
You answered your question.

Making a CPU requires exactly "photographic plates and film, exposed and developed, other than motion-picture film", i.e. lithography and more and more extreme wavelengths.


Too bad it does not contain any of the grape (genus Vitis) varieties.


What is the service? Indexing and aggregating news? This is commodity now.

Do you find this more valuable than the act of actually researching, writing, editing, and publishing the articles themselves?


It's advertising. Google drives traffic to the articles.

If Google stops linking to news articles, media companies would be the bigger losers than Google would be. Admittedly Google isn't Facebook -- its value to users comes from indexing everything. This is probably why they accepted this deal.

As a Canadian, I wish that they'd just gone ahead and blocked Canadian news.


> If Google stops linking to news articles, media companies would be the bigger losers than Google would be.

Only on the margin. If all countries in the world simultaneously imposed this law, and google stopped linking all news articles world wide, then Google would be the bigger loser than media companies.

It's important to acknowledge the problem: Google extracts more monetary value from the news industry ecosystem than the value it creates.

I am not entirely sure if forcing Google to pay that difference is the correct solution, or whether helping evil media companies in this way is the right thing to do, but the problem exists.


> If all countries in the world simultaneously imposed this law, and google stopped linking all news articles world wide, then Google would be the bigger loser than media companies.

Large media sites would perhaps benefit from that but in general I don't think that's the case. I get almost all my news from link aggregate sites like Hackernews and Reddit. If I didn't get news links from those sites, I'd end up consuming less news. Especially local news.

> It's important to acknowledge the problem: Google extracts more monetary value from the news industry ecosystem than the value it creates.

I don't think that's the problem. The problem is that news just isn't that valuable anymore. The only reason it was as profitable at all was local monopolies on distribution. Craigslist did more to kill media profitability than Google could ever do. Now you just have a thousand media companies all writing an article on the same current event and trying to capture a few eye balls mostly from being linked to elsewhere.


> Now you just have a thousand media companies

Those 1000 --media-- news companies have been created in part by Google. Google created a game, where the website with the best SEO would bubble up to the top of their news results - not the website with the best editorial standards. This was Google 'commoditizing its complement'. In the absence of Google (but even in the presence of social media like HN or Facebook), there would be far fewer news websites that would be rewriting/summarizing the work of the actual journalistic newspapers. And in such a scenario the fewer news companies would actually make enough to continue to do serious journalism.

This is a lot more apparent if you look at other languages, which are not indexed as much by Google. There the status of news companies is a lot better.


Some news isn't valuable anymore. In the world we're going towards, wouldn't it be fair to expect that reliable/verified news will increase in value? Similarly, what is the true value of local news that would otherwise go unreported?

It's important to consider what someone would pay for news directly alongside the value that a healthy media ecosystem plays in a healthy society. It's not called the fourth estate because someone thought it would be fun.


Whether I agree or disagree this doesn't have anything to do with governments legislating that Google pay the largest media companies some money for linking. I absolutely see value in a healthy media system but massive companies owned by billionaires paying each other would not fit that definition for me.


There’s no way Google would have agreed to pay $100 million if they didn’t have good reason to believe they’d lose even more than that by not having news.

It’s purely a cost of doing business thing, which is why I think the calculation is different for Meta. On Facebook there’s just so much content to fill the void that news isn’t such a big loss.


Examples of why French is hard:

https://youglish.com/pronounce/tous/french?

https://youglish.com/pronounce/dix/french?

Still very nice tool!


I don't understand Apple here.

Just put an army of people on fuzzing the shit out of iMessage and all its possible file attachments.

You tried and failed? Fire the bozo who led the effort. Try again.

You did not even try? Fire the c-level bozo who failed to see it coming and failed to approve such an effort.

But cynically, more and more it feels like some bugs have to stay unfixed, for NSA use, just that NSO is also getting on the game.


Given all the major tech companies aggressively fuzz everything maybe, just maybe, you're missing the additional possibility: fuzzing is still random and extensive fuzzing does not mean you will encounter the same code paths as anyone else.

You need to understand "do fuzzing" is not a magic trick to find all bugs in software.

Similarly: definitionally you will only ever see the bugs that are not found prior to shipping - any bugs that are found prior to software shipping will have been fixed.


Fuzzing is not a magic trick, in the same way as invariants are not, and unit tests are not, and debugging is not.

All these techniques have degrees of mastery, and if applied carefully, and in combination, can save you a lot of grief.

Dumb fuzzing will not get you anywhere, same as dumb unit testing, and dumb debugging.

In this case, iMessage is particularly well suited for some smart fuzzing because all the attack vectors seem to involve smallish malicious attachment files.


You're missing the point: It is possible for multiple distinct groups to all fuzz the same code and find different non-overlapping bugs.

You are erroneously saying "one group of people found a bug that could be found by fuzzing therefore apple is not fuzzing".

LibJPEG is decades old at this point and is still getting around 10 CVEs a year, despite being one of the projects I believe google constantly fuzzes.

zlib is getting a few a year despite being a vastly more constrained format than anything else imaginable, and again being a heavily fuzzed library.

If "do lots of fuzzing" caught every bug, then you'd get a big release that fixed all of them, and you'd never see any more.

> In this case, iMessage is particularly well suited for some smart fuzzing because all the attack vectors seem to involve smallish malicious attachment files.

I chose to include libjpeg above specifically to rebut this comment. That there are still CVEs coming in for libjpeg this year, despite years of fuzzing should be sufficient to show that even small attachments aren't magically invulnerable due to fuzzing.

Fuzzing is a useful tool but pretending that some project or software is going to be secure because it's been fuzzed a lot is nonsense, and pretending that fuzzing will find all the bugs is complete fiction.

Even software written in memory safe languages benefits from fuzzing: a memory safe language simply means your code will not continue if doing so would result in a memory safety violation, but for most memory safe languages that means at best an exception, but in most cases it means termination - that's what you get in Rust, Swift, or even functional languages like Haskell - and program termination can mean user data loss, or at least a bad user experience, so fuzzing is helpful even if bugs don't cause "security" issues.


Fuzzing the space of smallish attachment files is nowhere near a solved or even an easy problem.


Cynical reductionist me thinks Apple gets more ROI spending on marketing than in security.

They also spend a ton of engineering resources to prevent customers from using their products as general computing devices with the pretense of hardening security. It works to an extent and the tradeoffs are debatable, at least among tech-savvy folks in HN.


This was likely in a codebase that has been fuzzed extremely heavily. There are a lot of bugs that fuzzing cannot possibly reach. I'm guessing NSO group has a lot of talented vulnerability researchers who do code auditing. Companies need to invest in hiring and training these individuals and paying them what they deserve. Throwing fuzzers at things and calling them secure is part of the problem.


What code auditing? Are you claiming NSO has access to iMessage and iOS source code?

NSO seems to be finding more and more bugs by poking a black-box alone, while Apple cannot seem to be able to fix by looking at the source code with all the fuzzing and verification tools, and much more $$$ at their disposal.


Sorry I thought it was obvious that I meant reverse engineering the closed source pieces of iMessage and auditing the open source bits. Source code just speeds up the process for vulnerability researchers, so Apple has a leg up in this regard.

"Are you claiming NSO has access to iMessage and iOS source code?"

The last NSO zero-click was in an open-source library reachable from iMessage. This vulnerability is likely no different considering it was in an image decoding library.

NSO group hires many talented security researchers who specialize in reverse engineering and auditing source code. It is hard for people not familiar with security research to understand but there are a lot of very talented code auditors out there who have honed the skill of picking up a new codebase, understanding it better than the developer who wrote it within months, and then finding bugs in it. There are teams of researchers at certain exploit shops who spend their lives focusing on understanding a single target.

Fuzzing is a great tool for finding bugs, but code auditing will always be the best way to find amazing bugs and novel attack surfaces. Researchers who can do both code auditing and fuzzing extremely well (like lokihardt@astr) are even rarer and extremely good because they can both find interesting pieces of code to fuzz through auditing and find amazing bugs while fuzzing.

Apple is and should continue hiring these talented researchers. The point I am making is that they should hire these security researchers even more aggressively and other tech companies should follow. Most of them work at exploit shops like NSO group because they pay a lot better than big tech. One security researcher and one security engineer to every five developers for these critical pieces of code should be the industry standard not 1 security engineer to every 100-1000 devs...


They also probably use simulation software like Corellium that eerily simulates iOS seemingly to the extent Apple wanted them shut down. If anything, iPhones would be far more secure if everyone could get eyes on their OS and be able to toy with it experimentally. I suspect they aren't the only actor against such radical transparency at the corporate and governmental levels.


> exploit shops like NSO group because they pay a lot better than big tech

Ehh…it’s complicated. Often this is not the case.


You can audit binary code with tools like Ghidra and IDA Pro.

It takes a different mindset to find these types of bugs than it takes to develop software. I won't quite say they're orthogonal skill sets, but pretty close.

If the people finding these bugs don't want to work for Apple, Google Project Zero, etc. there's not really much Apple can do about it.


It’s not orthogonal, it’s complementary.

Programming mindset is about making sure what’s in the spec works.

Security mindset is about making sure that what isn’t in the spec doesn’t work.


Only requires one corrupt dev


From an information perspective we are looking at two pieces of information: the request itself, and the answer.

The answer contains just 1 bit of information, yes or no.

The request carries much more information. Did you choose me specifically from all my colleagues for this request? This informs me about you and how you operate. Did you wait until a specific moment to make this request? This informs me about you and how you operate. Did you attach special conditions to your request? Did you formulate it like it's nothing, when in fact it is a big deal? Etc.

The Askers think there is no information in the request itself and its specific formulation, and just care about the 1 bit of information in the answer. They also believe that the request-answer is a stateless transaction, i.e. that nothing gets memorized, or changes the environment going forward.

The Guessers are the opposite: they are very careful with what the information disclosed in the request itself can do to the environment, the people, and the relationship going forward.

"You could've just said no" is what Askers say when they want to say: please ignore all the information in my request.

Example:

You are a friend who often scratches/dings his car, has occasional accidents, etc. and you ask me to loan you my car, which I saved a lot for, restored old model, etc.

I will say, NO.

But I also learned something about you, that besides being careless you are also not self-aware, so I will take that into consideration going forward.


In my opinion Metallica's Eye of the Beholder produces an even more powerful effect with unusual timing.

See the first minute of the song: https://www.youtube.com/watch?v=pEBp9ulELLA

If you have good speakers, the effect can almost feel like the source of the sound is rotating around you.


I’m not a big Metallica fan but that album is great, especially the first part of that song, as you said.


Very interesting, so it could be that depression is essentially a race condition in the brain.


In what sense?

You kind of failed to say it as it is.


This reminds me of Richard Feynman's observation that some people count visually while others do it by sound.

You might be one of those people that can do math purely symbolically, by parsing and manipulating expressions, a bit like regular language and you don't need your brain to build a mental image for the things you work with.

I am intuition-first kind of person, and let me tell you, intuition is not a crutch, it can do things where symbol manipulations would take orders of magnitude more effort.

It is actually possible to imagine and manipulate highly-complex, multi-dimensional things that don't have equivalents in nature.

Imagination is a muscle used a lot when thinking intuitively, some of us have it developed to a ridiculous degree.


I think that's a good way to look at it. I'm definitely on the symbolic side of things for my understanding. I study pure math and the 1 applied math course I had to take (Applied Complex Analysis) was a nightmare because I was doing math without a formal framework.

I will say though that not every topic can have a sensible visual model to it, and being able to acquire symbolic intuition is probably essential to go far in any field.

