’t aware of the ulterior motive behind the ones bankrolling it.
Even smaller orgs can be easily manipulated. They often don’t do any real research on people before giving them access to internal information that they could easily send to whoever they are working for. It’s something I wish more activist and other organizations would invest their time into.
Has anyone else already read the whole thing and could save us a little time?
- The creator is not an immigrant
- Nothing preventing malicious users from flooding the app with false reports
- Author estimates 98% of reports are false positives, whether malicious or not
- Dev demonstrates lack of understanding of basic privacy and security principles live at HOPE conference
- Doesn’t distribute Android version due to previously-mentioned lack of understanding
- Refuses open sourcing while demonstrating that he doesn’t understand how that works either
- Overall does more harm than good
An excerpt
Jen asked:
There’s a lot of secure software, that probably people in this room work on, that is developed in the open, and that is used primarily by at-risk users, including things like Tor, Signal, SecureDrop. That’s great, because it makes it easy for folks to contribute. Maybe you don’t want that, I understand that can be hard. But it also makes it easier for people to audit and gain assurance that the app is doing what you claim without having to have, you know, EFF reverse engineer it. Would you be open to making the app open source?
His answer: “Absolutely not.”
Why? “I don’t want anybody from the government to have their hooks in how I’m doing what I’m doing. Once you go open source, everybody has access to it. So I’m just going to keep the codebase private at this time.”
He also claimed that the government can’t learn everything about how an app works by reverse engineering it, which isn’t true.
I agree with Jen. His answers are very concerning.
The first one seems irrelevant. The second is sort of inevitable without making it hard to report anything.
Everything else is just exactly what people were saying from the start. I dont know why people keep defending this privacy nightmare of an app.
The first one seems irrelevant.
I agree. I’m just repeating what I read.
Yeah i know. Wasnt judging your comment, only the original article based on the info in your comment. :)
