Last Active
  • Apple 'poisoned the well' for client-side CSAM scanning, says former Facebook security chi...

    lkrupp said:
    Remember, people, this is the former 'Facebook security chief’. Facebook and security are mutually exclusionary terms. It’s like trying to put a square peg into a round hole. It ain’t happening.
    Stamos is *highly* respected in the information security community. Speaking as someone whose job title includes the words chief, information, security, and officer, when he says something I almost always find it worth considering and never dismiss it outright based on where he's worked. For what it's worth, by all accounts his time at Facebook wasn't a harmonious one. 

    He's guest hosted the Risky Business security podcast numerous times. If you want to get a sense of the guy, I recommend listening to those episodes. 
  • Microsoft suggests shift to iPhone as Windows 10 Mobile end of support date announced

    That headline, while strictly true, is a touch misleading. Microsoft is suggesting a move to Android or iOS, something that's mentioned, but the headline makes it look as if they're recommending only iOS. *I* recommend only iOS, but Microsoft seems to be less convicted :P 
  • Two vulnerabilities patched in iOS 12.1.4 were exploited by hackers, Google researcher say...

    lkrupp said:

    How, exactly, the vulnerabilities were exploited and by whom is unknown.

    Both bugs were detailed in Apple documentation detailing security changes delivered with the iOS 12.1.4 package.
    That’s the 64 Thousand Dollar Question.  Saying the bugs were exploited and explaining how are two different things. iOS is the Walled Garden so were apps downloaded from the App Store that did the exploit or were they confined to jailbroken iOS devices? 
    Neither has to be the case: If the bugs are in iOS itself then *any* apps using the vulnerable code (if, for example, it’s in a library) have the potential to be the vector for exploitation. For example, if there is a security vulnerability in an image handling iOS library, any app that uses that library to deal with images can, if presented with a malicious image (let’s say hosted on a website), cause exploitation. I believe this has happened with both Safari and Messages in the past.
  • Editorial: Why Microsoft Surface isn't growing after seven years of trying

    melgross said:
    Because it’s not really true. That is, neither DED’s, or Apple badger. When I go to conferences, I see a mix of Apple laptops, iPads, Windows laptops, and some Surface Pro models. Depending on the conference, the ratios change. But normally, Apple’s products are at least 50%.
    Since I'm talking about my own observations, which I readily admit(ted) are anecdotal evidence by definition, I'm not sure how you can say that what I'm saying isn't really true. My observation, when talking about tablet-like things, has been that I see a lot of Surface Pros around where it used to be a sea of only iPads. Depending on the people in the group, mine may be the only iPad in the room, but that's rare. Manager sorts seem to prefer the Surface Pro, while technical folks and students tend to go for the iPad. Again, this is what I have noticed; you can have a completely different experience and we can still both be right :) 

    Overall, when you include notebooks, the number of Apple devices that I see seems to be more than half, but I'm not sure if that's just down to Apple stuff being more noticeable. As the glowing Apple logo fades into history, that bias will become less relevant. 

    If we want to venture out of the anecdotal space, I can tell you that over time the number of Apple devices (as a percentage of the total number of devices) on my workplace WiFi network (I work at a small Canadian university) has declined, though absolute numbers have increased. In 2010-ish, the number of Apple devices was well over 2/3 on any given day and these days it tends to be around 40%. I know this because I was challenged by a former CIO on my assertion that Apple devices made up the majority of devices on our WiFi network, so I wrote a script that tracks that :) 

    That decline is not, in my opinion, any indicator of trouble for Apple; it's just a sign that in the mobile space the competition has gotten better. Apple isn't in trouble; the iPad is doing very, very well, but this fixation on pushing the narrative that the Surface Pro is failing seems weird to me. 
  • Apple says iOS Mail vulnerabilities do not pose immediate threat, patch coming

    It's probably a good idea to read the original release from ZecOps (or at least their FAQ for this). They lay out their case for why they think there's been exploitation and also explain that this is, by itself, not enough to fully take over the phone. 

    Speaking as someone who works in IT security, I'm going to make two observations:

    1. Gaining control of an email account can have catastrophic consequences, both for individuals and organizations. 

    2. Whenever some locally exploitable bug is reported on here, there is always a chorus of people who disclaim it based on the fact that you need access to the device or to be running software on the device in order to exploit it, and they only get their software from the App Store, or some such thing. This is the other half of the exploit chain that makes local vulnerabilities so dangerous; this is the kind of thing that makes local vulnerabilities into remote ones. 
  • New 2021 12.9-inch iPad Pro can't use previous Magic Keyboard

    I just taped a piece of cardboard to the front of my iPad and tried to close the Magic Keyboard... and it closed just fine. I suspect that this is a nonissue that's on its way to becoming the next something-gate. 
  • Zoom 5.0 update bolsters encryption, adds meeting security features

    anome said:
    Upping the security isn't that much of an improvement if it isn't end-to-end. The whole architecture of Zoom is basically a man-in-the-middle vulnerability.
    I keep seeing people decry its lack of end-to-end encryption. Their initial insistence that they provide it was stupid, as was how long they held on to that claim before eventually dropping it, but beyond that I do not understand the shortcoming. There is no video conference service that offers end-to-end encryption at scale for large, multipoint sessions. How could that possibly work? That's a genuine question, not rhetorical. I cannot fathom how multiple video sessions could be combined into a single session without a central server that decrypts the individual sessions, combines them, and then sends the combined stream to each participant. The alternative would be fully meshed connections of each endpoint to all the others, but that can't scale out. 
  • U.S. Senate, Google ban Zoom days after its launch of 'security council'

    dysamoria said:
    Can anyone explain to me how this previously utterly-unknown-to-me Zoom suddenly became the video conference product of choice before the current round of realizations about how shitty it is?
    They've been making waves for the past year or two. Other issues notwithstanding, the quality of the service, its ease of use, and its scalability are all well beyond what most competitors seem to be able to manage. I'm not endorsing them or defending them here, but that's really why they became the go-to choice for so many in recent weeks.