
Google Threatens to Air Microsoft and Apple's Dirty Code

GeneralTheoryOfBadassery

blames corpo IT's for shitting on Microsoft about that. MS doesn't have any problem putting updates as soon as they are ready; they do it on a weekly basis to not screw up the schedules of the IT personnel that manage clusters of hundreds of PCs. Luckily they are fixing this with Windows 10 by putting enterprise licenses on a different branch than consumers. If you look at the update history of Windows 10 TP, Microsoft has been putting out small patches almost every day.

 

Yup. Jade is just showing how little he knows of why they picked earlier in the week, not later. Why they stick with Tuesday. They don't GIVE A SHIT about consumers. It's about corporate. They don't want IT wanting to murder everyone at Microsoft because they dumped a fix on a Friday and left them with no time to fix things before the weekend.

Some people don't understand how these things actually work, and that's disappointing in a place like that.


Finding security bugs is definitely a worthwhile pursuit. However, Google fails in several ways:

1. As others have mentioned, publishing info about the bugs when a security fix is imminent. This is only beneficial for hackers. The 90-day policy needs to be flexible. It needs to be decided on a case-by-case basis.

This.

2. The time-frame, 90-days, is ridiculously arbitrary. Why 90 days? Why not 80? 100? 120? 45? Picking some random "seemingly sounding good" number out of your ass, and then publishing security flaws because of it? Seems ridiculous if you think about it. Not all bugs/vulnerabilities are made equal. Some only take days to fix. Some weeks. Some months. Some WILL take longer than 90 days to properly fix. An OS is the most complex piece of software consumers use, after all.

At least it gives Apple/Microsoft motivation to put out the fix. 90 is arbitrary, but anything less is too short and anything over 4 months is too long (depending on the bug)

3. Google seems pretty biased in this. Apple and Microsoft are competitors. It's in Google's best interest to make them look bad.

4. How many "Google" bugs has Project Zero discovered? I don't see this information published anywhere. Does anyone here know?

This.

5. Android is a buggy piece of shit - especially for older versions. There are so many vulnerabilities in the older versions of Android, like KitKat and Jellybean. Google just washes their hands of it, because those vulnerabilities have been fixed in "Newer Versions", and it's the manufacturer's responsibility. - This would be like Microsoft finding a Windows 7 bug and saying "Hey guys, no worries! It's fixed in Windows 8!" We would be fucking furious at Microsoft for doing something like that. It's one thing to not patch really old (5+ year old) versions of Android, but Jellybean is only 3 years old, for example.

1) As someone who actually uses an "older" version of Android, Android is not buggy, and yes I have used iOS before. I'm typing this from an iPad. Oh, and iOS 8 crashes as much as Android 4.0 ICS.

2) 3 years in the mobile space is drastically different from 3 years in the desktop space. Heck, it's been 8 years since my dad last built a custom PC and while he was watching me build mine today he was shocked at how little it was different. 8 years ago was the year of the original iPhone, with a single-core processor, smartwatch-res 3.5" screen, 128MB of RAM and 4GB of storage for $500 on contract. That's horrible compared to my beast of a phone, the OPO with a 2.5GHz quad-core processor, TV-res 1080p 5.5" screen, 3GB of RAM and 64GB of storage for $350 off contract. The first iPhone had to use web apps, while modern phones have millions of native apps (unless you have WP). Windows Vista, 2007's relevant software, is still technically supported today.

I see the need for a system like this to exist, but I also see that Google is taking unfair advantage of it. A 3rd party - independent organization would be better suited to this. One that is perhaps funded by all major Software companies equally, but has no ties to any of them. Or funded by Government or UN perhaps?

This.

"We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology." ~Carl Sagan


OnePlus One, 64GB Black, Rooted, Oxygen OS 1.0.0
Moto 360, Silver Finish with 22mm Cognac Leather Band, Pascual watchface
iPad with Retina Display (3rd Generation), 16GB, Black, Wifi Only

CPU: Intel i5-4690K CPU Cooler: Stock Motherboard: Gigabyte GA-Z97N WIFI Mini ITX RAM: Kingston Savage 8GB 1866MHz SSD: Sandisk Ultra Plus 256GB HDD: WD Caviar Blue 1TB 7200RPM Case: Fractal Design Node 304, Black GPU: Intel HD Graphics 4600 PSU: Corsair RM450 OS:
Windows 7 Ultimate Windows 8.1 Pro for Students Monitor: Acer K242HL Bhid 1080p 24" Monitor Keyboard: Corsair Vengeance K70 Cherry MX Blue Mouse: Logitech T650

Remain pure? Google's intentions haven't been pure since they were purely a search engine.

 

Typical, blame the big, bad corporation.

 

It is Google's fault when they completely abandon millions of users to a major security fault on a version of the OS that is only a couple years old.

Again, blame the evil corporation for your poor phone buying skills. As for age, see above post.

I don't have a smartphone, and never did have one.

Then why are you complaining about Android? That'd be like me, an Android user, complaining about some Lumia phones not getting full Windows 10, or me as an American complaining about Tony Abbott.

 

And, no. Is it Dell's fault for fixing Windows security holes? Of course not. It is Microsoft's. If Google poorly coded the OS that makes it impossible to update it in components like all major Linux distros (if not, all of them, minus Android) or Unix or MacOS or Windows (basically all other OSs), then it is Google's fault regardless.

PC OEMs don't have anywhere near as much power over the OS as Android OEMs do, and there aren't any PC equivalents of carriers or ROM makers either.

A Windows update does this:

Microsoft releases update>consumers install>OEMs modify and sell on new machines

Android updates go like this:

Google releases update to AOSP, Nexus and GPe devices>OEMs get a hold of the update>OEMs add features, remove features, change the GUI, add/subtract apps based on collaboration with other developers etc.> unlocked devices from those OEMs get update>carriers get update, add their own crapware>locked devices get update.

 

So I say, yes it is Google's fault. And they don't want to spend money on it, maximizing profit. Simple as that.

You have no idea, as you don't own a smartphone, see above paragraph.

If Windows Phone had a significant market share, watch how Google would release updates.

It never will. As for Android updates, unless Google makes OEMs conform to standards, which decreases update time but also stifles innovation, minimizes device diversity and makes new Android phone releases the same as new iPhone releases (i.e. Boring and the same old stuff).

"We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology." ~Carl Sagan



 

Typical, blame the big, bad corporation.

 

Again, blame the evil corporation for your poor phone buying skills. As for age, see above post.

 

What the fuck are you talking about in that first sentence? Where was there any blame or anything of the like in my statement?

 

I have an HTC One M7 kiddo. Your post above doesn't apply to anything I said.


Actually, you'd be surprised by how much work goes into the back end to make Android work on devices. It's not just change the GUI and it's done! Even Microsoft struggled to make WP 8 work on a lot of phones. If you look into developing third party ROMs for Android devices you will see a huge clusterfuck of things. Drivers no longer work and have to be rewritten, certain parts of the phone are completely locked down and are essentially a black box (even to the handset manufacturers), brand new APIs that are specific for that combination of hardware have to be written (for example the camera app) and so on.

Samsung writes their own JS library for their browser for example (and that's per processor). That's why we see such huge performance differences when we compare Chrome to the stock browser on the Note 4 (Exynos model):

71553.png

It's sad to see so many good LTT users just talk out of their asses in this thread.

It's true that a hell of a lot of work is required to just get the damn thing working ...

It's very interesting to see that the Nvidia Shield tab and Nexus 9 are so far apart, even if they have almost the same specs and run on the same processor


Then why are you complaining about Android? That'd be like me, an Android user, complaining about some Lumia phones not getting full Windows 10, or me as an American complaining about Tony Abbott.

 

Are you serious?! I am going to ignore what you said. I don't think you thought your idea through before posting this sentence.


Why has Google turned into such a bully lately

"It seems we living the American dream, but the people highest up got the lowest self esteem. The prettiest people do the ugliest things, for the road to riches and diamond rings."- Kanye West, "All Falls Down"

 


For those saying that Project Zero is a good thing, I am going to throw out some food for thought:

Suppose there is a company that, for whatever reason, deals with sensitive medical information in the scope of mainstream electronics. Somewhere in the systems, there is a low-level exploit that would handily give out everybody's social insurance numbers to those that use such exploit. The fix and patching in this case would require full cooperation and co-compliance with the associated software/hardware companies involved. As the multi-patch package takes more than 90 days to be properly rolled out, they ask for an extension. That request is either ignored or declined, and the deadline has been reached.

If Project Zero publicizes the exploit, it would cause more harm than benefit, to the point of causing a wide-scale calamity.

Read the community standards; it's like a guide on how to not be a moron.

 

Gerdauf's Law: Each and every human being, without exception, is the direct carbon copy of the types of people that he/she bitterly opposes.

Remember, calling facts opinions does not ever make the facts opinions, no matter what nonsense you pull.


Games do it, you don't see people complaining about how BF4 doesn't run on their Pentium 3 with their GeForce 256.

Why is having minimum specs a problem? It makes supporting the OS much easier.

Doing so made Windows Phone 8 much better (ie: no disaster)

It wasn't because of performance reasons those devices didn't get updated. WP 8 simply did not work on any of the CPUs the WP 7 phones worked on (and vice versa).

I am not up to date with Windows Phone but has every single WP 8 device received every update Microsoft has released or have some still not received the 8.1 update for example? I am pretty sure the HTC 8X, which Linus did his iSwitch video series about, is still stuck on WP 8 and some carriers have confirmed that their customers simply won't get any update.

 

So it has taken HTC several months to get the Windows 8.1 update for the 8X out. As far as I know it is still not out in any country, so it's not just the carriers being dicks either.

Limiting the hardware *might* make the updating process go a bit smoother, but it is by no means buttery smooth. Not even on Windows Phone devices and the fairly limited selection of hardware that it will run on.

 

 

I'm doing what? You couldn't be more wrong. I'm a blunt person, I don't engage in that bullshit. I'm stating my thoughts and opinions on the matter and on Google itself in the context of security updates. Nothing more, nothing less. You don't have to like what I'm saying or where I'm saying it but kindly don't pretend you know why I'm saying something. Trust me, you won't have a bloody clue.

This thread is not about Google's security updates though. I am not sure what you mean by "I don't engage in that bullshit" but if you by "bullshit" mean logical fallacies then yes that is actually what you have been doing this entire thread.

Google's cockups with their own security updates do not make anything related to Project Zero (which this thread is about) any less valid.

 

 

 

For those saying that Project Zero is a good thing, I am going to throw out some food for thought:

Suppose there is a company that, for whatever reason, deals with sensitive medical information in the scope of mainstream electronics. Somewhere in the systems, there is a low-level exploit that would handily give out everybody's social insurance numbers to those that use such exploit. The fix and patching in this case would require full cooperation and co-compliance with the associated software/hardware companies involved. As the multi-patch package takes more than 90 days to be properly rolled out, they ask for an extension. That request is either ignored or declined, and the deadline has been reached.

If Project Zero publicizes the exploit, it would cause more harm than benefit, to the point of causing a wide-scale calamity.

That's a worst case scenario. Also, if something that big were to be discovered then I am pretty sure Google would give them an extension. The security issues found in Microsoft haven't been *that* big so far. As for Apple, they have never really taken security updates seriously so they need to get lots of pressure. They are constantly behind Microsoft, Google, Mozilla and others when it comes to patching known vulnerabilities that affect all companies (such as compromised SSL certs). It's not a coincidence that Apple is the one that misses the most deadlines for Project Zero either.

 

Companies need strict deadlines or else they will get lazy.


IMO it's a good thing Google does. First security issues are found before it is even public. They put pressure on the company to fix this. So the security should get much better if this will continue. 

 

I'm happy that MS tries to fix the issues. Even if they blame Google for that Google still forces them to fix it even faster. Win win situation for the consumer isn't it? Except the issues aren't getting fixed.

Apple seems very lazy and I think they're gonna get serious issues later if the bugs are known.

 

I'm glad to see Google doing that. This is the only way we can be sure that security issues get found and fixed before a cyberattack comes. I'm sure MS will be ready to fix issues even faster than they already did.
 

9 of 10 voices in my mind say I'm crazy. The tenth hums the melody of Tetris.

 


Dick move, Google.

If you have the patch in your hands, you should delay until it is launched. If it isn't launched the day it's supposed to, then release it.

Dick move

 

I agree, that incoming patch should count as the security issue being "solved". 


Good, maybe they'll fix it

CPU: I7 3770k @4.8 ghz | GPU: GTX 1080 FE SLI | RAM: 16gb (2x8gb) gskill sniper 1866mhz | Mobo: Asus P8Z77-V LK | PSU: Rosewill Hive 1000W | Case: Corsair 750D | Cooler:Corsair H110| Boot: 2X Kingston v300 120GB RAID 0 | Storage: 1 WD 1tb green | 2 3TB seagate Barracuda|

 


I wouldn't call what they're doing really threatening.

Computing enthusiast. 
I use to be able to input a cheat code now I've got to input a credit card - Total Biscuit
 


 

5. Android is a buggy piece of shit - especially for older versions. There are so many vulnerabilities in the older versions of Android, like KitKat and Jellybean. Google just washes their hands of it, because those vulnerabilities have been fixed in "Newer Versions", and it's the manufacturer's responsibility. - This would be like Microsoft finding a Windows 7 bug and saying "Hey guys, no worries! It's fixed in Windows 8!" We would be fucking furious at Microsoft for doing something like that. It's one thing to not patch really old (5+ year old) versions of Android, but Jellybean is only 3 years old, for example.

 

I see the need for a system like this to exist, but I also see that Google is taking unfair advantage of it. A 3rd party - independent organization would be better suited to this. One that is perhaps funded by all major Software companies equally, but has no ties to any of them. Or funded by Government or UN perhaps?

Considering that Microsoft still supported Windows XP when 8.1 has been out, I don't see the issue with Google supporting the previous version of Android as well as the current one.

 

 

For those saying that Project Zero is a good thing, I am going to throw out some food for thought:

Suppose there is a company that, for whatever reason, deals with sensitive medical information in the scope of mainstream electronics. Somewhere in the systems, there is a low-level exploit that would handily give out everybody's social insurance numbers to those that use such exploit. The fix and patching in this case would require full cooperation and co-compliance with the associated software/hardware companies involved. As the multi-patch package takes more than 90 days to be properly rolled out, they ask for an extension. That request is either ignored or declined, and the deadline has been reached.

If Project Zero publicizes the exploit, it would cause more harm than benefit, to the point of causing a wide-scale calamity.

 

Even though that would be a worst case scenario, it is still a good point nonetheless.
