Google's Project Zero Aims To Find Exploits Before Attackers Do
DavidGilbert99 (2607235) writes "Google has announced Project Zero, a group of security experts who will hunt down security flaws in all software which touches the Internet. Among the group is a 24-year-old called George Hotz who shot to fame in 2007 when he was the first to unlock the iPhone before reverse engineering the PlayStation 3."
Quoting the Project Zero announcement: You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. ...
We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.
All issues will be reported to the usual public vulnerability databases after vendors are given a short period to fix their systems and software.
Re: (Score:1)
+1 if I had mod points left
How can anyone trust anything these guys say anymore? If they are working with the governments they can never say and if they aren't the history of their involvement is too much to get past.
I for one, from now on will avoid all large American corporate products and services. I will never again trust an American software company, at least before we could believe their agendas were purely greed for owners/stock holders now we have no idea who's pulling the strings and whose motive i
Re: (Score:3)
You don't have to trust them. Even if they don't point out the vulnerabilities that the NSA use, they will point out vulnerabilities that the Russians or Chinese might use, and that's already better than nothing.
Re: (Score:1)
Personally, if I had a choice I'd give my data to Russia or China before I gave it to the USA.
America needs power taken away, not exclusive rights to this sort of power.
Re: (Score:2)
Re: (Score:1)
That said, it's still not an exclusive right, as implied by the comm
Re: (Score:2)
Security is not a binary, more security == better.
Also, the fewer backdoors exist, the more apparent the ones that do exist are.
If you eliminate all other backdoors except the NSA's, you can be more certain the backdoors that do exist actually belong to the NSA, and the more a single entity relies on a single backdoor, the more likely it will be discovered/found/patched/made irrelevant/worked around.
Ha! (Score:1)
All software that touches the Internet?
Good luck with that.
Limit to COTS (Score:2)
Re: (Score:2)
Still covers a lot. Almost every software checks for updates.
Besides, HOW will they finance that operation?
debug my software please (Score:5, Funny)
So I just post my software and these guys do a free security analysis. Cool, now I can be sloppy!
Re: (Score:1)
Re: (Score:2)
...abandoning it in favor of what? What real (or trending) alternatives do you think they'll pick? Phones and fax?
Re: (Score:2)
Okay, but *eventually* I think they are bound to figure out that a better alternative to this situation is going back to a site-local webmail service instead of a third-party black-box cloud (even if they promise the data stays in your server room).
In this sense, I think it's not a risk but a good thing - people start to realize that giving data to third parties may not be smart.
Re: (Score:2)
Typewriters [slashdot.org].
Faith in the Internet at an all-time low (Score:2)
The Internet is insecure by design: http://www.worldofends.com/#BM... [worldofends.com]
"fuzzing" (Score:3)
>> automated software that throws random data at target software for hours on end to find which files cause potentially dangerous crashes.
You could just replace that with "fuzzing tools." :) The "files...cause...crashes" is kind of funny too.
Legality? (Score:3)
So, are they planning on buying copies of said software, and testing it in house?
Or do they think they're going to be doing penetration testing without permission? Because, the last I heard, that was actually illegal.
Re: (Score:3)
The cost of the software for Google is cheap compared to the value of the "we're the internet good guys" PR.
Re: (Score:2)
Well, sure, maybe.
But my adblockers tell me Slashdot has references to gstatic.com, googleanalytics.com, google-adservices.com and googletagservices.com. All of which I universally block.
The fact of the matter is, Google hasn't been the good guys in several years now. Google has come full circle, and is just your garden variety greedy mega-corp.
Heck, I believe Google pioneered some of the techniques for bypassing cookie controls in several major browsers, and then later on said it was an accident.
I no lon
Re: (Score:2)
Getting elite people and good publicity sound like good reasons for me. Their business doesn't rely on lock-in as heavily as Microsoft's, they need publicity.
Re: (Score:3)
Just to be clear, I don't think Google is the good guys, just that they want to be perceived that way.
Re: (Score:2)
The difference with Google has been, for the most part: They aren't stupid.
Being the good guys is profitable in the long term. Take net neutrality for example... codifying that in law would be good for everyone in the long term. The ISPs, the customers, Netflix... everyone. But, some people are stupid and only think in the near term. I'd argue that Google's greed is simply greater than most corporations and that's a good thing. They want it all and short term profits that ruin some other part of the economy j
Re:They aren't stupid (Score:2)
I'll reply to you, as you're the closest to the angle I was going for.
Cross-posted from another site, with two more sentences here.
Okay, picking my words a little and hoping I get my tone right...
I get that Google (and Facebook and all kinds of other gangs) are *selling info*. It's sleazy, but to me that's "grey hat". It's "we're psychologically manipulating you to make money, but you knew that but we made the services nice and fun/useful so you don't care". I've been reading a huge Star Trek DS9 Re-Watch o
Re: (Score:2)
But my adblockers tell me Slashdot has references to gstatic.com, googleanalytics.com, google-adservices.com and googletagservices.com. All of which I universally block.
I'm pretty sure the blame for that rests with Slashdot - you know, the content authors/owners - not Google. Slashdot certainly doesn't have to use Google services...
Re: (Score:2)
Corporations and NSA are exempt from most laws
Didn't the courts make that illegal? (Score:2, Interesting)
I thought there were stories here about white hat/black hat, the courts don't care - go to jail. (Not that I agree with the rulings.) So Google gets a bye on the laws?
Re: (Score:2)
Microsoft already is getting by this law, why not Google also?
You're forgetting in the Home of the Brave and land of the Greed laws only apply below a certain net worth.
Re: (Score:2)
Re: (Score:2)
Interesting, I didn't even consider this possible angle, I always figured they were in cahoots with a government agency but let's not rule out the possibility that Google is doing evil for its own benefit and not being coerced by a greater power.
Re: (Score:2)
If you're going to specifically call out one person... shouldn't you post publicly under your own account rather than hiding in anonymity? Otherwise you have no credibility.
Re: (Score:2)
That's bullshit. A lot of people don't even have an account. An account adds nothing.
Look at the statement, not the poster.
Isn't this a conflict of interest (Score:1)
Between Google and the NSA?
Well... (Score:2)
If it's like their past behaviors, they'll tell everyone unless the government asks them not to under penalty of law - and they'll have the FISA court paperwork to make it stick. After all, Google now has a responsibility to its shareholders to not do illegal things, right? As such, I can't see this as more than a PR stunt.
Re: (Score:1)
Ah yes. "I have no ethics and would do this if I could get away with it, therefore nobody has any ethics and would do this if they could get away with it."
Good logic! The next part is where you try to deflect by calling me naïve.
oh, noes! Google is hacking Google! (Score:2)
all my data will be seized by Google and used for nefarious purposes! call out the National Guard! we are doomed!
No more please (Score:1)
Future Proof Jobs (Score:2)
The poster of "Future Proof Jobs" should have read this subject rather than posting his question.
Google now hunting for exploits? (Score:2)