On 2024-07-07 15:06, Wolf Greenblatt wrote:
> On Sun, 7 Jul 2024 07:37:29 -0400, Alan Browne wrote:
>
>>> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
>>
>> You have 0 understanding of 3rd party toolchains and 3rd party code bases.
>
> Probably very true. All I know is researchers found a flaw in millions of
> mac/iOS apps and Apple didn't find that same flaw even after a decade.

Yes - you're proving how true it is that you don't know what the problem is.
For a given app submitted to Apple (binary and support files), there is
no telling what source files went into making the app. Apple really
can't tell.

Here is a number. It's 100 digits long. It could be a mix of machine
code and data expressed as base 10 digits.

6124816765405824154273973455473462816599900876296600712135840780870545082239373781728016373150924503

Now - I used 4 different algorithms and 4 different programming
languages on 2 different processors and 3 different operating systems to
generate 4 different segments of that (different length segments too).

Apple Si Mac - Max OS Pascal
intel i7 Mac - Mac OS, Windows, Linux. FORTRAN, C and Python

Given the above:

Can you tell me which algorithms? Which sequences of digits? From
which processor? Which OS? Of course you can't. Nor can Apple figure
out what source code generated binary unless they have the source code
(they don't - it's 3rd party).

But Apple -could- scan the compiled code for indications of malicious
code that they look at as part of screening apps for the App store.

And didn't find anything (AFAWK).

And finally, there are no indications that this 3rd party vulnerability
was ever exploited (probably because it is such an oddball backdoor that
nobody noticed it).

Not sure if that helps you but do get the notion that Apple cannot
detect what 3rd party source code was used in a 3rd party tool.

> Shouldn't Apple care that millions of mac/iOS apps are vulnerable?

They certainly do. But they can't protect you from the monster under
your bed either.

>
> The reports say that essentially every Apple owner is affected.
> So why wouldn't Apple care to do what researchers did, only 10 years ago?

This was only identified recently - and again - not something that Apple
would have been able to detect absent _actual_ malicious code being in
there (and even then, if it's novel then have to wait for it to
'express' in the market before it's fingerprinted for the future.

Done.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On 2024-07-07 16:37, Silvano wrote:
> Jolly Roger hat am 07.07.2024 um 15:30 geschrieben:
>>> They found a flaw in one of the TOOLS developers USED to create
>>> millions of apps.
>>
>> They also stated there is no direct evidence of any of these
>> vulnerabilities being exploited in the wild.
>
> I think you made that up because the news said there are numerous exploits.
> Not only was it exploited but it shows the ecosystem is riddled with holes.

What specific app got through. Cite with link.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

Jolly Roger wrote on 7 Jul 2024 02:01:51 GMT :

> Did you just try to blame Apple for third party package managers?

Given how primitive the Apple ecosystem has recently been shown to be...

Let me see if I understand why you rather ignorant religious
fundamentalists Apple nutjobs completely excuse Apple for this shockingly
huge security hole, Jolly Roger, which has existed for a very long time,
even as Apple only touts safety and security - Apple never tests for it.

To wit...
1. You likely understand that this hole has existed for a decade.
2. You perhaps realize Apple did not find it - security researchers did.
3. You even maybe realize that three million apps are said to be exposed.
4. You may realize one of the three CVE's allows complete & full control.
5. You may realize that essentially every single Apple owner is exposed.
6. You may even understand that's billions of exposed Apple devices.
7. And you may be aware that estimates are that it's three million apps.
8. Every single one of which is installed ONLY on Apple devices alone.
9. Meaning it's purely the Apple ecosystem which allowed this to happen.

Given all those facts above, you then excuse Apple as you say that Apple
should tout this imaginary safety and security that, you say, Apple doesn't
even bother to test for (which they could have done, since others did it)?

You're fine with this primitive ecosystem being touted as safe & secure,
when it's not (and worse, you say Apple shouldn't even care to test it)?

Really?

On 2024-07-07, Silvano <Silvano@noncisonopernessuno.it> wrote:
> Jolly Roger hat am 07.07.2024 um 15:30 geschrieben:
>>>
>>> They found a flaw in one of the TOOLS developers USED to create
>>> millions of apps.
>>
>> They also stated there is no direct evidence of any of these
>> vulnerabilities being exploited in the wild.
>
> I think you made that up

Then you didn't read the article.

> the news said there are numerous exploits.

The news said there are three vulnerabilities, all of which are patched,
and that there is no direct evidence of any of these vulnerabilities
being exploited in the wild.

> Not only was it exploited

That's a lie, little Arlen.

> it shows the ecosystem is riddled with holes.

No, it shows a package manager had three vulnerabilities which have been
patched.

You desperately want to make more of this than there is, little Arlen,
because: troll.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

Jolly Roger wrote on 8 Jul 2024 00:13:40 GMT :

> Then you didn't read the article.

https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection

What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
modify any of three million iOS/macOS apps at will - whenever they want?

For ten years!

Alan Browne wrote on Sun, 7 Jul 2024 07:38:54 -0400 :

> As explained:
> 1. 3rd party tool/code base.
> 2. Did any malicious code get released this way? (to trigger Apple's
> malicious code detection).

https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection

What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
modify any of three million iOS/macOS apps at will - whenever they want?

For ten years!

Wolf Greenblatt <wolf@greenblatt.net> wrote:
> On Sun, 7 Jul 2024 07:37:29 -0400, Alan Browne wrote:
>
>>> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
>>
>> You have 0 understanding of 3rd party toolchains and 3rd party code bases.
>
> Probably very true. All I know is researchers found a flaw in millions of
> mac/iOS apps and Apple didn't find that same flaw even after a decade.

The point that's being missed is that no-one else spotted it either.
Despite existing for so long it was never exploited.

This was specifically an error on the side of the people managing the
CocoaPods library. They should not have left orphan accounts open
indefinitely.

> Shouldn't Apple care that millions of mac/iOS apps are vulnerable?

*were* vulnerable. It was fixed last year. It has only been reported
recently for obvious reasons.

> The reports say that essentially every Apple owner is affected.

*was* (theoretically) affected. No-one was actually affected.

> So why wouldn't Apple care to do what researchers did, only 10 years ago?

They do care, but the software ecosystem is very complex and Apple cannot
monitor every third party system developers around the world use.

Your can guarantee they have been looking at this very carefully to see
what they can learn. Obviously being a secretive company we'll never know
what they've changed in response.

On 2024-07-08, Andrew <andrew@spam.net> wrote:
> Jolly Roger wrote on 7 Jul 2024 02:01:51 GMT :
>
>> Did you just try to blame Apple for third party package managers?
>
> Given how primitive the Apple ecosystem has recently been shown to be...

Just as "primitive" as all of them:

https://www.itweb.co.za/article/open-source-vulnerabilities-remain-unpatched-for-decades/wbrpO7gPwGdMDLZn

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On 2024-07-07 19:32, Andrew wrote:
> Jolly Roger wrote on 7 Jul 2024 02:01:51 GMT :
>
>> Did you just try to blame Apple for third party package managers?
>
> Given how primitive the Apple ecosystem has recently been shown to be...
>
> Let me see if I understand why you rather ignorant religious
> fundamentalists Apple nutjobs completely excuse Apple for this shockingly
> huge security hole, Jolly Roger, which has existed for a very long time,
> even as Apple only touts safety and security - Apple never tests for it.
>
> To wit...
> 1. You likely understand that this hole has existed for a decade.

In an open source tool for which Apple played no role.

> 2. You perhaps realize Apple did not find it - security researchers did.

Is Apple the world's software police now?

> 3. You even maybe realize that three million apps are said to be exposed.

Interesting construction: "are said to be".

> 4. You may realize one of the three CVE's allows complete & full control.

Cite, please!

> 5. You may realize that essentially every single Apple owner is exposed.

Nope. I don't realize that... ....because no one has shown that to be
the case..

> 6. You may even understand that's billions of exposed Apple devices.

Same comment.

> 7. And you may be aware that estimates are that it's three million apps.

Really? Where's that from?

> 8. Every single one of which is installed ONLY on Apple devices alone.

Which is irrelevant to the actual question of how many "Pods" that are
unclaimed are used in actual apps.

> 9. Meaning it's purely the Apple ecosystem which allowed this to happen.

Ummmmmm... you sure about that?

No other development environment uses dependency management tools?

>
> Given all those facts above, you then excuse Apple as you say that Apple
> should tout this imaginary safety and security that, you say, Apple doesn't
> even bother to test for (which they could have done, since others did it)?
>
> You're fine with this primitive ecosystem being touted as safe & secure,
> when it's not (and worse, you say Apple shouldn't even care to test it)?
>
> Really?

Jolly Roger wrote on 8 Jul 2024 14:59:27 GMT :

>>> Did you just try to blame Apple for third party package managers?
>>
>> Given how primitive the Apple ecosystem has recently been shown to be...
>
> Just as "primitive" as all of them:

It's no longer shocking you are completely unaware that cocoa pods isn't
used in Windows or Linux, Jolly Roger, and the fact you claim it is shows
how blissfully ignorant you strange Apple religious nutcase zealots are.

On 2024-07-08 13:51, Andrew wrote:
> Jolly Roger wrote on 8 Jul 2024 14:59:27 GMT :
>
>>>> Did you just try to blame Apple for third party package managers?
>>>
>>> Given how primitive the Apple ecosystem has recently been shown to be...
>>
>> Just as "primitive" as all of them:
>
> It's no longer shocking you are completely unaware that cocoa pods isn't
> used in Windows or Linux, Jolly Roger, and the fact you claim it is shows
> how blissfully ignorant you strange Apple religious nutcase zealots are.

<https://vcpkg.io/en/>

On 2024-07-08, Andrew <andrew@spam.net> wrote:
> Jolly Roger wrote on 8 Jul 2024 00:13:40 GMT :
>
>> Then you didn't read the article.
>
> https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection
>
> What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
> modify any of three million iOS/macOS apps at will - whenever they
> want?
>
> For ten years!

All of them:

https://www.itweb.co.za/article/open-source-vulnerabilities-remain-unpatched-for-decades/wbrpO7gPwGdMDLZn

The only reason you are desperately trying to paint this as an
Apple-only problem is your irrational hatred of the company and its
users. You're pathetic, little Arlen.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On 2024-07-08, Andrew <andrew@spam.net> wrote:
> Alan Browne wrote on Sun, 7 Jul 2024 07:38:54 -0400 :
>
>> As explained:
>> 1. 3rd party tool/code base.
>> 2. Did any malicious code get released this way? (to trigger Apple's
>> malicious code detection).
>
> https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection
>
> What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
> modify any of three million iOS/macOS apps at will - whenever they want?
>
> For ten years!

All of them:

https://www.itweb.co.za/article/open-source-vulnerabilities-remain-unpatched-for-decades/wbrpO7gPwGdMDLZn

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On Mon, 8 Jul 2024 08:06:48 -0000 (UTC), Chris wrote:

>> Probably very true. All I know is researchers found a flaw in millions of
>> mac/iOS apps and Apple didn't find that same flaw even after a decade.
>
> The point that's being missed is that no-one else spotted it either.
> Despite existing for so long it was never exploited.

Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't
even care to think about backing up their own claims of safety & security.

> This was specifically an error on the side of the people managing the
> CocoaPods library. They should not have left orphan accounts open
> indefinitely.

It's worse than that because ANYONE (yes, even you and me) could have
injected code into those apps for a decade without Apple caring about it.

>
>> Shouldn't Apple care that millions of mac/iOS apps are vulnerable?
>
> *were* vulnerable. It was fixed last year. It has only been reported
> recently for obvious reasons.

It was fixed but Apple didn't even know about it until someone told them
that anyone (yes, even you and me) could have injected code into any of
three million macOS/iOS apps for over a decade because Apple didn't care.

>
>> The reports say that essentially every Apple owner is affected.
>
> *was* (theoretically) affected. No-one was actually affected.

Apple doesn't care that anyone (yes, you and me included) could have
injected code into three million iOS/macOS apps which is why it's obvious
that Apple doesn't care about safety and security in their own ecosystem.

>
>> So why wouldn't Apple care to do what researchers did, only 10 years ago?
>
> They do care, but the software ecosystem is very complex and Apple cannot
> monitor every third party system developers around the world use.

If researchers found it, so could have Apple. Apple didn't even care.

If Apple actually cared about the safety & security of their ecosystem,
they would have found these holes in 3 million apps a decade ago.

>
> Your can guarantee they have been looking at this very carefully to see
> what they can learn.

It's obvious from what happened that Apple doesn't care about the safety
and security of the Apple ecosystem because if they did, this wouldn't have
happened.

> Obviously being a secretive company we'll never know
> what they've changed in response.

Apple only wants to advertise about safety & security they don't even test.

Jolly Roger wrote on 8 Jul 2024 14:57:56 GMT :

>> https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection
>>
>> What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
>> modify any of three million iOS/macOS apps at will - whenever they want?
>>
>> For ten years!
>
> All of them:

It's no longer shocking you nutjobs are completely unaware that cocoapods
isn't used in Windows or Linux, Jolly Roger & the fact you claim it is
shows how blissfully ignorant you strange Apple religious zealots are.

On 2024-07-08 14:04, Andrew wrote:
> Jolly Roger wrote on 8 Jul 2024 14:57:56 GMT :
>
>>> https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection
>>>
>>> What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
>>> modify any of three million iOS/macOS apps at will - whenever they want?
>>>
>>> For ten years!
>>
>> All of them:
>
> It's no longer shocking you nutjobs are completely unaware that cocoapods
> isn't used in Windows or Linux,

And you think that there are no open source dependency managers for
Windows or Linux, Arlen?

Oh, what a naive fool you are.

On 2024-07-08 13:58, Wolf Greenblatt wrote:
> On Mon, 8 Jul 2024 08:06:48 -0000 (UTC), Chris wrote:
>
>>> Probably very true. All I know is researchers found a flaw in millions of
>>> mac/iOS apps and Apple didn't find that same flaw even after a decade.
>>
>> The point that's being missed is that no-one else spotted it either.
>> Despite existing for so long it was never exploited.
>
> Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't
> even care to think about backing up their own claims of safety & security.

Ummmm... ...no.

1. You need to show that "three million" iOS/macOS apps" actually USED
CocoaPods.

2. You need to show how many of those made use of the "Pods" that had
been orphaned.

>
>> This was specifically an error on the side of the people managing the
>> CocoaPods library. They should not have left orphan accounts open
>> indefinitely.
>
> It's worse than that because ANYONE (yes, even you and me) could have
> injected code into those apps for a decade without Apple caring about it.

Nope. You couldn't inject code into any app that didn't use one of the
orphaned "Pods".

>
>>
>>> Shouldn't Apple care that millions of mac/iOS apps are vulnerable?
>>
>> *were* vulnerable. It was fixed last year. It has only been reported
>> recently for obvious reasons.
>
> It was fixed but Apple didn't even know about it until someone told them
> that anyone (yes, even you and me) could have injected code into any of
> three million macOS/iOS apps for over a decade because Apple didn't care.

Still stuck on repeating things you know you can't know are true.

Normal, sane people call that "lying".

On 08/07/2024 21:58, Wolf Greenblatt wrote:
> On Mon, 8 Jul 2024 08:06:48 -0000 (UTC), Chris wrote:
>
>>> Probably very true. All I know is researchers found a flaw in millions of
>>> mac/iOS apps and Apple didn't find that same flaw even after a decade.
>>
>> The point that's being missed is that no-one else spotted it either.
>> Despite existing for so long it was never exploited.
>
> Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't
> even care to think about backing up their own claims of safety & security.
>
>> This was specifically an error on the side of the people managing the
>> CocoaPods library. They should not have left orphan accounts open
>> indefinitely.
>
> It's worse than that because ANYONE (yes, even you and me) could have
> injected code into those apps for a decade without Apple caring about it.

You could say the same about any currently unknown, but existing,
vulnerability available in any software. Do Google, Microsoft, etc also
not care about those?

Doesn't the fact that it was there undiscovered for ten years tell you
that it was far from trivial.

>>
>>> Shouldn't Apple care that millions of mac/iOS apps are vulnerable?
>>
>> *were* vulnerable. It was fixed last year. It has only been reported
>> recently for obvious reasons.
>
> It was fixed but Apple didn't even know about it until someone told them
> that anyone (yes, even you and me) could have injected code into any of
> three million macOS/iOS apps for over a decade because Apple didn't care.

Apple didn't know because 1) it wasn't their software, 2) NO ONE knew.

You're using the benefit of hindsight to claim that something was easy
to do.

Why don't you pick a commonly used library in Windows development and
see how far you get in injecting code into the Microsoft App Store?
Please keep us up to date on progress.

On 2024-07-08 16:58, Wolf Greenblatt wrote:
> On Mon, 8 Jul 2024 08:06:48 -0000 (UTC), Chris wrote:
>
>>> Probably very true. All I know is researchers found a flaw in millions of
>>> mac/iOS apps and Apple didn't find that same flaw even after a decade.
>>
>> The point that's being missed is that no-one else spotted it either.
>> Despite existing for so long it was never exploited.
>
> Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't
> even care to think about backing up their own claims of safety & security.

I and others have made clear that this is not in Apple's court, and you
have admitted that you don't understand 3rd party toolchains and code
source, but you keep banging the same drum.

> Apple only wants to advertise about safety & security they don't even test.

They certainly do test. And what is appearing to be likely is that the
cited orphaned s/w, fantasized as being hijacked and converted to
malicious code never happened.

'cause had it happened, Apple's detection at the App Store would have
triggered on all but the most novel attacks.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On 2024-07-08 20:29, Alan wrote:

> And you think that there are no open source dependency managers for
> Windows or Linux, Arlen?
>
> Oh, what a naive fool you are.

Nothing wrong with naïve. Being a fool is incurable though.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On Tue, 9 Jul 2024 08:07:20 -0400, Alan Browne wrote:

>> Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't
>> even care to think about backing up their own claims of safety & security.
>
> I and others have made clear that this is not in Apple's court, and you
> have admitted that you don't understand 3rd party toolchains and code
> source, but you keep banging the same drum.

While it's clear I don't understand how Apple could have allowed this hole
in their ecosystem to exist for a decade, what I do very clearly understand
is that Apple's safe & secure ecosystem claims are shown to be unsupported.

Why does Apple say their system is safe & secure when obviously it's not?

On Tue, 9 Jul 2024 11:56:44 +0100, Chris wrote:

> You could say the same about any currently unknown, but existing,
> vulnerability available in any software. Do Google, Microsoft, etc also
> not care about those?

Apple loudly advertises their ecosystem is safe & secure, not Microsoft.
Why does Apple say their system is safe & secure when obviously it's not?

On 2024-07-09, Wolf Greenblatt <wolf@greenblatt.net> wrote:
> On Tue, 9 Jul 2024 11:56:44 +0100, Chris wrote:
>
>> You could say the same about any currently unknown, but existing,
>> vulnerability available in any software. Do Google, Microsoft, etc
>> also not care about those?
>
> Apple loudly advertises their ecosystem is safe & secure, not
> Microsoft.

Bullshit, little Arlen: --- Windows security that doesn't stop.

Before you even start up, Windows 11 is on guard. Cutting-edge hardware
and innovative software work in tandem to help keep your identiy,
information, and apps secure*.

* For supported devices with latest security updates installed.
---
<https://www.microsoft.com/en-us/windows/comprehensive-security>

> Why does Apple say their system is safe & secure when obviously it's
> not?

Why does little Arlen claim Apple's ecosystem isn't safe while ignoring
that vulnerabilities are allowed to exist for decades in other
platforms?

<https://www.itweb.co.za/article/open-source-vulnerabilities-remain-unpatched-for-decades/wbrpO7gPwGdMDLZn>

Because: troll. 🤡

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On 2024-07-09 06:29, Wolf Greenblatt wrote:
> On Tue, 9 Jul 2024 11:56:44 +0100, Chris wrote:
>
>> You could say the same about any currently unknown, but existing,
>> vulnerability available in any software. Do Google, Microsoft, etc also
>> not care about those?
>
> Apple loudly advertises their ecosystem is safe & secure, not Microsoft.
> Why does Apple say their system is safe & secure when obviously it's not?

"safe" doesn't mean "perfectly safe".

Etc.

On 2024-07-09 06:26, Wolf Greenblatt wrote:
> On Tue, 9 Jul 2024 08:07:20 -0400, Alan Browne wrote:
>
>>> Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't
>>> even care to think about backing up their own claims of safety & security.
>>
>> I and others have made clear that this is not in Apple's court, and you
>> have admitted that you don't understand 3rd party toolchains and code
>> source, but you keep banging the same drum.
>
> While it's clear I don't understand how Apple could have allowed this hole
> in their ecosystem to exist for a decade, what I do very clearly understand
> is that Apple's safe & secure ecosystem claims are shown to be unsupported.

It wasn't a hole in "their ecosystem", doofus.

This was something OUTSIDE Apple's ecosystem; a third-party tool used by
developers before their software was ever submitted to Apple.

>
> Why does Apple say their system is safe & secure when obviously it's not?