this post was submitted on 24 Mar 2024
385 points (96.2% liked)

Privacy


VideoLAN @videolan App Stores were a mistake. Currently, we cannot update VLC on Windows Store, and we cannot update VLC on Android Play Store, without reducing security or dropping a lot of users... For now, iOS App Store still allows us to ship for iOS9, but until when?

[–] [email protected] 26 points 8 months ago* (last edited 8 months ago) (4 children)

So, uh, why not? The link doesn't answer that.

[–] [email protected] 47 points 8 months ago* (last edited 8 months ago) (2 children)

Google is forcing apps to have Google services handle private keys. VLC doesn't think that's a good policy for security (it's not), so they're refusing to adopt it. Whenever you sign in on an app with your fingerprint, the encryption/authentication is being handled by a different program and stored alongside all your other keys. This creates a single point of failure for all sign-ons on your phone.

[–] [email protected] 13 points 8 months ago

This creates a single backdoor for all sign-ons on your phone.

[–] [email protected] 6 points 8 months ago
[–] [email protected] 13 points 8 months ago (1 children)

My guess is that their update won’t be approved unless they drop support for old OS versions

[–] [email protected] 15 points 8 months ago (2 children)

Which is a problem given it's a media player, and Android TVs still on Android 11 or earlier would be denied updates.

[–] [email protected] 4 points 8 months ago (1 children)

Is it a problem though? Old versions of VLC still work fine; I have it on my iPad 2 but haven’t updated it in over 5 years.

Old hardware doesn’t have to worry about security updates because it’s already insecure. So unless VLC stops working, I don’t need updates. And it’s not like my iPad is capable of playing HEVC 4k HDR video anyway, so new codec support isn’t a problem.

[–] [email protected] 4 points 8 months ago* (last edited 8 months ago) (1 children)

One of the quickest ways to pivot into a corporate intranet is via an old insecure networked printer that Shannon from HR brought in.

Sure, maybe you don't have anything worth stealing or leaking, but I bet getting hit with ransomware that encrypts every drive on the network and charges you $2,000 per drive to decrypt will put a damper on your day, month, or year.

Hope you're one of the 0.1% of people that actually keep regular backups.

[–] [email protected] 2 points 8 months ago (1 children)

My point though is that if you’re running the old device without appropriate lockdowns, it’s already leaking like a sieve. It’s been at least five years since the corporate perimeter has been considered more than a minor line of defense, specifically because there are so many pieces of equipment long out of security patch support (if they ever had it) that can’t be trusted.

And ransomware actors don’t bother with the printer; they get in via phishing emails and misconfigured routers and remote access tools — because it’s too much work to target the printer when there are juicier targets.

Although there’s been a recent push towards credential management compromise, and if you’ve got an iPad 2 connected to an Apple ID that also happens to include an iCloud keychain with your Exchange server credentials on it….

[–] [email protected] 2 points 8 months ago

My thinking was more along the lines of old vulnerabilities in VLC (specifically codecs/implementation) exploiting a set of the most commonly sold TVs, and spreading via torrents. If your malware group can target 6 models of the best-selling 5-year-old TVs, spread via torrents, and then infect video files, which spread over Windows networks and keep infecting video files, it could be a good few-million-device-strong botnet.

Seems more like something an APT actor would focus on, because the effort:reward ratio isn't there for most groups, and it would take a lot more effort than the MikroTik botnet or other compromised router nets.

I'm hesitant to run any outdated network-connected devices on my (read: the one my personal devices use) network. The only older model device we have running is a Brother printer, but it still receives firmware updates, and it's segmented so printing is never done directly from anyone's device. It's hooked up to an old laptop running a simple custom web server that accepts files and puts them in the printer queue, and tunneling and DNS are configured on the router; if someone needs to print, they go to [thenameoftheprinter].com in their browser and upload the file(s), and it prints. Devices without access to the guest network can print with Bluetooth; it just requires opening the laptop, pairing, and manually printing.

But that was born out of issues of compatibility with the printer running on the guest/kids network, and not wanting to plug it directly into the router or use the Brother apps more than "This printer is older, must not have direct network access."
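A minimal version of the relay described in the comment above (an upload page on a segmented laptop that hands files to the printer queue), written here as an added example; it is not the commenter's own code or setup. It assumes the laptop has CUPS installed so the `lp` command exists, and the bind address, port, size cap and file-type allowlist are constructed choices. The point of the relay is that client devices never talk to the printer: the relay parses the multipart upload itself, accepts only file types identified by their magic bytes, discards any directory components in the client-supplied filename, and only then spools the file.

```python
"""Upload-to-print relay: accept a file over HTTP, validate it, spool it via CUPS `lp`.
Added example for the thread; not the commenter's code. CUPS/`lp` is assumed present."""
import os
import re
import subprocess
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BYTES = 25 * 1024 * 1024  # constructed cap: refuse uploads larger than 25 MiB
# Allowlist by magic bytes, so raw printer-language jobs (PJL/PostScript) are never forwarded.
MAGIC = {b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def detect_type(data: bytes):
    """Return the allowlisted type for `data` based on its leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def sanitize_name(name: str) -> str:
    """Drop directory components and odd characters: the client-supplied name is
    only ever used as a job title, never as a path."""
    base = os.path.basename(name.replace("\\", "/")) or "upload"
    return SAFE_NAME.sub("_", base)[:64]


def parse_multipart(content_type: str, body: bytes):
    """Return (filename, bytes) of the first file part of a multipart/form-data body.
    Hand-rolled so the relay depends on nothing outside the standard library."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("missing multipart boundary")
    delim = b"--" + m.group(1).encode()
    for part in body.split(delim)[1:]:  # index 0 is the preamble
        if part.startswith(b"--"):      # closing delimiter "--boundary--"
            break
        head, sep, payload = part.partition(b"\r\n\r\n")
        fn = re.search(rb'filename="([^"]*)"', head)
        if not sep or not fn:
            continue
        if payload.endswith(b"\r\n"):    # CRLF that precedes the next boundary
            payload = payload[:-2]
        return fn.group(1).decode("utf-8", "replace"), payload
    raise ValueError("no file part in upload")


def spool_with_lp(path: str, title: str) -> None:
    """Hand the file to CUPS; `lp -t` sets the job name shown in the queue."""
    subprocess.run(["lp", "-t", title, path], check=True, capture_output=True)


def accept_upload(content_type: str, body: bytes, spool=spool_with_lp):
    """Validate one upload and spool it. Returns (http_status, message)."""
    if len(body) > MAX_BYTES:
        return 413, "file too large"
    try:
        name, data = parse_multipart(content_type, body)
    except ValueError as exc:
        return 400, str(exc)
    kind = detect_type(data)
    if kind is None:
        return 415, "unsupported file type"
    title = "relay-" + sanitize_name(name)
    fd, path = tempfile.mkstemp(prefix="printrelay-", suffix="." + kind)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        spool(path, title)          # lp copies the file into its own spool
    finally:
        os.unlink(path)
    return 200, "queued " + title


class RelayHandler(BaseHTTPRequestHandler):
    FORM = ('<form method="post" enctype="multipart/form-data">'
            '<input type="file" name="file"><input type="submit" value="Print"></form>')

    def do_GET(self):
        self._reply(200, self.FORM, "text/html")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_BYTES:      # reject before reading the body into memory
            self._reply(413, "file too large")
            return
        body = self.rfile.read(length)
        status, msg = accept_upload(self.headers.get("Content-Type", ""), body)
        self._reply(status, msg)

    def _reply(self, status, text, ctype="text/plain"):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Constructed bind address: the interface facing the guest network, port 8080.
    HTTPServer(("0.0.0.0", 8080), RelayHandler).serve_forever()
```

Because the allowlist is checked on content rather than on the client's declared type or extension, a renamed executable or a PJL job is refused with 415 before anything reaches the print queue, and `sanitize_name` guarantees a filename like `../../etc/passwd` only ever becomes the job title `relay-passwd`.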

[–] [email protected] 0 points 8 months ago

Some still sold and serviced are Android 8, I think?

[–] [email protected] -5 points 8 months ago (1 children)

It’s a frustrated tweet, not a hard-hitting piece of journalism. Why is everyone here scrutinizing this so much? Do people hate VLC now or something?

[–] [email protected] 9 points 8 months ago (1 children)

Huh?

We're just curious about the reason behind the tweet. Why won't Apple and Microsoft allow them to update? Is it DRM? Security? Fear?