[HN Gopher] A walk through Project Zero metrics
___________________________________________________________________
A walk through Project Zero metrics
Author : arkadiyt
Score : 38 points
Date : 2022-02-10 17:07 UTC (1 day ago)
(HTM) web link (googleprojectzero.blogspot.com)
(TXT) w3m dump (googleprojectzero.blogspot.com)
| tptacek wrote:
| This will sound very weird, but I kind of hate that they include
| Google among the vendors they report to, provide a deadline and
| grace period for, and track responses from. It's actually not
| their responsibility to do anything like that; if Microsoft and
| Apple are unhappy that P0 is targeting them, they should respond
| by standing up their own P0 teams and hammering Google, rather
| than having everyone operate under the fiction that it's OK for
| Google to be the only major vendor doing this work.
|
| (I'm of course not saying P0 shouldn't target Google, just that
| Google shouldn't have to be publicly accountable to Google P0).
| lima wrote:
| Why not? It really strengthens the message.
| tptacek wrote:
| I don't think it does strengthen the message, unless you
| think Google does such a good job responding to P0 that
| they're setting a standard Microsoft, Apple, and Adobe have
| to adhere to, and I think that's pretty debatable (the really
| important thing P0 does to set a standard is the 90 day
| deadline).
| xxpor wrote:
| It prevents google execs from burying P0 reports to other
| teams at Google though, which seems like the bigger risk?
| [deleted]
| xxpor wrote:
| Could you expand more on why?
|
| At least to me, it seems like there's no _downside_ to publicly
| tracking responses from Google itself. Ideally P0 should
| operate mostly independently.
|
| Agreed that there should be more P0 like efforts from other
| companies though. The more the merrier.
| tptacek wrote:
| I guess I'd start by saying I don't see the advantage to P0
| operating independently. Threads about P0 often devolve into
| debates about conflicts of interest, but there's no conflict
| here; every vendor has in principle the right to conduct
| lawful vulnerability research against other vendors,
| including competitors, and there's no ethical standard that
| dictates what those vendors should choose to target.
|
| Google is, of course, ethically obligated to rigorously test
| its own products, and if P0 has expertise that the other
| security orgs at Google lacks, it's ethically obligated to
| train that expertise on Google products. I'm just saying that
| Google isn't ethically obligated to include itself in its
| vendor tracking statistics.
| shadowgovt wrote:
| I agree there's no obligation, but including it gives other
| people some assurance that P0 isn't going easy on its
| patron.
| pvg wrote:
| What's the downside, though? It helps reinforce the message
| that this work is a kind of public good rather than mere
| corporate sniping and protects the reputation of the
| researchers. It's a bummer it hasn't shamed other big companies
| into organizing similar efforts but it would be even less
| likely to do so if it was even easier to dismiss as some sort
| of nefarious PR effort (not that this doesn't already happen).
| olliej wrote:
| I dislike many aspects of Google, but Project Zero is not one of
| them and has greatly improved the overall security of the
| industry.
|
| Also their blogs describing how security exploits work are always
| super interesting.
| [deleted]
| r00fus wrote:
| Is it meaningful to include "Linux" as a discrete vendor? How
| would you compare an OSS project to a company like Microsoft or
| Google?
| that_guy_iain wrote:
| The Linux Kernel is a product and the Linux Foundation is its
| vendor. I would assume they mean them. Especially when they had
| Red Hat and Canonical in "other".
| tester756 wrote:
| that iOS vs Android table kinda makes no sense as they said
|
| iOS 76, Android Samsung 10, Android Pixel 6
|
| >The first thing to note is that it appears that iOS received
| remarkably more bug reports from Project Zero than any flavor of
| Android did during this time period, but rather than an imbalance
| in research target selection, this is more a reflection of how
| Apple ships software. Security updates for "apps" such as
| iMessage, Facetime, and Safari/WebKit are all shipped as part of
| the OS updates, so we include those in the analysis of the
| operating system. On the other hand, security updates for
| standalone apps on Android happen through the Google Play Store,
| so they are not included here in this analysis.
|
| so kinda what's the point of putting that column there? people
| will use it as an argument that Android is safer :P
| amscanne wrote:
| There are advantages and disadvantages to bundling applications
| with the core OS; having these security bugs become part of the
| OS release vehicle (along with the heavyweight process that
| implies) seems like a disadvantage. With respect to the table,
| I think there's a decent argument either way.
| gsmith7890 wrote:
| What was the most serious vulnerability or set of vulnerabilities
| identified by Project Zero?
| UncleMeat wrote:
| Spectre is probably the most interesting one. As of right now
| it isn't as critical as other things since it is difficult to
| actually exploit, but its implications are gargantuan, similar
| to the development of return-oriented programming a while back.
___________________________________________________________________
(page generated 2022-02-11 23:00 UTC)