Guardian Project @guardianproject@librem.one

Mozilla is ringing the alarm bell on a dangerous EU regulation.

https://last-chance-for-eidas.org

Willkommen bei #ORFodon!

Der @ORF_News Bot hat jetzt seine eigene Instanz und eine Menge neuer Funktionen. Die Sparten und Bundesländernachrichten haben jetzt ihre eigenen Konten und dementsprechend ist eine viel flexiblere Filterung der Nachrichten und Beiträge des #ORF möglich.

Um Mehrfachbeiträge zu vermeiden, boosten die Kanäle einander.

Der Dienst wird weiterhin inoffiziell und privat betrieben.

Viel Spaß!

Weitere Informationen:
https://orfodon.org/about

#Mastodon #Fediverse #News

austrian public broadcaster is on the fediverse, in case you are into monitoring int'l news: https://orfodon.org/@ORFodon/111375092254666650

For example, the biggest #mobile #malware incident that I know about remains #XCodeGhost https://en.wikipedia.org/wiki/XcodeGhost, which got into over 4000 apps, which all passed #Apple's review and were shipped by the Apple App Store. All told, those apps were installed 128 million times. Another measure is #NSOGroup #Pegasus which seems to have maintained zero click access to #Android and #iOS for years. That is spread by exploiting messenger apps, not by #AppStore or "sideloading" 3/

Google and Apple provide data about the malware they catch in their app store review processes. Both of them talk about "sideloading" as a security risk. Notably, neither Apple nor Google provide data on how much malware comes from outside of their app stores. Nor do they provide data-based analysis of which is the bigger threat: malware that makes it into their app stores or from other channels. They have this data, they track installs and active apps plus there is #PlayProtect #XProtect etc 2/

In my work with #FDroid I've discussed our work with gov regulators for South Africa, UK, EU and Japan as well as competition litigators from multiple US States and the EU. From this, I'm starting to see a picture of #Apple's and #Google's semi-related strategies of making "sideloading" (installing apps outside of their #gatekeeper control) look bad as a way to keep their monopolies in the face of #DMA and other regulatory actions. I'm still looking for data about the actual real world risks 1/

Perhaps the most difficult case ever for #Debian packagers: #Gradle They do all the things that make packaging a nightmare:

* Build the tool with itself
* Circular dependencies: Gradle needs #Kotlin to build which needs Gradle to build...
* Depend on snapshots to build releases, but then they don't keep a way to reproduce the snapshot releases https://github.com/gradle/gradle/issues/26516
* Java-style bundling of all dependencies
* Hidden proprietary depends https://github.com/gradle/gradle/issues/16439

thanks ebourg for keeping on!

🚨🚨WE URGE EVERYONE TO UPDATE THEIR APPLE DEVICES AS SOON AS POSSIBLE.

We have found an actively exploited #zero #click vulnerability that was used to deliver #NSO group’s #Pegasus #spyware https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

"This bug also shows that we have an over-reliance on #fuzzing for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote #exploit attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed." https://blog.isosceles.com/the-webp-0day/ #libwebp #WebP

The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like #Debian pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.

Our director @rondeibert has a new article in Foreign Affairs called 'The Autocrat in your iPhone," that outlines abuses around the mercenary spyware industry and the risks these pose to liberal democracy. https://www.foreignaffairs.com/world/autocrat-in-your-iphone-mercenary-spyware-ronald-deibert

To deliver on our mission, we are (Update 2) launching our 2023 RFP *today* - and are looking forward to proposals ranging from new original research to implementation of prior findings. Deadline for the Call is October 1st. Apply via https://fordfoundation.forms.fm/2023-digital-infrastructure-insights-fund-rfp/forms/9724 - All info below.