Comment Re:They can't stop unlockers (Score 1) 284
Legality is all about clever interpretation of language. Depending on what your definition of "is", is, or whatever. Here are some alternate interpretations for your enjoyment.
We reviewed the code = we looked at some code. This does not mean code was changed. In fact, it probably wasn't changed.
Ensure our customers' security = too nebulous to be meaningful. Security according to whom? Security in which sense? Do they think that the overall security of everyone is improved if their users can be spied upon to prevent violent crimes happening to other users? What is the timeframe between an exploit and a patch? You can't fix everything, because fixing costs money - so how much exploitation / negative PR does it have to reach before it gets acted upon?
Industry-leading security = some freebies for your game of buzzword bingo. You can't measure security like that. Sure, you can compile some metrics from past data, and maybe have a metric that you can compare to another company's metric, but that doesn't give you a complete picture of security. What about what the users are encouraged to do by popular software and blogs? The end-user's security is out of your control. As it should be.
Take appropriate steps = some coders were tasked with presenting options to their managers, who slimmed those options down for their managers, who decided whether various things were appropriate, using decision-making tactics that the coders may not have been privy to. Maybe they said no to the steps due to the cost of fixing it, or the upcoming new version making the broken one obsolete. Maybe that's where it stopped, and they called that appropriate steps. If not? Positive steps may not have been taken, profitable steps were probably taken, incompetent steps were almost certainly taken. Pork barrel maneuvering may have happened in those meetings too. You know, "we can fix it if we can increase our budget by X" or "we'll need to get more people working on project Y since it includes that fix". And it would be pretty simple to create a fix and put in a new back door in the same patch... fix it, say you fixed it, and shuffle the new one under the rug.
Stay ahead of malicious hackers = We're really hoping that these nerds are right that this is going to be hard to break, because we spent a lot of money letting them research it instead of making some other part of the experience more stylish.
Defend our customers = When they are attacked, we will shake our fingers and give those nasties such a tut-tutting! Maybe we'll release a patch in three to six months or a year or two, if the managers interpreting their budgets and allocating them to those spreadsheet columns allow that. Otherwise, we'll just tell the engineers to make sure they fix that in the next version, but the deadline can't slip, so if it doesn't make it in under the wire we'll maybe patch it after the fact. Sometimes, too, you have to take a hit from one enemy while you're stopping a hit from another enemy. Maybe you'll let the spiders in your kitchen live, hoping they will help you out with those fruit flies, or you'll let the huntsman spiders live in the basement to keep the black widows out. Could it be that they see an ecosystem and have decided that certain less-problematic enemies are keeping more problematic enemies away? Did someone wine and dine the relevant managers and convince them that they should be allowed to live in there under some pretext of security?
I've worked in a large company for long enough that I know that if you say you're doing an "internal investigation" after the problem is in your face, then you probably have six months to two years to complete the investigation before enough people start to jump ship for it to matter. At that point, the product is probably obsolete and your faithful sales reps have been touting each new version as better and more secure.
Call me cynical if you must, but I don't see any actual descriptions of what's being done behind closed doors at any of these companies or what's changing in the patches they roll out.