Google Threatens to Air Microsoft and Apple's Dirty Code

GeneralTheoryOfBadassery

And when it is Google's turn. "Oh it's 2 years old Android... it's not OUR problem that it affected the majority of Android users by significant margins....it's manufacturers' fault! Yea That is right! manufacturers' fault. They should be fixing Android security bugs, not us, the creators and main developers... Look at us, we are poor, have no resources, we can't do this alone! Poo hoo..."

 

Fix your own issues Google first, then you can bully the rest.

Ad hominem.

 

 

Why not just 0 days, Google? Why 90? Some bugs take longer to fix, some shorter; your time table is so fucking arbitrary what difference does it make? 

Now you're just being silly. 90 days seems pretty reasonable. If you don't understand why it's not 0 days then the entire concept of the program has gone right over your head.

 

 

I see the need for a system like this to exist, but I also see that Google is taking unfair advantage of it. A 3rd party - independent organization would be better suited to this. One that is perhaps funded by all major Software companies equally, but has no ties to any of them. Or funded by Government or UN perhaps?

But Google IS a third party.

By the way, you can find a ton of security issues related to Google products on their security research repository. They obey their own rules very well by the looks of it.

 

 

By the way, Google has now implemented a 14-day grace period. If the vendor contacts Google and says that the patch is ready then Google will give them an extra 14 days to roll it out before disclosing it. I think that should have been in the program from the start, because it really was a dick move to disclose that first Windows vulnerability just a few days before the patch was being rolled out.


Ad hominem.

 

 

Now you're just being silly. 90 days seems pretty reasonable. If you don't understand why it's not 0 days then the entire concept of the program has gone right over your head.

 

 

But Google IS a third party.

By the way, you can find a ton of security issues related to Google products on their security research repository. They obey their own rules very well by the looks of it.

 

 

By the way, Google has now implemented a 14-day grace period. If the vendor contacts Google and says that the patch is ready then Google will give them an extra 14 days to roll it out before disclosing it.

Why didn't that make news? Much more news-worthy I'd say, considering that Project Zero's strict 90-day policy has put consumers at risk before (both with Apple and Microsoft, when a patch was imminent).

 

A 14-day grace period is definitely a step in the right direction, but isn't enough. Simply put, 90 days is entirely, 100% arbitrary. See your comment: "Seems pretty reasonable". It does, doesn't it? That's the dangerous thing about it. It seems reasonable, yet without being a dev in Microsoft or Apple, or otherwise seeing the source code, you cannot say without a doubt that "90 days is sufficient" for any given bug.

 

In some cases, it will be. In other cases, it will not be.


Why didn't that make news? Much more news-worthy I'd say, considering that Project Zero's strict 90-day policy has put consumers at risk before (both with Apple and Microsoft, when a patch was imminent).

 

A 14-day grace period is definitely a step in the right direction, but isn't enough. Simply put, 90 days is entirely, 100% arbitrary. See your comment: "Seems pretty reasonable". It does, doesn't it? That's the dangerous thing about it. It seems reasonable, yet without being a dev in Microsoft or Apple, or otherwise seeing the source code, you cannot say without a doubt that "90 days is sufficient" for any given bug.

 

In some cases, it will be. In other cases, it will not be.

There has to be a deadline, and in the world of security that deadline has to be pretty short. You can't just go "oh there is a big security issue in a product used by millions of people? We'll fix it in half a year". With the huge amounts of security issues being found by Project Zero it would be really hard to negotiate a time frame for every single one of them. 90 days is a pretty good time limit for the vast majority of issues that have been found so far.

 

Of course there will be issues that are more complex than others but those issues should get a higher priority and more resources allocated to fixing, rather than just delaying the update over and over.

 

I don't think Google just pulled 90 days out of thin air. I think they came up with the 90 day deadline by checking how long it takes to fix a variety of security issues. Maybe 90 days is enough time to fix 95% of all vulnerabilities discovered?


Ad hominem.

 

Don't be silly. It's perfectly fair to bring up Google's shitty update policy and complete abandonment of versions of their OS more than a couple years old. Google is attacking MS and Apple for not fixing things "quickly enough" but we can't bring up that Google is willing to leave millions of users at risk because they can't be bothered to go back and fix issues?


Don't be silly. It's perfectly fair to bring up Google's shitty update policy and complete abandonment of versions of their OS more than a couple years old. Google is attacking MS and Apple for not fixing things "quickly enough" but we can't bring up that Google is willing to leave millions of users at risk because they can't be bothered to go back and fix issues?

Nope it is not perfectly fair because it is an ad hominem attack.

You are pointing out a negative characteristic of Google instead of focusing on why they are running Project Zero. Perfect example of an ad hominem attack.


There has to be a deadline, and in the world of security that deadline has to be pretty short. You can't just go "oh there is a big security issue in a product used by millions of people? We'll fix it in half a year". With the huge amounts of security issues being found by Project Zero it would be really hard to negotiate a time frame for every single one of them. 90 days is a pretty good time limit for the vast majority of issues that have been found so far.

 

Of course there will be issues that are more complex than others but those issues should get a higher priority and more resources allocated to fixing, rather than just delaying the update over and over.

 

I don't think Google just pulled 90 days out of thin air. I think they came up with the 90 day deadline by checking how long it takes to fix a variety of security issues. Maybe 90 days is enough time to fix 95% of all vulnerabilities discovered?

A deadline, sure, but that deadline needs to be more flexible given that software vulnerabilities are no simple matter.

 

Also, simply throwing more people at a bug does not necessarily mean it will be fixed faster. Often, that can even make matters worse, because there's too many fingers in the pie, so to speak.

 

I have no idea how Google came up with the 90 day policy. Neither do you, you're just guessing. If they came up with it by a specific methodology, they should publish it. You know, "Transparency", and all that. Which Google loves so much...


Nope it is not perfectly fair because it is an ad hominem attack.

You are pointing out a negative characteristic of Google instead of focusing on why they are running Project Zero. Perfect example of an ad hominem attack.

 

No, I'm pointing out that Google is no more free of fault than the companies they are pointing fingers at. If Google gets to point fingers at others then they have to accept criticism as well. I have no problem with them trying to push MS and Apple to get stuff fixed but I'm not going to turn a blind eye to Google's shitty policies just because I agree with one thing they're doing. Google deserves to get shit for abandoning Android versions as quickly as they do. If they care so much about security then they should fix their own damn OS as well as pointing out issues in their competitor's products. Everyone would give MS and Apple endless amounts of shit if they did the exact same thing, why should Google be treated any differently?


Now you're just being silly. 90 days seems pretty reasonable. If you don't understand why it's not 0 days then the entire concept of the program has gone right over your head.

 

The entire concept of the program hasn't gone over my head, thank you very much. I don't need that kind of condescension this early in the morning from you. 

Google can go around airing others' dirty laundry with rules THEY MADE UP. It is arbitrary. It isn't some industry standard that's upheld by an independent body. It's Google making up rules to make Apple, MS and anyone else look bad. Why hasn't Project Zero uncovered anything that Google has left unfixed? Why don't they soil their own pants instead of only soiling others?

Google is using this as a "let's make others look bad". Apple and MS have every right to fire back under the guise of "it's only for consumer security"

Google has made themselves the self appointed, schoolyard bully. If Google truly cares, they will collaborate with the industry heavyweights and set up an independent organization that does this job of scouring code and finding vulnerabilities and contacting the companies to get fixes implemented. Project Zero, IMHO, has already backfired on Google for their MS debacle, where MS very clearly had a fix ready to go yet Google elected to not respect that and tattled like they were a TMZ-grade tabloid.

@dalekphalm stated it perfectly. Independent body or nothing. No one should self appoint themselves to this kind of position.


I completely agree with this. Go google!


Android is most vulnerable to cyber attacks.

So... Google should get their shit together and shut the fuck up...

Or...

Should they??

I don't think so...

Android is a completely open source OS.

That means... anyone can use the source code according to their will, and modify it however they want... So why haven't manufacturers done that??

They can modify the code and remove the so-called "loopholes" and "security issues".

They have the right to do that, they have the manpower, resources and pretty much all the stuff that they need to remove them...

So why didn't they remove it?? :blink:

So I don't really blame "Google" for the security problems in Android...


Android is most vulnerable to cyber attacks.

So... Google should get their shit together and shut the fuck up...

Or...

Should they??

I don't think so...

Android is a completely open source OS.

That means... anyone can use the source code according to their will, and modify it however they want... So why haven't manufacturers done that??

They can modify the code and remove the so-called "loopholes" and "security issues".

They have the right to do that, they have the manpower, resources and pretty much all the stuff that they need to remove them...

So why didn't they remove it?? :blink:

So I don't really blame "Google" for the security problems in Android...

 

While the OEMs can issue their own updates that's passing the buck, the exact same thing Google is doing. Sony, Samsung, HTC, etc didn't create the issue, it shouldn't be their fault if it isn't fixed. They deserve some blame for not trying as well but the majority of the fault still falls in the company that created the OS and should be responsible for fixing it. Plus what about Nexus, Google Play Edition, or other stock Android devices? Those devices are all Google's responsibility.


While the OEMs can issue their own updates that's passing the buck, the exact same thing Google is doing. Sony, Samsung, HTC, etc didn't create the issue, it shouldn't be their fault if it isn't fixed. They deserve some blame for not trying as well but the majority of the fault still falls in the company that created the OS and should be responsible for fixing it. Plus what about Nexus, Google Play Edition, or other stock Android devices? Those devices are all Google's responsibility.

You have a point...

I just wanted to say that Google isn't the one that should take "ALL" the blame...


Interesting. I know that Google and Microsoft are offering bounties for anyone that can find security bugs in their own software. Google offers up to $15000 for severe threats found.


In fact... the very "open source" nature of Google's Android is to be blamed.

If Android wasn't open source, maybe Google would have fixed the security issues in Android.

But... maybe the security issues that were created in Android were actually meant for other people to modify the OS and improve it.

Android would not have been so "advanced" if it weren't for the open source nature.

It would have taken years and years to actually compete with iOS.

But, due to its open source nature, Android is dominating over all other OSes.

If Google were to fix the issues, maybe that would take away certain ways in which the manufacturers could modify the OS to their needs.

So I think the reason that Google didn't fix certain loopholes is that it could have retarded the growth of the OS.

Google is a big company. Surely they can get rid of some security issues...

This is the only explanation I can come up with for them not fixing them.


In fact... the very "open source" nature of Google's Android is to be blamed.

If Android wasn't open source, maybe Google would have fixed the security issues in Android.

But... maybe the security issues that were created in Android were actually meant for other people to modify the OS and improve it.

Android would not have been so "advanced" if it weren't for the open source nature.

It would have taken years and years to actually compete with iOS.

But, due to its open source nature, Android is dominating over all other OSes.

If Google were to fix the issues, maybe that would take away certain ways in which the manufacturers could modify the OS to their needs.

So I think the reason that Google didn't fix certain loopholes is that it could have retarded the growth of the OS.

Google is a big company. Surely they can get rid of some security issues...

This is the only explanation I can come up with for them not fixing them.

 

If it was small software, or not well programmed large software, I would agree with you.

But an operating system is all done in components. The majority of what is changed by the manufacturer is the GUI level of Android, not the back end. Security issues generally are at the back end. Google can easily issue an update that will update the component.


Yeah like Google's code is perfect. They are just trying to make sure they seem like the white knights, while the others are just not giving a damn about bugs in their software. It's not like I am against it if it means more stable software, nor that I wouldn't do it if I were Google, let's just not misinterpret things here.


I like this. I hope that they fix these issues quick. Now I want someone to find flaws with Android so Google can fix them. Good move but also dick move to the consumers, who Google relies upon.


While the OEMs can issue their own updates that's passing the buck, the exact same thing Google is doing. Sony, Samsung, HTC, etc didn't create the issue, it shouldn't be their fault if it isn't fixed. They deserve some blame for not trying as well but the majority of the fault still falls in the company that created the OS and should be responsible for fixing it. Plus what about Nexus, Google Play Edition, or other stock Android devices? Those devices are all Google's responsibility.

Yes, Android is Open Source...

 

well...

 

kinda sorta.

 

Sure, any manufacturer (Or person, for that matter) could use AOSP to get the source code, and simply change whatever the hell they want. However, then they would lose access to Google Apps. AOSP forks don't get access to Google Apps, which is why you don't see them on Amazon Kindle Fire tablets, etc.

 

Most manufacturers simply install their own skin, which any user is technically able to do, if they had the skill.

 

But would people be lining up to buy the new Samsung Galaxy S47 if it didn't have Gmail and Google Maps? Nope. Those are selling features.

 

Manufacturers generally don't waste resources on security fixes because it shouldn't be their problem. And if it became their problem, it would be a colossal waste of resources. Imagine, instead of Google doing one set of security fixes, you had 30 different phone manufacturers, all making their own security fixes. All that duplicated effort? And each would likely be a little different too.

 

Fragmentation has always been Android's worst feature, and this would just fragment Android even more.

 

The manufacturers should work with Google, to ensure that the security fixes that Google makes get pushed out, and to make sure Google knows about any flaws they discover, but you cannot let Google wash their hands of the matter and say "Not my problem", because that's hypocritical bullshit.


I WISH this would backfire and Apple/MS would have their own hacker teams threatening Google to patch security flaws, then it would be a total madness between software giants, the winners? WE will get better security/software. Also reading all that madness would go well with my popcorn :)


I WISH this would backfire and Apple/MS would have their own hacker teams threatening Google to patch security flaws, then it would be a total madness between software giants, the winners? WE will get better security/software. Also reading all that madness would go well with my popcorn :)

 

Well Google is asking everyone to try to find vulnerabilities in their software and rewarding them for doing so.

 

Google Vulnerability Reward Program

 

But right now, Android is not on the list.


lel google. 

 

If we aren't careful, they are going to end up being the single most powerful entity the world has ever experienced, and nothing - NOTHING not even atomic warfare will be able to stop them.

 

They will have the power to consume us all - we just have to hope their intentions are going to remain pure.


Well Google is asking everyone to try to find vulnerabilities in their software and rewarding them for doing so.

 

Google Vulnerability Reward Program

 

But right now, Android is not on the list.

 

 

That's not a marketing issue, it's purely security - Imagine if the world's most popular OS was suddenly open to attack through a public-awareness program intended to protect from such attacks?

 

They can't afford to take that risk. Google will spend the resources themselves to maintain privacy.


And when it is Google's turn. "Oh it's 2 years old Android... it's not OUR problem that it affected the majority of Android users by significant margins....it's manufacturers' fault! Yea That is right! manufacturers' fault. They should be fixing Android security bugs, not us, the creators and main developers... Look at us, we are poor, have no resources, we can't do this alone! Poo hoo..."

 

Fix your own issues Google first, then you can bully the rest.

 

It is not Google's fault that your Android device is not updated to the latest version. It is the manufacturer's fault.

 

That's why I am always using CM :)


lel google. 

 

If we aren't careful, they are going to end up being the single most powerful entity the world has ever experienced, and nothing - NOTHING not even atomic warfare will be able to stop them.

 

They will have the power to consume us all - we just have to hope their intentions are going to remain pure.

 

Remain pure? Google's intentions haven't been pure since they were purely a search engine.

 

It is not Google's fault that your Android device is not updated to the latest version. It is the manufacturer's fault.

 

That's why I am always using CM :)

 

It is Google's fault when they completely abandon millions of users to a major security fault on a version of the OS that is only a couple years old.


It is not Google's fault that your Android device is not updated to the latest version. It is the manufacturer's fault.

 

That's why I am always using CM :)

I don't have a smartphone, and never did have one.

 

And, no. Is it Dell's fault for fixing Windows security hole? Of course not. It is Microsoft. If Google poorly coded the OS that makes it impossible to update it in components like all major Linux distros (if not all of them, minus Android) or Unix or MacOS or Windows (basically all other OSs), then it is Google's fault regardless.

 

Heck, you even get updates by Linux powered Dell and Lenovo system from the distro, despite them modifying it.

 

So I say, yes it is Google's fault. And they don't want to spend money on it, maximizing profit. Simple as that.

If Windows Phone had a significant market share, watch how Google would release updates.
