  #1  
Old 16-02-15, 02:30 PM
WYP WYP is offline
News Guru
 
Join Date: Dec 2010
Location: Northern Ireland
Posts: 13,386
Google to give devs more time to fix flaws before revealing them

Google's "Project Zero" is a project which is designed to bolster internet security where, if Google finds a security flaw, it gives a developer 90 days to fix it before going public. Now, after a public backlash from several developers, Google is extending the deadline.



Read more on Google's deadline extension for "Project Zero" here.

__________________
One of these days I'll change my name to Mark Bench
  #2  
Old 16-02-15, 06:16 PM
remember300 remember300 is offline
OC3D Elite
 
Join Date: Feb 2013
Location: Dagenham
Posts: 2,292
That's good, but 90 days is too long... depending on the breach or access.
If it was, say, PayPal allowing a peer to view all information, that should be instant.
Maybe not tell everyone right away, but say it must become public knowledge in 2 weeks, solved or not.
  #3  
Old 16-02-15, 06:54 PM
ImprovizoR ImprovizoR is offline
Advanced Member
 
Join Date: Jan 2015
Posts: 352
90 days is enough. Unleash the chaos. If that's what it takes for these tech companies to start behaving responsibly. Most people just ignore the fact that these giant tech companies are supposed to be among the most responsible companies in the world. Think about just how much of our sensitive data relies on their services. They absolutely must be held responsible for any and all security flaws or god-forbid hacks. If outing those security flaws urges them to fix their , then I fully support it.
  #4  
Old 16-02-15, 07:04 PM
barnsley barnsley is offline
born in a.....
 
Join Date: Dec 2012
Location: Cambridge
Posts: 7,212
Quote:
Originally Posted by ImprovizoR View Post
90 days is enough. Unleash the chaos. If that's what it takes for these tech companies to start behaving responsibly. Most people just ignore the fact that these giant tech companies are supposed to be among the most responsible companies in the world. Think about just how much of our sensitive data relies on their services. They absolutely must be held responsible for any and all security flaws or god-forbid hacks. If outing those security flaws urges them to fix their , then I fully support it.
And releasing said exploits into the wild before they are patched is a good thing? What if said issue is something so complex it can't be fixed in the full 90+14 days? Not to mention that not everyone will patch their computers come update time. By making an exploit public, you're giving everyone and their mum an idea of what the exploit is and how they can use it.

I don't want Script Kiddies effing with my stuff.

My biggest issue is the whole thing is coming from Google. Who still don't fix crap on Android and instead leave it to OEMs to fix it.
__________________
Rig: i7 [email protected]|2x8gb HyperX Fury|Intel z97-AR|Corsair H75| 2x Nvidia 1070 founders edition|Superflower leadex 750W gold|Inwin 904|240gb+512gb Samsung evo 840| ASUS MG279Q +Acer S240HL| Windows 10 pro, 8.1 pro| Kubuntu LTS
Audio: Silverstone EB01-E+EB03+DT 770 Pro 250Ω+Samson SAGOMIC
Ducky Legend (cherry red)+Zowie AM-FG
  #5  
Old 16-02-15, 07:34 PM
NeverBackDown NeverBackDown is offline
AMD Enthusiast
 
Join Date: Dec 2012
Location: Middle-Earth
Posts: 14,936
Quote:
Originally Posted by barnsley View Post
My biggest issue is the whole thing is coming from Google. Who still don't fix crap on Android and instead leave it to OEMs to fix it.
We all know you prefer iOS. No need to flame Android and start something. Google do a good job. It's hard to maintain pretty much the number one used search engine... also there are so many Android phones and variants it is also equally as difficult to fix bugs. Sure they could do better but by no means they "don't fix crap".. they actually try, hence this whole project.
  #6  
Old 16-02-15, 08:05 PM
barnsley barnsley is offline
born in a.....
 
Join Date: Dec 2012
Location: Cambridge
Posts: 7,212
Quote:
Originally Posted by NeverBackDown View Post
We all know you prefer iOS. No need to flame Android and start something. Google do a good job. It's hard to maintain pretty much the number one used search engine... also there are so many Android phones and variants it is also equally as difficult to fix bugs. Sure they could do better but by no means they "don't fix crap".. they actually try, hence this whole project.
http://arstechnica.com/security/2015...ndroid-phones/
Oh boy, they sure do try. While I understand it would be up to the OEMs to push the update out to the individual phones once the patch is made by Google, they did actually fix one problem in the past, which was the Heartbleed bug. Instead they have left it to OEMs, who would rather you buy a new phone. Heck, I'll give Google credit, they did used to fix some issues with 4.3 and then left it to OEMs to send out the patches (which they didn't).
Would you want Asus, AMD et al. to be left in charge of Windows Update because Microsoft are too busy putting out the next version of Windows?

Google security research is a project aimed at other people, not really specifically (or much at all) Android.

Contrary to your belief, I actually prefer Windows Phone. Why? It's an example of a well-written OS that is secure but has customization and can support a decent range of hardware. It's a shame not many people have one, as it is pretty much everything a modern smartphone should be.

We could go back and forth and accuse each other of favoritism of certain companies all day anyway but this isn't the place.

-edit- Before I hear something about Android being open source and that because of that, it somehow excludes it from support, I suggest you look up what Linux does/is.
  #7  
Old 16-02-15, 09:23 PM
JMOC JMOC is offline
Member
 
Join Date: Dec 2008
Posts: 113
I think 60-90 days is reasonable. If the information becomes public or starts being exploited in the field then it might be a good idea to get the fix out quick.