17 comments

[ 3.5 ms ] story [ 45.9 ms ] thread
For anyone unfamiliar with Project Zero, it's a team at Google dedicated to finding security vulnerabilities across the internet (and in software in general, it seems)

https://security.googleblog.com/2014/07/announcing-project-z...

Some high profile exploits they either discovered or played a big role in:

- SHAttered(?)

- Row hammer

- Cloudbleed

- Lastpass exploit

- Meltdown & Spectre

Would be good to also highlight the other finders of some of these issues, but this view shows that Google Project Zero is a well executed PR machine taking away the focus of other security researchers. The title of this thread is similarly misleading.
To be clear, I state that "they played a role in", implying that there were other people too.
Why a question mark behind SHAttered?

> This result is the product of a long term collaboration between the Cryptology Group at Centrum Wiskunde & Informatica (CWI) - the national research institute for mathematics and computer science in the Netherlands - and the Google Research Security, Privacy and Anti-abuse Group. [...]

I know it was Google, but I wasn't sure if Google Research was the same as Google Project Zero or a different team.
What is with this title ? It's a result of two CVEs.
In the support article Apple is crediting one of the CVEs “CVE-2018-4206: Ian Beer of Google Project Zero”
Title could still be better than it is, I think. Original title is much better. Things like attribution can be done fine in the comments if that's not in the title.

Furthermore, Project Zero was involved in only one of the CVEs anyway then. Why not put the other credit in the title too? CVE-2018-4187: Zhiyang Zeng (@Wester) of Tencent Security Platform Department, Roman Mueller (@faker_)

Correct. And I would rather emphasise Tencent more. They did amazing security work in recent years, to me more impressive work than Google zero.
(comment deleted)
It just implies that it's a good news story, where Google helped Apple make their software better and safer for everyone.
Google's PR machine strikes again, robbing Tencent of their due.
Exactly what I thought. Project Zero allows Google to segway away from their Android ecosystem mess they left beyind and (even relatively benign findings at times - there was a Defense in Depth issue in Windows recently I remember that got an article) get a lot of media attention, and other researches are ignored. Shows that Google's PR works really well. I first noticed that during Meltdown/Spectre where most of the heavy lifting was done by university students somewhere in Europe, but they nowhere got as much attention as Google. Sad.
What about Tencent? Very misleading title.
Guys seriously.. Nobody is going to read a link titled "About the security content of Security Update 2018-001".

People need some kind of pointer about _why_ they might want to read a security update statement.

Granted the original title should have included Tencent's name too.