Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties (threatpost.com)

Posted by msmash on from the how-about-that dept.

secwatcher writes: Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. The Verge: "Their focus is on the design of the system and not on exploitation. Please, we need to stop just spot-fixing bugs and learn from them, and act on that," he told a packed audience. Per Beer, Apple researchers are not trying to find the root cause of the problems. "Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could [have] found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn't they report it?" He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability. In a provocative call to Apple's CEO Tim Cook, Beer directly challenged him to donate $2.45 million to Amnesty International -- roughly the equivalence of bug bounty earnings for Beer's 30-plus discovered iOS vulnerabilities.

79 comments

  1. From Google? by Anonymous Coward · · Score: 1

    The company with the most Swiss cheese mobile OS on the market today? Unbelievable.

    1. Re:From Google? by AmiMoJo · · Score: 0, Troll

      You can buy a device that unlocks the supposedly super secure iPhone. Every time they update the iPhone software and hardware, the device gets updated very quickly. That strongly suggests that he is right, Apple just fix each bug as they find it and don't fix the underlying flaws.

      On the other hand, no such box exists for Google Pixel phones, for example.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:From Google? by Anonymous Coward · · Score: 1, Interesting

      "The Box", is simply a PR trick invented to provide a win-win for Apple and the Government.

      1. Apple spawns new company under untraceable ownership.
      2. Comply with government requests to unlock phones by providing the fake company vulnerabilities.
      3. Win with consumers because they don't know it's Apple selling backdoors,

      The whole thing reeks of a collaboration with the government to both comply with FISA/NSLs and appeal to consumers by pretending not to at the same time.

      Wake up.

    3. Re:From Google? by Anonymous Coward · · Score: 0

      A box like that would be difficult to do for Android, especially if the phone just doesn't accept a connection, presents itself as a MTP device, or even just presents itself as a USB flash drive that goes to an image. There are even apps that will present ISO images as CD-ROMs. One only can download what the Android phone exposes, and it it exposes nothing, the only thing that can be done is to reboot, and if configured right, an Android phone will boot and ask for the dm-crypt or LUKS password for the /data partition, and the phone doesn't have that data present, so even if someone were able to image off /data, it would be protected by the boot password, and the TPM chip.

      iOS seems like a "magic box". It does encryption on some parts but not others. It seems like Apple plays games with both police and users, offering a "security improvement" which doesn't really fix the issue. Of course, there is nothing stopping LEOs from demanding the iCloud backup image from Apple, and not even bothering with the phone itself.

    4. Re:From Google? by DarkOx · · Score: 1

      Or if you are cynical it suggests Apple wants to have it both ways. They want to show the public they are not kowtowing to anyone and offering consumers good privacy protection. At the same time they don't want to make the devices so secure LEOs can't get into them when the crimes get serious enough to justify paying some security "researchers" a few hundred thousand dollars. I for one think Tim Cook is not dumb.

        I suspect he was pretty confident for example that the FBI was going be able to get into the San Bernardino shooter's iPhone without Apple's help. I suspect strongly Apple would have cooperated and assisted in unlocking the phone if they had believed that was the only way the FBI was going to get access in a timely fashion. If the FBI had not got access to that phone what do think the mainline political conversation pushed by the news outlets and repeated congressional caucus talking points would have been? Face facts they public values privacy but they are more scared of 'teh terrorists..' had the situation come to a head and the conversation about the iPhone angle moved out the technical press and into the main headlines the outcome would have been different. The regulators would have had their excuse...

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:From Google? by TheFakeTimCook · · Score: 3, Insightful

      You can buy a device that unlocks the supposedly super secure iPhone. Every time they update the iPhone software and hardware, the device gets updated very quickly. That strongly suggests that he is right, Apple just fix each bug as they find it and don't fix the underlying flaws.

      On the other hand, no such box exists for Google Pixel phones, for example.

      No.

      It strongly suggests that that device maker is being helped with Industrial Espionage.

    6. Re:From Google? by omnichad · · Score: 1

      If that were true (not totally discounting it), it would also be a way to actually get paid for all that effort rather than doing it for free or nearly free.

    7. Re:From Google? by Anonymous Coward · · Score: 0

      apple is great at Industrial Espionage. Its a slimy shitshow of a company

    8. Re:From Google? by Demena · · Score: 1

      Yep, if this is not sarcasm then it just is not rational.

    9. Re:From Google? by TheFakeTimCook · · Score: 1

      apple is great at Industrial Espionage. Its a slimy shitshow of a company

      Citation or STFU.

    10. Re:From Google? by Anonymous Coward · · Score: 0

      You know its true. Admit it.

    11. Re:From Google? by tsa · · Score: 1

      Feeding trolls makes them worse.

      --

      -- Cheers!

    12. Re:From Google? by Demena · · Score: 1

      Given the lack of actual facts supplied in your post it remains an unsubstantiated, unquantified allegation. ie. noise.

      Please support your assertions or shut the fuck up.

    13. Re:From Google? by TheFakeTimCook · · Score: 1

      Feeding trolls makes them worse.

      I assume you mean the AC, right?

    14. Re:From Google? by tsa · · Score: 1

      Indeed.

      --

      -- Cheers!

    15. Re:From Google? by TheFakeTimCook · · Score: 1

      Indeed.

      ;-)

    16. Re:From Google? by Anonymous Coward · · Score: 0

      You can buy a device that unlocks the supposedly super secure iPhone.

      You don't have to buy a $10k device to unlock the supposedly just as super secure Android. You could buy a $25 Rubber Ducky, but you don't even need to.

  2. HAHAHAHA by Anonymous Coward · · Score: 0

    Google Bug Hunter, who couldn't make Android secure, tries to tell Apple how to do proper security ?

    Android is a security nightmare, it ranked way under other systems on that point. They have no solid grounds to talk to people about security.

    1. Re:HAHAHAHA by Type44Q · · Score: 1

      Android is a security nightmare,

      That's why I still can't unlock the bootloader on this fucking S8+.

      Moron, I almost wish you were right. ;)

    2. Re: HAHAHAHA by Anonymous Coward · · Score: 0

      Yup, that's why any app can affect the accuracy of the GPS.

      Pokemon go spoofers can modify the phone's location and they don't need to do anything special - just install an app and they're done.

      Meanwhile, Android users have to fight with them every few months as they close up methods.

    3. Re:HAHAHAHA by Anonymous Coward · · Score: 0

      Google Bug Hunter, who couldn't make Android secure, tries to tell Apple how to do proper security ?

      Android is a security nightmare, it ranked way under other systems on that point. They have no solid grounds to talk to people about security.

      Anonymous Coward who couldn't even read the article bitches about what other people couldn't do.

      This guy's job at google is not to develop android. His job is specifically to look for vulnerabilities in other companies products. Does your boss just let you spend your work hours working on whatever project you want?

    4. Re:HAHAHAHA by TheFakeTimCook · · Score: 1

      Google Bug Hunter, who couldn't make Android secure, tries to tell Apple how to do proper security ?

      Android is a security nightmare, it ranked way under other systems on that point. They have no solid grounds to talk to people about security.

      Exactly.

    5. Re:HAHAHAHA by Anonymous Coward · · Score: 0

      Oh please? iOS has been a complete shit show the last couple years. Running around screaming absurd fanboy rants doesn't make you anything but a naive idiot.

  3. He missed something...no surprise by malchus842 · · Score: 3, Insightful

    Apple does have a well-thought-out security design. Maybe there are things wrong with it, but to say they 'just fix bugs' and don't think about overall security ignores the truth. But I suppose that's what you get when you're click-seeking. See: https://www.apple.com/business... Can we find holes in that? I'm sure. But they do have a plan. And that's the public one. I'd wager there's an even more detailed internal one.

    1. Re:He missed something...no surprise by Anonymous Coward · · Score: 2, Interesting

      You're kidding, right?

      Apple's stance on bugs is "we don't care until it makes the press."

      Remember that bug where you could log in as root with a blank password on almost every Mac? Turns out Apple knew about it for months. They only bothered fixing it when the tech press found out about it.

      This is pretty much the only way security fixes ever happen for Apple products: the tech press hears about the flaw, then Apple decides "OK, now we'll fix it."

    2. Re: He missed something...no surprise by Anonymous Coward · · Score: 0

      Kind of curious what you think this will thought out design is.

      Can you describe what you think this design entails?

    3. Re:He missed something...no surprise by Jaime2 · · Score: 5, Insightful

      Guy who found more than 30 iOS bugs says he sees a pattern that indicates Apple is failing at the fundamentals. Guy with access to a PDF say he's wrong. Guess who has the stronger case?

    4. Re:He missed something...no surprise by bill_mcgonigle · · Score: 4, Interesting

      No, you're talking about something completely different. Back when Apple was working on the 5S, and they developed the whole Secure Enclave architecture, it did have some really good engineers working out good security for system. What this guy's talking about is the past few years where they have the iOS bugs that have been identified, patched, and then in the next go-round we find out that they only patched the extremely specific bug, on one line. The next exploit is a few lines down, the same darn thing, in a slightly different way. The most likely explanation for this is that they lost the talent that was working there, making the system good. Why would top people stay when Apple doesn't innovative any more? It's clear from the results that they lost their performance engineering people, for about four major iOS releases, with only iOS 11 having any kind of decent performance again. Now that they are going into the thought police business, good luck getting anyone worth their salt to work there.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:He missed something...no surprise by orlanz · · Score: 3, Informative

      So true. Our company's iOS count is in the mid 5 digit range. And early on, there was a Exchange Calendar glitch that we just couldn't solve. It would only appear on iOS and not the numerous non-iOS devices.

      It took us MONTHS to get Apple to even see that there was an issue. Some guy in a forum figured it out but it took us MONTHS to have them accept that it was an issue with how they implemented the ActiveSync protocols. It took almost 18 months for Apple to actually fix the problem (the fix itself was fairly simple, related to assigning a meeting ID properly).

      On one meeting, we were literally told. "Corporate isn't really our target audience, so this is a low priority issue." Which is FINE, just don't be telling us this 6 months into the discussions! Atleast accept the fact that something is wrong and put a communication about it.

    6. Re:He missed something...no surprise by Anonymous Coward · · Score: 0

      Now that they are going into the thought police business, good luck getting anyone worth their salt to work there.

      Hate to break it to you, but Apple has been in the thought police business for quite some time. Since they have a "walled garden" they've always banned certain types of speech within it - mostly "adult" things (like porn) but also various types of "offensive" political speech as well. It's (sadly) not new, and the reason quite a few popular apps will never been seen on an Apple device. If you, as an app developer, allow free speech on your platform, Apple will ban your app.

      And, yes, it's already cost them a lot of people, as their current "diversity over talent" model has seen a lot of very talented people flee to places that value merit over virtue signaling.

    7. Re:He missed something...no surprise by TheFakeTimCook · · Score: 1

      Apple does have a well-thought-out security design. Maybe there are things wrong with it, but to say they 'just fix bugs' and don't think about overall security ignores the truth. But I suppose that's what you get when you're click-seeking.

      See: https://www.apple.com/business...

      Can we find holes in that? I'm sure. But they do have a plan. And that's the public one. I'd wager there's an even more detailed internal one.

      Yeah. It is EXTREMELY suspicious why a non-Apple "engineer" would have ANY special knowledge of what Apple's bug-fixing policies are.

      EXTREMELY suspicious.

      Or, as is much more likely, he is talking out his ass.

    8. Re:He missed something...no surprise by TheFakeTimCook · · Score: 1

      This is pretty much the only way security fixes ever happen for all "$OEM" products: the tech press hears about the flaw, then the $OEM decides "OK, now we'll fix it."

      FTFY.

    9. Re:He missed something...no surprise by johanw · · Score: 1

      Not that Google is much different - for example the free-speech social network Gab ( https://gab.ai/ ) is not available in either appstore.

    10. Re:He missed something...no surprise by Dr.+Evil · · Score: 1

      "Corporate isn't really our target audience, so this is a low priority issue."

      This has always been stunning to me about Apple. They're madly successful and have machines snuck in the back doors of corporate, but they seem to show no interest in selling hardware into corporate.

      Even the AppleID scheme is a pain in the butt in Corporate environments. Who owns the Apple ID? My last talk with Apple, they said they would have the employee carry it from employer to employer... We preferred to give the employees Apple IDs and $50 gift cards for the itunes store to re-buy whatever dumb utilities they needed and bigger purchases on a case-by-case basis.

      Else the employee exit process requires employees to un-link the corporate machine from their personal ID. These are not things at the top of mind when an employee is leaving.

    11. Re:He missed something...no surprise by captaindomon · · Score: 1

      "Corporate isn't really our target audience, so this is a low priority issue." Yeah, corporate SALES are not their target SALES audience. Guess who is their target audience? Higher-income corporate employees, mostly. Who need to connect to their work accounts. It's amazing how narrow-sighted their approach to playing nicely with ActiveSync is. It makes all of their most valuable individual customers extremely frustrated.

      --
      Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
    12. Re:He missed something...no surprise by Anonymous Coward · · Score: 0

      Provably false: we routinely hear about big security fixes only after the patch has been deployed for both Android and Windows. Not so with Apple: the route Apple always goes is "security researcher finds flaw, Apple ignores security researcher, security researcher decides enough time has elapsed to publicly disclose the flaw, the tech press finds out about it, the tech press makes a big deal about it, Apple finally releases a patch."

      The simple fact is that Apple doesn't care about security, they only care about not receiving bad press.

    13. Re:He missed something...no surprise by Anonymous Coward · · Score: 0

      Guy is a nobody that’s talking out of his and should be ignored.

    14. Re:He missed something...no surprise by 93+Escort+Wagon · · Score: 2

      Ian Beer has found numerous, significant iOS bugs. Significant enough and low-level enough that two of his discoveries made the most recent two iOS jailbreaks possible. If he sees a pattern, it is assuredly there.

      --
      #DeleteChrome
    15. Re:He missed something...no surprise by Anonymous Coward · · Score: 0

      Did you read the actual article or just roll off on another rage fueled Apple apologist tirade? This guy has, WITH DOCUMENTED PROOF, found over 30 vulnerabilities. Having submitted those he knows more about Apple's bug fixing policies then some dopey Apple iTard on an internet forum. Your just flat out embarrassing yourself at this point...

    16. Re:He missed something...no surprise by Anonymous Coward · · Score: 0

      Google allows side loading of apps. So yes google is different and better because they offer a choice. So GAB just has to have their hatespeach app on their website and people can sideload it.

    17. Re:He missed something...no surprise by Anonymous Coward · · Score: 0

      Sure. Lets take the word of apples head cheerleader on here instead of a tech professional.

      Fucking idiot

    18. Re: He missed something...no surprise by Anonymous Coward · · Score: 0

      He's used to it. He's basically the new APK. We tear him a new asshole every thread he pops up in and spreads his Apple propaganda.

    19. Re:He missed something...no surprise by Registered+Coward+v2 · · Score: 1

      Apple does have a well-thought-out security design. Maybe there are things wrong with it, but to say they 'just fix bugs' and don't think about overall security ignores the truth.

      His point seems to be not that Apple doesn’t have well thought out security system but rather how they respond to bugs. Patching them is important but he is advocating also looking at the root causes of how they came into being so you can rework process to reduce the chances bugs are introduced. Patching problems rather than fixing causes is not unusual, I once had a plant manager tell me he didn’t have time to fix small problems because he had too many big ones. He was not happy when I pointed out the causes of both were usually the same, just some of the small ones never became big ones because of quick intervention or sheer luck.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    20. Re:He missed something...no surprise by Anonymous Coward · · Score: 0

      Its EXTREMELY suspicious why an asshole like you on the internet has so much time to spread lies about apple all day.

    21. Re: He missed something...no surprise by Anonymous Coward · · Score: 0

      How many millions was your iOS bug bounty cheque for?

    22. Re:He missed something...no surprise by Anonymous Coward · · Score: 0

      Not that Google is much different - for example the free-speech social network Gab ( https://gab.ai/ ) is not available in either appstore.

      What does alt-right conspiracy bullshit (shit doesn't even qualify as theories) have to do with free speech?

  4. We shall soon see... by Type44Q · · Score: 0

    We shall soon see how tight Cook's ass really is.

    What?

    1. Re:We shall soon see... by Anonymous Coward · · Score: 0

      If we measured it in microns it would be 8.26. What's mystifying is that when we simply use different units, like newtons, the value morphs into 9.03. There's plenty of more examples, but my toast is ready and I have a hankering for some good jelly.

    2. Re:We shall soon see... by Anonymous Coward · · Score: 0

      Not exactly the best comment to make when talking about a gay man.

  5. He fails to understand the point of Apple products by Anonymous Coward · · Score: 1

    Why would a jewelry maker be interested in security?
    You could remove the touch screen and replace it by a "predictive AI" user interface animation that does what it assumes is most likely what the "owner" wants to see, and half the Apple clients would take longer to notice, than the lifetime of the soldered-in battery.

    Google shouldn't talk about security anyway, when their primary business model is snooping on users to enable sleazebags to lie to them (aka advertisement) and rip them off better.

  6. This dude is a parasite trying to suck on a $cow$ by Anonymous Coward · · Score: 0

    This dude is a parasite just trying to suck the blood out of a cash cow.
    If you want privacy, you need to ditch your phones. Your friends will contact you the old way.
    All phones have backdoors. The NSA wouldn't have it any other way.

  7. Software security condundrum by jellomizer · · Score: 4, Insightful

    You have software that took months/years to plan and develop.
    A problem is found.
    You need to Fix it Fast, before it goes out to the wild.
    It will need to be tested to make sure it doesn't break compatibility or break something else.

    If asked to change the infrastructure for every time there is a bug. The fix will take years to get out, and a new infrastructure will introduce new flaws untested.

    A security first design of software made in the 1980's would just have a password login and permissions on what the user could see and do.
    1990's Memory checking and limitation to prevent buffer overflow
    2000's Memory randomization and removing from an ask to allow to don't allow, and you will need to do extra work to allow.
    2010's Application Sand-boxing, Full Encryption, tiered design, redundant checking...

    iOS being a product of the 2000's Is actually stronger then some other systems, but it has a lot of once good practices which are now bad practices in-place. But there hasn't been a massive iOS outbreak of security issues. Like with Windows a decade ago. Makes me figure that the current patching routine is still good enough.

    Will they need an architectural redesign in the future. Probably. Like when Apple moved from MacOS (Classic) to OS X. They will need to upgrade iOS to a new system at some point just to stay current.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Software security condundrum by orlanz · · Score: 2

      Delaying a release for a better fix is not what Mr Beer is complaining about. Basically he is saying Apple releases a bug fix (assuming they agree it is important enough) and then just moves on. They don't do a process or infrastructure review to see if other similar bugs exist or if future similar bugs will be created.

      Few bugs actually need infrastructure changes. But many bugs hint at process problems that could have been prevented and could still be prevented.

      This ignorance is generally true of most companies. However, Apple really takes it to a new level.

    2. Re:Software security condundrum by Anonymous Coward · · Score: 1

      Few bugs actually need infrastructure changes. But many bugs hint at process problems that could have been prevented and could still be prevented.

      Two recent Apple bugs are perfect examples of this: "goto fail" and "passwordless root." Both are symptoms of either Apple not testing, or more likely, Apple only doing positive testing (this works with the values it's supposed to), but never any negative testing (this fails properly when given bad values). As I recall, both bugs were also likely caused by bad merges: fixes were merged from other branches but done incorrectly, so that essential "else if" blocks were missing from the final result, leaving the resulting code to allow various inputs to incorrectly fall through to default behavior.

      Both of those are process problems. Failing to do negative tests is a very common process flaw: it's very easy to write a "positive test" that ensures that a correct value produces a correct result. Writing a negative test is much harder and is why fuzzing is so important: it's fairly easy to come up with "obvious" wrong values but the pool of bad values is generally enormous, so it's very easy to write negative tests that miss scenarios which would cause wrong behavior.

      Bad merges are another common process problem, where merges are blindly accepted with no one reviewing the changes in them for correctness or, in some cases, that the changes were applied correctly. Proper testing can frequently "catch" a bad merge, but as above, it's clear Apple isn't doing complete testing.

    3. Re:Software security condundrum by Anonymous Coward · · Score: 0

      If asked to change the infrastructure for every time there is a bug. The fix will take years to get out, and a new infrastructure will introduce new flaws untested.

      Thanks for the bullshit false dichotomy. The guy has found 30 bugs over the last couple years. While it'd be unreasonable to expect that every form of bug that he's discovered to be fixed, it's clear that Apple follows more closely the

      You have software that took months/years to plan and develop.
      A problem is found.
      You need to Fix it Fast, before it goes out to the wild.
      It will need to be tested to make sure it doesn't break compatibility or break something else.

      approach but without actually learning any lessons for the "plan and develop" step for the future. That's the complaint. Just a few of the exploits he's found old and new seem to suffer from the same sort of incompetence that should have been addressed a long time ago.

      I say, look at Microsoft. By no means was or is Microsoft a bastion of bug-free software, but they did in the mid/late-00s actually strive to actually take security seriously and work to minimize bugs and discover what practices were creating them. There's already whole classes of static code analysis tools that likely would have found at least have the bugs Mr Beer found. They didn't/don't need to wait until 2018 to finally do something especially when it was released at precisely the time Microsoft, a clear industry leader, was finally getting its act together and pushing towards the reasonable position that connected devices should put security as a high priority.

      Perhaps if Apple was focused less on UI "design" and more on architectural "design" we wouldn't be in this mess? Certainly, they've had plenty of time to shift their focus. Perhaps now with some urging from outsiders, just like how Microsoft had to change maybe Apple will too.

    4. Re:Software security condundrum by jellomizer · · Score: 1

      It is still a case of back seat development.
      Sometime what may seem like they are not doing a full review, is actually an outcome of a full review. Sometimes that quick fix, is the safest fix. Because having to fix it across the board may be affecting a set of other systems.

      Lets say the fix for the USB hack into the phone is due to a software design problem needed for the Licensed repair team. If they fix the software to stop that hack, then the repair teams will need system updates as well, and need to make sure it works... Or you can just cut power off the data ports on the device, until a login turns them on. It is an easier fix, doesn't fix the core problem but good enough.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:Software security condundrum by TheFakeTimCook · · Score: 1

      If asked to change the infrastructure for every time there is a bug. The fix will take years to get out, and a new infrastructure will introduce new flaws untested.

      Precisely.

    6. Re:Software security condundrum by TheFakeTimCook · · Score: 1

      Apple really takes it to a new level.

      Unless you are actually ON the iOS OS Development Team, how would you know that?

    7. Re:Software security condundrum by jittles · · Score: 1

      Delaying a release for a better fix is not what Mr Beer is complaining about. Basically he is saying Apple releases a bug fix (assuming they agree it is important enough) and then just moves on. They don't do a process or infrastructure review to see if other similar bugs exist or if future similar bugs will be created.

      Few bugs actually need infrastructure changes. But many bugs hint at process problems that could have been prevented and could still be prevented.

      This ignorance is generally true of most companies. However, Apple really takes it to a new level.

      Now add to this the fact that Apple typically fails to merge fixes from master into dev and you have an issue where the team working on the next year’s release pushes out an OS that contains a lot of the security issues and other bugs that existed in the previous iteration and the new master branch takes a month or two to eventually get the fix from what was the previous version of the OS.

    8. Re:Software security condundrum by omnichad · · Score: 1

      Finally an explanation for why everyone always waits for an x.1 OS release for anyone Apple. I've done it, but I never knew why it was so bad.

    9. Re:Software security condundrum by Anonymous Coward · · Score: 0

      Because he can report bugs and see what impact the "bugfix" has down stream. Clearly you know nothing about software development, let alone security research. Maybe you should leave this to the adults...

  8. Whats to change? by Anonymous Coward · · Score: 0

    Doesnt apple still try and sue people who find bugs in there system.

  9. i wonder why everyone says Apple is better... by Anonymous Coward · · Score: 0

    at security and privacy? I don't trust them 1 bit.

    1. Re: i wonder why everyone says Apple is better... by Anonymous Coward · · Score: 0

      with a google phone, it is trivially easy to sneak in malware. android security model is outrageously permissive. google doesnâ(TM)t provide end- user support for when things go wrong. google is in ghe business of harvesting and seeling your data, and lets others do it too.
      Apple is on the opposite end of the spectrum in all cases above. Does not make iOS perfect by any stretch of imagination, but itâ(TM)s much better starting point.

  10. Ha ha ha, the CIA/NSA would not allow it by Anonymous Coward · · Score: 0

    and Tim Cook is not interested in paying for fixing critical bugs. They make spying-devices branded as luxury phones, do you really think they will donate money or fix critical security bugs at the root?

    That is not what Apple does.

    1. Re:Ha ha ha, the CIA/NSA would not allow it by TheFakeTimCook · · Score: 1

      and Tim Cook is not interested in paying for fixing critical bugs. They make spying-devices branded as luxury phones, do you really think they will donate money or fix critical security bugs at the root?

      That is not what Apple does.

      Dumbass.

      Apple Engineers are SALARIED. It really doesn't matter WHAT they are working on; they cost Apple the same amount of money.

      Idiot.

    2. Re:Ha ha ha, the CIA/NSA would not allow it by Anonymous Coward · · Score: 0

      Shut up Tim Cook.

    3. Re:Ha ha ha, the CIA/NSA would not allow it by Anonymous Coward · · Score: 0

      Aren't you supposed to be in school? Software development doesn't work like that. Engineers work on what is prioritized by company policy. Features sell phones, bugfixes dont. That is why Apple has had a busted ass OS for the last couple years. They had to be shamed into making iOS 12 essentially a bugfix release.

    4. Re:Ha ha ha, the CIA/NSA would not allow it by Anonymous Coward · · Score: 0

      So are you salaried by apple? Or paid by the stupid comments you make?

  11. YOU can't. App developers don't need to. by Anonymous Coward · · Score: 0

    So the actual owners very well can put malware on there. You just can't, because it is not your phone. You are just the livestock resource that's milked. The clients are the "apply app app" (as a troll here put it) developers, and they get to milk you in every way, as long as Google isn't angered.

  12. Pot, meet the black kettle by Anonymous Coward · · Score: 0

    Hey Google... Why not fix your own shit first and mind your own business. Maybe you could start with your API's for products that don't work as documented....

  13. Bigger issue by Anonymous Coward · · Score: 0

    "... we need to stop just spot-fixing bugs and learn from them ..."

    The entire industry needs to learn from bugs. We need to get over the idea that they just happen and accept responsibility for putting them in.

  14. Re:He fails to understand the point of Apple produ by Anonymous Coward · · Score: 0

    Advertising isn't all sleazebags. It exists to some degree, but there is also useful advertising.

  15. disqual by Anonymous Coward · · Score: 0

    first, working for google disqualifies you from being taken seriously - especially on security. second, this guy talks in a weasly way - you can tell these pricks by the fact they always knowingly ask totally basic questions as if nobody else knows anything.
    Of course, seriously doubt bugs he has found are worth anywhere near 2M - the typical bullshit from âoesecurity researchersâ overinflates the severity.

  16. So much this. Must test the fail case by raymorris · · Score: 1

    > Two recent Apple bugs are perfect examples of this: "goto fail" and "passwordless root." Both are symptoms of either Apple not testing, or more likely, Apple only doing positive testing (this works with the values it's supposed to), but never any negative testing (this fails properly when given bad values). ...
    > Both of those are process problems. Failing to do negative tests is a very common process flaw: it's very easy to write a "positive test" that ensures that a correct value produces a correct result.

    Exactly. It is common. They tested that "it works" putting in the correct password gets you access. They totally forgot to test what happens when you DON'T put in the correct password - you still get access anyway.

    In the famous "go-to fail" bug, a TLS certificate was accepted of it was valid - and accepted just the same of it was invalid. They probably tested that worked, that it trusted a valid cert. But they didn't test that it did not trust an invoice cert.

    There is no "architectural redesign" required to start testing the negatives, checking that NOT entering a password does NOT log you in. It's just a policy change - all Pull Requests need at least two test logs attached - one showing that it does the new / positive thing when it should, one showing it does NOT do it when it shouldn't.

    At my own company, on my team, we recently had the same problem. We added some code to handle the eccentricities of a certain CDN (proxy network) whose engineers have obviously never glanced at the RFC for how proxies are supposed to work. Our code was basically:
    if (looks_like_akamai) {
            do_weird_akamai_stuff;
    }

    We tested that it did in fact invoke the special behavior for Akamai. We didn't test that it did NOT invoke the special behavior when it's NOT Akamai.

  17. Trying again with fewer typos by raymorris · · Score: 1

    Wow that had a lot of typos. Let's try that paragraph again:

    In the famous "go-to fail" bug, a TLS certificate was accepted if it was valid - and accepted just the same if it was invalid. They probably tested that it worked - that it trusted a valid cert. But they didn't test that it did not trust an invalid cert.

    There is no "architectural redesign" required to start testing the negatives, checking that NOT entering a password does NOT log you in.

  18. It's not an architecture issue by raymorris · · Score: 1

    Their major security bugs show a simple PROCESS issue, not an architectural issue.

    You don't have to completely rewrite the architecture in order to test that NOT entering a password, leaving the password field empty, doesn't log you in. You just have to start testing not only "it does the good thing with good input", but also "it does the negative / error case with bad input".

    Their famous "go-to fail" is another example. Their code was basically:
    If certificate is valid {
          trust the certificate
    }
    trust the certificate

    That bug would have been prevented by testing their "validate certificate" code with an invalid cert. They. Probably tested that it correctly trusted a valid certificate, but clearly never tested it with an invalid certificate. That's kind of important for code that's supposed to tell the difference between the two.

    See also this post and its parent:
    https://slashdot.org/comments....

    1. Re:It's not an architecture issue by Anonymous Coward · · Score: 0

      Their code wasn't that bad, but it showed another process issue. It was caused by a bad merge or a bad copy and paste job. Basically, their original code was something like (this is made up but you can look up the real code, they did it in an open source part of their code):

      int validate_certificate(cert* cert, sha1_hash* expected_hash)
      {
        int err;
        sha1_hash* hash;
       
        if ((err = make_hash(&hash)) != 0)
          goto fail;
        if ((err = update_hash(hash, cert->data)) != 0)
          goto fail;
          goto fail;
        if ((err = finish_hash(hash)) != 0)
          goto fail;
        err = hash_matches(hash, expected_hash);
      fail:
        free_hash(hash);
        return err;
      }

      The problem was that something got merged or copied over that created that second "goto fail" meaning that, if there had been no errors until that point, ANY certificate hash returned a "success" (0) value.

      A proper merge process where new code is verified by another developer and a proper test process where there are negative tests both would have caught this. That the bug made it to production is evidence that Apple has neither.