265 points | todsacerdoti | 1 comments
ivanjermakov ◴[] No.44083727[source]
If this is the case, Apple employed an amazing strategy. By locking all ways to possibly root their devices, they patch vulnerabilities discovered for free by jailbreak devs.
replies(1): >>44083824 #
ejpir ◴[] No.44083824[source]
But they haven't; the article says the "private" community still has exploits and Apple patches them. The public, like the dev, for some reason, don't anymore.
replies(3): >>44083848 #>>44084161 #>>44084262 #
tptacek ◴[] No.44083848[source]
They're exclusive to private communities because they're very expensive, and getting more expensive over time; in other words, Apple's strategy has driven the cost of exploiting iOS up.

Anything public is dead, which is what you want to see.

replies(1): >>44084113 #
bri3d ◴[] No.44084113[source]
I’m not sure I agree with the premise here, although I agree with the conclusion w.r.t. Apple specifically.

I’m 100% positive from experience doing VR in several non-iOS spaces that increased exploit value leads to fewer published public exploits, but! This is not a sign that there are fewer available exploits or that the platform is more difficult to exploit, just a sign that multiple (and sometimes large numbers of) competing factions are hoarding exploits privately that might otherwise be released and subsequently fixed.

As a complementary axiom, I believe that exploit value follows target value more closely than it does exploit difficulty, because the supply of competent vulnerability researchers is more constrained than the number of available targets. That is to say, someone will buy a simple exploit that pops a high value target (hello, shitty Android phones) for much more money than a complex exploit that pops a low value target. There are plenty of devices with high exploit value and low exploit publication rate that also have garbage security.

With that said, Apple specifically are a special (and perhaps the only) case where they are “winning” and people are genuinely giving up on research because the results aren’t worth the value. I just don’t think this follows across the industry.

replies(2): >>44084713 #>>44085497 #
tptacek ◴[] No.44084713[source]
I don't think I reach the deeper questions here, and pretty much just get back to "if it was cheap, Apple would have killed it already"; in that set of circumstances there can't be viable public exploits (or broad workable bug classes to fish from) to work with.

Sucks if you're part of a public jailbreaking community, but, of course, good if you're a user.

replies(2): >>44086683 #>>44089075 #
bri3d ◴[] No.44089075[source]
I agree with this. I also agree that there's no preferable situation. Apple have done a great job building mitigations and it shows in how difficult, expensive, and rare it is to fully exploit their platforms. I certainly wasn't intending to form a counter-argument that public exploits existing would be a positive signal, or that there's a preferable alternative situation.

My only point was that "anything public is dead is what you want to see" is not a particularly useful rubric in general. I get nervous when I see statements that suggest an absence of public exploit material or high "bid" price for grey market exploits as evidence that a platform is less vulnerable. My experience suggests this isn't really how the market works in general. There are way too many additional factors that affect both pricing and publication to use "public exploit availability" or "grey-market bid price" as a signal about a platform's security posture overall.

Anyway, reading back, I realize that you specifically weren't trying to draw that conclusion, but sibling comments are now - and it seems to be a really easy trap to fall into. See: every "security journalism" outlet every time a broker posts an Android bid that's higher than their standing iOS bid, or vendors and OEMs claiming their devices are secure because no public exploits exist.