> Apple might take this more seriously instead of having some PR flack write marketing copy

What are they supposed to do?



Take security a lot more seriously than they currently do. They've had some seriously embarrassing security holes in their software the last few years.

Also, they could increase the payout for their bug bounty. Why report to Apple for a 0-day when you can make $1 million from these guys? It's not like Apple doesn't have the cash.


> Take security a lot more seriously than they currently do.

That statement doesn't mean much. How do you know they're not taking it seriously enough and still struggling with the enormity of the problem regardless? You could always claim any entity isn't taking security seriously enough.

The alternative explanation makes a lot more sense: security is extremely difficult at Apple's scale, serving a billion consumers with complex and essentially always-connected electronic devices (not to mention their huge services business now). Devices that also happen to be one of the single most important attack points that there is.


Then why not increase the bounty? What are they possibly going to lose? What’s a few million for a company that makes hundreds of billions a quarter?

If you’re gonna say there will be a flood of zero days so that the cost will add up, that also doesn’t support their security seriousness.


They could attempt to slow down the ad-ridden stupidity train they have everyone riding on, believing there is no such thing as iPhone security tools besides the steaming iOs UpDaTeS.


Apple takes security more seriously than almost any other vendor in the entire world. It's in a small club of vendors that operates at the literal frontier of what computer science knows about building security into commercial products. No reasonable argument about what Apple can do starts from the premise that they don't take the problem seriously.

They aren't above criticism. They do some things well that Google doesn't do as well, and vice versa; it would be good if everyone could level up to the highest standards set by any in the club. It's totally fine to point these things out.

As for the bounty payout thing, I highly recommend you track down a talk from someone that has run a vulnerability/exploit market; there are a couple. The economics of selling vulnerabilities to the grey market are nowhere near as simple as they appear in ordinary message board threads. In particular: Apple offers a fixed, lump sum payment, where every market I'm aware of offers tranched payments that end when a vulnerability is burned.