Hacker News

> Google has some responsibility when identifying flaws in consumer devices and software to be more clear about the actual impact, ramifications, and likelihood that your device was compromised

I don't think that's Google's job at all, especially for a competitor's product.

Their project is to identify security vulnerabilities and disclose them to the public, in the name of public interest. We always have to assume worst case for security vulnerabilities, it's kind of the whole job of being a security researcher to determine what could have happened. Their job isn't to make Apple's users feel better.

It's also not Google's fault that media known for being wildly off-base when reporting on technical news was predictably off-base again.




> I don't think that's Google's job at all, especially for a competitor's product.

To be credible, it would be especially true for a competitor's product. If you're even remotely insinuating that they can or should go softer on themselves than others, they're 100% not credible, and that would only make Apple's stance that much more legitimate. If they aren't at least as tough on themselves - and they should probably be tougher on themselves than others - it's just a marketing team.

But I do think they have that responsibility. Disclosing flaws and vulnerabilities for consumer use cases requires nuance and less "just the facts, ma'am" otherwise you're actually doing more harm than good.

The stories will be blown out of proportion, and the world will go numb to them. Because the little, low impact issues are constant background noise - when they get blown out of proportion and 0.000001% are affected, and 90%+ were patched 6 months ago, all this does is contribute to the noise, and doesn't improve the signal.


> To be credible, it would be especially true for a competitor's product.

At this point, I don't think it matters much to the typical consumer. Both camps have their fair share of zealots, and short of a press release stating something horrific, most people don't care to switch to the other side. iOS users claim superiority for their device features like iMessage, cameras, and UX, while Android users pretend like their device is for the technologically enlightened.

Credibility in a report like this is a non-issue for most users. It's not about responsible disclosure, facts, and the truth. It's about marketing.


> in the name of public interest.

It's funny how their public interest seems to stop at the line where Google looks good and their competitors look bad.

I would say that their public interest mission should include not inciting unnecessary mass panic by exaggerating claims or by using imprecise language that would allow the media to make exaggerated claims.

You know, like how they use much more toned down rhetoric when releasing info on Android bugs.


Absolutely. These articles erode trust in the competitors of Google. The fact that Apple was aware of the vulnerabilities and in the process of fixing them is lost on the public. They were apparently working on fixing these bugs for 10 days prior to Project Zero.

Maybe this sensationalism furthers the public interest by turning software security into a weird zero-sum game where every company is trying to break their competitors' products. But I can also see how cases like this create a negativity that prevents companies from collaborating to fundamentally improve security.


> But I can also see how cases like this create a negativity that prevents companies from collaborating to fundamentally improve security.

The security community works like this (public responsible disclosure), _because_ companies overwhelmingly proved that they couldn't be trusted to collaborate with security researchers.


> They were apparently working on fixing these bugs for 10 days prior to Project Zero.

That’s not what the Apple press release says. It says that it took them 10 days from when they learned about the bugs until they had “resolve[d] the issue” (fix implemented? released?).

Presumably Google contacted them sometime in between when Apple first learned about the bugs and when they finished fixing them.


> Maybe this sensationalism furthers the public interest by turning software security into a weird zero-sum game where every company is trying to break their competitors' products.

This isn't a maybe. Narrowing in on the statement of fact "where every company is trying to break their competitors' products": query Ben Hawkes of Project Zero for an exact quote, but this lines up about 100% with it.


Project Zero attacks Google's projects just as much as anyone else's, and they're even more aggressive in things like sticking to their disclosure timeline. They definitely don't pull punches or play favorites.


What mass panic? Did I miss the part where entire towns were burning their iPhones? Most people don’t know or care about security, and even if this was “sensationalized” do you honestly believe everyone didn’t just forget about it a week later? Is there anyone who actually believes this will have any effect on iPhone sales?


It seems you did miss all the press coverage of this event.

Here's one: https://www.vice.com/en_us/article/mbmgqp/this-is-worst-year...


No, I saw that -- maybe you missed every other flavor-of-the-week coverage for the past 10 years? Panic refers to users' reactions -- not what the news cycle generates for a given week. When information about Uber came out, at least #dumpuber trended or whatever, actual users wanting to change their behavior in response to events relating to a company. I didn't see that at all with this. This article is entirely about how members of the industry feel about Apple I guess? At least when the assertions aren't completely passive like "Apple’s perception as the secure consumer device is starting to crack." -- Apple's perception has cracked WITH WHOM??

The general population is completely burnt out about security stuff -- they hear about their bank getting hacked and releasing all their records like twice a year now. No one "panics" over that anymore either. This is no different, if they'll even be able to recall them being separate events a year from now.


Ironically Google behaves differently on their own products.

https://arstechnica.com/information-technology/2019/09/andro...

Waiting for the patch to come to my devices...


> Waiting for the patch to come to my devices...

And the 5 post write up on the PZ blog.

Security with mobile devices is definitely a don't throw stones in glass houses situation.


Why would PZ write up a post on what they didn't find?

And in the past they've definitely written posts on issues that only affect Android (as far as mobile goes), like their super deep dive into remote broadcom wireless exploits.

https://googleprojectzero.blogspot.com/2017/04/over-air-expl...


Probably not a great example, given that Broadcom bugs affect anyone using Broadcom, which, yep, includes iPhones:

> A partial list of devices which make use of this platform includes the Nexus 5, 6 and 6P, most Samsung flagship devices, and all iPhones since the iPhone 4.


That report was published by Trend Micro's Zero Day team, not Google's. Also, bear in mind that Project Zero and Android aren't the same team. And PZ does sometimes get the same response from Android as Trend Micro did. And it results in public disclosures just like this one.


Maybe. What about me actually getting those patches?


> I don't think that's Google's job at all, especially for a competitor's product.

I think that any level of care they would take in describing the impact of a flaw in their own product, ethically, the same level of care must be taken when describing the impact of security flaws in a competitor’s product.

Otherwise this goes from white-hat to grey-hat hacking, and it serves to undermine the stated goals and intentions of Project Zero.


> I don't think that's Google's job at all, especially for a competitor's product.

If they want security professionals to pay attention to them, it is.

I accept that maybe P0 just didn't carefully think through what they were saying; they've been straight shooters in the past. But they definitely gave both a misleading impression about the situation they described _and_ downplayed other risks.

If that keeps happening, I (for one) will end up treating them more like Oracle's security/marketing department. And that would be a serious loss, because P0 has been doing really good work.


> I don't think that's Google's job at all, especially for a competitor's product.

I don't think you quite understand why the Google Project Zero team exists in the first place. Their job is to make the world a more secure place. They seem to choose whatever they want to work on to maximize their impact on the world, ranging from Intel processors to iPhones to some first-party technologies like Chrome.


How do you know why Project Zero exists?


It says on their website:

> Project Zero's mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere.


Why they say they exist and why they actually exist are two different things entirely. There’s not a single corporation (except maybe B corps) that spends money like this without a competitive agenda. Off the top of my head, a couple of obvious reasons for PZ: to help with recruitment, to give the company some good press, to make their competitors look bad, or to fix their own Android exploits before anyone else knows.


> It's also not Google's fault that media known for being wildly off-base when reporting on technical news was predictably off-base again.

It is at least plausible that Google structured the posts and announcements to exploit that ignorant media coverage for their own competitive advantage.

So at least arguably their “fault” as they have ample experience with that media coverage process themselves.


> I don't think that's Google's job at all, especially for a competitor's product.

It's in their financial interest to do so. They don't want their users' Gmail data (or data from other Google services) to leak, even if it's not their fault.


Given the dire situation of security, this can't be a "let the market figure out the solution" situation. When it comes to whether Google's IoT devices work with Amazon's, I would personally love for them all to work together, but for profitability, maybe that's not in Google's best interests. That's fine.

But for security, they need to be working together. This is definitely a "rising tide lifts all boats" situation.


>> We always have to assume worst case for security vulnerabilities, it's kind of the whole job of being a security researcher to determine what could have happened.

Many people will be annoyed by this "assume the worst" drama.

For example, drinking too much water, if we assume the worst, can kill you.

Also, walking around can kill you, if we assume the worst.

Also, just being around can kill you, if we assume the worst, hey, you could die of a stroke.

So, how is this "assume the worst" statement useful?


> It's also not Google's fault that media known for being wildly off-base when reporting on technical news was predictably off-base again.

Er, yes it is? Or rather, to make a finer point, it was their responsibility—i.e., they knew the causal chain that would inevitably result from their action and chose to perform that action anyway.

If you knowingly give an alcoholic a drink, you’re responsible for them falling off the wagon.

If you leave your pet mouse out next to your pet cat and leave the room, you’re responsible when the mouse is eaten.

If you can clearly foresee something bad happening, and you have an alternative path that avoids that thing happening, and you choose to go down the path where the thing happens: your responsibility.

That’s not to say that nobody else is responsible. Responsibility is not exclusive. A war, for example, is the responsibility of two parties—either side can just give in to the demands of the other, to avoid it. Both parties, in their choice to not give in, are responsible for the war.



