NSO == arms dealers, by their own admission. They did not create the market for digital arms, but successfully cater to it. No HN comment will change their business model. They benefit from the easy distribution of software twice. Once as an exploit developer, because all target systems look alike (recall hardware and software vendors also want to write hardware and software once and then distribute widely) and therefore an exploit must only be developed once to apply broadly. Then, a second time as a software developer, because they can sell their same software to multiple clients. Having worked on Pegasuses, the thing that is dreaded the most and is very costly is a rewrite. Those get financially prohibitive.

If the world were serious about stopping the NSOs of the world, it would work toward efficiently (read: inexpensively) making different individual systems wildly different yet remaining interoperable (because the interoperability is where the network effect comes in, providing value in communication systems and leading to their wider adoption). The conflict to solve is how to make systems interoperable and non-interoperable at the same time.

While it is easy to imagine randomized instruction sets, Morpheus-like-blindly-randomize-everything chips and bytecode VMs that use binary translation to modify the phenotype at each individual system, it is not so easy to envision how systems could be written once to interoperate yet prevent BORE-type attacks whereby the one-time exploit development cost can be easily offset by repeat exploitation. The only way forward is to find that lever which gives defenders a cheap button to push that forces an expensive Pegasus rewrite.