
Really, a marketing piece on their own website where they make an extraordinary claim that they can protect against the “most sophisticated digital threats” without any evidence supporting their claim at all, let alone the extraordinary evidence required to actually support such a claim that is generally viewed as impossible by most technically competent individuals, cements their leadership in the security space?

It would make much more sense to look at their actual, independently validated security certifications that they advertise:

https://support.apple.com/guide/sccc/security-certifications...

https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...

https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...

Where they have only managed to achieve the absolute lowest levels of security.

Like, look at that last one, their security validation functionally consists of typing “public unpatched ios vulnerabilities” into Google and certifying that nothing comes up. It is utterly preposterous to claim they have any security expertise against highly skilled attackers at all when that is the limit of their advertised certifications. If they actually want to demonstrate security leadership, they should certify against the highest level, AVA_VAN.5, which actually verifies protection against HIGH attack potential threats instead of the lowest level, AVA_VAN.1, which only verifies protection against BASIC attack potential threats.



My favorite part of Hacker News is when commenters just lazily make the same comments again a couple months later, without taking into account people’s replies to them, and hope nobody will notice: https://news.ycombinator.com/item?id=32007917. Seriously though, this is pretty much the textbook definition of bad faith, so don’t do it.


Their lack of any independent audits of their claims continues to be relevant.

Please point to a single third party who is competent to evaluate if they can actually protect against the “most sophisticated digital threats” that has actually supported Apple’s claims.

Valid third parties include, but are not limited to, any national security agency or premier hacking organization with hundreds of members (i.e. actual “most sophisticated digital threats”) declaring it can protect against them, any individual or organization who has designed and implemented such a system in the past agreeing Apple has created such a system, or any certification body who has reliably certified such systems with low rates of false positives such as the Common Criteria.

Invalid support includes, but is not limited to, certification bodies that give Windows their highest security rating, marketing articles, individual hackers of no particular renown, and claims of it being “better” or “harder” without even being able to quantify where in a multiple order of magnitude range it lies.


My problem is that I can pretty much paste my response word-for-word and it still applies just as well here, which really means you haven't updated your take to account for it at all. That's just not interesting.

That said, it's still a new feature. I'm sorry I don't have the NSA spokesperson here to say that they are going to pack it up and go home now because iPhones are unhackable, since that's the only thing you are willing to accept. To be entirely honest I am not even willing to hide my disdain for the certification you've repeatedly brought up at this point beyond it being a set of good practices. Like, the Titan M2 chip was assessed at AVA_VAN.5 and it got exploited last month because it was written in a bunch of C and deployed without layout randomization or attempts at CFI. I trust the words of hackers (of particular renown, mind you!) and their analysis of how strong the mitigations actually are over some certification person just looking at the system and trying to take a guess as to how it'd hold out.


I do not require an NSA spokesperson, I just need any organization with technical merit comparable to the "most sophisticated digital threats" or who have actual practical knowledge of how to defeat such threats to actually weigh in on the claims; otherwise I do not see how their claims have any support, as they are supported by neither the stated adversary nor anybody who has demonstrated such defensive abilities previously.

I did not previously know that the Titan M2 chip was assessed at AVA_VAN.5, but I do not see how the chip itself being certified against physical attacks is relevant to the security properties of the Security IC Embedded Software which is explicitly out of scope and is uncertified at any level. To support my claim that it is a certification of the hardware, not the software:

Here we see the certificate: https://www.tuv-nederland.nl/assets/files/cerfiticaten/2021/...

This conforms to the Security IC Platform Protection Profile with Augmentation.

Here we see the actual security target: https://www.tuv-nederland.nl/assets/files/cerfiticaten/2021/...

This is consistent with the Security IC Platform Protection Profile with no material changes.

Here we see the Security IC Platform Protection Profile definition: https://www.commoncriteriaportal.org/files/ppfiles/pp0084b_p...

On Page 7, Section 1.2.2, Statement 9, we see that Security IC Embedded Software is all software running on the chip (i.e. non-firmware). Security IC Embedded Software, which is what we would consider to be the Titan codebase that was attacked, is explicitly called out as not part of the Target of Evaluation (TOE).

On Page 22, Section 3.2, Statement 70, we see that the threats specified are physical, electrical, and hardware attacks. On Page 25, Section 3.2, Standard Threats, Statements 82-87, we further confirm that the enumerated threats are physical and related to the hardware itself, not the software.

On Page 30, Section 3.4, Assumptions, Statement 99, we see an assumption required for correct operation of the composite TOE (hardware + software) is that the Security IC Embedded Software correctly protects user data. As this is an assumption, this is not an evaluated claim and is assumed to be true for the purposes of evaluation and is thus out of scope.

So, to reiterate, I do not see how a software attack on uncertified code in the Titan M2 chip proves the certification evaluates software incorrectly given that the software was out of scope of the certification in the first place and thus no claims of its quality are asserted as part of the certification that the Titan M2 chip received. That is like complaining that waterproofing standards for phones are garbage because they do not tell you how fire resistant a phone is. If anything, it supports my statement since the uncertified code was defeated.


Who says an auditor is to be trusted?


Trust in this context is obviously not 1 or 0 but a sliding scale and some organizations are higher on that scale than others based on past conduct, as the previous poster pointed out at length.

If you don't trust anyone but yourself, you'll have to do the audit yourself. How do you suggest doing that? An auditor with a good track record seems like the most trustworthy practically feasible alternative to me.


I don’t think your feasible alternative is assessing the massively skewed information asymmetry at play.

Given you are the most successful computer company on the planet, and the entire planet is connected by your products within two degrees of separation in a network; then the only thing you gain is a loss as any auditor is in a position of being unmatched in every category at best and at worst is an active agent who will dissipate information increasing vulnerability and attack surface.

Bug bounties work well to solve this, and that’s how it’s done.


Is my browser broken and not displaying some comments I should see? The only response I see there is basically "let's wait and see for Apple to provide more details and/or involve third party researchers", which Apple seems to have not done at all in the last 70 days?


The comment has been downvoted so it might be invisible to you unless you have showdead enabled.

