53
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 08 Sep 2025
53 points (100.0% liked)
Technology
540 readers
296 users here now
Share interesting Technology news and links.
Rules:
- No paywalled sites at all.
- News articles has to be recent, not older than 2 weeks (14 days).
- No external video links, only native(.mp4,...etc) links under 5 mins.
- Post only direct links.
To encourage more original sources and keep this space commercial free as much as I could, the following websites are Blacklisted:
- Al Jazeera;
- NBC;
- CNBC;
- Substack;
- Tom's Hardware;
- ZDNet;
- TechSpot;
- Ars Technica;
- Vox Media outlets, with exception for Axios;
- Engadget;
- TechCrunch;
- Gizmodo;
- Futurism;
- PCWorld;
- ComputerWorld;
- Mashable;
- Hackaday;
- WCCFTECH;
- Neowin.
More sites will be added to the blacklist as needed.
Encouraged:
- Archive links in the body of the post.
- Linking to the direct source, instead of linking to an article talking about the source.
Misc:
Relevant Communities:
- Beehaw Technology- Technology Related Discussions.
- lemmy.zip Technology- Hard Tech news.
founded 4 months ago
MODERATORS
The author of this article seems like the jerk to me and acts like he just found a major vulnerability in Android or something not a free app that collects no PII.
This app is about reporting the activities of an increasingly authoritarian state. Security should be top of fucking mind in an app like that. Otherwise the authorities will hack into there in no time and then everyone involved will have a bad time.
A server that received no PII will have a hard time logging them even if the feds take over the server.
Reporting them anonymously, so what exactly is there for the government to hack in and find? This isn't Facebook where you have to provide them with your photo ID.
You do realize that if they hack in they could simply set it to log user data while making it continue to appear anonymous to the outside? Even just an IP address could be pretty useful in locating who is tipping off the public about ICE raids.
Log what user data ? None is sent and that's shown by the guy shitting on the project in their blog post.
Plus if they want your IP they don't need to hack the server, they ask either the provider, cloudflare, your ISP or even just via PRISM.
You do realize that the extent of this "disclosure" was looking at what version of Apache he's running and quite literally nothing else? No testing. No verification. No evidence.
As pointed out in the comments on the disclosure, this version of Apache does have the necessary patches in some installs and even if it didn't, its unlikely to leave any vulnerabilities as his app is completely bare bones intentionally for the very reasons you listed.
You can come up with all kinds of fictional scenarios for what could happen like we're in some hacker movie where the government just "hacked into the mainframe," but that doesn't make them real without any actual evidence.
This dude obviously has a personal agenda here and is trying to make some big scandal out of nothing.
what do you mean? that Micah should have tested the vulnerability, by hacking the server? that's heavily illegal.
Defamation is also illegal, so what's your point? That didn't stop him from making claims about ICEBlock without any actual proof in his rush to disparage this guy and his app as people do when they have an axe to grind. He clearly "handled it in the worst possible way."
if the iceblock dev weren't such a douchebag, they wouldn't be defamed. It's not good if they didn't update security critical software, but what's much worse is how the dev handled it.
In what way is the dev a douchebag? He blocked some self-important troll who has an axe to grind against him. You literally have no idea whether his Apache needs to be updated or not or whether there are any vulnerabilities in his app.
You clearly also have an axe to grind here which is why you have nothing of substance to say and instead rely solely on unfounded accusations and name calling as an argument.
That's usually how that works. You do a pen test and report vulnerabilities found and show a proof of concept of how you did it.
Just checking the version of Apache means absolutely nothing here and any security check that only does that is useless.
if the operator blocks you instead of giving a fuck, the consent for that cannot be obtained.
An IP address might not be sufficient to prove someone did something in a court of law, but it will definitely be enough to be thrown in a ICE detention center, assulted, and possibly deported if your skin isn't white before it gets to court.