More Project Zero thoughts.
In light of the public complaints from Microsoft, more news and notions have been crawling out of the woodwork. Two things of note are the effort Project Zero makes towards Google's own flaws, and Google's ability to patch its most widely used OS: Android.
The interesting part here is that, based on what I've read, one would almost have to think that Google created Project Zero entirely to point people away from Google. The first point is that Google doesn't seem to disclose anywhere near as much information about flaws in its own projects, and there is no evidence that they hold themselves to their 90-day policy. In light of that, it truly does make their attitude towards Microsoft seem purely spiteful.
The other point is that while they are aggressive in pointing out others' flaws and bullying them into fixing them, they actually have little or no ability (or, as per the above paragraph, inclination either) to fix Android. The problem with Android, of course, is that almost no phone ships with "stock" Android. Virtually all use OEM variants, and updates are blocked by carriers.
But that isn't the totality of the problem. Certain aspects of the system they flat out refuse to patch, even when the bulk of their user base uses affected versions. Google refuses to patch certain vulnerabilities in their WebKit-based browser in versions of Android older than 4.3 (I believe that was the correct version), and something like 60+% of Android users are in that boat based on Google's own numbers.
In all fairness, many of Google's latest shifts move towards a better system. This improvement isn't "free", however. It means two things: moving more critical components into the Play Store and out of AOSP, which means less and less of Android becomes open source every day, and tightening the restrictions that decide who gets to use the Play Store and Google Services, effectively making AOSP a less viable option. In other words, Google's path to security (and profitability) is to close down as much of Android as they can. But, as stated, the plus side is increased security. Patching an OS distributed the way Android is distributed is MUCH harder than posting an update to an app.
The conclusion here is that as more evidence emerges on how Project Zero and Google operate, it feels a lot less like an initiative to improve web security and a lot more like an initiative to fling mud at and bog down your competitors so that they can't keep pace.
That may sound like a biased opinion, but I don't think it is. Mobile devices overtook Windows for web access over the past year(s). The goal of Project Zero was to make the web safer by targeting the tools people commonly use to access the web, finding and exposing their flaws. Android has to be #1 or #2 on that list. But it isn't treated the same, and as a result there is little to no evidence that they even seek exploits in Google products at all. The end result looks like they have a paid staff to find problems elsewhere, to create work for and shame everyone else, despite the fact that their own platforms are quickly becoming the most pervasive in all web activity and thus need this sort of attention more than Apple or Microsoft.