“Moreover, while sending crafted packets and attempting all sorts of things, I’ve discovered several vulnerabilities in the Apple custom made parsers. I will not discuss them here (exception made for the session spoofing) but at the same time I’m not interested in reporting them to Apple…”
What he’s basically saying here is “I’d rather let my personal opinion prevail than responsibly disclose and get some vulnerabilities fixed.”
Even if, at their worst, Apple is as petty as he’s “heard” (given the FUD surrounding quite a lot of engineer’s), the proper response is responding with less pettiness, not more. It’s reflective of the author’s character no matter how he expressed the tantrum.
Well this is absolute bullshit. You're discussing private software. It's up to the owner to offer a bug program that's enticing enough to debug their own software if they care.
Reporting a vulnerability should be extremely low effort. Regardless of how I feel about a company I wouldn't want users to get screwed. I tried to disclose to google once and they required an account so instead I moved on with my life. I don't care about random people enough to make a google account.
I don't understand, you have a high-level technical understanding of MPC, but you're dismissive of the criticism?
An auth strategy based on a Map<String, bool>, where String is a plain-text beacon on the LAN, seems well-worth criticizing.
I may have gotten turned about when trying to understand a few things, my understanding is you dismiss this because you're not sure if one feature uses it? And because parsers can't have vulnerabilities on arbitrary data?
> My informed guess was multicast DNS as I’ve seen this protocol being (ab)used a lot from Apple (Bonjour for instance)
I understand it's in fashion to kick Apple (and not without reason) but mDNS and DNS-SD is their protocol. They made it and they market it combined with link-local addressing, etc as Bonjour. To me writing like this is naff and makes the author seem needlessly salty.
Apple has one of the most damaging two-faced approaches where on the public side they say they are all about openness and power users and security but on the private side they are intentional and severe about keeping that public image at the expense of users.
I agree that there’s no responsibility on Apple to document this specific protocol but it’s important to see it in context.
> they say they are all about openness and power users and security
They do mention security a lot, but “all about openness and power users”? That’s not my impression. They famously eschew the “make everything a setting” philosophy. The whole Apple thing is simplicity at the expense of configurability and control. Do you see them otherwise?
> but “all about openness and power users”? That’s not my impression.
...!
I feel like a frog that’s just been shown the bubbles forming on the bottom of the pot.
Granted I’ve been pretty “meh” on Apple the last few years but I’ve still watched the keynotes and kept up with their growth. I didn’t even notice that Apple cleaned developers and pro users from their brand! (pro users as defined by those that are always stretching the limits of the tech, learning, and finding new optimal ways to do things).
I just finished re-watched the uncut WWDC keynote and when developers are mentioned they are now almost entirely talked about in 3rd person while Apple is talking directly to upper management. The most hands-on-tech thing they did was talk for a couple seconds about the WebKit features.
My impression of Apple is shockingly outdated in their favour.
The product pages for both Mac Studio and the Mac Pro (both “Pro” products) either talk specs without highlighting what can be done with them or they talk about media creation. The target demographic here is creative professionals and not technical ones, power users, or developers.
They have served creative professionals for a long time for sure, but they also served power users and technology professionals because they recognized that it was them working with the creative professionals (and sometimes working on their own) to build products with huge markets. I thought that this was still an underlying corporate value at Apple but I see now that they’ve just conveniently dropped it without even a whisper. I guess their new core demographic is content creators and movie studios?
Apologies if this rambles. I had to get it out. I’m still processing this.
> I just finished re-watched the uncut WWDC keynote…
The WWDC keynote/state of the union is a public-facing event for enthusiasts, press and analysts. This is why Apple invites say, "Join the developer community for an in-depth look at the future of Apple platforms".
If you want to evaluate Apple's prioritization of the developer community, you can watch any other content that Apple creates for WWDC, along with the non-keynote events listed at developer.apple.com/wwdc23. Additionally, Apple developers have their own dedicated site at developer.apple.com.
It’s Apple’s choice what they do and the directions they go, but if the WWDC keynote really is for enthusiasts, press, and analysts it’s disingenuous to say it’s part of a Developer Conference.
Unfortunately I have to see “join the developer community” and “dedicated site at developer.apple.com” the same way as I see a big brand responding to a high-traction social media complaint with “Contact us privately so we can look in to it”: a way to pull the issue out of the public eye and in to a tightly-controlled environment that favours the brand over of the end user.
> but if the WWDC keynote really is for enthusiasts, press, and analysts it’s disingenuous to say it’s part of a Developer Conference.
About every conference has an opening keynote that doesn’t get into nitty-gritty details, but that informs both the participants and the press what the conference will be about.
It typically follows on a part where the local mayor/minister/… will welcome the participants, saying how good it is for the city/region/country to have the conference in their city/region/country.
https://en.wikipedia.org/wiki/Keynote: “At political or industrial conventions and expositions and at academic conferences, the keynote address or keynote speech is delivered to set the underlying tone and summarize the core message or most important revelation of the event”
I don’t see the WWDC keynotes as much different, except for the fact that Apple’s keynotes attract way more press than most other ones.
Yes, like all keynotes in all industries, it is about the larger ecosystem and new developments.
Cardiology keynotes are about global attention to heart health, not how a cardiothoraccic surgeon can rotate a stent to improve success.
Energy conference keynotes are about changing patterns in production and use of energy, not the novel polymers in the latest solar cells.
Keynotes are by definition intended to tie everything together (I like to believe the word was used a playful anagram). Pointing out that a keynote is not the most personally/professionally relevant part of a conference for the average attendee is not going to surprise anyone who’s been to conferences.
This year, there were lots of product announcements, so the keynote was end user centric. It's really platforms state of the union address the same afternoon that has the developer focus: https://developer.apple.com/videos/play/wwdc2023/102/
I just watched the intro and conclusion for the Platforms State of the Union and cannot see the pro focus we’re talking about.
Yes, it’s now directly talking to developers, but with a tone of “Here are new APIs and features we decided to make. Use them how we designed them.” (like talking top-down to a workforce)
> This gives me chills, the shared clipboard also uses this protocol, right? This means that everything we copy goes through the network via Bluetooth without encryption and can be captured by any Bluetooth sniffer?
The shared clipboard uses this protocol?... on what basis is this claim plausible?
> The individual messages are encrypted much like messages in iMessage are. After the devices are paired, each device generates a symmetric 256-bit AES key that gets stored in the device’s keychain. This key can encrypt and authenticate the BLE advertisements that communicate the device’s current activity to other iCloud-paired devices using AES256 in GCM mode, with replay protection measures.
Erm, hope they’re not super serious I guess?