undefined | Better HN

0 pointszepto4y ago0 comments

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You read something into it that simply isn’t there.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

> 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

If you have a link that does, I would be interested to see one, otherwise I think we can safely assume for now that this a lie. You know there is no evidence for it, but you are claiming it anyway.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic

I have followed the logic. It relies on unsupported claims, some of which appear may be outright lies. I think that is bullshit.

0 comments

lern_too_spel4y ago

> It makes perfect sense.

To repeat myself, not in the context of what you replied to. If you understood that it works the way you now clearly understand it to, you would immediately see that it does not solve the problem you claimed it did.

> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

I provided link from an Apple employee saying as much.

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

The quora link says iOS devices trust a key from the Chinese government. Where that key exists is irrelevant. What I showed is that your claim that China cannot MITM iOS packages is false.

> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

I showed how they can, and you have not disputed it. You only said that I haven't given evidence that they are, which I never claimed.

> I’m not unconcerned about that

Then your statement about app signing makes even less sense in the context of the user not knowing if they are installing the secure app they wanted to install. It can only make sense if you trust Apple completely (which I found unlikely for anybody to trust any intermediary completely) or if you erroneously thought that the package sent the device was signed by the developer (which seemed to me comparatively more likely). Now you've admitted that the first case isn't true, which only leaves the second case (that I had assumed) or opens a third case, which is that you are arguing in bad faith, knowing that what I said is true but calling it bullshit anyway.

> Yes and it is false.

You say this on the basis of zero evidence. I gave you over a hundred million infections on the App Store from xcodeghost alone that Apple did not have the ability to scan for.

> It relies on unsupported claims, some of which appear may be outright lies.

If that is what you believe, then point them out. You have repeatedly failed to do so, so perhaps you should reconsider whether I am bullshitting.

zeptoOP4y ago

>> It makes perfect sense.

> To repeat myself, not in the context of what you replied to. If you understood that it works the way you now clearly understand it to, you would immediately see that it does not solve the problem you claimed it did.

It solves the problem of China MITMimg iOS packages. That is the context.

>> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> I provided link from an Apple employee saying as much.

That’s a lie. They don’t say anything of the kind. If they did you’d be able to quote them

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

> The quora link says iOS devices trust a key from the Chinese government.

A browser certificate. This has nothing to do with packages from the iOS App Store. I believe you understand the difference.

> Where that key exists is irrelevant.

It is relevant. The Chinese key iOS devices trust doesn’t enable them to MITM App Store packages..

> What I showed is that your claim that China cannot MITM iOS packages is false.

You haven’t shown this. It’s seems like just a lie.

You have pointed to a key which can’t sign packages, and a conversation where nobody says anything indicating that China can MITM packages.

Neither of these are evidence they can do this. If you have real evidence feel free to present it.

>> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

> I showed how they can, and you have not disputed it.

You have claimed China can MITM iOS packages but you have provided no evidence to support this claim. The links you provided don’t support the claim. It looks like you’re just lying.

> You only said that I haven't given evidence that they are, which I never claimed.

Also false. You said the link to the Apple employee’s statements supported this claim.

Me: “There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.” You: “I provided link from an Apple employee saying as much.”

lern_too_spel4y ago

> It solves the problem of China MITMimg iOS packages. That is the context.

Lie. Here is the context to which you replied that packages are signed by Apple and the developer: "People using an iOS device can never be sure they are installing the secure app they wanted to install or some switcheroo."

As you've admitted, Apple can do the switcheroo.

> They don’t say anything of the kind.

Lie. Here's what they said:

"All of the major iPhone vendors in China do this by using an enterprise enrollment certificate to adda new certificate to the code signing certificate chain of trust.

"And then when they repackage the government malware, they do so by signing it with the enterprise signing certificate, which allows them to bypass the Apple signing certificate for code execution on the device."

> A browser certificate

Lie. See above.

>> Where that key exists is irrelevant.

> It is relevant.

Then why don't you explain why where the keys are is relevant to whether something is possible instead of ignoring where the keys are and saying the following?

> The Chinese key iOS devices trust doesn’t enable them to MITM App Store packages..

Lie. See above.

> You have pointed to a key which can’t sign packages

Lie. See above.

> You have claimed China can MITM iOS packages but you have provided no evidence to support this claim.

Lie. See above together with my description of how to use that key together with the Great Firewall and a proxy.

> Also false. You said the link to the Apple employee’s statements supported this claim.

Lie. I used the Apple employee's statements to say that they can, not that they do. Quote: "they can [emphasis added] replace the Signal package with a compromised one."

> Me: “There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.” You: “I provided link from an Apple employee saying as much.”

I sort of understand how you would be confused. The statement I was responding to here was not about China MITMing the App Store but about China signing iOS packages delivered to devices. The quote above shows that they do.

1 more reply

j / k navigate · click thread line to collapse

0 pointszepto4y ago0 comments

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You read something into it that simply isn’t there.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

> 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

If you have a link that does, I would be interested to see one, otherwise I think we can safely assume for now that this a lie. You know there is no evidence for it, but you are claiming it anyway.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic

I have followed the logic. It relies on unsupported claims, some of which appear may be outright lies. I think that is bullshit.

0 comments

lern_too_spel4y ago

> It makes perfect sense.

> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

I provided link from an Apple employee saying as much.

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

The quora link says iOS devices trust a key from the Chinese government. Where that key exists is irrelevant. What I showed is that your claim that China cannot MITM iOS packages is false.

> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

I showed how they can, and you have not disputed it. You only said that I haven't given evidence that they are, which I never claimed.

> I’m not unconcerned about that

> Yes and it is false.

You say this on the basis of zero evidence. I gave you over a hundred million infections on the App Store from xcodeghost alone that Apple did not have the ability to scan for.

> It relies on unsupported claims, some of which appear may be outright lies.

If that is what you believe, then point them out. You have repeatedly failed to do so, so perhaps you should reconsider whether I am bullshitting.

zeptoOP4y ago

>> It makes perfect sense.

It solves the problem of China MITMimg iOS packages. That is the context.

>> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> I provided link from an Apple employee saying as much.

That’s a lie. They don’t say anything of the kind. If they did you’d be able to quote them

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

> The quora link says iOS devices trust a key from the Chinese government.

A browser certificate. This has nothing to do with packages from the iOS App Store. I believe you understand the difference.

> Where that key exists is irrelevant.

It is relevant. The Chinese key iOS devices trust doesn’t enable them to MITM App Store packages..

> What I showed is that your claim that China cannot MITM iOS packages is false.

You haven’t shown this. It’s seems like just a lie.

You have pointed to a key which can’t sign packages, and a conversation where nobody says anything indicating that China can MITM packages.

Neither of these are evidence they can do this. If you have real evidence feel free to present it.

>> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

> I showed how they can, and you have not disputed it.

You have claimed China can MITM iOS packages but you have provided no evidence to support this claim. The links you provided don’t support the claim. It looks like you’re just lying.

> You only said that I haven't given evidence that they are, which I never claimed.

Also false. You said the link to the Apple employee’s statements supported this claim.

Me: “There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.” You: “I provided link from an Apple employee saying as much.”

lern_too_spel4y ago

> It solves the problem of China MITMimg iOS packages. That is the context.

As you've admitted, Apple can do the switcheroo.

> They don’t say anything of the kind.

Lie. Here's what they said:

"All of the major iPhone vendors in China do this by using an enterprise enrollment certificate to adda new certificate to the code signing certificate chain of trust.

> A browser certificate

Lie. See above.

>> Where that key exists is irrelevant.

> It is relevant.

Then why don't you explain why where the keys are is relevant to whether something is possible instead of ignoring where the keys are and saying the following?

> The Chinese key iOS devices trust doesn’t enable them to MITM App Store packages..

Lie. See above.

> You have pointed to a key which can’t sign packages

Lie. See above.

> You have claimed China can MITM iOS packages but you have provided no evidence to support this claim.

Lie. See above together with my description of how to use that key together with the Great Firewall and a proxy.

> Also false. You said the link to the Apple employee’s statements supported this claim.

Lie. I used the Apple employee's statements to say that they can, not that they do. Quote: "they can [emphasis added] replace the Signal package with a compromised one."

> Me: “There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.” You: “I provided link from an Apple employee saying as much.”

1 more reply

j / k navigate · click thread line to collapse