Apple Says It's Already Fixed Many WikiLeaks Security Issues (usatoday.com)
An anonymous reader quotes a report from USA Today: Apple says many of the vulnerabilities to its devices and software that came to light in WikiLeaks' revelations of CIA cyber weapons were already fixed in its latest updates. Late Tuesday, Apple emailed the following statement to USA TODAY: "Apple is deeply committed to safeguarding our customers' privacy and security. The technology built into today's iPhone represents the best data security available to consumers, and we're constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest OS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates." For its part, Samsung emailed its own statement Wednesday: "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter."
Good. (Score:4, Interesting)
Re:Good. (Score:5, Insightful)
Who cares? A response doesn't have to be original to be appropriate and sincere.
"My cat died yesterday."
"Oh, I'm sorry for your loss."
"You're 'sorry.' Everybody's 'sorry!' What kind of generic bullshit sentiment is that?! Make an effort next time, asshole!"
"I am no longer sorry."
Re: (Score:2)
Who cares? A response doesn't have to be original to be appropriate and sincere.
In general, yes, but Samsung has a long, long history of not giving a shit about security on their smartphones even though they always pretend to.
Re: (Score:2)
A response doesn't have to be original to be appropriate and sincere.
Well, there lies the rub. Why should I believe they are 'sincere' every time they cough up this response when this happens?
Re: (Score:1)
Re: (Score:2)
I think the problem is it isn't sincere. Apple have repeatedly demonstrated that Security is a long way down the list to things they consider more important like usability, convenience and whether or not they have the time or desire to fix a problem.
Yeah, that's why what Apple says after the boilerplate is "While our initial analysis indicates that many of the issues leaked today were already patched in the latest OS, we will continue work to rapidly address any identified vulnerabilities.", while Samsung says "We are aware of the report in question and are urgently looking into the matter."
Because Apple is not sincere and doesn't really care about security and Samsung is sincere and does care about security.
Re:Good. (Score:4, Insightful)
When Apple are selling privacy as a premium over M$ and the Windows probe, not bullshit any more but a serious full on business principle that will win their market. Privacy is pretty much becoming Apple's most valuable selling point (consider the poor get free and probed again and again and again ad infinitum not right to freedom and the better off pay for and get privacy and they will pay a premium for it ie freedom ain't free nowadays and you have to pay for it, want to be free of the probe prodding and a pounding up there, then you will have to pay and even when you pay in M$s case ha ha pound your privacy harder).
There are billions in protecting privacy and make no mistake, you could imagine a company like Apple starting to sue people who invade the privacy of Apple customers via Apple devices (very, very expensive suits as they are also a financial attack on Apple, you cannot sell privacy if they steal it from you, and I am talking Apple's privacy that they are selling). Privacy is becoming serious business, really serious business.
Keep an eye out for Unlocked Phones (Score:4, Informative)
I'm glad to see positive response across the board, from Apple, Samsung, and I'm sure others. Especially Apple and Samsung, though, as I have many devices from both of them in my home.
Keep an eye out for updates on "Unlocked" Phones that have switched networks. For some insane reason phones are marketed as "unlocked" when they can be used on another carrier's network, but *the security updates don't work* if you use them on the other network. These should probably be considered unmarketable and therefore not unlocked--and there should be a convenient way to pull signed security updates from the manufacturer instead of the carrier. Samsung and Apple issuing patches doesn't help if Verizon and AT&T fail to talk to each other enough for users on both networks to get the security updates, regardless of who originally installed a given phone's O/S.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Updates for iPhones come direct from Apple. There's no gating by carrier, because Apple had the clout to tell the carriers to shove it when it came to customizing it with their particular crapware.
Re: (Score:2)
Updates for iPhones come direct from Apple. There's no gating by carrier, because Apple had the clout to tell the carriers to shove it when it came to customizing it with their particular crapware.
It's called a "cloud", not a "clout".
Use a spellchecker, dude!
Re: (Score:3)
Updates for iPhones come direct from Apple. There's no gating by carrier, because Apple had the clout to tell the carriers to shove it when it came to customizing it with their particular crapware.
It's called a "cloud", not a "clout".
Use a spellchecker, dude!
From https://www.vocabulary.com/dictionary/clout [vocabulary.com]
clout
When you speak of someone having clout, it usually means that they communicate a sense of power or influence, particularly in the political sense. "You’ll wanna talk to that big guy over there if you want me to let you in. He’s got clout."
Use a dictionary, dude!
Re: (Score:2)
AC's apparently too dumb to get jokes,
probably due to living in a country with a poor education system...
I recommend that you continue to post as AC for the sake of your reputation
sigh
Re: (Score:2)
AC's apparently too dumb to get jokes, probably due to living in a country with a poor education system...
I recommend that you continue to post as AC for the sake of your reputation
sigh
Wait, the "joke" was that somebody only pretended to be uneducated, and to an American being uneducated is funny. Yeah, that explains a lot.
Re: (Score:2)
What's a locked phone? Is that an American thing? I thought the entire world abolished carrier locking in the 90s.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
It used to not be an issue for me either. However, with the CPU performance bottleneck receding for most of my phone needs, updating a phone has become much less pressing over the past 3 years. At this point the only thing really motivating an update outside of various types of hardware failures including, ahem, dropping your device in a pool or the like.... is lack of updates.
Note also that AVRs, TVs, BD players, and a host of other devices all desire internet connectivity these days. Mine don't have it,
Re: (Score:2)
It's also not one of the models with a mic and/or camera, so I feel I'm being just the right level of paranoid; I just don't want it getting an "update" that ends up pwning my network
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
It's also possible that the CIA leaked the documents themselves after a number of the vulnerabilities had already been discovered. I find this less likely, as there were many vulnerabilities disclosed which have not yet been patched.
Those, of course, are only two possibilities; both of which are pure speculation.
That said, Apple has known about th
You forgot one possibility (Score:1)
Re:Extraordinary (Score:1)
Re: (Score:2)
Come on, I know you can read and comprehend better than that; I've seen you follow a conversation here before.
Nice bit of speculation, though.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
I can think of more possibilities: the zero day bugs were already discovered independently and were already fixed when the CIA leaks were published.
Less likely, Apple had agreed to delay fixing some bugs. More likely, Apple knew there were some zero day bugs the CIA was making use of but did not know which ones, and was not trying to find out.
Re: (Score:2)
So you're saying we have known knowns, unknown knowns, and known unknowns?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Seeing as these companies stop issuing software updates for previous models before (in some cases well before) telcos' scheduled replacements for the last ones they sent to customers come up, it's hard not to read these statements as basically "the security of our customers is such a high priority that we will actually try to ensure it, some of the time, if you're lucky".
And we believe them... (Score:1)
why? Because they don't opensource a thing.
Re: (Score:3)
Because it's testable? The vulnerabilities are known now. You can easily take an iOS device, update it and test to see how many vulnerabilities are fixed and how many are still open.
And Apple opensources the core - the kernel and low level code is open source. Not that it means it's bug free (Heartbleed anyone? Shellshock?) since many can exist for years before discovery and exploit.
See the open source stuff for Apple here: https://opensource.apple.com/ [apple.com]
Not Buying It (Score:5, Insightful)
Re: Not Buying It (Score:2, Interesting)
CIA et al didn't develop this. They bought them from black hats.
Re: (Score:1)
They came from different sources. Some in-house; some from private companies; some from collected exploits from other intelligence agencies; and some collected from foreign intelligence sources.
Re: (Score:2, Interesting)
According to the Apple announcement, the vulnerabilities were patched prior to the leak, so your insinuation doesn't fit with the facts.
Re: (Score:1)
According to the Apple announcement, the vulnerabilities were patched prior to the leak... What 'facts' are you talking about?
Re:Not Buying It (Score:4, Insightful)
That would be pretty silly for Apple, since now anyone who cares to download and figure out the exploits can test them for themselves. Someone checking them on this would be easy, and a huge black eye for Apple. You really are off into conspiracy theory territory.
Re: (Score:2)
Re:Tipped off? (Score:1)
Re: (Score:1)
Anyone other than me believe that Apple, Samsung et al. (at a minimum) didn't look the other way before the Wikileaks dump?
Nope.
Just you.
Re: (Score:1)
Perhaps, the only reason the information was leaked in the first place is because 'those' vulnerabilities have been fixed and there's no value to them anymore.
So now WIKILEAKS is part of the Conspiracy?!?!?
Re: (Score:1)
> What about the other elephant in the room... firmware?
I honestly wonder if Intel's IME & AMD's equivalent wasn't designed by the government. Hmm, so you have a processor on my processor that's totally a black box and it can control the entire machine? Who here doesn't believe they own that thing completely?
Re: (Score:2)
Re "The OS-level issues really were unknowns for a long enough time that the CIA and other agencies could develop and deploy a playbook for hacking high value targets? What about the other elephant in the room... firmware?"
The trendy device is the "elephant in the room". Interesting people want to carry and be seen with a US designed device. A powered device with a mic, camera, gps,
The difference (Score:5, Insightful)
Apple is actually capable of making things relatively secure and makes choices that are unpopular but increase security (walled garden, deep restrictions on app access to platform, signing Mac apps required by default). They are looking out for people who truly cannot and will not understand security around technical devices.
Samsung meanwhile may talk a good security game, but they put out truly half-assed effort with a billion exploit channels. How about TV's that can record audio and have full android installations to exploit? They put zero thought in how to handle the security implications of this system (to be fair, Amazon and Google are not far behind with Alexa like devices). Samsung and other companies consider user convenience first and security second - if at all.
As for the rest of your absurd anti-Trump fantasy - Russia expected Hillary to win too. The only reason they gathered so much from the DNC was so that they'd have dirt to hold over on Hillary!
Trump had zero to do with Russian hacks, I would love to hear your frothing rabid explanation for how exactly Russia "hacked the election". After all, all the hackers ever did was show us what Hillary and the rest of the elite DNC members said and did when people were not looking. Hillary lost because she is even more Hillary than people thought, not because Russia.
Re: (Score:2)
Samsung meanwhile may talk a good security game, but they put out truly half-assed effort with a billion exploit channels. How about TV's that can record audio and have full android installations to exploit?
Samsung's phones, at least those with Knox, are DoD approved for government communications. Just sayin'.
Re: (Score:2)
Samsung's phones, at least those with Knox, are DoD approved for government communications. Just sayin'.
You mean the same government that just had a giant dump of classified NSA stuff leaked? HMMMMM. They sure do know security!
Re: (Score:2)
That said, Google did recently identify a vuln in the ASLR used by Knox, which Samsung is working on fixing. There's not a whole lot you can do with it on the typical non-rooted Samsung
Re: (Score:1)
Lol my Anti-trump fantasy is tweeting dumb shit from the oval office every week. That man is his own worst enemy. Trump getting in to office was the accident and we're now in the consequences phase.
At what point did I suggest Russia hacked the election? This isn't about the election. That's your hangup. Your desperate rationalization to prove to yourself that "leftists" are all frothing morons and that things aren't as bad as they seem.
This is about how team Trump's squad of losers almost certainly p
Re: (Score:2)
Or, more simply: with Apple, you are the consumer. With Samsung or any other Android manufacturer, the user is the product for Google's advertising and data mining businesses.
That's exactly right (Score:2)
I was just thinking the other day, the insanity of this Russia stuff is just like those idiots that kept claiming Obama was not born in the U.S.
Great comparison.
Re: (Score:2)
They are looking out for people
They achieve security, but don't pretend for a moment that the above ways of doing it are "looking out for people". They look out for people's wallets, but that's where their interest with people ends.
Walled garden while adding security is not because of security, and the same can be said for your other points.
Re: (Score:2)
Now companies need spies in the CIA/FBI (Score:4, Interesting)
Since the CIA & FBI are keeping the vulnerabilities they find secret, these companies just need to start planting spies in the CIA & FBI to find out what bugs they have on their software.
Re: Nope (Score:1)
I think you're on the wrong side of the usability/security tradeoff for most people.
If you read it "of the technologies available to most people, an iOS device is the most secure", it's probably true.
Re: (Score:2)
That argument falls apart when you realize that TrueCrypt hasn't been under active development in quite some time and has, in fact, been abandoned by its developers with a warning that it may be vulnerable. Coupled with the fact tha
Re: (Score:2)
It might not be the simplest of operations for some safes but, again, it's trivial in comparison to cracking decent encryption. If you can crack the encryption, the safe will barely slow you down; if you can't, then I don't care if you have a copy of the encrypted data.
Re: (Score:1)
What if I can't crack the encryption but I am capable of slipping in something to log your keystrokes?
Re: (Score:2)
Re: (Score:1)
Re:Nope (Score:4, Funny)
TrueCrypt FDE on a laptop stored in a safe.
... encased in cement sitting on Mars.
"Legitimate documents" (Score:1)
I guess that answers whether the leaks were legitimate. The first spate of news after the leaks tried to paint a "if you've done nothing wrong" picture and adding speculation on if it was even legit.
And, of course, the "if you've done nothing wrong, you have nothing to hide" argument is complete BS when it comes to privacy issues.
Re: (Score:3)
Ok.
Apple doesn't fix known exploit for 3 years: /got bored and didn't read the other 3 million search hits.
http://www.cultofmac.com/13261... [cultofmac.com]
Re: (Score:2)
https://www.youtube.com/watch?... [youtube.com]
IF (Score:2)
IF they were deeply committed, they would have fixed them all by now.
Re: (Score:2)
If they were deeply committed, well, they wouldn't be able to fix code while in a straitjacket and heavy meds.
If they were really deeply committed, they'd write code without security holes in it.
Pointless subject line that I don't need (Score:2)
Isn't it sort of a fact that the security holes haven't even been fully sorted out yet?