undefined | Better HN

0 pointsGeekyBear11d ago0 comments

One of the things Apple's Lockdown mode does is disable previews of images or links that are sent to you.

It seems like the lesson is that you shouldn't be processing data sent to the device by random strangers without the user explicitly choosing to open the file or follow the link.

0 comments

thewebguyd11d ago

That should be the default behavior, not a special lock down option that also disables other features.

Why can't they just make it like most email clients? No preview by default, give a banner with an option to explicitly allow a preview for that specific message or conversation?

Barbing10d ago

>That should be the default behavior

It is! The phishers try to socially engineer their way into getting link previews or in fact clickable links period.

Screenshot here of the automatic link/preview disable-

https://www.bleepingcomputer.com/news/security/phishing-text...

thrownthatway11d ago

I tend to agree.

But how does that prevent one from receiving and opening a malicious message?

lupire11d ago

Because many people know not trust unknown senders.

1 more reply

marysol510d ago

You know that E-Mail clients blocking stuff came after right?

jiggawatts11d ago

Sorry, but that is an insanely defeatist attitude blended with a hint of blaming users for wanting features.

Image decoders are pure functions and all should have been rewritten as 100% safe Rust years ago.

Users need functionality.

It’s up to us to figure out how to provide that safely.

Saying to users they shouldn’t have those features isn’t sage advice, it’s admitting failure.

microtonal10d ago

They are actually pushing Rust quite hard now in Android:

https://blog.google/security/rust-in-android-move-fast-fix-t...

Even to the baseband firmware:

https://blog.google/security/bringing-rust-to-the-pixel-base...

yencabulator9d ago

Since it's a pure function, you can even keep using the legacy C code while still putting it in a sandbox: compile to WASM, then AOT transform to native code, and now it runs in the WASM sandbox at practically-native speed.

https://hacks.mozilla.org/2021/12/webassembly-and-back-again...

(Of course, new code is preferred in Rust over C, for sure.)

anthk10d ago

Rust wont save you from malicious SVG+JS files, EPS/PostScript files and so on.

michaelt11d ago

The thing is, nobody's happy just previewing jpegs and pngs.

Before you know it, people want to preview SVGs, PDFs, video, HTML and so on.

And to do that properly means you've got to support obscure formats like JBIG2 and CCITT Fax. Malicious vector images with a billion elements to render. XML that lets one file embed another.

And good luck getting the budget to re-implement them all from scratch in a better language, when the only business value the feature delivers is a postage-stamp-sized preview image.

amarant11d ago

Perfection is the enemy of the perfectly good.

And let's be honest, you'll have what, 0.0001% of users who want to preview CCITT in 2026? Less? Probably less.

1 more reply

denkmoon10d ago

The business value is reduced attack surface which is a marketable attribute. Seems like the exact type of thing Apple would do.

marysol510d ago

At what point do we just refuse to parse obscure rarely used formats

jiggawatts11d ago

Most of these are solved problems to one degree or another. Web browsers have generally switched over to decoding legacy unsafe formats like PDF using safe managed languages, typically JavaScript.

> JBIG2 and CCITT Fax

Since performance isn't such a critical concern with obscure legacy formats, it really wouldn't be much more than a day or two of work for a competent developer with AI agent tooling to convert an existing decoder to safe Rust.

Meta set nearly a hundred billion dollars on fire for a total failure that everybody saw coming, a trillion dollars is what the current AI investment crazy is pouring into concrete and TSMC chips, but... a couple of days for a developer is asking too much!?

1 more reply

j / k navigate · click thread line to collapse

0 comments

thewebguyd11d ago

That should be the default behavior, not a special lock down option that also disables other features.

Why can't they just make it like most email clients? No preview by default, give a banner with an option to explicitly allow a preview for that specific message or conversation?

Barbing10d ago

>That should be the default behavior

It is! The phishers try to socially engineer their way into getting link previews or in fact clickable links period.

Screenshot here of the automatic link/preview disable-

https://www.bleepingcomputer.com/news/security/phishing-text...

thrownthatway11d ago

I tend to agree.

But how does that prevent one from receiving and opening a malicious message?

lupire11d ago

Because many people know not trust unknown senders.

1 more reply

marysol510d ago

You know that E-Mail clients blocking stuff came after right?

jiggawatts11d ago

Sorry, but that is an insanely defeatist attitude blended with a hint of blaming users for wanting features.

Image decoders are pure functions and all should have been rewritten as 100% safe Rust years ago.

Users need functionality.

It’s up to us to figure out how to provide that safely.

Saying to users they shouldn’t have those features isn’t sage advice, it’s admitting failure.

microtonal10d ago

They are actually pushing Rust quite hard now in Android:

https://blog.google/security/rust-in-android-move-fast-fix-t...

Even to the baseband firmware:

https://blog.google/security/bringing-rust-to-the-pixel-base...

yencabulator9d ago

https://hacks.mozilla.org/2021/12/webassembly-and-back-again...

(Of course, new code is preferred in Rust over C, for sure.)

anthk10d ago

Rust wont save you from malicious SVG+JS files, EPS/PostScript files and so on.

michaelt11d ago

The thing is, nobody's happy just previewing jpegs and pngs.

Before you know it, people want to preview SVGs, PDFs, video, HTML and so on.

And to do that properly means you've got to support obscure formats like JBIG2 and CCITT Fax. Malicious vector images with a billion elements to render. XML that lets one file embed another.

And good luck getting the budget to re-implement them all from scratch in a better language, when the only business value the feature delivers is a postage-stamp-sized preview image.

amarant11d ago

Perfection is the enemy of the perfectly good.

And let's be honest, you'll have what, 0.0001% of users who want to preview CCITT in 2026? Less? Probably less.

1 more reply

denkmoon10d ago

The business value is reduced attack surface which is a marketable attribute. Seems like the exact type of thing Apple would do.

marysol510d ago

At what point do we just refuse to parse obscure rarely used formats

jiggawatts11d ago

Most of these are solved problems to one degree or another. Web browsers have generally switched over to decoding legacy unsafe formats like PDF using safe managed languages, typically JavaScript.

> JBIG2 and CCITT Fax

1 more reply

j / k navigate · click thread line to collapse