Saturday, August 14, 2021
“Sonos is seeking to ban the import of several Google products that are made in China. The preliminary finding will now be reviewed by the full United States International Trade Commission.
OAKLAND, Calif. — Google infringed on speaker-technology patents held by Sonos and should not be allowed to import products that violate Sonos’s intellectual property, a judge said in a preliminary finding by the United States International Trade Commission that was released on Friday.
In January 2020, Sonos sued Google in federal court and in front of the United States International Trade Commission, a quasi-judicial body that decides trade cases and can block the import of goods that violate patents. Google later filed a countersuit against Sonos, claiming that Sonos was infringing on its patents.
Sonos had asked the commission to block imports of Google Home smart speakers, the company’s Chromecast systems and its Pixel phones and computers. Those products are made in China and shipped to the United States.
The brief ruling did not explain why the judge, Charles E. Bullock, believed Google had violated the Tariff Act of 1930, which aims to prevent unfair competition through actions such as the import of products that infringe on U.S. patents, trademarks or copyrights.
The judge’s ruling is not the last word. The full commission has to consider whether to accept or reverse his decision for a final ruling, which is scheduled to take place on Dec. 13. If an import ban is imposed, it wouldn’t take effect for 60 days — well after the holiday shopping season.
José Castañeda, a spokesman for Google, said the company does not use Sonos’s technology. “We disagree with this preliminary ruling and will continue to make our case in the upcoming review process,” he said.
On Wednesday, Eddie Lazarus, Sonos’s chief legal officer, called Google a “serial infringer” of Sonos patents. On a conference call with analysts, he estimated that Google had infringed on more than 150 patents owned by Sonos, although it raised issues only with five patents to the commission. The case in front of the commission is just “the tip of the iceberg,” he said.
On Friday, Mr. Lazarus said in a statement, “This decision reaffirms the strength and breadth of our portfolio, marking a promising milestone in our long-term pursuit to defend our innovation against misappropriation by Big Tech monopolies.”
Sonos has said that Amazon is also violating its patents — a charge that Amazon denies. Sonos executives have said it pursued legal action against only Google because it did not know if it could sue two tech giants at the same time.
Sonos pioneered the market for home speakers that can be controlled by a smartphone and can synchronize music wirelessly between different speakers throughout the house. In recent years, Google, Amazon and Apple have pushed into the market for voice-controlled speakers. Sonos also offers speakers that use the Google Assistant software or Amazon’s similar Echo technology to control the device.
Sonos and Google are also locked in legal disputes over patents in California and Texas as well as France, Germany and the Netherlands.
Sonos’s share price rose 6 percent in after-hours trading on Friday.
Daisuke Wakabayashi covers technology from San Francisco, including Google and other companies. Previously, he spent eight years at The Wall Street Journal, first as a foreign correspondent in Japan and then covering technology in San Francisco. @daiwaka“
Monday, August 02, 2021
‘A one-man scam Pac’: Trump’s money hustling tricks prompt fresh scrutiny
The ex-president has built an arsenal of groups staffed with ex-officials and loyalists seemingly aimed at sustaining his political hopes for a comeback
“Donald Trump’s penchant for turning his political and legal troubles into fundraising schemes has long been recognized, but the former US president’s money hustling tricks seem to have expanded since his defeat by Joe Biden, prompting new scrutiny and criticism from campaign finance watchdogs and legal analysts.
Critics note Trump has built an arsenal of political committees and nonprofit groups, staffed with dozens of ex-administration officials and loyalists, which seem aimed at sustaining his political hopes for a comeback, and exacting revenge on Republican congressional critics. These groups have been aggressive in raising money through at times misleading appeals to the party base which polls show share Trump’s false views he lost the White House due to fraud.
Just days after his defeat last November, Trump launched a new political action committee, dubbed Save America, that together with his campaign and the Republican National Committee quickly raked in tens of millions of dollars through text and email appeals for a Trump “election defense fund”, ostensibly to fight the results with baseless lawsuits alleging fraud.
The fledgling Pac had raised a whopping $31.5m by year’s end, but Save America spent nothing on legal expenses in this same period, according to public records. Run by Trump’s 2016 campaign manager Corey Lewandowski, Save America only spent $340,000 on fundraising expenses last year.
In another move, Trump last month announced he was filing class-action lawsuits against Facebook, Google and Twitter, alleging “censorship” due to bans by the platforms after the 6 January Capitol attack that Trump helped stoke. But the move prompted several legal experts to pan the lawsuits as frivolous and a fundraising ploy.
Trump’s new legal stratagem raised red flags, in part because he teamed up with America First Policy Institute (AFPI), a non-profit group led by ex-White House official Brooke Rollins. At a press briefing with Trump, Rollins publicly told supporters they could “join the lawsuit” by signing up on a website, takeonbigtech.org, a claim belied by details on the website which featured a red button with the words “DONATE to AFPI”.
“Donald Trump is a one-man scam Pac,” said Paul S Ryan, vice-president of policy and litigation with Common Cause. “Bait-and-switch is among his favorite fundraising tactics,” Ryan stressed, noting that Trump’s Save America Pac told “supporters he needed money to challenge the result of an election he clearly lost”, and then wound up not spending any on litigation last year.
“Now he’s at it again, with frivolous lawsuits filed [in July] against Facebook, Twitter and Google, accompanied by fundraising appeals,” Ryan added. “This time he’s got the unlimited dark money group America First Policy Institute in on the racket.”
Other experts voice strong concerns about Trump’s tactics with Save America.
“The president deceived his donors. He asked them to give money so he could contest the election results, but then he spent their contributions to pay off unrelated debts,” said Adav Noti, a former associate general counsel at the Federal Election Commission and now chief of staff at the nonpartisan Campaign Legal Center.
Noti added: “That’s dangerously close to fraud. If a regular charity – or an individual who didn’t happen to be president of the United States – had raised tens of millions of dollars through that sort of deception, they would face a serious risk of prosecution.”
Such concerns have not deterred Trump’s fundraising machine from expanding further with the launch of a super Pac, Make America Great Again Action, which can accept unlimited donations. Both the super Pac and Save America are run by Trump’s ex-campaign manager Lewandowski, who did not return calls seeking comment.
The Super Pac has reportedly hosted at least two events for mega donors at Trump’s golf club in Bedminster, New Jersey, and in Dallas, but it’s not known how much has been hauled in so far.
Both Pacs are seen as vehicles for Trump to raise more funds to influence 2022 congressional races, where he has vowed to try to defeat several politicians such as the anti-Trump Republican Liz Cheney who voted to impeach him this year after the Capitol attack.
Campaign filings for the first six months of 2021 reveal that Trump’s political groups, led by Save America, raised $82m, an unprecedented total for an ex-president. Save America banked most of the funds while spending some to pay for Trump’s travel and other expenses, instead of challenging election results in states like Arizona despite Trump’s false claims of fraud there.
Veteran campaign finance analysts say that the bevy of Trump-linked groups launched since his defeat raise new questions about his motives and political intentions.
“Trump’s aggressive fundraising, using a variety of committees and surrogates, raises questions about whether his continual hints at running in 2024 is primarily a ploy for donations,” said Sheila Krumholz, who leads the nonpartisan Center for Responsive Politics. “Trump may be more interested in fundraising than actually running, especially given how unprecedented his post-loss fundraising is.”
Besides Trump’s fundraising pitches for his new Pacs and non-profits, some major Republican groups have collaborated in fundraising appeals since his defeat, and keep piggybacking on his allure to the party base, despite Trump’s repeated falsehoods that the election was stolen.
In the eight weeks post-election, for instance, the RNC, the Trump campaign and Save America reportedly raised about $255m, but only spent a small fraction on lawsuits.
Further, Trump’s cachet with small donors is still exploited by party allies including the National Republican Senatorial Committee (NRSC), the fundraising arm for Republican senators.
For instance, the NRSC in July email fundraising pitches touted a free Trump T-shirt for a limited number of donors writing checks from $35 to $5,000 to “protect the America First Majority”.
Similarly, the RNC in a 19 July email alert rolled out a money pitch to become an “official 2021 Trump Life Member” for donors who chipped in $45 or more by midnight.
Charlie Black, a longtime Republican operative, said that Republican committees realize that Trump’s “name has the most popular appeal to the grassroots, so naturally they’re going to try to figure out ways to use his brand where they can to raise more funds”.
But legal analysts caution that Trump’s fundraising modus operandi with his various new Pacs and non-profits is different, and carries clear risks for unwitting donors and US campaign finance laws.
“Our nation’s campaign finance and anti-fraud laws have proven no match for Trump’s schemes,” said Ryan of Common Cause. “So my one piece of advice for Trump supporters is donor beware!”
Wednesday, July 28, 2021
Amazon’s older Kindles will start to lose their internet access in December
"Amazon’s Kindle e-readers with built-in 3G will begin to lose the ability to connect to the internet on their own in the US in December, according to an email sent to customers on Wednesday. The change is due to mobile carriers transitioning from older 2G and 3G networking technology to newer 4G and 5G networks. For older Kindles without Wi-Fi, this change could mean not connecting to the internet at all.
As Good e-Reader first noted in June, newer Kindle devices with 4G support should be fine, but for older devices that shipped with support for 3G and Wi-Fi like the Kindle Keyboard (3rd generation), Kindle Touch (4th generation), Kindle Paperwhite (4th, 5th, 6th, and 7th generation), Kindle Voyage (7th generation), and Kindle Oasis (8th generation), users will be stuck with Wi-Fi only. In its email announcement, Amazon stresses that you can still enjoy the content you already own and have downloaded on these devices, you just won’t be able to download new books from the Kindle Store unless you’re doing it over Wi-Fi.
Things get more complicated for Amazon’s older Kindles, like the Kindle (1st and 2nd generation), and the Kindle DX (2nd generation). Since those devices relied solely on 2G or 3G internet connectivity, once the networks are shut down, the only way to get new content onto your device will be through an old-fashioned micro-USB cable. For customers affected by the shutdown, Amazon is offering a modest promotional credit (NEWKINDLE50) through August 15th for $50 towards a new Kindle Paperwhite or Kindle Oasis, along with $15 in-store credit for ebooks.
While arguably the company could do more to help affected customers (perhaps by replacing older devices entirely) this issue is largely out of Amazon’s hands. The carriers have all committed to different time frames for when older 2G and 3G networks will go kaput, with AT&T setting the date for February 22nd, 2022, T-Mobile reportedly targeting April 2022, and Verizon shooting for December 31st, 2022.
Taking those into account, Amazon’s December date seems premature, but better to be prepared now than left with a less useful e-reader later this year."
Wednesday, July 21, 2021
Delta variant accounts for 83% of new cases in US, CDC director says
A cluster of midwestern and southern states have emerged as new hotspots for Covid
“The highly transmissible Delta variant of the coronavirus now accounts for 83% of all sequenced cases in the US, a top federal health official said on Tuesday.
“This is a dramatic increase, up from 50% [in] the week of 4 July,” Rochelle Walensky, director of the Centers for Disease Control and Prevention (CDC), said in Senate testimony.
Walensky also said Covid fatalities had risen by nearly 48% over the past week to an average of 239 a day.
“Each death is tragic and even more heartbreaking when we know that the majority of these deaths.”
Monday, July 19, 2021
"Space aficionados have been following the saga of the . It had a happy ending as , and now we have visual proof of Hubble's health in the form of some lovely new galaxy images.
NASA released the images on Monday. They show some of the telescope's science targets from over the weekend as it returned to service after over a month in safe mode. The space agency switched the 31-year-old telescope over to backup hardware in order to save the mission."
The Pegasus Project | A global investigation
Despite the hype, iPhone security no match for NSO spyware
Once inside, the spyware, produced by Israel’s NSO Group and licensed to one of its government clients, went to work, according to a forensic examination of her device by Amnesty International’s Security Lab. It found that between October and June, her phone was hacked multiple times with Pegasus, NSO’s signature surveillance tool, during a time when she was in France.
The examination was unable to reveal what was collected. But the potential was vast: Pegasus can collect emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings and browsing histories, according to security researchers and NSO marketing materials. The spyware can activate cameras or microphones to capture fresh images and recordings. It can listen to calls and voice mails. It can collect location logs of where a user has been and also determine where that user is now, along with data indicating whether the person is stationary or, if moving, in which direction.
And all of this can happen without a user even touching her phone or knowing she has received a mysterious message from an unfamiliar person — in Mangin’s case, a Gmail user going by the name “linakeller2203.”
For years, Mangin has been waging an international campaign to win freedom for her husband, activist Naama Asfari, a member of the Sahrawi ethnic group and advocate of independence for the Western Sahara who was jailed in 2010 and allegedly tortured by Moroccan police, drawing an international outcry and condemnation from the United Nations.
“When I was in Morocco, I knew policemen were following me everywhere,” Mangin said in a video interview conducted in early July from her home in suburban Paris. “I never imagined this could be possible in France.”
Especially not through the Apple products that she believed would make her safe from spying, she said. The same week she sat for an interview about the hacking of her iPhone 11, a second smartphone she had borrowed — an iPhone 6s — also was infected with Pegasus, a later examination showed.
Researchers have documented iPhone infections with Pegasus dozens of times in recent years, challenging Apple’s reputation for superior security when compared with its leading rivals, which run Android operating systems by Google.
The months-long investigation by The Post and its partners found more evidence to fuel that debate. Amnesty’s Security Lab examined 67 smartphones whose numbers were on the Forbidden Stories list and found forensic evidence of Pegasus infections or attempts at infections in 37. Of those, 34 were iPhones — 23 that showed signs of a successful Pegasus infection and 11 that showed signs of attempted infection.
Only three of the 15 Android phones examined showed evidence of a hacking attempt, but that was probably because Android’s logs are not comprehensive enough to store the information needed for conclusive results, Amnesty’s investigators said.
Still, the number of times Pegasus was successfully implanted on an iPhone underscores the vulnerability of even its latest models. The hacked phones included an iPhone 12 with the latest of Apple’s software updates.
In a separate assessment published Sunday, the University of Toronto’s Citizen Lab endorsed Amnesty’s methodology. Citizen Lab also noted that its previous research had found Pegasus infections on an iPhone 12 Pro Max and two iPhone SE2s, all running 14.0 or more recent versions of the iOS operating system, first released last year.
How Pegasus works
Target: Someone sends what’s known as a trap link to a smartphone that persuades the victim to tap and activate — or activates itself without any input, as in the most sophisticated “zero-click” hacks.
Infect: The spyware captures and copies the phone’s most basic functions, NSO marketing materials show, recording from the cameras and microphone and collecting location data, call logs and contacts.
Track: The implant secretly reports that information to an operative who can use it to map out sensitive details of the victim’s life.
Ivan Krstić, head of Apple Security Engineering and Architecture, defended his company’s security efforts.
“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” he said in a statement. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Apple burnished its reputation for guarding user privacy during its high-profile legal fight with the FBI in 2016 over whether the company could be forced to unlock an iPhone used by one of the attackers in a San Bernardino, Calif., mass shooting the previous year. The FBI ultimately withdrew from the legal clash when it found an Australian cybersecurity firm, Azimuth Security, that could unlock the iPhone 5c without any help from Apple.
Outside researchers praise Apple for its stand — and for continuing to improve its technology with each new generation of iPhones. The company last year quietly introduced BlastDoor, a feature that seeks to block iMessages from delivering malware, to make Pegasus-style attacks more difficult.
The investigation’s conclusions also are likely to fuel a debate about whether tech companies have done enough to shield their customers from unwanted intrusions. The vulnerability of smartphones, and their widespread adoption by journalists, diplomats, human rights activists and businesspeople around the world — as well as criminals and terrorists — has given rise to a robust industry offering commercially available hacking tools to those willing to pay.
NSO, for example, reported $240 million in revenue last year, and there are many other companies that offer similar spyware.
On Sunday, NSO’s chief executive, Shalev Hulio, told The Post that he was upset by the investigation’s reports that phones belonging to journalists, human rights activists and public officials had been targeted with his company’s software, even though he disputed other allegations reported by The Post and its partner news organizations. He promised an investigation. “Every allegation about misuse of the system is concerning to me,” Hulio said. “It violates the trust we are giving the customer.”
Apple is not alone in dealing with potential intrusions. The other major target of Pegasus is Google’s Android operating system, which powers smartphones by Samsung, LG and other manufacturers.
Google spokeswoman Kaylin Trychon said that Google has a threat analysis team that tracks NSO Group and other threat actors and that the company sent more than 4,000 warnings to users each month of attempted infiltrations by attackers, including government-backed ones.
She said the lack of logs that help researchers determine whether an Android device has been attacked was also a security decision.
“While we understand that persistent logs would be more helpful for forensic uses such as the ones described by Amnesty International’s researchers, they also would be helpful to attackers. We continually balance these different needs,” she said.
Advocates say the inability to prevent the hacking of smartphones threatens democracy in scores of nations by undermining newsgathering, political activity and campaigns against human rights abuses. Most nations have little or no effective regulation of the spyware industry or how its tools are used.
“If we’re not protecting them and not providing them with tools to do this dangerous work, then our societies are not going to get better,” said Adrian Shahbaz, director of technology and democracy for Freedom House, a Washington-based pro-democracy think tank. “If everyone is afraid of taking on the powerful because they fear the consequences of it, then that would be disastrous to the state of democracy.”
Hatice Cengiz, the fiancee of slain Washington Post contributing columnist Jamal Khashoggi, said she used an iPhone because she thought it would offer robust protection against hackers.
“Why did they say the iPhone is more safe?” Cengiz said in a June interview in Turkey, where she lives. Her iPhone was among the 23 found to have forensic evidence of successful Pegasus intrusion. The infiltration happened in the days after Khashoggi was killed in October 2018, the examination of her phone found.
NSO said in a statement that it had found no evidence that Cengiz’s phone had been targeted by Pegasus. “Our technology was not associated in any way with the heinous murder of Jamal Khashoggi,” the company said.
A head-to-head comparison of the security of Apple’s and Google’s operating systems and the devices that run them is not possible, but reports of hacks to iPhones have grown in recent years as security researchers have discovered evidence that attackers had found vulnerabilities in such widely used iPhone apps as iMessage, Apple Music, Apple Photos, FaceTime and the Safari browser.
The investigation found that iMessage — the built-in messaging app that allows seamless chatting among iPhone users — played a role in 13 of the 23 successful infiltrations of iPhones. iMessage was also the mode of attack in six of the 11 failed attempts Amnesty’s Security Lab identified through its forensic examinations.
One reason that iMessage has become a vector for attack, security researchers say, is that the app has gradually added features, which inevitably creates more potential vulnerabilities.
“They can’t make iMessage safe,” said Matthew Green, a security and cryptology professor at Johns Hopkins University. “I’m not saying it can’t be fixed, but it’s pretty bad.”
One key issue: iMessage lets strangers send iPhone users messages without any warning to or approval from the recipient, a feature that makes it easier for hackers to take the first steps toward infection without detection. Security researchers have warned about this weakness for years.
“Your iPhone, and a billion other Apple devices out-of-the-box, automatically run famously insecure software to preview iMessages, whether you trust the sender or not,” said security researcher Bill Marczak, a fellow at Citizen Lab, a research institute based at the University of Toronto’s Munk School of Global Affairs & Public Policy. “Any Computer Security 101 student could spot the flaw here.”
The encrypted chat app Signal adopted new protections last year requiring user approval when an unfamiliar user attempts to initiate a call or text — a protection Apple has not implemented with iMessage. Users of iPhones can choose to filter unfamiliar users by activating a feature in their devices’ settings, though research for many years has shown that ordinary users of devices or apps rarely take advantage of such granular controls.
In a 2,800-word email responding to questions from The Post that Apple said could not be quoted directly, the company said that iPhones severely restrict the code that an iMessage can run on a device and that it has protections against malware arriving in this way. It said BlastDoor examines Web previews and photos for suspicious content before users can view them but did not elaborate on that process. It did not respond to a question about whether it would consider restricting messages from senders not in a person’s address book.
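The weakness the researchers describe above is architectural: untrusted bytes from any sender reach a complex preview parser before the user has done anything. The following is an added illustration, not code from Apple, Signal, NSO or the Pegasus Project, that models the two delivery policies side by side. The preview format, its parser, the sender addresses and the message contents are all constructed for the example; a parser exception stands in for the memory-safety bugs a real exploit would abuse, since the point being shown is whether attacker-controlled data reaches the parser at all before consent.

```python
"""Constructed model of 'preview before consent' (not Apple's or Signal's code).

AUTO_PREVIEW: run the preview parser on every incoming message, so a crafted
attachment from a stranger is parsed with no user action (the zero-click path).
GATE_UNKNOWN: hold messages from senders not in contacts, unparsed, until the
user approves the sender (the Signal-style protection described in the text).
"""
import struct
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    AUTO_PREVIEW = "auto_preview"   # parse previews for any sender
    GATE_UNKNOWN = "gate_unknown"   # unknown senders: hold, do not parse


@dataclass
class Message:
    sender: str
    text: str
    attachment: bytes = b""  # optional link-preview blob in the constructed format


class PreviewError(Exception):
    """Malformed preview blob; stands in for a parser crash or exploit."""


def parse_preview(blob: bytes) -> dict:
    """Parse a constructed TLV preview: repeated (tag:1 byte, len:2 bytes BE, value).

    Tag 1 = title, tag 2 = URL. Every length is bounds-checked against the
    buffer; an overrunning length raises PreviewError instead of reading past it.
    """
    fields = {}
    i = 0
    while i < len(blob):
        if i + 3 > len(blob):
            raise PreviewError("truncated TLV header at offset %d" % i)
        tag, length = struct.unpack(">BH", blob[i:i + 3])
        i += 3
        if i + length > len(blob):
            raise PreviewError("length %d overruns buffer at offset %d" % (length, i))
        value = blob[i:i + length]
        i += length
        if tag == 1:
            fields["title"] = value.decode("utf-8", errors="replace")
        elif tag == 2:
            fields["url"] = value.decode("utf-8", errors="replace")
        else:
            raise PreviewError("unknown tag %d" % tag)
    return fields


@dataclass
class Inbox:
    contacts: set
    policy: Policy
    parser_calls: int = 0                      # how often untrusted bytes hit the parser
    quarantine: list = field(default_factory=list)

    def deliver(self, msg: Message) -> str:
        """Return 'previewed', 'delivered', 'quarantined' or 'parser_error'."""
        trusted = msg.sender in self.contacts
        if not trusted and self.policy is Policy.GATE_UNKNOWN:
            self.quarantine.append(msg)        # parser never sees the bytes
            return "quarantined"
        if not msg.attachment:
            return "delivered"
        self.parser_calls += 1
        try:
            parse_preview(msg.attachment)
        except PreviewError:
            return "parser_error"
        return "previewed"

    def approve_sender(self, sender: str) -> list:
        """User approves a sender; only now are that sender's held messages processed."""
        self.contacts.add(sender)
        held = [m for m in self.quarantine if m.sender == sender]
        self.quarantine = [m for m in self.quarantine if m.sender != sender]
        return [self.deliver(m) for m in held]


def tlv(tag: int, value: bytes) -> bytes:
    return struct.pack(">BH", tag, len(value)) + value


# Constructed inputs: a well-formed preview, and a crafted one whose length
# field claims 4000 bytes that the 11-byte blob does not contain.
BENIGN_PREVIEW = tlv(1, b"Hello") + tlv(2, b"https://example.org/")
CRAFTED_PREVIEW = tlv(1, b"x") + struct.pack(">BH", 2, 4000) + b"AAAA"


def demo(policy: Policy) -> dict:
    """Deliver one message from a contact and one from a stranger under a policy."""
    inbox = Inbox(contacts={"friend@example.org"}, policy=policy)
    results = {
        "friend": inbox.deliver(Message("friend@example.org", "hi", BENIGN_PREVIEW)),
        "stranger": inbox.deliver(Message("stranger@example.org", "?", CRAFTED_PREVIEW)),
    }
    results["parser_calls"] = inbox.parser_calls
    return results


if __name__ == "__main__":
    for p in Policy:
        print(p.value, demo(p))
```

Under AUTO_PREVIEW the stranger's crafted blob reaches the parser and triggers the error path with no user interaction; under GATE_UNKNOWN the same message is held and the parser is invoked only for the trusted contact. Sandboxing the parser (what the text says BlastDoor does) limits the damage when it is reached; gating on sender approval reduces how often it is reached at all, and the two are complementary.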
The Amnesty technical analysis also found evidence that NSO’s clients use commercial Internet service companies, including Amazon Web Services, to deliver Pegasus malware to targeted phones. (Amazon’s executive chairman, Jeff Bezos, owns The Post.)
Kristin Brown, a spokeswoman for Amazon Web Services, said, “When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts.”
The infiltration of Mangin’s iPhones underscores hard lessons about privacy in the age of smartphones: Nothing held on any device is entirely safe. Spending more for a premium smartphone does not change that fact, especially if some nation’s intelligence or law enforcement agencies want to break in. NSO reported last month that it has 60 government customers in 40 countries, meaning some nations have more than one agency with a contract.
New security measures often exert costs to consumers in terms of ease of use, speed of apps and battery life, prompting internal struggles in many technology companies over whether such performance trade-offs are worth the improved resistance to hacking that such measures provide.
One former Apple employee, who spoke on the condition of anonymity because Apple requires its employees to sign agreements prohibiting them from commenting on nearly all aspects of the company, even after they leave, said it was difficult to communicate with security researchers who reported bugs in Apple products because the company’s marketing department got in the way.
“Marketing could veto everything,” the person said. “We had a whole bunch of canned replies we would use over and over again. It was incredibly annoying and slowed everything down.”
Apple also restricts the access outside researchers have to iOS, the mobile operating system used by iPhones and iPads, in a way that makes investigation of the code more difficult and limits the ability of consumers to discover when they’ve been hacked, researchers say.
In its email response to questions from The Post, Apple said its product marketing team has a say only in some interactions between Apple employees and outside security researchers and only to ensure the company’s messaging about new products is consistent. It said it is committed to giving tools to outside security researchers and touted its Security Research Device Program, in which the company sells iPhones with special software that researchers can use to analyze iOS.
Critics — both inside and outside the company — say Apple also should be more focused on tracking the work of its most sophisticated adversaries, including NSO, to better understand the cutting-edge exploits attackers are developing. These critics say the company’s security team tends to focus more on overall security, by deploying features that thwart most attacks but may fail to stop attacks on people subject to government surveillance — a group that often includes journalists, politicians and human rights activists such as Mangin.
“It’s a situation where you’re always working with an information deficit. You don’t know a whole lot about what’s out there,” said a former Apple engineer, speaking on the condition of anonymity because Apple does not permit former employees to speak publicly without company permission. “When you have a well-resourced adversary, different things are on the table.”
In its email to The Post, Apple said that in recent years it has significantly expanded its security team focused on tracking sophisticated adversaries. Apple said in the email that it is different from its competitors in that it elects not to discuss these efforts publicly, instead focusing on building new protections for its software. Overall, its security team has grown fourfold over the past five years, Apple said.
Apple’s business model relies on the annual release of new iPhones, its flagship product that generates half of its revenue. Each new device, which typically arrives with an updated operating system available to users of older devices, includes many new features — along with what security researchers call new “attack surfaces.”
Current and former Apple employees and people who work with the company say the product release schedule is harrowing, and, because there is little time to vet new products for security flaws, it leads to a proliferation of new bugs that offensive security researchers at companies like NSO Group can use to break into even the newest devices.
In its email to The Post, Apple said it uses automated tools and in-house researchers to catch the vast majority of bugs before they’re released and that it is the best in the industry.
Apple also was a relative latecomer to “bug bounties,” where companies pay independent researchers for finding and disclosing software flaws that could be used by hackers in attacks.
Krstić, Apple’s top security official, pushed for a bug bounty program that was added in 2016, but some independent researchers say they have stopped submitting bugs through the program because Apple tends to pay small rewards and the process can take months or years.
Last week, Nicolas Brunner, an iOS engineer for Swiss Federal Railways, detailed in a blog post how he submitted a bug to Apple that allowed someone to permanently track an iPhone user’s location without their knowledge. He said Apple was uncommunicative, slow to fix the bug and ultimately did not pay him.
Asked about the blog post, an Apple spokesman referred to Apple’s email in which it said its bug bounty program is the best in the industry and that it pays higher rewards than any other company. In 2021 alone, it has paid out millions of dollars to security researchers, the email said.
People familiar with Apple’s security operations say Krstić has improved the situation, but Apple’s security team remains known for keeping a low public profile, declining to make presentations at conferences such as the heavily attended Black Hat cybersecurity conference in Las Vegas each summer, where other tech companies have become fixtures.
Once a bug is reported to Apple, it’s given a color code, said former employees familiar with the process. Red means the bug is being actively exploited by attackers. Orange, the next level down, means the bug is serious but that there is no evidence it has been exploited yet. Orange bugs can take months to fix, and the engineering team, not security, decides when that happens.
Former Apple employees recounted several instances in which bugs that were not believed to be serious were exploited against customers between the time they were reported to Apple and when they were patched.
Apple said in its email that no system is perfect but that it rapidly fixes serious security vulnerabilities and continues to invest in improving its system for assessing the seriousness of bugs.
But outside security researchers say they cannot be sure how many iOS users are exploited because Apple makes it difficult for researchers to analyze the information that would point to exploits.
“I think we’re seeing the tip of the iceberg at the moment,” said Costin Raiu, director of the global research and analysis team at cybersecurity firm Kaspersky Lab. “If you open it up and give people the tools and ability to inspect phones, you have to be ready for the news cycle which will be mostly negative. It takes courage.”
Dana Priest contributed to this report.
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab.