[HN Gopher] Apple silently fixes iOS zero-day, asks bug reporter...
       ___________________________________________________________________
        
       Apple silently fixes iOS zero-day, asks bug reporter to keep quiet
        
       Author : DemiGuru
       Score  : 294 points
       Date   : 2021-10-13 19:14 UTC (3 hours ago)
        
 (HTM) web link (www.bleepingcomputer.com)
        
       | woliveirajr wrote:
        | Seems that no credit, no bounty, nothing, has become the way that
        | Apple deals with the iBugs Hunters.
        | 
        | And all it takes is one of those unsung heroes giving up on
        | reporting to Apple and, instead, reporting to some 0-day company,
        | and some ransomware go brrrr
        
         | croutonwagon wrote:
          | I'm surprised it hasn't happened yet. It seems Apple is possibly
          | openly hostile and uses "red tape" as an excuse to obfuscate
         | communication and frustrate those trying to do right by them
         | instead of just posting it to github and calling them out on
         | twitter.
         | 
          | It's one of a few reasons I have made some in-roads into moving
         | off the platform.
        
         | tptacek wrote:
         | These vulnerabilities do not enable ransomware.
        
         | _jal wrote:
         | I'm sure people are selling them, although I think it would
         | only become public by accident.
         | 
          | At least some are going back to the Full Disclosure days...
         | 
         | https://twitter.com/jonathandata1/status/1448037463419674625
        
         | threeseed wrote:
         | This comment is just nonsense. They regularly credit security
         | researchers:
         | 
         | https://support.apple.com/en-au/HT201222
         | 
          | Seems like in this case it's just a mistake that was made.
        
       | supernova87a wrote:
       | Why are people out to crucify Apple for a story that's still
       | being resolved? The article clearly says:
       | 
       | "... _Due to a processing issue, your credit will be included on
       | the security advisories in an upcoming update. We apologize for
        | the inconvenience," Apple told him when asked why the list of
       | fixed iOS security bugs didn't include his zero-day_..."
       | 
       | "... _We saw your blog post regarding this issue and your other
        | reports. We apologize for the delay in responding to you," Apple
       | told Tokarev 24 hours after publishing the zero-days and the
       | exploit code on his blog_...
       | 
       | "... _We want to let you know that we are still investigating
       | these issues and how we can address them to protect customers.
       | Thank you again for taking the time to report these issues to us,
       | we appreciate your assistance_... "
       | 
       | The company hasn't denied the bounty, they're just incompetent /
       | slow on this process.
       | 
       | Feels like everyone is out to paint <x> company with just
       | confirmatory bias using whatever half-baked story is available.
       | Even I feel for company leaders in this kind of shitty journalism
       | environment. And the rest of the comments here are just autopilot
       | piling on the echo fest.
        
         | smoldesu wrote:
         | >Why are people out to crucify Apple for a story that's still
         | being resolved?
         | 
         | >The company hasn't denied the bounty, they're just incompetent
         | / slow on this process.
         | 
          | People probably expect more from... _checks notes_ The world's
          | most valuable and successful modern corporation.
        
           | efleurine wrote:
           | And iOS users should be grateful that they report those bugs
           | to Apple to get paid. They could also sell it to some spying
            | companies and maybe those pay well and very fast
        
             | tptacek wrote:
             | Or maybe they don't pay for these bugs at all.
        
           | ewagsjr wrote:
           | Ya, if I interpreted this right, also really convenient that
           | they seem to be dragging their feet on a $100,000 bounty.
        
         | mike_d wrote:
         | Devil's advocate here: I've worked the other side of managing
         | bug bounties.
         | 
         | It is entirely possible the researcher found something but
         | didn't realize how deep the problem went. Apple may have
         | released an incremental patch and is working on fixing a larger
         | issue they found when digging into it.
         | 
          | When this has happened in the past, from the researcher's
         | perspective things seem quiet/delayed because we obviously
         | can't share details of a larger vulnerability with them. All we
         | can really do is ask for more time. In the end it all works out
         | and they get paid out/credited for the original+follow on bug.
        
           | vlovich123 wrote:
           | Why wouldn't the company communicate to the researcher "we
           | found a larger issue related to this. your bounty will be
           | upgraded to X. Please restart the clock for public
           | disclosure" or something along those lines. Seems like better
           | communication would create a win-win situation.
        
           | thaumasiotes wrote:
           | > In the end it all works out and they get paid out/credited
           | for the original+follow on bug.
           | 
           | I've worked on the company end of bug bounties too, and it
           | does happen that a report just falls through the cracks.
           | Seemingly-inactive reports do need a certain amount of
           | maintenance; you don't want to just trust that everything
           | will work out in the end. (That said, as long as you get
           | responses when you ping the company, things are working in
           | the background.)
           | 
           | (edit to followup: in about 18 months of this, I encountered
           | one report that had fallen through the cracks. Obviously,
           | there might have been others that never came to my attention
           | at all, but the companies are tracking things much more
           | carefully than researchers often assume.)
        
         | bellyfullofbac wrote:
         | Because those emails are probably lies, they're just delaying
         | and delaying and hoping it will just go away, and writing fake
         | "We're sorry"'s when they're forced to.
        
         | Spooky23 wrote:
         | Some security people love to hand-wave and issue prophecies of
         | doom for attribution and attention. It's great chum for writers
          | -- easier to run with some guy's grievance than research a more
         | substantive story.
        
           | tptacek wrote:
           | There's a spectrum of quality to these stories, and one sign
           | that you're tending towards an end of that spectrum is the
           | use of the term "zero-day" without qualification. These are
           | bug bounties; _all of these bugs are zero days_ , no matter
           | how severe (or not) they are. It's literally the least
           | important detail in the story about how a bounty is being
           | handled.
        
         | xondono wrote:
         | The "Apple Hater" market is as big as the "Apple fanboy"
         | market, maybe even bigger!
        
         | throwaway37284 wrote:
         | I understand what you're saying and in most cases, most
         | companies, most products, you are correct and I would
          | absolutely agree. In this case it is an iOS zero-day. I'm not
          | sure of the number of people on the planet using iOS but the
         | chances of that zero-day being applicable to the phone in your
         | pocket at one point aren't too bad. I do think Apple should be
         | held responsible, their massive amount of sales has given them
         | a massive amount of responsibility that they are not stepping
         | up to.
        
         | polack wrote:
         | "Since then, Apple published multiple security advisories (iOS
         | 14.7.1, iOS 14.8, iOS 15.0, and iOS 15.0.1) addressing iOS
         | vulnerabilities but, each time, they failed to credit his
         | analyticsd bug report."
         | 
         | "Two days ago, after iOS 15.0.2 was released, Tokarev emailed
         | again about the lack of credit for the gamed and analyticsd
         | flaws in the security advisories."
         | 
         | They didn't give him credit in the last 5 advisories. Really no
         | excuse for that imho. If Apple keeps this up then why would
         | anyone report bugs to them when you can just post it online and
         | get credit for it right away? Or sell it on some 0-day site.
        
           | glenstein wrote:
           | Exactly, that's the issue. This is a RT*A scenario.
        
           | tptacek wrote:
           | If credit is what you care about, it's straightforward to
           | ensure you get credit without working with Apple's bounty
           | program. You can do what P0 does and provide a fixed timeline
           | after which you're publishing, and nobody credible is going
           | to hold that against you (in part because P0 has established
           | this norm).
        
           | efleurine wrote:
           | Obviously credit is important for them as a proof of
           | competence. If the company does not give them credits how can
            | they build their business, portfolio. You can just say I was
           | the one who discovered this.
           | 
           | Every field works in a certain way and when it comes to
           | bounty you want to make a name for yourself. You can't just
           | pull up and say you are the one
           | 
            | But yeah maybe they should just sell it to third-parties
        
         | stefan_ wrote:
         | > they're just incompetent / slow on this process
         | 
         | > I feel for company leaders in this kind of shitty journalism
         | 
         | You're not making sense. Plus Apple has a history of being
         | incompetent and slow on this.
        
           | coldtea wrote:
           | > _Plus Apple has a history of being incompetent and slow on
           | this_
           | 
           | Have they, really? Just because you find this instance here
           | and there of such a story where they were, doesn't mean they
           | have a history of being incompetent and slow on this (the
           | same way someone who hit 99% of their three-pointers doesn't
           | have a history of being an awful shooter).
           | 
           | That's how they fare long term:
           | 
           | https://www.pandasecurity.com/en/mediacenter/mobile-
           | security...
        
             | smoldesu wrote:
             | Apple's bug bounty is notoriously slow to respond, to the
             | point that it has posed legitimate security concerns in the
             | past: particularly their rhetoric around Thunderspy amused
             | me.
             | 
             | https://habr.com/en/post/579714/
             | 
             | https://thunderspy.io
        
               | QuizzicalCarbon wrote:
               | How can we reasonably say Apple is moving slowly to fix
               | bugs when we don't know how much work is going on behind
               | the scenes? A slow response can just be a slow response.
        
               | smoldesu wrote:
               | I can reasonably say it because _all_ of their
               | competitors have less cash, yet many of them respond
               | faster than Apple does.
        
         | calibas wrote:
         | You're framing this as if it's all about the bounty and Apple
         | just hasn't gotten around to it yet. That's only a small
         | fraction of the story and could easily be forgiven. If I wanted
         | to make Apple look good, I'd focus on that part, but that would
         | be rather biased to ignore the whole picture...
         | 
         | Tokarev discovered 4 iOS 0-days, then reported them all to
         | Apple back in May. After months of Apple's continued refusal to
         | fix or even publicly acknowledge all four of the issues,
         | Tokarev made all of them public on GitHub.
         | 
         | Weeks passed, and now it's today. Apple has yet to fix or
         | publicly acknowledge two of the four security vulnerabilities.
         | That should make Apple look bad because it's some fundamentally
         | irresponsible security practices.
         | 
         | Yes, I'm biased. I'm human, not a computer, and it's stuff like
         | this that makes me biased towards Apple. They should receive
         | negative publicity for this, then they should change how they
         | do things. At the very least, app developers and users should
         | be warned about the two issues that have yet to be fixed.
        
           | tptacek wrote:
           | I don't know anything about Apple's bug bounty program except
           | that there's a prevailing attitude that it is not the well-
           | oiled machine that Google's bug bounty program is perceived
           | to be, and I'm not super interested in making a case for
           | Apple here. But because this is a recurring theme in every
           | discussion about every bug bounty run by anyone:
           | 
           | * There are valid reasons that bugs can take longer to fix
           | than you'd expect; the most notable of them is when the bug
           | you found is actually systemic, or has a deep root cause, and
           | the real fix for the vulnerability is more complicated than
           | the surface bug. Without a hard timeline, some shops will
           | work to get the root cause fixed on some bugs even at the
           | cost of an increased timeline, because the patch for the
           | surface bug reveals the pattern and amplifies risk to
           | customers.
           | 
           | * As a reporter, you can take some measure of control over
           | the process back by providing a fixed timeline (like the P0
           | 90 days). There's no negotiation needed; you give the vendor
           | time to fix and they either do or don't, but either way
           | you're going public. That is a valid way to go about things,
           | but may cost you the bounty.
           | 
           | * These things are bug-dependent, and the process that runs
           | for a zero-interaction RCE won't be the same as the process
           | that runs for a bug that requires a malicious app store app
           | and only gives access to the contact database.
           | 
           | * Message boards tend to expect that big vendors can just
           | shell out for the bounty as a show of good faith. It's easy
           | to see why they believe that. It makes sense. But it also
           | creates broken incentives. The limiting reagent on bugs isn't
           | bounty dollars (these are indeed barely even rounding errors
           | to major vendors), but rather programmer time. If you pay out
           | for weak, stuck-in-process bugs, you create incentives that
           | redirect programmer time to those weak bugs and away from
           | more significant bugs; as angry as you can reasonably be
           | about a malicious app being able to snarf your contacts, if
           | you're rational, you're a lot more concerned about memory
           | corruption flaws, which is what you really want people
           | spending their time on.
        
         | amatecha wrote:
         | Probably because the 0days have been fixed and the public have
         | received the benefit of the security researcher's report to
         | Apple, but he hasn't received any recognition or compensation
         | through the bounty program via which he reported the
         | vulnerabilities?
        
       | [deleted]
        
       | kamilman0 wrote:
       | Could it be that maybe they try to uphold the reputation of Apple
        | by doing so? But it doesn't make sense either way because they
       | could have just paid those guys and then everyone is happy.
       | That's just some ass-backwards logic. I am an Apple fan and I'm
       | not going to defend this. It's just plain bad behavior on their
       | side.
        
         | kjaftaedi wrote:
         | It seems like the last person you would want to dick around
         | would be someone who seems to be extremely good at finding
         | extremely valuable vulnerabilities.
        
       | aborsy wrote:
       | The need for Linux phones, in a market dominated by two companies
       | and one government, is more than ever!
       | 
       | Hope we soon get a usable Linux phone.
        
         | beermonster wrote:
         | Such a market need grows daily. Hopefully only a matter of
         | time.
        
         | reginold wrote:
         | PinePhone is our only hope! Still a ways off from being
         | consumer ready but it's heading in the right direction.
        
           | Buttons840 wrote:
           | "Only option"? What about Purism phones?
        
       | coldtea wrote:
       | >Apple silently fixes iOS zero-day, asks bug reporter to keep
       | quiet
       | 
       | Isn't that standard procedure for any company faced with a 0-day,
       | prudent, and the right thing to do?
        
       | jtsiskin wrote:
       | Zerodium (https://zerodium.com/program.html) pays out $2 million
       | dollars for an iOS "full chain with persistence" exploit. $500k
       | for an iMessage RCE. Up to $100k for an iOS "information
       | disclosure" exploit (likely what this would have fallen under).
       | Paid for via bank wire or Bitcoin/Monero/Zcash in 1 week or less.
       | And legal.
       | 
       | Next time someone finds one of these, I wonder where they will
       | report it to....
        
         | netsec_burn wrote:
         | See my comment history for a firsthand account of Zerodium.
        
         | DSingularity wrote:
         | Is it moral though? What do they do with these exploits? If it
         | is to help advance the agendas of countries like Israel and
         | Saudi Arabia how would you feel submitting exploits to them?
        
           | lccarrasco wrote:
           | People worried about the morality aspect could sell the
           | exploit, donate the money and report the issue to the
           | manufacturer anyways.
        
             | doopy1 wrote:
             | I don't think Zerodium payouts are lump sum... I believe
             | they are staggered in order to mitigate against this stuff.
        
               | tptacek wrote:
               | So far as I know, essentially all grey market
               | vulnerability sales are tranched, which is an important
               | consideration when comparing bounty payouts to the grey
               | market.
        
           | tptacek wrote:
           | They sell them to the IC.
        
           | miohtama wrote:
           | You can choose between a rich murderous dictator and an
           | arrogant IT company that does not give you a proper credit.
           | Either way you are screwed as a security researcher :(
        
             | [deleted]
        
             | ethanbond wrote:
             | Uh, if your consideration is purely what happens to _you_ ,
             | sure. If you have any thought in your mind about what will
             | happen to other people due to your work, then it's nowhere
             | near the same.
        
               | AustinDev wrote:
               | Trillion dollar companies are people under the US
               | constitution and they don't seem to care about that so
               | why should everyday citizens?
        
         | tptacek wrote:
         | Zerodium doesn't list "information disclosure" for smartphones.
         | "Information disclosure" from an email server means
         | exfiltrating the emails. Zerodium will almost certainly not
         | outbid Apple for the `gamed` vulnerability here (maybe for
         | publicity).
        
       | comeonseriously wrote:
       | I wonder what would happen if everyone that knows about this just
       | starts pounding Apple's online presence (twitter, fb, etc) in
       | protest of their actions. Would they relent and pay up?
        
       | threeseed wrote:
       | Apple definitely needs to improve its processes in order to
        | ensure he and others get credit.
       | 
       | But he is over-reacting about the confidential line. When I
       | worked at Apple years ago I added a similar line when dealing
       | with external people. And in every email I have sent whilst
       | working for telcos, banks etc over the last decade a similar line
       | has been included automatically at the footer. It's more a
       | boilerplate polite request not a demand.
        
         | wilde wrote:
         | That's not clear at all. I'd be twitchy too if I had $100k on
         | the line and the other party had repeatedly messed up over
         | months of interactions.
        
         | ziddoap wrote:
         | It is of note that this is not the standard footer attached to
         | outgoing e-mails.
         | 
         | It's the first line of the email after the greeting, manually
         | written in.
        
           | threeseed wrote:
           | Not all emails will trigger the automated footer if they use
           | it at all. They never did when I was there.
           | 
           | And being a very serious security vulnerability (enough to
           | warrant its own release) they are probably just being
           | cautious.
           | 
           | It really is a polite request not some legal demand.
        
             | ziddoap wrote:
             | I didn't mean for my comment to come across as disagreeing
             | with your overall point - just highlight that there is (in
             | my mind) a fairly big difference between auto-generated
             | footers attached to outgoing emails that you referenced (re
              | banks, telcos) and explicitly written instructions at the
             | beginning of an email.
        
       | IndySun wrote:
       | Apple the corporation religiously and sometimes aggressively
       | portray themselves as virtuous, safe, and honest, but this
       | behaviour suggests those qualities are marketing tools.
        
       | DemiGuru wrote:
       | As an apple fan myself, I agree that this type of practice
       | renders the platform less secure rather than more secure.
       | Everyone ends up losing.
        
       | killingtime74 wrote:
       | For want of a nail the kingdom was lost. Just pay the stupid
       | bounty
        
       | o_m wrote:
       | I wish Apple would do a feature freeze for iOS and macOS for a
       | couple of years, then focus on fixing bugs, improving security
       | and optimizing performance instead.
        
         | sbarre wrote:
         | But money!
        
       | ballenf wrote:
       | Here's a fun conspiracy theory proposed entirely in jest:
       | 
       | Apple doesn't want to patch zero-days used by US authorities in
       | order to alleviate pressure on its encryption practices.
       | 
       | So they really only want to fix zero-days that are known broadly
       | or get media attention. And they don't want to give too much
       | incentive to researchers to report zero-days to Apple instead of
       | selling them to the highest bidder (which may ultimately be the
       | largest governments with the greatest ability to regulate Apple).
        
         | jjcon wrote:
         | > alleviate pressure on its encryption practices.
         | 
         | Apple is not that different from the status quo on end to end
         | encryption as to necessitate a conspiracy (probably even in
          | jest). They have no iCloud encryption, no photos encryption,
         | no device backup encryption etc etc.
        
           | ballenf wrote:
           | Would that still apply if a target has iCloud backup turned
           | off?
        
           | dev_tty01 wrote:
           | One small correction. They do have backup encryption. As a
           | matter of fact, your various account passwords are only
           | backed up if you keep the encrypt option turned on.
           | 
           | https://support.apple.com/en-us/HT205220
           | 
           | As far as the original article, I agree completely that not
           | paying and crediting these folks in a timely manner is just
           | stupid and will reduce Apple security long term.
        
             | heavyset_go wrote:
             | Apple holds the keys to encrypted iCloud backups.
        
               | dev_tty01 wrote:
               | Yes, they do have some way of using your iCloud account
               | credentials to get to the backup key. Given the level of
               | customer support needed for forgotten backup keys, they
               | have probably chosen this as the lesser of two evils.
               | 
               | If you don't like that "feature," don't do iCloud
               | backups. I do direct backups as described in the support
               | link. Apple doesn't have those keys.
        
               | ballenf wrote:
               | I do wonder how much longer local, machine-based backups
               | will continue to be supported. Could easily see a future
               | model dropping the cable entirely, dropping local backup
               | and modestly upping the free iCloud storage.
        
               | selectodude wrote:
               | iPhones have supported Wifi backup to local computer for
               | a decade now.
        
         | threeseed wrote:
         | So then explain this page:
         | 
         | https://support.apple.com/en-au/HT201222
         | 
         | Why would they bother fixing any of the bugs ?
        
         | rlt wrote:
         | Next level conspiracy theory: Apple employs, knowingly or
         | unknowingly, CIA/NSA agents who intentionally introduce these
         | bugs.
        
           | [deleted]
        
           | tptacek wrote:
           | It would indeed be a next-level conspiracy theory to suggest
           | the NSA planted an employee at Apple to introduce a
           | GameCenter bug that lets you read a cache of contacts, rather
           | than, you know, just taking the whole device over, which is
           | what "zero day" usually implies.
        
         | tptacek wrote:
         | This is indeed silly, because the zero-day vulnerabilities that
         | the IC exploits provide full kernel-level access to devices,
         | and this just lets you read contacts from an app you install
         | from the app store (which does local API-level surveillance
         | already) on the device.
        
         | smoldesu wrote:
         | You've got the wrong ideas. The government isn't using the same
         | exploits as you and me, their backdoors are hidden much better
         | and offer far more comprehensive control than just a silly
         | Gamecenter vuln.
        
         | paxys wrote:
         | If Apple was complicit in US authorities breaking into their
         | devices they wouldn't be doing so via publicly exploitable
         | vulnerabilities. Bugs making their way into the "wrong" hands
         | decreases trust in their ecosystem. It makes much more sense to
         | just add a backdoor.
        
       | post_break wrote:
       | What a slap in the face. This guy is owed a boatload of cash, and
       | typical Apple just kicks the can down the road. Next time I hope
       | he sells his next vuln to the highest bidder.
        
         | tptacek wrote:
         | Who's the next highest bidder after Apple for a bug in `gamed`
         | that allows you to access GameCenter and download contacts?
         | It's a significant vulnerability, but there's e.g. no price
         | list entry on Zerodium (you can take Zerodium more or less
         | seriously, this is just a data point) for anything but code
         | execution, which this vulnerability isn't.
        
           | WesolyKubeczek wrote:
           | > Who's the next highest bidder after Apple for a bug in
           | `gamed` that allows you to access GameCenter and download
           | contacts?
           | 
           | Anyone who actually pays money or golden bars within a
           | reasonable timeframe?
           | 
           | > It's a significant vulnerability, but there's e.g. no price
           | list entry on Zerodium
           | 
           | On this scale I think it's "Contact us and we negotiate" sort
           | of price.
        
             | tptacek wrote:
             | Who? Speculate as to who they might be. The six figure
             | numbers you're familiar with are for code execution bugs.
             | This is obviously not that. So they're not anybody that
             | quotes prices for bugs, or anyone directly comparable to
             | them.
             | 
             | Governments can already pay prices comparable to the
             | supposed bounty valuation of this bug for code execution.
             | They're probably not shelling out six figures in gold bars
             | for a bug that exfiltrates contact lists from apps that
             | have to be installed from the app store.
             | 
             | The non-bounty market clearing price for a lot of scary
             | sounding vulnerabilities is $0.
        
         | gjs278 wrote:
         | there is no next highest bidder, you live in a cyberpunk
         | fantasy land
        
         | ambientenv wrote:
         | > Next time I hope he sells his next vuln to the highest bidder
         | 
         | And thereby accomplishing what, exactly? There is still merit,
         | albeit not from a material wealth standpoint, for doing the
         | right thing for the right reasons.
        
           | ClumsyPilot wrote:
           | "There is still merit, albeit not from a material wealth
           | standpoint, for doing the right thing for the right reasons"
           | 
            | There seems to be the strange worldview where ordinary Joe
           | must be morally impeccable but its corporate leadership can
           | be as immoral as they come.
           | 
           | Like the richer you are, the less rules you have to follow.
            | Surely it should be the other way round?
        
           | celim307 wrote:
           | I agree somewhat, the users which include me get caught in
           | the crossfire if someone releases a zero day out in the wild,
           | but I also think there needs to be a negative feedback to
           | these tech giants that expect work for free.
           | 
           | But in the grand scheme of things, does it even punish the
           | tech giants? They have so many claws in a users life, and in
           | the case of apple, your only other choice is google or a
           | bunch of shady oems.
           | 
           | At the end of the day the only people who pay for it are
            | users themselves, their data is compromised and irreversibly
           | out there
        
           | aviraldg wrote:
           | Forcing Apple to do the right thing the next time.
        
           | kbenson wrote:
           | You can rely on the vast majority of people to do the right
           | thing when it's in their best interests.
           | 
           | You can likely rely on a good majority of people to do the
           | right thing when it isn't for or against their interests in
           | any substantial way.
           | 
           | I'm not sure of the number of people who will do the right
           | thing when it's not in their best interests by some small but
           | noticeable amount.
           | 
           | I'm also not sure of the number of people who will do the
           | right thing when it's vastly against their best interests,
           | but it's bound to be far less than the prior group, and I
           | suspect it's way below a majority.
           | 
           | The point isn't that these people aren't doing the "right
           | thing", it's that these programs are designed to align doing
           | the right thing with the best interests of the researchers,
           | so noting that we might get more results that are not in the
           | best interests of society at large or the company in question
           | if they don't hold up to what they agreed to is not only a
           | valid observation, it's the likely outcome if we're to expect
           | these programs exist for a reason.
           | 
           | To put this in perspective, say you find a suitcase with a
           | million dollars in it. You can turn it in, or you can keep it
           | for yourself. If there's no real expectation you'll get
           | anything if you turn it in, how does the reasoning go in your
           | head? What if you know you'll get 10% for finding it and
           | turning it in? What if you live in abject poverty? What if
           | you have $60k worth of medical bills for a family member to
           | pay off?
        
           | vadfa wrote:
           | >And thereby accomplishing what, exactly?
           | 
           | ...$$$$?
        
             | basisword wrote:
             | I could accomplish the same thing by robbing a bank -
             | doesn't make it the right thing to do.
        
               | akomtu wrote:
               | Unless it's a mafia's bank.
        
               | spicybright wrote:
               | Doesn't make free work for a trillion-dollar corporation
               | something noble to do.
               | 
               | By that logic, a grocery store giving away everything for
               | free is the right thing to do. Doesn't lead to anything
               | sustainable though.
        
               | young_unixer wrote:
               | Robbing a bank is immoral, selling information about how
               | a piece of software works, in my humble opinion, is not.
               | Or if it is, then it's not even close to the level of
               | "wrong" that is robbing a bank.
        
               | mrtesthah wrote:
               | And what if that information gets weaponized against
               | journalists in an authoritarian regime?
        
               | ClumsyPilot wrote:
               | You know what gets weaponised?
               | 
               | Actual weapons our government sold to Saudi Arabia and others.
        
             | Bud wrote:
             | Except that as this thread demonstrates, there is no
             | realistic possibility of this researcher _actually making
             | more $$$ in real life_ by trying to find another bidder.
        
               | smoldesu wrote:
               | Zerodium pays more for the exploits, and unlike Apple, is
               | willing to compensate you in non-traceable currency.
        
           | AustinDev wrote:
           | Trillion dollar companies don't care about merit for doing
           | the right thing. Why should this guy in the future?
        
             | pcbro141 wrote:
             | Maybe he doesn't want dissident journalists and activists
             | to get spied on and chopped to pieces?
             | 
             | That sounds like a good enough reason to report these bugs
             | for someone with morals.
        
               | lern_too_spel wrote:
               | Dissident journalists and activists can use devices from
               | vendors that care about security enough to run a working
               | bug bounty program.
        
               | rurp wrote:
               | Unfortunately exercising consumer choice works a lot
               | better in a healthy free market than it does in one
               | controlled by an oligopoly. I totally agree that people
               | should try to avoid buying from companies that do immoral
               | things, but it can be quite hard in a consolidated
               | market.
        
         | afrcnc wrote:
         | No, he's not. Those are low-priority bugs and the only thing
         | that made them stand out was the fact that he dropped them
         | online without a patch. RCEs get priority in patching, and his
         | priv esc issues were not as important.
        
           | r00fus wrote:
           | He dropped them online after a significant period of delay.
           | Already discussed here on HN. [1]
           | 
           | [1] https://news.ycombinator.com/item?id=28637276
        
         | bawolff wrote:
         | Can't we hope they go for full-disclosure instead of selling to
         | the highest bidder? Selling to the highest bidder just hurts
         | apple users not apple.
        
           | akira2501 wrote:
           | > just hurts apple users not apple.
           | 
           | As a first-order effect, sure, but Apple is not immune to
           | the damage that this causes either. More importantly, their
           | failure to pay or honor their commitments would be the root
           | cause of this in the future.
           | 
           | They opened this "bug bounty" door on their own; they are
           | solely responsible for its success or failure.
        
       | artful-hacker wrote:
       | This is just one more nail in the already air-tight coffin Apple
       | has built for themselves. I seriously don't understand why people
       | stick with Apple products, they are getting much harder to use,
       | they lock you in to their gimped ecosystem, and their hardware is
       | constantly failing to be reliable.
        
         | watermelon0 wrote:
         | There is no better alternative (at least for some people)?
         | 
         | Just some examples:
         | 
         | - Integration between their devices cannot be matched by others
         | 
         | - Apple Watch has the largest app collection, great integration
         | between iOS and Watch apps, smooth animations/UX, the most
         | accurate GPS of smart watches
         | 
         | - Handover of AirPods between Apple devices is a lot better
         | than with other Bluetooth headphones
         | 
         | - (subjective) iOS has a lot better UX/animations than Android
        
         | slownews45 wrote:
         | Are these comments real? They are surprisingly close minded for
         | a hacker news site.
         | 
         | If you can't see the value apple offers, that's fine, but to be
         | blind to what they offer others seems odd.
         | 
         | I've yet to be scammed by Apple's App Store. I.e., I can cancel
         | my subscriptions easily, and bad apps you can even get a refund on
         | if prompt, etc.
         | 
         | I have been repeatedly screwed by websites run by developers
         | outside of apple. These websites have been LOADED with
         | trackers, they have impossible to cancel subscriptions, they do
         | all sorts of dirty tricks (I'm tired of the intercom type
         | follow-up emails - sorry I missed you, give me one last chance
         | etc).
         | 
         | I get it, the dog eat dog crapfest is appealing to some, but
         | Apple offers an alternative, and for some people that has
         | value. And yes, I get it, the folks making these eye blinding
         | slow websites have lots to say about apple, but my weather app
         | opens promptly on apple, whereas the ad littered weather pages
         | online bog my machine (with 100x the memory) down.
        
         | johnmaguire wrote:
         | I'm so happy Linux is an option on the computer.
         | 
         | When it comes to phones I feel stuck behind a rock and a hard
         | place - choose iPhone, with poor Linux integration and threats
         | to passively scan files on my phone and forward them to LEO?
         | Sure, they have a decent record with security but these bug
         | bounty reports haven't been great.
         | 
         | Or choose Android, with its poor privacy record, a result of
         | being built by an ad company that's already scanning my phone
         | and mining it for data?
         | 
         | edited to add - While I'd love to see a true competitor in this
         | space (i.e. not based on Android - those projects don't seem to
         | work out well as a result of being half-in/half-out of the
         | ecosystem) I don't see how it's possible without the support of
         | the large tech players - Facebook, Instagram, Snapchat,
         | WhatsApp, Twitter, and Spotify at minimum, to say nothing of
         | the long tail.
        
           | atatatat wrote:
           | > Or choose Android, with its poor privacy record, a result
           | of being built by an ad company that's already scanning my
           | phone and mining it for data?
           | 
           | GrapheneOS.org
        
           | lern_too_spel wrote:
           | Android doesn't scan your phone and mine it for data. Apps on
           | Android scan your phone and mine it for data. Apps on iOS
           | _also_ scan your phone and mine it for data. The major
           | difference between the two is that Android lets you choose
           | which apps to put on your phone.
        
             | nijave wrote:
             | "Android" doesn't but Google Play services & bundled apps
             | do
        
           | noneeeed wrote:
           | Likewise. I'm in the market for a new phone. I want to get
           | something top of the line and then keep it for at least 5
           | years, so good updates etc. But I have serious issues with
           | both Google and Apple at this point.
           | 
           | For me it isn't really the tech companies that need to buy in
           | to make an alternative phone OS viable, but things like
           | banks. Online mobile banking is one of the main things I use
           | my phone for after web browsing and messaging. The
           | probability that it won't work on some third OS is what puts
           | me off trying some of the alternatives.
        
             | johnmaguire wrote:
             | Great point. I recall some banking apps placing
             | restrictions on logging in without SafetyNet, e.g., which
             | also puts some of the other Android-based OSes out of the
             | running.
        
           | h4waii wrote:
           | I get that a lot of the Android-based projects don't pan out,
           | but LineageOS has been going for quite a while now, CalyxOS
           | is relatively new, and GrapheneOS (previously CopperheadOS)
           | has successfully established itself as the de facto
           | hardened Android platform.
           | 
           | You can download the source, modify it, and build them all
           | freely. Hopefully more people can get involved and move the
           | needle instead of only lamenting how they don't succeed while
           | not actively trying to help them succeed. I mean this in a
           | respectful way.
        
             | johnmaguire wrote:
             | > Hopefully more people can get involved and move the
             | needle instead of only lamenting how they don't succeed
             | while not actively trying to help them succeed.
             | 
             | That's totally fair. I don't really have the time or
             | Java/Kotlin/mobile familiarity to jump in here, and these
             | aren't skills I can easily apply elsewhere in my career,
             | personally.
             | 
             | > LineageOS has been going for quite a while now, CalyxOS
             | is relatively new, and GrapheneOS (previously CopperheadOS)
             | 
             | My impression of these OSes is that they still rely on
             | Google Play Services - or if not, micro-G which has many
             | shortcomings. When most of the ecosystem doesn't work until
             | you invite Google back in, it doesn't seem like a true
             | alternative IMO.
             | 
             | Admittedly I haven't personally tried running any of them.
             | Which one would you recommend trying if I were aiming to
             | rid myself of Google's omnipresence?
        
               | ev1 wrote:
               | You can install Lineage without Play, and only use
               | Lineage.
               | 
               | Graphene does not require Play Services, but it only runs
               | on a small subset of Android phones that are ~$500+ here
               | (heavily discouraged to use anything older than 4a 5G)
        
               | rOOb85 wrote:
               | You can run one of those OSes without any Google
               | services. Paid apps are almost certain to not run, as are a
               | bunch of other apps that rely on the services. But almost
               | all the apps I use work great.
               | 
               | I have used CalyxOS and it's a great OS. I did use microG
               | and 98% of the apps I use worked flawlessly. If you have
               | a supported phone, I'd definitely give it a shot.
        
           | heavyset_go wrote:
           | > _I don't see how it's possible without the support of the
           | large tech players - Facebook, Instagram, Snapchat, WhatsApp,
           | Twitter, and Spotify at minimum, to say nothing of the long
           | tail._
           | 
           | This wouldn't be much of a problem if it wasn't for Google's
           | SafetyNet that prevents Android apps from running on hardware
           | and software platforms that Google doesn't approve of. You
           | wouldn't need support from large companies if you were able
           | to run the apps they already release for Android.
           | 
           | Compatibility layers like Anbox or Waydroid that allow you to
           | run Android apps on Linux can't run SafetyNet-enabled apps,
           | despite having no problem running other Android apps.
           | 
           | SafetyNet prevents compatibility layers like WSL 1 & 2,
           | Proton or WINE with Android support from coming to Windows or
           | other platforms, as well.
        
             | nijave wrote:
             | What's SafetyNet have to do with anything? It's opt-in
             | device attestation the app creator has to implement.
             | 
             | It's not Android/Google forcing SafetyNet on you; it's app
             | developers insisting you need some special end user setup.
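The point in the two comments above, that SafetyNet is something the app developer opts into and that the developer's own backend decides what to do with the verdict, is easiest to see from the server side. The following is an added example, not code from any commenter, from Google or from any banking app. It evaluates a decoded SafetyNet attestation claims set using the documented response fields (nonce, timestampMs, apkPackageName, apkCertificateDigestSha256, ctsProfileMatch, basicIntegrity); the package name, certificate digest and sample payloads are constructed for the demo, and the JWS signature and attest.android.com certificate chain are assumed to have been verified by the caller before these checks run. The `require_cts` switch is exactly the policy knob that decides whether a custom ROM with intact basic integrity is locked out.

```python
import base64
import json
import os
import time

# Policy the app backend enforces. Both values are constructed for this
# example; a real deployment uses its own package name and signing-cert digest.
EXPECTED_PACKAGE = "com.example.bank"
EXPECTED_CERT_DIGEST = "constructed-signing-cert-digest"
MAX_AGE_MS = 5 * 60 * 1000  # reject attestations older than five minutes


def issue_nonce() -> str:
    """Server-generated nonce the client embeds in its attestation request.
    Binding the nonce to the session is what stops replay of an old verdict."""
    return base64.b64encode(os.urandom(32)).decode()


def decode_jws_payload(jws: str) -> dict:
    """Extract the claims from a compact JWS (header.payload.signature).
    This only decodes; signature verification is assumed to happen elsewhere."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def evaluate_attestation(payload: dict, expected_nonce: str, now_ms: int,
                         require_cts: bool = True) -> tuple:
    """Return (accepted, reasons) for one attestation claims set."""
    reasons = []
    if payload.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (replayed or forged attestation)")
    ts = payload.get("timestampMs", 0)
    if not (0 <= now_ms - ts <= MAX_AGE_MS):
        reasons.append("attestation too old or timestamped in the future")
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        reasons.append("package name mismatch")
    if EXPECTED_CERT_DIGEST not in payload.get("apkCertificateDigestSha256", []):
        reasons.append("APK signing certificate mismatch (repackaged app?)")
    if not payload.get("basicIntegrity", False):
        reasons.append("basicIntegrity false (tampered device)")
    # ctsProfileMatch is false on uncertified builds such as custom ROMs even
    # when basicIntegrity passes; requiring it is the developer's choice.
    if require_cts and not payload.get("ctsProfileMatch", False):
        reasons.append("ctsProfileMatch false (uncertified build)")
    return (not reasons, reasons)


def _constructed_jws(claims: dict) -> str:
    """Build a compact JWS with an empty signature, purely for the demo."""
    def enc(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'), enc(json.dumps(claims).encode()), ""])


def demo() -> dict:
    """Run the checks over three constructed device states."""
    nonce = issue_nonce()
    now = int(time.time() * 1000)
    certified = {
        "nonce": nonce, "timestampMs": now - 1000,
        "apkPackageName": EXPECTED_PACKAGE,
        "apkCertificateDigestSha256": [EXPECTED_CERT_DIGEST],
        "ctsProfileMatch": True, "basicIntegrity": True,
    }
    custom_rom = dict(certified, ctsProfileMatch=False)
    replayed = dict(certified, nonce="stale-nonce-from-earlier-session")
    results = {}
    for name, claims in [("certified", certified), ("custom_rom", custom_rom),
                         ("replayed", replayed)]:
        payload = decode_jws_payload(_constructed_jws(claims))
        results[name] = evaluate_attestation(payload, nonce, now)
    # Same custom ROM under a lenient policy that only demands basicIntegrity.
    results["custom_rom_lenient"] = evaluate_attestation(custom_rom, nonce, now,
                                                         require_cts=False)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} {why}")
```

Running it shows the certified device accepted, the replayed verdict rejected on the nonce, and the custom ROM rejected only when `require_cts` is on, which is the setup the thread describes: the OS exposes the attestation, but the lockout is the app backend's policy.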
        
       | paul7986 wrote:
       | iOS 15 from release date has had the most bugs I've ever
       | experienced with any former version of iOS. Siri randomly reverting
       | back to Dragon-style text to speech is one thing I
       | noticed frequently.
        
       | rgovostes wrote:
       | The advisory credit and bug bounty fiasco aside, when I reported
       | a security vulnerability to Apple in 2010, they wrote, "Because
       | of the potentially sensitive nature of security vulnerabilities,
       | we ask that this information remain between you and Apple while
       | we investigate it further." It seems to just be a standard
       | inclusion in their correspondence, and not unique to this
       | exchange.
        
       ___________________________________________________________________
       (page generated 2021-10-13 23:00 UTC)