Comment by insta_anon

5 years ago

What I don’t understand is:

Apple sits on this giant stack of unused money [1]. Why don’t they get the best security researchers in the world, pay each of them north of $1M / year in salary and create the ultimate red team where their only task is to try to hack Apple devices?

If they get a team of 1000(!) people, each with $1M(!) in salary that would be less than 0.5%(!) of their revenue in 2019 [2].

Wouldn’t that be worth it?

[1] https://fortune.com/2018/01/18/apple-overseas-cash-repatriat...

[2] https://www.statista.com/statistics/265125/total-net-sales-o...

There are dozens, perhaps hundreds of people working at the level we're talking here --- vulnerability research is highly specialized. So the better question is perhaps why Apple doesn't build a program to train 1000 researchers to compete.

  • I get the impression that while Apple is world-class at HW ops, they are very mediocre at people ops. (and I get the impression that Google is the opposite)

    • I guess. Project Zero has a sort of unique history; as I understand it, it's less a reflection of Google's distinctive culture than it is Google's savvy in acquiring and nurturing a pre-existing research culture, and that might not be replicable. But you can also ask the question: how much of an impact has P0 had on shielding Google and its partners from similar vulnerabilities? If your impression is that, because of people like Ian Beer, Android phones are basically impregnable, I'll submit without a lot of insider knowledge that you're probably mistaken.

      What an Apple P0 buys Apple might just be a bunch of favorable nerd press cycles. But that's not a problem Apple really has.

      I am, however, convinced that with the right resource commitment, you could scale up a world-class research capability --- to potentially arbitrary levels --- without headhunting existing researchers, which is where I see the bottleneck right now.

      Or, I mean, Apple could just rewrite their OS infrastructure in a memory-safe language. If I had the two options, I would put all my chips on the language change.

      (I think P0 is extremely cool and valuable to Google in a bunch of ways and would be thrilled to see more major vendors try to replicate it, even if I doubt they'll be successful).

    • I think you're very _very_ wrong about people ops at Apple.

      The reason why Apple in 20 years turned from being 90 days away from bankruptcy to a revolutionary machine and the most valuable, 2+ trillion dollar company in the world is not because of HW ops or anything else, it's because of people.

      While we know Steve Jobs had "issues with people", he also clearly stated:

      > My model for business is The Beatles. They were four guys who kept each other's kind of negative tendencies in check. They balanced each other and the total was greater than the sum of the parts. That's how I see business: great things in business are never done by one person, they're done by a team of people.

      It takes a lot of people effort, talent and operations to achieve what Apple has achieved. So I think saying Apple is mediocre at people ops is unfair.

      There's also the highly secretive internal Apple University for employees - https://www.nytimes.com/2014/08/11/technology/-inside-apples...

  • That’s of course another option.

    I am just surprised because there are so many problems in tech where throwing money at it is not going to improve things.

    However in this case, shouldn’t they be able to attract the best in the world just by turning the money gauge up?

    If you are one of the most highly specialised vulnerability researchers in the world, would you seriously reject a $10m / year offer from Apple where you’d be able to spend all your time doing what you love with the only condition being that you report findings to Apple?

It mystifies me too. I'm an independent security researcher that currently has a vulnerability in macOS with grave implications. I'd like to sell it to Apple for a fair price, but their security email is a dead end. Every time I've reached out they want me to disclose all of my research up front, no price negotiation. After doing as many bug bounties as I have, I've been burned one too many times by companies giving ~$200 for weeks or months of effort (less than minimum wage of course) on P1/P2 vulnerabilities in their infrastructure. I'm talking to a few groups who are willing to negotiate a price with me, but I can't be sure of their intent. I want to get it patched, but it's difficult when Apple themselves are disinterested.

  • They set out what they think is a fair price here: https://developer.apple.com/security-bounty/

    Do you have any reason to think that Apple could stiff people that submit vulnerabilities to them?

    My understanding of game theory says that Apple’s incentives are to try to act with integrity and to pay their bounties. There may be corner cases where confusion reigns, and where Apple mistake someone for a fraud, but I would presume they need to be very rare – otherwise Apple’s reputation as a buyer would suffer and people would sell to other buyers who cared for their reputation better (and every vulnerability sold to a third party has a high expected cost to Apple. Edit: on second thoughts maybe the cost to Apple is fairly low - certainly the maximum bounty size says that).

    Edit: I agree that Apple stating a maximum payout is hardly helpful. I presume third party buyers indicate a minimum value they will pay depending on the value of the vulnerability to them. There is a market here, and it isn’t clear that Apple is willing to pay market prices, perhaps because too many people/teams give their vulnerabilities to Apple for $0 (e.g. projectzero!)

    • I think it's more complicated than just what they list on the bounty site. In this case the parent commenter has to provide all of their work to Apple, before discussions of what it's worth. Additionally, it's not like there is a clear and transparent market around the bug bounty market. Unlike the Chrome bug program which releases all of its reports, discussions, and payouts after ~90 days or so, there's no way to see the history of what's been reported to Apple.

      In what other industries is that the case?

You can hire all of the smart people willing to work for you, but there will always be someone smarter not able to join you. That's either because they don't like you, or something else preventing them. Either way, you cannot guarantee that you will catch 100% of the vulns 100% of the time.

No, because there is no reason to assume that would materially improve security. Do you think a bulletproof vest manufacturer hiring the best gunmakers in the world would dramatically improve their bulletproof vests? It could help, and it is certainly essential to have good bullet/gun engineers on staff, but you would probably be better off hiring people who know materials science and the actual job of making bulletproof vests.

It would be far more beneficial for them to just use the tried-and-true techniques that have already been deployed for decades in high-reliability/high-security systems. In the event that such things are too onerous, they could run development methodology tests to remove the elements that provide the least security ROI to produce lesser, but still good, systems at a reduced cost. This would be far more likely to produce a good outcome than taking the standard high development velocity commercial methodology that has failed to produce meaningful security despite decades of attempts and enhancing it to be a high security process. At least in the former you can be reasonably confident you get good security, though possibly at a higher cost than desired. In the latter, although the cost may be less, the security is a complete unknown since you are using a new process invented by people who have never used, let alone made, a high security process before and it is a class of strategy that has literally never succeeded over multiple decades of attempts. Not to say it could not happen, it took hundreds or possibly even thousands of years of failed attempts before heavier-than-air flight was cracked, but they would probably be better served just using the existing techniques that are known to solve the problem.

Because there are always more bugs to be found in unsound software.

This finding is not about this single bug, it's just that someone bothered to scrape the surface.

(Note that 99% of the effort went into crafting the demo exploit once the vulnerability was found, which is basically wasted effort in the context of eliminating vulnerabilities - the vulnerability finding was easy)

Well, they might be trying. They recently hired Brandon Azad from p0, who definitely is up there. The problem is that a lot of high calibre security people simply don't want to work for Apple. I suppose it's out of spite for all their shitty policies.

You already know the answer. Shoveling billions of dollars into a pit that doesn't help Apple make even more money is never going to happen.

  • I am actually not convinced about your assumption that it wouldn’t make them any money in the long-term.

    My theory is: people that are quite tech savvy (like the HN crowd) would look at such an effort quite favourably and these folks are often micro-influencers when it comes to buying decisions of their direct peers.

    Just an anecdote, but my entire family uses Apple devices, because I am the go-to computer guy in that circle and I advised them to buy Apple. The company that I co-founded used Apple hardware and so on.

    Maybe that is just wishful thinking and it is hard to quantify, but I’d like to believe that increasing your reputation with developers (who in themselves are a niche) helps you grow revenue in the long-term nevertheless.

    • I mostly agree with you. I'd like to point out this seems to be the first project zero post on HN that hasn't had a handful of posts suggesting project zero is a hit squad going after Apple.

    • Well your anecdote doesn't seem to support your argument.

      Google is the one paying all those researchers at Project Zero, Apple doesn't seem to have that kind of security group, and yet you still buy/recommend Apple instead of Android.

      I am sure it can move some people, but the reality is that this kind of effort is so down the list of priorities when buying for most people that it is certainly not worth $1B per year.