After the recent disclosures about Apple vulnerabilities, I've seen a lot of (unwarranted, in my opinion) criticism from HN of Project Zero, specifically the accusation of non-Google bias. For those who hold this position, does this affect your stance?
Their release pattern with the Apple fault could effectively be called a PR campaign, including a lot of editorial narrative about bad software development processes, etc.
This one gets a bug tracker entry.
When Project Zero posts a lengthy analysis with lots of scurious claims about the victims of the exploit, the window of exploitation, and narrative about the poor development practices that led to it, then call it even.
If it follows the traditional pattern, they'll write a post blaming some external party. No, seriously, when people point out all of the "Android" faults they've found, invariably it is some variation of "but it isn't really Google's fault....".
Project Zero is brilliant, full of brilliant people, and is a remarkable effort, but when your paycheque is signed off by someone, it is human nature that you're really going to pussyfoot with them.
The iOS “deep dive” was a timed media push of a months-old problem right before a major Android release. They didn’t even try to obfuscate the timing or narrative. Blog post or not it’s pretty hard to top that.
> Apple has started multiple keynotes by talking about Android security issues.
Historically, they didn’t directly identify other vendors, but strongly implied it so it was obvious to most without directly saying names. This has changed a bit recently and I feel isn’t a good thing.
> I have _never_ heard Google officially talk crap about Apple.
No offense, but then you aren’t paying attention. There are examples given directly in this thread already.
> I bet Apple's own security team are 100% thankful for someone uncovering this.
That’s not my point at all with my original reply. I know firsthand that some Apple security members are thankful for the work of Project Zero. But that isn’t the point I was making or you made previously. Google “not saying anything bad about Apple” is patently false.
No. I may change my mind but the fact that they haven't written a blog post about it reinforces Project Zero's bias.
A minor Windows exploit is found, and they publish "Windows Exploitation Tricks". An iOS exploit is found and they do a six part "very deep dive into iOS Exploit chains".
Now, they find a bad Android exploit and they don't publish anything.
I've not seen that criticism myself. But to me what Project Zero is doing re: Apple vulnerabilities is great. I own Apple products and it's only going to improve/harden them.
However, I do think some of the motive is to take a bit of shine off Apple - meaning it's partly a marketing campaign.
Wasn't this a case where members of the Project Zero team were individually commenting in a Chromium bug thread and not a Project Zero public facing blog post?
Was there a Project Zero blog post before those comments went public that I missed?
It's not a "Chromium" bug, it's a project-zero bug [1]. https://bugs.chromium.org/ is just a bug tracker site to host a batch of projects by Google. While most of them are related to Chromium, there are also things like project-zero.
Note that that blog post was published in August 2019, while the vulnerabilities mentioned in the blog post were reported in a wide range of dates from October 2017[1] to December 2018[2] (that's the latest one I found in a quick skim, maybe there are later ones). This Android vulnerability was reported September 2019[3], so it may take 8-22 months before the blog post comes out. The reporter does intend to post a blog post about it[3].