Best Practice & Transparency

David Hoyt is an independent, authoritative source for Best Practices & Transparency. Hoyt works Independently to improve the User Experience & Security of Internet Products & Services.

Author: David Hoyt, Hoyt LLC Research

Public Release: Monday, August 23, 2021

Estimated reading time:  7 minutes

Executive Summary

This Article by David Hoyt looks at Chilling Effect, Best Practice & Transparency in the IT Security Sector.

Sharing

Point of View

I am sharing my point of view due to the statement by David Thiel of the Stanford Internet Observatory. In the original Article Thiel stated that the Apple Security Research Device Program “is bound by so many rules on what they can say or do that it doesn’t necessarily solve the problem of trust”. The Screen Capture from the original Article dated Tuesday, August 17, 2021 as Published by MIT Technology Review is seen below:

Statement by David Thiel of the Stanford Internet Observatory

Trust

No Chilling Effect 

There is No Chilling Effect by Apple on this SRD Program Participant. Specifically responding to Thiel, I am not bound by any rules on what I can do or say because of my Personal Choice to use the Apple Security Research Device. Our time is better spent on Research and Collaboration contrasted with tilting at windmills.

Full Disclosure

Openness

Transparency implies openness, communication and accountability. The Apple Security Research Device Fleet is a new Battleship Platform constantly in development being Reviewed by Industry Participants. Apple provided a 2021 SRD Cohort a Security Research Device [SRD] prototype in the Form of an iPhone 12,1 Model with Right to Use [RTU]. The Cohort dispatched the provided SRD prototype immediately upon receipt. Apple refloated a prototype quickly, but the Cohort dispatched the prototype a 2nd time. Apple shortly thereafter refloated a 3rd prototype but on its own turtled, that Version String sinking.

Observation

My observation is that these outcomes are normal for the Telecommunications Product Development Lifecycle. Apple receives Positive Report for Transparency and Communication from this SRD Program Participant.

Accountability

In iOS 15.1 Apple added a new entitlement called research.com.apple.license-to-operate to support Frida and other research tools for the Apple Security Research Device. This entitlement allows tools to bypass the PPL codesigning protections and the usual task-port policies to inject code into any process running on the system (platform and non-platform).

Public Education

Intellectual Property

The Public purchases a Right to Use [RTU] for a Computing Device such as a Radio Telecommunications Service [RTS] like the iPhone or Pixel. At Power-On the Consumer must accept that Right to Use [RTU] from those Vendors. A Company that develops Intellectual Property (IP) will zealously protect its interest in such Intellectual Property.

Perpetual Litigation

Some recent examples of perpetual litigation of IP are Oracle vs. Google in the matter of Java, and Apple vs. Corellium now on appeal. Each litigant seeks to compel the compliance of a Licensing Agreement [LA] often expressed in the form of a RTU.

Right to Use

When I choose to use the Apple Security Research Device I do so under the terms of the SRD RTU & End User Licensing Agreement [EULA].

No Requirement to Use

The RTU & EULA for the Apple Security Research Device contain No Requirement to Use the Apple Security Research Device.

SRD Abilities

The Apple Security Research Device affords Researchers the following abilities that a user Device doesn’t: (1) Side-load executable code onto the device with arbitrary entitlements at the same permission level as Apple operating system components, (2) Start services at startup, (3) Persist content across restarts. The Researcher can see and interoperate with all system services and devices with root permissions and Apple Entitlements.
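The entitlement named under Accountability and the SRD ability to side-load code with arbitrary entitlements both come down to what is written into a binary's entitlements plist. As an added example (not code from the article or from Apple), the following Python audits the XML that `codesign -d --entitlements :- <binary>` prints and flags grants that exceed what a retail-device app can hold. The sample plist is constructed; the `application-identifier` value is a placeholder; and apart from `research.com.apple.license-to-operate`, which the article names, the entitlement names in the policy table and the `com.apple.private.` prefix are widely documented public names chosen here as a starting policy, not Apple's own classification.

```python
import plistlib
from typing import Dict, List

# Constructed sample: the XML that `codesign -d --entitlements :- <binary>` prints
# for a hypothetical research tool signed with the SRD-only entitlement named in
# the article. The application-identifier value is a placeholder.
SAMPLE_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.research-tool</string>
    <key>get-task-allow</key>
    <true/>
    <key>research.com.apple.license-to-operate</key>
    <true/>
    <key>com.apple.private.security.no-container</key>
    <true/>
    <key>com.apple.developer.networking.wifi-info</key>
    <false/>
</dict>
</plist>
"""

# Entitlements that grant the "same permission level as Apple operating system
# components" the article describes. The first is the SRD-only entitlement from
# the article; the others are public, widely documented names. Assumption: this
# table is a starting policy for an audit, not Apple's own classification.
HIGH_RISK: Dict[str, str] = {
    "research.com.apple.license-to-operate":
        "SRD research entitlement: bypasses PPL code-signing and task-port policy",
    "get-task-allow":
        "process is debuggable: its task port can be obtained by other processes",
    "platform-application":
        "binary is treated as an Apple platform binary",
    "task_for_pid-allow":
        "can obtain task ports of arbitrary processes",
}
PRIVATE_PREFIX = "com.apple.private."


def parse_entitlements(xml: bytes) -> Dict[str, object]:
    """Parse an XML entitlements plist into a dict (raises on malformed input)."""
    ents = plistlib.loads(xml)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return ents


def audit_entitlements(xml: bytes) -> List[Dict[str, str]]:
    """Return one finding per granted entitlement that exceeds what a retail-device
    app can legitimately hold. A key explicitly set to <false/> is not a grant."""
    findings: List[Dict[str, str]] = []
    for key, value in parse_entitlements(xml).items():
        if value is False:
            continue
        if key in HIGH_RISK:
            findings.append({"key": key, "severity": "high", "reason": HIGH_RISK[key]})
        elif key.startswith(PRIVATE_PREFIX):
            findings.append({"key": key, "severity": "medium",
                             "reason": "Apple-private entitlement; not issued in third-party "
                                       "provisioning profiles, so it cannot be granted to "
                                       "ordinary app code on a retail device"})
    return findings


def is_research_device_only(xml: bytes) -> bool:
    """True when the binary relies on the SRD research entitlement, i.e. it is
    built to run only on a Security Research Device."""
    return parse_entitlements(xml).get("research.com.apple.license-to-operate") is True


if __name__ == "__main__":
    for f in audit_entitlements(SAMPLE_ENTITLEMENTS_XML):
        print(f"[{f['severity']}] {f['key']}: {f['reason']}")
    print("SRD-only binary:", is_research_device_only(SAMPLE_ENTITLEMENTS_XML))
```

Run it against the output of `codesign` piped into a file to get a quick inventory of which binaries in a research toolchain could only ever have been signed for the SRD, and which carry debug or private grants that should never reach a retail build.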

Lockdown

Vendors

The Operating System is a small piece of the Package badged with iPhone or Pixel. There are many Vendors and millions of lines of Code packaged into a Consumer Device. Those Vendors may require via RTU & EULA the Lockdown of the Consumer Device to protect IP.

Equivalent

There are equivalent Virtualization Platforms [Corellium], Software Development Kits [SDK] and Hardware Development Kits [HDK] that provide greater functionality with purchase of additional RTU. A Security Researcher knows when a standalone RTS Device is in Lockdown and is often compelled to spend more money to License the SDK and/or HDK to conduct a Research Project.

Blame

The Blame for the Lockdown of Consumer Phones is due to Vendors of Hardware & Software Intellectual Property (IP) that Require the Lockdown by RTU, EULA or Chilling Effect.

Best Practices

Vulnerability Disclosure

The modern approach to Vulnerability Disclosure [VD] does not place Consumers at Risk due to Uncoordinated Disclosure [UD] made in advance of the Resolution Notification by the Vendor.

Uncoordinated Disclosure

UD may be considered by a Researcher at any point in time without Vendor Notification.

Modern Approach

The modern approach to Vulnerability Disclosure is Best Practices because Consumers are [mostly] unable to act on self-mitigations, often due to Lockdown restrictions placed on the RTS Device by IP Vendors.

Prove a Bug

My experience in 2021 is that Apple moves very quickly when a high value exploit with a working proof of concept is delivered. It takes time to prove a bug; the better the Report, the faster the time to Resolution.

Downstream Code

The reality is that after an initial Bug Report is made it could be days, weeks or months until the Downstream Code Vendor receives, validates and acts on a Vulnerability Report. 

Content Fingerprint

Content Scanning

As a matter of Public Record, Content on any Device, Uploaded & Downloaded to or from the Internet has a unique Content Fingerprint. Pictures are Hashed and Indexed by multiple 3rd parties and linked to your Online Identity. Consumers must explicitly take steps to prevent content scanning which may not be possible with the modern RTU.
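The paragraph above speaks of a Content Fingerprint for pictures. As an added example (not code from the article), the Python below shows the two fingerprint families a practitioner should distinguish: an exact cryptographic hash of the pixel bytes, which changes on any alteration, and a perceptual hash (a simplified average hash, not any particular vendor's scheme), which survives resizing and changes by only a few bits under a small edit, so that matching is done by Hamming distance rather than equality. The 16x16 grayscale image is constructed inline to stand in for a photo.

```python
import hashlib
from typing import List

Image = List[List[int]]  # rows of 8-bit grayscale values, 0..255


def make_sample_image(size: int = 16) -> Image:
    """Constructed test image: a diagonal gradient with a bright 4x4 square
    in the top-right corner (stands in for a real photo)."""
    img = [[(8 * x + 8 * y) % 256 for x in range(size)] for y in range(size)]
    for y in range(4):
        for x in range(size - 4, size):
            img[y][x] = 255
    return img


def upscale(img: Image, factor: int) -> Image:
    """Nearest-neighbour enlargement: the kind of transform a re-upload applies."""
    return [[v for v in row for _ in range(factor)] for row in img for _ in range(factor)]


def edit_pixel(img: Image, y: int, x: int, value: int) -> Image:
    """Return a copy with one pixel changed (a minimal content edit)."""
    out = [row[:] for row in img]
    out[y][x] = value
    return out


def exact_hash(img: Image) -> str:
    """Cryptographic fingerprint of the raw pixels: any change alters it."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img: Image, side: int = 8) -> int:
    """Perceptual fingerprint (simplified aHash): shrink to side x side by block
    averaging, then emit one bit per cell, 1 if the cell is brighter than the
    image mean. Returns a side*side-bit integer."""
    h, w = len(img), len(img[0])
    bh, bw = h // side, w // side
    cells = []
    for by in range(side):
        for bx in range(side):
            block = [img[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (1 if c > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits: the similarity metric used to match fingerprints."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    original = make_sample_image()
    resized = upscale(original, 2)
    edited = edit_pixel(original, 8, 8, 0)
    print("exact hash changes on resize:", exact_hash(original) != exact_hash(resized))
    print("aHash distance after resize:", hamming(average_hash(original), average_hash(resized)))
    print("aHash distance after 1-pixel edit:", hamming(average_hash(original), average_hash(edited)))
```

The design point is the matching rule: an index built on exact hashes only finds byte-identical copies, while a perceptual index treats anything within a small Hamming radius as the same picture, which is why a consumer cannot defeat such indexing by re-encoding or resizing a file.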

Chilling Effect

I have been the Target of many Chilling Effects by Private & Public Companies & Individuals and welcome the opportunity to educate all interested parties.

Full Disclosure

No Financial Conflict of Interest

I do not Own or Trade in any Apple Financial Products or Derivatives nor am I a Subcontractor or Employee or Agent of Apple Corporation. My relationship with Apple is business formal, arms-length. I have No Financial Conflict of Interest.
