More reports of iOS security flaws are circulating so let us now turn to the staid analysis of the Forbes contributor network and unicycle refurbishing plant.
Zak Doffman says “New Apple Security Blow: If You Have An iPhone, Look Away Now.” (Tip o’ the antlers to Nick, Don and @designheretic.)
If The Macalope had an iPhone, and he’s not saying whether he does or doesn’t, shouldn’t he look to see what this all about? And, really, with the sensationalism shooting out of the Forbes contributor network and bouncy house demolition experts on a daily basis like fetid, meat-based confetti out of a steampunk canon, telling people to look away seems to be rather disingenuous.
After a dreadful April, here we are in May…
Feeling that, just not necessarily about Apple in particular.
…with yet another security blow for the hundreds of millions of iOS users around the world.
There was one before, see. You might have missed it because you aren’t someone anyone is going to pay a million dollars to infiltrate.
And this time, it’s more than just an overblown exploit that can be downplayed, this time it’s confirmation that a glut of new security exploits are targeting iOS users.
This phrasing would have you think that the exploits have some kind of agency and possibly even the ability to think on their own. As far as The Macalope knows, there are no sentient iOS exploits in the wild. As a matter of fact, there are no known exploits of these vulnerabilities in the wild at all. That’s kind of the point of selling them.
What’s happened is that Zerodium, a company that buys exploits to sell to law enforcement and governments, has said that it currently has enough iOS exploits and will not be buying any more for the next two to three months.
Now, this is not good, of course. This is bad because it seems to indicate there are a lot. But is it something average users should be worrying about? No. This is a company that pays between $100,000 and $2 million for vulnerabilities that are high-risk. If you’re the kind of person someone would pay $100,000 to get access to your phone then, yeah, you should worry about it.
But the rest of us? We’ve got real stuff to worry about.
Exploits are valued based on their scarcity.
Much like… almost everything.
There was some pushback on Zerodium’s decision to make this proclamation—even suggestions it was a marketing ploy from Intel’s Ryan Naraine. But, in reality, there’s little point in Zerodium discouraging hackers from pushing exploits in its direction if there is a market.
“There is little point in marketing.” That seems objectively not correct. The Macalope doesn’t dispute their claim to have enough product. It seems like maybe what they need is more demand.
It’s worth noting here that Doffman himself runs a security consulting firm. Just, you know, for no reason.
“Feral Cats Are A Real Problem That More People Should Be Talking About, Says Man Who Gets Paid To Talk About Feral Cats.”
We don’t know anything about these vulnerabilities. Some of them may require physical access to the device (Zerodium buys all kinds). As Glenn Fleishman previously noted on TidBITS, some of these kinds of vulnerabilities are expensive to exploit. So, after firms like Zerodium pay a lot to acquire them, someone has to pay more to use them, meaning they’re only ever going to be used on high-profile targets. This is bad news for members of dissident groups, criminals, extremely wealthy people and politicians.
Is that you? It’s not The Macalope.
Well, maybe the first one. If we ever get organized. But Todd can't even make the Tuesday night wine spritzer social on Zoom.
Get it together, Todd.