A case against security nihilism

# · 🔥 467 · 💬 332 · 6 days ago · blog.cryptographyengineering.com · feross
A perverse reaction I've seen from some security experts is to shrug and say "There's no such thing as perfect security." More concretely, some folks argue, this kind of well-resourced targeted attack is fundamentally impossible to prevent - no matter how much effort companies like Apple put into stopping it. So let's stop crapping on Apple, a company that works hard to improve the baseline security of their products, just because they're failing to solve an impossible problem. There is certainly more that corporations like Apple and Google could be doing to protect their users. A more worrying set of attacks appears to use Apple's iMessage to perform "0-click" exploitation of iOS devices. What we know is that these attacks take advantage of fundamental weaknesses in Apple iMessage: most critically, the fact that iMessage will gleefully parse all sorts of complex data received from random strangers, and will do that parsing using crappy libraries written in memory unsafe languages. The only people who can fix Apple devices are Apple, and that means Apple has to feel responsible each time an innocent victim gets pwned while using an Apple device. If we simply pat Apple on the head and say "Gosh, targeted attacks are hard, it's not your fault" then this is exactly the level of security we should expect to get - and we'll deserve it.