[bri3d]

I strongly disagree that there is no evidence that Lockdown mode is effective; there have been numerous exposed, active iOS exploitation campaigns of which none have worked against Lockdown mode. When we're trying to prove a negative, that's actually some of the strongest evidence we can get.

The economics of the device exploitation industry are completely orthogonal from bug bounty payouts; the markets only overlap at the _extreme_ fringes. Trying to use one as a proxy for the other is meaningless.

[saagarjha]

I don't necessarily disagree but a lot of chains will bail out if they find like the Norton Antivirus app on your phone so

[bri3d]

In this case the body of evidence is still quite powerful though, given that not only do we not have any forensic evidence of compromise from a phone with Lockdown Mode, but in all public cases where chains were RE'd back out of the forensic evidence, they don't work when tested on Lockdown Mode! So, there's even signal that the lack of forensics indicating Lockdown Mode compromises is not due to artificial targeting or detonation gates, but rather successful mitigation.

(as an aside): I'm not trying to say Lockdown Mode is infallible; I am sure phones in Lockdown Mode are or will be compromised. But it's clearly a very powerful tool, and to try to argue that it is some kind of marketing-driven conspiracy, against the body of evidence of its success, using bug bounty payout numbers (???), as the grandparent post did, is ridiculous.

[saagarjha]

I wouldn't say that it's useless but I do want to consider the option that the chains that get caught are probably the ones that are less competent.

[Veserv]

That is a total strawman. The standard of “effective” being used by the person I was responding to and Apple themselves is “protects against state actors targeting you”, not “has any benefit whatsoever” or even “has a material benefit”.

Protecting against state actors is not a instantaneous property of the present. It demands durable protection against compromise by state actors who can easily spend tens to hundreds of millions of dollars on teams of hundreds for multiple years to develop novel, durable exploits known only to them. To the extent that compromises exist, they would require expected resource expenditure in excess of what state actors can deploy or are in excess of the value derivable by state actors which is going to be in the hundreds of millions to billions of dollar range to constitute as being "effective against state actors targeting you".

Protecting against state actors means secure against Iran, Saudi Arabia, China, and the NSA. That is the unsupported marketing bullshit I am calling out.

[saagarjha]

Apple is almost certainly spending hundreds of millions if not billions on software security.

[Veserv]

Sure, but that is not related to anything I said.

I said that “protects against state actors” means the cost of finding a exploit as generally applicable and powerful as a zero-click RCE needs to cost on the order of hundreds of millions to billions of dollars per exploit to be problematic for state actors to field.

That amount of resources is a competent team of 100 skilled individuals finding zero zero-click RCEs after 3 years of full time investigation. That could credibly be called secure against state actors, though would still not be out of reach of a real military operation as a hundred million dollars is still just the cost of a single jet fighter.