VideoLAN @videolan App Stores were a mistake. Currently, we cannot update VLC on Windows Store, and we cannot update VLC on Android Play Store, without reducing security or dropping a lot of users… For now, iOS App Store still allows us to ship for iOS9, but until when?
Okay, but are they still releasing updates via other channels? The newest version on their website is 3.5.4, the same that I got through the play store.
Is it a problem though? Old versions of VLC still work fine; I have it on my iPad 2 but haven’t updated it in over 5 years.
Old hardware doesn’t have to worry about security updates because it’s already insecure. So unless VLC stops working, I don’t need updates. And it’s not like my iPad is capable of playing HEVC 4k HDR video anyway, so new codec support isn’t a problem.
One of the quickest ways to pivot into a corporate intranet is via an old insecure networked printer that Shannon from HR brought in.
Sure, maybe you don’t have anything worth stealing or leaking, but I bet getting hit with ransomware that encrypts every drive on the network and charges you $2,000 per drive to decrypt will put a damper on your day, month, or year.
Hope you’re one of the 0.1% of people that actually keep regular backups.
My point though is that if you’re running the old device without appropriate lockdowns, it’s already leaking like a sieve. It’s been at least five years since the corporate perimeter has been considered more than a minor line of defense, specifically because there are so many pieces of equipment long out of security patch support (if they ever had it) that can’t be trusted.
And ransomware actors don’t bother with the printer; they get in via phishing emails and misconfigured routers and remote access tools — because it’s too much work to target the printer when there are juicier targets.
Although there’s been a recent push towards credential management compromise, and if you’ve got an iPad 2 connected to an Apple ID that also happens to include an iCloud keychain with your Exchange server credentials on it….
My thinking was more along the lines of old vulnerabilities in VLC (specifically codecs/implementation) exploiting a set of the most commonly sold TVs, and spreading via torrents. If your malware group can target 6 models of the best selling 5 year old TVs and spread via torrents and then infecting video files, which spread over Windows networks and keep infecting video files, it could be a good few million device strong botnet.
Seems more like something an APT actor would focus on because the effort:reward ratio isn’t there for most groups, and it would take a lot more effort than the MicroTik botnet or other compromised router nets.
I’m hesitant to run any outdated network-connected devices on my (read: the one my personal devices use) network. The only older model device we have running is a brother printer but it still receives firmware updates, and it’s segmented so printing is never done directly from anyone’s device, it’s hooked up to an old laptop running a simple custom web server that accepts files and puts them in the printer queue, and tunneling and DNS are configured on the router, if someone needs to print, they go to [thenameoftheprinter].com in their browser and upload the file(s) and it prints. Devices without access to the guest network can print with Bluetooth, it just requires opening the laptop and pairing and manually printing.
But that was born out of issues of compatibility with the printer running on the guest/kids network, and not wanting to plug it directly into the router or use the Brother apps more than “This printer is older, must not have direct network access.”
Google is forcing apps to have Google services handle private keys. VLC doesn’t think that’s a good policy for security (it’s not), so they’re refusing to adopt it. Whenever you sign in on an app with your fingerprint, the encryption/authentication is being handled by a different program and stored alongside all your other keys. This creates a single point of failure for all sign-ons on your phone.
Mastodon and other federated platforms are still confusing to normies and less ideologically-minded users. Aside from that, unless VLC starts hosting their own instance, it is hard to say if the particular one they decide to use will stick around. They can relocate by taking some extra steps of course. But they would likely care to put that effort into making VLC Player better instead of into social media. For now at least. X has been more or less the same for a long time (even with the past couple of years) for what they use it for. I am sure they would like to be on an open platform over propriety if that were the only difference. And nothing is stopping them from using both at the same time in order to reach as many people as possible.
I’ve scrolled through the F-Droid repositories in Droidify app and see that VLC does not have their own F-Droid repository ? They could create one, and set up mirrors for it, think of a way to cover the hosting costs, why not ? Making yourself depend on Apple and Google and saying that app stores were a mistake feels wrong.
Generally with small time apps, sure, but VLC are trustworthy enough to get it straight from the source. However, it’s not like VLC is an app that you need to keep up to date as soon as possible.
Several projects have their own F-Droid repository. A few years ago VLC was not updated for some time for some reason. A project like NewPipe has their own F-Droid repository making it possible to let users download the latest version, which can be useful when there is issues with the main F-Droid repository.
I don’t think app stores are the problem. I think big company app stores are the problem, such as the Google Play Store and the Apple App Store. I think something like F-Droid where you can add your own app sources or Droid-ify that has a ton of sources by default you just need to enable is the way to go.
There’s plenty of examples of FOSS devs selling out to corps who dramatically change the apps they produced. Not saying that would happen to Fdroid, but ultimately, unless you yourself control the software and its updates, you can never be 100% sure.
That’s right. Fdroid the app is just a program that accesses repositories. It’s not even the only one, Aurora has a similar version of their own called Aurora Droid.
Fdroid the repo is a repository of FOSS apps maintained by the Fdroid team with apps they’ve reviewed and compiled themselves, to provide an element of trust that you might not get from every random developer.
There’s no fool proof way of handling app trust other than developing your own understanding of the code. Otherwise you have to trust someone. Fdroid seem pretty trustworthy, more than the big corporations, and more than many unknown small time developers - however you can get app updates quicker direct from the developer, through the Fdroid app, if you’re willing to trust them.
Theoretically yes, but in practice for the vast majority of users it makes no difference. Very few people are going to go through the trouble of vetting another source, adding it, etc. That’s what the tyranny of the default is all about.
Fdroid is the obvious answer me thinks. Anyway love you guys/gals at videolan still haven’t come across a piece of software that destroys every other in its field in every aspect.
No, 7z is not better. RAR is more reliable, has repairing and archive lock options and provides builtin recovery record option. It also provides full preservation of UNIX timestamps down to the nanosecond. Discounting archive repair feature is not a good approach.
7z is open source and has 2-5% better compression ratio, but RAR has proved its credibility and reliability over the past couple decades.
How about winget or the other commandline package managers? winget does have VLC according to winget-pkgs. This is the kind of “stores” we need, ones that emulate Linux repositories instead of locked down smartphone garbage.
Pretty sure they’re signed by Microsoft instead? At least that’s what other app stores do.
It’s all a game of shifting the point of trust around. Personally, I’d trust most small time developers more than the likes of Microsoft and Google, however I’d trust Fdroid more than unknown developers (but still go direct to the developers I do trust).
The good ones are signed by the devs, otherwise there’s a risk of malicious modifications at upload or on the publishing infrastructure. This is how Maven works. All packages MUST be signed with PGP by the devs.
Apt isn’t signed by the devs but its signed by the package maintainers, whose job it is to verify the packages that they prepare (devs can’t upload software in Debian)
You can pay a one time fee if $25 to get Microsoft to sign your app on the Microsoft store, or you can pay $400+ per year to buy your own certificate. So Microsoft Store is sadly the cheap way to release apps on Windows. (Without users getting scary warnings from Windows and AV about installing unsigned aoftware)
The certs are sold by certificate authority companies, and Microsoft doesn’t get a share of that, though I’m not sure.
Yeah, software being signed says nothing about it not being malicious or insecure, but it does prove the author is what it says, and if it is malicious then the responsible party is clearly visible.
For non-commercial hobby/open-source software the certificate price is prohibitive, so the only 2 options are Microsoft Store or accepting that users will see the scary warnings, and of course complain to the developer about it.
The assumption is that legitimate companies who sell software will sign it and that signature proves it came from that company who you trust because of their publicly known legitimacy. It’s a bit of circular reasoning. But it does round back towards that legitimacy - if it is found that they violate your trust, they lose public trust and thus lose sales.
Luckily new OSes (cough NOT WINDOWS) are able to sandbox applications and prevent them from accessing resources without declaring the need to access it.
And as for the signing certificate, I think the MS Store will allow any signed app. They just offer the cheaper signing service.
Add comment