Show more

For example, the biggest incident that I know about remains en.wikipedia.org/wiki/XcodeGho, which got into over 4000 apps, which all passed 's review and were shipped by the Apple App Store. All told, those apps were installed 128 million times. Another measure is which seems to have maintained zero click access to and for years. That is spread by exploiting messenger apps, not by or "sideloading" 3/

Show thread

Google and Apple provide data about the malware they catch in their app store review processes. Both of them talk about "sideloading" as a security risk. Notably, neither Apple nor Google provide data on how much malware comes from outside of their app stores. Nor do they provide data-based analysis of which is the bigger threat: malware that makes it into their app stores or from other channels. They have this data, they track installs and active apps plus there is etc 2/

Show thread

In my work with I've discussed our work with gov regulators for South Africa, UK, EU and Japan as well as competition litigators from multiple US States and the EU. From this, I'm starting to see a picture of 's and 's semi-related strategies of making "sideloading" (installing apps outside of their control) look bad as a way to keep their monopolies in the face of and other regulatory actions. I'm still looking for data about the actual real world risks 1/

Perhaps the most difficult case ever for packagers: They do all the things that make packaging a nightmare:

* Build the tool with itself
* Circular dependencies: Gradle needs to build which needs Gradle to build...
* Depend on snapshots to build releases, but then they don't keep a way to reproduce the snapshot releases github.com/gradle/gradle/issue
* Java-style bundling of all dependencies
* Hidden proprietary depends github.com/gradle/gradle/issue

thanks ebourg for keeping on!

🚨🚨WE URGE EVERYONE TO UPDATE THEIR APPLE DEVICES AS SOON AS POSSIBLE.

We have found an actively exploited #zero #click vulnerability that was used to deliver #NSO group’s #Pegasus #spyware citizenlab.ca/2023/09/blastpas

"This bug also shows that we have an over-reliance on for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed." blog.isosceles.com/the-webp-0d

The vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of . In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.

Our director @rondeibert has a new article in Foreign Affairs called 'The Autocrat in your iPhone," that outlines abuses around the mercenary spyware industry and the risks these pose to liberal democracy. foreignaffairs.com/world/autoc

To deliver on our mission, we are (Update 2) launching our 2023 RFP *today* - and are looking forward to proposals ranging from new original research to implementation of prior findings. Deadline for the Call is October 1st. Apply via fordfoundation.forms.fm/2023-d - All info below.

Google's new Takeout interface (see image). Good stuff: allows storing the data in other non-Drive services (Box, Dropbox), periodic exports, granular selection of data, good coverage of common formats. Bad stuff: still no actual portability through interoperability - you cannot do service-to-service transfer.

From today on the English version of "Ada & #Zangemann - A Tale of Software, Skateboards, and Raspberry Ice Cream" should be available from your preferred book store world-wide with the ISBN 978-1-718-50320-5 or directly from the publisher #nostarchpress

Your help sharing your thoughts about the book with others in different channels would be highly appreciated.

On the public , mystery accounts are creating Old English (ang) and Middle English (enm) in the projects. They don't respond to my messages, or do any translation work. This makes me suspect foul play. Anyone have any ideas?

For example:
* hosted.weblate.org/projects/f-
* hosted.weblate.org/projects/f-

Nice to see the start to influence 's approach to their restrictive policies: looks like is reconsidering allowing users to install APKs outside of . That gives users the freedom to use other app sources like , easily debug apps, and more.

* issuetracker.google.com/issues
* bugs.chromium.org/p/chromium/i

Let's keep the pressure on them so they follow through!

Nice to see the start to influence 's approach to their restrictive policies: looks like is reconsidering allowing users to install APKs outside of . That gives users the freedom to use other app sources like , easily debug apps, and more.

* issuetracker.google.com/issues
* bugs.chromium.org/p/chromium/i

Let's keep the pressure on them so they follow through!

The main public instance meet.jit.si is now requiring logging in with a Google, Facebook or GitHub account in order to create new rooms. jitsi.org/blog/authentication-

Apparently they feel that there was too much abuse of their terms of service, but they do not give any details at all.

Are you at #CCCamp23? Come join us this Friday 14:00 local time at ChaosZone for a casual F-Droid community meetup!

events.ccc.de/camp/2023/hub/ca

@kgbvax TRUST. Yes, that's the key.

With CLOSED source you need to trust the dev, ans solely the dev (unless there were audits).

With FOSS, everyone (technically capable of) can review/audit the source. At F-Droid, that is done: many eyes on the code, many mechanisms cross-checking it. True, not every line and every minute, but it's done.

Knowing the dev behind it then is only needed to put blame – and THAT is not what F-Droid stand for :awesome:

Unlike Google, F-Droid does not force developers to publicize their name or address information.

We understand that people have many reasons to develop under another name than their legal one and to keep their personal information private. And that what matters is the trust between user and developer, not private details of their lives.

For more information on how we designed F-Droid to protect your privacy, see f-droid.org/2022/02/28/no-user.

Show more
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml