Team claims $1 million bounty for remotely jailbreaking iOS 9.1 & 9.2

13

Comments

  • Reply 41 of 78
    gatorguygatorguy Posts: 21,102member

    I do. 250 apps that has already been pulled of the store. 

    There is a problem with this logic. Apple has ability to pull certificates of apps consequently making them inaccessible for new downloads. Also the moment you pull a certificate, you are unable to launch that app from the device regardless of whether you already downloaded it or not.


    However that is not the case with Android. Add to it "freedom" of using third party apps that seems to be a very normal way of downloading apps (not from Google store), and you will get a slightly more interesting picture.

     
    Despite Apple's efforts XCode Ghost is still alive and kicking and now found here in the US too so no longer a China only issue.
    https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html

    Like with most of these Android security flaws you keep referencing the 200+ businesses here in the US where it's been discovered lurking may not have been comprised. At least not yet.
  • Reply 42 of 78
    indyfxindyfx Posts: 320member
    Quote:

    Originally Posted by Gatorguy View Post





    Where was the claim it doesn't work with Safari? Missed that one.



    Says it requires chrome

  • Reply 43 of 78
    gatorguygatorguy Posts: 21,102member
    indyfx wrote: »

    Says it requires chrome
    Where?
  • Reply 44 of 78
    indyfxindyfx Posts: 320member

    "The winning team used a combination of Chrome and iOS vulnerabilities to create a browser-based jailbreak"

  • Reply 45 of 78
    gatorguygatorguy Posts: 21,102member
    indyfx wrote: »
    "The winning team used a combination of Chrome and iOS vulnerabilities to create a browser-based jailbreak"
    I saw that but you said it couldn't be done with Safari and thought somewhere it stated specifically that. It doesn't AFAIK. I think it's quite likely the same or similar exploit could use Safari instead. The team only said they used Chrome coupled with iOS exploits for this particular one, not that it was a requirement.
  • Reply 46 of 78
    indyfxindyfx Posts: 320member



    Wow, just wow... I think that just goes to show the mindset.

    Well they didn't also not say that they couldn't make iPhones spontaneously explode, so that must also be a possibility (based on that kind of logic)

  • Reply 47 of 78
    gatorguygatorguy Posts: 21,102member
    indyfx wrote: »

    Wow, just wow... I think that just goes to show the mindset.
    Well they didn't also not say that they couldn't make iPhones spontaneously explode, so that must also be a possibility (based on that kind of logic)
    No. You just can't make the claim that a jailbreak exploit couldn't be done using Safari and iOS instead of Chrome and iOS based on anything revealed by the team that is claiming the prize. I suspect it could considering the shared code. Unlike you arguing just the opposite I wouldn't go so far as to claim it as a fact tho.
  • Reply 48 of 78
    indyfxindyfx Posts: 320member



    Two fundamental flaws in that logic:

    Google (like microsoft) has a history (as bourne out by devices compromised) of writing insecure code.

    Apple on the other hand has a history of extremely secure code.

    Second, chrome is present on a tiny percentage of iOS devices, if they could have made the hack work on safari they no doubt would have, as it would have made a far more impressive splash.

     

    Sorry but your hypothesis makes about as much sense as my spontaneous explosions.

  • Reply 49 of 78
    gatorguygatorguy Posts: 21,102member
    indyfx wrote: »

    Two fundamental flaws in that logic etc etc.
    Whatever you wish to see I suppose. The hackers aren't claiming what your eyes thought they read.

    Did you consider that a flaw that only needed Safari and iOS would be more valuable than the one they're using to collect the $1M bounty, especially so if kept secret and thus much less likely to be discussed? You know the exploits are for sale according to the article. They're not whitehats.

    The company gushing over how secure iOS is has a selfish agenda too IMO. They would of course want to further promote the idea that iOS is so secure that the only way of monitoring iPhones is to come talk to them about buying access to the hack.

    THAT'S using logic.
  • Reply 50 of 78

    Yeah, "more secure" is still explicitly not secure. All popular platforms are demonstrated to be vulnerable. Period.

  • Reply 51 of 78
    Yeah, "more secure" is still explicitly not secure.

    That's not true. That's like saying that adding vibration sensors to a bank vault to make it more secure explicitly means it's not secure. Don't confuse the word security with a hypothetical use of impregnable.
  • Reply 52 of 78
    solipsismy wrote: »
    That's not true. That's like saying that adding vibration sensors to a bank vault to make it more secure explicitly means it's not secure. Don't confuse the word security with a hypothetical use of impregnable.

    I would say Apple has proven that the 6S-series is more bend-resistance than the 6-series, but I doubt you would say that means it explicitly means it's not bend-resistant.
  • Reply 53 of 78

    It's semantic.

     

    The point stands that if the wrong people want access to your phone, they will gain access to your phone.

     

    Smart behavior can prevent nearly all of the publicized malware on all platforms. I really don't care about malware through an app store, because I only use a well-vetted core set of apps. If those are compromised, then the level of capability has clearly surpassed the level of security, and those folks are in the door.

  • Reply 54 of 78
    solipsismysolipsismy Posts: 5,099member
    It's semantic.

    Relating to logic? Absolutely; your comment is illogical.
    The point stands that if the wrong people want access to your phone, they will gain access to your phone.

    So your argument is just to roll over and do nothing?
    Smart behavior can prevent nearly all of the publicized malware on all platforms. I really don't care about malware through an app store, because I only use a well-vetted core set of apps. If those are compromised, then the level of capability has clearly surpassed the level of security, and those folks are in the door.

    Why not consider how nature works since you are part of it — you are a part of it, aren't you? Apex predators aren't always successful in nature. They also don't go for the hardest kill. The old, the young, the informed, the downright stupid and confused get eaten. If only we had a term for natural selection within nature¡

    With humans it's more complex because of varying degrees of cost/effort v reward/penalty. This is why theft is moving online and why those less willing to protect themselves are more likely to fall victim. That doesn't mean I can't, despite my proactive and reactive by proxy protections, nor does it mean you will, with your "if people want to gain access to your phone they will" defeatist attitude, but the odds are clear that those that neither pay attention nor are prepared are more likely to suffer unforeseen issues.
  • Reply 55 of 78
    Quote:

    Originally Posted by SolipsismY View Post





    Relating to logic? Absolutely; your comment is illogical.

    So your argument is just to roll over and do nothing?

    Why not consider how nature works since you are part of it — you are a part of it, aren't you? Apex predators aren't always successful in nature. They also don't go for the hardest kill. The old, the young, the informed, the downright stupid and confused get eaten. If only we had a term for natural selection within nature¡



    With humans it's more complex because of varying degrees of cost/effort v reward/penalty. This is why theft is moving online and why those less willing to protect themselves are more likely to fall victim. That doesn't mean I can't, despite my proactive and reactive by proxy protections, nor does it mean you will, with your "if people want to gain access to your phone they will" defeatist attitude, but the odds are clear that those that neither pay attention nor are prepared are more likely to suffer unforeseen issues.

     

    As I explained, I am protecting myself, and I'm effective enough that the (significant?) difference between iOS security and Android security does not impact me. What would impact me is a capable and motivated adversary, and my point is that no level of security in a standard smartphone environment will protect in that case. So, I'd rather live outside the walled garden where I get to choose my own hardware, since I can adequately protect myself in that environment while enjoying more freedom.

  • Reply 56 of 78
    tenlytenly Posts: 707member
    <span style="line-height:1.4em;">It's impossible to create software that's 100% bug free and secure.

    What makes you think it's impossible? Just because it hasn't been done yet? it *has* in fact been done - many times in many different types of software. Or did you mean to limit your comments to Operating Systems? They are certainly a lot more complex than other types of software - but there is nothing inherently unique about them that would make it *impossible* to secure them.

    I suspect that your only evidence is going to be the statement that "if it were possible, somebody would already have done it". LOL! Do us a favour and please don't try to use such ridiculous logic on us.

    It's (obviously) very, very difficult to do - but that certainly doesn't mean that it's impossible. "Very difficult" does not mean "impossible". One day we'll have it - and the next we won't - because new software is being written all the time - and some of it is sloppy and will introduce new bugs into previously bug-free code.

    There is plenty of software out there that is currently bug free and secure. To my knowledge there aren't any OS platforms that are currently "bug free and FULLY secure" - but again - that doesn't mean it's impossible.

    The simpler the program, the easier it is to create something bug free and secure.

    Impossible means "not able to occur, exist or be done".

    So - enlighten us all with your wisdom....what is it that you think makes it completely *not possible* to create a bug free and secure OS platform (remembering that *unlikely*, *difficult* and *hasnt been done yet* do nothing to prove that it's actually *impossible*!
  • Reply 57 of 78
    solipsismysolipsismy Posts: 5,099member
    So, I'd rather live outside the walled garden where I get to choose my own hardware, since I can adequately protect myself in that environment while enjoying more freedom.

    That reads like you want to hole up in some backwoods Kentucky compound with guns and rations waiting for the US economy to collapse.
  • Reply 58 of 78
    indyfxindyfx Posts: 320member
    Quote:

    Originally Posted by waterrockets View Post

     

    Yeah, "more secure" is still explicitly not secure. All popular platforms are demonstrated to be vulnerable. Period.


     

    This is like saying that a dripping faucet is the same as a water main break because both are leaks, therefor are equivalent.

    Not all platforms are -equally- vulnerable. 

  • Reply 59 of 78
    Quote:

    Originally Posted by SolipsismY View Post





    That reads like you want to hole up in some backwoods Kentucky compound with guns and rations waiting for the US economy to collapse.

     

    Interesting interpretation, especially considering that it's actually the more liberal approach :P

     

    Quote:

    Originally Posted by IndyFX View Post

     

     

    This is like saying that a dripping faucet is the same as a water main break because both are leaks, therefor are equivalent.

    Not all platforms are -equally- vulnerable. 


     

    If both leaks are wetting something easily destroyed by water, what's the difference?

  • Reply 60 of 78
    Quote:

    Originally Posted by Gatorguy View Post





    Despite Apple's efforts XCode Ghost is still alive and kicking and now found here in the US too so no longer a China only issue.

    https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html



    Like with most of these Android security flaws you keep referencing the 200+ businesses here in the US where it's been discovered lurking may not have been comprised. At least not yet.



    Yeah...terrible. Notice figure 3. Notice the first name that is NOT in english. Chinese app.

     XcodeGhost apps are isolated to themselves. They don't hijack phones, don't snoop on other apps since iOS prevents that tight interaction. The only data those apps can get is what they can obtain from accessible iOS APIs (phone number) and what they gather from the user directly. So, if user thinks that it is okay if PhotoScanner Lt app suddenly asks for a password or credit card info, then I have no comment on that.

Sign In or Register to comment.