undefined | Better HN

0 pointslern_too_spel5y ago0 comments

> False. If I claimed that, you’d be able to quote me.

Here you go:

>> People using an iOS device can never be sure they are installing the secure app they wanted to install or some switcheroo.

>This is complete bullshit. Apps are signed by developed and by Apple. Were you not aware of that?

If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context. I interpreted your response as charitably as possible.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

I explained how app distribution works and assumed you could work it out. It looks like my assumption was mistaken, so here it is step by step: 1. The package sent to the device is not signed by the developer but by Apple or China. https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

> There is no indication of an MITM vulnerability between the developers and Apple, nor is there one between Apple and users.

Once again, the biggest MITM is between the developer and users, which F-Droid's reproducible builds prevent.

> Your claim about aggregate Android malware numbers being lower than iOS was false:

My claim was about malware from the Play Store and the Amazon App Store.

Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic and want me to spell it out. If you need help understanding an argument, just ask for it.

0 comments

zepto5y ago

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You read something into it that simply isn’t there.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

> 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

If you have a link that does, I would be interested to see one, otherwise I think we can safely assume for now that this a lie. You know there is no evidence for it, but you are claiming it anyway.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic

I have followed the logic. It relies on unsupported claims, some of which appear may be outright lies. I think that is bullshit.

lern_too_spelOP5y ago

> It makes perfect sense.

To repeat myself, not in the context of what you replied to. If you understood that it works the way you now clearly understand it to, you would immediately see that it does not solve the problem you claimed it did.

> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

I provided link from an Apple employee saying as much.

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

The quora link says iOS devices trust a key from the Chinese government. Where that key exists is irrelevant. What I showed is that your claim that China cannot MITM iOS packages is false.

> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

I showed how they can, and you have not disputed it. You only said that I haven't given evidence that they are, which I never claimed.

> I’m not unconcerned about that

Then your statement about app signing makes even less sense in the context of the user not knowing if they are installing the secure app they wanted to install. It can only make sense if you trust Apple completely (which I found unlikely for anybody to trust any intermediary completely) or if you erroneously thought that the package sent the device was signed by the developer (which seemed to me comparatively more likely). Now you've admitted that the first case isn't true, which only leaves the second case (that I had assumed) or opens a third case, which is that you are arguing in bad faith, knowing that what I said is true but calling it bullshit anyway.

> Yes and it is false.

You say this on the basis of zero evidence. I gave you over a hundred million infections on the App Store from xcodeghost alone that Apple did not have the ability to scan for.

> It relies on unsupported claims, some of which appear may be outright lies.

If that is what you believe, then point them out. You have repeatedly failed to do so, so perhaps you should reconsider whether I am bullshitting.

zepto5y ago

>> It makes perfect sense.

> To repeat myself, not in the context of what you replied to. If you understood that it works the way you now clearly understand it to, you would immediately see that it does not solve the problem you claimed it did.

It solves the problem of China MITMimg iOS packages. That is the context.

>> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> I provided link from an Apple employee saying as much.

That’s a lie. They don’t say anything of the kind. If they did you’d be able to quote them

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

> The quora link says iOS devices trust a key from the Chinese government.

A browser certificate. This has nothing to do with packages from the iOS App Store. I believe you understand the difference.

> Where that key exists is irrelevant.

It is relevant. The Chinese key iOS devices trust doesn’t enable them to MITM App Store packages..

> What I showed is that your claim that China cannot MITM iOS packages is false.

You haven’t shown this. It’s seems like just a lie.

You have pointed to a key which can’t sign packages, and a conversation where nobody says anything indicating that China can MITM packages.

Neither of these are evidence they can do this. If you have real evidence feel free to present it.

>> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

> I showed how they can, and you have not disputed it.

You have claimed China can MITM iOS packages but you have provided no evidence to support this claim. The links you provided don’t support the claim. It looks like you’re just lying.

> You only said that I haven't given evidence that they are, which I never claimed.

Also false. You said the link to the Apple employee’s statements supported this claim.

Me: “There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.” You: “I provided link from an Apple employee saying as much.”

1 more reply

zepto5y ago

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You misrepresented my response.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall. If you have a link that does, I would be interested to see one, otherwise I think we can safely call this a lie. You know there is no evidence for it, but you are claiming it anyway.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic and want me to spell it out. If you need help understanding an argument, just ask for it.

I will continue to call out lies and bullshit when it’s clear that is what is being presented. You have so far not substantiated the facts you have been challenged on, and your arguments rely on claims which you can’t support.

zepto5y ago

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You misrepresented my response.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

j / k navigate · click thread line to collapse

0 comments

zepto5y ago

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You read something into it that simply isn’t there.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

> 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

If you have a link that does, I would be interested to see one, otherwise I think we can safely assume for now that this a lie. You know there is no evidence for it, but you are claiming it anyway.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic

I have followed the logic. It relies on unsupported claims, some of which appear may be outright lies. I think that is bullshit.

lern_too_spelOP5y ago

> It makes perfect sense.

> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

I provided link from an Apple employee saying as much.

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

The quora link says iOS devices trust a key from the Chinese government. Where that key exists is irrelevant. What I showed is that your claim that China cannot MITM iOS packages is false.

> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

I showed how they can, and you have not disputed it. You only said that I haven't given evidence that they are, which I never claimed.

> I’m not unconcerned about that

> Yes and it is false.

You say this on the basis of zero evidence. I gave you over a hundred million infections on the App Store from xcodeghost alone that Apple did not have the ability to scan for.

> It relies on unsupported claims, some of which appear may be outright lies.

If that is what you believe, then point them out. You have repeatedly failed to do so, so perhaps you should reconsider whether I am bullshitting.

zepto5y ago

>> It makes perfect sense.

It solves the problem of China MITMimg iOS packages. That is the context.

>> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> I provided link from an Apple employee saying as much.

That’s a lie. They don’t say anything of the kind. If they did you’d be able to quote them

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

> The quora link says iOS devices trust a key from the Chinese government.

A browser certificate. This has nothing to do with packages from the iOS App Store. I believe you understand the difference.

> Where that key exists is irrelevant.

It is relevant. The Chinese key iOS devices trust doesn’t enable them to MITM App Store packages..

> What I showed is that your claim that China cannot MITM iOS packages is false.

You haven’t shown this. It’s seems like just a lie.

You have pointed to a key which can’t sign packages, and a conversation where nobody says anything indicating that China can MITM packages.

Neither of these are evidence they can do this. If you have real evidence feel free to present it.

>> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

> I showed how they can, and you have not disputed it.

You have claimed China can MITM iOS packages but you have provided no evidence to support this claim. The links you provided don’t support the claim. It looks like you’re just lying.

> You only said that I haven't given evidence that they are, which I never claimed.

Also false. You said the link to the Apple employee’s statements supported this claim.

Me: “There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.” You: “I provided link from an Apple employee saying as much.”

1 more reply

zepto5y ago

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You misrepresented my response.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

zepto5y ago

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You misrepresented my response.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

j / k navigate · click thread line to collapse