You're making the mistake a lot of people make where you assume if one side is a thing a competing thing must be equally valid. These aren't two people that are equally well respected or with equal track records. One of them has years of experience developing secure software, the other has years of experience hacking on bullshit snake oil for the purpose of selling it to users.
This is not a "the truth must be somewhere in the middle both sides are super great" narrative.
Nope, I was just saying that I don't have anywhere near the level of knowledge to say which of either them is more right than the other. I just find it fascinating when two people who are good at what they do have a debate.
> You're making the mistake a lot of people make where you assume if one side is a thing a competing thing must be equally valid.
I am rather an "if there are two different opinions at least one side must be wrong" kind of guy and cannot even imagine how one might come up with a "the truth must be somewhere in the middle". If this were true, it would simply mean that both sides were wrong from the beginning.
There are degrees of wrongness - it's not a black-and-white thing. Suppose two people are arguing over what causes robberies in downtown Chicago: person A blames drug use, while person B thinks it's poverty. The actual truth is some sort of mix of both, along with other factors not mentioned.
> One of them has years of experience developing secure software, the other has years of experience hacking on bullshit snake oil for the purpose of selling it to users.
Google has done more to shit up the web than any other entity ever. Now I know tons of people are going to say "but Google provides fast DNS, they provide free CDN services, they provide analytics for website owners, etc." Sure they do all that, but it's because every one of those things gives them the ability to track users all over the internet.
And as long as Google is not going to take responsibility for their programs (the explicit warranty disclaimers in their EULA), anything they say about "shipping a secure browser" is bullshit. Ultimately the warranty disclaimer tells us that they don't believe that their product is secure or reliable.
> Justin Schuh is not the same as Google (even though he works there)
Does Justin Schuh write and ship a web browser that isn't Chrome?
> privacy is not the same as security.
If someone says "Here's my program, it's great, it's shiny, it's awesome, it's wonderful, it'll cure acne, and feed the poor," but then tells me that if it does none of those things, it's not their problem, then I'm not going to believe their blah blah blah as long as they retain their disclaimer.
If Google wants to step up and start writing checks every time a defect in their software costs someone else money, then I'll start listening and trusting their statements.
Justin Schuh is security for Chrome. If you find a software security person anywhere in the industry who believes that users are safer with Safari, Firefox, or Internet Explorer, let me know about them. "Switch to Chrome" is pretty close to the first bit of endpoint advice most security people provide in 2016.
That doesn't make Chrome the best browser or apologize for any of the things Google has done to make the web more proprietary or less reliable. But none of those things are Justin's job: Justin's job is to solve the single hardest problem in software security (securing the world's most complicated inner platform), and by pretty much all accounts anywhere, the Chrome team has done an amazing job of it.
> If you find a software security person anywhere in the industry who believes that users are safer with Safari, Firefox, or Internet Explorer, let me know about them.
This is not the same statement as "shipping a secure browser."
Also doesn't refute the reality that Google still has a disclaimer of warranty in their EULA. As such that is a specific statement that they do not believe their product to be secure.
What a head-explodey argument: for Google's security team to be taken seriously, you require that Google alter their liability posture in a way that no other software company would. The first public company to do this would face shareholder lawsuits.
Who could possibly find such an argument convincing?
> for Google's security team to be taken seriously, you require that Google alter their liability posture
If they seriously believe that they have the ability to ship a secure browser, what would it matter? The other question I have is if they have this capability, why haven't they?
Here's what I believe. Google will never ship a modern, full-featured, standards-compliant, and secure browser. Specifically they will never ship a secure browser.
> Who could possibly find such an argument convincing?
Pretty much the entirety of the rest of trade across the entire world. When was the last time your grocery store was allowed to sell you rotten food liability free? Companies, in fact, routinely are sued and fined for fraud and false claims. Chipotle just got sued for advertising a 300 calorie burrito that wasn't 300 calories. Why should Google (and Google employees) be able to make false claims and then later insist in their EULAs that they don't actually have to abide by them?
Having a secure browser doesn't protect you from people thinking that your browser is insecure and blaming you for unrelated security failures. Like, have you read /r/talesfromtechsupport or done any user-facing tech support?
Well, I see his point. 3rd Party AV vendors have hacky hooks into the kernel to do what they need to do. And at that point they become kernel-level so they are a juicy target.
Symantec and other AV vendors have had stupid flaws (someone else linked to it in the comments) that allowed remote access and privilege escalation from just knowing the host has a certain AV installed.
All AV seems hacky--except for Microsoft's own, which is what I use and suggest all my friends use rather than shelling out for those subpar products.
Case in point: After years of fruitlessly asking AV companies to stop injecting shoddy patches into their kernel, Microsoft eventually gave up and added active countermeasures which deliberately trigger a kernel panic if certain structures are tampered with. That gave AV vendors the "encouragement" required to move to the sanctioned APIs.
Even ignoring the attack surface, the tools seem to always cause the same kinds of system performance degradation that actual malware does. I'd rather be occasionally hacked!
All I can do is get some popcorn and dream of knowing who's right.