Google Announces "Project Zero" To Improve Web Security

  • Google Announces "Project Zero" To Improve Web Security

    Phoronix: Google Announces "Project Zero" To Improve Web Security

    Google this morning announced their latest initiative: Project Zero, an effort to improve web security for everyone...


  • #2
    There is a big problem with what they've written up... they talk all about transparency, but then go on to say that they will only report bugs to the software's vendor and then only publish out in the open once the resolution has been developed.

    From my perspective, this is a huge problem, since (a) how do you know that the vendor will *actually* bother to solve the problem, (b) they are NOT the only group capable of finding bugs -- those who exploit them will run unchecked, so how about a little heads up... (c) what if I'm capable of fixing the problem or disabling the defective functions myself? It would sure be nice to hear about the defects so that *I* can protect *myself* and not have to rely on someone else to do that for me, on their own schedule.



    • #3
      That's cute, but will they work on helping people fight against Google's own data collection and centralization activities? (Which in turn can be used by governments and possibly hackers.)



      • #4
        Originally posted by droidhacker:
        There is a big problem with what they've written up... they talk all about transparency, but then go on to say that they will only report bugs to the software's vendor and then only publish out in the open once the resolution has been developed.

        From my perspective, this is a huge problem, since (a) how do you know that the vendor will *actually* bother to solve the problem, (b) they are NOT the only group capable of finding bugs -- those who exploit them will run unchecked, so how about a little heads up... (c) what if I'm capable of fixing the problem or disabling the defective functions myself? It would sure be nice to hear about the defects so that *I* can protect *myself* and not have to rely on someone else to do that for me, on their own schedule.
        No, what they said is that typically bugs will only be disclosed publicly after a fix is released, and this is standard practice for responsible disclosure - there is typically a grace period for the vendor to fix the bug before disclosure, and the period is determined based on a number of factors, like the potential impact of the exploit.

        You've clearly not thought this through:
        (a) This is covered by the grace period.
        (b) Obviously other people may have discovered the bug, but as soon as you publish, everyone can exploit the bug on every vulnerable system (which is all of them, because there is no patch available), so publishing before there has been reasonable time to fix the bug is massively irresponsible.
        (c) What if you're not capable of fixing it? What about everyone else who's not?



        • #5
          Originally posted by droidhacker:
          There is a big problem with what they've written up... they talk all about transparency, but then go on to say that they will only report bugs to the software's vendor and then only publish out in the open once the resolution has been developed.
          If you thought about this for 5 minutes, you'd understand why that is the typical process for EVERY project - including OSS ones.

          You don't want to announce to every hacker in the world clear instructions to 0 day exploit your software before you've had the chance to fix it. That's just stupid.

          If someone refuses to fix a bug you've found, then after a certain grace period you can expose the issue publicly. But don't help the hackers by not even giving them a chance to fix it.



          • #6
            Dear Microsoft

            Message to Microsoft: We're coming for you!



            • #7
              MWAHAHAHAHA!!!
              Now we are the only ones who have all the data.



              • #8
                Originally posted by pdffs:
                No, what they said is that typically bugs will only be disclosed publicly after a fix is released, and this is standard practice for responsible disclosure - there is typically a grace period for the vendor to fix the bug before disclosure, and the period is determined based on a number of factors, like the potential impact of the exploit.

                You've clearly not thought this through:
                (a) This is covered by the grace period.
                (b) Obviously other people may have discovered the bug, but as soon as you publish, everyone can exploit the bug on every vulnerable system (which is all of them, because there is no patch available), so publishing before there has been reasonable time to fix the bug is massively irresponsible.
                (c) What if you're not capable of fixing it? What about everyone else who's not?
                a) Sure. Give a grace period for every hacker in the world to exploit everything. Great idea.
                b) Nonsense. Those people exploiting bugs... ARE ALREADY.
                c) Then **TURN IT OFF**. You can't exploit a bug on a computer that is TURNED OFF.



                • #9
                  Originally posted by smitty3268:
                  If you thought about this for 5 minutes, you'd understand why that is the typical process for EVERY project - including OSS ones.

                  You don't want to announce to every hacker in the world clear instructions to 0 day exploit your software before you've had the chance to fix it. That's just stupid.

                  If someone refuses to fix a bug you've found, then after a certain grace period you can expose the issue publicly. But don't help the hackers by not even giving them a chance to fix it.
                  Every hacker in the world already knows about it.



                  • #10
                    Originally posted by droidhacker:
                    Every hacker in the world already knows about it.
                    If that was the case then every security bug would have zero-day exploits. The very fact that we have a term for zero-day exploits shows that this isn't the case.
