I shared this elsewhere but I could have expressed the initial problem a little more clearly, which actually was "enter my home without unlocking my phone, which causes my phone to die in the cold."
Unlocking the screen caused the battery to drop immediately - it still had network connectivity prior to that.
I think the initial problem was clearly-enough stated, and the GP's point is valid - why bother accounting for the case where your phone is so close to dying that you can't unlock the screen, when just a bit less battery life would mean that your phone dies regardless (and you're stuck outside anyways)?
The battery level isn't actually close to dying, in my case it just rapidly depletes from up to 40% when it's very cold. But that 40% remains intact seemingly with the screen off. Could be my phone also, but it has happened often enough that I wanted to solve it and thought this was an interesting approach.
For me, this was just a matter of convenience and not optimizing for most resilient or reliable solution. I do have backup plans for home entry.
Batteries are generally less able to source current when very cold. At low temperatures, the battery was sufficient to power your phone in a low-draw state (minimal network activity, no screen, low power CPU state), but the voltage dropped when current draw increased.
I experienced this. I ran to work at -10F. When I arrived, I took out my phone to take a photo of my ice beard and it almost immediately died.
The author may have added this in after publishing:
> Many people have asked, could viruses also use the Ψ technique to beat our immune systems? In short, this is extremely unlikely. Life simply does not have the machinery to build 1-methyl-3’-pseudouridylyl nucleotides. Viruses rely on the machinery of life to reproduce themselves, and this facility is simply not there. The mRNA vaccines quickly degrade in the human body, and there is no possibility of the Ψ-modified RNA replicating with the Ψ still in there.
Context and purpose of the bash script in question is important here. In the example, the author is writing a simple bootstrap script for a dev machine. A number of the critiques here, while valid, are aimed at different use-cases.
When some medical contractor misconfigures an AWS bucket and exposes 15,000 medical records we all lose our minds. It doesn't matter if the first bloke to find it was the researcher who disclosed it... We still go nuts. We make fun of the companies who come back and say "There was no evidence that the data was accessed by unauthorized parties." We know full well there's no evidence that the data WASN'T accessed by unauthorized parties.
Please stop pretending this isn't a big deal just because of a hard-on for Google. If you'll put a 10 man company out of business for their complacency and ignorance you should be lining up at Google HQ with pitchforks over this. They're supposed to be above this. They are hailed as a gold standard.
So what do you say about the idea that it creates a disincentive to find security issues, because you'll be hit for them one way or the other?
Also, I fundamentally disagree with your example. If they did an adequate investigation, using a 3rd party service, and found no evidence of my data being accessed by a 3rd party, and then fixed it- I'd say, "Good job checking up on yourselves" and move on.
Security is still incredibly hard to get right. I'm willing to bet your service has security holes in it, right now- and that's not a hit against you. We haven't mastered these systems and anyone who thinks they have is just waiting to get bit in the ass. Every security professional knows: It's never, ever, a question of "if", but of "when".
> We just prioritize rapid development time and ease of use over security.
> If we wanted computers to cost $x0,000 and OSes to cost $x,000, and the pace of progress to be glacial, we could have completely secure systems today.
> It's a choice, not an impossibility.
Progress in core OSes and conventional hardware has already slowed down to a glacial pace, compared with previous decades. Rapid development is often used to just create a churn of useless sidegrades and other poorly thought out things (deceptively sold as upgrades).
It might be time to make that different set of choices.
>If we wanted computers to cost $x0,000 and OSes to cost $x,000
That's an interesting theory that's not supported by historical evidence as far as I can tell. When computers were expensive, there were just fewer people with access. The systems were not any more secure.
I think ethbro is saying that focusing on absolutely secure systems would drive up costs, not that if we make them more expensive we'll somehow get more security just because they're more expensive.
They weren't suggesting we need more secure OSes specifically, that was just an example.
A better example is maybe instead of Google spending $xxx,000 to develop the system that was found insecure they should have spent $x,000,000 so they had more resources devoted to the security aspects.
Perhaps this is too high for this system to exist; well maybe that system just shouldn't exist if it can't be secured properly with the budget for it.
It is an impossibility in all practical senses. This is the entire premise of Chromium: knowing that there will always be bugs, but designing the system so they are unlikely to be able to do bad things.
There are two points there:
acknowledging that it's impossible to have zero bugs ... and ... acknowledging that there will be exploits.
Sure, you can do better than average, but "completely secure" is a myth.
> So what do you say about the idea that it creates a disincentive to find security issues...
If a company is disincentivized to look for security holes because it's highly likely it will find them, that company is on the fast track to failing.
> If they did an adequate investigation, using a 3rd party service, and found no evidence of my data being accessed by a 3rd party
They found no evidence of data being accessed, but they also don't share how this particular system tracks data that is accessed. This system was vulnerable for 2-3 years. What if you left your car at my house and you found a dent on it, but I claim that I didn't have any security footage of someone damaging your car without mentioning that I don't actually have security cameras.
> I'm willing to bet your service has security holes in it...
You're right, and if I find that my NTP service is exploitable and anyone can DDoS me, I'll fix it and move on. There's no need to disclose that I'm an idiot when it doesn't affect other people. But when I accidentally leave my servers misconfigured and my API unprotected against unauthorized access, I would make a post about it. We're not talking about an arbitrary vulnerability that lets people echo hello on a Google server. They left data exposed. I would like to know if it involves me.
> If a company is disincentivized to look for security holes because it's highly likely it will find them; that company is on the fast-track to failing.
I don't see any evidence to back up this assertion. FWIW I don't believe this is true.
>So what do you say about the idea that it creates a disincentive to find security issues, because you'll be hit for them one way or the other?
But is that really what would happen? Vulnerabilities are frequently found and publicly reported. The reaction depends on the type of vulnerability (how stupid it sounds) and on whether or not the vulnerability resulted in a breach. You don't get hit equally hard for all security issues.
I think both users and developers have to be mature enough to deal with this sort of thing without resorting to secrecy. Secrecy creates distrust as the reaction to this particular Google+ issue shows.
> So what do you say about the idea that it creates a disincentive to find security issues, because you'll be hit for them one way or the other?
With big enough repercussions it should incentivize processes that don't allow it to happen in the first place. This is how HIPAA and various other things work already, and it does a decent job (not perfect though).
I'd also say that we need to decide if mistakes are forgivable and whether or not that's based on impact.
Perhaps for a small data leak it's forgivable, and we won't hit them with a huge fine or whatever. If it's a big leak then maybe we need to jail people.
It's a bit of a strawman to say everything has security holes because it's assuming the problem is unfixable from the start.
It's a bit like launching a person into space. "We know that probability we'll be sending people to their death is high, let's not bother then." We decided to do it anyway but we set extremely high bars for safety.
Imagine you've been driving across the same bridge every day for 3 years, only to discover it had an inevitably catastrophic structural flaw, only revealed when someone bothered to look, but the engineers, contractors, and government didn't want to talk about it.
I now think I replied to the wrong post. This thread is more confusing than most. We're all talking past each other. We (this group) likely agrees more than we disagree.
The difference here is that Google found this problem itself, and evaluated with high confidence that it was likely unknown to anyone outside that audit.
That means that Google was proactively checking its work to make sure it was secure, unlike your example where nobody was likely ever going to notice that bucket was misconfigured.
They’re the gold standard because they find and clean up their own shit, even when nobody is pressing them to do it.
Do we? "Some user data exposed on AWS due to crappy S3 permissions" happens like forty times a year. People publish papers annually just finding stupid crap like this in mobile apps. Misconfiguration bugs happen in thousands upon thousands of products. Where do we lose our minds?
There is a qualitative difference between an internally discovered vulnerability - presumably by somebody with lots of access, knowledge, and the ability to verify their hypotheses - and an externally discovered vulnerability.
Furthermore, if every potential vulnerability that might have been exploited needs to be reported as a breach... then each and every bug in any library and other dependency you use likely needs a breach report too - after all, you typically cannot verify retrospectively whether that exploit wasn't independently discovered and abused before the fix.
I'm not even positive such a reporting requirement would really be a bad idea, but it would definitely need some more mature reporting and population education to tell the two classes of issue apart, especially since it's pretty vague where you draw the line on what needs publication once you get that far.
I think there is a difference between a vulnerability in an internal system, and blatantly exposing data to the public requiring little technical acumen to obtain.
You say that as if being harangued is the worst thing that could happen to a company.
Plus, were this the case, the CVE list would have stunted vulnerability exploration across the board. Have you seen the list of vulnerabilities discovered in curl?
I thought I was going to agree with you and then it all went sideways. You are right that some people "lose [their] minds" over the AWS scenario. I think the person that you are responding to is making the point that they shouldn't in that case either.
It isn't that it is Google that makes the difference, but the extent of the damage.
>We know full well there's no evidence that the data WASN'T accessed by unauthorized parties.
Really? If Google has access logging on its content, and as in your example an AWS bucket can be configured for access logging then it would be fairly straightforward to identify if the data was accessed.
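As an added illustration of the point made in the comment above (not code from any commenter), here is what "fairly straightforward" looks like against Amazon S3 server access logs. The record layout is Amazon's documented one (bucket owner, bucket, bracketed time, remote IP, requester, request ID, operation, key, quoted request line, HTTP status, ...); S3 writes `-` as the requester for anonymous, unsigned requests, so a successful anonymous `REST.GET.OBJECT` is exactly the evidence that a mis-permissioned bucket was read. The bucket name, owner ID, request IDs and log lines are constructed for this example; only records the regex recognises are counted, and the count of unrecognised lines is returned so an incomplete answer is reported as incomplete.

```python
import re

# Leading fixed fields of an S3 server access log record. Trailing fields
# (bytes, turnaround time, user agent, TLS version, ...) are not needed here.
S3_RECORD_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+)'
)


def parse_record(line):
    """Return the named fields of one record, or None if the line is malformed."""
    m = S3_RECORD_RE.match(line)
    return m.groupdict() if m else None


def find_unexpected_object_reads(log_lines, allowed_requesters):
    """Successful object downloads by any principal not in allowed_requesters.

    Returns (hits, unparsed_count). A non-zero unparsed_count means part of the
    log could not be classified, and the finding should be stated that way
    rather than as "no evidence of access".
    """
    hits, unparsed = [], 0
    for line in log_lines:
        rec = parse_record(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["operation"] != "REST.GET.OBJECT" or rec["status"] != "200":
            continue  # denied reads (403) and listings are not data exposure
        if rec["requester"] not in allowed_requesters:
            hits.append((rec["time"], rec["requester"], rec["ip"], rec["key"]))
    return hits, unparsed


# Constructed sample log: an owner read, an anonymous read that succeeded,
# an anonymous read denied after the fix, and an anonymous bucket listing.
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eecf8c7cc1d4d7e2a9b3a5"
SAMPLE_LOG = [
    f'{OWNER} example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 {OWNER} 3E57427F3EXAMPLE '
    f'REST.GET.OBJECT records/2018-q4.csv "GET /records/2018-q4.csv HTTP/1.1" 200 - 11234 11234 7 6 '
    f'"-" "aws-cli/1.16" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.2',
    f'{OWNER} example-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - 8A32F1C0EXAMPLE '
    f'REST.GET.OBJECT records/2018-q4.csv "GET /records/2018-q4.csv HTTP/1.1" 200 - 11234 11234 12 11 '
    f'"-" "curl/7.64.0" - - - - - example-bucket.s3.amazonaws.com TLSv1.2',
    f'{OWNER} example-bucket [07/Feb/2019:09:15:44 +0000] 198.51.100.7 - 1C77D2B9EXAMPLE '
    f'REST.GET.OBJECT records/2018-q4.csv "GET /records/2018-q4.csv HTTP/1.1" 403 AccessDenied 243 - 4 - '
    f'"-" "curl/7.64.0" - - - - - example-bucket.s3.amazonaws.com TLSv1.2',
    f'{OWNER} example-bucket [06/Feb/2019:00:01:00 +0000] 198.51.100.7 - 5B9E0A11EXAMPLE '
    f'REST.GET.BUCKET - "GET /example-bucket/ HTTP/1.1" 200 - 2048 - 9 8 '
    f'"-" "curl/7.64.0" - - - - - example-bucket.s3.amazonaws.com TLSv1.2',
]

if __name__ == "__main__":
    hits, unparsed = find_unexpected_object_reads(SAMPLE_LOG, {OWNER})
    for when, who, ip, key in hits:
        print(f"{when}: {key} read by requester {who!r} from {ip}")
    print(f"unparsed records: {unparsed}")
```

The caveat that matters for the thread: this only answers the question for the period the logs actually cover. If logging was never enabled, or retention is shorter than the exposure window, the query returns nothing for the missing interval and that is absence of evidence, not evidence of absence.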
Google does not have (or claims not to have) that kind of logging beyond the short term; not enough to cover even a small fraction of the vulnerability period.
You don't need to resort to crude sexual language or imply parent commenter's opinion isn't in good faith, rather than out of some blind corporate allegiance.
I'm not nit-picking, but your mention of "gold standard" got me thinking. What is Google the gold standard of? They have the top search product which is built on possibly gold standard software, server and networking technologies, but beyond that, are they considered the top standard in anything else? Maybe privacy and security should be important to their business models over the long term, but I'm not sure there is a unified coherent thought in the company's mind that better privacy and security help them make money with search, which is their chief priority. In other words, they can make heaps and piles of money every day with bad privacy and security, and I don't think they were ever considered a gold standard for either of those.
It would be hard to make a case that they're not one of the 3 best defensive security teams in the world, and that very much includes every world government. You could go back and forth about whether they're #1 or #2 or in 2- or 3-way tie.
According to the announcement, Google can only say that no one abused the vulnerability in the two weeks prior to discovery.
> We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.
But..."no evidence of abuse" can mean a lot of things.
The original WSJ article shared this version of "no evidence of abuse", and it's not very reassuring.
"Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said. The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time."
It's also not clear that the activity logs would even have the context to distinguish normal access from unauthorized access.
It would probably be useful to explore the distinction between how vulnerabilities are handled in Open Source software, where disclosure is commonplace, versus non-source-available proprietary software, where the opposite is true.
We need disclosure in Open Source because if attention is not drawn to the vuln downstream users won't upgrade, but highly motivated attackers will have what they need. With non-source-available software, there are fewer opportunities for attackers to learn of any vulns.
'No evidence of abuse' is not acceptable grounds for treating it as if there were no abuse. Personally, I consider all three points as being irrelevant.
OK. What do you find to be acceptable grounds for treating a situation as if there were no abuse?
Bear in mind that proving no abuse is impossible, as it's always possible that the hypothetical abuser got one step further than your investigation and covered their tracks.
When such a vulnerability is discovered the right thing to do is to inform the users of its possible severity and the duration during which it was available.
If that ever becomes standard, every actually relevant notification would be lost in the noise. Multiple local privilege escalation vulnerabilities are discovered yearly in both Linux and Windows (along with many other OSes and userland applications). Do you really want every single company to release notifications that roughly every single one of their systems was vulnerable from the day it was created until date X each time that happens? After all, there is no way to prove no one abused that before their systems were patched (including the period between system creation and the vulnerability being publicly released).
It is much more likely in my opinion that people would become desensitized to data breaches and stop taking any of them seriously. Equifax or Cambridge Analytica would have been just another in a deluge of notifications.
Are you familiar with California's Proposition 65? It was based on the same concept - never not inform. Some might opine that the consequences might have failed to meet hopes.
Canada is going to require disclosure of breaches starting November 1. That may allow for companies to still fail to disclose the _possibility_ of breaches, however.
Long story short, California requires labeling of things that may contain chemicals hazardous for a variety of reasons. The idea was simple - never not inform. The intentions were pure.
The result is that basically everything has a vague and uninformative label about how it may contain chemicals that could be hazardous. The labels are spectacularly uninformative and incredibly numerous. They are universally ignored by everyone, as they constitute a sea of noise.
The net result is that a wonderful, laudable, pure, kind, and compassionate idea - never not inform - has led to a deluge of useless informational notices in which actual useful notices are impossible to find.
It might be worth considering that there could be a lesson in there.
Labeling is slightly different than simply informing, in that it is a specific method of informing. It would be like requiring Google to display information regarding this security issue on all of its pages.
Warning labels have dubious efficacy, as evidenced by decades of grotesque warnings upon cigarette packaging and their limited success at reducing consumption; but that's not to say we ought not be able to know about the potential harms of a product or service, just that product labels sort of suck as a method of informing users.
OTOH, Canada requires nutritional information on all food, and that's reasonably useful and successful _because_ the content of that label is strictly defined and reasonably useful.
The core idea you have is amazing! Tell people, be sure they know their risks, communicate them clearly, and then they're empowered to make their own choices. It's a wonderful idea that both protects people and respects their autonomy.
Nutritional information is relatively easy to provide in thoroughly exhaustive detail. How does one go about informing about data events that may or may not have occurred, and may or may not occur in the future, in a way that's comprehensible to users who must be assumed to have absolutely no technical grounding whatsoever?
The most useful informative warning I think that could be reasonably provided runs like this: "Please be aware that any data you provide this service, and any data this service gathers, could previously, presently, or in the future be the subject of a data breach that may or may not be detected."
While the warning could of course be improved by being made more specific about what data is concerned, this does not seem like a good way to produce useful and informative warnings. Instead, it seems to me that attempting to pursue that most wonderful of ideals - never fail to inform - could easily produce a sea of overcautious attempts to ensure a user is never not informed, and instead over-informed into oblivion.
While such labels might potentially be successful in scaring users into using services less, this might not be the same as informing users.
I do hope I've communicated clearly here. Please let me know if anything could have been better-written. More importantly, I've clearly failed to understand some of your wise and well-made points. Can you help me with what I've missed?
As a non-technical user, if it were to be simplified like Nutritional Information, I would expect broad categories of risk that receive either a check or no check for the possibility of exposure. I.e.:
X Authentication
X Financial
X Communications
X Property
Or such, so I can be aware at-a-glance that my user name, password, credit card information, private messages, or personal documents may have been compromised. I wouldn't be over-informed into oblivion, or at least not as likely to be, if the information available were suitably informative-yet-terse. Like a nutrition label.
However, that's just my pie-in-the-sky desire!
Pragmatically, as a technical person, I'd personally be happy with regular release notes of product revisions, including SaaS products, and which are paired with a technical-oriented blog that details the notes in further clarity for the technically adept. The role of journalists can step in here, and appropriately severe information will spread much as it does now.
The upshot is that technical folks like us may learn a thing or two via such open communication. If everyone did it then there would be less fear to do it and there would be more information available about common risks and their mitigations.
So then all security audits just become you paying someone large amounts of money to get really bad press for yourself. Regardless of whether you've actually lost customer information or not.
At which point why not just stop being proactive?
Hardline stances sell great on forums, that doesn't make them right.
> At which point why not just stop being proactive?
The attitude that absence of evidence should be treated as if it didn't happen leads to exactly that conclusion - that it's better to not be able to tell what's happening.
Does your place of business inform for every closed xss bug? Sqli? Every buffer overrun? Directory traversal? The bar for "bug that could potentially lead to access to user data" is so low that I'd say that any business that isn't finding hundreds of these bugs a year isn't doing a serious job on security.
There's a scale from "there's no evidence of abuse and if there had been abuse we're certain we would have seen evidence" to "there's no evidence of abuse but there's no reason to suppose if there had been abuse we'd see any evidence".
Companies tend not to be terribly good at articulating where we are on that sort of scale.
You're absolutely right! There very much is such a scale.
Even the companies who are the very best at communications will tend to struggle to communicate clearly when filtered through a press that has strong incentives to construe everything as a data breach. Lay people reading either of your statements will tend to stop at "there's no evidence" and go "What do you mean, 'no evidence'!? I want certainty!". Witness how readily and widely this whole G+ event has been misreported as MASSIVE DATA BREACH.
While you're completely correct, perhaps there's room for subtlety here.
So if you were to write software or publish it, or deploy it, or even merely use it as part of your process to provide some other service to users, do you think it's reasonable to report each and every vulnerability?
Keep in mind that effectively means you'd need to report a potential breach every Patch Tuesday if you're running on Windows, and similarly frequently for most Linux distros. Oh, and you'd need to report all vulnerabilities in any dependencies of any software you build on, such as web frameworks, libraries, other apps... everything. Oh, and SVN had a SHA-1 collision vulnerability, so any software that ever used SVN, and anything that depended on it, might need to report a breach. With Meltdown and Spectre... OK, we've basically arrived at the point that if your business was somehow in nebulous proximity to a computing device it may well have posed the risk of a breach. Where does it stop?
I mean - I'd love to live in a world where that were a realistic strategy, but in the I WANT MOAR DEPENDENCIES world we live in, which is just waking up to dealing with security issues, I'm not sure this is realistic, nor helpful.
So it's a shame that the best we have is the absence of evidence - but for all my frustration about the cavalier risks google took here, I do actually believe that's pretty plausible evidence of actual absence. After all, if this had been discovered and meaningfully exploited, I really doubt the exploiter would have stopped.
Reporting this kind of stuff as a breach is basically FUD. Essentially: you're distracting from real security issues, of which there are legion. No need to get all hypothetical about it - yet. Google made a shameful bug, but this isn't a breach, not by any useful definition of breach.
I wonder if “Strategic Lack of Log Retention” would make a good conference topic.
The problem with what Google is doing is that they are insinuating that a lack of evidence is evidence of lack. This is not unlike when companies like Equifax claim “we have no evidence...”
We should not be rewarding companies for strategically avoiding culpability.
I feel like lack of logs can increase apparent culpability (as this scenario shows). It seems a little silly they don't store anything after two weeks, but it was explained to me elsewhere that a lot of the reason was that those logs can contain user data, and they can't lose it or turn it over to the feds if it doesn't exist.
It can, however it also makes it harder to really pin them on anything. I think that's a net win.
I understand the position that excessive log retention can itself create a high-risk metadata pool, but there are ways to mitigate that by tokenizing them or removing PII data without having zero usage information.
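The comment above says that logs can be tokenized or stripped of PII without losing all usage information. As an added example (not code from the commenter or from Google), here is one way to do that for an API access record: the user identifier is replaced with a keyed HMAC-SHA256 token, direct identifiers are dropped, the timestamp is truncated to the hour, and the retained records still answer the question "which users did each third-party app touch". The record layout, field names, app IDs and the key are constructed for the example; in practice the key lives in a KMS, and destroying it later turns the retained pseudonymous logs into anonymous ones without deleting them.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Fields treated as direct identifiers and never retained (assumed layout).
PII_FIELDS = {"user_id", "user_email", "client_ip"}


def pseudonymize(record, key):
    """Return a retention-safe copy of one access record.

    The same user always maps to the same token under the same key, so abuse
    patterns (one app enumerating thousands of users) remain visible, but the
    logs alone cannot be turned back into a list of people.
    """
    token = hmac.new(key, record["user_id"].encode(), hashlib.sha256).hexdigest()[:32]
    ts = datetime.fromisoformat(record["timestamp"]).astimezone(timezone.utc)
    ts = ts.replace(minute=0, second=0, microsecond=0)  # hour granularity only
    kept = {k: v for k, v in record.items() if k not in PII_FIELDS}
    kept["user_token"] = token
    kept["timestamp"] = ts.isoformat()
    return kept


def per_app_profile(retained):
    """Distinct users each app touched; the figure the thread says was unavailable."""
    users_by_app = {}
    for rec in retained:
        users_by_app.setdefault(rec["app_id"], set()).add(rec["user_token"])
    return {app: len(users) for app, users in users_by_app.items()}


# Constructed sample records, as an API front end might emit them.
KEY = b"example-only-key-hold-this-in-a-kms"
RAW_RECORDS = [
    {"timestamp": "2018-03-01T10:15:00+00:00", "app_id": "app-17", "user_id": "u-100",
     "user_email": "alice@example.com", "client_ip": "203.0.113.5",
     "endpoint": "/people/get", "status": 200},
    {"timestamp": "2018-03-01T10:42:10+00:00", "app_id": "app-17", "user_id": "u-101",
     "user_email": "bob@example.com", "client_ip": "203.0.113.5",
     "endpoint": "/people/get", "status": 200},
    {"timestamp": "2018-03-01T11:03:55+00:00", "app_id": "app-402", "user_id": "u-100",
     "user_email": "alice@example.com", "client_ip": "198.51.100.9",
     "endpoint": "/people/list", "status": 200},
    {"timestamp": "2018-03-02T08:00:01+00:00", "app_id": "app-17", "user_id": "u-100",
     "user_email": "alice@example.com", "client_ip": "203.0.113.5",
     "endpoint": "/people/get", "status": 200},
]

if __name__ == "__main__":
    retained = [pseudonymize(r, KEY) for r in RAW_RECORDS]
    for rec in retained:
        print(rec)
    print(per_app_profile(retained))
```

The trade-off is explicit: with hour-level timestamps and no IPs you cannot reconstruct a single session, but you can still say, years later, how many distinct accounts a given app read and whether that volume looks like normal use or enumeration. That is the gap between "we kept no logs" and "we kept logs that were safe to keep".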
Google deleted most of the logs that could have contained any evidence. Would you feel the same way if Google employees manually deleted the logs after discovering the breach?
Yes, I don't want them to delete records of third-party access to my account unless I explicitly ask them to. Even if I didn't want that, there are a lot of options in the space between deleting after two weeks and storing them forever.
400 third-party apps had access to this info. It's not that "Google knows that there wasn't any abuse" but that "Google doesn't know whether there was any abuse, because it didn't have the proper systems in place to check for that anyway."
It's kind of like you saw no crime happening because you didn't look. But that says nothing about whether or not the crime actually happened.
Let's just assume there wasn't any abuse. Say a bug compromised my bank account, but no money was stolen (someone may have looked at my balance and decided I was too poor to be robbed). Do I expect to be made aware? Yes, of course, and I feel data privacy deserves the same level of diligence because this is still a breach of trust. So ethically, they could and should have at least made a statement and apologized.
We should not equate "no evidence of abuse" to "evidence of zero abuse", that type of plausible deniability is not going to push improvement in protecting user privacy. Especially in this case, no evidence was really a lack of evidence (probably worse), because logs were only kept for a short period of time.
In the legal sense, or based on "industry practice", they might not be _required_ to disclose to the public. But can they, and should they? Because we have all witnessed Google go above and beyond, and do amazing things over the years. I'm a Google fan, and I'm very disappointed by how this was handled.
Appreciate the feedback! My point on the price concern was that the app was not developed solely for my county, it was resold to multiple customers - at least 2,000 according to the link I posted in another comment.
I'm not sure what other customers were charged for the app, but if they were all $70K (as my County was), then that's a hefty rake.
"New 911 communication system in New Castle County integrates a panic button, live camera feeds and an automatic 911 call through a free smartphone app."
What was included in the 70k? Typically the govt agency I work for bundles things like support for 5 years, professional services, data migration, maybe even hosting into the "purchase" price because capital is easier to get than operating budget.
The article says $70k of development costs were funded and that the app itself is free.
That doesn't seem like enough funding for a secure app with proper testing, and a free app is a terrible idea if they want software that is maintained and supported.