Google Attacks The Messenger Over Android Vulnerability

from the not-very-friendly dept

Tue, Oct 28th 2008 6:56pm — Mike Masnick

There was plenty of news over the weekend about a security flaw found in Google's Android mobile operating system that could allow certain websites to run attack code and access sensitive data. The security researchers have said they won't reveal the details of the flaw, even though it's apparently a known flaw that is in some of the open source code in Android that Google did not update. However, that didn't stop Google from attacking the messenger, claiming that the security researcher who discovered the flaw broke some "unwritten rules" concerning disclosure. First of all, there is no widespread agreement on any such "unwritten rules" and many security researchers believe that revealing such flaws is an effective means of getting companies to patch software. Considering that Android's source code was revealed last week, it's quite reasonable to assume that many malicious hackers had already figured out this vulnerability, and making that news public seems to serve a valuable purpose. It's unfortunate that Google chose to point fingers, rather than thanking the researcher and focus on patching the security hole.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: android, flaw, messenger, security
Companies: google

30 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Bob, 28 Oct 2008 @ 7:56pm

Flaws and Patches
First, Android was built from FOSS, so it was required to be given back to FOSS.
Second, flaws need to be illuminated in the FOSS world faster than in the "proprietary" world. More eyes on the code.
Let Google whine they have built a multi billion dollar company on FOSS and FOSS tools.

Google put someone on it and fix the problem already!
[ link to this | view in chronology ]
- Anonymous Coward, 29 Oct 2008 @ 8:12am
  
  Re: Flaws and Patches
  They did. They stopped the roll out of RC28, fixed, and are rolling out RC29.
  [ link to this | view in chronology ]
Kyros, 28 Oct 2008 @ 7:57pm

Google..
Google seems to be declining these days..perhaps apocalypse is among us?
[ link to this | view in chronology ]
- ehrichweiss, 28 Oct 2008 @ 8:59pm
  
  Re: Google..
  Sadly, I think this convinces me that Google isn't playing for our team any more. It's very sad because I had always given them the benefit of a doubt but from now on I'm going to scrutinize Google's every action with a completely different view.
  
  Also sad is that I'm certain that the apocalypse is going to become a self-fulfilling prophecy thanks to the fundamentalists rising in the ranks of our governments.
  [ link to this | view in chronology ]
  - Anonymous Coward, 29 Oct 2008 @ 8:09am
    
    Re: Re: Google..
    And the Anti-Christ leading in the polls for president. :)
    [ link to this | view in chronology ]
- Anonymous Coward, 2 Nov 2008 @ 4:02am
  
  Re: Google..
  Google seems to be declining these days..
  Not really. Their true nature is just becoming more apparent.
  [ link to this | view in chronology ]
Hugo, 28 Oct 2008 @ 8:02pm

I am running a deprecated version of Symbian released in early 2005. I remain happy to report that there has apparently been no reported flaws that would require a OS or firmware update.

Not to rain on Android or iPhone's parade... but, well you know...
[ link to this | view in chronology ]
jonnyq, 28 Oct 2008 @ 8:07pm

FOSS
"Charlie Miller, the man who discovered the Android flaw, has followed this path in the past, most notably when he sold details of a flaw in the Linux kernel to the U.S. National Security Agency for $50,000"

That's just bad form. Not saying I wouldn't do it, but it's bad form. In open source, it's better to just file a bug in the bug tracking system as a security bug and let the handlers respond before going to the papers. Mozilla even pays a bug bounty for this. It's more like $500 instead of $50000, but people complain less.

I'm assuming that Google has a maintained Bugzilla-style system. That may not be the case.
[ link to this | view in chronology ]
Anonymous Coward, 28 Oct 2008 @ 8:28pm

Not trusting the computer
Maybe that's the problem-- that these "Flaws", "bugs" and the like are actually "asks" from the NSA/CIA, to get into your machine. SvcHost keeps wanting to connect to some happy IP address owned by XO communications in Virginia every hour.

I've never seen so many bug patches in my life as in the past 6 months. Then they won't tell you the details of what the update does. Maybe it does nothing but provide access to your files.

I remain curious what the top CIA guy meant when he said the only safe computer was 'unplugged in a corner and not connected to any network'.

Does he know something we don't? Thanks Top CIA guy for the heads-up.
[ link to this | view in chronology ]
- TX CHL Instructor (profile), 29 Oct 2008 @ 4:54am
  
  Re: Not trusting the computer
  The CIA guy was right. To be useful, you have to actually run the computer, but you can be reasonably secure if you don't connect it to any network.
  
  I have a customers who is an attorney, for whom I built a client database system (turnkey, including hardware). Just before I loaded his data into the system, I disconnected it from his network, and told him NEVER connect that system to the internet again. And NEVER install any other software on it. I provided several USB flash drives for backups using backup software that I wrote, and told him NEVER put those drives into any other machine except the hot backup that I also provided. I super-glued an RJ45 plug into the ethernet connectors on both systems. As long as he follows those directions, those system cannot be hacked unless somebody gains physical access to them. (Ok, it's possible for somebody with the right gear to eavesdrop remotely, but the script-kiddies don't have access to that sort of thing. Yet.)
  --
  www.chl-tx.com The 2nd Amendment isn't about hunting ducks.
  [ link to this | view in chronology ]
- Dosquatch, 29 Oct 2008 @ 7:34am
  
  Re: Not trusting the computer
  I remain curious what the top CIA guy meant when he said the only safe computer was 'unplugged in a corner and not connected to any network'.
  
  What he means is that the only foolproof security is total inaccessability, and not just with computers. Any lock can be defeated. Any wall can be breached. The only way to be certain is to put it where the locks, doors, and walls themselves cannot be reached. Launched to the moon, for example.
  
  So, too, with computers. As long as it is powered up waiting, and will accept you logging in, your security can be breached. All one needs is to know enough to fool the computer into believing the attacker is you.
  [ link to this | view in chronology ]
  - nasch, 29 Oct 2008 @ 10:25am
    
    Re: Re: Not trusting the computer
    Any lock can be defeated. Any wall can be breached. The only way to be certain is to put it where the locks, doors, and walls themselves cannot be reached. Launched to the moon, for example.
    
    If you can launch it to the moon, then somebody else can launch themselves to the moon and go get it and break into it. I think when we're talking about security here, we mean remote access security. Clearly no physical security system is impenetrable, but that's not the point. The point is no computer security system is impenetrable either, so the only perfect protection from remote exploits is to completely disconnect the computer from all networks.
    [ link to this | view in chronology ]
Anonymous Coward, 29 Oct 2008 @ 1:43am

I remain curious what the top CIA guy meant when he said the only safe computer was 'unplugged in a corner and not connected to any network'.

Does he know something we don't? Thanks Top CIA guy for the heads-up.

It makes sense to me - with a slight paranoid touch, you can easily reason that every computer system can eventually be hacked. Therefore, the only way to secure it is to keep it the hell out of the way of the world ("the only safe computer is in the centre of a nuclear explosion" doesn't have the same ring).
[ link to this | view in chronology ]
- LBD, 29 Oct 2008 @ 9:13am
  
  Re:
  If your computer's plugged in, but not plugged into any wireless or eathernet or other methoid of computer to computer communication (I don't mean has it disabled, I mean no physical connection.) then it's perfectly safe unless a virus gets onto a data device and kills it.
  
  It still won't be able to tell your secretes.
  [ link to this | view in chronology ]
  - LBD, 29 Oct 2008 @ 9:16am
    
    Re: Re:
    Addium: Unless someone other then you gains physical acess to the machine. But honestly, that's fairly unlikely with a personal computer. I doubt there are people who will ninja sneak into your house, and steal data from your computer.
    
    I also doubt that there are many people who use Van-Allen Phreaking
    [ link to this | view in chronology ]
John Doe, 29 Oct 2008 @ 4:06am

Google = Microsoft?
[ link to this | view in chronology ]
- Dave, 29 Oct 2008 @ 5:52am
  
  Re:
  Not yet, but they're moving that way. Once you get to a certain size, you start forgetting about people and start focusing on shareholders (who are sometimes people)
  [ link to this | view in chronology ]
  - JT, 29 Oct 2008 @ 8:18am
    
    Re: Re:
    lol I laugh when I see something like this. They're all corporations that answer to a higher power, stock holders. The larger they get, the more diluted they get with "good and evil". Why people don't ever seem to get this is beyond me. Those who seem to adamantly defend Apple doesn't seem to get that they're also the same.
    
    So start your anti-Google campaigns and wait for your next start-up corporate savior to come along.
    [ link to this | view in chronology ]
Matt, 29 Oct 2008 @ 6:00am

False Dilemma
I don't see how Google can't have the technical team work on patching the vulnerability while the PR/exec team comments on the situation. I think you're being a little disingenuous about the etiquette issue; it's quite well established (see the nearly 15 years of BugTraq archives and this FAQ specifically) for a vendor to receive a private disclosure followed by a brief delay to allow them time to patch it. Sure, Android is open source so a black hat could (or has already) discover it on his own. But if not, releasing it publicly removes any runway the vendor had and turns a vulnerability into into a zero-day exploit.
[ link to this | view in chronology ]
Dosquatch, 29 Oct 2008 @ 7:35am

ummm....
what happened to "Don't be Evil"?
[ link to this | view in chronology ]
- Anonymous Coward, 29 Oct 2008 @ 9:29am
  
  Re: ummm....
  How is Google being evil? Sounds like the guy trying to make money or more of a name for himself.
  [ link to this | view in chronology ]
  - Dosquatch, 29 Oct 2008 @ 10:55am
    
    Re: Re: ummm....
    How is Google being evil?
    
    FTFA:
    After first dismissing the amount of damage to which the flaw exposed users, anonymous Google executives then attempted to discredit the security researcher,
    
    - pretend the problem isn't a problem
    - paint the researcher as the real problem
    - ????
    - PROPHET!!1!!!ELEVENTY-ONE!!
    [ link to this | view in chronology ]
LBD, 29 Oct 2008 @ 9:10am

Google
Goodle is no longer what it once was. It's died. Let us mourn the lost, and move on, taking our support from google's monstrious corpse to the next open freely avalible small company that will eventualy grow into a large company/supporter of human rights.
[ link to this | view in chronology ]
Shyptari, 29 Oct 2008 @ 10:19am

They're Both Wrong
Okay, in Google's defense: Yeah, you found the broken code, bravo! Now be a good boy and hand it back tot he owner to fix. Done. But when you just diss them, and go public with it, that is kinda lame. At least tell them that you're gonna go public. They woulda probably said "About what?!"..."Oh, okay. You do that, we'll fix it in the process."
Everyone = happy.

In Charlie Miller's defense: Google doesn't have to whine about it. Its code, its flawed just for the fact that people created it. Deal with it. So you didn't get a heads up, don't feel bad for yourself. Say to the guy "Why didn't you tell us first...meh, who cares, lets fix this before it becomes a major problem." And accept a little hurt pride. Its not about the ego, its about getting it done right. Even if it means everyone knows about it.
Everyone = happy.

My two cents.
But then again, the world doesn't work my way.
[ link to this | view in chronology ]
wooster11 (profile), 29 Oct 2008 @ 11:01am

Unwritten Rules
I think the unwritten rules are pretty clear when dealing with security issues in software.

These "Security Experts" (hackers) need to know these rules.

The first step is always to notify the company privately of the security issue to see if they will respond.

It is at that point, when a determination is made to whether or not to go public with the issue.

If a company was not responding to the issue even after being notified (let's say within 90 days - software development takes time), then the security group has the option to go the public to get the company to move on the issue.

The one good thing I can say is at least the security isn't releasing details on the flaw, but they still should have gone to Google in private first.
[ link to this | view in chronology ]
- Anonymous Coward, 2 Nov 2008 @ 4:08am
  
  Re: Unwritten Rules
  I think the unwritten rules are pretty clear when dealing with security issues in software.
  And I think they aren't. So there.
  [ link to this | view in chronology ]
Clueby4, 29 Oct 2008 @ 12:00pm

Unwritten Delusions.
Unwritten rules?! For software?! Today's modern age snake oil!? No such expectation should be present.

I can see the benefits of giving the software companies a heads up, however those companies with bad track records, which Google proud member of, should not be afforded any such courtesy.

I'm not sure I find the selling of the exploits to third parties very palatable, but with the absence of merchantability that the software market throughly enjoys there's not much one can do about that other then frown :P
[ link to this | view in chronology ]
- What ARE you talking about, 29 Oct 2008 @ 5:37pm
  
  Re: Unwritten Delusions.
  How exactly is google a proud member of "those companies with bad track records"?
  From all I know, the last company on that list should be google.
  [ link to this | view in chronology ]
  - Anonymous Coward, 2 Nov 2008 @ 4:10am
    
    Re: Re: Unwritten Delusions.
    From all I know, the last company on that list should be google.
    Perhaps you should read the article at the top of this page.
    [ link to this | view in chronology ]
Paulie, 9 Dec 2009 @ 6:54am

This is pretty out of character for Google..or at least the way I perceive Google. A quick question: why did they release their source code for Android? Was it for developers? Anyway, it seems that, as mentioned, Google should be glad that this was pointed out publicly because now less people will be clamoring for some security software on their phones, because Google will fix this problem...right Google?
[ link to this | view in chronology ]