back to article Ah, um, let's see. Yup... Fortnite CEO is still mad at Google for revealing security hole early

The CEO of Epic Games, maker of smash-hit shoot-em-up Fortnite, continues to savage Google for disclosing a security hole in his software. Calling the ad giant "irresponsible" for publicly disclosing the vulnerability on Friday, Tim Sweeney posted a string of angry tweets over the weekend and into Monday accusing the search …

  1. Anonymous Coward
    Anonymous Coward

    On one hand...

    On one hand, it's vindictive from Google... On the other hand, I had created an account on the epic website for the Unreal engine, forgot the password a long time ago, didn't log in in forever. Now I get hourly e-mails from Epic that "Someone tried to log in with your account!!!!" Not that terrible.. If only Epic would allow me to delete that account, but nope. Must be verified. Doesn't particularly raise any sympathy flags with me there.

    1. Anonymous Coward
      Anonymous Coward

      Re: On one hand...

      Aside from your anecdote being largely irrelevant to the article's topic, I'm unclear what your point is. Obviously, they didn't force you to create an account then forget your password. So do you mean there is no lost password recovery option?

    2. Sorry that handle is already taken. Silver badge

      Re: On one hand...

      Someone signed up for an account using my email address. Stopping the emails and then getting it deleted was a total PITA.

      1. Ian Michael Gumby
        Boffin

        Re: On one hand...

        So?

        The correct solution is that when an account is created, it should send a verification request to your email account. No verification, no usable account thus no flood of emails. (Unless its a flood of accounts being set up in your name using the same email address...)

        Sorry, no sympathy here.

    3. Richard Jones 1
      WTF?

      Re: On one hand...

      Yes, or it could be seen as egg on the face of someone who bucked the system, e.g. Epic. One point that no one picked up is whether Epic have modified their installer to check for updates for itself before it tries to run and install anything else. Otherwise leaving it 90 days before a check for updates does appear to be sleeping with a risk factor.

  2. Frozit

    1 week delay from reporting to software company to publishing the exploit. Where has this EVER been considered standard?

    1. ratfox

      It was a one week delay from the moment the patch was released, not from the moment the exploit was reported. Google claims they publish after 90 days or a patch is available, whichever comes sooner.

      The 90 days period is well-known, because so many companies fail to release a patch. It's the first time I hear the second part though. Apparently, Epic didn't know either. It might be in their guidelines and all, but it seems to me that next time, Epic will simply fail to tell them the exploit was fixed until the very last of the 90 days.

      1. Anonymous Coward
        Anonymous Coward

        The only way I know about the patch is Googles action but without a Fortnite account I don't know if Epic made any attempt to alert customers. Past experience with them suggests it's unlikely though and 90 days hoping users update before being exploited or warned is wrong.

        It's very believable Epic would have left users with a vulnerable installer in place for a long time, certain that hackers would be looking at the installer of such a popular game, find the same issues and potentially bypass or block any later automatic update.

        1. Anonymous Coward
          Anonymous Coward

          Malware authors often check software updates to see if they can reverse-engineer any holes that have been patched in the last release. For them it's almost like getting a gift-wrapped way to attack users who haven't patched yet. Prompt disclosure after patching ensures that the issue gets a little more notice and - hopefully - people are a little more likely to patch things quickly. Epic may not like it, but it's the disclosure policy for good reason.

          Given the timescale they patched things in, Epic actually came out from this vulnerability looking pretty good. Unfortunately, their CEO taking to twitter suggesting that they should be given the right to leave some of their user base unaware that they're more vulnerable to attack for up to 90 days isn't a good look, IMO.

      2. Anonymous Coward
        Anonymous Coward

        they publish after 90 days or a patch is available

        Unless it's a bug like Meltdown\Spectre that could cause havoc in their own system, then it's OK to wait for many months....

        1. Anonymous Coward
          Anonymous Coward

          Re: they publish after 90 days or a patch is available

          Meltdown/Spectre arise from hardware design faults, not a software vulnerability. A certain amount of working around these issues can be done in software, so patches could be used to mitigate the problem somewhat, but that relies on software companies (the OS developers, basically) who aren't responsible for the underlying problem to do the work to shore things up. And even after that happens, the only way to actually fix things properly is to replace everything with new hardware that doesn't have the same design faults in the core processors.

          Is it really so hard to see why the disclosure timescale was different for that scenario?

      3. Jim Cosser

        *Vulnerability, not exploit.

      4. David 164

        I doubt Google need Epic to tell them, they can simply download the game themselves and see if it is patched or not.

  3. Will Godfrey Silver badge
    WTF?

    I learned something

    Google take 30%. That is some serious gouging.

    I don't use android, but if I was, I'd now be trying to avoid their app store like the plague.

    1. ratfox
      Boffin

      Re: I learned something

      Where have you been? All the big app stores take 30%, Apple and Amazon included. Apple has set the pace by taking 30% since the beginning of the App Store; the others have just followed. It's slowly changing though: Microsoft also takes 30% for games, but starting from this year, they only take 15% for other apps. Google has also reduced some of their fees to 15%.

      I've heard the argument that it would also cost developers a lot to maintain their own website and payment systems. And in a sense, it's because the app stores exist that users are not just copying every single app under the sky without paying. That said, it does seem that the percentages are going down, so the app stores might have realized they are charging too much.

      1. Byron "Jito463"

        Re: I learned something

        Steam also takes 30%.

        1. MrXavia

          Re: I learned something

          "Steam also takes 30%."

          So the moral of the story is to try and buy software not on these stores... they limit you too much and they take hefty cuts

          1. Pascal Monett Silver badge

            No, the moral of this story is that 30% is visibly perceived as normal.

            Success is when your victims agree with your practices.

    2. Adam 1

      Re: I learned something

      I'm not sure who you're suggesting people go with. Apple store is also 30% (plus another call it 100pa for the account). At the low end of the market, paying 30c to Google or Apple for vetting, indexing, distribution and push of upgrades isn't too bad, but once you start hitting the the expensive apps, you can't really justify it.

      If enough of these sorts of companies separately distribute their wares, the app stores will smarten up.

      1. Anonymous Coward
        Anonymous Coward

        Re: I learned something

        "I'm not sure who you're suggesting people go with."

        This is El Reg, so this suggestion is probably not a good one, but if you watch ads on an ads supported app, the developers directly get ads revenue, skipping the 30% app store grab.

        A better suggestion would be going directly to the developer site and donate for their effort.

        Paying 30% for managing distribution, payment, security, and marketing isn't too bad for most developers at the start. But since now the market is saturated, there is barely any marketing done by those store (when you see the same ads screen over for days you know some people are being left out). Adding to google constant algorithm changing without informing the developers which causes a drop in users app download and usage, the 30% is starting to become a questionable cost.

        For big companies with resource to manage distribution, payment, security, and marketing, the 30% really is a questionable cost.

    3. Argh

      Re: I learned something

      If you use iOS, I hope you're also avoiding their app store like the plague. If you are, good luck installing anything from elsewhere. At least Android allows 3rd party app-stores (which can be given permission to install other apps with no warnings after the initial acceptance of the permission for the store), or installing individual apps.

      1. Anonymous Coward
        Anonymous Coward

        Re: I learned something

        The problem with third party app stores is you don't have the assurance you get from using Apple's or Google's "official" app stores. OK, they aren't perfect but they are a heck of a lot more secure than any third party app store. Reg readers don't realize the hazard this creates because Reg readers are mostly techies capable of exercising good judgment about enabling third party app stores and knowing which ones they can probably trust.

        But many many Android users will end up being tricked into using dodgy app stores that install Fornite loaded with a generous helping of malware (cryptocurrency miner if you're lucky, but possibly something much worse)

        Once people cross that Rubicon and enable third party app stores, it is MUCH easier to trick them into installing other things they shouldn't from sources they should absolutely not trust, since it requires fewer steps and passing fewer scary warnings (I don't know if Android has scary warnings if you enable third party app stores, but it should)

        1. Prst. V.Jeltz Silver badge

          Re: I learned something

          many Android users will end up being tricked into using dodgy app stores that install Fornite

          If they dont get it from fortnite.com , which is where I assume the correct version resides they have only themselves to blame surely?

          Thats on a par with clicking on sexyladies.exe in an email

    4. Richtea

      Re: I learned something

      Back in the distant past (2001 - 2008) before OS-based mobile app stores it was normal for the developer to only get 25% of the published price.

      The split was roughly 45--55% to the mobile network, with the remainder split 50-50 with the 'aggregator' - a 3rd party quality gate / company used by mobile networks who didn't want to get involved in app stores, they just wanted the income.

      I'd say losing a mere 30% is reasonable, but for the fact that its barely possible to charge for an app nowadays. Its just pixels and bytes right, so why do I need to pay for it?

      1. Prst. V.Jeltz Silver badge

        Re: I learned something

        but for the fact that its barely possible to charge for an app nowadays

        Well , so many people seem to want to make them for fun..... thats what put me off getting into coding as a career when i was a teenager - there were people coding games (16bit) i could only dream of coding - and then giving them away , presumably as a sort of distributed CV for their real jobs.

        I later learned you can make a living putting bits of vba into excel sheets, which i keep meaning to try.

        You need to get into corporate apps , ideally in health or education , then you can charge the earth for any old rubbish.

    5. iron Silver badge

      Re: I learned something

      I hope you don't ever buy anything in a bricks and mortar store, they generally take 50% or more of what you pay.

      1. Will Godfrey Silver badge
        Angel

        Re: I learned something

        Well now, some rather surprising responses.

        However most miss the mark because I don't have a smart phone at all - there wouldn't be much point, as (until a couple of years ago) it would have spent most of its time in a security official's locked box. Many places I've worked have an absolute prohibition on cameras.

        Having fat very dry fingers doesn't help - that's when they are not fat oil-covered ones.

        This will all change soon, but I've got so used to a very basic dumb phone, I doubt I'll change it.

      2. DocNo
        FAIL

        Re: I learned something

        Huh?

        http://www.aei.org/publication/the-public-thinks-the-average-company-makes-a-36-profit-margin-which-is-about-5x-too-high/

  4. Fungus Bob
    Facepalm

    Millionaire pissing contest

    'nuff said

  5. Anonymous Coward
    Anonymous Coward

    'User security is our top priority'

    Epic have been too lightweight about security, and have been caught out badly by the success of Fortnite. But problems began years ago, when the forums started to be hacked. They didn't do enough then and they're still not doing enough. They need to hire more in-house Security professionals and Community Managers to deal with the fallout. This is a pretty typical thread:

    https://forums.unrealengine.com/unreal-engine/feedback-for-epic/1453715-epic-your-account-security-design-is-atrociously-bad

  6. Anonymous Coward
    Anonymous Coward

    Who do you believe? - 'Wired' say the 'Play Store' is a Malware magnet:

    https://www.wired.com/story/android-users-to-avoid-malware-ditch-googles-app-store/

    1. This post has been deleted by its author

    2. Cuddles

      Re: Who do you believe? - 'Wired' say the 'Play Store' is a Malware magnet:

      It's not a question of who to believe. Of course the Play Store is a malware magnet, for the same reason that Windows has historically been a malware magnet - it's where the vast majority of the targets are, so it's where the criminal focus their efforts. As long as that central target repository exists, you can avoid most of the bad actors by simply not using it. But that doesn't mean things would necessarily be better if it weren't there, since you'd then just be in a wild west where people with no clue what they're doing downloaded any random crap from anywhere. Those of us who have had to help out family members who have managed to fill up their entire browser with toolbars know just how well that can work out.

      The problem is that you ultimately have to compromise in some way. Locking down a device so that a single central authority can control what can and can't be installed can potentially provide good security, but at the cost of user freedom as well as making an obvious target for attack. Allowing anyone to do whatever they like results in anyone being allowed to do whatever they like. Whether Android's attempt to do a bit of both is better is a subject for debate, but it doesn't seem inherently worse than either extreme.

  7. Sorry that handle is already taken. Silver badge
    Headmaster

    Shmup

    shoot-em-up Fortnite
    Fortnite is a shooter rather than a shoot-em-up.

    1. Prst. V.Jeltz Silver badge
      Headmaster

      Re: Shmup

      I beg to differ, all shooters are shoot 'em ups , but not all shoot 'em ups are shooters.

      1. Boothy

        Re: Shmup

        Quote: "I beg to differ, all shooters are shoot 'em ups , but not all shoot 'em ups are shooters."

        Wrong way round.

  8. Ian Michael Gumby
    Big Brother

    Bad action on the part of Google.

    Google's security team turned down Epic's 90-day request and published the information one week after the patch. It's not clear when Google informed Epic it was going to publish the details; the issue tracker page refers to an email sent direct to Epic.

    Google does have some explaining to do. Maybe they don't think its evil on their part?

  9. DeKrow

    When elephants fight, it is the grass that suffers

    Disclosing the details of the vulnerability seems inconsistent with their statement:

    “User security is our top priority..."

    With the popularity of the game it would be more "user security" orientated to state that there WAS an issue that's now fixed, but save the technical details, that allow exploits to be developed by bad actors, for a good while longer than a 7-day grace period.

    "The security of users that perform at least weekly updates of all their software are our top priority"

    Kinda niche compared to their actual statement.

    1. SkippyBing

      Re: When elephants fight, it is the grass that suffers

      Making money is our top priority, everything else falls somewhere beneath that as without money you don't have a business.

      Remember this whenever an airline says safety is their top priority.

  10. ecofeco Silver badge
    Facepalm

    Here's a novel idea!

    Stop making shit products.

    1. Francis Boyle Silver badge

      Given that the issue in question is a vulnerability

      that's like suggesting that builders make houses that can't burn down.

    2. HolySchmoley

      Re: Here's a novel idea!

      >Stop making shit products.

      Do you mean the shit products that have turned unelected, almost unaccountable 'big business' (*) into the basis of a surveillance society that the Stasi only dreamed of?

      Or are you talking about products with accidental bugs, like like Fortnite, made by the small fry?

      (*) G, FB, Apple...

      1. ecofeco Silver badge
        FAIL

        Re: Here's a novel idea!

        Any security vuln is NOT trivial.

  11. crediblywitless

    "malice of forethought"? I suspect you meant "malice aforethought".

  12. This post has been deleted by its author

  13. Jamtea

    Price gouging is not particularly nice, but at least some of that 30% does go a towards paying for the whole android show and future development. Without the play store there is no android. People have to accept this fact.

    Also, despite Google flying within spitting distance of being evil on occasion, I'd rather know if I'm staring down the barrel of a gun by having certain apps installed rather being oblivious and kept in the dark by developers who want to keep their security flaws hushed up.

    Either way, better the devil you know.

    1. Anonymous Coward
      Anonymous Coward

      "Without the play store there is no android. "

      LOL!

      What's all the data hoarding and advertising is for? Store revenues are just the cherry on the cake.

      I would understand the store fees if Android didn't gather all those user data, and didn't sling so many ads - covert or not.

  14. tiggity Silver badge

    Gouging

    For their 30% ...

    Google provide payment system (for app purchase and in game), which makes life easier for a small dev as the hassle about complex PCI DSS requirements is removed, just use their APIs & follow their simple rules

    Google scan app for malware, reassuring dev and end user.

    Google freely "hosts" your app for people to download.

    Google supports (via Google play games) in game "achievements / rankings" saving game devs that hassle as easy to use their APAs

    Google provide free app review system via ppplay store

    Google do some marketing for you e.g. people who used X also downloaded Y (where Y is your app)

    If your app gets good reviews it will rise up the rankings for its sector in the play store,increasing its visibility to users ("free" marketing based on reviews).

    For a huge company then worthwhile doing it themselves, but for small app maker the "gouge" can be worthwhile given the benefits.

    Full disclosure, I have had app on the play store...

    It was free (no ads either) and so cost Google money to host it. Lots of apps on there are free and ad free : Not everyone releases apps for profit but because they thought others may find it useful / interesting, or (in many cases) / to provide mobile interaction with their main product (e.g. don't like our website on mobile?, use our app instead)

    1. Solarflare

      Re: Gouging

      Google scan app for malware, reassuring dev and end user

      There have been hundreds of cases involving numerous infected apps on Google Play which have only been removed after someone made the larger comminuty aware of the problem. Now I'm not saying that any malware scanner is perfect, but Google's method for vetting apps has been derided as being very poor for quite some time.

  15. Anonymous Coward
    Anonymous Coward

    "App" stores ...

    Can't speak for Apple, but last time I had to browse the Android "app" store there were an inordinate number of "apps" which were just HTML help files instructing you how to do what you wanted an app for.

    Which suggests the quality/quantity crossover is in the wrong place.

  16. Anonymous Coward
    Anonymous Coward

    F google

    They don't let you know when they remove malicious apps from the store - that you downloaded. Last year that count was over700,000. But you have to have a valid Email to download - WTF google?

    Do no evil, oh yeah, you rescinded that.

  17. oli_from_germany

    Testing Procedures?

    Does Google really have different tools to reveal such bugs? Or are they available to Epic as well? Then, why did the bug slipped through the procedures? Epic can only blame themselves.

  18. Mark Manderson
    WTF?

    maybe i just dont get the point but....

    now that we know they are happy to take the 30% hit via apple store, what the F gives with this twat having a beef with google taking a 30% cut in their play store?

    The man seems an asshat and full of his own self importance to me, well done Epic youve had a best seller after all these years, Bravo, now stop being a dick.

    1. CRConrad

      Yeah, I think you dont get the point.

      How do "we know they are happy to take the 30% hit via apple store"?

      Maybe they just avoid it only on Android because they can't (at least easily) avoid it on iOS.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like