Forums before death by AOL, social media and spammers... "We can't have nice things"
Newsgroup: comp.sys.mac.advocacy (Steve Jobs fetishistic worship forum), 120,746 messages
Message 119,406 of 120,746
From: Marian
To: All
Subject: What does the CISA KEV database say abou
Date: 22 Dec 25 11:20:58
XPost: misc.phone.mobile.iphone
From: marianjones@helpfulpeople.com

>> You are apparently attempting to reduce a very complex subject to a single
>> metric (malware prevalence), and that is not how security professionals
>> evaluate operating system security. Malware rates are not the definition of
>> security. They are one symptom of a much larger system.
>>
>> Here are some of the much more complicated facts that matter:
>>
>> CISA KEV data does not show iOS as "way more secure." When you query the
>> CISA Known Exploited Vulnerabilities database, iOS and Android have roughly
>> similar numbers of actively exploited CVEs over time. That is the only U.S.
>> government maintained list of real-world, in-the-wild exploited
>> vulnerabilities. It does not show iOS as dramatically safer.
>
> As we've discussed before, the KEV cannot be used to make any extrapolation
> or implication. It is an extremely narrow view of the landscape ignoring
> 96% of known vulnerabilities.

Chris, I think it's clear that you are misrepresenting the data in KEV.

No one is claiming the KEV represents the entire vulnerability landscape.
 a. Of course it does not.
 b. It is intentionally narrow.
That is the whole reason it is useful in this specific context.

The KEV is the only US government maintained list that tracks
vulnerabilities that are actually being exploited in the wild.

It filters out the noise and focuses on the subset that matters for
real-world operational risk. That makes it appropriate for comparing
practical exposure between platforms.

Saying "the KEV ignores 96 percent of known vulnerabilities" is not an
argument against using it. That is simply a description of its purpose.

Most CVEs are never exploited, never weaponized, and never used against
real targets. Counting every CVE equally is a poor way to measure security
because it treats theoretical bugs the same as actively exploited ones.

If your claim is that iOS is "way more secure," then the KEV is exactly the
kind of dataset you should be able to point to.

It reflects real exploitation, not hypothetical attack surfaces.

And when you look at that data, iOS and Android show broadly similar levels
of exploited CVEs over time. That directly contradicts the idea that one
platform is dramatically safer than the other.

If you want to argue that the KEV is not the right metric, that is fine,
but then you need to provide a better one. Simply dismissing the only
authoritative exploited-in-the-wild dataset because it does not support
your conclusion is not a technical argument that is logically tenable.
--
I respond as an adult to anyone as long as they act like an adult.
My goal is to help people & to learn more from those people I help.

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
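The post talks about "querying the CISA Known Exploited Vulnerabilities database" and comparing iOS and Android counts over time without showing how such a query is done. The script below is an added example, not part of the thread and not anything the poster wrote: it parses a KEV-style JSON feed (the top-level "vulnerabilities" list with cveID, vendorProject, product and dateAdded fields, which is the shape of CISA's public feed) and tallies entries per platform and per year. The sample records are constructed with placeholder CVE ids, and the platform-matching rules are an assumption: the feed has no platform field and product naming varies between entries, so each platform is defined here by case-insensitive vendor/product tests that a real analysis would need to check against the actual feed.

```python
"""Count CISA KEV entries per platform and per year from a KEV-style JSON feed.

Added example (not from the thread). The record shape follows the public KEV
JSON feed's "vulnerabilities" array; the records embedded below are
constructed sample data with placeholder CVE ids, not real KEV entries.
"""
import json
from collections import Counter
from datetime import date

# Constructed sample in the KEV feed's shape. CVE ids are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the live CISA feed",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Apple", "product": "iOS", "dateAdded": "2023-02-10"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Apple", "product": "iOS and iPadOS", "dateAdded": "2023-09-07"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Apple", "product": "macOS", "dateAdded": "2023-09-07"},
        {"cveID": "CVE-0000-0004", "vendorProject": "Android", "product": "Kernel", "dateAdded": "2023-03-13"},
        {"cveID": "CVE-0000-0005", "vendorProject": "Google", "product": "Android", "dateAdded": "2024-01-08"},
        {"cveID": "CVE-0000-0006", "vendorProject": "Apple", "product": "iOS", "dateAdded": "2024-03-05"},
        {"cveID": "CVE-0000-0007", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2024-04-01"},
    ],
})

# Platform matching rules (assumption): the feed carries no platform field and
# product names are not uniform, so each platform is a predicate over the
# lower-cased vendorProject and product strings. Anything unmatched is ignored.
PLATFORM_RULES = {
    "iOS": lambda vendor, product: vendor == "apple" and "ios" in product,
    "Android": lambda vendor, product: vendor == "android" or "android" in product,
}


def load_records(feed_json: str) -> list:
    """Return the list of KEV entries from a feed document."""
    return json.loads(feed_json)["vulnerabilities"]


def platform_of(record: dict):
    """Map one KEV entry to a platform name under PLATFORM_RULES, or None."""
    vendor = record.get("vendorProject", "").lower()
    product = record.get("product", "").lower()
    for name, rule in PLATFORM_RULES.items():
        if rule(vendor, product):
            return name
    return None


def count_by_platform_year(records, since=None) -> dict:
    """Return {platform: Counter({year: n})} for entries added on or after `since`.

    `dateAdded` is the date CISA listed the entry, not the disclosure or
    exploitation date, so the year buckets describe listing activity.
    """
    out = {name: Counter() for name in PLATFORM_RULES}
    for rec in records:
        added = date.fromisoformat(rec["dateAdded"])
        if since is not None and added < since:
            continue
        platform = platform_of(rec)
        if platform is not None:
            out[platform][added.year] += 1
    return out


def summarize(feed_json: str, since=None) -> dict:
    """Total matched entries per platform: {platform: count}."""
    counts = count_by_platform_year(load_records(feed_json), since)
    return {platform: sum(c.values()) for platform, c in counts.items()}


if __name__ == "__main__":
    # To run against the live feed instead of the sample, read the JSON from
    # https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
    for platform, years in count_by_platform_year(load_records(SAMPLE_KEV_JSON)).items():
        print(platform, dict(sorted(years.items())))
    print("totals:", summarize(SAMPLE_KEV_JSON))
```

Two things to keep in mind when reading the output of something like this against the real feed: an entry is counted where CISA filed it, so a bug in a component shared across products (a browser engine or a chipset driver, say) lands under whichever vendor/product string the entry carries, and the matching rules above decide which platform that is; and the count measures what was added to the list and when, which depends on attribution and reporting as much as on exploitation itself. Those are the caveats to state alongside any "iOS vs Android" comparison drawn from KEV.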
(c) 1994, bbs@darkrealms.ca