
Google Threatens to Air Microsoft and Apple's Dirty Code

GeneralTheoryOfBadassery

Let me explain the process of pushing updates to various Android devices.

When a new version of Android is ready, Google uploads the code to AOSP.

All the manufacturers download the code, make some changes to it (add their bloatware and laggy skins) and then push out the updates for the device.

So, for example, if HTC One (first edition) doesn't get Android 5.1, that's not really Google's fault.

HTC didn't want to push updates (or couldn't push updates) to that phone.

The responsibility of pushing an update to non-Nexus and non-Google Play edition devices is the manufacturer's!

For Google Play edition devices and Nexus devices, responsibility of pushing updates to these devices lies with Google.

Which they are already doing!

They have not abandoned these devices any way!

All Google Play edition devices and Nexus devices have already received Android 5.1!

Except the Galaxy Nexus...

I have a Nexus 4, which is a pretty old hag.

Google still pushes updates for my device even if it's 2 generations old!

So I think Google is doing their job perfectly and I don't think that Google is to be blamed in any way for the fragmentation problem.

How to make your droids snappier:

The ultimate laptop buying guide :
Link to comment

Personally I don't see how anyone can defend Microsoft or Apple taking their sweet ass time to fix a problem, Google has every right to tell consumers "hey, your shit is not secure"

 

It's not like the hackers don't already know.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment

Let me explain the process of pushing updates to various Android devices.

When a new version of Android is ready, Google uploads the code to AOSP.

All the manufacturers download the code, make some changes to it (add their bloatware and laggy skins) and then push out the updates for the device.

So, for example, if HTC One (first edition) doesn't get Android 5.1, that's not really Google's fault.

HTC didn't want to push updates (or couldn't push updates) to that phone.

The responsibility of pushing an update to non-Nexus and non-Google Play edition devices is the manufacturer's!

For Google Play edition devices and Nexus devices, responsibility of pushing updates to these devices lies with Google.

Which they are already doing!

They have not abandoned these devices any way!

All Google Play edition devices and Nexus devices have already received Android 5.1!

Except the Galaxy Nexus...

I have a Nexus 4, which is a pretty old hag.

Google still pushes updates for my device even if it's 2 generations old!

So I think Google is doing their job perfectly and I don't think that Google is to be blamed in any way for the fragmentation problem.

 

Strange how Windows and Linux based OSs such as Ubuntu, Mint, and the many other home PC OSs, and server OSs, and MacOS, can release patches without releasing a new OS version. Last I checked, when a new version of Windows is released, I have to go out and spend money to get it (ignoring the Windows 10 offer when it will come out for home users (and maybe small businesses)). Yet, Microsoft provides updates delivered via Windows Update for security fixes and even bug fixes. I don't need a Dell/HP/Acer, etc. approval process.

Like you said yourself, the manufacturer adds skins to Android. What does it have to do with the back end, which is where you have security issues to be fixed? If you use, say, WindowBlinds to customize the GUI of Windows, it doesn't block Windows Updates. You can get them, you can apply them just fine.

So Google CAN offer an updater in the Android platform and deliver updates. But that costs money (servers, and network, and extra people to make sure everything works). Yet they are not. Even if I buy an Android phone with stock Android. When Google delivers an update, my phone might not get it on day 1. I still have to wait for not only the manufacturer to approve it, but also my service provider, which BOTH want me to buy their new phones.

Link to comment

Let me explain the process of pushing updates to various Android devices.

When a new version of Android is ready, Google uploads the code to AOSP.

All the manufacturers download the code, make some changes to it (add their bloatware and laggy skins) and then push out the updates for the device.

So, for example, if HTC One (first edition) doesn't get Android 5.1, that's not really Google's fault.

HTC didn't want to push updates (or couldn't push updates) to that phone.

The responsibility of pushing an update to non-Nexus and non-Google Play edition devices is the manufacturer's!

For Google Play edition devices and Nexus devices, responsibility of pushing updates to these devices lies with Google.

Which they are already doing!

They have not abandoned these devices any way!

All Google Play edition devices and Nexus devices have already received Android 5.1!

Except the Galaxy Nexus...

I have a Nexus 4, which is a pretty old hag.

Google still pushes updates for my device even if it's 2 generations old!

So I think Google is doing their job perfectly and I don't think that Google is to be blamed in any way for the fragmentation problem.

 

So it's not their fault that they simply don't care at all about Android users who aren't on the current version? If Google cared as much about security as they claim to with Project Zero, they'd be working with at least the major manufacturers to get some kind of fix for the massive security holes in previous versions of the OS, even if it's just for devices using versions a couple years old. Instead of actually giving a damn, Google is passing the buck and ignoring the problem entirely while bitching about other companies and their update policies.

Link to comment

Personally I don't see how anyone can defend Microsoft or Apple taking their sweet ass time to fix a problem, Google has every right to tell consumers "hey, your shit is not secure"

 

It's not like the hackers don't already know.

 

They are not on their asses. Microsoft is among all companies the most active in not only fixing security bugs, but going after scammers (malware makers, virus makers/distributors, phishers, and even people calling claiming they are Microsoft). They have a whole division just for that.

Some security bugs take time to fix, and here is why:

 -> Microsoft needs to identify, replicate on their side, the problem. Poor documentation might make it take more time. What if Google provides all this info, but Microsoft can't replicate it? Then they need to look at what possible configuration of the OS this happens in. What if a security bug occurs if you have the option to show the shadow under cursor enabled only if it was previously disabled, due to a memory access bug, which opens this security bug that has been reported, but that detail wasn't reported?

 -> They need to make a plan of action on how to assess and resolve the problem.

 -> They need to make sure that no software is affected by this, new and old. This is a HUGE problem; already it's the end of the world for some people when their 10 year old game doesn't work on a new version of Windows. A game. What about age-old software that one or some companies use? How do you get around the situation smartly without making the OS a slow-ass mess over time?

THEN after all this... code the fix.

And now they can proceed to testing, which takes time. Already we saw some updates being released that cause system problems for people, and people go "What?!?! how come Microsoft is not testing their shit?!". What if they did and they rushed it, because it was the last day before Google or some other company releases the hack to the public?

The whole day limit makes no sense. It was not a problem before (i.e. without it), why is it now?

Do you recall 1 single week where we didn't get a security update? I sure don't. Even from the 25th and 1st Microsoft manages to release a security update. And usually, in fact I don't think it ever happened, where you had only 1 security update. We have several at the same time.

Link to comment

No, I'm pointing out that Google is no more free of fault than the companies they are pointing fingers at.

Yes, that's exactly what ad hominem is. You are pointing out a negative characteristic of Google in order to try to draw attention away from Apple/Microsoft and to make Google's point seem less valid.

 

If you want to shit on Google for not updating their stuff then go ahead and do so. I will probably cheer you on a lot. Don't do it in this thread though because it is not relevant here.

 

 

 

 

The entire concept of the program hasn't gone over my head, thank you very much. I don't need that kind of condescension this early in the morning from you. 

Sorry, but your comment about how they should just make it 0 days instead of 90 strongly indicated that you did not understand the point of the project. Maybe you were being facetious and I just didn't pick that up from your text.

 

Google can go around airing others' dirty laundry with rules THEY MADE UP. It is arbitrary. It isn't some industry standard that's upheld by an independent body. It's Google making up rules to make Apple, MS and anyone else look bad. Why hasn't Project Zero uncovered anything that Google has left unfixed? Why don't they soil their own pants instead of only soiling others?

Like I said before, you make it sound like they just threw a dart at a board and went "wow 90 days seems good!". The vast majority of security holes discovered by Project Zero get patched before the 90 day deadline. That leads me to believe that Google evaluated how long it takes for a wide variety of security issues to be fixed and then came up with 90 days as being a good compromise between giving companies enough time to patch it (if they take it seriously and allocate enough resources for it), and not letting big security issues be left in the wild, ready to be exploited.

 

You assume that Google didn't put any thought into it while I assume they did. Personally I think my explanation is far more logical than just "Google are idiots who just do things at random".

 

Project Zero is not even 1 year old. Maybe Google came up with the 90 day period because they have been able to patch their software in that period of time, and has since been able to do so consistently since the program started?

 

 

By the way, CERT has a 45 day deadline and here is their response as to why:

 

Q: Why not 30 days, or 15 days, or immediately?

A: We think that 45 days can be a pretty tough deadline for a large organization to meet. Making it shorter won't realistically help the problem. In the absence of evidence of exploitation, gratuitously announcing vulnerabilities may not be in the best interest of public safety.

They do allow for extended deadlines if they think the issue is very big and complex though (such as changing a core part of an OS).

 

The Zero Day Initiative (the ones who are responsible for Pwn2Own) give companies a 4 month deadline before going public.

 

 

My point is, the 90 day period does not seem like something they picked out of thin air.

 

 

 

Here is a link to Google's Online Security blog from 2010 which talks about their thoughts on vulnerability disclosures in Chrome and Firefox (remember, this was long before Project Zero):

 

Accordingly, we believe that responsible disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues. Some bugs are mischaracterized as "critical", but we look to established guidelines to help make these important distinctions, e.g. Chromium severity guidelines and Mozilla severity ratings.

 

 

My point is, Google has most likely thought this through far more than you have.

 

 

Google has made themselves the self-appointed schoolyard bully. If Google truly cares, they will collaborate with the industry heavyweights and set up an independent organization that does this job of scouring code and finding vulnerabilities and contacting the companies to get fixes implemented. Project Zero, IMHO, has already backfired on Google for their MS debacle, where MS very clearly had a fix ready to go yet Google elected to not respect that and tattled like they were a TMZ-grade tabloid.

I totally agreed that they should have given Microsoft a grace period. Since then they have implemented it, but when the bug was originally submitted it did not exist. They made a mistake and have since then corrected it.

Link to comment

They are not on their asses. Microsoft is among all companies the most active in not only fixing security bugs, but going after scammers (malware makers, virus makers/distributors, phishers, and even people calling claiming they are Microsoft). They have a whole division just for that.

Some security bugs take time to fix, and here is why:

 -> Microsoft needs to identify, replicate on their side, the problem. Poor documentation might make it take more time. What if Google provides all this info, but Microsoft can't replicate it? Then they need to look at what possible configuration of the OS this happens in. What if a security bug occurs if you have the option to show the shadow under cursor enabled only if it was previously disabled, due to a memory access bug, which opens this security bug that has been reported, but that detail wasn't reported?

 -> They need to make a plan of action on how to assess and resolve the problem.

 -> They need to make sure that no software is affected by this, new and old. This is a HUGE problem; already it's the end of the world for some people when their 10 year old game doesn't work on a new version of Windows. A game. What about age-old software that one or some companies use? How do you get around the situation smartly without making the OS a slow-ass mess over time?

THEN after all this... code the fix.

And now they can proceed to testing, which takes time. Already we saw some updates being released that cause system problems for people, and people go "What?!?! how come Microsoft is not testing their shit?!". What if they did and they rushed it, because it was the last day before Google or some other company releases the hack to the public?

The whole day limit makes no sense. It was not a problem before (i.e. without it), why is it now?

Do you recall 1 single week where we didn't get a security update? I sure don't. Even from the 25th and 1st Microsoft manages to release a security update. And usually, in fact I don't think it ever happened, where you had only 1 security update. We have several at the same time.

 

It's the height of "I don't know a thing about the industry" to say that ANY company actually sits on their ass on security fixes. I mean, just wow. It can take MONTHS to clamp down on a problem, fix it, ensure it doesn't break anything else and then push it out. And people are saying these guys sit on their asses?

Amazing. 

Link to comment

But an Operating System is all done in components. The majority of what is changed by the manufacturer is the GUI level of Android, not the back end. Security issues generally are at the back end. Google can easily issue an update that will update the component.

Actually, you'd be surprised by how much work goes into the back end to make Android work on devices. It's not just change the GUI and it's done! Even Microsoft struggled to make WP 8 work on a lot of phones. If you look into developing third party ROMs for Android devices you will see a huge clusterfuck of things. Drivers no longer work and have to be rewritten, certain parts of the phone are completely locked down and are essentially a black box (even to the handset manufacturers), brand new APIs that are specific for that combination of hardware have to be written (for example the camera app) and so on.

 

Samsung writes their own JS library for their browser for example (and that's per processor). That's why we see such huge performance differences when we compare Chrome to the stock browser on the Note 4 (Exynos model):


 

 

 

It's sad to see so many good LTT users just talk out of their asses in this thread.

Link to comment

Actually, you'd be surprised by how much work goes into the back end to make Android work on devices. It's not just change the GUI and it's done! Even Microsoft struggled to make WP 8 work on a lot of phones. If you look into developing third party ROMs for Android devices you will see a huge clusterfuck of things. Drivers no longer work and have to be rewritten, certain parts of the phone are completely locked down and are essentially a black box (even to the handset manufacturers), brand new APIs that are specific for that combination of hardware have to be written (for example the camera app) and so on.

 

Samsung writes their own JS library for their browser for example (and that's per processor). That's why we see such huge performance differences when we compare Chrome to the stock browser on the Note 4 (Exynos model):

 

 

 

 

It's sad to see so many good LTT users just talk out of their asses in this thread.

 

Make better CPUs then. If Google says "Look, our OS runs on any CPU but here are the minimum specs, and it needs to support floating point operations, and SSE 3.0 (example)". Then watch how all CPU manufacturers will make sure it meets that demand.

 

Or do like Windows Phones, limit to only a set of CPUs. Windows runs on x86 architecture CPUs.

Link to comment

Make better CPUs then. If Google says "Look, our OS runs on any CPU but here are the minimum specs, and it needs to support floating point operations, and SSE 3.0". Then watch how all CPU manufacturers will make sure it meets that demand.

 

Or do like Windows Phones, limit to only a set of CPUs. Windows runs on x86 architecture CPUs.

windows phones all run arm though, the smallest things that run x86 windows are some low end tablets, or do you mean that ms is limiting wp to a specific set of arm SoCs?

this is one of the greatest things that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i used to have the second best link in the world here, but it died ;_; it's a 404 now but it will always be here

 

Link to comment

windows phones all run arm though, the smallest things that run x86 windows are some low end tablets, or do you mean that ms is limiting wp to a specific set of arm SoCs?

specific set of arm soc's.

Link to comment

Too lazy to read the entire thread, but Google is doing the right thing for the consumer. If a company cannot feasibly come up with a patch for security flaws in 3 months, despite having massive teams of security experts and developers, then they shouldn't be developing said OS in the first place. Even open source, non-paid software can be patched in the span of 3 months.

Link to comment

Make better CPUs then. If Google says "Look, our OS runs on any CPU but here are the minimum specs, and it needs to support floating point operations, and SSE 3.0". Then watch how all CPU manufacturers will make sure it meets that demand.

 

Or do like Windows Phones, limit to only a set of CPUs. Windows runs on x86 architecture CPUs.

Why put artificial limitations on hardware manufacturers? Speaking of Windows, Windows Phone 7 updates were a disaster so clearly Microsoft are having issues with getting updates out on ARM devices as well.

I have no idea why (haven't been able to find any answer either) but it seems like getting an OS to run well on ARM devices is just a huge pain in the ass, and every major update is a challenge.

Very similar components won't work with the same software. Most ARM processors use the same instruction set (ARMv7) but they still can't run the same software.

Link to comment

Too lazy to read the entire thread, but Google is doing the right thing for the consumer. If a company cannot feasibly come up with a patch for security flaws in 3 months, despite having massive teams of security experts and developers, then they shouldn't be developing said OS in the first place. Even open source, non-paid software can be patched in the span of 3 months.

 

Thank you for highlighting that you in fact have NO IDEA how things actually work. At all. I'll give an example. 

DJI released new firmware for one of my drones about a week ago. It started causing issues so bad they pulled it. It's been since...February 5th (?) since they yanked the firmware and they haven't said when the issues will be fixed. So if it takes them that long (without a fix still) on simple firmware for a flight controller on a drone, what do you think is involved in fixing up an OS that has an exponential increase in lines of code and far more interconnected areas that could break if you fix the issue in the wrong way?

Just wow. I would expect a hell of a lot more understanding in what it takes for software patches. 

Link to comment

Why put artificial limitations on hardware manufacturers? Speaking of Windows, Windows Phone 7 updates were a disaster so clearly Microsoft are having issues with getting updates out on ARM devices as well.

I have no idea why (haven't been able to find any answer either) but it seems like getting an OS to run well on ARM devices is just a huge pain in the ass, and every major update is a challenge.

Very similar components won't work with the same software. Most ARM processors use the same instruction set (ARMv7) but they still can't run the same software.

 

Games do it, you don't see people complaining about how BF4 doesn't run on their Pentium 3 with their GeForce 256.

Why is having minimum specs a problem? It makes supporting the OS much easier.

Doing so made Windows Phone 8 much better (ie: no disaster)

Link to comment

Yes, that's exactly what ad hominem is. You are pointing out a negative characteristic of Google in order to try to draw attention away from Apple/Microsoft and to make Google's point seem less valid.

 

If you want to shit on Google for not updating their stuff then go ahead and do so. I will probably cheer you on a lot. Don't do it in this thread though because it is not relevant here.

 

I'm doing what? You couldn't be more wrong. I'm a blunt person, I don't engage in that bullshit. I'm stating my thoughts and opinions on the matter and on Google itself in the context of security updates. Nothing more, nothing less. You don't have to like what I'm saying or where I'm saying it but kindly don't pretend you know why I'm saying something. Trust me, you won't have a bloody clue.

Link to comment

Why put artificial limitations on hardware manufacturers? Speaking of Windows, Windows Phone 7 updates were a disaster so clearly Microsoft are having issues with getting updates out on ARM devices as well.

I have no idea why (haven't been able to find any answer either) but it seems like getting an OS to run well on ARM devices is just a huge pain in the ass, and every major update is a challenge.

Very similar components won't work with the same software. Most ARM processors use the same instruction set (ARMv7) but they still can't run the same software.

tldr for the windows phone 7 thing, that was because they switched to the nt kernel for 8, 7 used the old non-nt kernel

this is one of the greatest things that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i used to have the second best link in the world here, but it died ;_; it's a 404 now but it will always be here

 

Link to comment

Why put artificial limitations on hardware manufacturers? Speaking of Windows, Windows Phone 7 updates were a disaster so clearly Microsoft are having issues with getting updates out on ARM devices as well.

I have no idea why (haven't been able to find any answer either) but it seems like getting an OS to run well on ARM devices is just a huge pain in the ass, and every major update is a challenge.

Very similar components won't work with the same software. Most ARM processors use the same instruction set (ARMv7) but they still can't run the same software.

 

Oh god, WinPho 7. I think I still have my Samsung Rogue phone around here somewhere. Still not sure how I managed to avoid chucking the thing out of a window the day I got a new phone.

Link to comment

Thank you for highlighting that you in fact have NO IDEA how things actually work. At all. I'll give an example. 

DJI released new firmware for one of my drones about a week ago. It started causing issues so bad they pulled it. It's been since...February 5th (?) since they yanked the firmware and they haven't said when the issues will be fixed. So if it takes them that long (without a fix still) on simple firmware for a flight controller on a drone, what do you think is involved in fixing up an OS that has an exponential increase in lines of code and far more interconnected areas that could break if you fix the issue in the wrong way?

Just wow. I would expect a hell of a lot more understanding in what it takes for software patches. 

Security and drone firmware are vastly different fields. 3 months is plenty of time for a company such as Microsoft. If it's not, then they should be revising their strategy with security patches. If it's something not patchable within three months, there's a pretty fair chance that if you can provide a valid argument to Google about why you can't, they can delay the public release.

Link to comment

Security and drone firmware are vastly different fields. 3 months is plenty of time for a company such as Microsoft. If it's not, then they should be revising their strategy with security patches. If it's something not patchable within three months, there's a pretty fair chance that if you can provide a valid argument to Google about why you can't, they can delay the public release.

True. But what if Microsoft has better, more critical security fixes to do? Sure, hire more security experts. Easier said than done.

 

[edit]Ouu must be my lucky post[/edit]

Link to comment

True. But what if Microsoft has better, more critical security fixes to do? Sure, hire more security experts. Easier said than done.

 

[edit]Ouu must be my lucky post[/edit]

Then they notify Google of needing a time extension. See my previous post; provide Google with a reasonable and valid reason for an extension and they'd probably extend it.

Link to comment

Then they notify Google of needing a time extension. See my previous post; provide Google with a reasonable and valid reason for an extension and they'd probably extend it.

Apparently, based on experience, Google is ignoring this despite what they claim.

Link to comment

Apparently, based on experience, Google is ignoring this despite what they claim.

Probably because there's not been a valid reason to delay. "Oh, we only release on Tuesdays!" isn't a very valid reason. The other 6 days of the week, the consumer is vulnerable.

Link to comment

Probably because there's not been a valid reason to delay. "Oh, we only release on Tuesdays!" isn't a very valid reason. The other 6 days of the week, the consumer is vulnerable.

You are right, Microsoft should spend 3 months preparing a document on the inner workings of Microsoft and proof of code for Google as validation of why they need an extension... What?

 

You have a certain level of trust you need in the industry. Google is bullying, nothing more.

They bully Mozilla in an attempt to crush Firefox.

They bully Windows Phone by blocking YouTube app access.

They bully YouTube content creators with unfair copyright strikes despite being abused.

Link to comment

Probably because there's not been a valid reason to delay. "Oh, we only release on Tuesdays!" isn't a very valid reason. The other 6 days of the week, the consumer is vulnerable.

blames corpo IT's for shitting on microsoft about that, ms doesn't have any problem putting updates out as soon as they are ready, they do it on a weekly basis to not screw up the schedules of the IT personnel that manage clusters of hundreds of pcs, luckily they are fixing this with windows 10 by putting enterprise licenses on a different branch than consumers, if you look at the update history of windows 10 TP microsoft has been putting out small patches almost every day

this is one of the greatest things that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i used to have the second best link in the world here, but it died ;_; it's a 404 now but it will always be here

 

Link to comment