
On Apple's Response To Google's Project Zero

Last week, Apple published a statement in which it disputed Google's Project Zero team's findings about the worst iOS attack in history. Alex Stamos, adjunct professor at Stanford University's Center for International Security and Cooperation and former CSO at Facebook, writes on Twitter: Apple's response to the worst known iOS attack in history should be graded somewhere between "disappointing" and "disgusting". First off, disputing Google's correct use of "indiscriminate" when describing a watering hole attack smacks of "it's ok, it didn't hit white people." The use of multiple exploits against an oppressed minority in an authoritarian state makes the likely outcomes *worse* than the Huffington Post example a former Apple engineer posited. It is possible that this data contributed to real people being "reeducated" or even executed. Even if we accept Apple's framing that exploiting Uyghurs isn't as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky.

Second, the word "China" is conspicuously absent, once again demonstrating the value the PRC gets from their leverage over the world's most valuable public company. To be fair, Google's post also didn't mention China. Their employees likely leaked attribution on background. Third, the pivot to Apple's arrogant marketing is not only tone-deaf but really rings hollow to the security community when Google did all the heavy lifting here. I'm guessing we won't hear Tim talk about how they are going to do better on stage next week. Dear Apple employees: I have worked for companies that took too long to publicly address their responsibilities. This is not a path you want to take. Apple does some incredible security work, but this kind of legal/comms driven response can undermine that work. Demand better.
Michael Tsai raises further questions about the way Apple framed its statement: "A blog," rather than "a blog post"? I love how Apple is subtly trying to discredit Project Zero by implying that it's a mere blog. And let's be sure everyone knows it's affiliated with Google, the privacy bad guys, even though it's a responsible, technically focused group. Apple says: "First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described."
Project Zero literally referred to "a small collection of hacked websites" that "receive thousands of visitors per week." And it does seem like a particular subpopulation was targeted "en masse." The sites in question were on the public Internet; it wasn't links being sent to target particular individuals. Apple is blaming the messenger for things it didn't even say.

Apple adds: "The attack affected fewer than a dozen websites that focus on content related to the Uighur community."
Oh, I get it. Most people would consider "fewer than a dozen" to be "a small collection." But in Apple-speak, there were "a small number" of corrupt App Store binaries causing crashes, and "a small number" of MacBook Pro users experiencing butterfly keyboard problems, not to be confused with the "very small number" of iPhones that unexpectedly shut down. So, yeah, I can see why Apple wants people to know that this "small collection" doesn't mean "millions." Although there are apparently 10 million Uyghurs in China. Apple adds: "Google's post, issued six months after iOS patches were released [...]" It's great that Project Zero reported this in a responsible way, because now we can downplay it as old news.
  • Hitler first post (Score:4, Insightful)

    by goombah99 ( 560566 ) on Monday September 09, 2019 @11:28AM (#59174158)

    First time a Godwin's law response might be worth it here. But when people tweet casually that Apple's response was racist, it seems way out of line. Not worth continuing the conversation.

    • Brilliant (Score:2, Insightful)

      by SuperKendall ( 25149 )

      Was going to post something about this strange mouth frothing anti-apple summary and article, but why bother? Your post is the best possible response and saves a lot of everyone's time.

    • by geek ( 5680 )

      First time a Godwin's law response might be worth it here. But when people tweet casually that Apple's response was racist, it seems way out of line. Not worth continuing the conversation.

      That's exactly my take as well. I literally said out loud "Jesus fucking Christ they just played the race card on an iOS exploit" like what in the actual fuck? Of all the companies to accuse of racism they went for Apple? Guess they couldn't play the homophobic card with Tim Apple in charge.

      • Jesus fucking Christ they just played the race card on an iOS exploit

        ...as if the race card applies anywhere? I live in Alabama, and even I know that "racism" is just a fancy one-word term for "ignorant with low self-esteem".

      • It's not about showing that Apple (or some other company) is racist, but about showing everyone else how socially conscious you are. I haven't met too many people like this in meat space, but of those I have I got the same kind of vibes that I had from the evangelist preacher types that really rattled on and on about gays and the evils of homosexuality. You just knew that they were the ones going to the gay clubs to participate in the most depraved acts imaginable.

        People who carry on and denigrate others
        • by AmiMoJo ( 196126 )

          FWIW Apple's response to the celebrity iCloud hacks a few years back was similarly shit. That incident was less serious but suggests that the issue is Apple PR trying to pretend that things aren't so bad. Almost like they took "you're holding it wrong" and made that their PR strategy for dealing with disasters.

          • by geek ( 5680 )

            Those weren't hacks. Those were just celebrities with shitty passwords and no 2FA.

      • "Jesus fucking Christ they just played the race card on an iOS exploit"

        From what I observe, when folks run out of logical arguments and true evidence, they play the race card.

        Across all races, creeds, religions, sexual orientations, etc.

        I get this creepy feeling that the whole world is getting more belligerent against each other.

        Hell, even Joe Biden, who served as Vice President under the first black President got dealt the race card!

    • by Arkham ( 10779 )

      First time a Godwin's law response might be worth it here. But when people tweet casually that Apple's response was racist, it seems way out of line. Not worth continuing the conversation.

      Yeah I didn't get past the first paragraph of the summary before I decided this was just someone who hates Apple trying to raise a stink.

      Google handled this poorly. There are a billion iOS devices out there. Most of them in active use have been patched. Google is always trying to pretend that its devices aren't the most insecure mobile devices on the market, but they are.

      • by laxguy ( 1179231 )
        First paragraph? I made it through the second sentence before giving up. Racist?? An exploit can be racist?!?
      • Re:Hitler first post (Score:4, Informative)

        by swillden ( 191260 ) <shawn-ds@willden.org> on Monday September 09, 2019 @12:27PM (#59174358) Journal

        Google is always trying to pretend that its devices aren't the most insecure mobile devices on the market, but they are.

        Judging by 0day costs (Android exploits are more expensive than iOS exploits; Zerodium pays $2.5M for a no-interaction remote code execution vuln on Android, and only $1M on iOS), hacking competitions (e.g. Mobile Pwn2Own, where the Google Pixel has been undefeated for three years, and Samsung devices have been popped half as often as iOS) and "critical" or "high" CVEs (iOS has as many in a typical month as Android has in a year), Android is more secure than iOS.

        Yes, Android has a patching problem, but the Android Security team recognized that long ago and has been working for several years now to compartmentalize Android so that a vulnerability in one component doesn't lead to a whole-system compromise, and it's paying off. Successful Android exploits these days tend to require five or more vulnerabilities chained in sequence because of the extensive internal firewalling, and most such chains only work on a small subset of devices.

        Frankly, I think iOS engineers have depended too heavily on fast patching, because they've been able to. Android engineers have not been able to do that, so have had to invest in mitigations that can be effective even when patches don't get delivered. The result is that patched-up Android devices are generally more secure than iOS devices, and even somewhat out-of-date Android devices are arguably about as secure. I expect Apple will catch up... though Android is also working on addressing the patching problem. In particular, Project Treble, to make it easier for OEMs to push updates, and Mainline Modules, to allow Google to take control of updating particularly important components.

        • Successful Android exploits these days tend to require five or more vulnerabilities chained in sequence because of the extensive internal firewalling
          Perhaps you might want to look up what a firewall actually is.
          Bonus points if you figure out how it works ...

          Hint: there is no compartmentalizing done by firewalls, whatever you mean by "compartmentalize".

          • by Jaime2 ( 824950 )
            You really need to look up why network firewalls are called "firewalls". A firewall is a physical wall that prevents fire from spreading to the other side. "Firewall" network devices are very analogous things and rightly deserve the name, but so does any other technology that contains the spread of something undesirable. Just because you aren't familiar with any other usage of the term doesn't make it wrong. As for "compartmentalization", that's exactly what firewalls do and have always done. It's a real wo
            • by AmiMoJo ( 196126 )

              I thought the GP was referring to the fact that Google has removed most stuff from the kernel, the bit that manufacturers are slow to patch. Most stuff is user space now, and can be updated via Google Play Services so it doesn't matter so much if the core OS itself doesn't get updates from the manufacturer.

              • I thought the GP was referring to the fact that Google has removed most stuff from the kernel, the bit that manufacturers are slow to patch. Most stuff is user space now, and can be updated via Google Play Services so it doesn't matter so much if the core OS itself doesn't get updates from the manufacturer.

                Not really. The Play Services strategy was a short-term workaround, but it's the opposite of compartmentalization. I was referring to the tightening up of the per-app UID separation, the hardening of the sandboxing, the imposition of a strict and comprehensive set of SELinux rules to minimize what a compromised component can reach, the use of TEE and eSE hardware, and the careful decomposition of system components, using all of the above to isolate them.

                Looking to the future, the mainline modules featur

          • He's probably referring to sandboxing. But anyways, I guarantee that iOS would fare much worse than Android if users were able to install applications without the Apple store. Although I rarely use apps installed from outside of Google play these days, I like having the option.

            Apple users used to say the same thing about Windows, but it was never really true. Once malware stopped being a prank and started becoming an industry, Apple users bore the brunt of the worst kind of malware whereas windows was alrea

            • He's probably referring to sandboxing.

              Sandboxing is one form of compartmentalization used in Android. SELinux Mandatory Access Control rules are crucial, too, as well as the use of per-app UIDs to enable kernel-enforced app separation (which has always been around, but there used to be a lot of ways to bypass it). Increasingly Android also makes use of an additional OS running in a certain sort of virtual machine (a Trusted Execution Environment), and on discrete secure processors on flagship devices (and eventually on all devices).

              And, of c

          • He's saying he wants you to program him a worm, make it a hydra.

          • Successful Android exploits these days tend to require five or more vulnerabilities chained in sequence because of the extensive internal firewalling Perhaps you might want to look up what a firewall actually is. Bonus points if you figure out how it works ...

            Hint: there is no compartmentalizing done by firewalls, whatever you mean by "compartmentalize".

            I'll grant that I used the words in a somewhat uncommon way (I wasn't referring to network firewalls), but the concept is a core element of secure system design. Use "isolation" instead of "firewalling" if you prefer.

            A perhaps more commonly discussed application of the notion of compartmentalization / decomposition is in microkernels vs monolithic kernels. The thing about any "full" kernel is that it does a lot of things and therefore has a large "attack surface" -- an industry term for the number of in

    • by AHuxley ( 892839 )
      Everything online has a CoC now :)
    • by Anonymous Coward

      Apple fanbois ignoring racism to prove their dick is bigger when it's not (so small); somehow I'm not surprised.

    • by Anonymous Coward

      1) I did not see Nazis being referenced by anyone, so Godwin's Law is inapplicable. But go ahead and be first to obfuscate the issue.

      2) When you can't credibly argue the point the original spokespeople say, use the statements of rando commenters and then imply it was a rhetorical attack used by the original spokespeople.

      When Apple's products victimize minorities, apparently that's okay in your book. Your duplicity and venality are not worthy of conversation.

  • Former NSA Tailored Access Operations employees were (are?) working as mercenaries for the United Arab Emirates and were hacking Arab people's iPhones:

    https://mobile.reuters.com/art... [reuters.com]

  • Re: (Score:2, Funny)

    Comment removed based on user account deletion
  • by DigitAl56K ( 805623 ) on Monday September 09, 2019 @11:55AM (#59174248)

    I had friends who called out Google for being petty for researching vulnerabilities in Apple products.

    However:
    * Project Zero also researches Google's own products.
    * Google has products that run on Apple operating systems, and has every right to try to protect their systems, data, and customers through security research.
    * Security research leads to everyone being safer.

    Tech tribalism should not be applied to security research. If your product has vulnerabilities acknowledge them, say thank you to the person who invested their time discovering them, and for the fact that they didn't then try to sell them on the black market but instead offered up the details to help you fix your product.

    If egos were bruised then perhaps it was only because of the false premise you were either touting or leaning on in the first place (the idea that one brand's product is much more secure than the other).

    • Re: (Score:2, Interesting)

      by jevvim ( 826181 )
      It's not the research that's the issue, it's the PR. If Project Zero found a similar vulnerability in Android, would they have made a similarly dire post about their users having been vulnerable for years? Google's statement just reeks of PR masquerading in security researcher's clothing to protect it from the clawback.
      • It's not the research that's the issue, it's the PR. If Project Zero found a similar vulnerability in Android, would they have made a similarly dire post about their users having been vulnerable for years? Google's statement just reeks of PR masquerading in security researcher's clothing to protect it from the clawback.

        Exactly.

      • by swillden ( 191260 ) <shawn-ds@willden.org> on Monday September 09, 2019 @12:39PM (#59174422) Journal

        It's not the research that's the issue, it's the PR. If Project Zero found a similar vulnerability in Android, would they have made a similarly dire post about their users having been vulnerable for years?

        Yes, they would, if they found something being actively exploited in the wild. Project Zero is an equal-opportunity attacker, and holds firm to their 90-day disclosure policy (I'm actually quite surprised they waited longer in this case. Probably because the vulns were so severe and actively being exploited). Project Zero has even 0dayed Android when the Android team wasn't fast enough to meet the 90-day deadline.

        I know most of the P0 team, and they view themselves as independent from Google. P0 team members are not under the standard employee NDAs and avoid any internal communications that might give them Google-internal information that might limit their ability to research and publish attacks on Google products. They're paid by Google, but operate as an independent security research team.

        After all of the people asking the questions you are, I'm sure P0 is anxious to do exactly the same thing for a Google product, just to prove their independence. Of course, to do that they will first need to find a similar set of vulnerabilities that are being actively exploited.

        • by jevvim ( 826181 )

          So a user who works for Google on Android Security is here to defend the name of "Project Zero". At this point, your connection to the topic I think deserves to be clearly documented, for those who don't click through and read the profile of every commenter.

          I know most of the P0 team, and they view themselves as independent from Google

          TFA states Project Zero was using data from "Google's Threat Analysis Group (TAG)", which reads as other groups in Google feeding them data, which Project Zero dutifully turned into a lovely, Android-friendly PR report.

          Regardless of what Project Zero may

          • So a user who works for Google on Android Security is here to defend the name of "Project Zero". At this point, your connection to the topic I think deserves to be clearly documented, for those who don't click through and read the profile of every commenter.

            Sorry, I thought I had made my employment clear. You're right that I didn't, thanks for the clarification. I do want to add that I'm not "here to defend" Project Zero. I was a slashdot poster long before I was a Google employee (I'd like to say that I'll be a slashdot contributor long after I'm not a Google employee, but I'm not sure how much longer I'm going to hang out here), and I've always given my honest take. In this case, that looks like defense, because I think P0 did a great job. Though, in a

    • If egos were bruised then perhaps it was only because of the false premise you were either touting or leaning on in the first place (the idea that one brand's product is much more secure than the other).

      You seriously think that it is a "false premise" that iOS is much more secure than Android?

      Care to try and prove that with some statistics?

      I'll wait.

      • You seriously think that it is a "false premise" that iOS is much more secure than Android?

        Care to try and prove that with some statistics?

        I'll wait.

        Woooooooooosh!

    • I agree tech tribalism should not be applied to security research.
      However, we seem not to have a good, independent, fair judge of it.

      * Project Zero also researches Google's own projects... However, if a flaw is found in Google's products, how public will they be? Given that Google is paying their salaries, finding data against Apple may mean Google will be more likely to allow a blunt release of the flaws than if it were a Google project, where its response may be more tempered.

      * Google has products that run o

    • I worked for a security company that found issues with some Apple products and was going to present them at a conference. Apple insinuated it "might" get very litigation-heavy on any copy that painted them in a poor light.

  • The US gov doing very legal collection.
    China can also do very legal collection?
    Respect the NSA when it makes a request?
    Do the same for China?
  • Apple fixed the Exploit 10 days after being informed of its existence.

    Regardless of any rhetoric, that is the ONLY "Response" that counted, and Apple certainly can't be faulted for closing the vulnerability with all due speed:

    https://www.theverge.com/2019/... [theverge.com]

    Google and these other FUD-rakers should be sued by Apple for Libel.

    • If there is a minority (i.e. anyone not of the white patriarchy) even remotely involved, your response shall be stated in the proper progressive verbiage, couched in expressions of your appreciation of diversity and tolerance. Else you shall be attacked publicly, deplatformed, and deported to the re-education camp.
  • Second, the word "China" is conspicuously absent, once again demonstrating the value the PRC gets from their leverage over the world's most valuable public company. To be fair, Google's post also didn't mention China.

    To be fair, both companies make products which can be and are used for surveillance of the populace, and both companies willfully participate in such in one way or another.

    To be even fairer, Google is way more cooperative with China's nefarious acts of suppression than is Apple.

    If I had to pick one of those companies to disappear off the face of the earth tomorrow it would still be Apple, because I actually use Google. But if the goal is to make Google look better than Apple, it's better not to go down that road at all.

    • How exactly is Google cooperating with China and their acts of suppression? This isn't sarcasm; I am genuinely curious what I don't know.

  • First off, disputing Google's correct use of "indiscriminate" when describing a watering hole attack smacks of "it's ok, it didn't hit white people."

    What the fuck? Did a C-level exec just go race-baiting on behalf of Google? I hope resignation is the next step after sobering up.

    • by sinij ( 911942 )
      Alex Stamos [wikipedia.org] is a former CSO and now an adjunct at Stanford. This explains this over-the-top response nicely - he is hoping to virtue-signal into tenure.
    • Re: (Score:2, Troll)

      First off, disputing Google's correct use of "indiscriminate" when describing a watering hole attack smacks of "it's ok, it didn't hit white people."

      What the fuck? Did a C-level exec just go race-baiting on behalf of Google? I hope resignation is the next step after sobering up.

      Race baiting is OK as long as it's white people who are being put down.

  • also of cDc. I'd pay attention to what Mr. Stamos has to say!
  • Many people posting here seem to have some serious difficulty with reading comprehension. The post did not imply the *exploit* was racist (that would be asinine), but rather Apple's response to it and their downplaying of any real-world consequences of a serious iOS exploit. Further, they refused to acknowledge that the exploit was used by China to target a specific ethnic minority even though that's abundantly clear; they say things like "a small number of web-sites" to obfuscate the fact that the small n
  • "Reporting a found exploit in a product is racism"

    I think my head just exploded.
    • by Anonymous Coward

      "Reporting a found exploit in a product is racism" I think my head just exploded.

      Re-read the summary. The implication of racism is 1) By Stamos 2) Against Apple and 3) for downplaying a campaign targeted at a religious and ethnic minority by an authoritarian state.

      You have the party accusing, the party being accused, and the action, all wrong.
