Orphaned Pods are
... been asleep most of the week, huh?
On Sat, 6 Jul 2024 12:48:23 -0400, Alan Browne wrote:
... been asleep most of the week, huh?
How did you find out about this new hole found in millions of mac/iOs apps?
The holes are so big they can't be avoided but why did Apple not find it?
We’re being told it’s not Apple’s job to find security holes in other peoples dependencies so it’s not their fault.
On Sat, 6 Jul 2024 12:48:23 -0400, Alan Browne wrote:
... been asleep most of the week, huh?
How did you find out about this new hole found in millions of mac/iOs
apps?
I was looking up Swift documentation for a project when all the hits
by reverse date shows up to be about this vulnerability for mac/iOS
apps.
The holes are so big they can't be avoided but why did Apple not find
it?
Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
CocoaPods isn't part of Swift.
We're being told it's not Apple's job to find security holes in other
peoples dependencies so it's not their fault.
You are desperately trying to blame Apple, because: troll.
Didn't you just say this?
"It's not Apple's job to police third-party package mangers."
On Sat, 6 Jul 2024 23:17:58 -0000 (UTC), badgolferman wrote:
We're being told it's not Apple's job to find security holes in other
peoples dependencies so it's not their fault.
You are desperately trying to blame Apple, because: troll.
Didn't you just say this?
"It's not Apple's job to police third-party package mangers."
Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
https://developer.apple.com/swift/Read above.
"Swift is a powerful and intuitive programming language for all Apple platforms. It's easy to get started using Swift, with a concise-yet-expressive syntax and modern features you'll love. Swift code
is safe by design and produces software that runs lightning fast."
"Designed for safety"
"Swift eliminates entire classes of unsafe code"
"Swift makes software safer and faster, while also making programming more fun."
"Another safety feature is that by default Swift objects can never be nil. This makes code much cleaner and safer"
"Swift syntax ensures you to safely deal with it using the ? syntax to indicate to the compiler you understand the behavior and will handle it safely."
"Swift is perfect for use in server apps that need runtime safety"
If researchers can find these holes, what is the reason Apple can't?
On Sat, 6 Jul 2024 23:17:58 -0000 (UTC), badgolferman wrote:
We're being told it's not Apple's job to find security holes in
other peoples dependencies so it's not their fault.
You are desperately trying to blame Apple, because: troll.
Didn't you just say this?
"It's not Apple's job to police third-party package mangers."
Isn't Swift touted to be "safe by design" on Apple own corporate web
pages?
Jolly Roger <jollyroger@pobox.com> wrote:
On 2024-07-06, badgolferman <REMOVETHISbadgolferman@gmail.com> wrote:
We’re being told it’s not Apple’s job to find security holes in
other peoples dependencies so it’s not their fault.
You are desperately trying to blame Apple, because: troll.
Didn’t you just say this?
“It's not Apple's job to police third-party package mangers.”
On Sat, 6 Jul 2024 16:49:22 -0700, Alan wrote:
Isn't Swift touted to be "safe by design" on Apple own corporate web pages? >>CocoaPods isn't part of Swift.
Maybe you didn't read
The holes are so big they can't be avoided but why did Apple not find
it?
It's not Apple's job to police third-party package mangers. You
desperately want to blame Apple for something that is very clearly not Apple's fault, because: troll.
The fact is that I'm beginning to think you didn't lie, Chris.
Not a fact. You lose.]
Jolly Roger wrote on 6 Jul 2024 21:28:04 GMT :
The holes are so big they can't be avoided but why did Apple not
find it?
It's not Apple's job to police third-party package mangers. You
desperately want to blame Apple for something that is very clearly
not Apple's fault, because: troll.
Jolly Roger wrote on 7 Jul 2024 02:06:58 GMT :
The fact is that I'm beginning to think you didn't lie, Chris.
Not a fact. You lose.]
Holy shit! You didn't lie!
On Sat, 6 Jul 2024 16:49:22 -0700, Alan wrote:
Isn't Swift touted to be "safe by design" on Apple own corporate web pages? >>CocoaPods isn't part of Swift.
Maybe you didn't read any of the links about CocoPods & Swift in
Message-ID: <v6c85a$17bja$1@news.samoylyk.net>
Even so, given CocoPods is used in over three million mac/iOS apps, why is
it that researchers can find these flaws but Apple can't seem to do it?
Why then does Apple even bother to advertise safety and security if safety and security is not something Apple cares to test for in apps people use?
...yet you and your little troll buddies (namely badgolferman) continue
to lie trying to blame Apple for third-party vulnerabilities.
Here are some FACTS you desperately want us to ignore:
Open source vulnerabilities remain unpatched for decades <https://www.itweb.co.za/article/open-source-vulnerabilities-remain-unpatched-for-decades/wbrpO7gPwGdMDLZn>
---
A new report reveals an enormous number of identified open source vulnerabilities remain unpatched for 10 years and longer, often because organisations have no idea what open source code they are using.
On Sat, 6 Jul 2024 16:49:22 -0700, Alan wrote:
Isn't Swift touted to be "safe by design" on Apple own corporate web pages? >>CocoaPods isn't part of Swift.
Maybe you didn't read any of the links about CocoPods & Swift in
Message-ID: <v6c85a$17bja$1@news.samoylyk.net>
Even so, given CocoPods is used in over three million mac/iOS apps, why is
it that researchers can find these flaws but Apple can't seem to do it?
Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
On Sun, 7 Jul 2024 07:37:29 -0400, Alan Browne wrote:
Isn't Swift touted to be "safe by design" on Apple own corporate web pages? >>You have 0 understanding of 3rd party toolchains and 3rd party code bases.
Probably very true. All I know is researchers found a flaw in millions of mac/iOS apps and Apple didn't find that same flaw even after a decade.
Shouldn't Apple care that millions of mac/iOS apps are vulnerable?
The reports say that essentially every Apple owner is affected.
So why wouldn't Apple care to do what researchers did, only 10 years ago?
Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
You have 0 understanding of 3rd party toolchains and 3rd party code bases.
On 2024-07-07 12:06, Wolf Greenblatt wrote:
On Sun, 7 Jul 2024 07:37:29 -0400, Alan Browne wrote:
Isn't Swift touted to be "safe by design" on Apple own corporate
web pages?
You have 0 understanding of 3rd party toolchains and 3rd party code
bases.
Probably very true. All I know is researchers found a flaw in
millions of mac/iOS apps and Apple didn't find that same flaw even
after a decade.
Actually, no.
They found a flaw in one of the TOOLS developers USED to create
millions of apps.
They found a flaw in one of the TOOLS developers USED to create
millions of apps.
They also stated there is no direct evidence of any of these
vulnerabilities being exploited in the wild.
Jolly Roger hat am 07.07.2024 um 15:30 geschrieben:
They found a flaw in one of the TOOLS developers USED to create
millions of apps.
They also stated there is no direct evidence of any of these
vulnerabilities being exploited in the wild.
I think you made that up because the news said there are numerous exploits. Not only was it exploited but it shows the ecosystem is riddled with holes.
On Sun, 7 Jul 2024 07:37:29 -0400, Alan Browne wrote:
Isn't Swift touted to be "safe by design" on Apple own corporate web pages? >>You have 0 understanding of 3rd party toolchains and 3rd party code bases.
Probably very true. All I know is researchers found a flaw in millions of mac/iOS apps and Apple didn't find that same flaw even after a decade.
Shouldn't Apple care that millions of mac/iOS apps are vulnerable?
The reports say that essentially every Apple owner is affected.
So why wouldn't Apple care to do what researchers did, only 10 years ago?
Jolly Roger hat am 07.07.2024 um 15:30 geschrieben:
They found a flaw in one of the TOOLS developers USED to create
millions of apps.
They also stated there is no direct evidence of any of these
vulnerabilities being exploited in the wild.
I think you made that up because the news said there are numerous exploits. Not only was it exploited but it shows the ecosystem is riddled with holes.
Jolly Roger hat am 07.07.2024 um 15:30 geschrieben:
They found a flaw in one of the TOOLS developers USED to create
millions of apps.
They also stated there is no direct evidence of any of these
vulnerabilities being exploited in the wild.
I think you made that up
the news said there are numerous exploits.
Not only was it exploited
it shows the ecosystem is riddled with holes.
Then you didn't read the article.
As explained:
1. 3rd party tool/code base.
2. Did any malicious code get released this way? (to trigger Apple's malicious code detection).
Alan Browne wrote on Sun, 7 Jul 2024 07:38:54 -0400 :
As explained:
1. 3rd party tool/code base.
2. Did any malicious code get released this way? (to trigger Apple's
malicious code detection).
https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection
What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
modify any of three million iOS/macOS apps at will - whenever they want?
For ten years!
https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection
What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
modify any of three million iOS/macOS apps at will - whenever they want?
For ten years!
All of them:
Probably very true. All I know is researchers found a flaw in millions of
mac/iOS apps and Apple didn't find that same flaw even after a decade.
The point that's being missed is that no-one else spotted it either.
Despite existing for so long it was never exploited.
This was specifically an error on the side of the people managing the CocoaPods library. They should not have left orphan accounts open indefinitely.
Shouldn't Apple care that millions of mac/iOS apps are vulnerable?
*were* vulnerable. It was fixed last year. It has only been reported
recently for obvious reasons.
The reports say that essentially every Apple owner is affected.
*was* (theoretically) affected. No-one was actually affected.
So why wouldn't Apple care to do what researchers did, only 10 years ago?
They do care, but the software ecosystem is very complex and Apple cannot monitor every third party system developers around the world use.
Your can guarantee they have been looking at this very carefully to see
what they can learn.
Obviously being a secretive company we'll never know
what they've changed in response.
On Mon, 8 Jul 2024 08:06:48 -0000 (UTC), Chris wrote:
Probably very true. All I know is researchers found a flaw in millions of >>> mac/iOS apps and Apple didn't find that same flaw even after a decade.
The point that's being missed is that no-one else spotted it either.
Despite existing for so long it was never exploited.
Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't even care to think about backing up their own claims of safety & security.
This was specifically an error on the side of the people managing the
CocoaPods library. They should not have left orphan accounts open
indefinitely.
It's worse than that because ANYONE (yes, even you and me) could have injected code into those apps for a decade without Apple caring about it.
Shouldn't Apple care that millions of mac/iOS apps are vulnerable?
*were* vulnerable. It was fixed last year. It has only been reported
recently for obvious reasons.
It was fixed but Apple didn't even know about it until someone told them
that anyone (yes, even you and me) could have injected code into any of
three million macOS/iOS apps for over a decade because Apple didn't care.
Jolly Roger wrote on 8 Jul 2024 14:57:56 GMT :
https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection
What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
modify any of three million iOS/macOS apps at will - whenever they want? >>>
For ten years!
All of them:
It's no longer shocking you nutjobs are completely unaware that cocoapods isn't used in Windows or Linux,
And you think that there are no open source dependency managers for
Windows or Linux, Arlen?
Oh, what a naive fool you are.
On Mon, 8 Jul 2024 08:06:48 -0000 (UTC), Chris wrote:
Probably very true. All I know is researchers found a flaw in millions of >>> mac/iOS apps and Apple didn't find that same flaw even after a decade.
The point that's being missed is that no-one else spotted it either.
Despite existing for so long it was never exploited.
Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't even care to think about backing up their own claims of safety & security.
Apple only wants to advertise about safety & security they don't even test.
You could say the same about any currently unknown, but existing, vulnerability available in any software. Do Google, Microsoft, etc also
not care about those?
Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't >> even care to think about backing up their own claims of safety & security.
I and others have made clear that this is not in Apple's court, and you
have admitted that you don't understand 3rd party toolchains and code
source, but you keep banging the same drum.
On Tue, 9 Jul 2024 11:56:44 +0100, Chris wrote:
You could say the same about any currently unknown, but existing,
vulnerability available in any software. Do Google, Microsoft, etc also
not care about those?
Apple loudly advertises their ecosystem is safe & secure, not Microsoft.
Why does Apple say their system is safe & secure when obviously it's not?
On Tue, 9 Jul 2024 08:07:20 -0400, Alan Browne wrote:
Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't >>> even care to think about backing up their own claims of safety & security. >>I and others have made clear that this is not in Apple's court, and you
have admitted that you don't understand 3rd party toolchains and code
source, but you keep banging the same drum.
While it's clear I don't understand how Apple could have allowed this hole
in their ecosystem to exist for a decade, what I do very clearly understand is that Apple's safe & secure ecosystem claims are shown to be unsupported.
Why does Apple say their system is safe & secure when obviously it's not?
On Tue, 9 Jul 2024 11:56:44 +0100, Chris wrote:
You could say the same about any currently unknown, but existing,
vulnerability available in any software. Do Google, Microsoft, etc
also not care about those?
Apple loudly advertises their ecosystem is safe & secure, not
Microsoft.
Why does Apple say their system is safe & secure when obviously it's
not?
On Tue, 9 Jul 2024 08:07:20 -0400, Alan Browne wrote:
Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't >>> even care to think about backing up their own claims of safety & security. >>I and others have made clear that this is not in Apple's court, and you
have admitted that you don't understand 3rd party toolchains and code
source, but you keep banging the same drum.
While it's clear I don't understand how Apple could have allowed this hole
in their ecosystem to exist for a decade, what I do very clearly understand is that Apple's safe & secure ecosystem claims are shown to be unsupported.
Why does Apple say their system is safe & secure when obviously it's not?
Before you even start up, Windows 11 is on guard.
On 2024-07-09 06:26, Wolf Greenblatt wrote:
On Tue, 9 Jul 2024 08:07:20 -0400, Alan Browne wrote:
Three million iOS/macOS apps were vulnerable for a decade, and Apple
didn't
even care to think about backing up their own claims of safety &
security.
I and others have made clear that this is not in Apple's court, and you
have admitted that you don't understand 3rd party toolchains and code
source, but you keep banging the same drum.
While it's clear I don't understand how Apple could have allowed this
hole
in their ecosystem to exist for a decade, what I do very clearly
understand
is that Apple's safe & secure ecosystem claims are shown to be
unsupported.
It wasn't a hole in "their ecosystem", doofus.
This was something OUTSIDE Apple's ecosystem; a third-party tool used by developers before their software was ever submitted to Apple.
On 9 Jul 2024 15:20:05 GMT, Jolly Roger wrote:
Before you even start up, Windows 11 is on guard.
When I looked it up, it was pretty clear in all the reports that these cocoapods flaws are only in the Apple ecosystem as far as I have read.
Please cite where you got the idea cocoapods is part of the Windows
ecosystem as everything you say is wrong until you can show that cite.
On 2024-07-09 09:42, Wolf Greenblatt wrote:
On 9 Jul 2024 15:20:05 GMT, Jolly Roger wrote:
Before you even start up, Windows 11 is on guard.
When I looked it up, it was pretty clear in all the reports that
these cocoapods flaws are only in the Apple ecosystem as far as I
have read.
There are similar tools (dependency managers for developers) across
all OS ecosystems, doofus.
On 9 Jul 2024 15:20:05 GMT, Jolly Roger wrote:
Before you even start up, Windows 11 is on guard.
When I looked it up, it was pretty clear in all the reports that these cocoapods flaws are only in the Apple ecosystem as far as I have read.
Please cite where you got the idea cocoapods is part of the Windows
ecosystem as everything you say is wrong until you can show that cite.
On 2024-07-09 09:42, Wolf Greenblatt wrote:
On 9 Jul 2024 15:20:05 GMT, Jolly Roger wrote:
Before you even start up, Windows 11 is on guard.
When I looked it up, it was pretty clear in all the reports that these
cocoapods flaws are only in the Apple ecosystem as far as I have read.
There are similar tools (dependency managers for developers) across all
OS ecosystems, doofus.
Please cite where you got the idea cocoapods is part of the Windows
ecosystem as everything you say is wrong until you can show that cite.
On Tue, 9 Jul 2024 08:07:20 -0400, Alan Browne wrote:
Three million iOS/macOS apps were vulnerable for a decade, and Apple didn't >>> even care to think about backing up their own claims of safety & security. >>I and others have made clear that this is not in Apple's court, and you
have admitted that you don't understand 3rd party toolchains and code
source, but you keep banging the same drum.
While it's clear I don't understand how Apple could have allowed this hole
in their ecosystem to exist for a decade, what I do very clearly understand is that Apple's safe & secure ecosystem claims are shown to be unsupported.
Why does Apple say their system is safe & secure when obviously it's not?
Wolf Greenblatt wrote:
On Tue, 9 Jul 2024 08:07:20 -0400, Alan Browne wrote:
Three million iOS/macOS apps were vulnerable for a decade, and Apple
didn't
even care to think about backing up their own claims of safety &
security.
I and others have made clear that this is not in Apple's court, and you
have admitted that you don't understand 3rd party toolchains and code
source, but you keep banging the same drum.
While it's clear I don't understand how Apple could have allowed this
hole
in their ecosystem to exist for a decade, what I do very clearly
understand
is that Apple's safe & secure ecosystem claims are shown to be
unsupported.
Why does Apple say their system is safe & secure when obviously it's not?
The more I argued with them, the better I came to know their dialectic.
First they counted on the stupidity of their adversary, and then, when
there
was no other way out, they themselves simply played stupid.
If all this didn't help, they pretended not to understand, or, if
was no other way out, they themselves simply played stupid.
If all this didn't help, they pretended not to understand, or, if
Hmm, then please do tell us how Apple are responsible for 3rd party tool chains and orphaned 3rd party code?
As a warmup exercise, please cite a specific instance where:
- Some orphaned code, was
- taken over by a hacker, then
- modified to do harm, then
- released into the 3rd party toolchain ecosystem, thence
- integrated with the 3rd party toolchain, into
- someone else's application, that
- was released on Apple's App Store, and
- got past Apple's validity checking, into
- the wild, and (for bonus points)
- caused harm.
Provide links.
On 2024-07-17 14:37, Alan Browne wrote:
was no other way out, they themselves simply played stupid.
If all this didn't help, they pretended not to understand, or, if
Hmm, then please do tell us how Apple are responsible for 3rd party tool
chains and orphaned 3rd party code?
As a warmup exercise, please cite a specific instance where:
- Some orphaned code, was
- taken over by a hacker, then
- modified to do harm, then
- released into the 3rd party toolchain ecosystem, thence
- integrated with the 3rd party toolchain, into
- someone else's application, that
- was released on Apple's App Store, and
- got past Apple's validity checking, into
- the wild, and (for bonus points)
- caused harm.
Provide links.
<chirp><chirp><chirp>
Hmm, all I hear is crickets.
Alan Browne wrote:
On 2024-07-17 14:37, Alan Browne wrote:
was no other way out, they themselves simply played stupid.
If all this didn't help, they pretended not to understand, or, if
Hmm, then please do tell us how Apple are responsible for 3rd party
tool chains and orphaned 3rd party code?
As a warmup exercise, please cite a specific instance where:
- Some orphaned code, was
- taken over by a hacker, then
- modified to do harm, then
- released into the 3rd party toolchain ecosystem, thence
- integrated with the 3rd party toolchain, into
- someone else's application, that
- was released on Apple's App Store, and
- got past Apple's validity checking, into
- the wild, and (for bonus points)
- caused harm.
Provide links.
<chirp><chirp><chirp>
Hmm, all I hear is crickets.
I was describing Wolf Greenblatt.
| Sysop: | Keyop |
|---|---|
| Location: | Huddersfield, West Yorkshire, UK |
| Users: | 339 |
| Nodes: | 16 (2 / 14) |
| Uptime: | 01:00:43 |
| Calls: | 7,467 |
| Calls today: | 3 |
| Files: | 12,691 |
| Messages: | 5,627,866 |
