Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Bugs Are Too Valuable To Report To Apple (vice.com)

Posted by msmash on from the big-dilemma dept.

An anonymous reader writes: Last year, Apple launched a long-awaited bug bounty program to reward friendly hackers who report flaws in the iPhone to the company. Despite inviting some of the best hackers in the world to join, it's a bit of a flop so far. The iPhone's security is so tight that it's hard to find any flaws at all, which leads to sky-high prices for bugs on the grey market. Researchers I spoke to are reluctant to report bugs both because they are so valuable and because reporting some bugs may actually prevent them from doing more research. "People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly." Patrick Wardle, a former NSA hacker who now specializes in MacOS research and was invited to the Apple bug bounty program, agreed. He said that iOS bugs are "too valuable to report to Apple."

96 comments

  1. Foo by Anonymous Coward · · Score: -1

    NT

  2. So just increase the bounty... by Anonymous Coward · · Score: 5, Insightful

    Apple's pockets are a little deeper than most.

    They could surely increase the bounty to a point where no one could possibly compete with them.

    1. Re:So just increase the bounty... by Kergan · · Score: 3, Interesting

      They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet" until a zero day rears its ugly head. It's not like Apple could buy the stuff at an auction or something - or could they?

    2. Re:So just increase the bounty... by Anonymous Coward · · Score: 1

      Yes, except that corporations are allergic to giving away money, except to useless senior executives in the form of grotesque bonuses.

    3. Re:So just increase the bounty... by jeremyp · · Score: 4, Insightful

      I don't think the economics will work.

      iOS bugs are presumably valuable because they allow you to exploit users for lots of $$$ and because they are rare. If Apple raises the bounty, then unfixed bugs will become even rarer and grey market prices will rise and you are back where you started.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    4. Re:So just increase the bounty... by Anonymous Coward · · Score: 0

      In grey market, you can sell them to multiple people without buyers knowing. So, Apple needs to outspend multiple secretive government agencies combined.

    5. Re:So just increase the bounty... by Anonymous Coward · · Score: 5, Insightful

      You are not right back where you started. You just said by raising the price unfixed bugs will become even rarer, which is the goal of a bug bounty program.

    6. Re:So just increase the bounty... by geekmux · · Score: 1

      They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet"...

      Let's remember this is a reward program, not a ransomware scheme. Payment is rather dependent on disclosure and validation to vendor, so it's pretty easy to dismiss the full-of-shit concerns.

      And yes, Apple can easily afford to pay many times more than what they're offering. To your point, ignorance will likely ensure vendors find out the hard way what a proper reward should be.

    7. Re:So just increase the bounty... by MasseKid · · Score: 1

      The amount of money you can exploit the users for is a constant. Let's say you can milk users out of 10$ for a bug, apple wants to pay you 2$ and grey market wants to pay 5$ (they have to make a profit, just like everyone else. If apple raises their pay out to 10$, then they remove any incentive to sell to a grey market. The Grey market value will remain unchanged as it's price is set based on how much you can milk out of users based on a bug.

    8. Re:So just increase the bounty... by GameboyRMH · · Score: 1

      It's not like Apple could buy the stuff at an auction or something - or could they?

      They indeed could buy them from the black market cyber-arms-dealers like anyone else, at highly inflated prices. Zerodium will sell to anyone.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    9. Re:So just increase the bounty... by gurps_npc · · Score: 4, Insightful

      Not true.

      There are three markets for the bugs..

      1) Apple.
      2) Small time thieves (Mafia and their ilk)
      3) Big time thieves (NSA, Mossad, KGB, ISIS, etc.)

      The later two want the bugs to be cheap. But Apple should want the bugs to be expensive. And they can make it so.

      Apple can raise the price enough that thieves can't afford to outbid them. Granted, Apple can't outbid NSA and the other such global organizations. But they can outbid the small time thieves.

      Right now Apple is being cheap and letting common thieves outbid them. That is stupid. They should at least up the ante to the point that only the big time thieves, including terrorists and spy agencies to purchase the bugs.

      --
      excitingthingstodo.blogspot.com
    10. Re:So just increase the bounty... by Headw1nd · · Score: 1

      Yes, but Apple's goal is not to accumulate bugs, it's for there to be as few bugs as possible. Increasing the rarity of unreported bugs is their goal.

    11. Re: So just increase the bounty... by Anonymous Coward · · Score: 0

      If Apple pays a bounty, you can sell on the black market and then sell to Apple as well.

    12. Re:So just increase the bounty... by Anonymous Coward · · Score: 0

      The size of the bounty barely actually matters. The point of a VRP is not to pay researchers, it's to sow mutual distrust between two parties in the criminal underground. If bad guy A buys an exploit from bad guy B, either one of them could turn around and report it to the VRP for some side cash, in A's case after they're done using it and in B's case after they sell it. Just having a VRP means that all the bad guys either have to go from exploit development through to monetization themselves, or play the prisoner's dilemma game.

    13. Re:So just increase the bounty... by swb · · Score: 2

      Even the global security organizations have budgets and raising the prices high enough might make them less interested in high priced bugs unless they were well developed and high value. AFAIK, some of these exploits are theoretical and require a lot work to make them useful.

      I think I've also read there's kind of a supply chain for some of these bugs, from hackers to private security organizations that buy them and then resell them to state security agencies. I don't know, but I suspect that a lot of the hackers may not want to deal with state security agencies directly and prefer to sell to a middleman. If you can price the middle man out of the market, the hackers will have to either overcome their reluctance to deal with security agencies or sell to Apple, and for sufficiently high prices they may believe that the security agency price premium doesn't offset their aversion to dealing with the security agency.

    14. Re:So just increase the bounty... by gnasher719 · · Score: 1

      They might, but someone at Apple might also be thinking "no, they're actually full of shit and haven't found critical issues yet" until a zero day rears its ugly head. It's not like Apple could buy the stuff at an auction or something - or could they?

      If there was an auction, the right thing to do would be to shoot all the other bidders.

    15. Re: So just increase the bounty... by nehumanuscrede · · Score: -1

      Yup.

      This is just Apple being cheap and shortsighted. It also underscores the fact they don't take security as seriously as they claim to because, apparently, there is a point where they consider cost > security.

      Bump the reward to exceed black market prices and watch those bugs vanish quickly. Might consider hiring these very talented folks who are effectively doing the job your security minded types are supposed to be doing.

      Might even act to motivate your in house folks a bit more if they know their ass is on the line for every bug found.

      Long term longivity of a product like a smartphone is quickly undermined by a lack of trust in said device. Do it right the first time and you'll be that much better off in the long run.

    16. Re:So just increase the bounty... by willy_me · · Score: 1

      If the price increases then eventually, employees will start introducing bugs for their friends to find. A large payout for bugs can have unforeseen drawbacks.

    17. Re:So just increase the bounty... by Anonymous Coward · · Score: 0

      Thank you for your knee-jerk response, I am sure no one had ever considered this before.

    18. Re:So just increase the bounty... by cant_get_a_good_nick · · Score: 2

      OP used a bad term. Didn't mean rare as in fewer, but meant rare as in dearer. Kind of like "rare" diamonds... they're not really rare, just dear.

    19. Re: So just increase the bounty... by Anonymous Coward · · Score: 0

      Sure.

      Best case: you cash in twice.
      Other cases that are far more likely: Apple sues you into bankruptcy and makes you live in squalor; Black market criminals figure out that you screwed them and physically harm you.

    20. Re: So just increase the bounty... by Anonymous Coward · · Score: 0

      Black market criminals figure out that you screwed them and physically harm you.

      I doubt many researchers are selling bugs in the black market using their real names. Apple might just sue them into bankruptcy even if they don't double dip. And the thugs aren't going to find much other than an anonymous proxy and a Bitcoin address.

    21. Re:So just increase the bounty... by Anonymous Coward · · Score: 0

      One bone to pick with your categorization. ISIS belongs with the ilk of Mafia. Their motivation is to raise money through extortion, they don't have access to government budgets to exploit these for intelligence gathering purposes. There may be some overlap with government agencies on the espionage side of things, but I don't think ISIS has gotten that sophisticated yet.

    22. Re:So just increase the bounty... by Anonymous Coward · · Score: 0

      Rare as in dearer is only a thing because rare is fewer. I cant just say hydrogen is now rare and the price will go up.

    23. Re:So just increase the bounty... by Vitriol+Angst · · Score: 1

      Apple can at least outbid KGB, ISIS and etc.,

      People at the Kremlin are embezzling and hiding too much of their government's money to have more than petty cash left for buying hacking tools.

      You can add China to the list of groups that Apple can't outbid because they've got a lot more money than Russia.

      --
      >>"ad space available -- low rates!!!"
    24. Re:So just increase the bounty... by guises · · Score: 1

      You're missing the most important market: Chinese third-party app stores. That's where the money is actually coming from, jailbreaking is big business in China.

  3. Then Apple is not paying well enough by Anonymous Coward · · Score: 3, Insightful

    Then Apple is not paying well enough if the grey* market pays better.

    * NSA, FAPSI, 3PLA, etc

    1. Re:Then Apple is not paying well enough by Anonymous Coward · · Score: 0

      +1 to this - the NSA or Russians/Chinese have government backed funds to get these exploits - Apple will never be able to compete, esp since they tend to hide their billions locked away in a safe half way around the world! haha poor apple man, they can never catch a break...

    2. Re:Then Apple is not paying well enough by Alain+Williams · · Score: 1

      If they are rare then Apple will not have to pay for many of them, so the cost will not be huge. They ought to publicise when they have paid a bounty (and fixed the problem). Apple should then pay these bounties out of the marketing department budget, not software development. Their marketing department probably has a larger budget than development.

    3. Re: Then Apple is not paying well enough by Anonymous Coward · · Score: 1

      The point of a bounty is to get whitehats to find bugs for you. People who are willing to sell on the black market may very well sell zero days to hacker groups and then also collect the bounty before it goes "public."
      It's hard to outbid a blackhat group for an exploit that could make them millions.

    4. Re:Then Apple is not paying well enough by Anonymous Coward · · Score: 0

      Of course marketing is bigger. Apple is a marketing company! Paying a few script kiddies to copy anything Android does is pretty cheap, and with the good marketing, has obviously been quite effective so far.

  4. Gotta Love the Free Market by Anonymous Coward · · Score: -1

    Apple needs to learn how to compete in a genuinely open market.

    1. Re:Gotta Love the Free Market by Anonymous Coward · · Score: 1

      Why? That does not exist.

    2. Re:Gotta Love the Free Market by FatdogHaiku · · Score: 1

      That's a +1 Painfully True...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    3. Re:Gotta Love the Free Market by fustakrakich · · Score: 1

      It contraband it most certainly does exist. But then all markets are 'regulated' by the irresistible force, an offer that can't be refused.

      --
      “He’s not deformed, he’s just drunk!”
  5. For all my friends browsing at -1 by Anonymous Coward · · Score: -1

    Read this...you'll be glad you did!

    Nancy turned the lights down, she hovered over me, her fetid breath enhanced by rubbing her stinky fingers on her teeth. I said, I am ready to taste your shit. Nancy smiled, I'm ready to stink you up. Nancy still had her panties on. They were sagging under the load of excrement inside. She placed her left hand inside and emerged with shit covered palm and digits. The ample load dripped from her. I reminded her that this was new to me. Only a taste. Vomit is not one of the smells that turns me on. Nancy wants to please. She licked most off and daubed her nipples. She extended her index finger to me and asked me if I liked the smell. Heavenly aroma, she rubbed her lips and put some on her outstretched tongue. She said she wanted to kiss me. Her tongue coaxed my lips apart. We French kissed. I felt her tongue, I felt the excrement, I felt excited too. It tasted slightly bitter and had a coarseness to it. I enjoyed the experience of having such a lovely stench in my mouth.

    I asked Nancy if my breath stank. Just like mine she replied. Nancy was recruiting a virgin to shit eating. She was getting excited and was a little more tongue aggressive with a second helping that she kissed me with. She was also sweating profusely. She asked if she could fuck me. I have a two headed dildo, not too long and shit lubricated. My quick reply, absolutely, and another small helping of your shit. Nancy inserted herself and penetrated me. Using her right hand she replenished the fecal mass on her face. I asked her to put her brown covered finger in my nose to be refreshed with shit. So slowly did she fuck me. Closing my eyes I luxuriated in the penetration, the smell and now the taste of shit. I wanted this to last forever, but the ecstasy equaled coitus erruptus. Nancy held out a little longer. Her orgasm ended in us being a tangled, sleepy heap on that tight table.

    I think a half hour passed and Evelyn entered the room. You look cozy and smell sexy, Evelyn remarked in a curious low pitched voice. Evelyn came over and smelled Nancy's excrement coated hair and said to her you're very ripe. I love it and so do you, she retorted. This was a funny and not so friendly exchange. Evelyn chimed in let's shower and get some steaks. No shower for me, Nancy said. I'm going to head home, masturbate and sleep. In short order she was gone. Evelyn embraced me and kissed me. Just us now. I have an exciting evening planned. Hot water to shower, no soap. A fragrant hint of feces on us. Not too much to arouse interest in a public environment, except maybe to attract another shit savoring dyke. Evelyn squeezed into a very tight fitting pair of silk panties. They would make a sexy parachute.

    They also bore a resemblance to the panties in the shit smearing video we had watched. She completed her ensemble with fish net stockings and an ample jacket that cloaked her in respectability but left room for interest. Black dress for me, black sheer stockings. No false modesty. I looked good. A very pricey eatery, as I expected. Rare steaks and upscale wines, very intimate setting. We could converse in privacy. Recalling our initial encounter in the Mediterranean. Mykonos was our favorite port. We had our trysts amidst the blazing white windmills and the blazing blue sky. Above the sea, in narrow alleys we deeply inhaled each others shit on our fingertips.

    A wonderful meal and memories . More smelly sex awaiting us Evelyn remarked. As we pulled into the garage Evelyn mentioned that she wanted to explore fetishes that compliment their love of shit smelling. Was I interested?? I said yes but was a little hesitant. Was the sudden departure of Nancy part of a prearranged scenario?? This address was listed at my hotel as the place I would be staying at.

    Evelyn wanted to view the porno video we had looked at before. She wanted to do her version. Now the tight sweaty panties made sense. I sat in a comfortable chair as Evelyn got down on her knees and I watched her push out a perfect and substantial turd. An

    1. Re:For all my friends browsing at -1 by Anonymous Coward · · Score: 0

      Dude.

    2. Re:For all my friends browsing at -1 by Anonymous Coward · · Score: 0

      Nancy turned the lights down,

      Nancy Pelosi! LOL!

    3. Re:For all my friends browsing at -1 by Anonymous Coward · · Score: 0

      Good story. Would read again.

    4. Re: For all my friends browsing at -1 by Anonymous Coward · · Score: 0

      Son, you're grounded.

    5. Re: For all my friends browsing at -1 by Anonymous Coward · · Score: 0

      Creimer we told you to stop shilling your books on slashdot. ;)

    6. Re: For all my friends browsing at -1 by Anonymous Coward · · Score: 0

      Buy an Amazon Dot. In black, of course, to match my awesome Black MacBook.

  6. Is this like blood transfusions . . . by Latent+Heat · · Score: 1

    where the bug-exploit reveal is "cleaner" if it comes from a volunteer donor rather from a humanities grad student or homeless person who gets money from Plasma-R-Us?

  7. iPhone doesn't have bugs. by Anonymous Coward · · Score: -1

    The appy iPhone doesn't have bugs; it only has appy app apps! Anyone who claims they found an iPhone bug is a LUDDITE who actually found a bug in a LUDDITE phone like the LUDDITE Nokia 3310!

    Apps!

  8. What's this grey stuff? by Anonymous Coward · · Score: 2, Insightful

    If you sell it to Apple, you are a white hat hacker and helping make the product better.
    But it cost's you 7 figures per bug to be a good guy or gal.

    If you sell at market rate, it isn't a grey market, it's a black market.
    You are not only preventing something from getting fixed, you are helping folks do bad things.
    But you get a bunch of cash.
    It ought to be illegal except that is is funded by the FBI etc.

    I don't see how it would hurt Apple to pay market rates, but folks should not get away with clean cash for black activities either.

    1. Re:What's this grey stuff? by Anonymous Coward · · Score: 1

      Please don't do that causality bullshit. We have enough already. Walmart is being sued (attempted anyway) for "facilitating" a machete that was used as a murder weapon.

      You probably yell at the delivery boy for the cook's mistake. Because he's there and the cook isn't. It's not about justice, or even the food anymore, you just want to yell. Like a child throwing a tantrum, and you don't even remember why.

      Use whatever words you want to distinguish the intermediates from the buyers (including gov agencies) but to lump them as one is to insult your own finesse. Your own intelligence.

    2. Re:What's this grey stuff? by Anonymous Coward · · Score: 0

      Market rate with no concern for the use of the product is a gray market.
      Marketing something illegally is black market.

    3. Re:What's this grey stuff? by K.+S.+Kyosuke · · Score: 1

      Saying that it *ought* to be illegal and that it *is* a black market is mutually contradictory. Pick one.

      --
      Ezekiel 23:20
    4. Re:What's this grey stuff? by PPH · · Score: 1

      Sell it twice. Once on the black market. For the big bucks. Then sell it to Apple for the bounty.

      --
      Have gnu, will travel.
  9. Don't call them researchers by Hentes · · Score: 4, Informative

    Someone willing to sell bugs to criminals if they pay better is greyhat at best.

    1. Re:Don't call them researchers by Stan92057 · · Score: 5, Insightful

      Wouldn't call them gray either, they are black-hats 100% why call them gray? What good have they done? the bug they found will be exploited criminally. Now lol if they sold the bug to a criminals then turn around and sell it to apple then i would tag them gray.

      --
      Jack of all trades,master of none
    2. Re:Don't call them researchers by phayes · · Score: 2

      Indeed. if those who discover iOS flaws refuse to give/sell them to Apple then there is _no_ white in their hats and they are blackhats with no redeemable features.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    3. Re:Don't call them researchers by XparXnoiaX · · Score: 2

      Blackhats do research, too.
      Researchers are sometimes unethical.

      --
      Irresponsible disclosure is responsible
    4. Re:Don't call them researchers by Anonymous Coward · · Score: 0

      Don't call them researchers
      Someone willing to sell bugs to criminals if they pay better is greyhat at best.

      Yes but someone who does sell the bugs to Apple and not criminals, while at the same time is aware of the fact other people exist in the world and some of those other people would be willing to sell such bugs to criminals for more money, is not a greyhat or a blackhat, but clearly is a whitehat researcher.

      You know, like the people here being titled as researchers actually said.

    5. Re:Don't call them researchers by Anonymous Coward · · Score: 0

      The "whitehats" should be developing more secure software.. most of the industry is a giant circlejerk.

  10. Too hard to find flaws? by Tony+Isaac · · Score: 0

    The iPhone's security is so tight that it's hard to find any flaws at all

    Really? This sounds like corporate PR to me.

    I'd guess that it's more that there aren't as many skilled hackers trying to break iOS, than some intrinsic superiority of the OS.

    1. Re:Too hard to find flaws? by mbkennel · · Score: 2

      There are plenty of iOS users who have money, there's plenty of motivation. There aren't as many hackers because it's not very rewarding. The OS and app infrastructure is more secure, and it limits application developers in cases.

    2. Re:Too hard to find flaws? by angel'o'sphere · · Score: 2

      You seem not to lnow much how an OS works, how its security works and particularily why iOs is that secure.
      Your post is pointless.

      It starts with 'skiled hackers trying to break', you watch to many bad movies about 'hacking'.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    3. Re:Too hard to find flaws? by Tony+Isaac · · Score: 1

      So can you enlighten me?

      I've been writing Windows software since you had to write your own message handler loop, I've written video driver interceptors to pull text being sent to the screen. I've written windows message hooks and printer drivers. Before that, I wrote DOS TSRs in assembly. I've rooted my Android phone, I've installed BSD before Linux was a thing. I think I know a thing or two about hacking.

      Your rebuttal didn't actually say anything, except that you think I'm wrong. Why exactly, in a structural sense, do you feel iOS is more secure? I maintain that there is nothing structurally different, or more difficult, about hacking iOS. I think the only difference is market share. The money (hacking effort costs money) is going to follow the market king, every time.

    4. Re:Too hard to find flaws? by angel'o'sphere · · Score: 1

      iOS sandboxes each app.
      Consider it a glorified change root environment which is hardened against break outs.
      Basically every app is running with its own group and user id. They can not access each others data.

      https://www.apple.com/business...

      Yes, we need a new search engine, since google is 'tweaking' search results lots of stuff is hard to find.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  11. Semantics are important by Anonymous Coward · · Score: 1

    That's black market, not grey, I think.

    1. Re:Semantics are important by Anonymous Coward · · Score: 0

      Black is beautiful, babe.

      And people shouldn't complain when their governments bank on it. If they don't like it, they can vote the bums out, or STFU! So much fucking whining around here! They can stuff their phony 'morality' up their ass. The accountants make the rules, and everybody knows it.

    2. Re:Semantics are important by sjbe · · Score: 1

      The accountants make the rules, and everybody knows it.

      Speaking as an actual accountant I can assure you this is not actually true. Accountants can facilitate getting around the rules or in pointing out where the rules have nasty sharp teeth best avoided but they rarely have much say in what the actual rules are. Accountants aren't the ones robbing the mythical bank - they are the ones that provide the floor plans and sometimes drive the getaway car. The ones holding the figurative smoking gun tend to be financiers and lawyers. They are the ones who usually make the rules. If you need proof you merely have to examine the sorts of degrees held by most of Congress.

    3. Re:Semantics are important by Anonymous Coward · · Score: 0

      I'm just saying all your world's "principles" are written in the ledger... And chances are there are two sets of books.

  12. There is always a solution: by mbkennel · · Score: 2

    Cut the pay of the iOS developers by the amount of the bug bounty.

    1. Re:There is always a solution: by Bing+Tsher+E · · Score: 4, Insightful

      Thus lowering the quality of the developers who work on iOS which increases the bug count.

      No, I don't think a positive feedback loop is a good idea.

    2. Re:There is always a solution: by angel'o'sphere · · Score: 1

      Then they quit and get replaced by cheaper developers that create more bugs.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    3. Re:There is always a solution: by FatdogHaiku · · Score: 2

      Then they quit and get replaced by cheaper developers that create more bugs.

      Prompting more payouts followed by decreased developer payments leading to cheaper developers that create more bugs...
      Now THAT'S how you simulate an economy!

      (Seriously Kidding... or Kiddingly Serious...
      I always get those mixed up...)

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    4. Re: There is always a solution: by Anonymous Coward · · Score: 0

      You have no idea about how extrinsic motivation like this works. It's lead to worse coding, not better.

  13. It's the risk not the pay by FeelGood314 · · Score: 1

    If I'm good and work for bug bounties on other projects I can get a sort of steady pay. If I work on iOS bugs I might not find a valuable one with 6 months of effort. You could raise the payout to a million dollars a bug but I can't work on it full time because I will never no if and when I will get the pay.

  14. Re:So just increase the bounty...Pyramid Marketing by charliemerritt03 · · Score: 1

    Amway lit a fire once why not bring the hackers in with some sort of public rankings (updated monthly), secret conclaves in HI for the best 25 and all that bull

  15. "Grey" market? Please. by GameboyRMH · · Score: 1

    There is no good or acceptable reason to do anything with a vulnerability other than to first report it to the developer, and then release it to the public if they fail to patch it within an acceptable timeframe.

    Make no mistake, that market is as black as the devil's heart.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:"Grey" market? Please. by Anonymous Coward · · Score: 0

      Maybe they call it "gray" because it includes reputable buyers like the NSA, who only use such bugs to investigate criminals and keep the rest of us safe.
       

    2. Re:"Grey" market? Please. by GameboyRMH · · Score: 1

      LOL mod parent Funny! XD

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:"Grey" market? Please. by rogoshen1 · · Score: 1

      >reputable
      >keep us safe

      10/10, would get trolled by again, well done sir :)

    4. Re:"Grey" market? Please. by serviscope_minor · · Score: 1

      Make no mistake, that market is as black as the devil's heart.

      But make no mistake, it is there and wishing it away won't make it so. You don't even have to go far: wait around here until a thread about the government arrives an the usual crowd will pop out of the woodwork trumpeting the free market over all else. If the free market really is the ultimate goal the the value of a bug is how much you can get for it.

      Personally I don't subscribe to that and like arguing with such people (hi, roman_mir and Archangel Michael!) because I think their points of view are chock full of ignorance about people. But they believe they are arguing from a point of righteousness, not evil.

      --
      SJW n. One who posts facts.
  16. Yeah but who cares by Anonymous Coward · · Score: 0

    You can find WAY more Android bugs, and there are more people using Android. No point in breaking iOS when only 15% of the market is using it.

    1. Re:Yeah but who cares by rogoshen1 · · Score: 1

      What's worth more to thieves, 1 bentley, or 20 rust-buckets from the local scrapyard?

    2. Re:Yeah but who cares by cant_get_a_good_nick · · Score: 2

      1) it's more than 15%.
      2) iOS is used by higher value targets. A lot of this came to light when a company strung 3 vulnerabilities together to make a rootkit dropper. The cost was about half a million to attack one dissident.

  17. They should create their own division of hackers. by 140Mandak262Jamuna · · Score: 1

    Let us say Apple creates a division that has access to all the security by obscurity things and even the source code. They don't report to any of the traditional marketing, sales, development hierarchy. They only report to the security chief, and their pay, bonus and career prospects depend on the bugs they find and fix. Sort of like the Military Police, or inspectorates. Would that work?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  18. Jailbreaks by Kernel+Kurtz · · Score: 2

    I'd rather they be used for that first, then Apple can fix them later.

    1. Re:Jailbreaks by cant_get_a_good_nick · · Score: 1

      A remotely exploitable jailbreak is the worst security hole you could think of. you actually don't want this.

    2. Re:Jailbreaks by geekmux · · Score: 1

      I'd rather they be used for that first, then Apple can fix them later.

      I'd rather guns only be used for self defense, and not be used to murder humans. Sometimes you can't have it both ways. Sorry.

      Then again, why am I apologizing? You want the freedom to do whatever you want with your smartphone? There's a simple solution for that. Don't buy a fucking iPhone.

    3. Re: Jailbreaks by Anonymous Coward · · Score: 0

      If you want that freedom, apparently you cannot get it with an Iphone. You can only pay for an Iphone, you can never own it.

  19. Buy directly by Anonymous Coward · · Score: 0

    Obvious solution: buy from the grey market at whatever price it's valued. Pretty sure Apple has the cash to do this. In fact, I think they probably already do and the "bug bounty" is just to save money.

  20. Re: They should create their own division of hacke by Anonymous Coward · · Score: 0

    I like the way you think. - T.J.

  21. Apple is much better off with this approach by Tanman · · Score: 3, Insightful

    One would be a fool to think that Apple does not also purchase bugs on the black market through intermediaries. Having an inexpensive bug bounty gives incentive to all the white hats out there to do their part to increase Apple security.

    For everyone else, Apple will buy exploits in the wild paying market value. If they increased their bug bounty program to this level, it would not increase their ability to get ahead of black hats since they would have to pay over market price to lure them over, but it would make all their other submitted bugs more expensive.

    1. Re:Apple is much better off with this approach by sl3xd · · Score: 1

      Another thing to consider:

      Governments print their own money. In that situation, a monetary "reward" is utterly meaningless.

      As a result, government agencies are interested in the information on a device.

      On the "commercial" side, think about it for a second: There's no legal requirement I'm aware of that compels a hacker to tell Apple anything; so if Apple finds out you didn't share exploit information with them, what are they gonna do? Ask nicely the next time?

      In contrast, if a crime boss you've worked with finds out you sold the hack to Apple instead of him, well...

      I hope you like concrete shoes.

      Being able to make a name for yourself while being simultaneously anonymous... it's a lot harder than using TOR and Bitcoin with a pseudonym. It's made doubly difficult as you're dealing with people who have the resources and motivation to unmask you.

      --
      -- Sometimes you have to turn the lights off in order to see.
  22. Apple can outbid NSA by sjbe · · Score: 1

    Apple can raise the price enough that thieves can't afford to outbid them. Granted, Apple can't outbid NSA and the other such global organizations. But they can outbid the small time thieves.

    Actually Apple can out bid NSA if they want to. By a lot. The entire Intelligence budget for the USA is somewhere around $80 billion per year. This includes CIA, NSA, FBI, DIA, and the rest. Apple's profits last year were about $45 billion. So yeah, NSA isn't going to be able to outbid Apple unless Apple doesn't care.

  23. Profit is the only "good" to some by sjbe · · Score: 1

    There is no good or acceptable reason to do anything with a vulnerability other than to first report it to the developer, and then release it to the public if they fail to patch it within an acceptable timeframe.

    "Good" and "acceptable" are concepts very much in the eye of the beholder. For some the only "good" is how much money they can make and the rest of the world can burn as far as they care. The only thing "acceptable" to them is a large enough price. This is how much of Wall Street works so why should we expect the market for security flaws to be much different? The greater good is a concept as alien to such people as a Martian.

    Make no mistake, that market is as black as the devil's heart.

    Quite so.

  24. Ethics by Anonymous Coward · · Score: 0

    There will always be someone angling for an advantage with out a moral code.

  25. How is this not illegal? by jonwil · · Score: 2

    A.How is it not illegal to profit from the sale of vulnerabilities in software? (other than by reporting it to the vendor and collecting a bounty) and B.How come the software vendors (who presumably dont want vulnerabilities to be bought and sold on the open market) haven't been lobbying for laws to make these vulnerability marketplaces illegal?

    Are the software companies worried that if its illegal it will just disappear into the deep web and become even harder to track and deal with? Do the software companies know that such laws will never happen because the government needs these vulnerability marketplaces as a way to get bugs to use in the spying efforts? Do the software companies know that such laws would be pointless since the action happens outside jurisdictions that might actually implement such laws?

    1. Re:How is this not illegal? by Anonymous Coward · · Score: 1

      What you are proposing would surely violate the 1st amendment. Why should it be illegal to sell matters of fact to anyone?

    2. Re:How is this not illegal? by Anonymous Coward · · Score: 0

      A.How is it not illegal to profit from the sale of vulnerabilities in software?

      We tried your idea in the 90s, and it was terrible. Computer security is in a much better position today: the field is doing more good for society, is training people better and discovering more things, and is producing some good cooperation between hackers and governments.

      What you are saying is a knee-jerk reaction to the current news cycle with many problems.
        - Making it illegal will not make it happen less often, but will destroy all possibility of good relationship with hackers.
        - It offends principled dignity: free speech.
        - It unjustly protects the authors of crap software and is a plantation-mentality "taking" of security researcher's effort. Why should corporate software shops with in-house lawyers get security research for free backed by the government's slave whip?
        - It creates a perverse incentive for companies to invest in prosecution and attribution rather than security, which lowers software quality doubly by keeping some of the smartest, least-broken people out of security research entirely and directing effort away from building security in to begin with.
        - It's a national solution to an international problem. ex. FBI arresting Sklyarov was preposterous, and disastrous because it destroyed credibility of US security conferences and was a blow to our domestic security industry from which we never fully recovered.
        - It increases the edge of spy agencies to whom the law doesn't apply.

      We've seen all those things play out badly in the 90s. The third one is still happening today, with the different prices for white hat blogger.io "maker"-level hackers vs. the grey hat professionals.

      tl;dr fuck you pay me.

  26. Apple have a direct interest in security by aberglas · · Score: 1

    Unlike Android, Microsoft etc.

    For other companies, security is about protecting their customers. For Apple, security is about protecting Apple's walled garden.

    1. Re:Apple have a direct interest in security by Plumpaquatsch · · Score: 1

      Unlike Android, Microsoft etc.

      For other companies, security is about protecting their customers. For Apple, security is about protecting Apple's walled garden.

      Explains perfectly why it's much easier to find security holes in Android and Microsoft products, Because they care so fucking much about their customers.

      --
      Of course news about a fake are Fake News.