Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/tab2space/statuses/114393255155949804">Richard Johnson (tab2space@mastodon.social)'s status on Friday, 25-Apr-2025 01:12:48 JST</a><a href="https://mastodon.social/@tab2space" title="tab2space@mastodon.social"><img src="https://gnusocial.jp/avatar/213404-48-20240729063456.webp" width="48" height="48" alt="Richard Johnson" style="position: absolute; left: 0; top: 0;">Richard Johnson</a><div><a href="https://infosec.exchange/@david_chisnall/114393211349275552" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/31034" title="signalapp@mastodon.world">Signal</a></li><li><a href="https://gnusocial.jp/user/40873" title="dalias@hachyderm.io">Rich Felker</a></li><li><a href="https://gnusocial.jp/user/153731" title="guardianproject@social.librem.one">Guardian Project</a></li><li><a href="https://gnusocial.jp/user/241214" title="david_chisnall@infosec.exchange">David Chisnall (*Now with 50% more sarcasm!*)</a></li></ul></div></section><article><p><a href="https://infosec.exchange/@david_chisnall">@david_chisnall</a> <a href="https://hachyderm.io/@dalias">@dalias</a> <a href="https://social.librem.one/@guardianproject">@guardianproject</a> <a href="https://mastodon.world/@signalapp">@signalapp</a> <a href="https://floss.social/@fdroidorg">@fdroidorg</a> </p><p>I see a real point challenging your overstatement. This doesn't strike me as arguing for the sake of arguing, but rather as correcting the myth of live code injection into signed builds.</p><p>This converts the original overstatement from "signal (and everything else?) will run arbitrary code downloaded at runtime" into "blobs are a risk".</p><p>This is a much less compelling and startling (headline-worthy) claim.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4792902#notice-9691484">In conversation</a><time datetime="2025-04-25T01:12:48+09:00" title="Friday, 25-Apr-2025 01:12:48 JST">about 6 days ago</time> <span>from <span><a href="https://mastodon.social/@tab2space/114393255155949804" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@tab2space/114393255155949804">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Richard Johnson (tab2space@mastodon.social)'s status on Friday, 25-Apr-2025 01:12:48 JSTRichard Johnson
in reply to
@david_chisnall @dalias @guardianproject @signalapp @fdroidorg
I see a real point challenging your overstatement. This doesn't strike me as arguing for the sake of arguing, but rather as correcting the myth of live code injection into signed builds.
This converts the original overstatement from "signal (and everything else?) will run arbitrary code downloaded at runtime" into "blobs are a risk".
This is a much less compelling and startling (headline-worthy) claim.
In conversationabout 6 days ago from mastodon.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice