Comments URL: https://news.ycombinator.com/item?id=39925870

Points: 2

# Comments: 1

Comments URL: https://news.ycombinator.com/item?id=39802381

Points: 1

# Comments: 0

Comments URL: https://news.ycombinator.com/item?id=35905008

Points: 8

# Comments: 1

Comments URL: https://news.ycombinator.com/item?id=34805339

Points: 3

# Comments: 1

Golly gee, you sure got me there on that! Let's rephrase to "parts of the West", what impact does that have on the argument that Western powers engage in media censorship as well?

> I don't want to stun you too much, but the west is not some uniform block of countries.

LOL. You understand it is _literally_ called the "Western Bloc", right? https://en.wikipedia.org/wiki/Western_Bloc

That's great. The block is in the EU. Which is in...the West.

RT- Russia Today English

RT- Russia Today UK

RT - Russia Today Germany

RT - Russia Today France

RT- Russia Today Spanish

Sputnik’

Source: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L...

Or here's a mass media summary if you don't want to read the official documentation: https://www.reuters.com/world/europe/eu-bans-rt-sputnik-bann...

Take special note not just of the block, but of the anticircumvention provisions.

Totally not like how access to Russian news outlets has been blocked by parts of the West.

Apple has a list of requirements - https://developer.apple.com/programs/enterprise/ - for example, a company needs to have at least 100 employees. The issue, however, seems to be how stringently these requirements are enforced, or whether they are at all. In the case of Hermit, the Italian spyware company seems to have created a fake company and tricked Apple into granting the fake company access to the developer program. Now, the interesting question for me is whether the fake company actually managed to pass all of the requirements, like giving Apple a list of 100 fake employees, and whether Apple actually performed their due dilligence and checked whether the employee list was real, or whether they accepted it at face value, or didn't even require it.

In other words, I think a key takeaway from the latest incident is Apple needs to take accountability and harden their Enterprise program entry requirements, and I haven't seen anything about that being the case.

Yes, but still successful, as Hermit demonstrated. So my question is whether Lockdown mode would have prevented APTs like Hermit which it claims to prevent against. If not, then the move is security theater which doesn't address the actual flaws (like poor vetting into the Enterprise Program) being successfully leveraged in the wild.

I firstly don't believe this is true at all, plenty of high-level targets are not tech savvy; but more to the point of Lockdown mode, you could then say the same thing about most of its other features ("High-level targets are likely to already be aware of the dangers of doing $thing_Lockdown_prevents").

Are you sure that's true? I haven't seen a Hermit sample firsthand, but from everything I've read about it targets did not need to install an MDM profile, they simply needed to click a link. Looking at Apple's distribution guidelines - https://support.apple.com/en-bw/guide/deployment/depce7cefc4... - MDM is listed as one option, and simply going to a link is listed as another:

> There are two ways you can distribute proprietary in-house apps: > > Using MDM > > Using a website

It seems like the latter was used, so I don't think installation of a custom profile was required, which brings me back to my original question of whether Lockdown would have prevented it.

The list of lockdown features don't seem to explicitly list that in-house app sideloading is disabled - is it? If not, then this mode seems like security theater from Apple, in that it doesn't actually lock down the parts of the attack surface that are actively being leveraged. How about instead, or better yet alongside this, Apple explains how they granted entry in the Enterprise program to the spyware company, and what measures they're taking to prevent it from happening again.

Sure you could, you could rescind someone's diploma so that they no longer have the degree.

Yeah, I've never really understood this logic either. If someone lends money from me to, let's say go buy a tow truck, and then is not able to repay the loan because there are too many other folks with tow trucks (or for whatever other reason), why should that be my problem? I gave money with the expectation that it would be paid back. That is by definition what lending is, yet student loans are somehow touted as an exception where repayment shouldn't be seen as compulsory.