[HN Gopher] Tachy0n: The Last 0day Jailbreak
       ___________________________________________________________________
        
       Tachy0n: The Last 0day Jailbreak
        
       Author : todsacerdoti
       Score  : 105 points
       Date   : 2025-05-24 19:50 UTC (3 hours ago)
        
 (HTM) web link (blog.siguza.net)
 (TXT) w3m dump (blog.siguza.net)
        
       | ivanjermakov wrote:
       | If this is the case Apple employed an amazing strategy. By
       | locking all ways to possibly root their devices they patch
       | vulnerabilities discovered for free by jailbreak devs.
        
         | ejpir wrote:
         | But they haven't; the article says the "private" community
         | still has exploits and Apple patches them. The public, like the
         | dev, for some reason, don't anymore.
        
           | tptacek wrote:
           | They're exclusive to private communities because they're very
           | expensive, and getting more expensive over time; in other
           | words, Apple's strategy has driven the cost of exploiting iOS
           | up.
           | 
           | Anything public is dead, which is what you want to see.
        
             | bri3d wrote:
             | I'm not sure I agree with the premise here, although I
             | agree with the conclusion w.r.t. Apple specifically.
             | 
             | I'm 100% positive from experience doing VR in several non-
             | iOS spaces that increased exploit value leads to fewer
             | published public exploits, but! This is not a sign that
             | there are fewer available exploits or that the platform is
             | more difficult to exploit, just a sign that multiple (and
             | sometimes large numbers) of competing factions are hoarding
             | exploits privately that might otherwise be released and
             | subsequently fixed.
             | 
             | As a complementary axiom, I believe that exploit value
             | follows target value more closely than it does exploit
             | difficulty, because the supply of competent vulnerability
             | researchers is more constrained than the number of
             | available targets. That is to say, someone will buy a
             | simple exploit that pops a high value target (hello, shitty
             | Android phones) for much more money than a complex exploit
             | that pops a low value target. There are plenty of devices
             | with high exploit value and low exploit publication rate
             | that also have garbage security.
             | 
             | With that said, Apple specifically are a special (and
             | perhaps the only) case where they are "winning" and people
             | are genuinely giving up on research because the results
             | aren't worth the value. I just don't think this follows
             | across the industry.
        
           | hsbauauvhabzb wrote:
           | Is this actually true? Jailbreaks are more or less the same
           | exploits used by things like Pegasus; the exploits are
           | probably worth more to the individuals that discover them
           | than the ability to give their friends access to side-loaded
           | apps.
        
           | numpad0 wrote:
           | [delayed]
        
       | weinzierl wrote:
       | I've heard Apple pays a million for jailbreaks now. That's the
       | lower bound for the price on the free market.
        
       | yjftsjthsd-h wrote:
       | > The way he managed to beat a trillion dollar corporation was
       | through the kind of simple but tedious and boring work that Apple
       | sucks at: regression testing.
       | 
       | > Because, you see: this has happened before. On iOS 12,
       | SockPuppet was one of the big exploits used by jailbreaks. It was
       | found and reported to Apple by Ned Williamson from Project Zero,
       | patched by Apple in iOS 12.3, and subsequently unrestricted on
       | the Project Zero bug tracker. But against all odds, it then
       | resurfaced on iOS 12.4, as if it had never been patched. I can
       | only speculate that this was because Apple likely forked XNU to a
       | separate branch for that version and had failed to apply the
       | patch there, but this made it evident that they had no regression
       | tests for this kind of stuff. A gap that was both easy and
       | potentially very rewarding to fill. And indeed, after
       | implementing regression tests for just a few known 1days, Pwn got
       | a hit.
       | 
       | And now I wonder how many other projects are doing this. Is
       | anyone running a CI farm running historical vulnerabilities on
       | new versions of Linux/FreeBSD/OpenWRT/OpenSSH/...? It would
       | require that someone wrote up each vulnerability in automated
       | form (a low bar, I think), have the CI resources to throw at it
       | (higher bar, though you could save by running a random selection
       | on each new version), care (hopefully easy), and think of it
       | (surprisingly hard).
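
The CI regression idea in the comment above, as an added example that is not part of this thread or of the blog post it discusses: a small Python harness that keeps a registry of known, already-fixed bugs, each with a probe and the version that fixed it, and runs every probe over a set of builds, reporting any build at or past the fix version that still behaves like the vulnerable one. The builds, the toy length-check bug, the reader functions and the bug id are all constructed stand-ins (the 12.4 build models a branch forked before the 12.3 fix landed, the pattern the quoted text describes); none of it is real iOS or XNU code.

```python
"""Regression harness for known, already-fixed bugs (constructed example).

Keep one probe per known 1day, run it against each new build, and alert
when a build that should contain the fix behaves like the vulnerable one.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'12.4.1' -> (12, 4, 1); tuples compare correctly across dot counts."""
    return tuple(int(p) for p in s.split("."))


# --- Constructed stand-in for a component that ships in several builds ---
# A record is <1-byte declared length><payload>. The vulnerable variant trusts
# the declared length; the fixed variant checks it against the real buffer.

def read_record_trusting(buf: bytes) -> bytes:
    declared = buf[0]
    return buf[1:1 + declared]          # no bounds check: silently returns short data


def read_record_checked(buf: bytes) -> bytes:
    declared = buf[0]
    if declared > len(buf) - 1:
        raise ValueError("declared length exceeds buffer")
    return buf[1:1 + declared]


# Constructed builds: version -> the reader that build ships. "12.4" models a
# branch forked before the "12.3" fix, so the fix is missing there.
BUILDS: Dict[str, Callable[[bytes], bytes]] = {
    "12.2": read_record_trusting,
    "12.3": read_record_checked,
    "12.4": read_record_trusting,
    "12.4.1": read_record_checked,
}


@dataclass(frozen=True)
class KnownBug:
    bug_id: str                                   # placeholder id, not a real tracker entry
    fixed_in: Version                             # first version that must contain the fix
    probe: Callable[[Callable[[bytes], bytes]], bool]  # returns True if still vulnerable


def probe_length_check(read_record: Callable[[bytes], bytes]) -> bool:
    """Declared length 200 over a 3-byte payload: a fixed build must reject it."""
    try:
        read_record(bytes([200]) + b"abc")     # constructed malformed record
    except ValueError:
        return False                            # rejected: fix is present
    return True                                 # accepted: vulnerable behaviour


KNOWN_BUGS: List[KnownBug] = [
    KnownBug("EXAMPLE-LENGTH-CHECK", parse_version("12.3"), probe_length_check),
]


def run_regressions(builds: Dict[str, Callable[[bytes], bytes]] = BUILDS,
                    bugs: List[KnownBug] = KNOWN_BUGS) -> Dict[str, List[str]]:
    """Return {version: [bug ids still present although version >= fixed_in]}.

    Builds older than fixed_in are expected to be vulnerable and are not
    reported, so only genuine regressions (a lost patch) produce findings.
    """
    findings: Dict[str, List[str]] = {}
    for ver_str, impl in builds.items():
        ver = parse_version(ver_str)
        for bug in bugs:
            if ver >= bug.fixed_in and bug.probe(impl):
                findings.setdefault(ver_str, []).append(bug.bug_id)
    return findings


if __name__ == "__main__":
    hits = run_regressions()
    for ver in sorted(hits, key=parse_version):
        print(f"REGRESSION in {ver}: {', '.join(hits[ver])}")
```

The probes test for the fixed behaviour (a malformed input is rejected), not for exploitability, so the same registry can run in CI on every new build without any of the entries being a working exploit; the version gate keeps pre-fix builds from generating noise, which is what makes a random subset of the registry per build, as the comment suggests, cheap to run.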
        
         | KennyBlanken wrote:
         | > And now I wonder how many other projects are doing this.
         | 
         | If by 'projects' you mean intelligence agencies, then I would
         | say it's safe to assume at least the G10 intelligence agencies
         | are doing this along with Russia, China, NK - and likely a huge
         | number of private groups.
        
       ___________________________________________________________________
       (page generated 2025-05-24 23:00 UTC)