Disclaimer: UK citizen. I don’t know anything about ICE or whose side I’m “supposed to be on” politically here. I’m just responding to the details in the article. The app might as well be TodoApp.
The vulnerability couldn’t have been reported in a worse way. OP gave unreasonably short deadlines, allowed moral opinions about the software to interfere with responsible disclosure, and interspersed details about the potential vulnerability with inflammatory remarks about the mission of the product. I don't think OP's goal was actually to secure the app.
OP was going to publish a scathing blog post about ICEBlock either way, and essentially engineered a situation where the ICEBlock author had to act within unreasonable timelines. He published the original blog post an hour and a half after reporting the vulnerability. Then gave a week’s deadline before another one.
Sure, potentially the ICEBlock author also allowed feelings to interfere with upgrading the vulnerable version too.
But ICEBlock has millions of users, according to the blog post. I’m cautious about upgrading dependency versions for apps I manage with <100 internal users. In my experience, upgrades are 99% trivial, and 1% cause disastrous headaches and downtime. If I were the ICEBlock author, I would put this on a list of things to look into, and ensure that it was tested thoroughly if I did decide to upgrade. It’s not as simple as running “sudo apt upgrade”.
And I imagine that given the scale of the product, the author has incredible demands on his time, and can’t just drop everything because somebody (who has already shown themselves to be communicating rather negatively) imposes an arbitrary short deadline.
Now maybe it turns out that I’m unaware that ICEBlock is a huge net negative for the world, which is why the post has so many upvotes. But just interpreting the facts as they’re presented in the article, and substituting ICEBlock for TodoApp… I don’t see how the developer has acted unreasonably.
The operation is important too. Square matrices over integers with matrix multiplication is (just) a monoid. Square matrices with addition are a monoid too (but also a group, because there is an additive inverse).
My point is that there will be too many who will look at this and start using CSS in ways it is not intended. Even today, far too many people attempt to use CSS for things best left for SVG.
These sorts of CSS experiments have been around for as long as CSS. There even used to be a site where an entire community would take basic markup and use CSS to turn it into something else.
(I just googled that phrase - the site is CSS Zen Garden. It’s impressive Google found it because that was a bad search.)
Some people did create monstrosities, others learned the limits of CSS and used that knowledge to advance CSS. So my point is that I believe in the ability of people to advance through discovering all the things they shouldn’t do.
CSS Zen Garden is not an experiment as shown in the title of this post. The Garden shows how CSS can style the HTML elements in many different ways but it is not there to create or manipulate images as shown in the subject of this post.
That said, I have not looked at the Garden in many years so if you find one, then you found .... one ... and I loop back to my original comment: that such things are impractical, it's not what CSS is for, and should be avoided.
In other words, you don’t learn through experimentation and your learning style is the only valid one? Okay…this isn’t worth debating but science has proven that to be wrong.
CSS Minecraft, or CSS CAPTCHAs, or sign up / login modals cannot be done via SVG. This is needed for JS-less websites (e.g. Tor). CSS with HTML is perfect for this use-case.
If anything these tricks enable people to build stuff without JS.
I'm still here waiting for someone at W3C to get their stuff together and provide a spec for something that could enable an accessible hamburger menu with plain HTML + CSS.
Or a sane details element that DOES NOT REQUIRE JS TO CHANGE STATE (without interaction). Jesus.
The point is that this is not a punishment against "them", it's a loss for everyone (humankind), which affects for the vast majority innocent people both in Iran and all over the world.
I don't see a world where this is "ideal", even if you agree with the block.
We don't know where the people who will make scientific breakthrough will be. Imagine losing the cure for cancer, or a form of clean energy (or anything that could change the world for everyone) due to this.
That’s nice and wishful thinking. This is just the sad truth regarding sanctions. If your country cannot participate on the global stage at least partially, then the people suffer. No different than North Korea. It sucks but life is unfair and sucks.
Post script: I followed up and read the original blog post (https://micahflee.com/unfortunately-the-iceblock-app-is-acti...), which I largely agree with. I still think Micah has acted unreasonably RE the vulnerability.