[xoa]

I think you and notpushkin are perhaps missing some of the "economic" angles on this. It's not just about the what, it's about the how. High value targets are highly likely to be following decent practices and at least staying up to date on software. Which implies that cracking iMessage would require use of a 0-day, of which there are not an infinite number at any given time, and which Apple will immediately eliminate forever if they discover it. Part of the point of highly targeted careful attacks is to stretch those out, it's not just about keeping the target from knowing (though that's not irrelevant), it's also about future targets.

So as with a lot of matters in intelligence work it's subject to cost benefit calcs. If using it against a given target means they are incredibly unlikely to notice and it can then be used again and again, it doesn't take much target value for a government to deploy it which pushes towards more mass use. On the opposite end if using it means it will immediately become useless ever again, then the expected target value has to at least exceed the market cost (which itself will rise more quickly if 0-days are being consumed more quickly vs production), every time. In between is a spectrum of less or more use. Apple wants it as far towards "use it and lose it" as possible, but Trevor Perrin's argument makes sense here: even a relatively small increase in percentage of "use it and lose it" amongst the population could significantly change the mean weighted cost for threat actors.

If they could know for sure whether a given counter measure was deployed that'd reduce the cost again, but if they can't there is indeed a population benefit. It's like a mine field, there don't have to be that many mines scattered around to really hurt people's willingness to cross it!

[p-e-w]

> High value targets are highly likely to be following decent practices and at least staying up to date on software.

Not even close. The vast majority of journalists, lawyers, activists, even public figures, don't have the knowledge to secure their digital lives, don't have access to an expert to do it for them, and in many cases aren't even fully aware of the nature of the threat (beyond some vague idea along the lines of "I'm probably being monitored").

On top of that, it has been my experience that people who don't understand threat mechanics on a deeper level (such as active MITM attacks) quickly stop following whatever best practices they have been trained to adhere to (in this case, peer key verification), because those practices have no observable effect to them and without actually understanding what's going on, it's hard for them to see what the point is.

[xoa]

>Not even close. The vast majority of journalists, lawyers, activists, even public figures, don't have the knowledge to secure their digital lives, don't have access to an expert to do it for them, and in many cases aren't even fully aware of the nature of the threat (beyond some vague idea along the lines of "I'm probably being monitored").

Citation needed. Because everything I have ever seen is that iOS users almost all leave on autoupdate and the move to the latest version is the overwhelming majority, very rapidly. Seriously, look at adoption each time over the last 5 years on a site like statista [0] or wherever, or various ones aimed at developers. If you want to claim that people at higher risk aren't part of the 60-85% I'd honestly be curious to see your numbers. Note I said "decent" not "best" practices. Whatever its flaws, mixed incentives, and issues (which are real), Apple has expended significant effort in making the normal default paths provide an ok baseline security for regular people and discouraging leaving them. Which isn't even something a lot of HNers like! If anything, I'd be unsurprised if HN types to lag in some respects because we want more control and to do things outside the well trod path. I've jailbroken a lot, is that something most people do? No.

In this specific case, the minimum needed to avoid a zero-day exploit is (by definition) merely to always have the OS updated and all security patches applied while staying firmly within the walled garden. Which it's objectively clear the super majority of regular people do. If you just go with the default and let Apple update your device whenever Apple wants, then it's a truism that anything you get hit by is something Apple hasn't yet patched. And in turn anything that raises the population probability that the 0-day actually gets noticed and potentially reported raises the risk of using the 0-day. The whole point of this feature is that it'd let a normal person who doesn't necessarily understand threat mechanics go "huh, that's funny" and then maybe say so on their social media/blog/wherever, at which point if even one person who follows them (and we're talking journalists or other types with enough influence to get targeted by major threat actors right?) recognizes what's going on and says "quick call Apple/security researcher/tell HN" now it's out there.

>because those practices have no observable effect to them

Literally the entire point of this new feature is to create an observable effect of tampering. Kind of a weird statement in context.

----

0: https://www.statista.com/statistics/565270/apple-devices-ios...

[saagarjha]

Turning on automatic updates, while a great choice for the vast majority of iOS users, does not protect against sophisticated adversaries who use zero day exploits. The fact that everyone is already on the latest version (they’re not, because of phased rollout, but it’s not too relevant here) means that an exploit that has value targets latest iOS by default.

Opt-in additional protections, such as Lockdown Mode, which aren’t perfect but help are rarely enabled by those who need it, despite being marketed to people who are targeted. Part of this is that it’s opt-in, but part of it is that a lot of the people targeted aren’t journalists: they’re the spouses of political leaders, or random government leaders, who don’t have a good security posture nor do they have people managing their devices for them to create one.

Also, do note that just because someone appears to have tampered with a conversation doesn’t mean you’ve burned your 0-day: it provides no indication of how they did so.

[p-e-w]

> Because everything I have ever seen is that iOS users almost all leave on autoupdate and the move to the latest version is the overwhelming majority, very rapidly.

Outside of the US, Android's market share dwarfs iOS's. And most people's Android phones are from vendors that stop providing updates, including security updates, after 2 years or so. There are hundreds of millions, if not billions, of vulnerable Android phones out there.

> Literally the entire point of this new feature is to create an observable effect of tampering.

Which, since most connections aren't tampered with, isn't actually observable in practice for most people. So the next time they meet someone new, they might not even bother asking them to do key verification.