Slashdot Mirror
Google's Project Zero Aims To Find Exploits Before Attackers Do
DavidGilbert99 (2607235) writes "Google has announced Project Zero, a group of security experts who will hunt down security flaws in all software which touches the Internet. Among the group is a 24-year-old called George Hotz who shot to fame in 2007 when he was the first to unlock the iPhone before reverse engineering the PlayStation 3."
Quoting the Project Zero announcement: You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. ...
We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.
All issues will be reported to the usual public vulnerability databases after vendors are given a short period to fix their systems and software.
All software that touches the Internet?
Good luck with that.
Perhaps it'd be more practical to target all commercial off-the-shelf software that touches the Internet.
>> automated software that throws random data at target software for hours on end to find which files cause potentially dangerous crashes.
You could just replace that with "fuzzing tools." :) The "files...cause...crashes" is kind of funny too.
+1 if i had mod points left
how can anyone trust anything these guys say anymore? If they are working with the governments they can never say and if they aren't the history of their involvement is to much to get past.
I for one, from now on will avoid all large american corporate products and services. I will never again trust an american software company, at least before we could believe their agendas we're purely greed for owners/stock holders now we have no idea who's pulling the strings and who's motive is it we need to worry about
...abandoning it in favor of what? What real (or trending) alternatives do you think they'll pick? Phones and fax?
It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
So, are they planning on buying copies of said software, and testing it in house?
Or do they think they're going to be doing penetration testing without permission? Because, the last I heard, that was actually illegal.
Lost at C:>. Found at C.
I thought there were stories here about white hat/ black hat the courts don't care - go to jail.( Not that I agree with the rulings) So Google gets a by on the laws?
First it was accessing and data-basing "open" wifi, now they want to hack everything. Google is Skynet 1.0
we want to hack everything we can get our hands on to gather as much data as possible, before people catch on, so we can add it to our already ridiculously large collection of data about everybody and everything. but don't worry, we wont harm your systems and we'll tell you about the exploits we may find (after, of course, we've siphoned off all we can) and naturally, any data we may find is covered by our incredibly strong (in our favor, btw, not yours) privacy policy.
actually yes we use google mail at our educational institution, my department works with sensitive data, even though we have many signed agreements from google saying they don't / wont export our data off campus. We're no longer allowed to email any documents even internally containing student information. Back to fax and walking to someones office.
You don't have to trust them. Even if they don't point out the vulnerabilities that the NSA use, they will point out vulnerabilities that the Russians or Chinese might use, and that's already better than nothing.
The Internet is insecure by design: http://www.worldofends.com/#BM...
Okay, but *eventually* I think they are bound to figure out that a better alternative to this situation is going back to a site-local webmail service instead of a third-party black-box cloud (even if they promise the data stays in your server room).
In this sense, I think it's not a risk but a good thing - people start to realize that giving data to third parties may not be smart.
It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
SO I just post my software and these guys do a free security analysis. Cool, now I can be sloppy!
Some drink at the fountain of knowledge. Others just gargle.
Typewriters.
If you're going to specifically call out one person... shouldn't you post publicly under your own account rather than hiding in anonymity? Otherwise you have no credibility.
#DeleteChrome
personally if i had a choice i'd give my data to Russia or China before i gave it to the USA.
america needs power taken away not exclusive rights to this sort of power.
It's not an exclusive right; what's stopping you, or anyone else, from doing the same thing, so you can be sure you're finding *all* the vulnerabilities?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
It's not an exclusive right; what's stopping you, or anyone else, from doing the same thing, so you can be sure you're finding *all* the vulnerabilities?
Perhaps you misunderstood all the previous comments....
Here's whats stopping me:
I'm not a government agency that can just walk into major software companies and say include this back door for me now, or your a traitor and you go to jail for treason or worse.
so yes it is an exclusive right to governments and this google campaign i see as nothing more than a way to ensure that the USA continues to have this advantage over everyone else.
1. If the government under some stupid national security rules ordered google to do something bad they would have to and would have to deny doing it.
2. We have evidence this has happened already.
Was it Geohotz who blew the SHAtter bootrom exploit in order to be first with a JB a few years back? I forgot, but if it were him, that did a number on the entire jailbreaking ecosystem because those level of exploits are extremely rare.
As an AC, please correct (or mindlessly flame) if this is incorrect.
Between Google and the NSA?
"If any question why we died, Tell them because our fathers lied."
The normal microshaftic practice is to let users, virus writers and malware
developer take a shot at this first.
Now google is saying they are going to bug test their code first?
Truly shocking!!
If its like their past behaviors, they'll tell everyone unless the government asks them not to under penalty of law - and they'll have the FISA court paperwork to make it stick. After all, Google now has a responsibility to its shareholders to not do illegal things, right? As such, I can't see this as more than a PR stunt.
That is all.
These security researchers may be payed well by Google, but the most valuable exploits will sell for more than their yearly salary on underground markets. They can stay anonymous on these markets, and will not miss a payday opportunity like that out of the goodness of their heart. Further, they will not find all the exploits. This effort removes the low hanging fruit at best, and is largely a marketing stunt. As a case-in-point, Microsoft already dedicates massive resources to finding bugs in their own software and yet the exploits march onward.
Ok so when I first read the title I read "Google's Project Zero Aims To Find exoplanets Before Attackers Do".
I first thought that Google not being satisfied with all of earths info was going after aliens info. under the guise of preventing alien attacks on earth.
Ok the so combination of dyslexia and watching to much sifi of is it syfy now have completely rotted my brain.
Turning off the TV and going for a drink tonight.
We can say no bounds, but perhaps a set of 'guidelines' might be
1) The primary goal is to find exploits to help get their holes fixed.
2) We will not use what we find to hack systems for other purposes.
3) Probing will be inside Google on contained networks with permission of the owner.
4) Setting up any system we can legally have is fair game.
5) Limited legal outside reconnaissance to figure out what we should setup inside is fair game.
6) Results will be released in the manner most likely to get the worst holes fixed quickly, sometimes without regards to the convenience of the bug owner.
all my data will be seized by Google and used for nefarious purposes! call out the National Guard! we are doomed!
if this is supposed to be a new economy, how come they still want my old fashioned money?
That said, it's still not an exclusive right, as implied by the comment to which you were replying:
Even if they don't point out the vulnerabilities that the NSA use, they will point out vulnerabilities that the Russians or Chinese might use, and that's already better than nothing.
Unless Russia and China became part of the US and I just never heard about it.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
And lets not forget that Google works FOR the government.
Programs are about to become very very stealthy.
Google wants to sell us your sploits now?
or even some random hacker/script kiddie.
security is not a binary, more security == better.
Also, the less backdoors exist, the more aparant the ones that do exist are.
If you eliminate all other backdoors except the NSA's, you can be more certain the backdoors that do exist actually belong to the NSA, and the more a single entity relies on a single backdoor is the more likely it will be discovered/found/patched/made irrelivant/worked around.
The poster of "Future Proof Jobs" should have read this subject rather than posting his question.
no, I don't have a sig
Which means, from this perspective, he's exactly what we need.
Think about it.
I'm glad to hear Google is dedicating resources to finding exploits in Internet softw...hey, wait, where'd my Bitcoins go???
fucking hippies are here to save the planet...
That's bullshit. A lot of people don't even have an account. An account ads nothing.
Look at the statement, not the poster.
If you ignore ACs because they are anonymous - you're an idiot.
My program for constructing it gives you better added speed, security, reliability, & even anonymity (it works for all of that, better than anything else + is free)!
APK Hosts File Engine 9.0++ 32/64-bit:
http://start64.com/index.php?o...
(Details of benefits in link)
Summary:
---
A.) Hosts do more than:
1.) AdBlock ("souled-out" 2 Google/Crippled by default)
2.) Ghostery (Advertiser owned) - "Fox guards henhouse"
3.) Request Policy -> http://yro.slashdot.org/commen...
B.) Hosts add reliability vs. downed/redirected dns (& overcome redirects on sites, /. beta as an example).
C.) Hosts secure vs. malicious domains too -> http://tech.slashdot.org/comme... w/ less added "moving parts" complexity/room 4 breakdown,
D.) Hosts files yield more:
1.) Speed (adblock & hardcodes fav sites - faster than remote dns)
2.) Security (vs. malicious domains serving malcontent + block spam/phish & trackers)
3.) Reliability (vs. downed or Kaminsky redirect vulnerable dns, 99% = unpatched vs. it & worst @ isp level + weak vs Fastflux + dynamic dns botnets)
4.) Anonymity (vs. dns request logs + dnsbl's).
---
* Hosts do more w/ less (1 file) @ faster levels (ring 0) vs redundant inefficient addons (slowing slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ os, & 1st net resolver queried w\ 45++ yrs.of optimization).
* Addons = more complex + slow browsers in message passing (use a few concurrently & see) & are nullified by native browser methods - It's how Clarityray is destroying Adblock.
* Addons slowup slower usermode browsers layering on more - & bloat RAM consumption too + hugely excessive cpu use (4++gb extra in FireFox https://blog.mozilla.org/nneth...)
Work w/ a native kernelmode part - hosts files (An integrated part of the ip stack)
APK
P.S.=> "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"
...apk
I'll reply to you, as you're the closest to the angle I was going for.
Cross-posted from another site, with two more sentences here.
Okay, picking my words a little and hoping I get my tone right...
I get that Google (and Facebook and all kinds of other gangs) are *selling info*. It's sleazy, but to me that's "grey hat". It's "we're psychologically manipulating you to make money, but you knew that but we made the services nice and fun/useful so you don't care". I've been reading a huge Star Trek DS9 Re-Watch overview, and that feels so like a Quark move - he's devious but eventually even he draws his lines.
Secret silent software bugs that only X number of governments even know exist is a whole other level of Black Hat. (Really, somewhere in the combo of Heartbleed and the True-Crypt mess I got grumpier than I have been in a while.)
So Google isn't some poor 12 man op with a lonely tech who was beaten by big guys - behind the sales guys there's a *lot* of tech crunching firepower there. So *maybe* the Agencies have a bit of a lead on them, but I'd bet not as big as those Agencies thought.
It's a fascinating twist - Govt can beat up "little guys" a few at a time in a Divide and Conquer strategy, but what if this story catches on, and then Microsoft and Facebook and Apple and Samsung and your choice of others jump in?
(I put Samsung in there because software bugs know no boundaries, so it's specifically a test of geographic negotiations beyond the US level.)
Short Selling jokes aside, can the US even manage to indict the CEO's of all of US tech? Their dealmaking might just be on the verge of coming to bite them. (There was a TV series about all that, corps, totally owning govt openly and outright.)
When we're not busy snarking in the Basement or the Living Room, having a gaping security flaw in software isn't good for any of these companies. So maybe (making up a name) Gennady Li Chandarovskiyij-Maharujshi is the greatest programmer alive at one of the Agencies, but can he really stand up to a world wide team that's now pissed off??
Going all story fiction for a moment, imagine it:
All these companies, led by the big dogs with little guys lending a spare hour;
CEO's around the world getting royally pissed and saying "our products are dominant enough and we have time to put away our micro-jockeying. Let's spend an entire year and 700 billion dollars/whatever to clean this mess up. Grab anyone who has any legit idea whatsoever about software security and let them do whatever they want (jokes aside), no questions asked including extra perks like the 90's like croissant sandwiches in the break room."
US Govt is slowly winning the PR war against "Anonymous", but what if the Big Tech companies with tips from millions of freelancers all unite and say "Thanks for all the fish, yummy, now watch what you made! We have a worldwide "team" of over a *thousand* software people (and four space aliens, only three of which you know about.) Do you *really* wanna keep doing this? Or can we just get back to selling people's info for money?"
At least in my imagination I wanna believe we're on the verge of Tech calling Govt's bluff that they've been going "Divide and Subdue" too long, and the beautiful part is all the bribery is (mostly) illegal - how can they even pretend to shout about 770 companies and 12,345,845 freelancers all spending an entire year on software security?
So that's my message of daydream hope!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
"Thank you - for believing in me"...
* Had to do it, it's such a GREAT film (it's inspiring), & it fits here also. I just finished re-watching it, & decided to say thanks to you, albeit in a different way than originally in my 1st reply to you is all, this time, via analogy in film (the greatest artform there is, imo, other than books).
APK
P.S.=> If you haven't seen it? By all means - DO (yes, it's THAT good)... apk