I really appreciate and enjoy the work done by Project Zero.
But, it often does feel like it could be retitled Project Schadenfreude. This particular post almost feels timed specifically for release right before WWDC.
They're doing Apple a huge favor by discovering these bugs. They're doing the security community a huge favor by publishing blog posts about them for others to learn from. They also do plenty of Android research, although iOS is a higher priority since most security-conscious people use iOS (including the researchers themselves). This is not a hit piece on Apple.
I’m not sure how this argument makes sense. Most people use Android. I don’t see any evidence that supports the claim that most “security-conscious” people use iOS.
If it is somehow meaningful to make that claim, then it is all the more important for Project Zero to focus on Android, since people who are not security conscious are less likely to practice other forms of security.
Project Zero simply doesn’t seem to publish these pieces about Android at the same rate they do about iOS. Perhaps this is unintentional.
vendor=Google returns 145 (bugs in Samsung's Android kernel, etc. are tracked separately)
vendor=Linux returns 54
To be fair, a huge number of things make this not an even comparison, including the underlying bug rate, different products (Google lacks a desktop OS and an iMessage equivalent, for example), and downstream Android vendors being tracked separately. Also, # bugs found != which ones they choose to write about.
> Google lacks a desktop OS and an iMessage equivalent, for example
Nitpicking, but Chrome OS is a desktop OS, and Google has had at least 7 things similar to iMessage.
On topic, from my perspective when I was working somewhere that got bug reports from Project Zero, it was great. I mean, not great that we had the bug they found first, or the follow-up bug they found after we fixed that one; but great that they were clear problems that we could solve. If we didn't want to be written up, we could have done better to begin with, and taken more care in looking around when the first bug was reported.
Is Chrome OS sufficiently unique enough from Linux to be its own category (genuinely asking)? I was aware of it when I made the original comment, but considered it more a subset of Linux, in that most major kernel security bugs would be shared.
Also, what are you considering similar to iMessage? My view is that iMessage presents its own unique & powerful attack surface that Hangouts/etc. don't have. Maybe RCS?
I think Chrome OS at least has a unique libc and GUI stack versus normal desktop Linux distributions? And there's certainly room for errors in their updater stack and all that.
gChat, Allo, Duo, SMS (whatever it's called today), Hangouts, Meet, ??? They're all relatively similar, send messages including media (remember stagefright)
> gChat, Allo, Duo, SMS (whatever it's called today), Hangouts, Meet, ??? They're all relatively similar, send messages including media (remember stagefright)
Most of those have a much more limited attack surface than iMessage, at least in my understanding. SMS is shared and doesn't try to do what iMessage does, thus the issues
I'd guess they have better things to do than to align their work with the schedule of wwdc. Their job is to find security issues; they probably don't care much about wwdc one way or another.