
265 points todsacerdoti | 2 comments
ivanjermakov
If this is the case, Apple employed an amazing strategy. By locking all ways to possibly root their devices, they patch vulnerabilities discovered for free by jailbreak devs.
ejpir
But they haven't; the article says the "private" community still has exploits and Apple patches them. The public, like the dev, for some reason, don't anymore.
tptacek
They're exclusive to private communities because they're very expensive, and getting more expensive over time; in other words, Apple's strategy has driven the cost of exploiting iOS up.

Anything public is dead, which is what you want to see.

bri3d
I'm not sure I agree with the premise here, although I agree with the conclusion w.r.t. Apple specifically.

I'm 100% positive, from experience doing VR in several non-iOS spaces, that increased exploit value leads to fewer published public exploits, but! This is not a sign that there are fewer available exploits or that the platform is more difficult to exploit, just a sign that multiple (and sometimes large numbers of) competing factions are hoarding exploits privately that might otherwise be released and subsequently fixed.

As a complementary axiom, I believe that exploit value follows target value more closely than it does exploit difficulty, because the supply of competent vulnerability researchers is more constrained than the number of available targets. That is to say, someone will buy a simple exploit that pops a high value target (hello, shitty Android phones) for much more money than a complex exploit that pops a low value target. There are plenty of devices with high exploit value and low exploit publication rate that also have garbage security.

With that said, Apple specifically are a special (and perhaps the only) case where they are "winning" and people are genuinely giving up on research because the results aren't worth the value. I just don't think this follows across the industry.

tptacek
I don't think I reach the deeper questions here, and pretty much just get back to "if it was cheap, Apple would have killed it already"; in that set of circumstances there can't be viable public exploits (or broad workable bug classes to fish from) to work with.

Sucks if you're part of a public jailbreaking community but, of course, good if you're a user.

pona-a
But it's still more of an obfuscation. You're effectively reducing the pool of researchers to those most likely to turn to the dark market. There's an entire zero-day industry privately developing exploits, and the public sees none of it. Sure, low-resource attackers can probably forget about exploiting iOS, but stuff like Pegasus still happens regularly.
tptacek
Literally the alternative is more viable vulnerabilities. It's hard to understand a coherent argument that favors that over what we have now. We're in this situation because Apple has gotten good at killing whole bug classes. That's exactly what users want.