"...Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience," Apple told him when asked why the list of fixed iOS security bugs didn't include his zero-day..."
"...We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," Apple told Tokarev 24 hours after publishing the zero-days and the exploit code on his blog...
"...We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance..."
The company hasn't denied the bounty, they're just incompetent / slow on this process.
Feels like everyone is out to paint <x> company with just confirmatory bias using whatever half-baked story is available. Even I feel for company leaders in this kind of shitty journalism environment. And the rest of the comments here are just autopilot piling on the echo fest.
Tokarev discovered 4 iOS 0-days, then reported them all to Apple back in May. After months of Apple's continued refusal to fix or even publicly acknowledge all four of the issues, Tokarev made all of them public on GitHub.
Weeks passed, and now it's today. Apple has yet to fix or publicly acknowledge two of the four security vulnerabilities. That should make Apple look bad because those are some fundamentally irresponsible security practices.
Yes, I'm biased. I'm human, not a computer, and it's stuff like this that makes me biased towards Apple. They should receive negative publicity for this, then they should change how they do things. At the very least, app developers and users should be warned about the two issues that have yet to be fixed.
* There are valid reasons that bugs can take longer to fix than you'd expect; the most notable of them is when the bug you found is actually systemic, or has a deep root cause, and the real fix for the vulnerability is more complicated than the surface bug. Without a hard timeline, some shops will work to get the root cause fixed on some bugs even at the cost of an increased timeline, because the patch for the surface bug reveals the pattern and amplifies risk to customers.
* As a reporter, you can take some measure of control over the process back by providing a fixed timeline (like the P0 90 days). There's no negotiation needed; you give the vendor time to fix and they either do or don't, but either way you're going public. That is a valid way to go about things, but may cost you the bounty.
* These things are bug-dependent, and the process that runs for a zero-interaction RCE won't be the same as the process that runs for a bug that requires a malicious app store app and only gives access to the contact database.
* Message boards tend to expect that big vendors can just shell out for the bounty as a show of good faith. It's easy to see why they believe that. It makes sense. But it also creates broken incentives. The limiting reagent on bugs isn't bounty dollars (these are indeed barely even rounding errors to major vendors), but rather programmer time. If you pay out for weak, stuck-in-process bugs, you create incentives that redirect programmer time to those weak bugs and away from more significant bugs; as angry as you can reasonably be about a malicious app being able to snarf your contacts, if you're rational, you're a lot more concerned about memory corruption flaws, which is what you really want people spending their time on.
I don't understand how this isn't already reflected in bug bounty pricing tiers? Like, if I access your contacts, I get $x, but if I can access all your photos, I get $xx. As a user, I couldn't care less for how my data got accessed, whether it's a logic bug or memory corruption…
Is your point that all bugs soak up time to fix? If so pay the bounty and add it to the backlog. Or is it too much time to verify? That seems to be something you can kick back to the reporter.
Apologetics for a bug bounty program dragging their feet on a payout because "it's not a mem corruption bug" alone is unconvincing.
If Apple wants to nudge people towards submitting more serious bugs, they can pay more so people are incentivized to work towards those rather than mucking around in gamed. But, they don't really get to say "we didn't really have time to get around to this Contacts bug, sorry": people expect them to have it fixed. That's the whole reason Apple offers a bounty at all: so that researchers tell them about it early so they can fix it.
It would be interesting to understand at what point this becomes a GDPR issue, and if the GDPR legislation can be used to pressure companies into expediting this process.
It is entirely possible the researcher found something but didn't realize how deep the problem went. Apple may have released an incremental patch and is working on fixing a larger issue they found when digging into it.
When this has happened in the past, from the researcher's perspective things seem quiet/delayed because we obviously can't share details of a larger vulnerability with them. All we can really do is ask for more time. In the end it all works out and they get paid out/credited for the original+follow on bug.
Not part of the security industry so not sure what is common or not, but I would understand Apple being worried about sharing too much with a researcher they may not be familiar with.
I would also understand the researcher's point of view that this fell through the cracks or Apple is not willing to fix; and is likely what happened.
Apple will pay a million bucks? Fine, NSA TAO will pay $10m. Apple can't pay $10m or $100m a bug on a regular basis; for the customers to whom this matters the check is basically blank, as much as it takes.
>One person who will share those sales numbers is a South African hacker who goes by the name “the Grugq” and lives in Bangkok. For just over a year the Grugq has been supplementing his salary as a security researcher by acting as a broker for high-end exploits, connecting his hacker friends with buyers among his government contacts. He says he takes a 15% commission on sales and is on track to earn more than $1 million from the deals this year. “I refuse to deal with anything below mid-five-figures these days,” he says. In December of last year alone he earned $250,000 from his government buyers. “The end-of-year budget burnout was awesome.”
It should probably be pointed out that once you do this, you’re in the weapons industry. Your work will likely be used, directly or indirectly, to put a bomb through someone’s roof or put them in prison for a very long time. Make sure you’re okay with the ethics of it.
By this logic, Americans should stop using cars at all, 'cause all that oil is coming from the Middle East, Saudi Arabia.
Damn strange feature that allows me to compromise any screen-locked mac.
If you get a certain key combination in before focus switches, it stays on the desktop, and you can continue to input - fire up a terminal, do whatever you fancy. It’s all blind, but still perfectly dangerous.
Certain full screen apps, if they have focus when you lock, retain focus indefinitely. Paradox Interactive games, for instance - Stellaris exhibits the behaviour nicely. This even includes mouse focus, and if you Apple-tab, then focus goes to whatever you Apple-tab to. You can only restore focus to the Lock Screen by clicking in the password field.
Both times I reported this I got a pedantic “locking the screen does not terminate applications, which may continue to run in the background” response.
Also, I'm not sure that saying "we have discovered a deeper problem that goes beyond what you reported" really delivers much information beyond perhaps telling the researcher to keep investigating (although if they're already getting the bounty, the additional investigation wouldn't really be useful).
Having an e-mail from the company confirming the bug is serious and systemic massively raises its market value. Security is necessarily trustless. These game dynamics are unavoidable.
That is a very mistaken assumption. Even NDAs backed by threats from nation state intelligence agencies aren’t sufficient to keep exploits from being resold multiple times.
Or maybe that someone in the first buyer's organization resold it?
I've worked on the company end of bug bounties too, and it does happen that a report just falls through the cracks. Seemingly-inactive reports do need a certain amount of maintenance; you don't want to just trust that everything will work out in the end. (That said, as long as you get responses when you ping the company, things are working in the background.)
(edit to followup: in about 18 months of this, I encountered one report that had fallen through the cracks. Obviously, there might have been others that never came to my attention at all, but the companies are tracking things much more carefully than researchers often assume.)
I have heard of many researchers having extremely long delays, poor communication and simple things like not acknowledging the bug submissions.
"Two days ago, after iOS 15.0.2 was released, Tokarev emailed again about the lack of credit for the gamed and analyticsd flaws in the security advisories."
They didn't give him credit in the last 5 advisories. Really no excuse for that imho. If Apple keeps this up then why would anyone report bugs to them when you can just post it online and get credit for it right away? Or sell it on some 0-day site.
Every field works in a certain way and when it comes to bounty you want to make a name for yourself. You can't just pull up and say you are the one.
But yeah, maybe they should just sell it to third parties.
> I feel for company leaders in this kind of shitty journalism
You're not making sense. Plus Apple has a history of being incompetent and slow on this.
Have they, really? Just because you find this instance here and there of such a story where they were, doesn't mean they have a history of being incompetent and slow on this (the same way someone who hit 99% of their three-pointers doesn't have a history of being an awful shooter).
That's how they fare long term:
Or to put it another way, when you poll people who complain Apple is notoriously slow to respond, don't be surprised if your conclusion is that Apple is notoriously slow to respond.
>The company hasn't denied the bounty, they're just incompetent / slow on this process.
People probably expect more from... checks notes The world's most valuable and successful modern corporation.
Pay very well? Often, assuming they actually pay, sometimes you can get stiffed there too. Very fast? Nope. Easy to work with? Nope. Communicate with you any better than Apple through the process? Not usually.
The above type of organization is what I was referring to. So if you consider the grey market buyers[1] of exploits “terrorist orgs”, then yes. If you use the normal definition of “terrorist orgs”, then hell no.
[1] three letter government agencies, defense contractors, and those who sell to them
There's nothing here that suggests Zerodium, or someone similar, would pay the same amount Apple is offering and there's nothing that suggests that Apple doesn't intend to pay this or credit him. That's all completely conjecture.
What is this based on? My understanding is that Apple pays out 99% of the reported bug bounties and that's only because they include multiple submissions in the totals but not in the payouts (they only pay out the first discovery or root discovery).
Those are my favorite recent examples, but specifically Apple has huge issues with turnaround time. They also don't communicate with or assist the researchers who found these exploits either, which makes things particularly frustrating for people who ultimately both want to secure Apple's systems. Their overt hostility, history of poor communication, and frankly pathetic bug bounties are all contributors to how people perceive Apple's relationship with security experts.
This makes it seem like this is a recurring problem yet there are only a handful of complaints.
With 0-day security vulnerabilities, slowness equals incompetence. Companies with unbounded resources like Apple have absolutely no excuse for not being able to move as quickly as a small startup on issues like this, unless their message to shareholders is "yes invest in us so you can see our performance literally decrease with every dollar invested".
> Why are people out to crucify Apple (...), they're just incompetent / slow on this process.
That's exactly the problem when they're endangering the security of approximately one billion users.
Anyone who actually pays money or golden bars within a reasonable timeframe?
> It's a significant vulnerability, but there's e.g. no price list entry on Zerodium
On this scale I think it's "Contact us and we negotiate" sort of price.
Governments can already pay prices comparable to the supposed bounty valuation of this bug for code execution. They're probably not shelling out six figures in gold bars for a bug that exfiltrates contact lists from apps that have to be installed from the app store.
The non-bounty market clearing price for a lot of scary sounding vulnerabilities is $0.
Cellebrite and all the surveillance-as-a-service shops might be interested in information disclosure bugs. You maybe will not get the $100K Apple promised, but maybe you can sell it four times for $30K or something like that if the bug is still "good enough" for certain uses.
RCEs in Windows or iOS go for a lot more than a measly $100K if you can manage to get in contact with the right people. Think 10-20 times that.
This is a bug that allows you to read contacts from a malicious app installed from the app store. It's not drive-by contact exfiltration; it's intensively interactive. I'm surprised the Apple bounty terms are so generous-sounding about bugs like these, but I read them, and I'm not contesting the $100k the article claims this is worth.
Apple can't really outbid the grey market on RCEs, but they have clearly outbid it on this bug.
But who knows, it still might be worth a few bucks to you because you've already figured out the delivery. And your relationship with somebody with the skills to find interesting bugs and the willingness to sell to you might be worth even more, so you might pay money not just for the bug but for the relationship.
It's not that bugs of all stripes don't have plausible value. It's that there isn't a market for most of them. Bugs are small parts of the enterprises that exploit them. To purchase a bug for significant amounts of money, it has to slot into some kind of business process that will profitably† take advantage of it.
What people are subtextually observing with these $250k vulnerabilities is that there are a bunch of well-scripted playbooks for profiting from RCE vulnerabilities on widely distributed, unevenly patched devices. There may be no meaningful cap to how much a phone RCE is worth, since the IC's alternative to RCEs is human intelligence work that will dwarf any RCE cost just in health and benefits overhead for personnel.
But there just aren't a lot of business processes that profitably exploit stolen contact lists from malicious application installs. You can come up with lots of stories about those processes, but the key thing is that for a bug to be worth a bunch of money, that process already has to exist and be working; the cost of building all the business process stuff around the bug will rival the cost of the bug itself. Bugs have finite lifespans, and "snarf contacts from malicious app" bugs are idiosyncratic, and tend not to be pin compatible with a steady stream of similar bugs that would justify keeping that exploitative process up and running.
This is for what it's worth all my own personal weird theory of the situation, and I don't sell or buy bugs. But I have repeated the theory to many people who do either or both, and nobody has told me I'm totally wrong about it.
† For some possibly non-economic definition of "profitably"
1. The bug lets you download contacts. Nothing else. As you've said, no one's going to pay six figures for a bug that lets you get someone's contacts from GameCenter. If this was even slightly more abstract and didn't specifically deal with just GameCenter, I could see it being valuable for companies that do phone-to-phone transfers, for example, because you could download someone's contacts from a locked device. This isn't that, though.
2. Nowhere in the article, or even the original tweet, does Apple acknowledge or state that he was the person that initially found the bug. They just confirmed that the bug exists and asked him to keep it confidential. It's entirely possible that the reason for the delay is because someone discovered a lower-level bug that rolled up to this and it's a bit less clear-cut who is owed the credit for the fix that they released. They're not just going to go around and pay everyone who claims to have found a bug. They have to verify it and make sure that it's not something they've already discovered through another report or on their own.
3. Sometimes this stuff just takes time. When you're dealing with codebases that are as large as this, changing a small thing to fix a bug can unintentionally break a bunch of other things. It's not always a simple matter of "this small piece is broken and is completely independent of everything else". We have no idea if this is or isn't one of those cases because we don't really know much about it (and for good reason).
I, the evil overlord, would very much like to know who is ratting out my secret initiatives to those nosy journalists. Maybe some of them don't keep good information hygiene and will download my simple but quite addictive game? At least I get to know some names and addresses.
Or make useless copycats, as Kosta Eleftheriou proved already is a way of choice in the iOS App Store.
E.g. one of the first GDPR fines here in Germany was issued against a company that had their customer DB dumped, specifically for still storing some user passwords in plaintext.
As a first-order effect, sure.. but Apple is not immune to the damage that this causes either. More importantly, their failure to pay or honor their commitments would be the root cause of this in the future.
They opened this "bug bounty" door on their own; they are solely responsible for its success or failure.
The two options:
- someone fully discloses a 0-day. Apple is embarrassed, users can take mitigating action until it's patched. Apple is probably forced to patch. End result: really embarrassing for Apple. Small risk to users that's pretty ephemeral.
- sell to highest bidder. Black market or at best grey hat. Exploit is used against users. Nobody really knows it's happening. Maybe that eventually comes back to give Apple a bad reputation, but not likely to happen in the short term.
One of these courses of action disproportionately hurts users a lot and Apple not very much. The other hurts basically only Apple and users very little. Even if you argue that the black market might eventually hurt Apple a little bit, it's still a very small hurt.
If your goal is to piss off Apple, it seems clear that full-disclosure is the thing to do here. If your goal is just to clear your conscience on the morality of selling exploits to bad people who intend to use them to do bad things - well, I'm sure you'd find a way to justify that no matter what Apple did. The human mind is good at self-justification.
> More importantly, their failure to pay or honor their commitments
What commitment? A bug bounty program isn't a commitment to do anything. It's not a contract or a work agreement. At best it's sort of like a contest.
But even disregarding that, I'm not sure this bug even is in any of the categories they list. What they say is: iOS user installed app can access sensitive data including Contacts, Mail, Messages, Notes, Photos, or real-time or historical precise location data. I'm not sure this fits.
Is Apple being a dick? Yes. Are they breaking commitments they made? Not super clear.
And thereby accomplishing what, exactly? There is still merit, albeit not from a material wealth standpoint, for doing the right thing for the right reasons.
But in the grand scheme of things, does it even punish the tech giants? They have so many claws in a user's life, and in the case of Apple, your only other choice is Google or a bunch of shady OEMs.
At the end of the day the only people who pay for it are users themselves; their data is compromised and irreversibly out there.
That sounds like a good enough reason to report these bugs for someone with morals.
You can likely rely on a good majority of people to do the right thing when it isn't for or against their interests in any substantial way.
I'm not sure the amount of people that will do the right thing when it's not in their best interests by some small but noticeable amount.
I'm also not sure of the amount of people that will do the right thing when it's vastly against their best interests, but it's bound to be far less than the prior group, and I suspect it's way below a majority.
The point isn't that these people aren't doing the "right thing", it's that these programs are designed to align doing the right thing with the best interests of the researchers, so noting that we might get more results that are not in the best interests of society at large or the company in question if they don't hold up to what they agreed to is not only a valid observation, it's the likely outcome if we're to expect these programs exist for a reason.
To put this in perspective, say you find a suitcase with a million dollars in it. You can turn it in, or you can keep it for yourself. If there's no real expectation you'll get anything if you turn it in, how does the reasoning go in your head? What if you know you'll get 10% for finding it and turning it in? What if you live in abject poverty? What if you have $60k worth of medical bills for a family member to pay off?
By that logic, a grocery store giving away everything for free is the right thing to do. Doesn't lead to anything sustainable though.
Actual weapons our government sold to Saudi and others.
Selling a zero day would probably fall under a weapons clause.
Most zerodays are probably not bought by China to spy on dissidents; they are more like knives. On the contrary, when we sell bombs to Saudis we can be 95% sure they will be used in Yemen.
There seems to be the strange worldview where ordinary joe must be morally impeccable but its corporate leadership can be as immoral as they come.
Like the richer you are, the less rules you have to follow. Surely it should be the other way round?
Next time someone finds one of these, I wonder where they will report it to...
Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user's interaction with these contacts (including timestamps and statistics), also some attachments (like URLs and texts))
I thought it included SMS and iMessage contents, which does very much sound like what Zerodium is looking for. But reading it again it’s not actually all text messages.
If you're ever in Amsterdam and feel up for drinking a beer with someone interested in netsec, feel free to email me.
Or coffee, tea, your beverage of choice.
I did a couple of fairly good security courses and about 300 hours of hackthebox.eu. So while I'm not a professional, at least I've scripted with IDA Python and defeated fun boxes like PlayerTwo.
Based on what? There's nothing to suggest that this falls into the category for an "information disclosure" according to Zerodium's eligibility guidelines.
And all it takes is one of those unsung heroes giving up on reporting to Apple and, instead, reporting to some 0-day company, and some ransomware goes brrrr.
It's one of a few reasons I have made some in-roads into moving off the platform.
Seems like in this case it's just a mistake that was made.
At least some are going back to the Full Disclosure days...
Based on what? You can't possibly know anything about this bug or what stage of the reporting process it's in and Apple regularly pays and credits people for reporting vulnerabilities and other exploits. This specific bug just isn't a high enough priority to elevate it to the level you're describing.
Apple doesn't want to patch zero-days used by US authorities in order to alleviate pressure on its encryption practices.
So they really only want to fix zero-days that are known broadly or get media attention. And they don't want to give too much incentive to researchers to report zero-days to Apple instead of selling them to the highest bidder (which may ultimately be the largest governments with the greatest ability to regulate Apple).
Apple is not that different from the status quo on end to end encryption as to necessitate a conspiracy (probably even in jest). They have no iCloud encryption, no photos encryption, no device backup encryption etc etc.
As far as the original article, I agree completely that not paying and crediting these folks in a timely manner is just stupid and will reduce Apple security long term.
If you don't like that "feature," don't do iCloud backups. I do direct backups as described in the support link. Apple doesn't have those keys.
Ask anyone who works in one of these organisations and they will attest to how many former IC people fill the ranks in certain areas.
Why would they bother fixing any of the bugs ?
Hope we soon get a usable Linux phone.
The people in the Apple store provided no fixes but suggested formatting the machine which I guess would be illegal in most places.
It makes me worry that I could be Jason and someone could remotely format my computer… it’s scary that something like this is possible.
Isn't that standard procedure for any company faced with a 0-day, prudent, and the right thing to do?
You can, of course, disclose vulnerabilities whenever you like. But don't expect to get a bounty if you piss off the vendor in the process.
The software is going out the door alongside the latest version of their biggest money-making product.
Note well how quickly 15.0.1 was released.
When it comes to phones I feel stuck behind a rock and a hard place - choose iPhone, with poor Linux integration and threats to passively scan files on my phone and forward them to LEO? Sure, they have a decent record with security but these bug bounty reports haven't been great.
Or choose Android, with its poor privacy record, a result of being built by an ad company that's already scanning my phone and mining it for data?
edited to add - While I'd love to see a true competitor in this space (i.e. not based on Android - those projects don't seem to work out well as a result of being half-in/half-out of the ecosystem) I don't see how it's possible without the support of the large tech players - Facebook, Instagram, Snapchat, WhatsApp, Twitter, and Spotify at minimum, to say nothing of the long tail.
This wouldn't be much of a problem if it wasn't for Google's SafetyNet that prevents Android apps from running on hardware and software platforms that Google doesn't approve of. You wouldn't need support from large companies if you were able to run the apps they already release for Android.
Compatibility layers like Anbox or Waydroid that allow you to run Android apps on Linux can't run SafetyNet-enabled apps, despite having no problem running other Android apps.
SafetyNet prevents compatibility layers like WSL 1 & 2, Proton or WINE with Android support from coming to Windows or other platforms, as well.
It's not Android/Google forcing SafetyNet on you, it's app developers insisting you need some special end user setup
> What's SafetyNet have to do with anything?
I thought I made that pretty clear in my post. I was addressing a post about competitors to Android facing challenges because of lack of app support from major companies.
SafetyNet helps Google maintain their mobile OS duopoly with Apple by preventing other mobile operating systems from running Android apps, despite there not being any technical reason why the apps can't run on other operating systems.
Steam was able to bring Windows games over to Linux via Proton because of projects like WINE. SafetyNet precludes running Android apps on devices and operating systems Google doesn't approve of.
Microsoft was able to bring Linux apps over to Windows via WSL 1 & 2. SafetyNet precludes running Android apps on Windows unless Google gives Windows a pass in their DRM.
For me it isn't really the tech companies that need to buy in to make an alternative phone OS viable, but things like banks. Online mobile banking is one of the main things I use my phone for after web browsing and messaging. The probability that it won't work on some third OS is what puts me off trying some of the alternatives.
You can download the source, modify it, and build them all freely. Hopefully more people can get involved and move the needle instead of only lamenting how they don't succeed while not actively trying to help them succeed. I mean this in a respectful way.
That's totally fair. I don't really have the time or Java/Kotlin/mobile familiarity to jump in here, and these aren't skills I can easily apply elsewhere in my career, personally.
> LineageOS has been going for quite a while now, CalyxOS is relatively new, and GrapheneOS (previously CopperheadOS)
My impression of these OSes is that they still rely on Google Play Services - or if not, micro-G which has many shortcomings. When most of the ecosystem doesn't work until you invite Google back in, it doesn't seem like a true alternative IMO.
Admittedly I haven't personally tried running any of them. Which one would you recommend trying if I were aiming to rid myself of Google's omnipresence?
I have used CalyxOS and it's a great OS. I did use microG and 98% of the apps I use worked flawlessly. If you have a supported phone, I'd definitely give it a shot.
Graphene does not require Play Services, but it only runs on a small subset of Android phones that are ~$500+ here (heavily discouraged to use anything older than 4a 5G)
Have a source for them sending less data? Even if it were true, the use of that data differs.
None of the apps on Amazon App Store or F-Droid use Google Play Services.
If you can't see the value apple offers, that's fine, but to be blind to what they offer others seems odd.
I've yet to be scammed by Apple's app store. I.e., I can cancel my subscriptions easily, and you can even get a refund on bad apps if prompt etc.
I have been repeatedly screwed by websites run by developers outside of apple. These websites have been LOADED with trackers, they have impossible to cancel subscriptions, they do all sorts of dirty tricks (I'm tired of the intercom type follow-up emails - sorry I missed you, give me one last chance etc).
I get it, the dog eat dog crapfest is appealing to some, but Apple offers an alternative, and for some people that has value. And yes, I get it, the folks making these eye blinding slow websites have lots to say about apple, but my weather app opens promptly on apple, whereas the ad littered weather pages online bog my machine (with 100x the memory) down.
It's especially pronounced in Apple-related threads (one of the few topics that I browse HN for as there are a lot of topics I have no experience or expertise in) where all the nuance seems to have been zapped away as of late. It's either you're a complete Apple hater or a complete Apple fanboi and there's no in-between anymore. I have lots of criticisms of Apple but it seems like there's nowhere to discuss them anymore because they're immediately taken over by "Apple wants to scan your phone" and "Apple is suing mom and pop repair shops" or other hot takes that completely misunderstand their situations.
The scan your phone, repairs shops should be able to fake battery replacements or change faceID sensors without controls type stuff is also in this, or no reason for apple to make certain decisions (despite obvious reasons) etc.
It's gotten to just BLIND reaction - i.e., Apple is done, when reality is Apple remains far more trusted than almost any other company (or govt) brand wise.
But, IIUC, both of those are completely true.
Just some examples:
- Integration between their devices cannot be matched by others
- Apple Watch has the largest app collection, great integration between iOS and Watch apps, smooth animations/UX, the most accurate GPS of smart watches
- Handover of AirPods between Apple devices is a lot better than with other Bluetooth headphones
- (subjective) iOS has a lot better UX/animations than Android
Nothing matches it. I had some minor issues setting up my newly purchased M1 from an Intel backup, but it was quickly fixed when I updated the OS.
Always, always, always use a directly connected external hard drive. The networked version is terrible.
But he is over-reacting about the confidential line. When I worked at Apple years ago I added a similar line when dealing with external people. And in every email I have sent whilst working for telcos, banks etc over the last decade a similar line has been included automatically at the footer. It's more a boilerplate polite request not a demand.
It's the first line of the email after the greeting, manually written in.
And being a very serious security vulnerability (enough to warrant its own release) they are probably just being cautious.
It really is a polite request not some legal demand.