Thread: Google Announces "Project Zero" To Improve Web Security

  1. #1
    Join Date
    Jan 2007
    Posts
    14,810

    Google Announces "Project Zero" To Improve Web Security

    Phoronix: Google Announces "Project Zero" To Improve Web Security

    Google this morning announced their latest initiative: Project Zero, an effort to improve web security for everyone...

    http://www.phoronix.com/vr.php?view=MTc0MTg

  2. #2
    Join Date
    Oct 2009
    Posts
    2,110

    There is a big problem with what they've written up... they talk all about transparency, but then go on to say that they will only report bugs to the software's vendor and then only publish out in the open once the resolution has been developed.

    From my perspective, this is a huge problem, since (a) how do you know that the vendor will *actually* bother to solve the problem, (b) they are NOT the only group capable of finding bugs -- those who exploit them will run unchecked, so how about a little heads up... (c) what if I'm capable of fixing the problem or disabling the defective functions myself? It would sure be nice to hear about the defects so that *I* can protect *myself* and not have to rely on someone else to do that for me, on their own schedule.

  3. #3
    Join Date
    Jan 2011
    Posts
    376

    That’s cute, but will they work on helping people fight against Google’s own data collection and centralization activities? (Which in turn can be used by governments and possibly hackers.)

  4. #4
    Join Date
    Jan 2012
    Posts
    59

    Quote Originally Posted by droidhacker View Post
    There is a big problem with what they've written up... they talk all about transparency, but then go on to say that they will only report bugs to the software's vendor and then only publish out in the open once the resolution has been developed.

    From my perspective, this is a huge problem, since (a) how do you know that the vendor will *actually* bother to solve the problem, (b) they are NOT the only group capable of finding bugs -- those who exploit them will run unchecked, so how about a little heads up... (c) what if I'm capable of fixing the problem or disabling the defective functions myself? It would sure be nice to hear about the defects so that *I* can protect *myself* and not have to rely on someone else to do that for me, on their own schedule.
    No, what they said is that typically bugs will only be disclosed publicly after a fix is released, and this is standard practice for responsible disclosure - there is typically a grace period for the vendor to fix the bug before disclosure, and the period is determined based on a number of factors, like the potential impact of the exploit.

    You've clearly not thought this through:
    (a) This is covered by the grace period.
    (b) Obviously other people may have discovered the bug, but as soon as you publish, everyone can exploit the bug on every vulnerable system (which is all of them, because there is no patch available), so publishing before there has been reasonable time to fix the bug is massively irresponsible.
    (c) What if you're not capable of fixing it? What about everyone else who's not?

  5. #5
    Join Date
    Oct 2008
    Posts
    3,134

    Quote Originally Posted by droidhacker View Post
    There is a big problem with what they've written up... they talk all about transparency, but then go on to say that they will only report bugs to the software's vendor and then only publish out in the open once the resolution has been developed.
    If you thought about this for 5 minutes, you'd understand why that is the typical process for EVERY project - including OSS ones.

    You don't want to announce to every hacker in the world clear instructions to 0 day exploit your software before you've had the chance to fix it. That's just stupid.

    If someone refuses to fix a bug you've found, then after a certain grace period you can expose the issue publicly. But don't help the hackers by not even giving them a chance to fix it.

  6. #6
    Join Date
    Mar 2010
    Posts
    8

    Dear Microsoft

    Message to Microsoft: We're coming for you!

  7. #7
    Join Date
    Apr 2014
    Posts
    115

    MWAHAHAHAHA!!!
    Now we are the only ones who have all the data.

  8. #8
    Join Date
    Oct 2009
    Posts
    2,110

    Quote Originally Posted by pdffs View Post
    No, what they said is that typically bugs will only be disclosed publicly after a fix is released, and this is standard practice for responsible disclosure - there is typically a grace period for the vendor to fix the bug before disclosure, and the period is determined based on a number of factors, like the potential impact of the exploit.

    You've clearly not thought this through:
    (a) This is covered by the grace period.
    (b) Obviously other people may have discovered the bug, but as soon as you publish, everyone can exploit the bug on every vulnerable system (which is all of them, because there is no patch available), so publishing before there has been reasonable time to fix the bug is massively irresponsible.
    (c) What if you're not capable of fixing it? What about everyone else who's not?
    a) Sure. Give a grace period for every hacker in the world to exploit everything. Great idea.
    b) Nonsense. Those people exploiting bugs... ARE ALREADY.
    c) Then **TURN IT OFF**. You can't exploit a bug on a computer that is TURNED OFF.

  9. #9
    Join Date
    Oct 2009
    Posts
    2,110

    Quote Originally Posted by smitty3268 View Post
    If you thought about this for 5 minutes, you'd understand why that is the typical process for EVERY project - including OSS ones.

    You don't want to announce to every hacker in the world clear instructions to 0 day exploit your software before you've had the chance to fix it. That's just stupid.

    If someone refuses to fix a bug you've found, then after a certain grace period you can expose the issue publicly. But don't help the hackers by not even giving them a chance to fix it.
    Every hacker in the world already knows about it.

  10. #10
    Join Date
    Feb 2011
    Posts
    1,127

    Quote Originally Posted by droidhacker View Post
    Every hacker in the world already knows about it.
    If that was the case then every security bug would have zero-day exploits. The very fact that we have a term for zero-day exploits shows that this isn't the case.