I suspect it's large companies, given the names provided.
Really, I don't get peoples hatred for Project Zero. Sure, hate the companies, but can you seriously argue that companies spending money on security research is a bad thing? Even if gasp they might get some good publicity from that research?
I guess the issue is that very little discovered internally will ever be publicly disclosed. It feels like a tactic to make themselves look more secure than others when that is not likely the case.
That being said, I think the same behavior is to be expected from any company large enough to need a dedicated security research team.
Project Zero absolutely covers vulnerabilities in Google products. Just take a look at the blog archives (https://googleprojectzero.blogspot.com/). Chrome and Chromium seem to be frequent features, but they cover other Google properties as well.
> I guess the issue is that very little discovered internally will ever be publicly disclosed. It feels like a tactic to make themselves look more secure than others when that is not likely the case.
Agreed, and I don't think for a second Google as a whole is any different in this regard.
But who cares? Security issues are being found, Security issues are being publicized, Security issues are being fixed.
Project Zero, as a small part of Google, is finding bugs in everyones software - including Google's - and holding them to the same standards, standards which are widely regarded as being acceptable standards for disclosure.
The rest of Google, should they discover an issue without Project Zero's help, presumably behave just as most of other companies do - so hate them all equally, that's fine - and I agree, but Project Zero is different to Google as a whole, and just is not something to hate IMO.
> good reason to want iPhone customers to feel unsafe
How does fixing vulnerabilities in your iPhone make you feel unsafe?
> apple blamed for issues
Apple is being blamed for the issues because Apple is to blame for the issues. They made the product. Who is to blame about the security issues in an Apple product, if not Apple?
And if you rule out "all companies like Google", you've basically ruled out everyone with enough capital to donate to research, depending on your definition of "like Google".
And really, it absolutely is a donation. The ROI on Project Zero is likely 50x or more less than if that money went to the marketing team.
If you don't want to engage in discussion why are you even commenting here in the first place?
You are saying that this gives more power to google and someone asked if you could elaborate on why you think that. Not everyone has the same background and what may be obvious power to you may not be to others. This forum is supposed to be participated in with good faith.
Thankfully there are many ways to participate. But maybe I was a bit short. My point is that if you don't 'meet me half way' I can't do the subject justice in a forum where a significant number of the comments arguing that point is hidden. That increases my effort to make an effective argument and diminishes my returns for that effort. Especially since I don't feel that strongly about it. You are better off trying to find a blog post about it that won't disappear in a couple of hours.
But on the other hand meta isn't that interesting either. If large companies wanted to do security research that wasn't objectionable to people they could do so by consensus, standards and agreements. No one could really question that. Instead the idea is largely that "the ends justify the means". That is what people tend to disagree with. That large companies can unilaterally decide how things are done, not just for themselves but in a way that affects other companies or their users. It doesn't really matter if it is for good or best practice because it is about them, especially as large companies in the industry, having that influence.
It's how it's used. Like how when Epic decided Fortnite should skip the Google Play Store and it's 30% cut, Project Zero suddenly was interested in checking the security of games (which you rarely if ever see), so they could find a vulnerability in it and feed it out to Google's favored press outlets with a constructed story about how Epic is compromising everyone's security by not using the Play Store. (Don't mind all the stories about malware in the Play Store, of course.)
As soon as a company slighted Google, it was immediately a Project Zero target, and that should tell you everything you need to know about why people are annoyed with them.
IMO, your making an pretty large assumption here - you're describing the intent as malicious without anything concrete to back it up. If I was a security researcher, and someone decided to do something out of the norm, I'd probe it! There's nothing here to suggest malicious intent, only a security researcher doing what a security researcher does.
> with a constructed story about how Epic is compromising everyone's security
Did Epic compromise everyone's (or, at least their users) security? My memory of that incident is, yes - they did. If that's true, if the code was buggy and had a path to a security exploit, how is it a "constructed story"?
If I recall the issue in question, the only way it would be vulnerable to anything was... if someone already had another malicious app installed on their phone. Which is to say, you could get infected by already being infected, which is... not much of a vulnerability.
Which is to say, you could get infected by already being infected, which is... not much of a vulnerability.
It's a pretty big vulnerability when you allow the malicious intent of one app to escalate to an actual malicious capability so I don't think you're accurately recalling the issue in question.
I mean, if the first malicious app has less permissions than Fortnite, it could potentially gain Fortnite's permissions through the vulnerability. But the first malicious app likely could've just asked for those permissions itself, it's not like Fortnite has egregious permissions as it is, and neither can run as root.
Which is to say, there's the possibility for minor problems that should be fixed, but it's far from the "Epic is terribly insecure, trust the malware-ridden Play Store instead" rhetoric we got from this particularly aggressive media campaign.
>Epic is terribly insecure, trust the malware-ridden Play Store instead" rhetoric we got from this particularly aggressive media campaign.
Did p0 say that anywhere?
Given that if I search fortnite on the play store, I get a special warning message that it can't be downloaded on play (which was added specifically to prevent fortnite clones), I'm less than convinced that there was a unified campaign by Google to undermine epic, as you seem to be suggesting.
It means malicious apps can target Fortnite as a vector for malwarin', stealing your Epic account, etc. The vuln got media attention because Tim Sweeney got it into his head to publicly grump at P0 because they wouldn't hold off disclosure past the point of patch release. If it wasn't a big deal, why do you think he did that?
