Project Zero successfully hurts security today!

Was reading about how Google spilled the beans a couple of days ahead of a fix as part of Project Zero. Also reading through some of the comments on various articles on the issue as well as on Twitter.

Bottom line is, Google uncovered a security flaw in Windows, notified Microsoft, and then, as per their indicated timelines released the exploit publicly.

Before I go further, in general, I agree with Project Zero. It is proactively attempting to make systems better by finding vulnerabilities (note: I am not saying bug, as many commenters incorrectly infer, imply or say, because there is a HUGE difference between a security exploit and a bug). They then notify the owners of the software (still good) and then effectively promise to tell everyone if they don't fix it. Even at this point, we are still in a generally good place, as it lights a fire under those responsible. And it has largely been a success.

The problem with this response however is that they are either sticking to an arbitrary timeline even when it negatively impacts exactly what it is supposed to address, or they are simply choosing to be massive pricks to Microsoft. Neither is acceptable.

I don't think I need to explain why jeopardizing the security of millions of PC users (many of whom also use Google services) just to spite a business enemy should be frowned upon. So, I'm going to give Google the benefit of the doubt and assume they weren't intentionally screwing over such a mass number of users and that they were instead sticking steadfastly to their completely arbitrary timeline.

Sticking to an arbitrary and static timeline is at least not vindictive. But adhering to it at all costs is incredibly stupid. Frankly, being this stupid is also a little hard to believe of a division within Google tasked with effectively out-smarting other developers for a living... but to be fair... that is the route I'm rolling with.

Why is it bad? Not everything fits into a nice, neat 90-day box of time, and publicly releasing an exploit for a flaw you know will be fixed shortly after that deadline goes outright against what they claim the team is there for. The 3rd paragraph is the interesting part, wherein they claim that you shouldn't be afraid of exactly the sort of exploits which they handed over on a silver platter to anyone interested.

I will say one thing against Microsoft on this. Many fault Google for sticking to an arbitrary timeline. Microsoft also insisted on releasing this on "Patch Tuesday" instead of delivering it out of band. In other words, they also had an arbitrary timeline that they stuck to. That doesn't mean there was any guarantee that, even if they had jumped the gun on it, it would have been resolved prior to Google releasing the information... but it is worth noting.

I wanted to add that to acknowledge that there is some blame on both sides, but I feel strongly against Google in this case. I get that having artificial deadlines for "going public" is a great way to motivate a response, but nothing beyond key details is required to do so. Disclosing key details of an exploit will certainly enable more people to reproduce it, but it still limits the availability to a VERY small subsection of even the development community. Disclosing source code to reproduce the exploit is hard to justify, especially based on an arbitrary timeline. That sort of disclosure enables virtually any hobbyist to get on board. Releasing executables is even worse.
