Jay “Saurik” Freeman (@saurik), developer of Cydia, the alternative to the App Store for jailbroken iPhones, is passionate about vulnerabilities. At the 2015 Black Hat Conference in Las Vegas, we spoke to Saurik about how his passion for vulnerabilities generates the same sense of wonderment as watching a magician.
When a magician does a trick, he makes you believe he’s doing one thing, but he ends up doing something else. Security researchers are doing similar magician-like behavior when they’re exploiting vulnerabilities. In a show of bravado, they’ll create a sequence of events that you thought were impossible.
I asked Saurik if he knew why so many companies who are aware of vulnerabilities take months to fix the bugs.
One problem is that they’re not set up to differentiate between important and unimportant bugs. Because they can’t make a decision internally, bug fixes end up languishing.
Then there are some companies that do know about bugs and they fix them quickly, such as Google, said Saurik, but they rely on third parties to get that bug distributed. Google’s failure to distribute the bug fixes to the panoply of Android devices compounds a simple problem into an ever growing problem. The known bug has a second life as it gets installed on new Android devices months, if not a year, after the vulnerability was originally exposed. These zero day vulnerabilities end up living on as “forever day” vulnerabilities.