I'm so tired of "whataboutism" being used as some attempt to shut down an argument. It is perfectly valid to point out hypocritical arguments. And it might stun you to know that the West isn't solely composed of the US. Try going to RT from the EU - https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L...
Take special note not just of the block, but of the anticircumvention provisions.
The grandparent made the broad generalization not the person you are replying to. They said the "west" is blocking RT. It might stun you to learn that the US is part of the west and isn't blocking RT. I don't want to stun you too much, but the west is not some uniform block of countries.
> It might stun you to learn that the US is part of the west and isn't blocking RT.
Golly gee, you sure got me there on that! Let's rephrase to "parts of the West", what impact does that have on the argument that Western powers engage in media censorship as well?
> I don't want to stun you too much, but the west is not some uniform block of countries.
The original comment was "Totally not like how access to Russian news outlets has been blocked by the West."
This statement is factually incorrect. I don't see where that argument was actually made.
But sure, some western countries have a level of censorship, yes, but that still doesn't approach the level of China.
And just because there is a wiki entry called western bloc, doesn't mean the western countries are uniform. The US is pretty well known for having broad, but not absolute, protections for freedom of speech.
You should not. But if it makes you feel any better, Americans do the same thing by allowing Chinese tech like Zoom and TikTok operate in their country.
It's not clear to me if Lockdown Mode would have prevented Hermit, the latest mobile APT which targeted iOS via sideloading by enrolling in the Apple Developer Enterprise Program.
The list of lockdown features doesn't seem to explicitly list that in-house app sideloading is disabled - is it? If not, then this mode seems like security theater from Apple, in that it doesn't actually lock down the parts of the attack surface that are actively being leveraged. How about instead, or better yet alongside this, Apple explains how they granted entry in the Enterprise program to the spyware company, and what measures they're taking to prevent it from happening again.
> The list of lockdown features doesn't seem to explicitly list that in-house app sideloading is disabled - is it? If not, then this mode seems like security theater from Apple, in that it doesn't actually lock down the parts of the attack surface that are actively being leveraged. How about instead, or better yet alongside this, Apple explains how they granted entry in the Enterprise program to the spyware company, and what measures they're taking to prevent it from happening again.
I'm pretty sure that iMessage is one of, if not the most, targeted parts of the iOS ecosystem for practical exploitation. Disabling link previews and restricting the formats that are rendered likely renders this much more difficult.
The sideloaded app would likely have to target non-technical people, as I'm pretty sure sideloaded apps require lots of clicking through and trusting of certificates to get to run on a phone.
> So this would have prevented Hermit as you'd need to install a new configuration profile to allow sideloading of applications from that source.
Are you sure that's true? I haven't seen a Hermit sample firsthand, but from everything I've read about it targets did not need to install an MDM profile, they simply needed to click a link. Looking at Apple's distribution guidelines - https://support.apple.com/en-bw/guide/deployment/depce7cefc4... - MDM is listed as one option, and simply going to a link is listed as another:
> There are two ways you can distribute proprietary in-house apps:
>
> Using MDM
>
> Using a website
It seems like the latter was used, so I don't think installation of a custom profile was required, which brings me back to my original question of whether Lockdown would have prevented it.
And yet I wouldn't immediately jump to the conclusion that it's "security theater" because it only protects you from the vast majority of attacks and it may still be vulnerable to many 0-days. By this definition we have nothing but security theater in everything. And as the saying goes, if everything is security theater, nothing is security theater.
Lockdown is literally presented by Apple as being for people targeted by APTs like those developed by NSO Group, therefore I expect it to prevent attack vectors used by these APTs, like exploitation of the Developer program to facilitate sideloading malicious apps. I don't feel like this is an unrealistic expectation, and not having the mode actually do that amounts to security theater, which is a far cry from decrying everything as such.
> I expect it to prevent attack vectors used by these APTs
It does, it just doesn't close all attack vectors used by APTs.
They say[0]:
> Turning on Lockdown Mode [...] further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.
They don't say "turn this on and you'll be unhackable". They go on to say:
> Apple will continue to strengthen Lockdown Mode and add new protections to it over time.
So what they released in the current beta is just the start.
They decided that releasing Lockdown mode with only some additional protections would be worthwhile to at-risk users and I personally agree.
It's both true that Lockdown likely helps at-risk users (see reply by _kbh_) and still has lots of room for improvement.
It does, it just doesn't close all attack vectors used by APTs.
It's an ongoing problem with the pathological Apple-haters that they imagine that Apple says or promises something, and spread that falsehood all over the internet, when in reality Apple promised no such thing. They see what they want to see.
In addition to the thread above, another example is the dozens and dozens of times on HN where they claim that Apple promises that its app review process will keep 100% of malware out of the App Store. Apple doesn't make that claim. It says that app store reviews help prevent malware.
It's like discussing politics at the Thanksgiving table. People hear what they want to hear.
> Lockdown is literally presented by Apple as being for people targeted by APTs like those developed by NSO Group, therefore I expect it to prevent attack vectors used by these APTs, like exploitation of the Developer program to facilitate sideloading malicious apps. I don't feel like this is an unrealistic expectation, and not having the mode actually do that amounts to security theater, which is a far cry from decrying everything as such.
These APTs overwhelmingly use RCE vectors that are less obvious than sideloading apps; iMessage is probably the most popular, and I would hazard a guess that other popular messaging applications (WeChat, Signal, Telegram, etc.) and Safari would be next.
Running an enterprise app still is not a trivial single tap on iOS.
Obviously with the new EU legislation mandating support for unrestricted malware of this kind, that's kind of a moot factor in EU and EU-adjacent markets.
> Running an enterprise app still is not a trivial single tap on iOS.
Yes, but still successful, as Hermit demonstrated. So my question is whether Lockdown mode would have prevented APTs like Hermit which it claims to prevent against. If not, then the move is security theater which doesn't address the actual flaws (like poor vetting into the Enterprise Program) being successfully leveraged in the wild.
I had a more detailed reply to an earlier post you made - but the summary is "What constitutes an enterprise that should be allowed to have 'enterprise apps'"
> "What constitutes an enterprise that should be allowed to have 'enterprise apps'"
Apple has a list of requirements - https://developer.apple.com/programs/enterprise/ - for example, a company needs to have at least 100 employees. The issue, however, seems to be how stringently these requirements are enforced, or whether they are at all. In the case of Hermit, the Italian spyware company seems to have created a fake company and tricked Apple into granting the fake company access to the developer program. Now, the interesting question for me is whether the fake company actually managed to pass all of the requirements, like giving Apple a list of 100 fake employees, and whether Apple actually performed their due diligence and checked whether the employee list was real, or whether they accepted it at face value, or didn't even require it.
In other words, I think a key takeaway from the latest incident is Apple needs to take accountability and harden their Enterprise program entry requirements, and I haven't seen anything about that being the case.
"What is Apple doing to prevent any government contractor from being able to use enterprise apps?"
Which is what you're actually asking. "Spyware" sounds like you're conflating with its traditional meaning of being a general consumer malware/virus plague. This is software made by companies that provide services and support for [among others] intelligence agencies, etc for actual targeted spying.
If you disagree with that being the actual question, then you're saying that having access to the enterprise is dependent on Apple auditing your entire company, its corporate hierarchy, its owners, and its executives - at least. That isn't going to be cheap, it isn't going to be fast, I'm sure you'd not be happy as a company to find distributing internal apps suddenly requires regular expensive audits, or as an employee to discover your employer now required you to agree to background checks, etc by Apple.
The whole, and it seems only, reason for the enterprise program was so companies ("enterprises" in marketing) could have internal apps that didn't have to pass the App Store review process.
It would have been vastly easier to convince a victim to install a piece of software from the App Store, but that would not have worked because despite naysayers the App Store as a first step in platform security works. Otherwise there would be unending stories of malware on HN :D
> High-level targets (for whom this mode is specifically advertised) are likely aware of the dangers of installing apps.
I firstly don't believe this is true at all, plenty of high-level targets are not tech savvy; but more to the point of Lockdown mode, you could then say the same thing about most of its other features ("High-level targets are likely to already be aware of the dangers of doing $thing_Lockdown_prevents").
The whole benefit of the iOS App Store system is that those apps can't be malicious.
This requires an atypical install/launch process that would hopefully trigger some sense of "this isn't right" - similar to the macOS complaints when you choose to run an unsigned app.
The ‘high level target’ or person of interest thing is slightly absurd. Everyone is a person of interest and security shouldn’t be only for the domain of journalists, activists, dissidents etc
> How failure to generate income on their degrees is a lender's problem? Clearly, there is an issue with inflated costs of getting a degree and finding a job with a low-demand degree, but why try solving it at the lender's expense?
Yeah, I've never really understood this logic either. If someone borrows money from me to, let's say, go buy a tow truck, and then is not able to repay the loan because there are too many other folks with tow trucks (or for whatever other reason), why should that be my problem? I gave money with the expectation that it would be paid back. That is by definition what lending is, yet student loans are somehow touted as an exception where repayment shouldn't be seen as compulsory.
The logic isn't that student loans are a special thing that shouldn't have to be paid back. The logic is that under normal circumstances the lender has an incentive to evaluate the probability that the borrower will actually pay the loan back. They might raise the interest rate on higher risk loans or just refuse to lend. But with federally guaranteed loans that can't possibly be discharged, the lender's new incentive is to saddle all possible borrowers with as much debt as they can, regardless of their ability to pay.
The idea is that the lenders would stop lending to students who are likely to fail or who are studying something they won't be able to get a job in. The new reality would be: either study something with serious job opportunities, or pay out of pocket.
I think everyone agrees repaying money you borrow is the moral and right thing to do, but pragmatically bankruptcy acts as a governor on lending. In every other industry (including someone lending money for you to buy a tow truck) they need to weigh the possibility that you will never pay them back.
However, what does your intuition say when you try to think systemically? There is some percentage of people who get screwed by loans due to unforeseen circumstances and no fault of their own. Student loans are universal enough that the stats make this number of people non-insignificant. If it's nobody's fault, who should shoulder how much of the burden?
So, say we make up a number and consider that we know around 10,000 people per year get student loans and eventually end up below the poverty line due to severely bad luck. The situation isn't their fault; it's also not the bank's fault. So what do you do as a policy maker?
What if you knew that, by forgiving student loans, 8,000 of those individuals would bounce back and become productive members of society, while only 1,000 would otherwise? What are negative and positive impacts on forcing banks to shoulder the burden of these defaulting loans? What about forcing individuals to shoulder the burden?
I mean, it sounds like you generally don’t agree with the bankruptcy system in our country then. And that’s a totally valid position. But I think that concern is somewhat irrelevant to the issue of student loans being treated different than other debt. I suppose, if you think that student loans being non-dischargeable is the first step in the right direction, then maybe it’s somewhat relevant, and you hope the rest of debt eventually becomes more difficult to discharge.
For what it’s worth, I would probably agree with that stance. You’re talking to a guy who had more than $100,000 worth of student loans and lived really cheap to pay them off as soon as possible. I’m not going to deny that a part of me cringes when they talk about student loan relief, because I’ll feel like a donkey for paying mine off.
Part of what you charge when you lend someone money is a risk premium, because there's a chance you won't be paid back.
If you lend money to tow-truck operators then it is absolutely possible for them to go bankrupt and for you to fail to recover the entire value of the loan. If you don't like that risk you instead can lend to safer borrowers, the ultimate being the US Government itself - and the quid pro quo is that you can't charge as much for those loans.
The most likely outcome in the tow truck case is that they repossess the tow truck and sell it at auction, only losing a small fraction of the money they loaned you. If someone can't afford a truck they borrowed, you still have a truck.
You can't take back someone's education, which is what makes this type of loan intrinsically riskier. Because you can never get rid of student loans, though, they don't have to do any risk analysis or say "no" to any students. They say "sure", no matter what the data says on the ability to repay for the type of degree that you're applying for. Since nobody is denied funding to go to college, colleges have no economic incentive to price degree programs by expected income. The result is that college becomes more expensive and less accessible to everyone.
Yeah. The dirty/ugly truth is that, economically, the real answer to this problem is not very pretty. Loans would be given out to people with demonstrated academic success, and with a pathway to a job with a proper income to support repayment. You would probably have parents cosigning for loans.
The practical effect would likely make college much more difficult to access for minorities and other individuals low on the socioeconomic status spectrum. It would likely have a net effect of slowing upward mobility and create a college aristocracy.
It really depends on whether the degree is actually relevant to their employability.
If one has a degree in winemaking or philosophy, does rescinding their degree have a significant impact on their employability? If not, then they could just tell the bank to rescind it while still getting the education.
I cannot use this because it always resets the custom zoom level for a website. For example, I cannot browse HN with the default font size, so I set Firefox to zoom 120% for news.ycombinator.com, and I don't want to have to do that each time I come back to the site.
RFP is great but it also heavily interferes with addons. It disables Ctrl and Alt key combinations for them, breaks scrolling and timer-based behavior, and generally renders many of the addons unusable in various ways.
> If 1000 big youtubers put $100/month toward an association or union of some kind, they could afford a $100,000/month legal team to combat this.
Millionaire youtubers can already afford high-priced lawyers if they want to, I'm not worried about that.
Who I am worried about are regular people who create content but don't have large followings and don't make it to the front page of HN, but still get hit by copyright trolls.
Stronger men can carry bigger guns, but no one man is stronger than an army.
The rich still benefit from organization.
Also, an organization may have legal standing where an individual does not, and can then deploy their lawyer-army. Where an individual has to wait for an issue to personally affect them, the organization will almost always have at least one affected member and can therefore keep up the pressure constantly, and eventually perhaps make the internet a better place.
They're saying that individual, successful/rich/"powerful" YouTubers can defend themselves against these spurious claims already, but that by organizing they would be even more well equipped, at less personal cost, and also make it possible for smaller creators to also defend themselves (with even less cost).
None of that has anything to do with any Vietcong analogy I can think of.
I think Fran has been quite public regarding her economic struggles. While maybe popular to some audiences, she is certainly not a millionaire. On the other hand, cases like this provide publicity to the very problem that is haunting many and provide a broader perceptible platform for these concerns.
Edit: Maybe I've misinterpreted your comment, but I stand by the importance of publicity that may be lent by such cases.