Early this month, Google's Project Zero revealed a breathtaking attack on multiple OSes, including Apple's iOS, in which a website that served Uyghur people was found to be hosting at least five different kinds of iOS malware that exploited previously unknown defects in Apple's code (the attack is presumed to have been the work of the Chinese state, which has been prosecuting a genocidal campaign against Uyghurs, whose high-tech fillips have seen both cities and apps suborned to aid in the pogrom).
The news prompted an industry-wide reassessment of the way that "zero day" defects are deployed by nation-state hackers: previously, these had been viewed as precious rarities deployed only in the most targeted ways, to preserve their efficacy (once a defect is known, it can be patched, and once the patching begins, fewer and fewer devices are left vulnerable). China's "watering hole" attack on Uyghurs represented an indiscriminate spraying of these iOS zero-days that had never been seen before.
Last week, Apple fired back at Google, with a bizarre, whiny post attempting to minimize the scale of the attack and questioning Google's conduct in going public.
Alex Stamos (previously) knows a thing or two about working in companies that get security wrong. He famously resigned as Yahoo's Chief Security Officer in protest of a plan to install an NSA spying tool to scan Yahoo Mail accounts. Then he quit his job as Facebook's CSO over the company's inaction on disinformation campaigns. He's a human warrant canary, a guy whose reliable ethics mean that whenever he departs a great job, there's probably some kind of scandal lurking behind the scenes (Alex hates it when I call him this. Sorry, Alex — you're just too damned reliably ethical).
In a wonderful Twitter thread, Stamos addresses Apple's special pleading, accusing the company of minimizing the scale of the attacks because "it's ok, it didn't hit white people." As Stamos points out, the fact that the attacks targeted Uyghurs likely means that it led to real-world violence — people compromised by those attacks may have been arrested, tortured, even murdered. Stamos praises Google's security work here, and closes with a direct appeal to Apple employees: "Dear Apple employees: I have worked for companies that took too long to publicly address their responsibilities. This is not a path you want to take. Apple does some incredible security work, but this kind of legal/comms driven response can undermine that work. Demand better."
Apple's response to the worst known iOS attack in history should be graded somewhere between "disappointing" and "disgusting".
First off, disputing Google's correct use of "indiscriminate" when describing a watering hole attack smacks of "it's ok, it didn't hit white people." https://t.co/xkrRdTQmSB
— Alex Stamos (@alexstamos) September 6, 2019