1. 13

  2. 5

    I always think of the security of software that massive companies are using as more of a labor problem. It’s in their nature to keep billions in profit. They’ll spare only a slice. Can they spare enough of a slice to hire the developers to fix Linux? And, since it’s Google, Android as well?

    Three figures helped me understand this a while back:

    1. The cost of Solaris 10. It was a rewrite project to modernize a commercial UNIX. Fans of the open-source projects derived from it say it paid off. This gives an idea of what their own high-quality, more-secure, clean-slate option might cost.

    2. The cost, in size and/or funding, of groups such as PaX Team, OK Labs, and GrapheneOS. Add in academic teams who did things like add memory safety to the FreeBSD kernel or Linux apps. Maybe ExpressOS. These give an idea of how much it might cost to make one or more dramatic improvements to Linux, Android, etc.

    3. Google makes billions in revenue on Android. Others making massive fortunes on Linux or Linux-based tech include IBM, Amazon, and defense contractors.

    Yeah, they could do it by themselves if they wanted. That confirms the damage is an externality to them. They’ll put in some kind of effort, leave most of the job undone, and do that even when the cost is almost nothing to them.

    1. 3

      You need to think about opportunity cost. $1 invested in security is $1 not invested in something else. The security investment is competing with things that customers are demanding. How many people will buy an Android phone instead of an iOS phone if Android ships with security feature X? How does this compare with the number of people that will buy an Android phone instead of an iOS phone if Android supports 200 new emoji? Even a big company like Google has a finite number of engineers and needs to prioritise their work. New features sell products, security improvements don’t (outside of a few markets).

      This would probably change a lot if regulation increased liability for vulnerabilities, but it’s not clear how that would work with open source projects. Some random person accidentally introduces a vulnerability into Linux, Google packages it up in AOSP, Samsung ships a phone with Samsung’s Android version built on top of AOSP, who should be liable if an end-user’s phone is compromised?

      1. 1

        The opportunity cost-based accounting only works if there is no liability for shipping shitty/insecure software. If only we could put an end to that…

        1. 1

          “You need to think about opportunity cost. $1 invested in security is $1 not invested in something else.”

          It’s true that businesses consider this. It might even be what Google was doing. You’ll know that if Google is, like Amazon, steadily building things that might become products, keeping an eye out for what customers love, and turning those into long-term, supported products with revenue. Instead, we see a trend at Google where they consistently create excellent tech with lots of users, sometimes taking over a niche, before canceling that tech. It’s like they don’t even try to make their investment pay off in any way. Looking at their cloud vs Amazon’s, it’s clear Amazon’s customer focus is what’s causing them to pound away at Google. What we see can’t possibly be Google being clever about what customers want.

          On the security side, we see a demand for security. Google pushed Chrome on both performance and security via Native Client. They promote projects like BeyondTrust and Titan. Back on the demand side, we see damaging stories in the media comparing malware rates on iOS vs Android. It’s a differentiator for iOS you’d think they’d want to eliminate. Further, there’s always been a demand for a private, at least enterprise and government, variant of Android. There’s a hard-to-estimate niche for people that pay to turn off ads. That means it’s a wise move for these companies to make a more secure version with all tracking and ads turned off, priced at whatever tracking/ads bring plus some profit. Privacy-conscious customers often pay a premium for it. So, they could increase the profit margin on that. It’s telling that they haven’t even tried despite both FOSS projects and small businesses showing how low cost it would be for Google to set that up.

          Saying they’re handling priorities really well is too charitable after all their missed opportunities, canceled products, and wasteful projects. Best explanation is a combination of (a) they don’t care about security for many reasons (including harder-to-sell ROI) and (b) marketing ineptitude.

          “This would probably change a lot if regulation increased liability for vulnerabilities”

          I agree. I go further, wanting both regulation and liability. I’ve promoted regulation since the TCSEC and DO-178B proved corporations will respond to it. Whole ecosystems, from reusable components to tools for building them, emerged from both sets of regulations. That makes regulations the only thing that’s proven to work. From there, I just looked to how to do it better: goal-based vs prescriptive, lower costs, more automation, etc.

          Liability is a different issue. We’ve seen the class actions in other industries achieve risk reduction. From there, it becomes some kind of game of what profitable evil they might get away with, what the lawsuits will cost, and if one is higher than the other. We need to make sure whatever they’re getting hit for is actionable. We also need to set the fines or damages at many times higher than whatever preventing them cost. Then, if that’s consistently enforced, those doing it will clearly have just acted unreasonably under a reasonable, professional standard.

          So, a mix of regulation and liability.

        2. 2

          They probably would rather put their efforts into Fuchsia. The Linux kernel is a bit of a commodity these days, with every tech company maintaining some level of contribution and aptitude for it. The result is less control for any individual company, which we love, but they can’t stand (see browser wars).

          1. 2

            That’s a good theory. Lots of them like control and GPL elimination. It seems like it’s why router vendors go proprietary when better stuff is available under BSD. Let’s not forget long-term, lock-in opportunities. Google seems to be in that camp looking at how the Google Apps/Play agreements with Android manufacturers work.