- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
The amendments to the Investigatory Powers Bill, allegedly intended to make people safer, will undoubtedly make UK digital infrastructure a tempting target as the regulations will be weaken security there. The biggest problem for Apple, other than the steady erosion of encryption, is that essential security and privacy updates might be delayed or never appear — and without any transparency or scrutiny at all.
If passed, the law would mean that every tech security update must be reviewed by UK authorities before release, which will immediately delay distribution of vital security patches.
Hackers will immediately see this means any patched vulnerabilities will be secured in the UK last, making the nation an incredibly attractive target to attack. Hackers are organized enough to spot and exploit weakness. It’s what they do.
And if the UK rejects an update, that update cannot be released in any other nation and the public would not be informed of the decision.
First - if I’m not from the UK, thats very unlikely. At least because the UK wants it to happen and not for other reasons.
Second - the moment the information is out, it’s too late. Their zero day is burned.
Third - the police needs to know where to knock. If I publish the information in a way that can be associated with my identity and I’m the one that alerted the vendor, sure. But even if I’m a completely random person that immediately goes full disclosure - doing so may in a way that identifies me might hurt me anyways, depending on my jurisdiction. So for individuals it might be the smarter play to make it less traceable.
Fourth - imagine Google’s Project Zero or another “huge player” finds the Bug and alerts the vendor. Google e.g. has a policy to fully disclose the bug, if there’s no fix within a specified time-frame. This might be extended for reasons, but only of there’s a good reason. If the vendor cannot say why they don’t patch, well that’s none of these reasons.
You’re missing the point. They are blocking the security patches themselves. “Google has a policy to…” is invalid when a nation state, especially not one with one of the strongest intelligence gathering apparatus in the world, has a law telling them what to do.
Google already works with the intelligence agencies. It would be naive to assume otherwise
A completely random person anonymously putting the information out online is not the person releasing the security patch. That’s probably why they are focusing of the updates themselves. Easier to hold someone responsible