I typically do not like Google and a lot of ways the company acts and performs.
However, recently I moved into sysadmin-type work, partly doing work for state governments. Cybersecurity is really bad everywhere, and it’s scary, and it’s frustrating how abstract and very theoretical all the risk is, as it makes it hard (justifiably) to take seriously.
Anyway, Google’s reputation with security is (fingers crossed) nothing short of “almost bulletproof”, and I’d love to see more IoT devices from them. With the recent rollout of Nest Security System, we’ve actually been advising lots of small businesses to combine this system, along with Nest cameras + fire alarms as a solution to actual physical security and fulfilling compliance alarms. Since Nest also does cellular backup in case of internet outage, we just hook everything up to an APC and the whole system can run for 10+ hours without power or internet.
Also also, Android security sucks. Not Google’s fault, but thank god they moved to making their own phones. Maybe that will encourage better behaviors from other manufacturers.
Android security is Google's fault. Any kidding yourself that might occur through believing that OEMs deserve any blame for an update mechanism (or lack thereof) in a system designed by Google is pretty easily discredited, especially when you consider it took Google five months to patch KRACK in the Pixel 2, when third party ROM authors did it in two days.
Also, Google's "reputation with security" needs some serious nuance: They are very good at preventing types of exploits they care about, but they are a literal joke when it comes to security that interfaces with submitted content and user choice. Consider that the Chrome Web Store is a literal cesspool of malware, and that a lot of websites blatantly try to force you to install extensions through the Chrome Web Store which steal your browsing data. Since extensions are permitted to request such a huge security hole, Google doesn't consider it their problem that extensions do it maliciously.
Because Google doesn't consider something they gave permission to do malicious things to be an exploit or vulnerability, Google can simultaneously claim that Chrome is the most secure browser, and it be literally the easiest browser to get malware with.
I can definitely agree with you that state level government security has a long way to go and is a pretty scary place. But Google can't fix it, because the biggest problem in government security is still humans, a security layer that Google has repeatedly demonstrated no understanding of.
Thanks for your reply, and that sucks to hear about Google.
My positive perception mainly comes from this super paranoid dude, Michael Bazzell: https://inteltechniques.com/experience.html. He both hates Google for their data collection and also respects it for their security practices.
Ugh, I also hate to hear they’re doing the “we’re secure but who knows about our 3rd parties” practice. State IT does this as well. As long as you sign some contract with them that promises them you do NSA-style security, they’ll buy anything from you. Of course, what 5-man IT shop wouldn’t sign a $20,000,000 IT contract when, worst case, they get a bad audit and have to spend 50k really quickly to get up to SOC II?
You can literally find a list of State IT contractors for most govs, and just go through them finding all the fly-by-night shops. That being said, the big vendors aren’t that much better either...
I am floored when I tell some vendor they can't do something because it isn't secure, and they look at me like nobody's ever told them that before. My general impression is "I can't seriously be the first person who's ever said this, can I?"
The thing people need to remember is that the CIA Director's AOL email account got hacked. In 2015. We are so far as a society from where we should be.
>Android security is Google's fault. Any kidding yourself that might occur through believing that OEMs deserve any blame for an update mechanism (or lack thereof) in a system designed by Google is pretty easily discredited
It would seem you still don't understand how Android is built. Google cannot update the phones made by other OEMs. OEMs download the Android source code, add their modifications and create their own forked version of Android. This is like asking Debian to update Red Hat's Linux distribution. Blaming Google for the OEMs' inability to update their own phones is disingenuous, but it does support your prime directive of disparaging Google at every opportunity you get.
>especially when you consider it took Google five months to patch KRACK in the Pixel 2, when third party ROM authors did it in two days.
Those patches were provided by Google, incidentally. Additionally, Google patched KRACK in December 2017 on the Pixel phones. So where exactly did you get this 5 months?
>Also, Google's "reputation with security" needs some serious nuance: They are very good at preventing types of exploits they care about, but they are a literal joke when it comes to security that interfaces with submitted content and user choice. Consider that the Chrome Web Store is a literal cesspool of malware, and that a lot of websites blatantly try to force you to install extensions through the Chrome Web Store which steal your browsing data. Since extensions are permitted to request such a huge security hole, Google doesn't consider it their problem that extensions do it maliciously.
Could you point me to the malware on the Chrome Web Store? Since you claim it's a "literal cesspool of malware" it shouldn't be that difficult for you to point to those extensions. I look forward to those links.
I've learned not to try to argue with you, but yes. Google patched the Pixel 2 in December. The problem is... They were notified about KRACK in July. And Lineage had it fixed in... October, shortly after it went public.
> They just don't care about updates, otherwise they would remove certification access to any OEM not providing updates.
I think they care, but they can't do something about it, because OEMs dislike updates.
Updates do not sell new phones.
Google on the other hand actually has it easier if all their devices are up to date. They do not need to maintain old code/branches whatever.
It's still Google's fault that they never had something in place to enforce it.
They basically wanted to have anybody on board the OHA, so they needed to make tradeoffs in their contracts.
>Proving once again that Google Chrome extensions are the Achilles heel of what's arguably the Internet's most secure browser, a researcher has documented a malicious add-on that tricks users into installing it and then, he said, is nearly impossible for most to manually uninstall. It was available for download on Google servers until Wednesday, 19 days after it was privately reported to Google security officials, a researcher said.
>Researchers have uncovered four malicious extensions with more than 500,000 combined downloads from the Google Chrome Web Store, a finding that highlights a key weakness in what's widely considered to be the Internet's most secure browser. Google has since removed the extensions.
Google designed the Android update model, so is responsible for its consequences. They designed a different model for ChromeOS and it has worked much better.
I just wanted to throw this out for folks: Nest Secure does not appear to support fire monitoring via the Protect with a monitoring service.
The Nest Protect Smoke & CO sensor does not qualify as a 24 hour monitored fire protection device. This is due to the requirement from Nest that the user must first verify that the Nest Protect fire alarm signal is or could be real before the monitoring service will receive the fire alarm signal and dispatch the fire department.
--
This was a deal breaker for me using the Nest ecosystem for home security -and- fire protection. Other systems don't suffer from this. It's too bad, as I like the tech, but it's not bulletproof yet.