
posted by martyb on Monday September 09 2019, @12:38AM
from the own-your-mistakes dept.

Apple takes flak for disputing iOS security bombshell dropped by Google

Apple is taking flak for disputing some minor details of last week's bombshell report that, for at least two years, customers' iOS devices were vulnerable to a sting[sic] of zeroday exploits, at least some of which were actively exploited to install malware that stole location data, passwords, encryption keys, and a wealth of other highly sensitive data.

Google's Project Zero said the attacks were waged indiscriminately from a small collection of websites that "received thousands of visitors per week." One of the five exploit chains Project Zero researchers analyzed showed they "were likely written contemporaneously with their supported iOS versions." The researcher's conclusion: "This group had a capability against a fully patched iPhone for at least two years."

Earlier this week, researchers at security firm Volexity reported finding 11 websites serving the interests of Uyghur Muslims that the researchers believed were tied to the attacks Project Zero identified. Volexity's post was based in part on a report by TechCrunch citing unnamed people familiar with the attacks who said they were the work of [a] nation—likely China—designed to target the Uyghur community in the country's Xinjiang state.

[...]For a week, Apple said nothing about any of the reports. Then on Friday, it issued a statement that critics are characterizing as tone-deaf for its lack of sensitivity to human rights and an overfocus on minor points.

[...]

Nicholas Weaver, a researcher at UC Berkeley's International Computer Science Institute, summed up much of this criticism by tweeting: “The thing that bugs me most about Apple these days is that they are all-in on the Chinese market and, as such, refuse to say something like ‘A government intent on ethnic cleansing of a minority population conducted a mass hacking attack on our users.’”

[...]Apple had an opportunity to apologize to those who were hurt, thank the researchers who uncovered systemic flaws that caused the failure, and explain how it planned to do better in the future. It didn't do any of those things. Now, the company has distanced itself from the security community when it needs it most.

See also: The stakes are too high for Apple to spin the iPhone exploits
Apple says Uighurs targeted in iPhone attack but disputes Google findings

Related: China Forces its Muslim Minority to Install Spyware on Their Phones
China Installs Surveillance App on Smartphones of Visitors to Xinjiang Region



  • (Score: 2) by RamiK on Monday September 09 2019, @09:07AM (3 children)

    by RamiK (1813) on Monday September 09 2019, @09:07AM (#891597)

    Which is why we should be demanding FOSS: Corporations will always sell out to governments so demanding everything to be open source and with reproducible builds is the only way to prevent them from thinking they can easily get away with it.

    --
    compiling...
  • (Score: 0) by Anonymous Coward on Monday September 09 2019, @12:27PM (2 children)

    by Anonymous Coward on Monday September 09 2019, @12:27PM (#891640)

    > open source and with reproducible builds

    Here in the real world, even with complete source code available, Bob's build is reproducible only on Bob's rig, and Fred's build is only reproducible on Fred's rig.

    You don't do any software development at all, do you?

    • (Score: 3, Informative) by RamiK on Monday September 09 2019, @02:18PM

      by RamiK (1813) on Monday September 09 2019, @02:18PM (#891688)

      > Here in the real world, even with complete source code available, Bob's build is reproducible only on Bob's rig, and Fred's build is only reproducible on Fred's rig.
      >
      > You don't do any software development at all, do you?

      While I agree the world has gone rather surreal this last decade or so, be sure to let Bob and Fred know they can use Nix to get 100% reproducibility for their projects unless they intentionally embed compile dates or whatever in their makefiles. It's how NixOS gets 98% of its base packages reproducible: https://r13y.com/ [r13y.com]

      --
      compiling...
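Bob's and Fred's problem, and the fix the reply above points at (pin anything that depends on the builder's clock or machine), as an added Python example that is not part of any comment in this thread. It stands in a tar archive for a build artifact; the source tree, the two builders' clocks and the SOURCE_DATE_EPOCH value are constructed for the demo.

```python
import hashlib
import io
import tarfile

# Constructed sample tree. Bob's and Fred's filesystems list the same two files
# in different order, one of the ways a naive build diverges between rigs.
BOB_TREE = {"README": b"demo\n", "src/main.c": b"int main(void){return 0;}\n"}
FRED_TREE = {"src/main.c": b"int main(void){return 0;}\n", "README": b"demo\n"}

# Constructed Unix times: each builder's wall clock at build time, and one
# SOURCE_DATE_EPOCH (e.g. the last commit's date) that both builders share.
BOB_CLOCK, FRED_CLOCK = 1567987620, 1567991220
SOURCE_DATE_EPOCH = 1546300800


def build_naive(tree, build_clock):
    """Archive in listing order and stamp entries with the builder's clock."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in tree.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_clock  # the "compile date" leaking into the output
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_reproducible(tree, source_date_epoch):
    """Archive with every builder-dependent field pinned to a fixed value."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):  # fixed entry order, not directory order
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch  # time comes from the source, not the rig
            info.mode = 0o644  # not the builder's umask
            info.uid = info.gid = 0  # not the builder's account
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def same_artifact(a, b):
    """True when two builders' outputs are bit-for-bit identical."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


if __name__ == "__main__":
    print("naive builds match:", same_artifact(
        build_naive(BOB_TREE, BOB_CLOCK), build_naive(FRED_TREE, FRED_CLOCK)))
    print("reproducible builds match:", same_artifact(
        build_reproducible(BOB_TREE, SOURCE_DATE_EPOCH),
        build_reproducible(FRED_TREE, SOURCE_DATE_EPOCH)))
```

The same idea applies to real build tools: GNU tar's --mtime/--sort/--owner options and the SOURCE_DATE_EPOCH convention honoured by gcc, Debian packaging and Nix pin the same fields.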
    • (Score: 2) by Freeman on Monday September 09 2019, @02:49PM

      by Freeman (732) on Monday September 09 2019, @02:49PM (#891694) Journal

      Perhaps, but I'm not Bob or Fred, thankfully. I'm by no means a great coder, but my build is reproducible on multiple computers.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"