Slashdot Mirror
'Irresponsible' Google Refused Fortnite's Request To Delay Vulnerability Disclosure To Score Cheap PR Points, Says Epic's Chief (bbc.com)
The leader of the firm behind the hit game Fortnite has accused Google of being "irresponsible" in the way it revealed a flaw affecting the Android version of the title. BBC, with additional input from Slashdot staff: On Friday, Google made public that hackers could hijack the game's installation software to load malware. The installer is needed because Epic Games has bypassed Google's app store to avoid giving it a cut of sales. Epic's chief executive said Google should have delayed sharing the news. "Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google's rapid public release of technical details," he said. "We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."
Google isn't playing nice. Don't get a cut of the profit? Well screw your security alerts.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
I'd at least like to hear Google's side of this first.
Would hate to unpack the pitchfork for nothing and all that.
If an application is allowing malware to be sideloaded, the users have damn well a right to know about it.
Google is not the distributor. In fact they are aggressively acting out because they are not the distributor.
I guess what Google is really saying here is if you find any zero-days in Android, publish them right away. Never mind this silly 'responsible disclosure' that companies like Google make noises about supporting.
It's not clear what level of ownership Google should be expected to take on this. It seems to me that they technically did more than I'd feel obligated to in their shoes. Epic appears to have been responsible for the bug, Google appears to have found it for them. Honestly I think they already went the extra mile right there.
Of course if Epic used the app store, then I'd expect a more appropriate arrangement of identification, fix and announcement.
Google has nothing to lose by delaying disclosure of an exploit that isnt even in its ecosystem...
however...google has everything to lose if the idea of operating outside its walled garden catches on.
Good people go to bed earlier.
Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens, either 90 days has expired OR a general availability patch has been released. The second happened, but Epic wanted google to violate its own guidelines for them.
The problems is in bypassing the play store they did open themselves up some and now they want google to change, not them.
When you cant win, ad hominem.
"We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."
Allowing the unpatched game to continue running also unnecessarily risks Android users. Doesn't google have the ability to delete an app in Android? If so perhaps they should have deleted the unpatched game versions?
Looking forward maybe google should have the ability to lock out a vulnerable version of an app. Don't delete it, just prevent it from running, only allow it to be updated to a newer version.
Google doesn't distribute Android? When did that happen?
Regardless, anyone with two brain cells to rub together could see this shitshow (and more in future) coming the second Epic announced that in order to install their software you'd have to allow uncertified install packs on Android. Many many people do not have the technical acumen to understand the full ramifications of that, and will probably forget to flip the switch when they're done, so a whole host of malware providers are even as we speak licking their chops waiting to take advantage of the holes in the devices Epic has just convinced their users to open.
Does Google charge too much on the Play Store? Probably. But it's their store and they can set any price they think the market will bear, just like anyone else. That's the deal for using Android. Epic is being very irresponsible.
I think you are a bit confused if you think this bug was in Android...
Google's policy seems reasonable. There's a fixed version, so disclose the info.
Not only is it a shitty installer, the whole idea of an installer app on Android is shitty. Just have people download the APK and use the built in package installer. If it's about download size, use the same trick most big games do and have the app load data files on first launch into its own protected data directory. All of that is built in and is quite safe and audited.
Not that Google never does anything shitty, but this one is on Epic.
They did the same thing they do with other bugs. Give them 90 days to fix it and disclose 7 days after it is patched, whichever comes first. It's hard to say they are being unfair or aggressive since it is the exact same time window they have for anything else. It's not google's responsibility to hold on to the release beyond 7 days because Epic asks them for more time to ensure everything is long since patched.
This is correct. If they don't want Google to shit on their parade, maybe they should have plugged the security holes.
"I'm a humble person really,
I'm actually much greater than I think I am"
Not only is it a shitty installer, the whole idea of an installer app on Android is shitty. Just have people download the APK and use the built in package installer.
That's not a fully working solution because it leaves out people who get confused during the download process. If you download an APK then it appears in your downloads list and as a notification. If you clear that notification and your downloads list then there is no way whatsoever to install that APK without installing additional software, like a file manager, unless you download it again. Many people are probably not even aware of the downloads list, and if someone has a lot of notifications they might not be able to figure out how to install the APK they just downloaded. This is Google's fault; they should have included a file manager with their OS, but they didn't.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
It's not google's responsibility to hold on to the release beyond 7 days because Epic asks them for more time to ensure everything is long since patched.
It's not Google's responsibility to announce the vulnerability, either. They choose to do so, nobody is forcing them.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
vulnerabilities need to be announced as soon as they reasonably can, otherwise everyone is running on unpatched systems and being silently exploited, or not so silently once some ransomware gets on there.
The moment a patch is released attackers have the opportunity to reverse engineer the patch to find the vulnerability regardless of whether there is a subsequent disclosure or not. By this vulnerability being widely circulated in the press its more likely users will upgrade or uninstall than hoping users launch fortnite in the next 90-days. I imagine the real issue Epic has here is that they do not want the bad press leading to users who downloaded Fortnite to try uninstalling.
Gp stated correctly that this serious vulnerability would not have existed had Epic not insisted that users disable security protections. That's a fact. Not a wish, not a "best possible future", but a simple fact.
Kinda like the fact that all your money you've been paying into Social Security is gone. It's been spent. It's not sitting there waiting for you to get it when you're older. Wishing things were different doesn't change the facts.
I don't think this bug was in Android. I said that Google distributes Android. Totally separate pieces of information. I then added my opinion that Epic is for their own enrichment opening up additional security holes in a very irresponsible fashion.
I see two major problems with your argument. First, Android is supposed to be open source/marketed as being the open platform, but the practices of Google are really counter to this. Normally I don't care to get into the pissing matching between companies (frankly I don't care if the companies kill each other usually), but these particular pissing matches are actually harming consumers. Then, Google is intentionally distributing Android with some built in dark patterns to scare users into only being comfortable with using Google Play where they get a large cut of profits for very little work. I mean they didn't even put that much work into Google Play to start. I don't mind them taking some profit as that is how the Android Platform is monetized and allows it to be freely distributed, but they literally take more money than these companies are taxed. Something is pretty wrong with that picture.
On top of that, they have taken great pains to prevent other stores from taking much hold or allowing for simplified individual distribution to the Android platform in any way. Imagine the uproar if Microsoft did this with Windows. Epic did take a risk for this business decision and definitely fucked up with the execution, but Google is doing some real shady shit now and straight up trying to punish them. This is some fucking mob tactics to keep anyone else from doing the same and them losing the stranglehold on their distribution monopoly. This behavior is NOT good for consumers at all and honestly, pretty unfair to businesses and developers too.
Google jumped at the chance to punish out of spite, because Epic chose to operate its own store. This is how it looks.
When all you have is a hammer, every problem starts to look like a thumb.
The problem with your arguments are you're applying expectations of open-ness for PC OSs to the mobile phone market. You complain that:
> On top of that, they have taken great pains to prevent other stores from taking much hold or allowing for simplified individual distribution to the Android platform in any way. Imagine the uproar if Microsoft did this with Windows.
We're not talking about Windows, Android's main competitor is Apple's IOS. How's Android look compared to that? How are those IOS competitors to the App Store there doing? Exactly.
> First, Android is supposed to be open source/marketed as being the open platform,
And it is. To MANUFACTURERS. It's a packaged OS that anyone who wants to build a device around can do so. Your disconnect is you are conflating how Android is considered an open platform to how Linux is on the X86 space.
> Epic did take a risk for this business decision and definitely fucked up with the execution, but Google is doing some real shady shit now and straight up trying to punish them.
And I disagree. Google put a mechanism in for experienced users to be able to load an untrusted .apk file with the expectation that only people who understood the ramifications of doing so - i.e. so called "power users" - would use it. And now Epic's told everyone and their grandma to allow untrusted .apks to be installed on their phones. Epic is the party saying "Google wanted a cut of our cash flow so we're just gonna tell everyone to toss out a basic security feature of Android so we can make some more money!"
There are file managers with recent Android.
Maybe older ones as well, it probably depends on the phone maker too (my Galaxy S4 had one bundled from Samsung for example).
Admittedly, the issue with large APKs is that you need double the space. First to download and then to install the files. That's why so many games are using installers (though usually done downloading private files in the main game, not as a separate app).
Comment removed based on user account deletion
Everybody has their own rules and guidelines around responsible disclosure. We need an organization like like the IEEE or ACM or CERT to make standard practices for this. This is important because there is always a question of liability. I'd like to know that if I followed the IEEE rules for responsible disclosure that I can be reasonably sure that someone can't sue me.
epic is make billions off this game and they don't get any
Not true. A popular game makes the Android platform more popular, sells more handsets, and enlarge Google's walled garden of services from which it derives advertising income.
When all you have is a hammer, every problem starts to look like a thumb.
The problem with your arguments are you're applying expectations of open-ness for PC OSs to the mobile phone market.
While true, why should they be applied different? Phones are just mini computers and in many cases people use them as their main computer anyway. The only reason the markets are treated differently in that regard is the companies behind the major developments engineered the market that way. It was a much more organic process with PCs originally and they were not able to force-feed consumers their own ideas with as much success (Plus as much as I dislike Torvalds, Linux gave a big middle finger to closed platform usage in the early days).
We're not talking about Windows, Android's main competitor is Apple's IOS. How's Android look compared to that? How are those IOS competitors to the App Store there doing? Exactly.
Apple is just as guilty if not more. The argument that "It isn't as bad as they other guy" is still weak. Using a more extreme example would be, "I'm not so bad, I only beat that guy into a state or paralysis/coma, while that guy beat another to death!" Neither one is right, just less wrong...
And it is. To MANUFACTURERS. It's a packaged OS that anyone who wants to build a device around can do so. Your disconnect is you are conflating how Android is considered an open platform to how Linux is on the X86 space.
When they came up with it originally they tried to compare it in much the same way as the Windows/Linux relationship, but they became very dissatisfied with the fragmentation of the market. While the Android One development has helped Android beat Apple they also used that initiative to solidify some monopolies within the platform. Google Play is the lynch pin to that monopoly. Companies can't even branch Android effectively and reach a decent market because of Google's policies with it and their is no real alternative market.
And I disagree. Google put a mechanism in for experienced users to be able to load an untrusted .apk file with the expectation that only people who understood the ramifications of doing so - i.e. so called "power users" - would use it. And now Epic's told everyone and their grandma to allow untrusted .apks to be installed on their phones. Epic is the party saying "Google wanted a cut of our cash flow so we're just gonna tell everyone to toss out a basic security feature of Android so we can make some more money!"
I'll give you that Epic did take a big risk in using that to accomplish this, but why exactly should Google have such a monopoly on the distribution of software to the phones? Same with Apple. It creates a serious pay to play scenario that isn't really different than the spirit of net neutrality. Google is trying to force people to access the consumers through them for a hefty fee. It is a "security feature" but it is also a digital bouncer for Google. Why can't they provide a more secure way for independent market places or developers to distribute apps? Simple, profit. They stand to make nothing and even lose their monopoly if they did that. If they really cared about users as much as they claim this would already be standard just like software security certificates and dll signing.
It's very simple, and it's not what this headline says.
Epic decided to forgo the Play Store for releasing Fortnite.
Google said "Okay, but this sort of thing can make our platform less secure. Be careful out there."
Epic releasesd an installer for Fortnite that could install Fortnite without the Play Store.
Google looks at it, and sees that it can be used to install more than just Fortnite, because it contains some stupidCode that can be used to install all sorts of malicious things because someone at Epic was very careless.
Google tells Epic about this lame bit of coding, and tells them they've got seven days to fix it because it would be really, really bad if this were exploited by someone who wanted a whole lotta phones on their DDoS botnet (for example).
Epic says "We believe we have 90 days to fix it" and releases a new installer without the stupidCode in it.
Seven days goes by, Google releases details of the stupidCode so that other people can learn from and not make this same foolish mistake.
Epic throws a tantrum.
The TL;DR is that this wouldn't have been a problem if someone at Epic hadn't decided to just throw an installer out there without looking at it carefully first, and Google probably should have given them 30 days instead of 7, but probably gave them only seven days because it lets them reinforce their point that poorly-written third-party installers are bad. Epic gave them reason to do that when they started talking to the press and basically whining about the Play Store cut as if Google did nothing to deserve any money (because it's so obviously both easy and free to build and maintain a giant marketplace with some semblance of standards), and Google appears to have noticed that if they ignore the tall tales "web reporters" spin, they eventually wind up having to explain complex concepts to state Senators and that tends to be very expensive.
Reading comprehension issues? OP wrote "don't get any". Now you are arguing a fallback. Suit yourself, Google still looks like shit over this and you know it.
When all you have is a hammer, every problem starts to look like a thumb.
Google can do that for Play apps. This whole pissing match started because Epic decided NOT to publish Fortnite on the Play Store.
If they can remove a Play app then they can remove a non-Play app. They may not do so currently but that is a choice not a technical issue.
Don't clear the notifications then. It's not that difficult. Epic could have made an instruction how to install an APK. Doesn't Android have a built-in file manager anyway?
sudo rm -r -f --no-preserve-root /
if by "looks like shit" you mean looks responsible, you are correct.
When you cant win, ad hominem.
That's really childish of google, especially as Google is only using the 7 day deadline when it's due to a security risk if it's already being actively misused, but it isn't. Normally they have 90 days (or sooner if they notice it being actively being misused).
So why did they release it with the 7 day deadline? well we all know why...
So your new fallback argument is "shit is not shit". Nice.
When all you have is a hammer, every problem starts to look like a thumb.
> we worked around the clock (literally) to fix it
So they put a clock in the middle of the room and arranged their desks around it?
Fucked up like an amature.
And their reason for doing this is because they want to handle the in-app purchases themselves to make more profit.
So they can't write a secure installer and we're expecting them to securely handle peoples credit card information?
Google don't take all of the 30% for themselves. You can get Visa et all will be getting a decent cut of that.
Don't forget Epic also continued to say ".... and on top of that, we're telling them to install an app with a massive security hole in it"
It's not Google's responsibility to announce the vulnerability, either. They choose to do so, nobody is forcing them.
It's only their responsibility if you assume they have an interest in protecting the security of their users.
Are you for bug disclosures or against them? There is / was a serious security issue w/ the Epic installer. Bug disclosures are a Good Thing. We are all better off for them. Attributing malice to the action doesn't change that fact.
Unless you are looking for a reason to bash Google. If so, disregard the above.
>> We're not talking about Windows, Android's main competitor is Apple's IOS. How's Android look compared to that? How are those IOS competitors to the App Store there doing? Exactly.
> Apple is just as guilty if not more. The argument that "It isn't as bad as they other guy" is still weak. Using a more extreme example would be, "I'm not so bad, I only beat that guy into a state or paralysis/coma, while that guy beat another to death!" Neither one is right, just less wrong...
I think that's a bit of hyperbole. The default position on apps from phones always was "work with what the manufacturer makes available for purchase on the store or hack your phone. Period". Apple stepped in and let people develop (for a fee) free apps in addition to paid ones, but the single point of distribution was and is the App Store. Android was the very first OS that even gave you the option to sideload .apk files without having to screw with a PC like PalmOS on the Treo. You're angry that it wasn't as open as the PC world. That wasn't ever in the cards.
> I'll give you that Epic did take a big risk in using that to accomplish this, but why exactly should Google have such a monopoly on the distribution of software to the phones?
Because they make the software that runs the phones? If you don't like it, go get a different phone, or write your own software for the phone. Or if you don't want to do that, go get a Tizen or Plasma Mobile compatible phone, overwrite the stock Android with that and have at it. I mean sure, Tizen's riddled with security holes and Plasma only works on a couple of Android devices but baby steps.
> Why can't they provide a more secure way for independent market places or developers to distribute apps? Simple, profit. They stand to make nothing and even lose their monopoly if they did that.
You're right. They stand to make nothing. And they risk introducing instability. So why on God's Green Earth would they? Do you do extra work for free that might cause you more problems in your day job? I don't. Why would they?
I think that's a bit of hyperbole. The default position on apps from phones always was "work with what the manufacturer makes available for purchase on the store or hack your phone. Period". Apple stepped in and let people develop (for a fee) free apps in addition to paid ones, but the single point of distribution was and is the App Store. Android was the very first OS that even gave you the option to sideload .apk files without having to screw with a PC like PalmOS on the Treo. You're angry that it wasn't as open as the PC world. That wasn't ever in the cards.
Again though, my point is why? The only reason that is not in the cards is simply because they artificially made it that way.
Because they make the software that runs the phones? If you don't like it, go get a different phone, or write your own software for the phone. Or if you don't want to do that, go get a Tizen or Plasma Mobile compatible phone, overwrite the stock Android with that and have at it. I mean sure, Tizen's riddled with security holes and Plasma only works on a couple of Android devices but baby steps.
Up front I buy that they have some rights to that somewhat due to investment and such, but even though you don't want to accept the comparison to the PC market (for some reason) we already went through this with Microsoft and it was ruled they should not/do not have unilateral authority over something like this. There is an inherent risk when a company puts out more than a product and they are actually creating an ecosystem and/or market. Once they venture into those realms they don't get to dictate to the consumer and businesses within that marketplace everything about that market. If they did we would have a pure oligarchy develop in every country that attempted to create a capitalist system.
You're right. They stand to make nothing. And they risk introducing instability. So why on God's Green Earth would they? Do you do extra work for free that might cause you more problems in your day job? I don't. Why would they?
Instabliity? No. This stuff is not any more unstable than what is going to run on a normal PC. These things are not magic and Google Engineers are not wizards. They are mini PCs with a different Operating System and built on the same principles as everything else. That is just business talk bullshit that no engineer in their right mind is going to accept and honestly neither should the consumers.
Beyond that, as far as making a better side-loading mechanisms, I refer you to my previous point that when they created a marketplace they gave up some of the unilateral authority. Even if they were allowed that, they shouldn't be/have been acting like it is this huge open and free platform. They know it was misleading to people, but thought no one would notice or care on the consumers side if they were only taking advantage of the developers and businesses. To their credit sadly, they are right and most people don't care or notice. The backwards part is the consumers are either literally paying for it in higher costs for the software or indirectly paying for it due to lower quality work.
Bottom line, I have absolutely no issue with them making money for what they do. Everyone has that right and that is how the system works, but they are outright gouging and taking advantage of a monopoly that they intentionally created.
Lots of people install the Amazon App Store and pay for games through that source.
It does appear that Google wanted to make an example of Epic specifically, in the hopes that more app developers will be cautious to follow.
epic is make billions off this game and they don't get any
Not true. A popular game makes the Android platform more popular, sells more handsets, and enlarge Google's walled garden of services from which it derives advertising income.
Why does it make the Android platform more popular? That popular game is already available on all other platforms.
And you really think they aren't butthurt about not being able to take a 30% cut of the profits of one of the world's most popular and profitable games on their platform? Really? Come on.
> You're angry that it wasn't as open as the PC world. That wasn't ever in the cards.
> Again though, my point is why? The only reason that is not in the cards is simply because they artificially made it that way.
Because a phone is not a computer. It's a phone. And it's subject to some incredibly strict regulations that computers are not subject to surrounding many things, including the availability of the device to call and stay in contact with emergency services, for example. Google, Apple, and others have to abide by these rules, and part of that is mitigating risk of malware rendering the phones unable to contact those services. Can you imagine the shit show that would entail if half the Android phones in the US couldn't call 911 due to a malware infection? Or worse, half the android phones called 911 ALL AT ONCE due to a malware infection?
That is one reason they have to do their damndest to maintain a level of security over their devices and that means playing gatekeeper as much as possible. And at the end of the day it's their ass on the line. If the phone gets hacked people are going to blame Google, not Epic.
That's a cop out though. Google assumed their own risk by getting into the market and turning the phones into a computer just like Epic assumed risk buy using their own installer. And if Epic created the vulnerability you damn right they are going to be held responsible for that. Microsoft isn't held accountable for Adobe putting garbage software on their platform.
This is a platform. They are computers with telephony functions. I really don't understand why you want to give them a pass based on some idea that they are some how different, but you're clearly not going to agree with me nor I with you. You're entitled to your own opinion but we're rehashing now and not really contributing to a productive discussion at this point.
you really think they aren't butthurt about not being able to take a 30% cut of the profits of one of the world's most popular and profitable games on their platform?
Nice strawman, I did not say any such thing.
When all you have is a hammer, every problem starts to look like a thumb.
so why do they take 30% of profit from the apps on the play store then? they should be doing that for free for the reasons you just stated.
Great point, and one not missed by antitrust regulators, particularly in Europe and Asia. Apple needs to worry about this too, and Apple shareholders for that matter.
When all you have is a hammer, every problem starts to look like a thumb.
If more developers start skipping the Google Play store, Google could lose control of Android (the control it imposes via the store and Google services) and Android *actually* becomes free open-source. They clearly don't want that.
Obviously not, but in the long run it is inevitable and most probably, Larry and Sergey already understand this. They will continue to rake in the 30% gravy while they can, but they will not make the mistake of trying to defend that windfall margin to the point that it brings in the regulators or the forks.
When all you have is a hammer, every problem starts to look like a thumb.
+1 interesting
Requiem for the American Dream
Whoops Tim. Only a few weeks ago you told Forbes:
Avoiding the 30% “store tax” is a part of Epic’s motivation. It’s a high cost in a world where game developers’ 70% must cover all the cost of developing, operating, and supporting their games. And it’s disproportionate to the cost of the services these stores perform, such as payment processing, download bandwidth, and customer service. We’re intimately familiar with these costs from our experience operating Fortnite as a direct-to-customer service on PC and Mac.
You forgot about some other services performed by the Play Store. Automated analysis of your code for security issues. Automated roll-out of your updates to users. And in some cases - for very serious bugs - even forcing your updates onto users.
And now you're crying foul because you got greedy, forced your users to bypass Android's security mechanisms and now you don't have a way to get a fix to them within seven days. LOL.
> That's a cop out though. Google assumed their own risk by getting into the market
> This is a platform. They are computers with telephony functions.
You have that backwards. They are a telephone run by a computer. It's not a cop out, it's a very real risk they have to mitigate. As I pointed out, Android is the only environment that even goes this far to be "user friendly" toward unvetted apps. If you're looking for an open platform, go look somewhere else because you'll never find it on a phone. You're correct, we're seeing this from different perspectives and won't be meeting in the middle.
F-Droid has been around for quite some time. You can use it so they haven't stopped you at all. Most consumers don't want to be bothered; they want and like the Play centralized repository. Sure Google takes a cut, but they provide added value and the insinuation to the contrary is disingenuous. Finally it is the OS not the apps that are open source so you are conflating two separate issues.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Google doesn't distribute Android? When did that happen?
When the distribution wasn't referring to Android but the code that was buggy - which Epic designed and wasn't distributed by Google. If that's not confusion it's a changing of goalposts strategy trying to hide the problem this article claim exists: that of Google being irresponsible opening up for Android users to be targeted.
The rest of your comment is largely irrelevant and claiming that Epic is irresponsible is something I'd expect of a Google investor or fanboy(do they still exist?) - so exactly what is your relation to Google?