by shmatt 1517 days ago
I see something very positive in this news - it looks like Apple and other companies have successfully blocked most if not all of Pegasus' 0-click exploits.

The truly scary portion of this world is not even being sent an SMS/clicking a dangerous link; for a while people were getting infected without ever clicking anything.

To me the most interesting leak/investigation that can come out of NSO is what happens once a 0-day is patched. Is there downtime? Do customers need to wait for a software update? Is there automatic rotation of exploits?

2 comments

I wondered about how they manage their exploits too. Presumably they are constantly developing new exploits. I would guess that if they have a live 0-click that is working reliably they sit on the others until the current exploit is no longer effective. I doubt NSO considers their customers fully trustworthy. So they probably check every prerelease of iOS and Android for patches and ship the next exploit to customers only when a current exploit is being patched.

> To me the most interesting leak/investigation that can come out of NSO is what happens once a 0-day is patched. Is there downtime? Do customers need to wait for a software update? Is there automatic rotation of exploits?

I'd have to think NSO Group has the finances to bank at least a few 0-click zero-days. It seems that the price of such vulnerabilities is increasing, however. Zerodium, a large zero-day broker, is paying up to 2.5 million USD for 0-click Android and 2 million USD for iOS: https://zerodium.com/program.html

It still boggles my mind that input sanitization/validation hasn't gotten a formal discipline around it.

It's boring and tedious, yet crucial.