

Google's Project Zero Aims To Find Exploits Before Attackers Do

DavidGilbert99 (2607235) writes "Google has announced Project Zero, a group of security experts who will hunt down security flaws in all software which touches the Internet. Among the group is a 24-year-old called George Hotz who shot to fame in 2007 when he was the first to unlock the iPhone before reverse engineering the PlayStation 3." Quoting the Project Zero announcement: You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. ... We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. All issues will be reported to the usual public vulnerability databases after vendors are given a short period to fix their systems and software.

37 of 62 comments

  1. Ha! by rockabilly · · Score: 1

    All software that touches the Internet?

    Good luck with that.

  2. Limit to COTS by tepples · · Score: 1

    Perhaps it'd be more practical to target all commercial off-the-shelf software that touches the Internet.

    1. Re:Limit to COTS by Hamsterdan · · Score: 1

      Still covers a lot. Almost every software checks for updates.

      Besides, HOW will they finance that operation?

      --
      I've got better things to do tonight than die.
  3. "fuzzing" by xxxJonBoyxxx · · Score: 2

    >> automated software that throws random data at target software for hours on end to find which files cause potentially dangerous crashes.

    You could just replace that with "fuzzing tools." :) The "files...cause...crashes" is kind of funny too.
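The article line quoted in the comment above is a fair, if clumsy, description of mutation fuzzing: take a valid input, corrupt it at random, feed it to the target for many iterations, and keep whatever makes the target fall over rather than reject the input cleanly. The following block is an added example, not code from the original page, from Google or from Project Zero. The target `parse_record` is a hypothetical toy parser with a deliberately planted bug (it trusts the length byte when reading a trailer), the seed input is constructed, and the mutation operators are the usual minimal set (byte flip, insert, delete, truncate). Crashes are bucketed by exception type and the line that raised it, which is the simplest form of the deduplication real fuzzers do.

```python
"""Minimal mutation fuzzer against a deliberately fragile parser (added example)."""
import random
import traceback

# Constructed seed input: 3-byte magic, version byte, payload length, payload, trailer 0x7f.
SEED = b"HDR\x01\x05hello\x7f"


def parse_record(data: bytes) -> bytes:
    """Hypothetical toy target. Planted bug: the trailer is read at an offset
    taken straight from the untrusted length byte, with no bounds check."""
    if len(data) < 5:
        raise ValueError("short input")      # expected, clean rejection
    if data[:3] != b"HDR":
        raise ValueError("bad magic")        # expected, clean rejection
    length = data[4]
    payload = data[5:5 + length]
    trailer = data[5 + length]               # IndexError when the length byte lies
    if trailer != 0x7F:
        raise ValueError("bad trailer")      # expected, clean rejection
    return payload


def run_target(data: bytes):
    """Run one input and classify the outcome.
    Returns ("ok", None), ("rejected", None) or ("crash", bucket_key)."""
    try:
        parse_record(data)
        return "ok", None
    except ValueError:
        return "rejected", None
    except Exception as exc:                 # anything else is a bug in the parser
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return "crash", f"{type(exc).__name__}@{frame.name}:{frame.lineno}"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite, insert, delete or truncate."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(seed_input: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Mutate the seed `iterations` times; return {crash bucket: first input that hit it}.
    The RNG is seeded so a run can be reproduced."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        candidate = seed_input
        for _ in range(rng.randint(1, 3)):   # stack one to three mutations
            candidate = mutate(candidate, rng)
        status, bucket = run_target(candidate)
        if status == "crash" and bucket not in crashes:
            crashes[bucket] = candidate      # keep the first reproducer per bucket
    return crashes


if __name__ == "__main__":
    for bucket, reproducer in fuzz(SEED, 2000).items():
        print(bucket, reproducer)
```

Only unexpected exceptions count as crashes; inputs the parser rejects with its own `ValueError` are the parser working as designed, and a harness that lumps those in with real faults drowns the signal. Keeping the first reproducer per bucket is what lets a practitioner hand a vendor a minimal input rather than a pile of near-duplicates.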

  4. Re:Code name "Only our back doors" by Anonymous Coward · · Score: 1

    +1 if I had mod points left

    How can anyone trust anything these guys say anymore? If they are working with the governments they can never say, and if they aren't, the history of their involvement is too much to get past.

    I, for one, from now on will avoid all large American corporate products and services. I will never again trust an American software company. At least before we could believe their agendas were purely greed for owners/stockholders; now we have no idea who's pulling the strings and whose motive it is we need to worry about.

  5. Re:Faith in the Internet at an all-time low by paskie · · Score: 1

    ...abandoning it in favor of what? What real (or trending) alternatives do you think they'll pick? Phones and fax?

    --
    It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
  6. Legality? by gstoddart · · Score: 2

    So, are they planning on buying copies of said software, and testing it in house?

    Or do they think they're going to be doing penetration testing without permission? Because, the last I heard, that was actually illegal.

    --
    Lost at C:>. Found at C.
    1. Re:Legality? by maliqua · · Score: 2

      The cost of the software for google is cheap compared to the value of the "we're the internet good guys" PR

    2. Re:Legality? by gstoddart · · Score: 1

      Well, sure, maybe.

      But my adblockers tell me Slashdot has references to gstatic.com, googleanalytics.com, google-adservices.com and googletagservices.com. All of which I universally block.

      The fact of the matter is, Google hasn't been the good guys in several years now. Google has come full circle, and is just your garden variety greedy mega-corp.

      Heck, I believe Google pioneered some of the techniques for bypassing cookie controls in several major browsers, and then later on said it was an accident.

      I no longer believe Google does anything for altruistic purposes, even if that's what they claim to be doing.

      --
      Lost at C:>. Found at C.
    3. Re:Legality? by NotInHere · · Score: 1

      Getting elite people and good publicity sound like good reasons to me. Their business doesn't rely on lock-in as heavily as Microsoft's; they need publicity.

    4. Re:Legality? by maliqua · · Score: 2

      Just to be clear, I don't think Google is the good guys, just that they want to be perceived that way.

    5. Re:Legality? by Charliemopps · · Score: 1

      The difference with Google has been, for the most part: They aren't stupid.

      Being the good guys is profitable in the long term. Take net neutrality for example... codifying that in law would be good for everyone in the long term. The ISPs, the customers, Netflix... everyone. But, some people are stupid and only think in the near term. I'd argue that Google's greed is simply greater than most corporations' and that's a good thing. They want it all, and short term profits that ruin some other part of the economy just aren't good enough for them. They eventually plan to own that part of the economy too!

    6. Re:Legality? by fahrbot-bot · · Score: 1

      But my adblockers tell me Slashdot has references to gstatic.com, googleanalytics.com, google-adservices.com and googletagservices.com. All of which I universally block.

      I'm pretty sure the blame for that rests with Slashdot - you know, the content authors/owners - not Google. Slashdot certainly doesn't have to use Google services...

      --
      It must have been something you assimilated. . . .
    7. Re:Legality? by Hamsterdan · · Score: 1

      Corporations and NSA are exempt from most laws

      --
      I've got better things to do tonight than die.
  7. Didn't the courts make that illegal? by Anonymous Coward · · Score: 2, Interesting

    I thought there were stories here about white hat/black hat, the courts don't care - go to jail. (Not that I agree with the rulings.) So Google gets a bye on the laws?

    1. Re:Didn't the courts make that illegal? by maliqua · · Score: 1

      Microsoft is already getting by this law, why not Google also?

      You're forgetting that in the Home of the Brave and Land of the Greed, laws only apply below a certain net worth.

  8. Re:Code name "Only our back doors" by Sqr(twg) · · Score: 2

    You don't have to trust them. Even if they don't point out the vulnerabilities that the NSA use, they will point out vulnerabilities that the Russians or Chinese might use, and that's already better than nothing.

  9. Faith in the Internet at an all-time low by Black.Shuck · · Score: 1

    The Internet is insecure by design: http://www.worldofends.com/#BM...

  10. Re:Faith in the Internet at an all-time low by paskie · · Score: 1

    Okay, but *eventually* I think they are bound to figure out that a better alternative to this situation is going back to a site-local webmail service instead of a third-party black-box cloud (even if they promise the data stays in your server room).

    In this sense, I think it's not a risk but a good thing - people start to realize that giving data to third parties may not be smart.

    --
    It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
  11. debug my software please by goombah99 · · Score: 4, Funny

    SO I just post my software and these guys do a free security analysis. Cool, now I can be sloppy!

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:debug my software please by LordWabbit2 · · Score: 1

      Or they just post an advisory stating that your software is a big pile of steaming security holes and to avoid it at all costs.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  12. Re:Faith in the Internet at an all-time low by MacTO · · Score: 1
  13. Re:My first thought... by 93+Escort+Wagon · · Score: 1

    If you're going to specifically call out one person... shouldn't you post publicly under your own account rather than hiding in anonymity? Otherwise you have no credibility.

    --
    #DeleteChrome
  14. Re:Code name "Only our back doors" by Anonymous Coward · · Score: 1

    Personally, if I had a choice I'd give my data to Russia or China before I gave it to the USA.

    America needs power taken away, not exclusive rights to this sort of power.

  15. Re:Code name "Only our back doors" by BronsCon · · Score: 1

    It's not an exclusive right; what's stopping you, or anyone else, from doing the same thing, so you can be sure you're finding *all* the vulnerabilities?

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  16. Re:read this as.... by maliqua · · Score: 1

    Interesting, I didn't even consider this possible angle. I always figured they were in cahoots with a government agency, but let's not rule out the possibility that Google is doing evil for its own benefit and not being coerced by a greater power.

  17. Isn't this a conflict of interest by koan · · Score: 1

    Between Google and the NSA?

    --
    "If any question why we died, Tell them because our fathers lied."
  18. Well... by frank_adrian314159 · · Score: 1

    If it's like their past behaviors, they'll tell everyone unless the government asks them not to under penalty of law - and they'll have the FISA court paperwork to make it stick. After all, Google now has a responsibility to its shareholders to not do illegal things, right? As such, I can't see this as more than a PR stunt.

    --
    That is all.
  19. Re:Google = Skynet by GTRacer · · Score: 1

    If their history is any indication though, it'll be in Beta for months or years. More than enough time to breed a resistance, develop time travel, and send someone back to protect John.

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  20. oh, noes! Google is hacking Google! by swschrad · · Score: 1

    all my data will be seized by Google and used for nefarious purposes! call out the National Guard! we are doomed!

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  21. Re:This will not work by Dominare · · Score: 1

    Ah yes. "I have no ethics and would do this if I could get away with it, therefore nobody has any ethics and would do this if they could get away with it."

    Good logic! The next part is where you try to deflect by calling me naïve.

  22. No more please by Thundercleets · · Score: 1

    Google wants to sell us your sploits now?

  23. Re:Code name "Only our back doors" by davydagger · · Score: 1

    Or even some random hacker/script kiddie.

    Security is not a binary; more security == better.

    Also, the fewer backdoors exist, the more apparent the ones that do exist are.

    If you eliminate all other backdoors except the NSA's, you can be more certain the backdoors that do exist actually belong to the NSA, and the more a single entity relies on a single backdoor, the more likely it will be discovered/found/patched/made irrelevant/worked around.

  24. Future Proof Jobs by X10 · · Score: 1

    The poster of "Future Proof Jobs" should have read this subject rather than posting his question.

    --
    no, I don't have a sig
  25. Google now hunting for exploits? by saccade.com · · Score: 1

    I'm glad to hear Google is dedicating resources to finding exploits in Internet softw...hey, wait, where'd my Bitcoins go???

  26. Re:My first thought... by metrix007 · · Score: 1

    That's bullshit. A lot of people don't even have an account. An account adds nothing.

    Look at the statement, not the poster.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  27. Re:They aren't stupid by TaoPhoenix · · Score: 1

    I'll reply to you, as you're the closest to the angle I was going for.

    Cross-posted from another site, with two more sentences here.

    Okay, picking my words a little and hoping I get my tone right...

    I get that Google (and Facebook and all kinds of other gangs) are *selling info*. It's sleazy, but to me that's "grey hat". It's "we're psychologically manipulating you to make money, but you knew that but we made the services nice and fun/useful so you don't care". I've been reading a huge Star Trek DS9 Re-Watch overview, and that feels so like a Quark move - he's devious but eventually even he draws his lines.

    Secret silent software bugs that only X number of governments even know exist is a whole other level of Black Hat. (Really, somewhere in the combo of Heartbleed and the TrueCrypt mess I got grumpier than I have been in a while.)

    So Google isn't some poor 12 man op with a lonely tech who was beaten by big guys - behind the sales guys there's a *lot* of tech crunching firepower there. So *maybe* the Agencies have a bit of a lead on them, but I'd bet not as big as those Agencies thought.

    It's a fascinating twist - Govt can beat up "little guys" a few at a time in a Divide and Conquer strategy, but what if this story catches on, and then Microsoft and Facebook and Apple and Samsung and your choice of others jump in?

    (I put Samsung in there because software bugs know no boundaries, so it's specifically a test of geographic negotiations beyond the US level.)

    Short Selling jokes aside, can the US even manage to indict the CEOs of all of US tech? Their dealmaking might just be on the verge of coming to bite them. (There was a TV series about all that, corps totally owning govt openly and outright.)

    When we're not busy snarking in the Basement or the Living Room, having a gaping security flaw in software isn't good for any of these companies. So maybe (making up a name) Gennady Li Chandarovskiyij-Maharujshi is the greatest programmer alive at one of the Agencies, but can he really stand up to a world wide team that's now pissed off??

    Going all story fiction for a moment, imagine it:
    All these companies, led by the big dogs with little guys lending a spare hour;
    CEOs around the world getting royally pissed and saying "our products are dominant enough and we have time to put away our micro-jockeying. Let's spend an entire year and 700 billion dollars/whatever to clean this mess up. Grab anyone who has any legit idea whatsoever about software security and let them do whatever they want (jokes aside), no questions asked, including extra perks like the 90's, like croissant sandwiches in the break room."

    US Govt is slowly winning the PR war against "Anonymous", but what if the Big Tech companies with tips from millions of freelancers all unite and say "Thanks for all the fish, yummy, now watch what you made! We have a worldwide "team" of over a *thousand* software people (and four space aliens, only three of which you know about.) Do you *really* wanna keep doing this? Or can we just get back to selling people's info for money?"

    At least in my imagination I wanna believe we're on the verge of Tech calling Govt's bluff that they've been going "Divide and Subdue" too long, and the beautiful part is all the bribery is (mostly) illegal - how can they even pretend to shout about 770 companies and 12,345,845 freelancers all spending an entire year on software security?

    So that's my message of daydream hope!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine