Pwn All The ThingsVerified account

@pwnallthethings

Mostly interested in natsec, infosec, and platform security. Views are my own. 🦊🦊 matt.tait/at/gmail

The sky, mostly
Joined December 2013

Tweets

You blocked @pwnallthethings

Are you sure you want to view these Tweets? Viewing Tweets won't unblock @pwnallthethings

  1. Pinned Tweet
    Undo
  2. Retweeted
    12 hours ago

    More on 's collab to secure the software supply chain. "Instead of being reactive to vulnerabilities, we should eliminate them proactively with secure languages, platforms, and frameworks that stop entire classes of bugs."

    Undo
  3. Retweeted
    Aug 24

    NEW REPORT From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits

    Show this thread
    Undo
  4. Retweeted
    Aug 22
    Undo
  5. Typical. Rain starts 2 minutes after I go out, stops 2 minutes after I come back in.

    Undo
  6. Extremely niche tweet but my God it delivers

    Show this thread
    Undo
  7. Undo
  8. Retweeted
    Aug 18

    The Dan Kaminsky Fellowship is now accepting applications

    Undo
  9. Retweeted
    Aug 16
    Undo
  10. Does Apple ask other auditors for free labor after setting them up to fail? "Hi accountants, our calculation on this napkin is correct and the warehouse of receipts is subject to inspection by accountants who wish to verify it'? Of course not. Only this industry gets screwed.

    Show this thread
    Undo
  11. And notice the implicit assumption here in the first place. Security researchers *will* do the review, fighting over all of the obstacles intended to make actually doing the review simple. For free. Why? Why is this considered acceptable?

    Show this thread
    Undo
  12. Perhaps one way would be to write your own app to find unusual ways to compute the master hash and validate that it is valid, without relying on static graphical elements that hackers or Apple could surgically manipulate. But you think that app would get past AppStore review?

    Show this thread
    Undo
  13. That's even before we get into the various encrypted firmwares where you can't even see the binary, or the apps on the device that are partially or fully encrypted.

    Show this thread
    Undo
  14. Analysis of the binary itself is not even sufficient if Apple itself is in your threat model; the kernel sits underneath it, and is enormous and, you guessed it, also symbol stripped to frustrate reverse-engineering.

    Show this thread
    Undo
  15. How about dynamic analysis? Unless Apple is planning on giving the iCloud app the get-task-allow permission so you can attach a debugger, that would be out of the question on an vanilla iPhone. You'd need to resort to jailbreaks, or, heaven forbid, a Corellium device

    Show this thread
    Undo
  16. Are they going to do static analysis of the binary? Ok. But iOS binaries are intentionally stripped of non-essential symbols precisely to make this kind of analysis harder.

    Show this thread
    Undo
  17. Might be a slightly self-indulgent thread, but how exactly does Apple suppose that security researchers will do this without running across anti-research minefields that Apple has intentionally laid down to block exactly this kind of research?

    Show this thread
    Undo
  18. Retweeted
    Aug 11

    I spoke to about journalism security, the opportunity to support incredibly important work, and the need for more focus on attacks against media orgs.

    Undo
  19. If the evidence were real, it would be both easy, and in their interests, to show it plainly and widely. And instead we have layers of intentionally stripping context and obfuscation. Because it's fraud.

    Show this thread
    Undo
  20. Someone took probably an http log or wireshark, stripped it of context to obfuscate where it came from, put it in an RTF document, and then to further hide what it means, intentionally encoded it into hex to make it look scary and technical.

    Show this thread
    Undo
  21. In case you're wondering, the IP addresses are a filtered list of normal web-crawlers that just continuously scan the entire internet, (and you'll see similar logs on literally every website on the internet).

    Show this thread
    Undo

Loading seems to be taking a while.

Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

    You may also like

    ·