by p-e-w 913 days ago
> High value targets are highly likely to be following decent practices and at least staying up to date on software.

Not even close. The vast majority of journalists, lawyers, activists, even public figures, don't have the knowledge to secure their digital lives, don't have access to an expert to do it for them, and in many cases aren't even fully aware of the nature of the threat (beyond some vague idea along the lines of "I'm probably being monitored").

On top of that, it has been my experience that people who don't understand threat mechanics on a deeper level (such as active MITM attacks) quickly stop following whatever best practices they have been trained to adhere to (in this case, peer key verification), because those practices have no observable effect to them and without actually understanding what's going on, it's hard for them to see what the point is.


> Not even close. The vast majority of journalists, lawyers, activists, even public figures, don't have the knowledge to secure their digital lives, don't have access to an expert to do it for them, and in many cases aren't even fully aware of the nature of the threat (beyond some vague idea along the lines of "I'm probably being monitored").

Citation needed. Because everything I have ever seen is that iOS users almost all leave on autoupdate and the move to the latest version is the overwhelming majority, very rapidly. Seriously, look at adoption each time over the last 5 years on a site like Statista [0] or wherever, or various ones aimed at developers. If you want to claim that people at higher risk aren't part of the 60-85% I'd honestly be curious to see your numbers. Note I said "decent" not "best" practices. Whatever its flaws, mixed incentives, and issues (which are real), Apple has expended significant effort in making the normal default paths provide an ok baseline security for regular people and discouraging leaving them. Which isn't even something a lot of HNers like! If anything, I'd be unsurprised if HN types lag in some respects because we want more control and to do things outside the well-trod path. I've jailbroken a lot, is that something most people do? No.

In this specific case, the minimum needed to avoid a zero-day exploit is (by definition) merely to always have the OS updated and all security patches applied while staying firmly within the walled garden. Which it's objectively clear the supermajority of regular people do. If you just go with the default and let Apple update your device whenever Apple wants, then it's a truism that anything you get hit by is something Apple hasn't yet patched. And in turn anything that raises the population probability that the 0-day actually gets noticed and potentially reported raises the risk of using the 0-day. The whole point of this feature is that it'd let a normal person who doesn't necessarily understand threat mechanics go "huh, that's funny" and then maybe say so on their social media/blog/wherever, at which point if even one person who follows them (and we're talking journalists or other types with enough influence to get targeted by major threat actors, right?) recognizes what's going on and says "quick call Apple/security researcher/tell HN" now it's out there.

> because those practices have no observable effect to them

Literally the entire point of this new feature is to create an observable effect of tampering. Kind of a weird statement in context.

----

0: https://www.statista.com/statistics/565270/apple-devices-ios...

Turning on automatic updates, while a great choice for the vast majority of iOS users, does not protect against sophisticated adversaries who use zero-day exploits. The fact that everyone is already on the latest version (they’re not, because of phased rollout, but it’s not too relevant here) means that an exploit that has value targets the latest iOS by default.

Opt-in additional protections, such as Lockdown Mode, which aren’t perfect but help, are rarely enabled by those who need them, despite being marketed to people who are targeted. Part of this is that it’s opt-in, but part of it is that a lot of the people targeted aren’t journalists: they’re the spouses of political leaders, or random government leaders, who don’t have a good security posture, nor do they have people managing their devices for them to create one.

Also, do note that just because someone appears to have tampered with a conversation doesn’t mean you’ve burned your 0-day: it provides no indication of how they did so.

> Because everything I have ever seen is that iOS users almost all leave on autoupdate and the move to the latest version is the overwhelming majority, very rapidly.

Outside of the US, Android's market share dwarfs iOS's. And most people's Android phones are from vendors that stop providing updates, including security updates, after 2 years or so. There are hundreds of millions, if not billions, of vulnerable Android phones out there.

> Literally the entire point of this new feature is to create an observable effect of tampering.

Which, since most connections aren't tampered with, isn't actually observable in practice for most people. So the next time they meet someone new, they might not even bother asking them to do key verification.