VideoLAN @videolan App Stores were a mistake. Currently, we cannot update VLC on Windows Store, and we cannot update VLC on Android Play Store, without reducing security or dropping a lot of users… For now, iOS App Store still allows us to ship for iOS9, but until when?

    • Artyom@lemm.ee
      link
      fedilink
      arrow-up
      47
      ·
      edit-2
      8 months ago

      Google is forcing apps to have Google services handle private keys. VLC doesn’t think that’s a good policy for security (it’s not), so they’re refusing to adopt it. Whenever you sign in on an app with your fingerprint, the encryption/authentication is being handled by a different program and stored alongside all your other keys. This creates a single point of failure for all sign-ons on your phone.

    • TORFdot0@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      1
      ·
      8 months ago

      My guess is that their update won’t be approved unless they drop support for old OS versions

      • deweydecibel@lemmy.world
        link
        fedilink
        English
        arrow-up
        15
        ·
        8 months ago

        Which is a problem given it’s a media player, and AndroidTVs still on Android 11 or earlier would be denied updates.

        • Em Adespoton@lemmy.ca
          link
          fedilink
          arrow-up
          4
          ·
          8 months ago

          Is it a problem though? Old versions of VLC still work fine; I have it on my iPad 2 but haven’t updated it in over 5 years.

          Old hardware doesn’t have to worry about security updates because it’s already insecure. So unless VLC stops working, I don’t need updates. And it’s not like my iPad is capable of playing HEVC 4k HDR video anyway, so new codec support isn’t a problem.

          • Syn_Attck@lemmy.today
            link
            fedilink
            arrow-up
            4
            ·
            edit-2
            8 months ago

            One of the quickest ways to pivot into a corporate intranet is via an old insecure networked printer that Shannon from HR brought in.

            Sure, maybe you don’t have anything worth stealing or leaking, but I bet getting hit with ransomware that encrypts every drive on the network and charges you $2,000 per drive to decrypt will put a damper on your day, month, or year.

            Hope you’re one of the 0.1% of people that actually keep regular backups.

            • Em Adespoton@lemmy.ca
              link
              fedilink
              arrow-up
              2
              ·
              8 months ago

              My point though is that if you’re running the old device without appropriate lockdowns, it’s already leaking like a sieve. It’s been at least five years since the corporate perimeter has been considered more than a minor line of defense, specifically because there are so many pieces of equipment long out of security patch support (if they ever had it) that can’t be trusted.

              And ransomware actors don’t bother with the printer; they get in via phishing emails and misconfigured routers and remote access tools — because it’s too much work to target the printer when there are juicier targets.

              Although there’s been a recent push towards credential management compromise, and if you’ve got an iPad 2 connected to an Apple ID that also happens to include an iCloud keychain with your Exchange server credentials on it….

              • Syn_Attck@lemmy.today
                link
                fedilink
                arrow-up
                2
                ·
                8 months ago

                My thinking was more along the lines of old vulnerabilities in VLC (specifically codecs/implementation) exploiting a set of the most commonly sold TVs, and spreading via torrents. If your malware group can target 6 models of the best selling 5 year old TVs and spread via torrents and then infecting video files, which spread over Windows networks and keep infecting video files, it could be a good few million device strong botnet.

                Seems more like something an APT actor would focus on because the effort:reward ratio isn’t there for most groups, and it would take a lot more effort than the MicroTik botnet or other compromised router nets.

                I’m hesitant to run any outdated network-connected devices on my (read: the one my personal devices use) network. The only older model device we have running is a brother printer but it still receives firmware updates, and it’s segmented so printing is never done directly from anyone’s device, it’s hooked up to an old laptop running a simple custom web server that accepts files and puts them in the printer queue, and tunneling and DNS are configured on the router, if someone needs to print, they go to [thenameoftheprinter].com in their browser and upload the file(s) and it prints. Devices without access to the guest network can print with Bluetooth, it just requires opening the laptop and pairing and manually printing.

                But that was born out of issues of compatibility with the printer running on the guest/kids network, and not wanting to plug it directly into the router or use the Brother apps more than “This printer is older, must not have direct network access.”

    • BolexForSoup@kbin.social
      link
      fedilink
      arrow-up
      4
      arrow-down
      8
      ·
      8 months ago

      It’s a frustrated tweet not a hard hitting piece of journalism. Why is everyone here scrutinizing this so much? Do people hate VLC now or something?