[polack]

You are right in that these attacks takes more skills or a little bit of money, so in that regard it's not the same.

But in multiple ways I think it's the same; like that it's obvious that security is still not a priority when building the software and that you as a user have to assume that the platforms are compromised.

[dogma1138]

No it’s not I don’t think you realize the skill gap.

There is no SQLmap for iPhones and a “Metasploit” for iPhones costs 10’s of millions and requires you to be able to negotiation contracts on a state level…

The amount of money and skill that is require to identify these vulnerabilities and develop them into functional exploits is pretty insane.

It goes well beyond what even basic RCE due to say unsafe deserialization in Java requires.

Anyone without any knowledge in programming could probably learn how to identify and exploit a SQL injection even without automated tools within days if not hours.

On the other hand even experienced developers look at something like FORCEDENTRY and can barely comprehend it.

[kafrofrite]

Any reasonably complex piece of software will have vulnerabilities. In other words, vulnerabilities are not a variable for the security equation, they are a constant. When designing something, vulnerabilities will exist. Generally, vulnerabilities, on their own, are not a great indication of how security is prioritized internally in any company.

[polack]

When security researchers report SERIOUS security bugs to the manufacturers, as happened again and again the last years, without them acknowledging or fixing them for many months then I think it's safe to say they don't really care about security.

You can go and talk about complex software and that vulnerabilities will always exists how much you want, but there is no excuse for these big companies to not fix major bugs like this within a week from when it's been reported. I don't care if that means that the developers have to postpone their fancy AI face recognition feature that will make your face look like an emoji. NO EXCUSES.

[sgjohnson]

I actually wish NSO Group would sell their spying software to absolutely anyone willing to pay them money for it.

I’m not okay with anyone at all having it, so maybe if everyone could have it, the industry would have to get their shit together and actually patch the exploits.

[et2o]

Did you read about the ForcedEntry exploit? They implemented basically an entire emulator inside of one pass of an obscure PDF compression algorithm. It’s perhaps the most complicated hack I have ever seen by an order of magnitude at least.