
Comment Re:This is why "responsible disclosure" isn't (Score 1) 27

This isn't the first, or the tenth, or the hundredth time this has happened to some security researcher dealing with some company.

It's absolutely not even the thousandth time a researcher has submitted an invalid report, then whined about not getting paid for it.

Comment Re:We want to keep the backdoor a bit longer (Score 1) 27

Google Non-Specialist: Nice Catch!
Actual Engineering Team: It's not a bug. Proxied access through a Service Account is the whole point of what this product does. Maybe our docs should have more warnings or we should put in another layer like the competing tool if people are going to get confused and shoot themselves in the foot.
Google Non-Specialist: Invalid, but we'll keep a case open to idiot-proof already acceptable behavior.

This is correct. Mod parent up.

Comment Re:Seems defensible. (Score 1) 27

How would it have damaged Google to (a) give credit where it's due and (b) cut a $50,000 check?

For a report that isn't a vulnerability? Well, it would have cost them $50k, and they'd have gotten nothing for that money -- other than to encourage researchers to submit invalid reports.

Comment Re: You know it kind of bugs me (Score 1) 118

It may be that you define their pre-installed apps as not crapware, but that's a judgement call, not a statement of technical fact.

Oh no! You can't remove... *checks* the app for moto actions, and an app for notifications!

What I'm talking about is bundled apps like Faceboot. They can be removed.

You don't even buy a Moto phone unless you want Moto actions, so yeah it's a judgement call, but if you already made the call to buy Moto, then you've already made the other call as well.

Also, a bunch of Google Apps. Moto bundles those as well. You apparently don't consider them crapware, but other people disagree.

As for Facebook, etc, there's another class of "virtually pre-installed" apps (I forget what the actual term is) which aren't actually part of the system image. Instead, the system image has a list of apps the device will automatically download and install after factory reset, so they're present by default but you actually can remove them. Whether Facebook is really pre-installed, virtually pre-installed or not pre-installed depends, of course, on the OEM and how much Facebook is paying them.

Google's terms mandate, of course, that even pre-installed apps can be disabled. OEMs are not allowed to block that.

Comment Ban violent games? Good luck with that... (Score 1) 99

Not being much of a gamer I haven't followed this story (at all!) so the headline and initiative name "Stop Killing Games" made me think it was 1.3 million signatures from people who want to ban games in which people are killed. "No way that's going to pass," I thought. People love virtual murder.

Then I figured out that it's the killing of the games people want to stop, not the games that include killing.

Vaguely related, I had a serious EverQuest addiction ~20 years ago (the reason I gave up on any but the most casual of gaming), and I noticed a few weeks back that it's still available on Steam, and free to play, so I downloaded it and logged on, and even found my old character still there (though with zero gear because I gave it all away when I quit playing). The UI is dramatically different, but the general content seems the same. It's no longer very interesting to me, though.

Comment Re: You know it kind of bugs me (Score 1) 118

Moto phones bought direct have no unremovable crapware.

The pre-installed apps are just as unremovable on Moto as any other (unless you unlock the bootloader; some Motos have unlockable bootloaders). It may be that you define their pre-installed apps as not crapware, but that's a judgement call, not a statement of technical fact.

Comment Re: You know it kind of bugs me (Score 1) 118

Phones that run stock Android are usually pretty good at letting you uninstall/disable anything you don't want.

Disable, yes. Uninstall, no. If it's pre-installed it's part of the system image, which is mounted read-only and protected with fs-crypt. Actually modifying that would require root access to remount it rw and to disable fs-crypt.

That would also, of course, completely destroy the Android security architecture, leaving you wide open to all sorts of attacks. If you want to do that, get an Android device that has an unlockable bootloader (e.g. Google Pixel), unlock it, then do whatever you like. And be sure not to hire any evil maids.

Comment Re:For what? (Score 1) 67

Interesting, that explains a lot. Until now, I thought I might want to try Cursor, but I already have VS Code with Claude and GitHub Copilot, so why bother!

The integration is a little better in Cursor; the main difference being the in-line edit diffs. But I bounce back and forth between Claude Code and Cursor, so I end up just using the git diff view to look at changes about 80% of the time, so it's not much better.

Honestly, my reason for using it is that I have separate Claude and Cursor token budgets -- though I set Cursor to use Claude so I'm using the same model both ways.

Comment Re:Well, let's face it (Score 1) 54

You don't need it on consumer hardware

Except for, you know, illegal immigrants, legal immigrants, naturalized Americans and even American born, and all the other people targeted by their governments.

If your government breaking into your house and applying hardware-level attacks to scrape your secrets out of the RAM of your running computer is seriously part of your threat model, it's almost certainly very, very far from your biggest concern.

Also, you should probably consider turning your computer off.

Comment Alternative view (Score 1) 172

I'm not disputing the article's claims, just pointing out that it doesn't appear to be universal.

What I'm seeing is a significant uptick in job opportunities and recruiter pings coming my way. I haven't seen this much interest in several years. I'm a senior SWE with a focus on security and a solid resume.

My guess is that lots of senior SWEs are seeing this. Deep experience pairs very well with AI, making each engineer able to do what a team of several could do previously. This could obviously come at the expense of positions for the rest of that "team of several", though. Plus there's the other concern that if AI doesn't progress to be able to replace the senior engineer, too, the industry is eating its seed corn; when the experienced folks retire there will be no one to replace them.

That's not all companies, though. My own current employer (Applied Intuition) is hiring like crazy, at all levels and especially entry level. What's more, we're not the only ones because we're actually struggling to hire new grads. They come interview and things seem good, but then a large percentage of them decline our offer. I have no idea what we're offering new grads, but Applied's compensation seems generally good (I'm satisfied with mine).

My guess is the problem is that Applied falls into an awkward place in the Silicon Valley space of companies: Already quite big ($15B valuation) and close to IPO so the pre-IPO equity isn't likely to make you independently wealthy unlike an earlier-stage startup, but still pre-IPO so the equity can't easily be spent. So, new grads looking for a potential huge payoff are disappointed, and those looking for lots of immediate cash are also disappointed.
