Google's Project Zero reveals three new zero-day exploits in Apple's OS X


Comments

  • Reply 41 of 70
    nobodyy, Posts: 377, member
    Quote:
    Originally Posted by d4NjvRzf
    90 days is twice as long as the industry standard. CERT discloses after 45 days (https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm). The IETF recommends 30 days (https://tools.ietf.org/html/draft-christey-wysopal-vuln-disclosure-00).




    Ok? Those comparisons do not mean anything, really...

    Project Zero released exploits that are being actively discussed, worked on, or have a planned distribution date in the past, against the wishes of the company that is actively responding to the issue.

    Have you actually read those pages you linked to? They say things like:

    Quote:
    We think that 45 days can be a pretty tough deadline for a large organization to meet.

    Quote:
    Will all vulnerabilities be disclosed within 45 days?
    A: No. There may often be circumstances that will cause us to adjust our publication schedule.

    Quote:
    Will you surprise vendors with announcements of vulnerabilities?
    A: No. Prior to public disclosure, we'll make a good faith effort to inform vendors of our intentions.

    Those are all from CERT, and you can find the same information and disclosure practices in the IETF. They actually handle these situations properly instead of abiding by a system of rigid rules that exist to favor yourself.

    Having worked in this field, we all understand the whole "no security through obscurity" phrase. It is true, but overused and twisted in a way you can use it as a weapon against competitors. Being unethical in a way that positions yourself in favor of others (as others have said, they only point to vulnerabilities within other vendors' software, not Google's itself) is hard to look past, IMO.

    If these companies have been sitting on the issue, with no acknowledgement of a patch, or deadlines for patches have passed, it would be acceptable to use this kind of attention to move the ball, to force the company to move. But with these scenarios, especially the ones that have hit the media, that is not a consistent case.

    You need to gauge a lot of factors other than "is it done or is it not by X time", because the development world is not nearly so black and white.

  • Reply 42 of 70
    bigmac2, Posts: 639, member
    Quote:
    Originally Posted by d4NjvRzf
    While a local Mac Mini setup would certainly put you in more direct control, you'd have to work pretty hard to achieve the level of redundancy that you would get with a cloud solution.

    A good external RAID setup with a Time Machine backup on the side is enough redundancy for most small businesses, since cloud services still have the internet as a single point of failure to deny you access to your work. Sony's PlayStation and Microsoft's Xbox Live networks already demonstrated during last Christmas's holidays that no cloud service is shielded from a DoS attack.

  • Reply 43 of 70
    cpsro, Posts: 3,198, member
    Quote:
    Originally Posted by d4NjvRzf
    While a local Mac Mini setup would certainly put you in more direct control, you'd have to work pretty hard to achieve the level of redundancy that you would get with a cloud solution.

    Have you looked at BitTorrent Sync?

    http://getsync.com

  • Reply 44 of 70
    coolfactor, Posts: 2,243, member

    It's really unfortunate that they called this program "Project Zero". That's leading so many news outlets, including this one, to call these "zero-day vulnerabilities", but that goes against the very definition of what a zero-day vulnerability is. Some of these bugs may indeed be known to hackers, so they may be zero-day vulnerabilities, but if Google discovered them, reported them to Apple in confidence, and then granted 90 days before releasing the information to the public, then a zero-day that does not make; more like a 90-day.

  • Reply 45 of 70
    foggyhill, Posts: 4,767, member
    Quote:
    Originally Posted by MagMan1979
    Funny, I was going to use the same quote directed at your ignorant comments. I can get a level 3 Apple engineer (not a support rep) on the phone within 10 minutes if I'm having issues with one of my Apple products, and it almost always gets resolved to everyone's satisfaction. Google has NEVER resolved ANYTHING to anyone's satisfaction, not even close. This goes for the monkeys Microsoft has working for them as well. Apparently I work for a living; you just run your mouth spewing pro-Google propaganda.

    You're correct, I confused you for someone that wasn't a straight-up Google troll.

    I doubt you're EVER going to get a true Apple engineer (you know, those with four-year degrees, paid 125K minimum) on any support line, unless you bought more than 1000 machines and the Apple account rep called them up because you are an important client.

  • Reply 46 of 70
    Quote:
    Originally Posted by Nobodyy
    Ok? Those comparisons do not mean anything, really...

    Project Zero released exploits that are being actively discussed, worked on, or have a planned distribution date in the past, against the wishes of the company that is actively responding to the issue.

    Have you actually read those pages you linked to? They say things like:

    Those are all from CERT, and you can find the same information and disclosure practices in the IETF. They actually handle these situations properly instead of abiding by a system of rigid rules that exist to favor yourself.

    Having worked in this field, we all understand the whole "no security through obscurity" phrase. It is true, but overused and twisted in a way you can use it as a weapon against competitors. Being unethical in a way that positions yourself in favor of others (as others have said, they only point to vulnerabilities within other vendors' software, not Google's itself) is hard to look past, IMO.

    If these companies have been sitting on the issue, with no acknowledgement of a patch, or deadlines for patches have passed, it would be acceptable to use this kind of attention to move the ball, to force the company to move. But with these scenarios, especially the ones that have hit the media, that is not a consistent case.

    You need to gauge a lot of factors other than "is it done or is it not by X time", because the development world is not nearly so black and white.

    A deadline always poses challenges, especially when it's adhered to strictly, but it's hard to find fault with a deadline that's two or three times longer than the deadlines imposed by two major cybersecurity organizations. Even if those organizations were generous enough to grant an extra month of leeway, they'd still fall short of Google's deadline.

  • Reply 47 of 70
    Marvin, Posts: 15,326, moderator
    magman1979 wrote: »
    If Microsoft needed 3 more days of testing before release, I'd have given them those 3 days to ensure a patch that doesn't start BSoD'ing machines all around the planet.

    Google should be a bit more lenient with larger companies. Releasing details of these exploits does more harm than good because it shows malicious attackers where to look for vulnerabilities that they might not be aware of. If Apple acknowledged that they were working on a fix and gave their own ETA, that should be enough. I'm sure Google wouldn't like it if Apple published exploits for Android systems that won't be updated for another... wait do Android systems get updates?
  • Reply 48 of 70
    magman1979, Posts: 1,293, member
    Marvin wrote: »
    Google should be a bit more lenient with larger companies. Releasing details of these exploits does more harm than good because it shows malicious attackers where to look for vulnerabilities that they might not be aware of. If Apple acknowledged that they were working on a fix and gave their own ETA, that should be enough. I'm sure Google wouldn't like it if Apple published exploits for Android systems that won't be updated for another... wait do Android systems get updates?
    Androids barely get updates unless you're a Nexus device owner, and even then, the update lifecycle is 18 months from the date of first release of the device, and the speed of the update rollout is often still inhibited if your Nexus device was purchased via a carrier, and not directly from Google at full retail cost.

    Android still has so many outstanding security holes that if Apple were to use their clout and publish all those vulnerabilities to every media outlet, Eric and Larry would have a unison "shite hitting the fan" moment...
  • Reply 49 of 70
    plovell, Posts: 824, member
    Quote:
    Originally Posted by Elijahg
    That said, Apple should have fixed these by now if they really were properly notified 90 days ago.

    Maybe. But easier said than done. Some fixes have nasty dependencies that show up in testing. Others fix a problem but break other stuff.

    Ninety days is not an unreasonable target, but it is an unreasonable deadline. Google is being really stupid here. Before long someone is sure to file suit saying that they were hacked because of a Google-announced vulnerability that was previously unexploited.

  • Reply 50 of 70
    plovell, Posts: 824, member
    Quote:
    Originally Posted by foggyhill
    Quote:
    Originally Posted by MagMan1979
    Funny, I was going to use the same quote directed at your ignorant comments. I can get a level 3 Apple engineer (not a support rep) on the phone within 10 minutes if I'm having issues with one of my Apple products, and it almost always gets resolved to everyone's satisfaction. Google has NEVER resolved ANYTHING to anyone's satisfaction, not even close. This goes for the monkeys Microsoft has working for them as well. Apparently I work for a living; you just run your mouth spewing pro-Google propaganda.

    You're correct, I confused you for someone that wasn't a straight-up Google troll.

    I doubt you're EVER going to get a true Apple engineer (you know, those with four-year degrees, paid 125K minimum) on any support line, unless you bought more than 1000 machines and the Apple account rep called them up because you are an important client.

    You'll get a real one if your problem is live and interesting. But Mag suggests that he can do it to order. I agree - ain't gonna happen.

  • Reply 51 of 70
    plovell, Posts: 824, member
    Quote:
    Originally Posted by macinthe408
    "and found disfavor with Microsoft by announcing an exploit two days before the Redmond giant was due to issue a patch."

    Well, that could have been prevented had you released the patch the day before, now wouldn't it have, Microsoft?

    I guess you're new. Microsoft has a regular schedule for releasing patches, other than OMFG panic things. This was a Great Blessing for sysadmins the world over.

    Please Google "Patch Tuesday".

  • Reply 52 of 70
    Quote:
    Originally Posted by MagMan1979
    Android still has so many outstanding security holes that if Apple were to use their clout and publish all those vulnerabilities to every media outlet, Eric and Larry would have a unison "shite hitting the fan" moment...

    The consumers would win in the long run if Apple did that, since that would pressure Google to take a leaf from Apple's notebook and work out how to ship OS updates directly to users without OEM or telco interference.

  • Reply 53 of 70
    magman1979, Posts: 1,293, member
    plovell wrote: »
    You'll get a real one if your problem is live and interesting. But Mag suggests that he can do it to order. I agree - ain't gonna happen.
    You are correct, plovell, I don't always get an engineer on the phone, because often their lower-level support teams can get the job done.

    When I've had live and happening issues with iCloud or another service, I was very quickly handed over to engineers. I also quickly got engineers on the line with me during the iOS 8.0.1 and Yosemite issues, and worked with them directly to help troubleshoot the problems so that a fix could get developed.

    This is a level of service I could NEVER get with the likes of Google for their corporate / business offerings, and surprisingly it was just as bad (perhaps worse) with the Microsoft Exchange team supporting their corporate Office 365 systems; that was a disaster!
  • Reply 54 of 70
    foggyhill, Posts: 4,767, member
    Quote:
    Originally Posted by d4NjvRzf
    90 days is twice as long as the industry standard. CERT discloses after 45 days (https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm). The IETF recommends 30 days (https://tools.ietf.org/html/draft-christey-wysopal-vuln-disclosure-00).

    There is no such standard, not in the way you're talking about. CERT only discloses in 45 days if the vendor doesn't give a crap and the bug is severe. They have routinely extended way beyond that. If you prove to me that this is actually a standard for fixed, no-exception disclosure, we will talk.

    The goal of disclosure is IMPROVING SECURITY, not following some dogma like a drone no matter what the outcome is.

  • Reply 55 of 70
    Quote:
    Originally Posted by foggyhill
    There is no such standard, not in the way you're talking about. CERT only discloses in 45 days if the vendor doesn't give a crap and the bug is severe. They have routinely extended way beyond that. If you prove to me that this is actually a standard for fixed, no-exception disclosure, we will talk.

    The goal of disclosure is IMPROVING SECURITY, not following some dogma like a drone no matter what the outcome is.

    45 days is CERT's default policy, with deviations being the exception rather than the norm:

    "Vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure."

    High-risk vulnerabilities have been disclosed in fewer than 45 days. For instance, Shellshock was disclosed by CERT just ten days after it was reported to Red Hat.

  • Reply 56 of 70
    pfisher, Posts: 758, member

    Google needs to cut Apple some slack.

    Apple is still trying to figure out after 6 months why search is broken in iOS and trying to come up with non-hideous-looking icons for the Health and Voice Memos apps.

    Among other things...

  • Reply 57 of 70
    foggyhill, Posts: 4,767, member
    Quote:
    Originally Posted by d4NjvRzf
    45 days is CERT's default policy, with deviations being the exception rather than the norm:

    "Vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure."

    High-risk vulnerabilities have been disclosed in fewer than 45 days. For instance, Shellshock was disclosed by CERT just ten days after it was reported to Red Hat.

    They deviate all the time; I've dealt with them for more than a decade.

    BTW, you forgot to paste something... That's what CERT says about distributing the exploit (what Google did):

    We will not distribute exploits, if that's what "full disclosure" means. In our experience, the number of people who can benefit from the availability of exploits is small compared to the number of people who are harmed by people who use exploits maliciously. We will, however, disclose information about vulnerabilities that we might not have previously disclosed. Within the limits of our resources, we will publish information about as many vulnerabilities as we can.

    You also forgot this:

    Do you disclose every reported vulnerability?

    No. We may, at our discretion, decline to coordinate or publish a vulnerability report. This decision is generally based on the scope and severity of the vulnerability and our ability to add value to the coordination and disclosure process. Whether or not we coordinate or publish, we recommend that the reporter make a good faith effort to notify and work directly with the affected vendor prior to public disclosure.

    So, Google didn't care a hoot about security in this case, only scoring points.

    But Karma will bite them very soon considering how horrible the security of their platform is.

    Security is what's important, and the fact is what Google did decreased security for 99% of users and companies, because there's no way an end user or vendor could mitigate this risk inside a few days before the patches from Apple or MS came, even with the full exploit (which CERT, you know, the one you like so much, says they don't release).

  • Reply 58 of 70
    foggyhill, Posts: 4,767, member
    Quote:
    Originally Posted by pfisher
    Google needs to cut Apple some slack.

    Apple is still trying to figure out after 6 months why search is broken in iOS and trying to come up with non-hideous-looking icons for the Health and Voice Memos apps.

    Among other things...

    Right, compared to Google, which abandons people stuck on old Android versions after 18 months. Hey, they can always buy new phones; that's much better than an ugly icon...

  • Reply 59 of 70
    pfisher, Posts: 758, member
    Quote:
    Originally Posted by foggyhill
    Right, compared to Google, which abandons people stuck on old Android versions after 18 months. Hey, they can always buy new phones; that's much better than an ugly icon...

    True, but I don't use Google phones, so I don't care, myself.

    We can live with an ugly icon.

    Also, Apple used to have the best desktop wallpapers. MS smokes them in that department. The Apple ones - most of them - are really lame.

    Jobs likely personally chose the ones that looked great, and now that he's gone, they forgot to find a champion for that.

  • Reply 60 of 70
    Quote:
    Originally Posted by MagMan1979
    They do, this is just an attempt at deflection.

    While this division does serve a worthy purpose, lately they have been putting end users' safety in jeopardy by releasing technical details of these discovered exploits before letting the manufacturers patch them. Though it has been 90 days, they should've reached out to Apple (and Microsoft, for another instance like this over the last few days) and attempted to clarify if a patch was indeed in the works, perhaps adjusting the release of this information to after the patch release date.

    Their actions are unethical, but then again, this is Google we're talking about here...

    You do realize that Apple was notified about this back in September, right? There was absolutely nothing unethical about what Google did. Apple's the only one to blame for not having patched it up in 90 days.
