
Here's an idea
Add time and financial motivation, he said, and you get more bugs.
How about paying people to find the bugs before release? I dunno, maybe put them together and call it a Test or QA department perhaps?
< looks for airborne pork >
Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won't pay anything for some iOS bugs due to an oversupply. "We will NOT be acquiring any new Apple iOS LPE [local privilege escalation], Safari RCE [remote code execution], or …
> How about paying people to find the bugs before release?
It's worth noting that not all exploits stem from bugs, quite often they come from finding different ways to use "good" code. This is why pen-testing is a separate discipline from both testing and QA. That said, there's no doubt that Apple's software management could and should be improved: less secrecy and some degree of peer reviewing would be possible. Maybe even their own Project Zero team?
Some features are broken by design. Bad design is not a bug.
Take 99% of website and GUI design. Someone *chose* for that button to be hidden under a box the same colour as the background, and put the menu popup of the text field over the question box so you don't know what field is being populated (or the Android keyboard covering the entire webpage so you cannot actually input text!): these are examples.
It's not a bug in the software, if the programmers/managers never actually added security. It's an omission!
Bugs traditionally refer to code not doing what it is supposed to do. For a simple example, consider a birthday calculator that does not take leap years into consideration: works well most of the time so not necessarily easy to spot.
Hacks are also known as exploits because they often exploit the side-effects of well-tested code doing what it should. This is very often related to permissions but also underlying flaws (memory, timing, etc.) and is difficult or almost impossible to avoid in a modern OS with internet connectivity and multimedia. We're learning all the time how to provide advanced features such as GPU acceleration for video chat without compromising the hardware.
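The leap-year birthday calculator mentioned above, as an added example in Python (not code from the original comment): a naive day-count that ignores leap days sits beside the correct one, and a helper scans forward to find the first date on which they disagree, which is what makes this class of bug "not necessarily easy to spot". The function names and the sample dates are this example's own.

```python
from datetime import date, timedelta

# Constructed example: the kind of "works most of the time" bug the comment
# describes. The naive version treats every year as 365 days and every
# February as 28 days, so it silently ignores leap days.
DAYS_IN_MONTH_NO_LEAP = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def _naive_ordinal(d: date) -> int:
    """Days since a fixed epoch, computed without any leap-year handling."""
    return d.year * 365 + sum(DAYS_IN_MONTH_NO_LEAP[: d.month - 1]) + d.day


def days_alive_naive(born: date, today: date) -> int:
    """Buggy: off by one for every 29 February between the two dates,
    and 29 Feb collapses onto the same ordinal as 1 Mar."""
    return _naive_ordinal(today) - _naive_ordinal(born)


def days_alive(born: date, today: date) -> int:
    """Correct: the standard library's date arithmetic knows the calendar."""
    return (today - born).days


def first_divergence(born: date, horizon_days: int):
    """Scan day by day from `born` and return (date, naive, correct) on the
    first day the two calculations disagree, or None if they agree for the
    whole horizon. Demonstrates why the bug survives ordinary testing."""
    for offset in range(horizon_days + 1):
        today = born + timedelta(days=offset)
        naive, correct = days_alive_naive(born, today), days_alive(born, today)
        if naive != correct:
            return today, naive, correct
    return None


if __name__ == "__main__":
    # Born 1 March 2019: both answers agree for a full year, then drift
    # on 1 March 2020 once 29 Feb 2020 has been skipped by the naive code.
    print(first_divergence(date(2019, 3, 1), 400))
    # Start on 1 March 2021 instead and no leap day is crossed within a year,
    # so a year of testing would never surface the defect.
    print(first_divergence(date(2021, 3, 1), 365))
    # 29 Feb and 1 Mar map to the same naive ordinal, giving a zero-day gap.
    print(days_alive_naive(date(2020, 2, 29), date(2020, 3, 1)),
          days_alive(date(2020, 2, 29), date(2020, 3, 1)))
```

The point of `first_divergence` is that a test suite run over a year that contains no 29 February passes cleanly; the defect only shows once the data crosses a leap day, which is exactly the "works well most of the time" property the comment describes.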
Security is hard, m'kay? It takes more than a bit of QA. More even than a lot of QA.
Apple does, mostly, a pretty good job of patching vulnerabilities when they hear about them. So does Microsoft, for that matter. And when that happens, both of them will do their best to push out the fix to as many users as possible (which puts them ahead of Linux or Android as far as regular users are concerned).
But nobody, not even Linux, can keep them from ever being released in the first place.
When you have a professional opinion stating that iOS security is fucked, with a list of breach types that are so common that bounty prices are in freefall, you're beyond the realm of "security is hard".
Yes, security is hard, especially if you don't give a shit about it.
No denying adhering to security practices is hard.
However, some exploit broker saying a specific popular OS's security has issues, especially when compared to said OS's track record, is something I just find hard to accept right away.
Maybe it's a sign of the paranoid times we live in, but I have to ask the question: does the exploit broker gain any monetary advantage by making such a statement?
Security tends to cause increased code size and lower performance - Spectre is a prime example. Another example might be the locating of display systems inside the kernel.
My beef with the vendors is that we could fix all this. We could have a "security boot" where we have proper security because we have a system where we prefer security over speed. We could also have a "games mode" where the security is traded for speed. With SSDs, rebooting is not the issue it used to be. Maybe we even run the high-security mode virtualised, because
These days, most business laptops have performance which exceeds requirements - we could have a boot flag which tunes the OS appropriately without impeding the user experience significantly. They won't do it though. It appears vendors have abandoned the desktop for the cloud.
Exactly, exactly. I'm reading these stories within minutes of each other and it confirms my belief that we need a proper operating system for phones. The current two big players are like Windows 3.x, a glitzy layer offering no protection between programs and everything running as the same "user". But then, I'm weird. I consider my phone to be fatally compromised at all times and consequently have never done internet banking on it and never will.
At least, not until someone does a Debian release for it, so that I could run the admittedly fun crapware in one account and the valuable stuff in another, knowing that they were separated by 60 years of experience in designing a securable OS, rather than a set of "permissions to access..." which are ill-defined to the end user and mostly chosen by the app designer anyway and therefore utterly useless.
Think Anon was either saying they think updraft102 and I are the same person and I'm using that account to defend my delicate ego, or that some weirdo hated my comment so much they used multiple accounts to down vote it... for 1) it's easy to click on the usernames and convince yourself we are not, for 2) I doubt it, but good... note the troll face icon!
> both decent operating systems when configured correctly.
Which is a bit like saying nitroglycerin is perfectly safe when handled correctly. Both statements are true, but you only get to hear about it when "human error" enters the equation.
> At least, not until someone does a Debian release for it,
You can get at least some form of Debian for Planet's offerings but it won't help you much in locking it down, because you'll make it more or less unusable as a "smartphone" if you do so. Dumb phones were easier to secure because they did less, but it's not as if they were immune to hacks.
Things might improve with hardware that can support the kind of microkernel and containers that should improve security. Though, in a sense, that just moves the goalposts because code does repeatedly break out of containers.
I'm curious now - what phone/platform do you use?
I actually consider the couple of banking apps (for the banks I use) as more secure on iOS as compared to the desktop Windows platform.
To the point where I actually use them exclusively on iOS now.
I wrote to Bill Gates in 1982 about bugs we found in their 8K ROM BASIC, that was licenced for use in the Tangerine Microtan 65 single board computer (which later became the Oric 1 computer). It is now 2020 and I am STILL waiting for a reply from him. Jeez, are these bugs never going to get fixed?!
Paul
I’ve come up with a few
Coronafuck replacing clusterfuck
Pancession for pandemic caused recession
And of course
Boris bike: current recipient of the PM's attentions.
Knocking shop: replacement for party conference, i.e. a gathering of folks that are easily bought.
Please blame all of the above on Pancession depression