[saurik]

It is always interesting seeing comments like that and thinking "they must work for Apple, right?!", as I not only don't know of but even haven't heard of people in the external security research world who have much--if any--faith in Apple's Security Research Device Program... and so, lo and behold: Pavlo here, in fact, works for Apple on their Security Engineering & Architecture team; the whole thing is ridiculous :/.

https://twitter.com/benhawkes/status/1286021329246801921?s=2...

https://twitter.com/p0sixninja/status/1355953193738330114?s=...

https://twitter.com/axi0mx/status/1296988074212130816?s=21

https://twitter.com/thegrugq/status/1231395566459899904?s=21

If you want to do this kind of work without having to maintain a jailbroken phone (which is definitely annoying), I'd think the sane thing to do isn't to apply up for Apple's immoral-by-every-shade-of-hat Security Research Device program (which will probably reject you anyway): instead, consider signing up for Corellium, the iOS emulator service developed by ex-jailbreak people... the one that Apple first tried to buy and then (when they refused to pay very much) tried to sue out of existence (a tactic which, notably, failed).

https://www.washingtonpost.com/technology/2020/12/29/apple-c...

The downside of this is, of course, that you are now using a third-party hosted service for which you have to pay money for access, but it isn't like that Apple Security Research Device program comes with no attached costs, and their contractual restrictions are going to be way more frustrating than the similar practical issues from working with a remote system. That said, with the recent-ish advances in virtualized ARM, we are seeing more and more emulation of the iOS stack (starting at the lowest levels and working up), so--while I haven't myself tried any of these (including Corellium for longer than a demo... I have always worked with legitimately jailbroken devices)--people might be able to do some useful work locally using QEMU. (Here are a couple prior discussions of the current state of QEMU for this purpose.)

https://news.ycombinator.com/item?id=30545425

https://news.ycombinator.com/item?id=28551264

[dang]

Please don't cross into personal attack. The rest of your comment is fine but the first paragraph isn't.

https://news.ycombinator.com/newsguidelines.html

[saurik]

This isn't a "personal attack" as the complaint isn't personal. My comment isn't even about Pavlo himself: it is about the pattern of how it only seems like Apple employees ever talk up this program, and, "lo and behold", this is such an example. I don't pick at Pavlo for being a bad person, or even attack his comment: I complain about the immorality of the terms and mechanism of the program as well as the ridiculousness of how only Apple people defend it.

If my comment is a problem, then the extremely common comments from people on Hacker News complaining that someone is from Cloudflare or from Google--or from any number of cryptocurrency projects that seemingly the zeitgeist on Hacker News is always angry about--and are shilling some random project are also problematic; and yet, I don't believe I have ever seen you attempt to call people out about any of those: in fact, Hacker News seems to have a pretty clear "it is OK to shit on people who work on cryptocurrency projects" policy.

Meanwhile, Apple really shouldn't get any kind of defense, here: you know part of why Pavlo comes around obliquely commenting with no obvious mention anywhere (in comments, bio, etc.) that he's from Apple? I'll claim it isn't even (directly) his fault! Apple, the company, seems to have a policy against people identifying themselves on social media services so strong that if anyone gets attention--even if they are being helpful--it seems to land them in water hot enough that they have to sit around and wait to find out if they are being fired... such as the story of this poor employee on TikTok I've been following the last couple days:

https://www.tiktok.com/@/video/7131094900778503470

I think this is a shitty policy (whether explicit or implicit: the chilling effect is the same) that Apple has, and it isn't something we should be indirectly helping and supporting by claiming that anyone noting "this person is actually from Apple"--which seems to be the only thing I did, and which I do believe was important context for my comment--is a "personal attack". While I definitely believe that people who work for the large tech companies should be held accountable for the actions of those companies, none of my attacks today are personal: they are all against the explicitly-faceless corporate entity known as Apple.

[95014_refugee]

Possibly worth disclosing your own stake in this issue...

FWIW, Corellium was garbage. Can't speak for its current state, but not spending money on the tech - or the people - was the right call at the time.

[smoldesu]

I think the principles behind Corellium are good (can we build an iOS toolchain without Apple?) but everything I heard about the implementation was unfortunately also negative. I think it would be a lot easier to stand behind them if they separated their product and service offerings, maybe making the iOS bootstrapping code Open Source, but providing ARM instances with commercial support at-cost. In it's current state, though, I can't root for them any more than Oracle or Apple themselves.