- all contacts, including 3rd party messaging apps, with metadata (interactions, timestamps, other stats) - full address book - whether any app is installed - SSID of connected wifi

and formerly,

- medical info - device usage - screen time - device accessories

I don't keep anything mission critical on mobile, but this is still a gargantuan set of exploits, and each appear extremely straightforward to validate and pay out the security researcher (and maybe even patch). It's utterly tragic how Apple (and others) have devolved to become the same monolithic, careless organizations they once displaced.

I really, really hope something changes. Soon.

That being said, this is more or less the industry standard. And even if the other person mentioning this was downvoted, they are right: this has been the case since forever and can only be remedied through laws making companies responsible for their failures. But neither the US government nor said companies want this. It will have to get so bad that it visibly harms US or EU security for something to move in this space.

Apple does not have security in its DNA, as is obvious from all these exploits. Apple lives in the past where it was OK to kinda fudge it, to kinda give home apps special passes, to bypass stuff to make the game center work, and so on and so forth. These are all red flags.

Apple's threat model is script kiddies and Russian hacker groups. It's very naive vs real world exploits conducted by state level actors, companies serving state level actors, and a $1M market rate for iPhone zero day p0wn exploits.

In this cat and mouse game, the hackers are leagues ahead at this point - motivated by money and a whole different mindset.

Relying on the app store review process to catch these things is naive. A company that takes security seriously would never even think this way, obviously there's many ways around app store reviews, and hackers who went through all the trouble of finding exploits will find a way around the app store reviews, too.

I would not hold my breath... it's been like this for decades at least.

Exploits often feel like pathogens, probably why they share the term virus. If a virus has a high mortality rate, contagion is lower, because it frequently kills the host before it can spread.

Similarly, I think a 'complete device compromise' is much more likely to be identified, prioritized, and patched. The vulnerabilities mentioned here represent the highest severity without an immediately noticeable fallout. Props to the researcher.

P.S. I wonder if the researcher's Russian nationality (assumed from their other post) had any impact on their lack of payout.

It's a much higher bar when it's a targeted attack but not necessarily if it's a dragnet like when a malicious party buys a browser extension from the creator to harvest user data. The only real difference between the two scenarios is iOS's significantly stricter review process and sandbox - if this exploit can bypass both [1], it doesn't matter whether the malicious developer can be traced because it'll just be some indie dev who just sold his username/password and signing keys for $X0-Y00k to some shell corp in the Bahamas.

[1] Are these exploits detectable through static analysis or some other automation? (I have no idea)

A drive-by exploit has a lot fewer of these constraints.

Except Facebook. Or another behemoth that felt they could weather Apple's wrath if it ever came to it. Or a company that Apple had granted special permission to do this, like they did with Uber.

The point isn't that this isn't a serious vulnerability or is somehow unexploitable. It's just that there's a great deal of friction in exploiting it for relatively paltry returns. Nobody is going to get into a spat with Apple and invite regulatory and law enforcement attention to traceably and with undeniable intent steal your contact list. Nobody is going to (like another commented hypothesized) launch a supply chain attack to steal your contact list with this vuln. At that point you'd find a better vuln. This one isn't all that much better than just misleading people into giving you contact list permission.

The OP is saying it's somehow worse than drive-by or low-interaction vulns that own up entire devices and have been repeatedly found in the wild. I don't think that holds up.

Possibly world ending, at least from the perspective of the user whose phone explodes next to their face?

At best id be blind and unable to use my hands. I don’t give a stuff about my bank account compared with that.

https://youtu.be/osfgkFyq7lA?t=246

A complete compromise can also get access to your bank, mail accounts, message history, mic and camera. Which vulnerability would you prefer be used against you?

Besides, why focus on something as superficial as keeping your private data safe when the new iPhone now comes in a gorgeous pink finish. And with Ceramic Shield and the lightning-fast A15 chip? It’s truly the best iPhone they’ve ever made.

These puppies sell themselves without all that expensive privacy talk.

Honestly their attitude to the bug bounty makes me wonder if there’s not a small group of engineers that keep screaming about this problem just to have the door closed behind them and a “lol nerds” giggle heard from the execs on the other side of the door.

I would think that, given the profitability and positioning of Apple in the marketplace, that they would be heavily incentivized to provide large bounties for finding such destructive vulnerabilities. And I imagine that there are plenty of security people working there who genuinely care about fixing fix these issues right away.

So a security threat gets reported to this bug bounty team. They are able to reproduce and confirm. The bug is in some deep, crusty part of the kernel; the code for which isn't available to this team, because Silos.

The team who does have access to this Silo is tracked down. It gets processed into a ticket. Maybe it gets done, maybe it doesn't. Their backlog is already maxed out, as is everyone's.

The security team says "we've done all we can".

This is not a matter of "lol just hire a team". You need leadership aligned, so the manager's manager can see their task list, or open security issues, and say "what the fuck, why are you not prioritizing this".

That's not Apple. Apple is product-driven. They actually, legitimately don't care about Privacy and Security. Their manager-managers get mad when products aren't delivered on time. They may also push-back on purposeful anti-privacy decisions. Its not in their culture to push back on Security issues, or latent Privacy issues resulting from those Security issues.

"Just tear down the silos" > Working for Apple is a cult. The silos are a part of the cult; left-over from one of the worst corporate leaders of all time, Jobs. Try telling a cult member their beliefs are false.

"Grant the security team access to everything" > And, I guess, also hire the smartest humans to ever exist on the planet to be able to implement security improvements across thousands of repositories in dozens of programming languages, billions of lines of code? And, even if they could, push those changes through a drive-by review and deployment with a team on the other side of the planet you've never met? You, coming into their house, and effectively saying "y'all are incompetent, this is insecure, merge this" (jeeze ok, we'll get to it, maybe in... iOS 18)

Scaling development is hard, and Apple has never really gotten it right. I am wondering if a zero day is $1M on the open market - wouldn't it be easier and cheaper to get an engineer inside Apple to leave some plausible deniability bugs in the code? Or compromise an engineer already there?

Software engineering never had security as its main goal - but today, if you had to do it all over, security would be built into all processes from the get go, and that's likely the only way software could be made secure.

It always amazes me Apple (and others) can't even make a browser that doesn't have a drive by zero day that can take over my computer. Why is that? There must be something fundamentally wrong in the system here. And I think what's wrong is that security was not even in the minds of engineers when most of these software modules were created.

BSD had it built in, but they watered it down instead of - what they should have done - doubling down on it.

Is probably less than believable to read because it sounds like it should be easy. I don’t have any good answers there. I’m also not suggesting that customers and researchers accept that, but saying it’s easy just diminishes the efforts of those that run good ones.

Not to say that people 'pass the buck' or are not taking responsibility exactly, just that teams can be insular, and they're all going to view it from the perspective of their side of the 'API', and not find a problem. (Of course with a strict actual API that couldn't be the case, but I use it here only loosely or analogously.) Someone has to coordinate them all, and ultimately probably work out (or decide somewhat arbitrarily - at least in technical terms, but perhaps on the basis of cost or complexity or politics or cetera) whose problem to make it.

- The security researcher community is composed of a broad spectrum of people. Most of them are amazing. However, there is a portion of complete assholes. They send in lazy work, claim bugs like scalps and get super aggressive privately and publicly if things don't go their way or bugs don't get fixed fast enough or someone questions their claims (particularly about severity). This grates on everybody in the chain from the triagers to the product engineers.

- Some bounty programs are horribly run. They drop the ball constantly, ignore reports, drag fixes out for months and months, undercut severity...all of which impact payout to the researcher. These stories get a lot of traction in the community, diminishing trust in the model and exacerbating the previous point because nobody wants to be had.

- Bug bounties create financial incentives to report bugs, which means that you get a lot of bullshit reports to wade through and catastrophization of even the smallest issues. (Check out @CluelessSec aka BugBountyKing on twitter for parodies but kind of not) This reduces SnR and allows actual major issues to sit around because at first glance they aren't always distinguishable from garbage.

- In large orgs, bug bounties are typically run through the infosec and/or risk part of the organization. Their interface to the affected product teams is going to generally be through product owners and/or existing vulnerability reporting mechanisms. Sometimes this is complicated by subsidiary relationships and/or outsourced development. In any case, these bugs will enter the pool of broader security bugs that have been identified through internal scanning tools, security assessments, pen tests and other reports. Just because someone reported them from the outside doesn't mean they get moved to the top of the priority heap.

- Again in most cases, product owns the bug. Which means that even though it has been triaged, the product team generally still has a lot of discretion about what to do with it. If its a major issue and the product team stalls then you end up with major escalations through EVP/legal channels. These conversations can get heated.

- The bugs themselves often lack context and are randomly distributed through the codebase. Most of the time the development teams are busy cranking out new features, burning down tech debt or otherwise have their focus directed to specific parts of the product. They are used to getting things like static analysis reports saying 'hey commit you just sent through could have a sql injection' and fixing it without skipping a beat (or more likely showing its a false positive). When bug reports come in from the outside, the code underlying the issue may have not been touched for literally years, the teams that built it could be gone, and it could be slated for replacement in the next quarter.

- Some of the bugs people find are actually hard to solve and/or the people in the product teams don't fully understand the mechanism of action and put in place basic countermeasures that are easily defeated. This exacerbates the problem, especially if there's an asshole researcher on the other end of the line that just goes out and immediately starts dunking on them on social media.

- Most bugs are just simple human error and the teams surrounding the person that did the commit are going to typically want to come to their defense just out of camaraderie and empathy. This is going to have a net chilling effect on barn burners that come through because people don't want to burn their buddies at the stake.

All of this to say it takes a lot of culture tending and diplomacy on the part of the bounty runners to manage these factors while trying to make sure each side lives up to their end of the bargain. Most of running a bounty is administrative and applied technical security skills, this part is not...which is why I said it can be the hardest.

Maybe the reports get to the tech teams, the tech team figures out that this bug will definitely be caught by the static analyzer, and they have other more pressing issues.

The main problem today IMO is that the incentives for finding and actively using exploits are much higher than the incentives for fixing them, and certainly much higher than building secure code that doesn't have the issues in the first place.

After all, nobody will give you a medal for delivering secure code. They will give you a medal for delivering a feature fast.

I’ve worked at some of the largest financial institutions and they spend billions on security every year to achieve something slightly better than average. Building products with a step function increase in security would incur costs in time and energy and flexibility that very few would be willing to pay.

Bug bounty programs are significantly more difficult to run than a normal bug reporting service, so the fact that they're so bad at handling the easy case makes it no surprise that they're terrible at handling security bugs too.

Their management of the bug bounty program seems like a reflection of their secretive (and perhaps sometimes siloed) internal culture. I'd argue that for any bug bounty program to be successful, there needs to be an inherent level of trust and very transparent lines of communication - seeing as though Apple lacks it internally (based on what I've read in reporting about the firm) it is not particularly surprising that their program happens to be run in the shadows as the OP describes.

I forget the exact term for it, but there is a "law" in management which postulates that the internal communication structures of teams are reflected in the final product that is shipped. The Apple bug bounty seems to be an example of just that.

Edit: Its called Conway's Law

Hubris.

Apple's culture is still fundamentally the same from the day they ran ads saying "Macs don't get viruses" to today. They used a misleading ad copy to convince people they could just buy a Mac and be safe, not needing to do anything else... ignoring that Macs still got malware in the form of trojans, botnets and such... and encouraging a culture of ignorance that persists to this day. "It just works." etc.

So now their primary user base is majorly people who have zero safe online habits.

And that sort of mentality feeds back into the culture of the company... "Oh, we're not Windows, we don't get viruses. We don't get viruses because our security is good. Our security is good, obviously, because we don't get viruses." It, in effect, is a feedback loop of complacency and hubris. (A prime example of this is how Macs within the Cupertino campus were infected with the Flashback botnet.)

Since their culture was that of security by obscurity (unlike, say, Google's explicit design in keeping Chrome sandboxed and containered for sites), closed source and again, hubris... it's coming back to bite Apple in the ass despite their ongoing "We don't get viruses" style smugness. If it's not about Macs not getting viruses, it's about how Apple values your privacy (implying others explicitly don't) and like with everything else, it's repeated often enough to where the kool aid from within becomes the truth.

Apple's culture is that of smugness, ignorance and yep... hubris. Why should they have a serious, respectable bug bounty program if they've been busy telling themselves that they don't simply have these kinds of security problems that they've bragged about never having?

The short version is that if the bounties become too large they'll lose internal talent who can just quit to do the same thing outside the org. Another reason was that they can't offer competitive bounties for zero days because they'll be competing with nation states, effectively a bottomless bank, so price will always go up.

I don't know much about this topic, but surely there are some well structured bounty programs Apple could copy to find a happy middle ground to reward the white hats.

A good iOS 0-day is worth hundreds of millions of dollars in contracts with shady governments. Apple can't compete with that multiple times a year

My guess would be, that MSRC and Apple's equivalent have an OKR about keeping bounties under a certain level. Security is seen as a cost centre by most companies, and what do "well run" companies do with cost centres... they minimize them :)

I don't think that organizationally either company wants to have bad security, and I don't think that individual staff in those companies want to have bad security, but I do think that incentive structures have been set-up in a way that leads to this kind of problem.

I've seen this described as lack of resources in the affected teams, but realistically these companies have effectively limitless resources, it's that they're not assigning them to these areas.

That doesn't mean the functional areas don't have a budget or resource constraints, but Apple's structure is quite different from most companies.

I'd agree with the other comments that pin Apple's specific issues on their insular culture that discourages all forms of external communication if you're not part of marketing. Great bug bountry programs require good communication with researchers and some level of transparency, two things apple is structured to avoid and discourage.

Hacking is much more profitable than preventing hacking.

Incentives are heavily biased towards security exploits on all levels.

End of story.

There's no reward for "your code never got hacked". There's a reward for delivering a feature in time and a penalty for not doing so.

You'll get a bonus or promotion for delivering features. If you take twice as long because you made your code really secure - no one will know.

I think that's really all there is to it. Security is obscure and complicated.

It would have to be this.

If you start to increase the payout, you get more people wanting the payout.

Let’s say they have a team of 6 engineers tasked with this. They probably receive hundreds of reports a day, many bogus, some real, but all long winded descriptions like this framed to make the vuln seem as bad as possible. In addition many vuln reports are generated by automated tools and sprayed to thousands of sites/vendors daily in the hope of one of them paying out, they seem coherent at first glance but are often nonsense or not really a vuln at all, and of course there are many duplicates or near duplicates.

If each of these takes 20 mins to triage, 1 hour to properly look at and days to confirm, you can see how a team of any reasonable size would soon be completely submerged and unable to respond to anything but the most severe and succinct vulnerability reports in a timely way.

It's not a case of "someone missed this" it's "this seems dysfunctional".

I agree they could and should do a lot better, I'm just imagining the probable reasons for this level of dysfunction - the most likely explanation to me is an overwhelmed, overworked department submerged in so many requests that they can't filter out the useful ones or respond in a timely way.

Just as one other example of this, the bug reporting system at Apple is antiquated and seen as a black hole outside the company, probably again due to underinvestment.

ironically, spoken by Gates @0:52 https://www.youtube.com/watch?v=H27rfr59RiE

Evidently apple see failures like bugs as a problem to be avoided and are just trying to avoid the problem with the obvious result that they have problems and look like a failure.

Companies that accept failure as a consequence of trying will learn and improve until they achieve success.

This is roughly how I have seen things work internally:

* When a bug report comes in, the bug bounty triage team tries their best to triage the bug and if legit, passes it on to the infosec team situated within the organization where the bug belongs.

* Security team for the org then scrambles to figure out which exact team the bug belongs to assigns it to them.

* A day or two later that team picks up the bug and there is usual back forth on ownership, "oh, this is that part which this another team wrote and no one from that time now works at the company" or "its not us, its another team, please reassign."

* Even when the right team is assigned to the bug, there are discussions about priority and severity - "oh we dont think its a high sev issue" types of discussions with PMs who have no knowledge about security.

* Even when everything gets aligned, sometimes the fix is so complicated that it cant be fixed within SLA. In the meantime, security researchers threaten to go public, throws tantrums on Twitter while Bug bounty chases internal teams for a fix.

* When the bug cannot be fixed within SLA, the engineering folks file for an exception. This then gets escalated to a senior leader who needs to approve an exception with agreement from a leader within security. This takes a couple of days to weeks and in the meantime, security researcher has now completely lost it because they think no one is paying attention to this crazy oh so critical bug they spent day and night working on.

* When exception is granted, bug bounty swallows the pill and tries to make up excuses on why it cant be fixed soon. Eventually, 90days are over and researcher feels disrespected and establishes animosity and starts to think everyone on the other side a complete idiot.

* A blog shows up on HN and gets picked up by infosec twitter and slowly media catches up. Now, internally everyone scrambles to figure out what to do. Bug bounty team says "we told you so" and engineering team figures out a magical quick band-aid solution that stops the bleeding and partially fixes the bug.

Case in point, Apple likely could have come out of this looking much better if they didn't ignore and then actively lie to illusionofchaos. That really isn't a very high bar to clear.

Sitting at home looking at a monitor and typing is largely the same doing the same thing in an office. They're not service sector workers, doctors, nurses, or truck drivers who actually have had to deal with the impact of this head on.

Surely even if it were true, that is no excuse for a company like Apple?

Did I say it was an "excuse"? No.

Please don't put words in my mouth. The -4 downvotes made your point well enough. I get it: people want to trash Apple by any means necessary and that's way more important than a free and open discussion of the issue. Thanks.

After claiming that I am putting words in your mouth, you go ahead and accuse me of only wanting to trash Apple and not caring about having a discussion.

I would have preferred it if you had simply told me to fuck off.

I just updated to iOS 15 and it now tells you which sites you have been compromised on, or had your passwords/info compromised on. To be clear, I use a password manager with a unique password on every site, so it is difficult for something like this to have a significant impact. Nethertheless, I was compromised on hundreds of sites and products, and those were just the accounts that iOS Safari knew about. None of them bothered to reach out and tell me. Even my coffee machine was compromised. Ridiculous.

Further to this, you claim that you have been compromised on HUNDREDS of sites even though you use a unique password everywhere?

How is this happening to you? Isn't this a huge concern?

It’s not too far-fetched.

I’ve been compromised on dozens of sites out of ~1.500 sites on which I have accounts, all of them with unique email addresses and unique passwords. Those dozens accounts are just those I happen to know about (through HIBP, incoming email spam, or the occasional site owner’s disclosure) so they’re probably just the tip of the iceberg.

Sites are being breached left and right. If you’re lucky, the site owner tells you. Many won’t.

Lots of people will get their regular coffee maker ready the night before with water and ground beans. At a specific time in the AM it will brew. Lots of old models have timers you can set. I avoid smart devices like the plague. My Bosch fridge is a smart fridge and I plan on putting it on a VLAN.

As another new owner of a Bosch fridge, why put it on anything at all? I just peeled the sticker that told me how to connect off, threw it in the trash, and treat it just like my old non-connected fridge. Is there actually some beneficial feature that makes it worth connecting at all?

Problem: Right french door is hard to close and user often leaves it open. User does not hear alarm.

Solution 1: Make french door easier to close / close automatically.

Solution 2: Make alarm louder. Adjustable even.

Solution 3: Add networked computer, software, mobile phone application, and wire them all up.

French door fridges have this flat piece that slides behind one of the doors to make it airtight. Our previous place had a Samsung that did the same thing, except it was the left door and easier to shut.

It’s made by Germans, they don’t always make things usable or even serviceable (German cars).

But even then, I’m pretty sure you can buy simple electric ones with timers…

/s, since it is not the specialized coffee machine on the office floor which is the biggest problem but the thousands of ones at home where people do not even bother to firewall it.

Only if you count "tracking users on first visit before they do anything else" as normal. Otherwise, there isn't a banner needed; sites could simply have a link to opt-in to tracking in the header or footer, and not track unless the user opts in.

This is like passing a law making it illegal to just hit people in the street, requiring you have to ask them for consent first. So most of the people who want to hit others up come up with some gish gallop that most people fall for, and then hit them.

And people bitch about the law, and claim it "makes it necessary for people to chew off the ear of other people they pass by in the streets"... with a straight face, that's what they twist it into, with an air of indignation even... and not just for a few weeks, until they read up and the initial misunderstandings are cleared up, but year in and year out, because they never read up, and the falsehoods you just posted keep getting repeated.

I've never met anyone in real life who wasn't creeped out by a targeted ad. Everyone nowadays has a story about how they were having a conversation with someone about something, and then one of their devices served them an advertisement for the thing they were talking about.

Everyone finds that creepy as hell, but it's hard to attribute it to any particular device/company, and even if you find out that it's your Alexa that's spying on you, it's hard to throw it out. Not only is it a waste of money, it's a loss of a convenience, and there's some social pressure involved. Like do you really want to be seen as that one paranoid weirdo who doesn't trust technology that everyone else is using?

I think it's bizarre that people are not only OK with having their house bugged with a device that listens to their every conversation - but they're happy to pay for the privilege.

Do you know that when you have an argument with your partner, Alexa is listening to the whole thing? Sensitive business meetings... etc... very strange!

If you annoy users into clicking "accept" then you are in breach and may as well just track users without asking at all.

People are out of their mind to think that governments are working to "protect" them - hello? Govern ment means to rule the mind, mind control, that's the word, and the main mind control governments are interested in perpetuating is to make you believe you need them.

If people didn't think they need their government, there would be no more governments - and they couldn't control us.

Logically, if I was the government, I would mainly work on making sure that people think they need me. I would have every incentive to create catastrophes, pandemics, wars, in fact I would have every incentive to create any problem that has, as its solution, more governmental control.

Yes! You should!

This is the same as if your small, non-profit club deals with dangerous chemicals - it needs to make sure that the appropriate risk assessments are done, and safety information is available to users. Or any club dealing with children - it may need to make sure that the people have an appropriate background check.

Likewise, holding personal data is a risk to the people whose data is held. If you want to hold on to that data, your responsibility should include making sure that it is stored and used safely. If you don’t want to pay that cost, then stop holding it.

To use your metaphor of chemicals:

I see the current situation as if the soccer club is handling a 1L container of consumer-grade vinegar weedkiller, and is required to do pretty cumbersome things to document their use and keep it "safe". Many of them have consulted some firm or expert to get boiler-plate documentation, because even if fines are unlikely they are anxious about them.

At the same time, we have enormous commercial actors that handle millions of liters of radioactive wastewater in rusty containers. These companies have, for sure, spent a lot of money on "compliance". Some small improvements have surely been made, but the fundamental business practice among these actors of handling radioactive wastewater have not changed. Some "large" fines have been given, but they barley make a dent in the enormous profitability of handling these toxic things.

At least not yet, 3 years in. Maybe it will change in the future, and the big actors will fundamentally change their behaviour.

If that happens, I can agree that the weedkiller documentation is worth the cost, but so far I'm sceptical.

(Since this is an Apple thread, I think its interesting to compare the _real_ privacy gain of GDPR as a whole, vs Apple's simple tracking-popup)

What if one of the kids' parents is on a protection program? What if two years later you find to have the contacts details of a famous star/politician/CEO? What if one of the people on your lists gets in a controversy and you happen to have certain proof of events? And so on.

I'm trying to argue how apparently innocent data might very well be highly sensitive instead, but that without a proper framework to assess that, you never know.

That's a far cry from "they make these cookie banners necessary". Tracking people without consent on first visit is what makes them necessary. The anger is consistently misdirected at the people who violate the boundaries of others, not the law that requires consent for it.

> So let's say you have a printed list where kids and their parents signup with name and phone numbers, you should probably have a data integrity policy and someone akin to a DPO. In your small non-profit soccer club!

"We'll ask them if it's okay to store it, and once they leave the club we delete their contact information after N months." Now you have a policy. The person who does everything else, the person who is already secretary, receptionist, accountant, project manager, janitor, coach, counselor, CEO, is now also the PDO.

Human rights being trampled on with an ever increasing mesh of surveillance by big agencies and corporations as well as little informants are such gross violations, such a terrible trajectory we put society on, that mere complication and discomfort is not something that can ever trump them in my book. I would even say if you can't put food on the table without ignoring the human rights of others, just don't put food on the table -- because that's the negotiable part, while the preservation of human rights is not. We need human righs, we don't need ad-hoc low-effort soccer clubs. Like, at all. Just get a ball and some friends in that case.

GDPR restricts companies from using data however they want, makes you able to obtain a copy, and makes you able to require it deleted. It also required the company to document, provide a person responsible to contact, etc.

It only benefits you as a consumer, and the downside in proper uses is that the webpage/app might have a page somewhere with data processing information should you be curious. Nothing major.

Any nuisance are poor implementations or because companies can no longer do terrible unexpected things, like selling your data to hundreds of companies just by accessing a page, without permission, because it is nonsense no one would expect or want.

And with everyone clicking "no" (which must be at least as easy as clicking "yes" as determined in court), the practice would die eventually.

The only reason these illegal banners still get used is a lack of enforcement. Right now, the enforcement process is rather slow, which is in part due to all this stuff being "new" (the cookie ePrivacy is technically from 2009 already, but regulatory bodies with a clear focused mandate to enforce infractions only really came into existence with the GDPR) and thus regulatory bodies and sometimes courts still trying to figure out the legal details, and acting slow and (overly) cautious in order not to embarrass themselves by issuing fines that are later thrown out in a high court. (And then there is Ireland...). And more generally, the law is rather slow regardless; the time it takes to conclude any "important" case is measured in years, and sometimes decades.

There are civil organizations such as noyb[1] trying to get things going and "nudge" regulators into action, but even with that it will be a few more years at least until the legal questions around "what is an acceptable cookie banner" are settled.

[1] https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...

Please note if you have strictly necessary cookies, you don't need to have cookie banners, and if your cookies are anonymous, you don't need them either !

The proliferation of cookie banners just means that people running such websites are usually terrible with regards to consent, personally identifiable information, and so on.

Worst case scenario is I have to log in again.

Otherwise you don’t even need a cookie banner.

Almost always it's between a 2-5 magnitude order of difference in price between a bug bounty and what a company like Zerodium pays. When they have a valuable enough customer asking for something specific they'll even give bonus rates between 2x-10x above their normal rates.

Here have a tweet where Zerodium is doing exactly that: https://twitter.com/Zerodium/status/1437884808257024008

Note: not sure they would pay for these private information leaks. They'd probably prefer a local escalation and then do the data collection themselves.

By that same logic we coul include mass ad/surveillance companies like Google and Facebook to the list. IMHO those do way more damage to society as a whole. Where do we draw the line?

We have tons of jobs you're even legally not allowed to do, no matter how profitable. We're literally talking about people who deal in vulnerabilities in software used by minors, with the express intent of keeping these open.

In my book, that is beyond the line. Change my mind.

Apple's published rates are high (up to $1M), but in practice they pay a lot lower.

I used to believe that iphones were more secure than android and was considering making the switch. After reading this article and with some other recent news (CSAM[1], spam on the app store[2]) I don't think I'll be hopping on the iOS train anytime soon.

[1]:https://www.apple.com/child-safety/ [2]:

Surprisingly MSFT still hired her after this

How long till this "It's fixed" comment appears. Might come in a different submission. For some folks, Apple can do no wrong. No amount of truth can change their views. The only issue to these folks is "fixing"; they are content to use software that is a WIP but marketed as ready for primetime and to dismiss any ideas about using software that is considered finished.

The best place for important data is external media not a "smart" phone running an OS and software that the user does not have control over. "Everyone else is doing it" doesnt transform a stupid practice into a smart one, it just means no one will criticise the choice. That of course also opens the door for those following the herd to attack anyone who dares to suggest deviating from the mainstream because "how can the majority of people be wrong".

1 The purchaser cannot remove it and install their own replacement.

It is a shame that the author didn’t get replies in time and felt the need to disclose. I’m sure it’ll at least get quickly patched now.

We have now seen bugs that have been around for 4-5 years before being discovered by ethical hackers and subsequently patched.

No, the issue is despite disclosure two of them still aren't fixed.

Please point me to a consumer OS that doesn't have security vulnerabilities.

This is their main claim atm.

It's the same never-ending war as anti-cheat vs cheat.

Another example: my grandma doesn’t have WiFi, and I bought her an iPhone, but iOS updates can’t be done on 4G, which can only be bypassed by internet-tethering a computer (which she doesn’t have), downloading the full IPSW, and installing it. She was on iOS 14.0 until 2 weeks ago when I fixed it. And with Safari being, according to security researchers, much less secure than Chrome, that makes me shudder. This isn’t an “anecdote” or an edge case, not everyone lives in a developed country and millions are just like my grandma, and Apple’s poor security design leaves her vulnerable for zero good technical reason, where Android wouldn’t. (They just dropped Google Play Services support for Jelly Bean a few months ago, so even an old Android phone would be reasonably secure). Caring about security requires thinking of details like this.

Print Nightmare was part of a risky call in the printing subsystem design which was recognized as such when they made it in the 90s. That specific vulnerability was disclosed to Microsoft in 2020, accidentally disclosed in public in June, flailed at with incomplete patches and bad documentation all summer while ransomware gangs exploited it, and has theoretically finally been patched in the September release following multiple incomplete patches.

The Exchange auto discover bug announced yesterday had previously been reported with Microsoft telling the reporter that it wasn’t a bug. Oops.

This is hard but it’s also important to remember that this is an industry-wide failure because it’s been cheaper to clean afterwards than invest in proactive cleanup of old “stable” code, and it will likely continue as long as there are no financial consequences for a breach. Adding consequences would change that dynamic but would also be a massive change to the industry. It could endanger open source and would almost certainly make everything more expensive.

Ransomware has already changed this somewhat: now the cost is halting operations for a potentially lengthy period of time, and that has spurred a lot more awareness that the current model is insufficient but not from what I've seen significant efforts to change it.

Having attempted (unsuccessfully) to write a resumable HTTP/HTTPS downloader, which is what I suspect nsurlsessiond is using behind the scenes - it's really hard to get it right. Meanwhile I expect to be able to start a BitTorrent download, throw the laptop down the stairs, take out the hard drive and be able to successfully resume it on a different computer because that's a protocol that was actually designed for it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Range_requ...

And if they need to get more clever than that, why not have a BitTorrent-like map of chunk hashes. So you download the update, check the hash of the whole thing and if it fails the hash check, download the chunk hashes which will be say a 256 bit hash for every individual 32 MB chunk of the file. And for any chunk that fails the hash check, use a HTTP range request to download it again.

We are pretty heavy Internet users at home (Starlink), but the cell plan is 2GB per month, shared between me and my wife. We rarely overrun that.

I think that there are a lot of retired people with small phone plans and no WiFi. All they do is a few phone calls and a bit of email with the family. So, updating those phones frequently is problematic. They probably take them to the phone store where they bought them.

Tech workers have difficulty taking into consideration lifestyles they don't know exist, which is understandable. At the end of the day this comes as another consequence of the lack of diversity in tech, I guess.

All these groups have different needs and expectations to the products they buy or lease. And development teams and their business cannot expect to understand that by having a more diverse development team. They have to do better requirements engineering, they have to listen better to their customers and they have to decide and prioritize those needs and expectations. E.g. A/B testing has abysmal consequences for the needs and expectations of minorities.

We are in the B2B/B2EDU space so the "As a grandmother, I think..." line of thought does not apply. However, she has frequently had insights and observations that none of us would have come up with. Once implemented, they have been very successful/profitable.

So yes, absolutely, unless your company wants to be in a very specific niche, the lack of true diversity in your company is a drag on your success.

PS - my grandfather had a tech job in Sunnyvale. He passed away last year at the age of 92. Point is - everyone alive has lived in a world with pervasive technology and computing. "They're old and can't understand this stuff" is pure BS.

> However, she has frequently had insights and observations that none of us would have come up with

> So yes, absolutely, unless your company wants to be in a very specific niche, the lack of true diversity in your company is a drag on your success.

The conclusion you are drawing here, does not follow from your two observations above. The fact that your product manager has had insights, that nobody else had in team, does not mean a "lack of true diversity in your company is a drag on your success." Some diversity may help in certain situations and in others not. The above mentioned insights and observations might just be the result of competence and more experience of the product manager or incompetence of the rest of the team. There may be many other reasons. We don't know. We have one observation and should refrain from generalizing. That this is because of more diversity is just a speculation. A speculation that fits an often repeated narrative, but that doesn't make it a logical conclusion.

Once you have that you create a user journey map for each of those personas - in this case they need a user journey map for updating. Your test teams then have to take each persona and run through testing with those constraints and capabilities in mind.

They don't have a high-speed network or are using a cellular network? One or more personas should have accounted for that. Color blind? One or more personas should have accounted for that and there's software available that can make your screen as it appears to those who are colorblind.

These personas should be corporate-wide - these are your customers after all. I would be shocked if Apple isn't doing something like this, but then again, after getting a glimpse at how the sausage is made I've come to the conclusion Big Tech isn't any better at creating and testing software (well, not that much better) than anyone else.

Before Apple or any other customer company describes personas, there is an explicit or implicit decision of which personas to consider and which not. But most consumer targeted companies hide which personas they consider and which not.

When I mentioned diversity, what I actually had in mind was that all tech workers in California have wifi, and probably find this so normal to connect your phone to wifi that they expect any normal user will do this on a daily basis.

I'm not a grandma but I'm a tech worker with a very different life style. Like the person I was replying to's grandma, I have no wifi. Like her, I have to fake it from time to time so that my Android phone will backup photos, accept to download Google drive documents, etc.

So the diversity I had in mind is rather a diversity in location and lifestyle.

You may love cars. You might think Tesla’s are amazing. But if you live on a small island without an electrical grid, it might not be the car for you just because it doesn’t come with its own solar panels.

I think its more a legacy thing, when iPhones first came out this made somewhat sense, to spare the mobile networks the load.

If you have a 5G iPhone you can set it to download updates over 5G but its just plain stupid you can't do it over 4G. Over 2G or 3G it makes a little bit sense.

If Apple really cared, it would have changed this scenario by now. A 7year old android device which can download/sideload latest Firefox is technically more secure for web browsing than an latest iOS device which is yet to receive an OS update with the critical patch for the Safari.

But as Tim Cook proudly claims, People who use Apple products are those 'don't want to take risky decisions themselves' maybe they'd be willing to wait for that OS update however long it takes.

Written five years ago but sadly still relevant: https://steveblank.com/2016/10/24/why-tim-cook-is-steve-ball...

> This isn’t an “anecdote” or an edge case, not everyone lives in a developed country and millions are just like my grandma

In too many countries, mobile data is incredibly expensive. If Apple were to allow over-the-air OS updates, you can bet it would take only a week until the first class-action lawsuit by people having their data caps blown through because they did not understand that updates are huge.

They don't see a need for a modem hooked to a wired line necessitating a second subscription and procedures to follow when you move apartments, when in any case you will have a 4G connection that follows you around on your smartphone.

Is there a better way than providing a wifi hotspot with your mobile phone?

I hear that Android lets you enable updates-over-4G, but allows carriers to block the feature. That's detestable! Surely, if I pay for data, I should be able to use it for anything (legal) I deem important? I don't like corporations making those decisions for me.

I'm German, and ... wtf, I'm envious. We have three carriers: O2 (which is cheap, but their network is horrible), Vodafone (which is expensive, has a good network, and is constantly plagued by issues with its customer service) and Telekom (expensive, good network and decent customer service).

Telekom's cheapest plan is 40€ a month which has 6GB, and the biggest plan before flat-rate (at 85€) is 24 GB for 60€ a month...

14 GB for 13€ (https://www.handyvertrag.de - it's a brand of Drillish, reseller of the O2/Telefónica/E-Plus network)

40 GB for 19€ (https://bestellung.vitrado.de/offer/index/2b5pv1)

Your comment seems to be implying that Apple could simply ship the delta in the source code: i.e. something like `git diff --minimal --word-diff=porcelain head^1`. Would this not require iOS to be compiled on the device, and store its own source code, à la `.git`? How would you address the issue of the compiler itself needing to be updated as part of this process?

Or are you suggesting they would ship the diff for the binary? For one, I don't think the delta in the resulting binary would be as small as the delta in the source, due to addresses changing, etc. There are tools like bsdiff which can 'intelligently' handle this, but I believe they aren't widely used for operating system updates, as opposed to standard userspace binaries.

In addition to this, the diff shipped would be relative to whatever version the device is currently using, which would necessitate storing a very large number of diffs, especially for binaries, or else computing it on the fly (which simply shifts the burden from disk space to CPU cycles).

Or have I misunderstood you entirely?

https://en.wikipedia.org/wiki/Patch_(computing)

In particular, bsdiff has been around for a very long time and is an industry standard binary diffing tool.

Indeed, Apple used to distribute patches this way in the past.

You also could ship a list of updated system files hashes, compare to the installed files and just download the changed ones, like rsync.

Better than shipping a whole new disk image every small update they do.

It's the same lazy dev culture that gives us Electron apps, or the lazy sysadmin culture that gives us docker.

It's cheaper to create massive incomprehensible and unmaintainable edifice that requires massive storage / processor / network inefficiency to maintain versus well thought-out and "clever" systems that work efficiently.

Personally, I wish the days of optimizing for low-resource machines, slow network connections, and expensive storage weren't gone. As an end-user I think the results of moving away from a culture of optimization haven't been good. I think the ship has sailed, though.

The reason Apple doesn’t is because they like to ship updates as bootable disk images. This makes it easier to roll back from than an in—place update, since you can just boot the old image if the update fails.

Sure, there are always going to be problems you miss. I can forgive them shipping with zero-days, it happens. Failing to respond to reports is just that: failing.

In case there is any confusion, there has been at least one of those a year for the past 3 years.

It’s extremely common for an attacker to find a way to exploit a maliciously crafted image. Take a look at libpng, https://www.cvedetails.com/vulnerability-list/vendor_id-7294...

This is hard for me to believe for a company the size of Apple. They were recently the wealthiest company on the planet and are worth over a trillion dollars IIRC. They could slow down their software development process, focus less on adding new features, and prioritize fewer security holes. It seems like such a huge risk to them that their devices are basically always vulnerable. But the general public never really hear about these 0-days so they may have some ability to ignore the problem.

The cynic in me imagines that someone at Apple knows about these bugs and they are shared with spooks for exploitation. One could imagine that even for a responsible disclosure program, they could share details of every new vulnerability with some three letter agency who could have months of use out of them before a patch is finally released.

My inner cynic¹ has a slightly different take on that: You don't get to be the wealthiest company on the planet by doing the right thing at the expense of the profitable things.

¹ He says, pretending it isn't also his outer and all-consuming cynic!

Or at least that's what I just realized.

I've had this conversation too many times. Security isn't hard, it's just that nobody has respect for it. The guy who understands software security isn't getting the respect he deserves. The situation is so bad, some companies are literally hiring people who know the equivalent of script kiddie "penetration-testing".

Pay security engineers enough and listen very carefully to what they have to say. Literally the only companies who seem to understand this basic concept seem to be the intelligence agencies, and a few other high profile companies.

I think it’s less about disclosure handling but more about being motivated to pay for or build a black magic code analysis tools.

I don't believe that. Making perfectly secure software at large scale is indeed very hard, but a lot of security issues we see every day have little to do with lack of perfection. There's a ton of low hanging fruit out there.

> The junior to senior developers are just using existing frameworks with poor documentation.

Yes, I do believe that the modern way of quickly ducktaping junk together while paying little attention to security does make for lots of security issues, which might give someone the impression that cybersecurity is ridiculously hard.

Security requires proactive effort. It's not ridiculously hard, but it needs to be done, it requires time (just as anything). Leaving it for "hope you don't write buggy code" and "does colleague notice the gaping hole in code review" is not doing security, it's just winging it.

And I've never really been asked to do security, even when literally working on a security product. Everyone just seems to assume security is an automatic byproduct of skilled programming, but it's not when the pressing concern is "how many hours/days/.. does it take to ship this new feature oh and we have three dozen other features that need to be implemented soon" and "can we get it sooner?" and "why is it taking so long, it's not that hard!"

It needs to be discussed, planned, designed, reviewed, tested, verified, questioned, audited. Just like anything else, if you want quality. None of this is ridiculously hard, but it needs to be done for it to be done. If it's not being done, it's that the organization doesn't care about it.

In a lot of ways it's similar to technical debt. Are you taking the time to avoid it, reduce it, get rid of it? No? Then you're accumulating it. Security issues accumulate just like technical debt when ignored. And even the most skilled programmers do generate technical debt (because they don't jump into a problem with perfect knowledge of what needs to be done). Depending on the organization, they may or may not get to fix it. Many organizations just don't care and would rather have the devs work on something "more productive."

Building secure software and building anti-cheat are nothing alike.

Anti-cheat is fundamentally impossible (on a true general purpose computer) because you’re building software that has to run in an environment where it can be dissected and modified.

Building a secure device (something which has to satisfy certain security properties for all inputs through a constrained API) is fundamentally possible. We’re just too lazy and cheap to do it. I don’t even think it’s “ridiculously hard” - we would just have to spend more money on correct by construction designs, formal methods, etc instead of spending money on flashy UIs and random features no one cares about.

The number of employees at Apple working on security is vanishingly small compared to the number of employees, say, working on random siri features. And the way they approach security in many apps is also wrong. Instead of having people with formal correctness backgrounds designing the APIs against which apps are built, they just have developers with no security background putting everything together and then have a few security people trying to pick up the pieces.

(1) We used safe languages like Go, Rust, C#, Java, and Swift instead of 1970s YOLO languages like C and C++.

(2) Our operating systems were designed from the ground up to be secure in a modern environment.

Unix (all flavors) and Windows were both built long before security was anywhere near as much of a concern as it is today. Their security posture is very lax by modern standards. Applications have a ton of permissions by default including seeing the whole network and filesystem. Everything runs with only basic memory isolation. Everything has access to an enormous system call surface area.

It is extremely hard to apply security in retrospect to an insecure system, especially a complex one with lots of legacy support requirements. You are going to be playing a whole lot of "whack a mole."

A modern secure OS would begin with the principle of least privilege and be built from the ground up to isolate applications as much as possible from anything they are not entitled to access.

Oddly enough the web browser might be the best attempt. When you browse the web you are basically swimming in malware, and you are relatively safe.

This is why I wonder why "minimize your data exposure" is such a controversial opinion.

Security is challenging, but there are lots of things we know how to do better that many software developers still aren't doing. For example, if you're still writing application-level software in an inherently dangerous programming language in 2021 and that application handles important data in a connected device, you're part of the problem. If you ship a networked hardware product with a standard password for all devices or forget to disable the backdoor access used during development, if you use encryption or hashing methods that are known to be weak, etc. These things obviously won't solve all security problems, but they are low-hanging fruit that is still being left on the tree far too often.