“Google Inc. has given fellow tech companies an ultimatum: patch your software vulnerabilities within 90 days or we’ll make them public,” Chris Strohm and Jordan Robertson report for Bloomberg. “An elite team of Google hackers and programmers scrub their own and competitors’ software for security flaws, giving companies a deadline to issue a fix. Google says it wants software makers to move fast because cybercriminals act with lightning speed when they spot bugs.”
“It’s a sensitive topic — rivals Microsoft Corp. and Apple Inc. declined to talk about the tactic — though others in the industry say the help isn’t always welcome, usurps a role best left to government and can jeopardize security,” Strohm and Robertson report. “‘I’m not sure who made Google the official referee of the marketplace for vulnerability notification,’ said John Dickson, a principal with software security company Denim Group Ltd. in San Antonio. He said pressuring companies to fix flaws is a good idea, but ‘what noble motives they had in mind could be called into question given the fact that they essentially outed vulnerabilities for two of their biggest rivals.'”
“Apple declined to comment while Microsoft would only refer to a previous statement in which it said Google’s tactics felt like a game of ‘gotcha,’ illustrating [the divisiveness of the issue],” Strohm and Robertson report. “In January, Apple pleaded with Google to wait about a week before going public so it could fix three flaws in the Mac OS X operating system, according to a person familiar with the request who wasn’t authorized to speak publicly. Google knew the fix was coming and had possession of the updated software because it serves as a developer for Apple, the person said. Regardless, Google refused and released details of the flaws.”
Read more in the full article here.
MacDailyNews Take: People who wear Google Glasses shouldn’t throw stones.
Pot Kettle Black
MDN: love your “MDN Take”!
😀
Hey, how about “Google, do no evil.”
Some things may take longer than 90 days for all sorts of good reasons, like the other 100 bugs currently being fixed!
Meanwhile, just last month Google publicly refused to fix a security bug that affects over 60% of the fragmented Android base, since they’re on versions of Android v4.3 and older… i.e. anything that came out before just 1.5 years ago, and many cheaper devices that came out since.
http://arstechnica.com/security/2015/01/google-wont-fix-bug-hitting-60-percent-of-android-phones/
Glassholes!!!
Instant Karma gonna get yooos…
Google is the corporate entity most closely resembling, operating & suffering from Asberger’s Syndrome.
Aspergers “face-blindness” would suggest a strong motivation to create facial recognition technology.
Peter, Aspergers syndrome is not to blame, not more than stupidity or blindness. Not more than we can accuse diabetes patients as naming them as diabetics who commit some crime or act stupid or something. We don’t need any diagnosis for that. They are instead just stupid…. or work at Google. Aspergers or not. Aspergers can and are actually one of our finest, like Abraham Lincoln, Steven Spielberg and most likely Steven Jobs and also many of the worlds best writers, painters, artists, politicians, doctors etc etc. Some of the traits as Aspergers symptoms have we have most of us, though without having any diagnosis.
But if you mean jealousy, revenge, obsessive compulsive disorder, insensitivity, lack of empathy, narcissism, lack of empathy or just pure evil, then we are talking Google ;-).. and you don’t have to Google it!
But, most likely thera are many Aspergers that work at Google as in Silicon Valley. One of my friends once said that all we needed to to do is to put a roof over Silicon Valley and then we had an institution for Aspergers, with a roof on it! hmmm something to think about, doesn’t it or not?
I wasn’t making fun of those with Asberger’s (though what I hear from a good friend of mine who son has it is they don’t use the term anymore) but just the “clumsy and socially awkward” aspects of Google.
I also have a granddaughter (my wife and I adopted) who has learning disabilities and was born with a very slight Cerebral Palsy so I’m sensitive to these issues. Google’s quirky corporate style suggests certain mental maladies.
Steven Spielberg does NOT have Asperger’s. This rumor has been floating around the web for years. Please fact check before posting.
Come out with a better search engine, a better adsense.
Even taking away 5 to 10% of google’s business will be painful for those SOBs.
Apple has the option after the contract runs out, to put another default search engine up on Safari as it ships to customers.
My guess is this Google tactic seals their fate.
Google needs to die.
Pinnacle of Evil. FU MOLE.
Every time I think Microsoft is the king of douchebaggery, Google does something like this. Hopefully, the online community makes Google’s vulnerabilities known as quickly as they threaten others.
yep it is a douche-bag move, but what can one expect from them other than this sort of unwarranted self serving hypocrisy.
on the other hand it does seem to me that mr. apple has both the resources (talent and money) and one would think the motivation – and most certainly the obligation – to be putting out nothing less than bullet proof software.
there is no denying they have been kinda sloppy lately.
so please remember tim and all, this is not just a matter of our security and your reputation – it is also, fundamentally, you f’ing JOB
Wait-there’s such a thing as “bulletproof software”?
Especially where there are millions of lines of code?
Well, if Google wants bug-free code they can reduce the number of lines of code in Android to zero.
Who died and left Google in charge???
The whole world is suing Google for their bad ethics and flagrant invasion of privacy practices and they feel they have the gall to take upon themselves the moral authority ???
Google will fast lose everyone’s faith and any favor
It’s called redirection.
How about misdirection?
I think you mean “no direction”
In Google’s case, it’s One Direction
One may question the motive and the means but if it gets fixes out much faster I value that as the end user. There is no reason why such companies with such vast resources can’t do it!
“There is no reason why such companies with such vast resources can’t do it!” ?
There’s reality, for one.
You can’t throw money at a dearth of resources—there’s only so many talented programmers out there.
Software engineers created the flaws. Software engineers will be employed to fix the flaws.
See the flaw?
Don’t do evil? How about releasing security vulnerabilities to criminal hackers? When your phone operating system is the least secure in the industry! I don’t even have to wonder if the 90 day patch window applies to their own software, because it doesn’t. Maybe they should spend a little more time securing their own software and services, and a little less time worrying about their competitors.
Google: Research Arm of Cyber Terrorists
Android – the ‘Swiss Cheese of Security’
Interesting dichotomy: Apple and Microsoft (?) take security seriously and FIX holes – but maybe not within 90 days (Apple 97 days; Microsoft maybe 10-15 years for some flaws). Android is full of security holes that are actively being exploited and Google does nothing to fix problems in the established user base and may or may not address the problems in the NEXT version of Android.
What utter, blazing hypocrisy.
and “and may or may not address the problems in the NEXT version of Android”
Which, of course, will never reach the vast majority of Androcrap Swiss Cheese users.
But the difference is, Google could care less about Android security issues.
In fact, I doubt that they really care about security issues in Microsoft and Apple products. I see this as an effort to tear down their competition and redirect any concerns about Android security. They haven’t got a product worth using, so they start calling their competitors nasty names. Propaganda, by another name. No matter how you couch it, in noble, flowery language, it’s evil.
“…could NOT care less….”
Every major player contributed to security and privacy gaps.
Microsoft because they are inept and maybe because of backdoors.
Google because of a-hole at the top.
Apple because they sat on their hands when they had the bugs, tho they there are not like Google, usually.
Government backdoors and lack of secure standards.
Router companies.
ISP and other domain aspects.
—————————
Google LIVES because their business model is to sell out the consumer.
Do Know Evil
In principal what they’re going is ok, trying to get things fixed faster is hardly a bad thing, but the problem is, what’s to stop them from identifying a problem in their own software, starting work on fixing it, then announcing it when they’re ready to patch it to make themselves look good? Also, Android’s solution is that if they do fix things, it tends to only be on the newest version which isn’t used by anybody and which people couldn’t install even if they wanted to. Is a fix that can’t be utilised still a fix?
Funny, since Google data mines the shit out of every app, device and service they sell or provide and use it to sell to third parties. Kinda sounds like Google stuff comes pre-infected.
Dear Tim Cook,
Please fund an Android vulnerability unit and threaten to publicize the holes unless Google patches them within 90 minutes.
Thanks
Thanxal
I am of two minds about this. I like the idea of a forcing function that identifies OS and application vulnerabilities and drives companies to rapidly fix them. But I do not like the idea of Google being that industry conscience. Instead, I would prefer a consortium of industry players to fund research teams and incentivize independent software experts to report bugs. A requirement of participation would be to fix identified vulnerabilities within a specified timeframe.
“A requirement of participation would be to fix identified
vulnerabilities within a specified timeframe.”
Building/architecting software is NOT like building with Legos. With Legos, you have fixed, pre-determined block sizes and shapes, and they always snap together in a reliable way.
Writing code is a messy process, at times. Whether or not a software mod mysteriously introduces bugs into a formally working bit of code can be difficult to predict, ahead of time. And, the BEST beta testing period is NO guarantee that all of the bugs have been identified.
Sometimes, the existing code being modified is so complex and brittle (but works) that seemingly ANY code mods will break this formally working code — or certainly introduce cosmic weirdness that remains unidentified until after release and deployment to the customer base, where specific user cases (specific hardware, HW configs, network set-ups, interactions with network services, etc.,) suddenly align and highlight a code problem that could not be effectively predicted/seen prior to release.
And, then there are software architecture issues that become the source of the problem, such that some larger chunk of good working code must be ripped out and rewritten/architected to realize a different/necessary software feature upgrade — good metaphor would be when one modifies an existing building — some mods simply overwhelm the old building’s architecture’s ability to effectively support the desired structure upgrades without introducing safety/structural/support issues into other areas of the building that formally had no such issues — the solution would be to tear down some larger chunk of the formally perfectly good building, and rebuild from the foundation, up — to oft times include redesigning the foundation to properly support the desired building additions and mods.
And then, there are the bugs that randomly present themselves, originating in a buggy API, or compiler, or development environment, with complete unpredictably — fix the buggy API, and watch other formally working code suddenly stop working, because its ability to work relied upon the unidentified bug contained in the API (or compiler) — now, with the API or compiler bug fixed, it is no longer able to work correctly.
You get the idea.
Niffy
Special Note to Google: If my private information is “hacked” because of Google’s special mission to publicize weaknesses, I will go get a set of attorneys who have fangs that drag on the ground and we will feed on your money. For Years. For Billions. You won’t like it. We won’t stop.
In other words, by releasing details of the vulnerabilities, Google is enabling potential criminals to break the law? Doesn’t that make Google an accessory before the fact? So Google moves from unscrupulous to criminal, a disappointing progression for a company pledged to do no evil.
It seems to me that a company with software vulnerabilities (and over $100 billion in cash) that refuses to fix those problems in a timely manner is far more complicit.
It seems to me that there are far too many development ‘experts’ on the internet who haven’t read the Mythical Man-Month.
Then so, too, are the millions of consumers who click “Agree” on the end user license which warns them that all software has bugs. The bank balance really doesn’t impact responsibility.
Google security flaws: Android OS
Dependance on advertising revenue
Apps that invade privacy and collect personal information. 😀
This seems actionable. Shark lawyers take note.
Any company that ignores security leeks for any reason, looks bad.
Google is trying to take advantage of this. But the irony is, they are just as guilty as the rest.
Regardless, give me patch.
That’s really funny because Google has the worst mobile operating system when it comes to security with more than 90% malware. Maybe Google should think about cleaning up there own security issues before threatening others. Apple leads the way in security so Google should just SHUT UP!
Use the words “Google” & “assholes” interchangeably as they mean the same thing.
Oh Google, could you also make public the backdoors that organizations like the NSA use to commit their cyber crimes?
I know justice won’t prevails, and they won’t be prosecuted but citizens of the free and civilized world get such a laugh hearing your U.S. president rationalize it with a “We must look forward not backward” kind of statement. Thanks.
Any business affected by the flaws Google exposed — without giving Apple time to get the patched released — should sue Google for damages. I think they’d have a good shot at winning, or at least getting a settlement.
It’s basically corporate espionage, done in a public manner under the guise of public service.
“Do Know Evil,” indeed.
Glimmerblocker and do not use their shit products.
I heartily agree. Being as Google-Free as possible is a great goal. Personally, I still have trouble not using Google search as it still remains the best. I also haven’t found an easier place for my blogs than Blogger (BlogSpot), another of Google’s purchases.
Thank you Google for being kind enough to point out flaws. Hopefully Apple can make the necessary adjustments to protect my security/privacy. At least I know that the clock is ticking and that my trusted company is not sitting on its laurels while it try’s to sell me a watch (which I want incidentally). Rather than laying blame and cat calling, take it for what it is, a security threat that needs to get patched ASAP.