It's pretty likely the guy blocked the author after seeing them link a blog post insulting his work, no?
Sure he should take the vulnerability report seriously, but it's pretty clear that bundling a report above the words "activism theater" isn't going to make someone want to read it.
Instead, just "hey man, you're on a vulnerable version of httpd" is likely going to be more effective.
To be fair, even if he did update apache. It's running at linode. One phone call from the feds and they have what want.
Either don't collect anything useful or at least host the server somewhere where a US warrent doesn't as easily work as cutting butter with a hot knife...
I don’t think anybody has gone out of their way, even the creator of IceBLOCK himself, to suggest that the creator is an IT security expert. He’s just some guy who accidentally landed in a role and is doing what he can.
Yeah he's always been block happy for ANY amount of criticism. Really seems like this guy is more interested in looking like a good person for making this app.
Unless I've got the timeline wrong did the author contact ICEBlock's creator about the outdated Apache version and then a few hours later post publicly about it? If that's the case I can understand why he blocked the author.
Me having no idea what ICEBlock was thinking that they sent laywers after the author and ignored the warnings. This isn't that but its almost. He seems to genuinely want to help people but doesn't seem to know what he is doing, especially in relation to security.
Hopefully it doesn't end up doing more harm than good
The author comes off a bit as a prick there... why didn't he just say "hey man I think you have an issue, it's there, now here's how to fix it (he didn't tell him, he just says in his blog post "it's easy"), and BTW I'm here for a video call if you want me to get through it together"
I’ve never built something like ICEBlock that puts me personally in the crosshairs of not just normal hacking attempts, but also the political will of the federal government. I can’t imagine the cess pool that is Joshua’s DMs. I think OP makes all the right assessments when examining how seriously ICEBlock is taking the risks here. The Android push notifications assertion is proof enough to make me raise a pretty big question, let alone the other issues raised.
Were I building something that I would want to assert the level of privacy claims that ICEBlock asserts, I would absolutely be taking any/all reports about security extremely seriously.
> run something like sudo apt update && sudo apt upgrade
I assume this means that the author of this post has seen the Debian version in their nmap. The latest version of which would be 2.4.65-1~deb12u1[1]. You'll notice that there is a Debian version number attached to the Apache version number which means that the version number NMAP found doesn't necessarily mean software is unpatched. I've never used Iceblock or talked to this developer but I have no doubts he's dealing with beg bounties[2], harassment, and bad faith critique of his software which the screenshotted messages look like.
EDIT: For the sake of clarity, I think I should have phrased it the other way around. Bad faith messages look like the ones the author sent. I'm not discussing the actual intention of the messages but the pattern seeking brain's reception to them.
Checking version numbers usually isn’t a good way of determining whether software on Linux is vulnerable to CVEs. Big distros (especially Red Hat derivatives) lock software versions but back port security patches. Reporting “vulnerabilities” solely based on reported version number is pure noise.
No PoC exploit, no real exploitability. I propose we use the term "CVE Kiddie" until this bullshit stops. It could even be a fake-advertised version header.
Assuming Debian because why not, (and because I don't want to look at RHEL):
2.4.57 never made it into Debian stable, only went as far as testing and unstable.
2023-10-19 was when 2.4.57 was superseded by 2.4.58 in unstable.
So assuming they are not using RHEL or similar, they have either pinned Apache httpd, used a custom build, or haven't updated their server since the start of 2024.
- - -
Since then, there have been 11 moderate, 8 important security fixes according to Apache.
Disclaimer: UK citizen. I don’t know anything about ICE or whose side I’m “supposed to be on” politically here. I’m just responding to the details in the article. The app might as well be TodoApp.
The vulnerability couldn’t have been reported in a worse way. OP gave unreasonably short deadlines, allowed moral opinions about the software to interfere with responsible disclosure, and interspersed details about the potential vulnerability with inflamatory remarks about the mission of the product. I don't think OP's goal was actually to secure the app.
OP was going to publish a scathing blog post about ICEBlock either way, and essentially engineered a situation where the ICEBlock author had to act within unreasonable timelines. He published the original blog post an hour and a half after reporting the vulnerability. Then gave a week’s deadline before another one.
Sure, potentially the ICEBlock author also allowed feelings to interfere with upgrading the vulnerable version too.
But ICEBlock has millions of users, according to the blog post. I’m cautious about upgrading dependency versions for apps I manage with <100 internal users. In my experience, upgrades are 99% trivial, and 1% cause disastrous headaches and downtime. If I were the ICEBlock author, I would put this on a list of things to look into, and ensure that it was tested thoroughly if I did decide to upgrade. It’s not as simple as running “sudo apt upgrade”.
And I imagine that given the scale of the product, the author has incredible demands on his time, and can’t just drop everything because somebody (who has already shown themselves to be communicating rather negatively) imposes an arbitrary short deadline.
Now maybe it turns out that I’m unaware that ICEBlock is a huge net negative for the world, which is why this post has so many upvotes. But just interpreting the facts as they’re presented in the article, and substituting ICEBlock for TodoApp… I don’t see how the developer has acted unreasonably.
48 comments
[ 1.8 ms ] story [ 70.3 ms ] threadI've been burned in the long past when trying to be helpful to an activist. The accuracy of information provided was never a consideration.
Sure he should take the vulnerability report seriously, but it's pretty clear that bundling a report above the words "activism theater" isn't going to make someone want to read it.
Instead, just "hey man, you're on a vulnerable version of httpd" is likely going to be more effective.
https://micahflee.com/unfortunately-the-iceblock-app-is-acti...
Either don't collect anything useful or at least host the server somewhere where a US warrent doesn't as easily work as cutting butter with a hot knife...
Hopefully it doesn't end up doing more harm than good
Were I building something that I would want to assert the level of privacy claims that ICEBlock asserts, I would absolutely be taking any/all reports about security extremely seriously.
Maybe I missed it, but was it ever established that these general vulnerabilities are actually relevant to this specific system/implementation?
I assume this means that the author of this post has seen the Debian version in their nmap. The latest version of which would be 2.4.65-1~deb12u1[1]. You'll notice that there is a Debian version number attached to the Apache version number which means that the version number NMAP found doesn't necessarily mean software is unpatched. I've never used Iceblock or talked to this developer but I have no doubts he's dealing with beg bounties[2], harassment, and bad faith critique of his software which the screenshotted messages look like.
EDIT: For the sake of clarity, I think I should have phrased it the other way around. Bad faith messages look like the ones the author sent. I'm not discussing the actual intention of the messages but the pattern seeking brain's reception to them.
[1]: https://security-tracker.debian.org/tracker/source-package/a...
[2]: https://www.troyhunt.com/beg-bounties/
2.4.57 never made it into Debian stable, only went as far as testing and unstable.
2023-10-19 was when 2.4.57 was superseded by 2.4.58 in unstable.
So assuming they are not using RHEL or similar, they have either pinned Apache httpd, used a custom build, or haven't updated their server since the start of 2024.
- - -
Since then, there have been 11 moderate, 8 important security fixes according to Apache.
The vulnerability couldn’t have been reported in a worse way. OP gave unreasonably short deadlines, allowed moral opinions about the software to interfere with responsible disclosure, and interspersed details about the potential vulnerability with inflamatory remarks about the mission of the product. I don't think OP's goal was actually to secure the app.
OP was going to publish a scathing blog post about ICEBlock either way, and essentially engineered a situation where the ICEBlock author had to act within unreasonable timelines. He published the original blog post an hour and a half after reporting the vulnerability. Then gave a week’s deadline before another one.
Sure, potentially the ICEBlock author also allowed feelings to interfere with upgrading the vulnerable version too.
But ICEBlock has millions of users, according to the blog post. I’m cautious about upgrading dependency versions for apps I manage with <100 internal users. In my experience, upgrades are 99% trivial, and 1% cause disastrous headaches and downtime. If I were the ICEBlock author, I would put this on a list of things to look into, and ensure that it was tested thoroughly if I did decide to upgrade. It’s not as simple as running “sudo apt upgrade”.
And I imagine that given the scale of the product, the author has incredible demands on his time, and can’t just drop everything because somebody (who has already shown themselves to be communicating rather negatively) imposes an arbitrary short deadline.
Now maybe it turns out that I’m unaware that ICEBlock is a huge net negative for the world, which is why this post has so many upvotes. But just interpreting the facts as they’re presented in the article, and substituting ICEBlock for TodoApp… I don’t see how the developer has acted unreasonably.
Post script: I followed up and read the original blog post (https://micahflee.com/unfortunately-the-iceblock-app-is-acti...), which I largely agree with. I still think Micah has mishandled communicating the vulnerability.