Google Attacks The Messenger Over Android Vulnerability

from the not-very-friendly dept

There was plenty of news over the weekend about a security flaw in Google's Android mobile operating system that could allow certain websites to run attack code and access sensitive data. The security researchers have said they won't reveal the details of the flaw, even though it's apparently a known flaw in some of the open source code included in Android that Google did not update. That didn't stop Google from attacking the messenger, however, claiming that the security researcher who discovered the flaw broke some "unwritten rules" concerning disclosure. First of all, there is no widespread agreement on any such "unwritten rules," and many security researchers believe that revealing such flaws is an effective means of getting companies to patch software. Considering that Android's source code was released last week, it's quite reasonable to assume that many malicious hackers had already found this vulnerability, so making the news public seems to serve a valuable purpose. It's unfortunate that Google chose to point fingers rather than thanking the researcher and focusing on patching the security hole.


Reader Comments


  1.  
    Bob, Oct 28th, 2008 @ 7:56pm

    Flaws and Patches

    First, Android was built from FOSS, so it was required to be given back to FOSS.
    Second, flaws need to be illuminated in the FOSS world faster than in the "proprietary" world. More eyes on the code.
    Let Google whine; they have built a multi-billion dollar company on FOSS and FOSS tools.

    Google, put someone on it and fix the problem already!

     


  2.  
    Kyros, Oct 28th, 2008 @ 7:57pm

    Google..

    Google seems to be declining these days... perhaps the apocalypse is among us?

     


  3.  
    Hugo, Oct 28th, 2008 @ 8:02pm

    I am running a deprecated version of Symbian released in early 2005. I remain happy to report that there have apparently been no reported flaws that would require an OS or firmware update.

    Not to rain on Android or iPhone's parade... but, well you know...

     


  4.  
    jonnyq, Oct 28th, 2008 @ 8:07pm

    FOSS

    "Charlie Miller, the man who discovered the Android flaw, has followed this path in the past, most notably when he sold details of a flaw in the Linux kernel to the U.S. National Security Agency for $50,000"

    That's just bad form. Not saying I wouldn't do it, but it's bad form. In open source, it's better to just file a bug in the bug tracking system as a security bug and let the handlers respond before going to the papers. Mozilla even pays a bug bounty for this. It's more like $500 instead of $50000, but people complain less.

    I'm assuming that Google has a maintained Bugzilla-style system. That may not be the case.

     


  5.  
    Anonymous Coward, Oct 28th, 2008 @ 8:28pm

    Not trusting the computer

    Maybe that's the problem-- that these "Flaws", "bugs" and the like are actually "asks" from the NSA/CIA, to get into your machine. SvcHost keeps wanting to connect to some happy IP address owned by XO communications in Virginia every hour.

    I've never seen so many bug patches in my life as in the past 6 months. Then they won't tell you the details of what the update does. Maybe it does nothing but provide access to your files.

    I remain curious what the top CIA guy meant when he said the only safe computer was 'unplugged in a corner and not connected to any network'.

    Does he know something we don't? Thanks Top CIA guy for the heads-up.

     


  6.  
    ehrichweiss, Oct 28th, 2008 @ 8:59pm

    Re: Google..

    Sadly, I think this convinces me that Google isn't playing for our team any more. It's very sad because I had always given them the benefit of a doubt but from now on I'm going to scrutinize Google's every action with a completely different view.

    Also sad is that I'm certain that the apocalypse is going to become a self-fulfilling prophecy thanks to the fundamentalists rising in the ranks of our governments.

     


  7.  
    Anonymous Coward, Oct 29th, 2008 @ 1:43am

    I remain curious what the top CIA guy meant when he said the only safe computer was 'unplugged in a corner and not connected to any network'.

    Does he know something we don't? Thanks Top CIA guy for the heads-up.


    It makes sense to me - with a slight paranoid touch, you can easily reason that every computer system can eventually be hacked. Therefore, the only way to secure it is to keep it the hell out of the way of the world ("the only safe computer is in the centre of a nuclear explosion" doesn't have the same ring).

     


  8.  
    John Doe, Oct 29th, 2008 @ 4:06am

    Google = Microsoft?

     


  9.  
    TX CHL Instructor (profile), Oct 29th, 2008 @ 4:54am

    Re: Not trusting the computer

    The CIA guy was right. To be useful, you have to actually run the computer, but you can be reasonably secure if you don't connect it to any network.

    I have a customer who is an attorney, for whom I built a client database system (turnkey, including hardware). Just before I loaded his data into the system, I disconnected it from his network, and told him NEVER to connect that system to the internet again. And NEVER install any other software on it. I provided several USB flash drives for backups using backup software that I wrote, and told him NEVER to put those drives into any other machine except the hot backup that I also provided. I super-glued an RJ45 plug into the ethernet connectors on both systems. As long as he follows those directions, those systems cannot be hacked unless somebody gains physical access to them. (Ok, it's possible for somebody with the right gear to eavesdrop remotely, but the script-kiddies don't have access to that sort of thing. Yet.)
    --
    www.chl-tx.com The 2nd Amendment isn't about hunting ducks.

     


  10.  
    Dave, Oct 29th, 2008 @ 5:52am

    Re:

    Not yet, but they're moving that way. Once you get to a certain size, you start forgetting about people and start focusing on shareholders (who are sometimes people).

     


  11.  
    Matt, Oct 29th, 2008 @ 6:00am

    False Dilemma

    I don't see how Google can't have the technical team work on patching the vulnerability while the PR/exec team comments on the situation. I think you're being a little disingenuous about the etiquette issue; it's quite well established (see the nearly 15 years of BugTraq archives and this FAQ specifically) for a vendor to receive a private disclosure followed by a brief delay to allow them time to patch it. Sure, Android is open source, so a black hat could (or has already) discover it on his own. But if not, releasing it publicly removes any runway the vendor had and turns a vulnerability into a zero-day exploit.

     


  12.  
    Dosquatch, Oct 29th, 2008 @ 7:34am

    Re: Not trusting the computer

    I remain curious what the top CIA guy meant when he said the only safe computer was 'unplugged in a corner and not connected to any network'.

    What he means is that the only foolproof security is total inaccessibility, and not just with computers. Any lock can be defeated. Any wall can be breached. The only way to be certain is to put it where the locks, doors, and walls themselves cannot be reached. Launched to the moon, for example.

    So, too, with computers. As long as it is powered up waiting, and will accept you logging in, your security can be breached. All one needs is to know enough to fool the computer into believing the attacker is you.

     


  13.  
    Dosquatch, Oct 29th, 2008 @ 7:35am

    ummm....

    what happened to "Don't be Evil"?

     


  14.  
    Anonymous Coward, Oct 29th, 2008 @ 8:09am

    Re: Re: Google..

    And the Anti-Christ leading in the polls for president. :)

     


  15.  
    Anonymous Coward, Oct 29th, 2008 @ 8:12am

    Re: Flaws and Patches

    They did. They stopped the rollout of RC28, fixed it, and are rolling out RC29.

     


  16.  
    JT, Oct 29th, 2008 @ 8:18am

    Re: Re:

    lol, I laugh when I see something like this. They're all corporations that answer to a higher power: stockholders. The larger they get, the more diluted they get with "good and evil". Why people don't ever seem to get this is beyond me. Those who seem to adamantly defend Apple don't seem to get that they're also the same.

    So start your anti-Google campaigns and wait for your next start-up corporate savior to come along.

     


  17.  
    LBD, Oct 29th, 2008 @ 9:10am

    Google

    Google is no longer what it once was. It's died. Let us mourn the lost, and move on, taking our support from Google's monstrous corpse to the next open, freely available small company that will eventually grow into a large company/supporter of human rights.

     


  18.  
    LBD, Oct 29th, 2008 @ 9:13am

    Re:

    If your computer's plugged in, but not plugged into any wireless or ethernet or other method of computer-to-computer communication (I don't mean has it disabled, I mean no physical connection), then it's perfectly safe unless a virus gets onto a data device and kills it.

    It still won't be able to tell your secrets.

     


  19.  
    LBD, Oct 29th, 2008 @ 9:16am

    Re: Re:

    Addendum: Unless someone other than you gains physical access to the machine. But honestly, that's fairly unlikely with a personal computer. I doubt there are people who will ninja sneak into your house, and steal data from your computer.

    I also doubt that there are many people who use Van-Allen Phreaking

     


  20.  
    Anonymous Coward, Oct 29th, 2008 @ 9:29am

    Re: ummm....

    How is Google being evil? Sounds like the guy trying to make money or more of a name for himself.

     


  21.  
    Shyptari, Oct 29th, 2008 @ 10:19am

    They're Both Wrong

    Okay, in Google's defense: Yeah, you found the broken code, bravo! Now be a good boy and hand it back to the owner to fix. Done. But when you just diss them, and go public with it, that is kinda lame. At least tell them that you're gonna go public. They woulda probably said "About what?!"..."Oh, okay. You do that, we'll fix it in the process."
    Everyone = happy.

    In Charlie Miller's defense: Google doesn't have to whine about it. It's code, it's flawed just for the fact that people created it. Deal with it. So you didn't get a heads up, don't feel bad for yourself. Say to the guy "Why didn't you tell us first...meh, who cares, let's fix this before it becomes a major problem." And accept a little hurt pride. It's not about the ego, it's about getting it done right. Even if it means everyone knows about it.
    Everyone = happy.

    My two cents.
    But then again, the world doesn't work my way.

     


  22.  
    nasch, Oct 29th, 2008 @ 10:25am

    Re: Re: Not trusting the computer

    Any lock can be defeated. Any wall can be breached. The only way to be certain is to put it where the locks, doors, and walls themselves cannot be reached. Launched to the moon, for example.

    If you can launch it to the moon, then somebody else can launch themselves to the moon and go get it and break into it. I think when we're talking about security here, we mean remote access security. Clearly no physical security system is impenetrable, but that's not the point. The point is no computer security system is impenetrable either, so the only perfect protection from remote exploits is to completely disconnect the computer from all networks.

     


  23.  
    Dosquatch, Oct 29th, 2008 @ 10:55am

    Re: Re: ummm....

    How is Google being evil?

    FTFA:

    After first dismissing the amount of damage to which the flaw exposed users, anonymous Google executives then attempted to discredit the security researcher,

    1. - pretend the problem isn't a problem
    2. - paint the researcher as the real problem
    3. - ????
    4. - PROPHET!!1!!!ELEVENTY-ONE!!

     


  24.  
    wooster11 (profile), Oct 29th, 2008 @ 11:01am

    Unwritten Rules

    I think the unwritten rules are pretty clear when dealing with security issues in software.

    These "Security Experts" (hackers) need to know these rules.

    The first step is always to notify the company privately of the security issue to see if they will respond.

    It is at that point, when a determination is made to whether or not to go public with the issue.

    If a company was not responding to the issue even after being notified (let's say within 90 days - software development takes time), then the security group has the option to go to the public to get the company to move on the issue.

    The one good thing I can say is at least the security isn't releasing details on the flaw, but they still should have gone to Google in private first.

     


  25.  
    Clueby4, Oct 29th, 2008 @ 12:00pm

    Unwritten Delusions.

    Unwritten rules?! For software?! Today's modern age snake oil!? No such expectation should be present.

    I can see the benefits of giving the software companies a heads up; however, those companies with bad track records, of which Google is a proud member, should not be afforded any such courtesy.

    I'm not sure I find the selling of the exploits to third parties very palatable, but with the absence of merchantability that the software market thoroughly enjoys, there's not much one can do about that other than frown :P

     


  26.  
    What ARE you talking about, Oct 29th, 2008 @ 5:37pm

    Re: Unwritten Delusions.

    How exactly is Google a proud member of "those companies with bad track records"?
    From all I know, the last company on that list should be Google.

     


  27.  
    Anonymous Coward, Nov 2nd, 2008 @ 4:02am

    Re: Google..

    Google seems to be declining these days..

    Not really. Their true nature is just becoming more apparent.

     


  28.  
    Anonymous Coward, Nov 2nd, 2008 @ 4:08am

    Re: Unwritten Rules

    I think the unwritten rules are pretty clear when dealing with security issues in software.

    And I think they aren't. So there.

     


  29.  
    Anonymous Coward, Nov 2nd, 2008 @ 4:10am

    Re: Re: Unwritten Delusions.

    From all I know, the last company on that list should be google.

    Perhaps you should read the article at the top of this page.

     


  30.  
    Paulie, Dec 9th, 2009 @ 6:54am

    This is pretty out of character for Google... or at least the way I perceive Google. A quick question: why did they release their source code for Android? Was it for developers? Anyway, it seems that, as mentioned, Google should be glad that this was pointed out publicly, because now fewer people will be clamoring for some security software on their phones, because Google will fix this problem... right, Google?

     


