One particularly grotesque case was the illegal wire tapping of Ben Suda after launching a criminal probe in to Israeli war crimes, which they used to threaten the prosecutor and used it to hide evidence that they knew was under scrutiny or take the cases to court just to drop it so they can tell the ICC that they did make an attempt to prosecute, which is a loophole that disallows the ICC to take up those cases.
I'm certain many countries do this stuff, as well as operate botnets and threaten journalists... but the uniqueness here is that these intel groups located in Israel operate under complete protection of the US without any scrutiny or oversight alongside the US government. We are living in this dystopian universe that people have warned about, for decades at this point.
As an aside, it should be noted that this wouldn't be sufficient to trigger complimentary at the ICC if its obvious the investigation was not in good faith. The icc can ignore any domestic investigation it believes was not a serious attempt to investigate.
Like it'd be a pretty silly court if you could get out of everything by running your own sham investigation.
https://finance.yahoo.com/news/exclusive-tessl-worth-reporte...
The VC firm Boldstart has deep ties to the Israel intelligence community, so you pretty much want to avoid any of their investments.
So i don't think it follows that the attack would lead to israel being cut out of supply chains, since the attack didn't involve that.
The fact journalists were compromised seems only incidental, the ruling is about weather or not NGO Group "exceeded authorization" on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims and not weather they were unauthorized in accessing the victims. Its a bit of a subtle nuance but I think its important.
Quoting the judgement itself:
> The court reasoned that, because all Whatsapp users are authorized to send messages, defendants did not act without authorization by sending their messages, even though the messages contained spyware. Instead, the court held that the complaint’s allegations supported only an "exceeds authorization" theory.
> The nub of the fight here is semantic. Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue that it passed through the Whatsapp servers just like any other message would, and that any information that was 'obtained' was obtained from the target users' devices (i.e., their cell phones), rather than from the Whatapp servers themselves
> [...removing more detailed defendant argument...]
> For their part, plaintiffs point to section (a)(2) itself, which imposes liability on whoever "accesses a computer" in excess of authorized access, and "thereby obtains information from any protected computer" pointing to the word "any"
> [...]
> As the parties clarified at the hearing, while the WIS does obtain information directly from the target users’ devices, it also obtains information about the target users' device via Whatsapp servers.
Adding a little more detail that comes from the prior dockets and isn't in the judgement directly but basically NSO Group scripted up a fake Whatsapp client that could send messages that the original application wouldn't be able to send. They use this fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms) they exceeded authorization.
Think about that for a moment and what that can mean. I doubt I'm the only person here who has ever made an alternative client for something before. Whatapp (that I recall) does not claim that the fake client abused any vulnerabilities to get information just that it was a fake client and that was sufficient. Though I should note that there were some redacted parts in this area that could be relevant.
I dunno, I mean the CFAA is a pretty vague law that has had these very broad applications in the past so I'm not actually surprised I was just kinda hopeful to see that rolled back a bit after the Van Bruen case a few years ago and the supreme court had some minor push back against the broad interpretations that allowed ToS violations to become CFAA violations.
Edit: Adding a link to the judgement for anyone interested: https://storage.courtlistener.com/recap/gov.uscourts.cand.35...
Edit2: And CourtListener if you want to read the other dockets that include the arguments from both sides (with redactions) https://www.courtlistener.com/docket/16395340/facebook-inc-v...
I've been on both sides of the issue by authoring unofficial clients, and battling abusive unofficial clients to services I run. The truth is, complete carte blanche for either side is untenable. 99.99% of well-behaved clients are tacitly ignored, I'm not against those that deliver malware, or bypass rate-limiting having their day in court.
If we want using a service to perpetrate a crime to itself be an additional crime then that should be made explicit. In the (unlikely) event that NSO wasn't actually perpetrating any crimes against the end users then that fact is probably what needs to be fixed.
This reduces embarrassment for stakeholders, protects sources and methods, and sends a message.
The law is as broad as can be. If it were a US National instead of NSO Group, some crazy calculation of damages would be used to extract a plea in lieu of a thousand months in prison.
whatsapp owns the systems, so its up to whatsapp to sue
You can’t sue a dude for stealing a screwdriver to break into your home with. Your tort is the act against you.
So if someone robs a bank and empties my safety deposit box I can't sue them because it was the bank that had the money, not me?
(One might argue that it's similar with "your" money ((in the bank)) , but that's not the point)
You can sue the thief for stealing your property and the bank for negligent bailment. Same concept as a valet crashing your car.
> I doubt I'm the only person here who has ever made an alternative client for something before
I think the distinction here for "exceeds authorisation" is pretty apparent. I don't read this judgement as being damning for people wanting to make their own clients.
They made a third party client for deliberately malicious purposes. If you go ahead and make a discord client with the intention of spamming or otherwise causing harm to its users, I think it's completely reasonable for you to get in trouble for that.
That sounds hopelessly ambiguous to me. What if Google decides that making use of yt-dlp is causing harm to them? What is the criteria here?
We wanted email spam to be illegal and so it was explicitly made illegal. We wanted robocalling to be illegal and so it was explicitly made illegal. In such cases we have (reasonably) clear criteria for what is and is not permitted.
* https://www.theverge.com/2019/5/14/18622744/whatsapp-spyware...
Interestingly enough, Signal (and others) had the same sort of vulnerability on Android from a WebRTC stack:
* https://googleprojectzero.blogspot.com/2020/08/exploiting-an...
The big issue in both cases is that the exploit was triggered before the user answered the call.
I think the moral here is that a secure messenger should not execute inherently insecure code (i.e.complex code) on behalf of entities that are not really well trusted by the user. The default should be always plain text.
Has your "memory safe" language been audited for security ?
There is the option of not having data and code sharing the same stack, that seems like a better solution to me but that's such an option is not usually talked about.
Well, RCE (cargo) is built into it. /s
Whattsup and co, are very happy to execute untrusted code: images displayed in messages, websites fetched and rendered. Basically a bad actor's wet dream.
> A U.S. judge ruled on Friday in favor of Meta Platforms' (META.O), opens new tab WhatsApp in a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.
Encryption is important but it often is not the weakest link in the security chain.
I’m more worried about financial scams than I am anything related to government. Password managers with random passwords are an excellent guard against that threat.
If I were worried about state actor threats, any keys or passwords would be memorized.
The point is that a password manager is an additional weak link in the chain.
Bitwarden is already a big step up from what most people are doing, then if you want to hide from gouvernement you better make sure you save your password on extremely secured device. But that's another treat level from the average Joe.
That is kinda funny, although sad at the same time
On the flip side, I guess that means META allows WhatsApp users being only “legally spied” on
In such scenario only the target of the wiretap would receive the modified client application. Both google and apple allow pushing updates to small subset of users. It's not unthinkable that they also have the (internal) ability to push a specific update to a specific user.
But I guess now you'll move the goalpost to ask "Why hasn't any Googler come forward and admitted it's happening?" That is a fair question, but I think most people would see this legal spying as no big deal and perhaps even a good thing.
So the lack of evidence is itself evidence of another layer of nefarious activity? Are Apple in on it too (since they approve updates control the app store roll-outs)? I have no stomach for debates over unfalsifiable scenarios - your position is clearly set in stone.
You're allowed to say "The NSA", we're all adults here. No need to speak in euphemisms.
https://www.newsnationnow.com/business/tech/fbi-warns-agains...
There should be no "legal" hacking of someone's devices apart from extraction of data from already convicted people in public court with the right to defend themselves
Sell guns to governments, even unsavoury ones, it is very rare anything will happen to you except in pretty extreme cases. Sell guns to street gangs, well that is a different story. Like i don't think this situation is different because it is "hacking".
The problem with selling exploits is you want to maintain “ownership” of the exploit details, lest your customer just take the exploit and sell/use it without paying more or use it to attack you or your friends. This means you end up with veto power. I.e. culpability.
Trying to remember the quote I last heard, something to the tune of "we don't want to punish, we want to educate", which was about "educating" LEOs and entire police departments they shouldn't be selling fun switch guns illegally to gangs and private buyers.
(And do I even have to mention "fast and furious?" Hah! Feds get it the easiest.)
[1] https://en.wikipedia.org/wiki/Pablo_Gonz%C3%A1lez_Yag%C3%BCe
Israeli forces killed 38x more journalists than Hamas did on October 7th.
The second part though doesn't make sense. If the US president can send drones to kill terrorists without taking them to court, surely he can order hacking their phones. If you think that there's no case where the latter is ok you shouldn't you fight against the former first?
The part that you miss is, are they only killing "terrorists" extrajudicially? To take that propaganda at its face value is to ask, what else could they be killing brown people for, if not terrorism?
And I would guess they’ll use the opportunity to increase the reach as well
The ‘terrorist’ label was invented as a means of abrogating human rights by governments who felt they were encumbered by the obligation to protect human rights. “Terrorist” labeling is a totalitarian-authoritarian apparatus to avoid culpability for its actions when a government decides the easiest solution to its problem is outright murder.
It seems to me like terrorism has a pretty plain definition: Using violence against civilians/non-combatants to further a ideological goal, primarily via fear.
It's often misused as an excuse, but there are actual terrorists, the word has a meaning and we should not let it be watered down by either the people wanting to use it as an excuse or the people trying to shroud terrorism in something else.
As citizens of nations which use terrorism as a tool for their political purposes, it is long since past the point we let ourselves be bullied by terminology and started instead to enforce the legislation required to rid our own ranks of war criminals - who are factually terrorists.
Like how they are now charging the UHC CEO suspect with terrorism
Then, if you support the guy, now a terrorist, well then you can be called a terrorist too
I'll gently push on the premise though: hacking isn't worse for the victims than death, obviously, but I think it's possible weaponizing of exploits does more total damage. Both collateral, due to the manufacturing of exploits which ultimately leak and harm a bunch of unrelated actors, and because the marginal hacking is lower cost, practically and politically. So a given attack is likely to be used against groups we'd recognize less clearly as "terrorists" / deserving of the harm / etc.
Why speak in hypotheticals supporting some phantom opinion? Concern trolling is even worse.
You said it is okay / allowed because "terrorists". Otherwise, it is a heinous crime. Just like the Pegasus one.
WASHINGTON - Stanislav Nazarov, 46, a dual citizen of Israel and Russia, has been extradited from Israel to face charges in an indictment accusing him of taking part in an international money laundering scheme.
But hey, it's a free planet, and you can believe whatever you want to belive. I certainly wouldn't want to get between you and one of your pet narratives.
https://repository.law.umich.edu/cgi/viewcontent.cgi?params=...
https://www.timesofisrael.com/diaspora-pedophiles-increasing...
You're very aware what I'm saying is true on a general scale. Sure, exceptions exist. You also know that the aid the US gives is significant and if it hadn't been given every year for decades, Israel would be nothing like what it is right now, it may not even exist.
Try refuting all the Israeli newspapers above which talk about how difficult it is to extradite obvious criminals from Israel. Apologies that you took my comment starting with "L O L" as if I literally meant no person ever in history has ever been extradited. Only a shockingly large portion have not been and will not be, enough to attract attention in the Israeli and foreign press.
And we're still huggy buddies with Saudi's Crown Prince and Netanyahu. Citizens lives only matter so much to our corrupt rulers
Also, look at how the govt has acted in the last year or so, they will never move against Israel
Capitalism is neat that way. Diffusion of responsibility.
Kinda similar to how the IDF has never been charged with war crimes despite several of their service-members being recorded breaking the law in their Israeli fatigues. It's not that international law was never broken, it's that Israel considers themselves above the rule of law and international bases of morality. That type of behavior absolutely must be called out in it's lonesome, such that no nation ever repeats Israel's embarrassing mistake.
If you know of any other cyber criminal organizations like the NSO, where governments use their tools to select and murder targets, please describe them.
once you meet your first transnational human trafficking ring with full fledged dev teams etc NSO seems very ethical among its ilk if you hear about it in the news its the tip of the iceberg
Yet they are protected by the US and Israel, which I believe is the case that they have backdoors into all of it, and getting the targets to actually install this malware on their own saves a lot time.
All good, except for the actual real world victims.
That describes the entire Israeli defence industry, and a fair sized portion of Israel's cybersecurity industry, based on the stomach-churning sales pitches I've received.
NSO are not unique, they just got unlucky.
Care to elaborate? This could be news story-worthy
I really feel like people aren't thinking this stuff through. Exploits and implants are not rocket science. There aren't a huge number of people in the world that are world-class at reliably exploiting modern targets, but it's not like there's just like 20 of them or something.
later
In case it's unclear from the comment: I don't think this is a good thing. I'm speaking positively, not normatively.
So what? Does this mean we should sell our arms to any horrible enemies of our state because if we don't, China will?
Many many of these regimes target Americans. Kashoggi had American citizen kids. Why do we allow our own citizens to get harmed because we have to love Israel and NSO so much? Who gets paid to look the other way?
ever heard of fingers in fedex boxes being sent to mothers in the states? does that make fedex liable?
probably not NSO is just the weak kid thats been caught and is the punching bag
FedEx operates a service known to be used by criminals but also of so much utility to the average citizen that the government has an entire service to provide the same thing.
The government doesn't provide spyware to anyone commercially and neither should we tolerate companies that do.
https://en.wikipedia.org/wiki/NSO_Group#Relationship_with_th...
Specifically, NSO Group is worth a lot less than I thought it was, even at its peak. ($1B+ valuation)
Also, the amount of infighting is... Surprising perhaps? Less surprising is the number of spinoffs out of it, and the number of competing Israeli spyware groups.
I'm constantly surprised by how good he Israeli startup environment seems to be.
Why is this? How are there so many acquisitions out of there?
So once people get really good they quickly realize they can make more by starting their own company and siphoning off client relationships.
It’s not possible to be “perfect,” but if we do our best to get there, we’ll make really good stuff.
It’s unlikely to happen, though, as we have a system that explicitly rewards writing crap, because it makes money.
As long as we fail to reward good work, we will continue to get poor work.
I think that's a bit off. The problem is that we continue to reward poor work so the poor work continues.
Note that even my fairly mild statement was not received well. People really don't like discussion of improving the Quality of software, here. Too much money to be made in not-so-good stuff.
In this case, the comment fit the conversation. The original comment was a short, pithy, and rather sarcastic one that was, nonetheless, correct. They pointed out that we need to write higher-Quality software, in order to give folks like the NSO people fewer “hooks.” The NSO folks are smart, dedicated people, that, in other circumstances, we would admire for their creativity and intelligence. They often take advantage of mistakes (or deliberate decisions) made by folks that we may find less admirable.
I like this community and medium, and sincerely want to be a “good citizen.” The opportunity to interact with people like you, is a privilege that I respect and value. We may not always agree on everything, but I find many of your contributions to be inspiring, educational, and relevant, so I appreciate you. You have taught me lessons, and have changed my mind, and, I’m sure, will continue to do so. You have great insight, knowledge, and experience, which I value, and appreciate you sharing it (for example: https://saagarjha.com/blog/2023/12/22/swift-concurrency-wait...). People like you, are why I like this place. We have no social interaction, so I have no idea if we’d get along, IRL. I would like to think we would, but I’m often wrong, and not afraid to promptly admit it.
For myself, I try to participate by making very specific suggestions, and “keeping it focused on me.” I don’t attack others, even if I find what they say to be quite offensive (or if they attack me, which is fairly common). Most times, I don’t feel that my comments would improve things, even if I vehemently disagree with someone, so they are best left unsaid. I don’t participate in any other social media, and I’m retired, so I do spend a fair bit of time, here.
I spent most of my career at a corporation that was all about Quality, and I suppose it must have rubbed off on me. At that company, Quality was a religion, and they took it to the point of obsession. After leaving, I have tried to practice their mindset in my continuing work. I write software that can have a big impact on the lives of its users, so I take Quality seriously, in order to reduce things like attack surface. I feel as if the current tech community has a baseline ethos of “write code as badly as we can get away with,” and that ethos is rewarded. I don’t think that treatises on better unit testing will be of interest to folks with that mindset. I feel as if the mindset, itself, is the issue, and code dumps won’t make a difference.
I often reference stuff I’ve written, not because I want traffic (I could absolutely care less, whether or not folks read my stuff. I write for myself), but because I don’t want to litter the place with “wall of text” commentary (as you can see, I lean prolix). A quick link to an article that I wrote, going into great detail, is better than a massive comment that won’t have as much information.
For example: https://news.ycombinator.com/item?id=42478993
Are those articles specific enough?
The problem arises when all things are not equal, and something needs to give. Perfect quality is generally not attainable or even desirable, because it sacrifices things in other areas that we care about even more. Sometimes the value of something is high enough that we will pay the price for it failing in some cases. That’s just how we do a cost-benefit analysis. I say this even though I work in software security, where most of my job exists and is made difficult by “bad” quality, and a lot of my effort goes into figuring out how to improve that. Depending on the circumstances, I may advocate for the balance to be adjusted in favor of more security (at the expense of something else) and sometimes I may actually decide that this is counterproductive. That’s really my actual response to the comment.
However, as you probably noticed, I didn’t reply with that. I called it low-quality. In fact I think the whole discussion is low-quality, not because it is not a real point, but because it’s not interesting. I understand and appreciate that you have worked on software quality throughout your career. I want you to be proud of your efforts in this area. And it’s completely reasonable to point to that and go “this is what’s missing from our industry”. It’s not actually very novel or actionable. So, despite me not actually voting on the thread, I felt it was not valuable.
When I was in high school I happened to be pretty decent at physics. In fact I won some awards and was nationally ranked. This is kind of like your situation, except of course my skills were less general and also more ephemeral. But it’s as if I, given my arguably decent understanding of physics, went “the problem with climate change is that we’re using too much energy”. First of all, this doesn’t actually use any of those skills to proclaim. Even someone who failed high school could probably tell you that. But secondarily, and more importantly, I haven’t actually said anything useful. My knowledge of mechanics is great but solving climate change is a huge problem, both deeply technical but also social and political. It’s a lot harder than going “stop applying force over distance to things”. The same is true for preventing exploits: I’m sure you’re great at writing apps that have low defect rates, but when it comes to protecting against nation-state threats there’s a whole lot going on beyond “let’s not make any mistakes”. More relevant would be a discussion about, say, memory safety, or auditing, or whatever that is actually on-topic and actionable. What you’ve posted is something that is really just a “hear hear here’s an obvious problem let’s fix it” which invites nothing beyond people who will do nothing but agree with you, or somehow twist it into their pet peeve and rant against it. Neither is against the rules but I think it doesn’t make for insightful conversation, so I’m telling you about it now.
But I feel that the root cause is attitude and encouragement. Sort of “the wolf you feed” kind of thing.
That’s not really something that can be addressed by technology or even education.
That’s the kind of thing that we handle with social infrastructure. Peer pressure, cultural norms, “tribal knowledge,” etc.
In my mind, the best way to approach that, is by contributing small, almost “throwaway” human-interaction-level “course corrections.” We set the examples we want others to follow, and talk about why we do stuff, as opposed to always making it about how.
Some of the most valuable lessons that I learned about Quality, in my career, were offhand comments, made by folks that lived Quality, and demonstrated the required mindset.
That’s not always something folks want to do. Information is valuable.
However, it’s not my area of expertise, so I probably go way overboard on it.
It’s because of the types of users of the apps I make.
My apps are mostly free apps, meant to be used by recovering addicts, and that demographic is (justifiably) paranoid. Lots of people hate addicts, and actually don’t want them to recover. They want them dead (except for my little Muffy, who is just an addict, because of her boyfriend, who we want dead).
If that sounds like I’m cynical, it’s because I am. I’ve been Serving this demographic for over 40 years, and have seen a lot. I’ve authored a lot of stuff that has become infrastructure.
In any case, I do my best to provide very secure software.
In the app I currently maintain, I went pretty crazy, in the backend server. It has multiple layers of security, and a lot of work to defang stuff like privilege escalation, and (of course), SQL injection. A lot of filtering is done in the actual SQL, for example. Many coders bring the information into memory, then filter it. I do my best to make sure it never even comes out of the database, if the current user isn’t authorized. I’ll do things like reload the user privileges, just before any SQL access. I also relegate all DB interactions to two extremely low abstraction layers. This has the added benefit of allowing me to swap DB technologies, in the future, if I want. Of course, I also use PDO, at the DB level, which gives me choices, there.
And the DB schema is crazy simple. No relations. I use a token-based authentication system, parsed by SQL code, so there’s no ACLs to hack. This also means that I have choices in DB engines, in the future, as the data are little more than Key/Value stores.
And I try to never have anything to do with that code. It’s simple and basic, so it updates really well with new PHP versions. I suspect most of the code would work with PHP 5. I use PDO Prepared Statements, when executing even the simplest queries, and I use Transactions, for DBs that support it. I have separate DBs for security and for main data, so there’s a security DB that can be sequestered and tracked/audited.
While I was developing the server, I went pretty crazy, with the testing. Each layer was subjected to thousands of probes and attacks, at varying levels, on millions of dummy records (I’ll probably never have more than a couple of thousand users), before I went on to the next one. I worked on it for over seven months, before I wrote one line of Swift. I’m big on testing.
If that sounds complicated, it actually isn’t, if you follow the architectural rules, but because it’s embedded into a very, very simple, low-level, abstraction, it almost never needs to be accessed.
I avoid working on the backend, because I basically hate PHP, and server-level work. I prefer spending my time, making users happy, at the UX level, with native Swift clients. I do overkill, on the low-level, so I don’t have to worry about it.
But probably, the best security, is that I don’t actually store that much user data, and don’t do things like data mining on the bit that I do store. We have a fairly strict privacy policy, that I treat as Canon Law. My partners don’t really like it, but I’m an uncompromising S. O. B.
I’ve seen stuff, man…
> More relevant would be a discussion about, say, memory safety, or auditing, or whatever that is actually on-topic and actionable.
It's curious that the first sentence mentions social and political issues, whereas the second sentence completely ignores them. The original comment of ChrisMarshallNY was addressing the social and political issues in tech, albeit vaguely.
You also mention valuing "iteration speed" without acknowledging the predictable devastation this has on quality.
Shipping less, and shipping slower, is on-topic and actionable.
The biggest barriers to addressing global warming are social and political. Many powerful people don't want to address it. Indeed, they've intentionally promoted the idea that the problem doesn't even exist. Purely technical discussions are futilely rearranging the deck chairs on the Titanic if they ignore this.
I do think that ChrisMarshallNY misdiagnoses the problem a bit:
> I feel as if the current tech community has a baseline ethos of “write code as badly as we can get away with,” and that ethos is rewarded.
The second clause of the sentence is redundant, because the first clause is the heart of the matter. Anyone who operates purely according to financial incentives will inevitably cut corners. Crap is profitable, for various economic reasons that are beyond the scope of this comment. In order to achieve high quality consistently, you have to care about quality, about craftsmanship, independently of financial awards. This doesn't mean you don't care about financial awards, just that you have to care about both quality and money. For lack of a better term, you need business ethics, where some ethical principles are inviolable. You can seek profit without seeking profit maximization.
Note that religion is largely independent of financial considerations:
> At that company, Quality was a religion, and they took it to the point of obsession.
> It's curious that the first sentence mentions social and political issues, whereas the second sentence completely ignores them.
I didn’t talk about them here because I wasn’t really interested in getting into an argument about it. I think you know me well enough to agree that I am well aware of the social and political implications of these kinds of attacks, and that I do actually care about them quite a lot. It’s just that this comment section and even sometimes Hacker News in general is not a great place to talk about a country’s policy on offensive cyberattacks or industry opposition preventing moving to safer practices, for example.
> You also mention valuing "iteration speed" without acknowledging the predictable devastation this has on quality.
You know I don’t actually necessarily think this is as simple as you say it is. Obviously rushing to ship will lead to worse quality. But being able to iterate and release software faster can sometimes have a positive impact on quality. Compare the quality of our favorite vendor’s browser to, say, Google’s: I think it is quite reasonable to say that the software quality of the latter is actually far higher, and bugs get fixed faster, specifically because of their release cadence. Now, I don’t actually want to use Chrome and there are a hundred people working on sneaking in ads into it or whatever, but it’s not actually “ship slow and get it right”.
> Anyone who operates purely according to financial incentives will inevitably cut corners.
I think (vaguely, don’t hold me to this) that societally we do too little to punish this and that uncut corners should be valued more highly. But again you don’t hear me going “yeah everyone sucks because of money” as my comment because I don’t think this is a novel insight and I have nothing more to add. This was the reason why I said the software quality discussion wasn’t super interesting.
> Hacker News in general is not a great place to talk about a country’s policy on offensive cyberattacks
That's not what I was referring to. By "the social and political issues in tech", I meant the general issues involved in building software, the internal and external cultures of the software developers.
> But being able to iterate and release software faster can sometimes have a positive impact on quality. Compare the quality of our favorite vendor’s browser to, say, Google’s: I think it is quite reasonable to say that the software quality of the latter is actually far higher, and bugs get fixed faster, specifically because of their release cadence.
You might have cause and effect reversed here. You suggest that the results are due to the engineering practices of the companies, whereas I would suggest that the engineering practices of the companies are a result of the values of the companies. It does appear to me that Google inherently cares more about security than Apple, and as far as I can tell, Google has more of an engineering-led culture than Apple.
Having said that, I don't think this is as simple as you say it is. ;-) For example, Google Chrome has a user-hostile silent forced updates system, which is what allows them to ship constant updates, whereas Apple Safari has a more user-friendly system where there's visibility and choice: you can see the pending updates in System Settings and choose when or even whether to install them. The latter type of update system is much less conducive to constant, frequent updates, because that would annoy users.
I don't understand why Apple has chosen to tie Safari updates to OS updates, on iOS and on the latest macOS, especially since the same Safari updates are not tied to OS updates on macOS N-1 and N-2. I mean, I understand why the major OS updates in the fall bring major Safari updates, but I don't understand why the subsequent minor Safari updates couldn't come separately, which will give Apple more flexibility to patch security vulnerabilities and other bugs in Safari.
Back to Chrome, I'm not sure I agree that its release cadence is good. First, Chrome has a public release schedule, and schedules are the death of software quality. Fixing bugs as soon as you can is fine, but forcing yourself to release things at certain fixed dates, simply for the purpose of releasing something, is not fine. The calendar is governing the release, not the readiness of the software. Moreover, Google Chrome is constantly, constantly, constantly introducing new features and other changes that have nothing to do with fixing bugs, which means that Google Chrome is constantly, constantly, constantly introducing new bugs, including new security vulnerabilities.
Apple also has a schedule: major new OS updates go out every September, no matter what. And this practice, the forced schedule, creates major quality issues. Ready or not, the updates must ship. Apple has more flexibility between Septembers, but unfortunately, contemporary Apple has also adopted the practice of using "minor" updates to constantly, constantly, constantly introduce new features and other changes that have nothing to do with fixing bugs. Part of the reason behind this is that Apple's forced yearly schedule doesn't give the company the time to finish things they've been working on and even promised at WWDC (another forced yearly schedule with self-imposed big announcements).
All of this is in stark contrast to "the good old days" when major Mac OS X updates had no fixed schedule. Of course the 10.N updates were still buggy, as major software updates always are, inevitably and predictably, but the major updates were infrequent, and they weren't forced on users. To the contrary, you had to go to a retail store and pay $129 for the privilege of receiving the discs to install a Mac OS X 10.N.0 version. The early adopters were self-selecting. And the minor 10.N.M updates were almost exclusively bug fixes without new features, so you had increasing quality over time, up and until the next major update.
> I think (vaguely, don’t hold me to this) that societally we do too little to punish this and that uncut corners should be valued more highly.
Perhaps, but I consider reward and punishment to fall under the same rubric as "incentives". And "getting tough on crime" rarely if ever works, for various well-known reasons. For example, wrongdoers don't believe they'll get caught, until they do get caught, making the punishment largely irrelevant to preventing the actions. And powerful people are very good at escaping the worst punishments even when they do get caught, as the powerful people tend to control the system of rewards and punishments.
IMO the only effective way to encourage good behavior and discourage bad behavior is to teach and foster personal ethics. The "incentives" have to be internal to one's own mind rather than external to one's body. Ethics make you do the right thing even when nobody is watching, even if you never get rewarded or punished. No system, no matter how "perfectly designed" can turn a bunch of bad people into a good, well-functioning society. The quality of the society depends essentially on the personal qualities of its members.
The main reason is because of WebKit, which is a built-in OS SDK.
If they update WebKit, then Safari also needs to be updated, to satisfy the new links, if for no other reason.
if you are a refugee or fleeing with ambiguous rights etc it could lead to death but that is mitigated by the fact the people buying may not necessarily be able to get deep into the weeds to figure out how it works most get the leaked source follow a playbook etc
so most western journalists should be safe unless they incurred the wrath of five eyes or something at which point running would be futyl :)
31. 206 points 9 hours ago US judge finds Israel's NSO Group liable for hacking journalists via WhatsApp (reuters.com)
22. 37 points 8 hours ago My Pal, the Ancient Philosopher (nautil.us)
15. 4 points 4 hours ago Testing for Thermal Issues Becomes More Difficult (semiengineering.com)
18. 11 points 2 hours ago The Christmas story of one tube station's 'Mind the Gap' voice (2019) (theguardian.com)