undefined | Better HN

0 pointssaurik13y ago0 comments

1) A more relevant example in this case might be Spotify in specific, but sure: Facebook. Do you honestly disagree? If so, I am pretty certain you are in the minority. In a list of 7 reasons a reporter from the Huffington Post "left iTunes for Spotify", #7 was "Spotify gets social" (with specific contrast to Ping).

http://www.huffingtonpost.com/2011/07/18/left-itunes-for-spo...

4) I currently host jailbreakme.com, but comex developed that specific jailbreak. I helped with Corona (5.1 exploit) and run Cydia, Substrate, etc.; I guess thinking about it more, I produced the protection fix for one of comex's JailbreakMe PDF exploits (making me somewhat relevantly related to that project).

Apple does not, in fact, have a good reputation when it comes to malicious code: they are simply sufficiently small players that people don't target them. A lot of people believe otherwise, but as far as I can tell this is because their knowledge of Apple products comes only from Apple's marketing efforts.

In fact, in 2010, reknowned security researcher Charlie Miller (who was winning Pwn2Own every year until he decided to stop attending to protest a rules change) was fuzzing PDF renderers, and found many more exploitable PDF files against Apple's Preview (30-60 failures) than in Adobe's Acrobate (only 3-10).

^ This, combined with first-hand experience with the zero-day PDF exploits from comex (where the second exploit was to the same mechanism as the first, as Apple apparently failed to fix it the first time around) are the reason I install Adobe Acrobat and deactivate Preview on my Mac: at least Adobe manages to fix the bugs that are found.

5) iOS 6 was not released in May. In fact, no iOS version was released concurrent to that reported issue, AFAIK. How is this relevant to the example I dragged up and posted? I specifically went out of my way to find an example that would not fall to simple "but the bandwidth is too much for Apple/Akamai to handle!" arguments, and you didn't even pay attention.

0 comments

dvanduzer13y ago

1) I think Ping was a shitty idea, and that no one anywhere has gotten "social" right.

4) I said hello on IRC a little bit ago. I'm not going to argue the point on security when I'm clearly outclassed.

5) Whoops. I'm just being careless there. Sorry about that.

I'm really only arguing any of this because of the remark "Apple actually makes this kind of mistake often." This maps thing is a rare, but colossal fuckup from Apple. First other thing that came to mind was when they cut the original iPhone sticker price by $200 only a couple weeks after it came out.

jlmendezbonini13y ago

I realize my question will be off topic but I'm sure everyone in this thread would appreciate the answer. Apart from deactivating Preview, what other measures do you take to protect your Mac?

archagon13y ago

saurik, thank you so much for responding in this thread. Your answers are very insightful. In regards to 4, I've always assumed that to an extent, Apple tolerates jailbreakers and doesn't put as much effort as they could into fixing the exploits (unless they're critical, like the PDF one.) What do you think?

saurikOP13y ago

Apple has a schedule by which they fix bugs; if an exploit is not "dangerous" (such as a remote web browser vulnerability), they do not seem to alter their schedule to fix it, even if it helps people jailbreak: they treat it like any other bug.

As an example, 5.1.1 was subject to Rocky Racoon for many months throughout the beta releases of 6.0. This exploit requires physical access to an unlocked (as in, not at the lock screen: PIN code already entered) device; once the device is unlocked, you can just use it, getting access to e-mails, the address book... whatever you'd like: it isn't really a serious security hazard to also be able to jailbreak it.

j / k navigate · click thread line to collapse