Google settles location tracking lawsuit for only $39.9M

Google has settled another location tracking lawsuit, yet again being fined a relative pittance. Washington State Attorney General Bob Ferguson's office announced the $39.9 million fine last week, along with news that Google will have to implement several state-ordered tracking reforms that clarify what data is being gathered …

  1. b0llchit Silver badge
    Facepalm

    ...while also saying it plans to stop assigning CVEs to most reported issues...

    Of course! The vulnerability stops being vulnerable when we do not assign it a tracking number! Then all the bad guys have to guess which vulnerability is vulnerable. The good thing for Google is that they are effectively making it more difficult for the bad guys to be vulnerable. Yay!

    /s

    Hiding your faults is just security by obscurity. Google has no interest in making things better. They just want to milk you a bit more and that always functions better when the costs are kept low.

    1. Version 1.0 Silver badge
      Facepalm

      If you made $60M by selling the data to advertisers, then paying $39.9M is just a lower profit these days... and if you only sold the data for $10M, then you have a nice tax deduction that helps other profits.

    2. DS999 Silver badge

      However

      People who compare the security of Android to iOS by counting CVEs will falsely believe Android is much more secure. Already Apple assigns a CVE for everything, even stuff they discover themselves, while Google only assigns them for stuff discovered externally unless it is being exploited so the numbers aren't comparable - but at least they are meaningful if you understand the context. Now Google's numbers will go down to near zero, presumably only assigning a CVE for stuff that's getting exploited and sweeping everything else under the rug as "not a problem because as far as we know no one ever exploited it".

      I'm surprised it is Google doing this, the "head in the sand" approach seems more like it would have come out of Microsoft's playbook!

  2. gzgweilo

    Set top box manufacturers......

    "who bought an infected set-top Android box from Amazon manufactured by Chinese company AllWinner, several popular models from AllWinner and fellow Chinese firm RockChip"

    My understanding is they are the chip manufacturers and, as far as I know, just supply the chips to a multitude of small and medium-sized box manufacturers/copiers... So is it the actual chips or additional code added?

    Are boxes with Amlogic chips ok?

  3. Anonymous Coward

    Not always who you think

    I was attending a presentation where the speaker let us know he was looking into manageable light bulbs as a security project. He found that most bulbs used the same firmware. He found where to download the most recent firmware, to enable all the features that were disabled on some brands. He then modded the firmware to call home to his equipment (company IP). Then, just for giggles, he checked if he could upload firmware where he downloaded it from - it let him... He uploaded his firmware, which has been installed (by counts of connecting to his system) too many times to count, as his version was put on at various companies who used the same master source.

    So the criminals may not be ANY of the companies involved. I can't recall the name of the speaker, but he is well known and I expect he published at least some of what he spoke about.

  4. Anonymous Coward

    KeePass vulnerability

    If I'm reading it right, exploiting the KeePass vulnerability requires access to system-level memory dump files. If you have that level of access, then installing a keylogger would be about as simple. Since not even the encrypted database is available outside the device, this doesn't seem like that big of a security hole. The one exception is shared computers, where another user might possibly, maybe, be able to get the KeePass password, but would still need to get the encrypted database.

    1. Michael Wojcik Silver badge

      Re: KeePass vulnerability

      It's conceivable a dump file gets backed up to another device or a remote storage location, and the master key is harvested from there. Failing to protect the master key is going to introduce new branches into the attack tree however that failure occurs.
