
What do you think the payouts should be?



There's a variety of models that others have experimented with, and they all tend to fail at bugs this deep. For instance, Google tried a thing where you open a bug ticket once you think you've found an issue and you stream out everything you try along the way. I think there were ongoing or partial rewards and it was Android-centric. I'm pretty sure approx. 0 people took them up on it.

Microsoft also had/has mitigation bounties for around the same dollar amounts and it turned out nearly the same: lower than expected interest given the price point. Most of the interested parties tend to be academics, for fairly obvious reasons when you think about the economics of it all.

I think that if Apple wants to find bugs this deep in specialized, hard-to-audit surfaces within iOS, they ought to hire experts at expert rates and provide them the tools they need to look. In my perfect world, I would hire an expert consulting firm at their market base rates and then offer bonuses for findings on top of it. I would make the engagement low intensity and long in length, to build competency and familiarity with the codebase over time.


> they ought to hire experts at expert rates and provide them the tools they need to look.

I'm really curious where this idea comes from that the existence of a bug program means they must have no in-house bug hunting team. A competent, deep-pocketed corporation (which I think we all agree Apple is) would certainly do both.

Want to hunt Apple bugs but not work for them? Do that. Want to hunt bugs with a steady salary? Do that.

Edit: now with link to 197 job postings! https://jobs.apple.com/us/search#&ss=Sr.%20Security%20Engine...


> I think that if Apple wants to find bugs this deep in specialized, hard-to-audit surfaces within iOS, they ought to hire experts at expert rates and provide them the tools they need to look.

...Apple does this. The people I complain about and call "mercenaries" are the people from the grey hat hacking community who decide to go work for Apple. If I wanted to go work for Apple on this I could probably get myself hired there in a matter of days, if it weren't for the issue that I am morally opposed to it (and they know that at this point, so they would rightfully be highly skeptical of me finally "coming around" ;P). The bug bounty program is not focusing on this issue.


You are saying that you do not agree with security experts helping Apple secure iOS? Or am I misunderstanding? (Pretty surprised to hear this).


When you work to help Apple lock down their operating system, you are helping an oligopoly (Apple along with Google and Microsoft) to control the future of all software development. The mitigations that are put into the operating system serve two purposes: sure, they lock out invaders... but they also lock out the user and rightful owner of the hardware.

The moral costs of the latter do not pay for the benefits of the former. I look at people who work for Apple on security as similar to people who work for the TSA: yes, they are probably in some way contributing to the safety of people... but they are actively eroding the liberties of people in such a frightful way that the benefits are not worth the cost.

So when I see people working for either the TSA or for Apple, I ask myself "did they really really need this job? or could they have gotten work elsewhere"; and if the answer is that they didn't absolutely need to work for Apple, I model them as someone who has left the Resistance to go work for the Empire because they thought laser guns were cool and the Empire happened to have a larger laser gun for them to work on, and hell: the Empire is managing to maintain order on a large number of planets, right? :/

In case you think that this is just some future concern, it is a war which is already playing out today in countries like China, where the government knows that Apple has centralized control of what can be distributed on that platform and uses that knowledge to lean on Apple with threats of firewalls and import bans to get software and books they dislike redacted.

https://www.nytimes.com/2017/01/04/business/media/new-york-t...

> Apple, complying with what it said was a request from Chinese authorities, removed news apps created by The New York Times from its app store in China late last month.

> The move limits access to one of the few remaining channels for readers in mainland China to read The Times without resorting to special software. The government began blocking The Times’s websites in 2012, after a series of articles on the wealth amassed by the family of Wen Jiabao, who was then prime minister, but it had struggled in recent months to prevent readers from using the Chinese-language app.

Having a centralized point of control at Apple is not helping the lives of these Chinese citizens, at least according to the morals that I have (and I would have guessed you have, but maybe you are more apologetic to these regimes than I; we have never really spent that much time talking as opposed to just kind of "sitting next to each other" ;P).

So, yes: I absolutely am against security experts "helping Apple secure iOS" when what we know is actually happening is that they are "helping Apple enforce censorship by regimes such as the Chinese government on their citizens". There are tons of places in the world you can go work for where your work on security will actually be used for good: go work for one of those companies, not the oligopoly.


Thank you. This sounds like a viewpoint I strongly disagree with, as I believe potential misuse of vulnerabilities is a concern which outweighs device freedom in this context (example: https://citizenlab.ca/2017/07/mexico-disappearances-nso/), but nonetheless I really appreciate the detailed explanation.


FWIW, I don't disagree with you that the security issues here are real. My issue is that Apple has managed to tie together the security of the user with the maintenance of their centralized control structure on computation. I think that people should lean on Apple to provide a device which is both open and secure. Part of this is what amounts to a bunch of people refusing to work for their company, particularly on the parts of their products which are essentially weapons (so the same argument about refusing to work for governments). Hell: even if they didn't seem to go out of their way to be actively evil about some of this stuff, it would be better :(.

I mean, here's a really simple one: they already have "free developer" account profiles. However, you can't install an app that uses the VPN API using a free developer profile. So if I build a VPN service with a protocol designed to be used by people in China to help people bypass the Great Firewall, as VPN services are illegal in China, China has complete control over Apple's app distribution, and Apple not only polices the use of their enterprise certificates but has in the last year or so started playing whack-a-mole on services which use shared paid developer certificates, users in China are not going to be able to install it on their iOS devices.

Why did Apple go out of their way to block access to the VPN API from free developer accounts? I can't come up with any reasons for this that make me feel warm and fuzzy :/. So yes: the US military does a lot of good protecting people on foreign soil, as does the FBI here at home, and I'll even grant that the TSA probably does something good ;P. You can show me a ton of reports of active terrorism in the world, and say "look, this stuff is important, peoples' lives are on the line"... but as long as working for those groups is tied to mass surveillance, installing puppet regimes, and maintaining resource imbalances, the moral issues remain :(.

(I'm also going to note that I find it a lot less weird if someone is consistent and always worked for Apple, whether directly as an employee or indirectly by handing them information and bugs than if they "switch sides" and go from simultaneous disclosure to "responsible" disclosure or even forced disclosure by being an employee. That's why this thread was spawned from me noting that I have at times used the term "mercenary". It makes some sense to me that there are people who work for the Empire because they believe in the goals of the Empire; it just irks me, though, that there are people who once worked for the Resistance who get a job offer from the Empire and are like "wow, that sounds great!" and go work for them without seemingly believing that anything has changed about what they are fighting for... it tells me that, at the end of the day, they really just thought "working with lasers is fun!" and the moral issues of which side they were on never mattered.)


I get where you are coming from. It is worth keeping in mind that not as many folks see it in a political manner, so if their viewpoint is a choice between "working hard to release free research/tools and getting people angry/complaining in response" versus "working hard and getting a decent salary to do what they love" then it makes some sense as to why people would go that direction.

I'm in agreement with you regarding Developer ID. I have no idea why Apple would want to limit that, I know they recently relaxed restrictions on NetworkExtension though (except for Wi-Fi helpers) - Are you referring to the old "e-mail here to apply for the entitlement" process they had in place? Or do they still not allow the entitlement for free developer IDs now?


> Are you referring to the old "e-mail here to apply for the entitlement" process they had in place? Or do they still not allow the entitlement for free developer IDs now?

I really do mean the latter: they still block this entitlement from use by free developer IDs. If you try to activate it you get an error #9999 with the following message.

> The 'Network Extensions' feature is only available to users enrolled in Apple Developer Program. Please visit https://developer.apple.com/programs/ to enroll.


It seems to me the actual solution is to hire experts as employees. That solves the "can't put food on the table" problem. It's probably a lot more efficient and effective use of their cash. As far as I know Apple has already done this over the years.


They absolutely do and have continued to do so vigorously. The bug bounty program is in addition to this.


Doesn't a high bounty create a perverse incentive for employees to introduce or leave bugs they spot so that they/some accomplice can claim the bounty?

I know Silicon Valley employees' honesty is above all suspicion and rogue employees are a monopoly of the financial industry, but one has to consider the risk.


Do you believe this is possible? Introducing or leaving such bugs would need more than one person, probably from different departments, and even if it gets through code review, there is still a risk someone notices the connection between the one who introduced the bug and the one who found it.


The thing is it often only takes one line of code running with the right privilege to make the whole system insecure. And a dishonest employee wouldn't even need to write it. Having access to source code, all it would take is to spot it but not fix it.


Developers' unimpeachable morals aside, I think the risk of getting caught would outweigh the benefit. Most developers at Apple hardly need a secondary sort of income.


Is everyone in this thread being sarcastic about developers' morals? No one here really thinks that developers as a whole are more moral than any random subset of people, right?


> Most developers at Apple hardly need a secondary sort of income.

I would have said the same of bankers and management consultants, but the fact is things like insider dealing are a thing.


In this case, the reward doesn't outweigh the risk.

Insider trading can earn very large amounts of money, and the higher your current position, the larger the scale of insider trading that becomes available.

Now, for Apple iOS core developers - does it make sense to risk a $200k/year job and possible jailtime to get a $50k bounty (the limit for kernel exploits) that you'd have to share with whoever helps you to launder it?


No, it doesn't... but the context of this subthread was "Apple should pay a lot more for this bounty" which turned into "but if they do that then it will create a perverse incentive to do this evil thing". The people you are arguing against thereby agree with you: $50k is not enough of an incentive; but they feel that at some point as that number gets higher the incentive will make sense.


Yeah, okay, with a factor of 10 increase, that would start to make sense, and there could certainly be people willing to go for it.

Many high profile bugs seem to have plausible deniability where they can reasonably be errors but might have been deliberately inserted. Anybody can make mistakes similar to Heartbleed, especially if they want to.

