
   comp.sys.mac.advocacy      Steve Jobs fetishistic worship forum      120,746 messages   


   Message 119,405 of 120,746   
   Marian to Chris   
   What did Google's project zero really sa   
   22 Dec 25 11:34:16   
   
   XPost: misc.phone.mobile.iphone   
   From: marianjones@helpfulpeople.com   
      
   Chris said:   
   >> Zero-day exploitation rates do not show iOS as "way more secure." Google   
   >> Project Zero's annual reports show that Apple repeatedly ships code that   
   >> has never been fuzzed or tested with modern techniques.   
   >   
   > Cite required.   
      
   Saying "cite required" to facts you've been provided many times already   
   is not a serious response here, Chris. It's not expected of adults.   
      
   This has been linked to in this newsgroup multiple times already, and it is   
   not some fringe blog post, it is Google Project Zero's own reporting.   
      
   Entire threads on this newsgroup have been devoted to Google's facts.   
   For you to outright deny all Google's facts is not what adults should do.   
      
   Relevant cites are Google Project Zero's yearly writeups on 0-days
   exploited in the wild, where you can see some of that in this overview.
   "0day In-The-Wild Exploitation in 2021" by Maddie Stone, Project Zero   
      
      
   But I'll quote others even though all of these have been discussed here.   
   So for you to remain ignorant of them makes it impossible to carry on an
   adult conversation with you if you refuse to read any cites and yet you
   deny that the cites which you refused to read exist.
      
   That's not acting like an adult, Chris.   
   Sorry. It's just not.   
      
   You need to be able to carry on an adult conversation, Chris.   
   If you want to be treated as an adult.   
      
   You can't just deny all cites you haven't read.
   You have to read them first, Chris.   
      
   Then you can tell us what you think of them.   
      
   In that report, Project Zero explicitly calls out that multiple iOS   
   vulnerabilities which were exploited in the wild were in code that had   
   never been subjected to modern testing techniques such as coverage-guided   
   fuzzing. They make the point that these bugs were "not technically   
   sophisticated" and should have been caught by basic, systematic testing   
   before shipping, but were not. Apple is named explicitly in that context as   
   a vendor shipping code that had never been fuzzed or properly tested,   
   despite being widely deployed in security critical paths.   
      
   You do not have to take my word for it. Read the report yourself. The whole   
   point of those "year in review" posts is to look at how 0-day exploitation   
   happens in practice, and what it says about vendors' secure development and   
   testing processes.   
      
   So to restate the original claim in precise terms:   
      
   Project Zero's own data and analysis show that multiple in-the-wild iOS   
   0-days were in code that had never been fuzzed or subjected to basic modern   
   testing, which directly contradicts the idea that Apple is consistently   
   doing a clearly superior job of secure development compared to everyone   
   else.   
      
   If you want to argue that iOS is "way more secure," you need to engage with   
   that actual evidence, not just demand a fresh "cite" every time the same   
   report is mentioned. You ignoring facts does not make them go away.   
   --   
   I'm different than most posters here, not only because I'm extremely   
   well informed & well educated, but because I can understand complexity.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   



(c) 1994,  bbs@darkrealms.ca