Saagar Jha

(replying to Saagar Jha)
@osy86 The “solution”, as far as I can tell, is that Apple thinks they would catch attempts to hack their servers. Oh yeah also hacking the server is hard because they used Swift and deleted the SSH binary. Not like they ship an OS like that already to a billion people

osy

(replying to Saagar Jha)

@saagar I think their "solution" is "look if there's a bug in our code, it would be found by the community" which assumes enough security researchers would care to "jailbreak" PCC servers

Saagar Jha

(replying to osy)
@osy86 Well that is part of it but also read the bits where they are like “oh you cannot do a targeted attack without hacking all our servers and we will probably catch you if you do that”

Saagar Jha

(replying to Saagar Jha)
@osy86 It is left as an exercise for the reader if you don’t want to do a targeted attack (?) or you do it so that they don’t catch you (???)

Dominic Hopton

(replying to Saagar Jha)

@saagar @osy86 Microsoft’s Azure Department would like to get in contact with them to sell them security!

Saagar Jha

(replying to Saagar Jha)
@osy86 Also other people have been grumbling about this but I’ll come out and say it: gtfo with your “auditability”. You don’t care about auditability. You care about your intellectual property. This blog post is hilariously nonsensical

Saagar Jha

(replying to Saagar Jha)
@osy86 You can’t say “researchers can inspect both hardware and software [for iPhone]” and then later go “this is the first time we are providing plaintext iBoot”. You made it difficult for researchers to do their job for *years*. Now suddenly they are providing a vital service?

Saagar Jha

(replying to Saagar Jha)
@osy86 Like, you decide to hand researchers a decrypted version (of what is still a binary blob, to be clear) the moment you needed to advertise that your cloud was safe and secure? What do you want, a medal?

osy

(replying to Saagar Jha)

@saagar I know it's not your intention but I find it funny that all the messages look like they're addressed directly to me. Yes sir I will consult with Mr Cook and get back to you.

Saagar Jha

(replying to osy)
@osy86 Appreciate it

Thijs Alkemade

(replying to Saagar Jha)

@saagar They don’t have the budget for a code audit, so they crowdsource it. And they can just close all reports that require Apple to act maliciously as “Informative”.
spv

(replying to Saagar Jha)

@saagar @osy86 yes, i actually do want a medal, thank you.