Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw
An anonymous reader writes: Last month, Google took the bold step of releasing the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in the works which was set to be released two days after Google went live with the details. Microsoft accuses Google of refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of the Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.
Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.
Or if you do, divert attention by saying Microsoft did it first
I'm still on 2.3. I wouldn't get any update whatsoever.
The phone manufacturer couldn't care less if they tried.
At least now there's a push to not keep using ancient versions.
Even if Google were to patch 4.3, it's unlikely that it would ever hit anyone's device as the manufacturers are so shit at pushing out updates. Not that this is a defence for not patching it - Jelly Bean was only released 2.5 years ago.
And it's not just some manufacturers, Google is just as guilty - my [2013] Nexus 7 asked me whether I wanted to upgrade to Lollipop, I was busy at the time, so I hit no. Now I can't get the thing to see that there *is* a new version - 5.0.2 was released 3 weeks ago, and it still says "Your system is up to date". Like fuck it is.
1- You can go buy a new Android phone; or
2- You can go fuck yourself.
I don't believe for a moment that MS were working flat-out on the patch for 90 days - it's more likely that they left it until the last minute, and then assumed that Google would make a special exception for them.
Sorry Microsoft, the deadline is the same for everyone.
Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases.
To me, this only really seems like a valid position if vendors allowed people to upgrade at will, but as far as I know, Android users are still held to whichever version their carrier/manufacturer allows. June 2012 is only 2.5 years ago, which means (I'm guessing) that it's possible you purchased a phone less than 2 years ago that had this version of the OS. That means you could have purchased your phone brand new, it might still be under contract, and it's unsupported.
Now, if you're free to install the latest version on your phone, then it seems much more reasonable.
The MS of the '90s, harangued endlessly by a shockingly left-wing government (by today's standards), ended up being put in its place not by regulation but by competition. But even back then, as it dominated the desktop and the browser, it showed high respect for client privacy and control. Google's monopolistic behaviour knows no bounds. I'd take MS any day.
In my 30 years in IT, the difference I've found between MS and [insert any other brand] is that nobody loves MS - there is no religion as there has been around Apple, or Linux, or Google. They're practical businesspeople, who sometimes show excessive greed and stupid short-sightedness, but are always judged on their merits - people will abandon them as quick as they'll choose them, if they turn bad. And that's a good thing. It keeps them on their toes. Ballmer was a dick in the works for a while, but he's been kicked out, because everyone said exactly what they thought - there weren't hordes of fanboys(*) telling the world how wonderful the Start Screen is.
(*) Paid exceptions exist, such as Paul Thurrott. But nothing like him exists in the userbase.
First, I consider myself a fan of the Googlesphere. I love Android, love Chrome, love GMail, enjoy the availability of their online Apps, and so on. (Hate hate hate Google+, though).
And saying that - Google needs to come to terms with the fact that they can't get away with the same bullshit update cycle for an OS installed on physical hardware, as they do with Chrome. For a desktop browser, weekly updates with support ending more-or-less after a year counts as an annoyance, but not a deal-killer. For an OS, just "no". My last phone lasted a decade - Support your devices (at least for critical vulnerability patches) for at least that long, or GTFO of the playground.
The original article doesn't give any details as to what this "exploit" is in Android. Even if it is a real exploit, no new phones will be made with Android 4.3, and at this point, no manufacturer would push an update to an old device even if Google did fix it. As to Google throwing Microsoft under the bus, that is utter crap. Google privately disclosed a vulnerability to MS, and *TOLD THEM* they had 90 days. After 90 days, Google publicly released the vulnerability. This is standard stuff. Giving a deadline is the only way to keep vulnerabilities out of the NSA toolkit and force MS to actually fix it.
Please keep writing your Neowin articles, as they provide us countless entertainment based on conjecture.
It would seem to me that they have a responsibility to support the versions that are in use by the majority of their customers. This whole idea that 2.5-year-old software is "ancient" is a load of BS. Imagine the outcry if Microsoft quit supporting each version of Windows after such a short time.
Google Voice doesn't recognize your Android version, please upgrade...
The cesspool just got a check and balance.
You can still buy fresh-from-the-factory phones that run nothing better than Gingerbread (2.3). Halting updates on anything but KitKat and above is incredibly blinkered.
That said, Google really needs a better way of deploying updates other than patching the main tree and depending on their device vendors/carriers to eventually issue an update.
I write software for Android and what bothers me is that there's always this push for latest and greatest while we still have a significant number of devices getting left out in the cold because they're 2 or more years old. Android is a three-legged stool, Google, Device Manufacturers and Carriers, and all three have to get their shit together on patch management and routine updates to the devices. All of them share equally in this problem yet they just seem to be aligned to always force you to buy a new device to get what most would consider reasonable software support. That's bullshit. Sure, Google, we get it: you want everybody to be on the latest and greatest, and yes, there are features that can't be supported with every new release; however, there's that sticky little thing called time to market, and while you may come out with a new release, the uptake by your licensed manufacturers isn't that fast. 4.3 didn't become available widely in devices until late 2012, which is just in time for Christmas, so that makes 4.3 only 2 years old basically in terms of market exposure. That's young for a smart phone. I also get it if HTC or Samsung or Vendor X out there don't want to support software in order to entice you to buy a new device, but at $600 to $800 for a high-end smart phone you're not going to see the majority of your customers buy a new one every year just to keep up with the latest version of Android. That's borne out by the 1 Billion devices on 4.3, which is a pretty large market. Oh, and to you carriers, your bloatware and other crap isn't helping either. If you're not willing to support it for at least the life expectancy of the device, which can be up to 5 years now, then get it off of there so you can at least improve your release frequency so that your customers aren't left with insecure devices.
Google needs to take the lead here and work with the downstream manufacturers and carriers to fix this shit because it's becoming a nuisance for the development community and for the end users.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Actually, this time it's the evil Veri$on and AT$T and $amsung and LG($) and Moto$ola and any other company that you can force a dollar sign into. Those are the companies that are preventing your phone from updating to a newer Android version, not Google.
I'm sorry, but are people actually under the impression that their phones are secure?
I don't see any connection between these two posts smashed into one story....
As much as I like to bash carriers, Google, handset makers, etc, much of the crux of this problem is that "progress" in the world of smartphone technology moves at such a rapid clip that by and large many things out there 2+ years old are in many ways obsolete and there's no easy way to go back and fix problems without just replacing devices on the consumer end.
I'm curious if smartphone technological advancements will slow down enough in the foreseeable future where this gets addressed sufficiently and you can expect fixes. By and large the PC world has been like this for a while, although it lacks the structural issues (i.e., Google/handset maker/carrier) that complicate it. Handsets are still advancing from a hardware perspective fairly quickly in terms of new chipsets, so that even if issue X could get fixed, the hardware itself isn't supported anymore.
This same problem is happening with legacy software all over the place be it from Google, Microsoft, Apple or other vendors. There are billions (YES! 1,000,000,000's) of devices out there that work just fine but can't use the latest operating system from the vendors so they aren't getting patched. This creates BILLIONS of opportunities for hackers, worms, trojans, scammers, etc all because the vendors are greedy and don't want to keep supporting hardware and software that is only a few years old.
They should be offering legacy support out at least a decade. It is very doable with conditional compilation to build the latest operating systems for the older hardware of even 15 years ago. It simply won't have some features like transparent windows and other eye candy. The software should gracefully fall back to fit the hardware. This is doable at compile time, which avoids having overly large software packages.
No one is going to push out a 4.3 OS update even if Google provides one.
You realize, of course, that with the stroke of a key, Google could change their deployment terms and take full control over Android's deployment to end-users, just like Apple does with iOS.
If the Android user-base is as large as the Fandroids say (or even close to that), then not one hardware vendor nor carrier would dare to kiss-off Android if Google changed its terms regarding deployment to something similar to what Apple does.
Fact is, Google simply doesn't care about anything but ad impressions. Anything else is as the buzzing of flies. That's why it will never change Android to a more "consumer-friendly" distribution model.
Never.
There are 84 companies in the OHA (Open Handset Alliance). If a company for whatever reason will not update their phones to 4.4.4 (which is the latest point release of version 4 of Android), someone should probably backport the patch to the 4.3 version of Android. Android is open source and Google accepts patches.
Google is not the only one making Android, and the Google-supported phones are free of this vulnerability. I can see Google's position on this (they want the vendors to just update to the latest point release), although it seems a bit silly.
It's funny how people are willing to trade hundreds of evil companies (Bell, Verizon, AT&T, MS, Apple...) for one greater evil (Google). For those who do not understand what is happening, Google owns the future of marketing. The places to advertise your product effectively are becoming more and more scarce. TV providers can see their market shrink year after year, and this is partially due to PVRs and the availability of content via stream. This is also why sports distribution has become a hot commodity, with the NHL contract for Canada going to Rogers for 5.2 billion (12 year contract). Nobody PVRs a hockey or football game, but an episode of The Walking Dead or Game of Thrones is fine for watching later.
Google looks good because they give everything for free in exchange for your time (advertising). Anybody that can milk that model is bound to eradicate the competition. After all, who can compete with free? As of today Google owns 88% of the world's searches with Bing right behind at 4.5% ;)
Don't take me wrong, I love Google's products but I fear them as much as I love them.
Wait! What? You can drink the Kool-Aid? I've just been snorting the packets. Now can we please just steer this thread over to talking about Apple? Thanks.
Windows Phone allows user-controlled updates. *ducks the multitude of flying Android handsets*
If you're pissed off at Google for not fixing defects in older versions of Android, you can always switch to an iPhone or a Microsoft Windows phone. Why are you folks always whining about corporate decisions that make financial sense? Unless, of course, you're willing to do something and make those "financial decisions" hurt the corporation involved.
Don't like how Google won't fix bugs? Don't buy an Android next time.
Unless you also want to say that the free market doesn't fix everything. There's a reason for various regulations concerning warranty and support regulations. Especially for vital telecom infrastructure.
That is all.
You wouldn't have this problem if you were a MyCleanPC.com user.
Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.
The proper solution to this is for Google to be listed as a source for updates, in addition to the OEM and/or carrier. That way, people who are looking for updates can get it.
Not patching Android 4.3 is not a valid reason. Unlike Windows XP, which was upgradable to Windows 7 and beyond (even if it required hardware upgrades), that's not so easily done w/ Android hardware. I have an Ellipsis w/ 4.2.2, which I'd love to upgrade to KitKat or Lollipop, but can't. Nor can I upgrade the internals of that tablet (RAM, storage), so if Google suddenly says that they won't update the OS, I'm screwed. I know there is a big inertia in the market as a result of there being 3 potential sources of software - Google (or Microsoft in case of Windows Phones), the OEM and the carriers. But everybody tossing the ball to each other just leaves a sour experience for customers.
I know no organization wants to maintain 3 or more versions of anything. But that's not a valid reason to expect people to discard phones or tablets bought within the last 3 years. The tablet I'm describing is something I got last May, so I shouldn't have to discard it just b'cos its OS is not being patched and it can't run the latest version that is being patched!
Google Throws Microsoft Under Bus
My first thought wasn't "they're not nice people," but "finally" -- I was wondering how long it would be before a tech company could be large and influential enough, and behave in a way that would give Microsoft a taste of their own medicine. Too bad it's something of a hit piece.
As far as cellphones go, ain't Motorola a part of Google? Since you can't spell Motorola w/ an 'S', you could try and insert the Indian rupee sign in place of the R, except that Motorola exited the Indian market some 5 years ago.
That's b'cos Apple is the only maker of iOS toys, and given its demand in the market, not having iPhone in its phone lineup actually hurts carriers. See T-Mobile. That's why carriers feel compelled to offer iPhones, and Apple is free to configure them any way it wants. As a result, I don't see the Verizon splash screen when I start my iPhone, the way I do when I start either my Lumia or my tablet.
How are we supposed to root our devices if all the security holes get patched?
4.3 came out in July 2013, so a year-and-a-half ago (it would be even younger if I counted when companies actually pushed it out to people's phones). 2.5 years is not great by any means, but it's a full year more than people affected by this.
You're right, they did. I don't know if it includes older devices and such though.
What would Slashdot be saying if MS discontinued Windows 8 patches because 8.1 is now out? A reasonable support lifecycle is something that isn't too much to expect out of a modern OS. It should be defined at OS inception.
Everyone brings this line of reasoning out, and yes it makes some sense. But the thing is, Google knew full well from the get-go this would be the situation with Android, and they did absolutely nothing to prevent it.
In other words, "I bet Samsung will do a great job keeping their low-and-mid-range Android phones up-to-date," said no one ever at Google.
I'm still waiting for my Windows XP fix.
While none of the post-paid providers sell 2.3 any more, plenty of pre-paid providers still do. Boost, Straight Talk, TracFone, Page Plus, etc. If you are a pre-paid operator, many of your customers don't have good enough credit for payment plan on a nice phone, don't have enough money to buy a nice phone out-right, and said customers aren't forced to stay with your company long enough for you to risk much of a subsidy in the monthly fees. That leaves you being forced to sell the cheapest phones you can for the customers that want them.
We are talking $30-40, out the door, here... If you are spending that little on a phone, you have to trim cost anywhere you can, which means the thing won't even run stuff much more recent, even if the carrier wanted to put forth the effort to do so. (Which, given their generally low margins, they won't even think of doing.)
Yes, for not much more money, you can get a MUCH nicer phone ($65 will get you a Moto G on Boost, for instance), but at the very bottom end, every dollar counts when specing out phones.
(Personally, I use a Boost Moto G flashed to PagePlus/VzW... an excellent example as to why the phones can't be subsidized much. Sprint/Boost totally has taken it in the shorts here, as outside of the phone itself (which is still subsidized somewhat), they haven't gotten a dime from me, as they inexplicably didn't request Moto lock the bootloader, making it fairly trivial to convert it over to working with Verizon.)
There will be one final CM11 milestone release before they switch to CM12. How do we confirm the final will have this patch?
I'm not sticking up for Google...
But the vendors all install a bunch of stuff on top of the Android OS. And then there's the whole Sense vs TouchWiz interfaces installed on TOP of the Android OS.
The interfaces would be the bigger problem... because unless they remotely wipe everyone's machine and put them on stock Android OS, then it's going to take a LOT of testing and fixing and breaking... and getting HTC and Samsung and whoever else to get their act together. And wiping would be problematic... even if they could do it without making people lose their data or break their systems, they will freak out that their interface was reduced.
...as much as the next guy. But honestly, are there still nerds in 2015 who don't understand how the Android model works? Think of Android as "Linux". Each manufacturer has their own distro of Android, and then there's the "reference" distro, made by Google, that is on Nexus devices called "Stock Android". All the distros are based on the "Stock Android" distro, and the manufacturers customize and add on from there.
So, blaming Google for a flaw in a previous version of Android is like blaming "Linux" for a security flaw in a previous version of Ubuntu. See how much sense that makes? All Ubuntu has to do is use a more recent kernel/library/whatever that doesn't contain the flaw and release an update or new version. The same thing goes for Android, all the handset manufacturers have to do is release an update that contains the fix, and their problems are solved. A current build of "Stock Android" already contains the fix, your manufacturer's outdated distro, however, doesn't.
There are plenty of things we can legitimately blame on Google, but blaming the flaws of handset manufacturers and cellular carriers on Google doesn't help anything. Put pressure on your carriers and manufacturers to stop dragging their feet and support their products beyond the next fiscal quarter or two!
It's only a 32 bit bus.
Have gnu, will travel.
You realize, of course, that with the stroke of a key, Google could change their deployment terms...
In 4.4, they did. With KitKat (4.4) instead of having to push core OS and Security updates through the manufacturer, they created Google Play Services which now holds the core Android OS functionality (unfortunately by breaking away a lot of the methodologies of AOSP and walling up a good portion of the garden). With this new package, they can push out the updates through the Play Store and don't even have to deal with the Manufacturers and, by extension, the Carriers for an update anymore, unless there needs to be an update to the hardware abstraction layer.
Because of this change in how Android operates from 4.3, it's not really in Google's best interest to screw with 4.3 because #1 it's no small undertaking to strip out the Android components and put them in a Google Play Services style of operation, #2 even if Google were to take on the undertaking, the Carriers/Manufacturers would sure as hell block it because it takes away all the control they have over Android... not to mention how much of a PITA it is to get any kind of Google update from the Manufacturers/Carriers as it is already.
The Windows vulnerability was on the current version 8.1 that is actively supported. The bug found on Android is in a no longer supported version. This is not the same thing.
This is why I hate the Android model of updates. I don't have to wait for HP, Dell, Lenovo, and others for my desktop to get updated. There's no reason I should have to wait on Samsung, LG, HTC, or even worse AT&T or Verizon to get an update for my phone. If my phone is running Android OS, then I should be able to get updates straight from Google. I like Android in every other aspect except their update strategy. I am due for a new phone soon, and I really don't want to get screwed over (again) with a phone that doesn't get a single OS update after I buy it. I'm kind of leaning towards Windows Phone at this point. I could consider iOS, but their phones are much too expensive for my tastes.
As far as the OS goes, Windows Phone is great (don't let the controversies about Windows 8.x mislead you). With the traditional GSM guys (AT&T, T-Mobile), you'd get the latest OS in 8.1. With Verizon, you won't, but the way around it is to sign up for MSDN and then download the upgrade. In terms of UI, it is fantastic.
However, you might as well be aware of the pitfalls as well. Windows Phone gets the same sort of love from devs that OS/2 got in its day, or any other third party OS tends to get. A telltale sign of this is the apps: whenever you go around, you'll see all sorts of products and services advertise their apps for either just iOS or a combination of iOS and Android. Very rarely do you see apps advertised for Windows Phone as well. And sometimes, when you do find a Windows Phone app by searching their store, it tends to be a web wrapper around their official website. I miss certain apps, like Vonage, which is there on both Android and iOS.
I have a Windows Phone, and it's fantastic for certain things. For instance, it lets social networking contacts be an automatic source in your phone lists, which really helps populate your phone book if you contact people you have on there. Also, in addition to MS Office, it has things like ADP, Concur, Skype, which are pretty useful for official work. So it's good for basic work related things - there are even things like time and units conversions calculators, area codes and zip codes lookups and so on. But yeah, the most popular of games may not be there, and quite a number of apps may be either missing, or just there in the form of web wrappers.
If that's not a problem, then Windows Phone can definitely be a good, if not great, experience.
Not Google's fault that device makers are too damned lazy to compile and deliver updated OS images to its customers.
No, manufacturers have no update that they could distribute. You can't blame them for not distributing something that does not exist. Nor can you expect them to update to a newer OS. There will be compatibility problems for some customers, so such an update must be optional, not a necessary security patch.
When Google releases updated source code, then and only then does it become the manufacturer's problem.
As it is, manufacturers have the perfect excuse for not updating customers: there is no update from Google. The fact that manufacturers have not released updates in the past does not excuse Google and allow Google to adopt their policy of abandonment.
Google doesn't support phones, they support Android. This is fixed in the latest version of Android.
Which would have compatibility and performance problems for some 4.3 based phones.
Basically you are wrong in your premise that Google supports Android. In fact they only partially support Android. To fully support it there needs to be more reasonable timeframes for patching older OS versions. Especially for security related patches. Even Apple will occasionally release critical security patches for iOS versions that are officially no longer supported.
I read that Lollipop will include webview as part of the Google Play Services framework, which is Google's cloud-based framework that they have been moving more and more Android services to.
Unlike app store updates and normal Android system updates, Google Play Services works as a silent push update, so phone providers and manufacturers cannot block the update. I'd hazard a guess and say this may have something to do with it.
Source: http://developer.telerik.com/f...
At least Apple gives a pretty decent support life for most of its products.
Apple has also released some critical security fixes for obsolete no-longer-supported versions of iOS, so their concept of "no longer supported" has exceptions. Not all obsolete versions, but those that represent the final version that a particular line of hardware can upgrade to.
No they didn't, this Slashdot 'report' looks like nothing but a cynical attempt to impart positive spin to Microsoft's failure to address the patch. Since when did Slashdot become a PR arm of the Microsoft organization?
"Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the "Reported" label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed." ref
Vendor: Microsoft
Product: Windows-Kernel
Severity: High
Finder: forshaw
Reported: 2014-Sep-30
CC: ProjectZeroMembers
Deadline: 90
MSRC: 20544
PublicOn: 2014-Dec-29
Deadline-Exceeded
Fact is, at least in the U.S. -- the whole cellular market is designed around a 2 year device rotation as "standard".
This is due to the popularity of the 2 year contract that includes a heavily subsidized handset at signing or renewal time.
The industry figures that unless you're one of the less desirable customers who gets a pay as you go phone due to problems passing a credit check, you're going to keep paying $60-100 per month or so for the length of time you want to use a phone, and you're going to expect a shiny new model every couple of years as part of that arrangement.
I do think this might SLOWLY be changing a bit, largely thanks to T-Mobile trying to act as the rebellious upstart of the industry and encouraging people to rethink traditional contracts. (Additionally, the companies like "Net 10" who act as wholesalers of minutes of service and kilobytes of data from the major carriers help fuel interest in buying higher-end handsets straight out and using them without contracts.)
But no - there really is the expectation that a couple of years of support is all that's necessary on a cellphone. And tablets are sort of falling into that same category by default - simply because they run the same OSes as the cellphones do.
I read this thread and, being new to having a smartphone that I can't root (since I bought it for my business and need it to charge credit cards), started panicking.
So I read through all the OP and then found on the S4 what version I was running, and I am at 4.4.4, so I'm good to go.
For people not good to go - take the articles, and start calling and screaming at the providers that have you under contract and make them ship you a new phone. That was my plan if I wasn't covered.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
No, you're misreading the stats. Android 4.3 has a 6.5% market share. The problem affects all versions of WebView and was fixed in KitKat and above.
Android >4.4 has a 39% market share.
This bug affects all other devices, which accounts for 61% of the market share according to the developer dashboard.
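The comment above turns the question "am I affected?" into a release-number check: anything below 4.4 still carries the vulnerable WebView, anything at or above KitKat does not. The script below is an added illustration of that check for someone triaging a fleet rather than a single handset; it is not code from the thread or from Google. The device inventory is constructed, and the assumption is that each version string was collected with `adb shell getprop ro.build.version.release` (a real Android system property). Tuple comparison is used deliberately, because comparing version strings lexically would rank "4.10" below "4.4".

```python
"""Flag devices whose Android release predates KitKat (4.4).

Added example, not code from the Slashdot thread or from Google.
Assumption: the release strings come from
`adb shell getprop ro.build.version.release` run against managed devices.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# First release that, per the comment, ships a fixed WebView.
FIXED_RELEASE = (4, 4)

# Constructed sample inventory: (device label, ro.build.version.release output).
SAMPLE_INVENTORY = [
    ("sales-s4", "4.4.4"),
    ("warehouse-tab", "4.2.2"),
    ("kiosk-01", "4.3"),
    ("exec-n7", "5.0.2"),
    ("loaner", "2.3.6"),
    ("unknown-build", "N/A"),   # a device that answered with garbage
]


def parse_release(release: str) -> Optional[Tuple[int, ...]]:
    """Turn '4.4.4' into (4, 4, 4); return None for anything unparsable.

    Only the leading dotted integers are read, so a vendor suffix such as
    '4.4.4-custom' still parses as (4, 4, 4).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", release)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(release: str) -> Optional[bool]:
    """True if below 4.4, False if at/above 4.4, None if the string is unknown.

    Tuple comparison gives (4, 3) < (4, 4) and (4, 10) > (4, 4), which a
    plain string comparison ('4.10' < '4.4') would get wrong.
    """
    parsed = parse_release(release)
    if parsed is None:
        return None
    return parsed < FIXED_RELEASE


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket device labels into affected / fixed / unknown."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for label, release in inventory:
        status = is_affected(release)
        if status is None:
            buckets["unknown"].append(label)
        elif status:
            buckets["affected"].append(label)
        else:
            buckets["fixed"].append(label)
    return buckets


def affected_share(inventory: Iterable[Tuple[str, str]]) -> float:
    """Fraction of devices with a parsable release that are still below 4.4."""
    known = [s for s in (is_affected(r) for _, r in inventory) if s is not None]
    return sum(known) / len(known) if known else 0.0


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s}: {', '.join(devices) or '-'}")
    print(f"affected share: {affected_share(SAMPLE_INVENTORY):.0%}")
```

Devices that land in the "unknown" bucket deserve a manual look rather than being counted as fixed; a fleet check that silently treats unparsable answers as safe is the usual way this kind of triage goes wrong.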
I can't really understand the reluctance of people to root and/or install a custom ROM.
For one thing, it often (such as on the Nexus 7) involves wiping the device and unlocking the bootloader. People want to be sure that all their data will make it through the process, and an ADB backup reportedly doesn't cover contacts or other "content providers". For another, people don't want to install a custom ROM for the first 12 months while the thing is still under a warranty that installing a custom ROM voids.
Manufacturers [are] incentivized to support phones that are under warranty
Some manufacturers sell the previous-generation flagship phone as their midrange phone and the phone two generations old as an entry-level phone for people new to smartphones, such as children on a family plan or switchers from dumbphones.
Why should Google bother? Samsung, AT&T and many others will not patch the locked devices they sold; even if Google issued a patch, none of these would update their devices. Perhaps, just perhaps, this will generate a liability that in turn will get these yahoos to get their act together.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. - Mark Twain
This is exactly why I switched to WP, after my Android phone released in 2012 wouldn't get updated past 2.3. That means that I couldn't use Chrome or some new apps. Even though enthusiasts dragged it till 4.3, the user-maintained version was way too far from stable and polished. Now, after a year with Lumia, I can say I won't buy any Android products unless something changes in that department.
"Windows XP's lifespan wasn't short."
Software doesn't have a "lifespan". It works the same as it always did, with the same hardware.
Businesses doing the same work every day don't need new hardware or software if the equipment they have now is serving them well.
It wasn't until Service Pack 2 was released on August 10, 2004 that many of the very serious problems in Windows XP were fixed. Windows XP with Service Pack 2 might be considered to be a different version of the Windows XP operating system, it was so different from the initial Windows XP version. See the Microsoft article, List of fixes included in Windows XP Service Pack 2. There were 828 fixes.
See the article, Microsoft Windows XP "end of life": Conflict of interest.