[lolc]

A lot of interesting stuff may become public from this.

1. Is Apple scared that backdoors will be found in Ios? It's much easier to find them in a virtual environment.

2. As the article mentions, there may be zerodays for Ios developed by Corellium. It would be great to know the extent of this.

3. We might learn more about current phone cracking capabilites in general. That may open a few eyes, including mine.

I'm currently just very happy to have learned that people are poking at Apple's walled garden. Watching from the sidelines, I will appreciate any and all punches in this conflict. When secretive organizations battle in court, collateral exposure may happen :-)

[NotSammyHagar]

It should be guaranteed at this point that there are zero days in both main cellphone platforms, apparently an endless number. They keep coming out, there is so much value in them commercially.

I want to push a view and wish it was more widespread in the software world that finding zero days and not reporting them responsibly (like time to fix by the vendor before publication) is unacceptable. The second part of this view is that it is immoral to work at a company where you find zero days and exploit them. Working at the companies that find these and end up selling them to dictatorial regimes, secret police, as well as to the Harvey Weinstein's of the world is wrong. As a software engineer in a western country I'm fortunate to have some choice in my employers, as many of us do. My choices have some reflection on my character - and like everyone else, I'm hardly perfect myself.

There are legal and illegal activities, and companies hide behind "we only sell to countries where it's legal". It's still immoral and wrong, and I don't want to work with immoral developers. Doing this kind of stuff is not the ultimate scarlet letter - but if you are working this field, please consider the impact of your actions.

[_bxg1]

Is this really a minority view? I got the sense that most people in tech feel this way

[threeseed]

You seem to have a very flippant attitude on this.

Backdoors in Android and iOS costs lives. There are many governments who today kidnap, torture and kill citizens and even non-citizens based on compromised phones e.g. Jamal Khashoggi.

And to have companies like Correlium enabling and profiting from this is utterly reprehensible. They aren't altruistic or making the world safer or being selective in who they sell their technology. They are simply the modern day equivalent of a shady arms dealer.

[_bxg1]

I wouldn't lump Correlium in with the companies that hoarde and sell actual vulnerabilities. Tools that allow people to find them go both ways: they can equally be used to exploit and to harden a system. It's unclear which direction Correlium favored, if either, but there's at least the potential that it could be used for good.

What Apple needs to do, IMO, is release their own version of this for free and set up a well-funded bug bounty program (lord knows they have the cash). When you have to buy the tool from a third-party, it seems like wealthy bad actors will be more likely to do so than people with good intents.

[lolc]

I'm not in the mood to go around preaching about the scum that is zeroday factories. Or the questionable ethics of selling opaque phones. I'm just happy the conflict has reached the court system which may shine a light on these practices. What would victims of state persecution gain from me not being happy about this? Why bring them into the discussion?

[kick]

Security by obscurity is no security at all, because any repressive government will already be shining a flashlight at it to try and find anything they can. Making it faster for security researchers to find vulnerabilities means that there are less people vulnerable.

[threeseed]

I am not advocating against this sort of technology at all.

I am against it being a product sold exclusively and secretly to enterprises and governments. The sort of entities who are not informing Apple and Google about vulnerabilities but instead using them for unethical and criminal means.

[zepto]

That depends on who the researchers are working for.

[Wowfunhappy]

One of your points restated with a small tweak:

> Is Apple scared that vulnerabilities will be found in iOS? It's much easier to find them in a virtual environment.

And this is exactly why I really hope Apple loses—if they win, it could have a chilling effect for years to come. We want it to be as easy as possible for security researchers to find vulnerabilities so they can be fixed.

iOS is the worst offender of this because it’s so incredibly locked down. Where are those special iPhones for security researchers? Checkm8 helps, although it can’t be used to inspect devices newer than the iPhone X.