Comment by tptacek
5 years ago
There are dozens, perhaps hundreds of people working at the level we're talking here --- vulnerability research is highly specialized. So the better question is perhaps why Apple doesn't build a program to train 1000 researchers to compete.
I get the impression that while Apple is world-class at HW ops, they are very mediocre at people ops. (and I get the impression that Google is the opposite)
I guess. Project Zero has a sort of unique history; as I understand it, it's less a reflection of Google's distinctive culture as it is Google's savvy in acquiring and nurturing a pre-existing research culture, and that might not be replicable. But you can also ask the question: how much of an impact has P0 had on shielding Google and its partners from similar vulnerabilities? If your impression is that, because of people like Ian Beer, Android phones are basically impregnable, I'll submit without a lot of insider knowledge that you're probably mistaken.
What an Apple P0 buys Apple might just be a bunch of favorable nerd press cycles. But that's not a problem Apple really has.
I am, however, convinced that with the right resource commitment, you could scale up a world-class research capability --- to potentially arbitrary levels --- without headhunting existing researchers, which is where I see the bottleneck right now.
Or, I mean, Apple could just rewrite their OS infrastructure in a memory-safe language. If I had the two options, I would put all my chips on the language change.
(I think P0 is extremely cool and valuable to Google in a bunch of ways and would be thrilled to see more major vendors try to replicate it, even I doubt they'll be successful).
Most likely the M1 optimizations related to ARC are also a step into that direction.
And they are also moving all kernel extensions to user space anyway.
I think you're very _very_ wrong about people ops at Apple.
The reason why Apple in 20 years turned from being 90 days away from bankruptcy to a revolutionary machine and most valuable 2+ trillion dollar company in the world is not because of HW ops or anything else, it's because of people.
While we know Steve Jobs had "issues with people", he also clearly stated:
> My model for business is The Beatles. They were four guys who kept each other kind of negative tendencies in check. They balanced each other and the total was greater than the sum of the parts. That's how I see business: great things in business are never done by one person, they're done by a team of people.
It takes a lot of people effort, talent and operations to achieve what Apple has achieved. So I think saying Apple is mediocre at people ops is unfair.
There's also the highly secretive internal Apple University for employees - https://www.nytimes.com/2014/08/11/technology/-inside-apples...
The Beatles lasted less than a decade before blowing up over interpersonal issues. Jobs is really telling on himself here—at least pick the Stones.
Steve Jobs has passed away for about a decade.
That’s of course another option.
I am just surprised because there are so many problems in tech where throwing money at it is not going to improve things.
However in this case, shouldn’t they be able to attract the best in the world just by turning the money gauge up?
If you are one of the most highly specialised vulnerability researchers in the world, would you seriously reject a $10m / year offer from Apple where you’d be able to spend all your time doing what you love with the only condition being that you report findings to Apple?