Good Article About Google's Project Zero

Fortune magazine just published a good article about Google's Project Zero, which finds and publishes exploits in other companies' software products.

I have mixed feelings about it. The project does great work, and the Internet has benefited enormously from these efforts. But as long as it is embedded inside Google, it has to deal with accusations that it targets Google competitors.

Posted on June 30, 2017 at 6:05 AM • 22 Comments

Comments

stine • June 30, 2017 6:48 AM

According to the Wired article from 7/15/14 titled "Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers":

And Project Zero's hackers won’t be exposing bugs only in Google’s products. They’ll be given free rein to attack any software whose zero-days can be dug up and demonstrated with the aim of pressuring other companies to better protect Google’s users.

I don't know if their remit has changed, but honestly, even if they don't examine Google products, finding and exposing bugs in everyone else's products, generally causing those bugs to be fixed is surely a good thing.

If Microsoft, Adobe, etc, want to get together and fund a company whose sole purpose is to find bugs in Google products, I'm sure Google wouldn't stop them.

Alex • June 30, 2017 7:15 AM

Someone has to fund this stuff; I'm sure none of us want it to be the government.

"We found loads of vulnerabilities, then we told the NSA about them, so you'll find out about them when the NSA lose them"

Google have plenty of skin in the keeping-Google-secure game; that they are investing money in other companies surely cannot be a bad thing.

Alex

nobody • June 30, 2017 8:06 AM

Project Zero is also exposing vulnerabilities in Google products. I was surprised when Bruce said otherwise in his last blog post about Zero too. Being skeptical of corporations is healthy, but some of the companies upset with Zero don't have a great track-record for security and transparency themselves (and sometimes carry historical conflicts of interest on those fronts).

Ph • June 30, 2017 8:55 AM

I am glad that they try to set standards in the fairly unregulated world of bughunting/disclosure.

More than that, it is just a perception thing; most companies are/should be glad to get their bugs pointed out.

Just like a real scientist loves to be proven wrong, they are in it for the science, not the ego.

Rufo Guerreschi • June 30, 2017 9:09 AM

Nearly useless effort as there will always be many more bugs all over the stacks.

We need a general-purpose open endpoint hw&sw computing platform that, albeit minimal in features, is radically security-reviewed relative to complexity; while still conceived to prevent malevolent use.

Welcome to the Trustless Computing Consortium, Certification Body and Cluster...

stine • June 30, 2017 9:34 AM

Thanks claudex. It was too early in the morning for me to find anything definitive about their reporting on Google products.

Ross Snider • June 30, 2017 10:06 AM

I usually have a pretty dim view about self-serving societies and shit behind layers of PR.

Google Project Zero is not one of these. They've done a seriously wonderful job of finding vulnerabilities in important software and performing research on vulnerability techniques.

While working for a competitor I was grateful that they produced vulnerabilities and analyzed our product! Our company certainly wasn't funding that kind of research and it was obviously sorely needed. The only complaint I have is that they don't appear to have a tight loop between the technical people and those creating their disclosure timelines. They gave us some bugs that obviously would take more than 90 days to fix and randomized us really, really heavily. All we needed was for them to agree to 180 days - or something similar - and it would have been good. (FYI not 180 days for every bug, just 180 for a particular instance in which the time was obviously needed).

Anyway, props to them.

albert • June 30, 2017 11:27 AM

Finding and fixing bugs is good for -anyones- bottom line.

-That- is what it's all about.

I don't see how anyone could argue against it.

@Ross,
I don't see how a company needs 180 days to fix one bug in their software, their design and their coding.

. .. . .. --- ....

Ross Snider • June 30, 2017 11:35 AM

@albert

Could you fix DNS in 180 days?

I was working for a very large company you've probably heard of and the bugs they filed weren't single codebase fixes. In fact, they disclosed an entirely new type of vulnerability class along with hundreds of instances of the bug that each needed their own validation. Fixing the bug meant creating controls that would close the vulnerability class (imagine having to invent, test and deploy stack cookies in 90 days to fix the vulnerability class "buffer overflow" as an analogy). Actually, this is probably already enough information for you to deduce what the company and bugs were, if you cared to.

The kinds of research that Google Project Zero is doing (thankfully) are not always single line or single code base bug fixes. Are there bugs that you need more than 90 days to fix? Absolutely. This was one of them. Google did a very poor job with their disclosure policy with respect to that instance.

Kevin • June 30, 2017 12:24 PM

I'm a big believer in root cause analysis. So, here's a question. Why isn't Tavis Ormandy working with developers to "super-fuzz" the code prior to release? Answer: Because the Marketing dept. always sets an unrealistic release deadline, and the new "global modular development" model in today's Silicon Valley startups ensures that code will be released too early as betaware. Don't follow me? So here's the root cause analysis.

Prior to Microsoft's dominance in the software world, companies like HP and Cisco were very picky about OS code testing & quality. It was quite rare for a "bug" to ever be found due to the high quality approach to development. This is where the same project team which wrote the pseudo-code took it all the way to release. As a console operator on an HP3000 MPE/iX mini-computer back then I can remember the CEO of HP apologizing directly to customers when a "bug" was found in a production release.

Then suddenly, somewhere in the 80's Microsoft (following their splintered EMMx86 memory model & insecure DLL architecture) started a new form of rapid development where different teams worked on different modules and it all came together at the last minute for a strong shove out the door by the Marketing Department. This is where things got sloppy and the whole industry threw quality out the door following suit. We used to joke about how the new slogan should be "Microsoft, the world is our Beta-Lab", and this is why most companies wouldn't install Microsoft Service Packs until at least SP2 or SP3.

Back to the current day, I believe Project Zero is both a weapon and a benefit. Google probably coordinates the release of information about vulnerabilities in competitors' products with movements in competitors' stock prices (or similar tactics). At the same time they can play along like they're contributing to the greater good of overall security by discovering these bugs, as long as it doesn't hold up their own development cycle. Just my take on things.....

thokas • June 30, 2017 1:47 PM

Google's Project Zero only targets competitor products. The occasional exceptions prove the rule: they were found by digging into competitors' products (e.g., trying to exploit Apple's Safari revealed an underlying bug in Chrome that affected their browser as well). Their lack of finding any of the numerous critical vulnerabilities in Android that third party researchers have uncovered is also telling.

At the same time while it is irksome that they are constantly flinging mud at their competitors they *are* doing a public service and I commend them for their research and efforts to improve security for everyone.

Matt • June 30, 2017 5:46 PM

Not that I know if this is true, but so what if they target Google competitors? Google's competitors are free to start up their own research team finding Google vulnerabilities.

Even if this is a cynical exercise to dig up dirt on Google's competitors, I don't see a downside. It's not like they are inserting the vulnerabilities, selling them to shady governments or criminals, or hoarding them for their own exploitation. The ones who do that are the ones we should be suspicious of.

JonKnowsNothing • June 30, 2017 6:30 PM

What a joke...

All they have to do is look in Bugzilla for their own security errors. There isn't a tech company in existence that fixes their own bugs unless absolutely forced to do so.

Maybe it's the new Forever Job?

thokas • June 30, 2017 7:50 PM

@Matt: It matters because intent matters.

However, don't forget I already said "they *are* doing a public service and I commend them for their research and efforts to improve security for everyone."

Who? • July 1, 2017 1:22 PM

I have mixed feelings about it. The project does great work, and the Internet has benefited enormously from these efforts. But as long as it is embedded inside Google, it has to deal with accusations that it targets Google competitors.

I think it is fine this way. As you say, Google's Project Zero is doing a great effort finding bugs in Google's competitors' products. That is ok to me. What about Google itself? Honestly, I do not care. The worst vulnerability in Google's software is unfixable; it is Google itself. So all of us can benefit from Project Zero: the Internet has benefited from these efforts, and sane people do not run Google's devices, software and/or services.

Major • July 1, 2017 1:30 PM

Google finding vulnerabilities and shaming companies into fixing them seems preferable to trying to regulate companies into being secure. Google, and, of course, a ton of independent security researchers.

Maybe I am getting naive as I get older and more comfortable, but I am less scared of Google than I am most companies that profit off of my personal data. At least they provide quality services, products and languages. And I can't think of any revelations about Google that really disturbed me since they started scanning people's gmail (which did disturb me). Maybe somebody here can help me there! Although I am sensing an undercurrent of good will towards Google in these comments...

disclosure • July 2, 2017 10:35 AM

@claudex The problem is not whether Project Zero works on Google software or not, it's whether they are more lenient on the disclosure timeline with internal software than they show to competitors. Other companies don't complain that Google found the bugs, they complain over premature disclosure, which you don't really expect PZ to do even if, say, the Chrome team takes ages to fix a given bug. But of course it's essentially impossible to know what that backstage looks like.

Nick P • July 6, 2017 10:19 PM

@ Bruce

The funny thing about it is how many people in INFOSEC are currently recommending iPhones since they patch their vulnerabilities quickly, sometimes in hours. Whereas the Android ecosystem ignores all kinds of actual vulnerabilities and other risks. So, it's quite amusing to see Google calling other companies out for bugs when they delay patching Android so much despite the *billions* it makes them per the leak in the Oracle case. Yeah, it's definitely propaganda by a company as bad as the competition in dealing with vulnerabilities.

How much Google makes on Android

Those numbers make their new project for a secure microkernel seem like a joke compared to the funding and effort put in on similar projects by CompSci, Microsoft, IBM, etc. They're a selfish, surveillance company that does some good things here and there. (shrugs)

JdL • July 8, 2017 11:44 AM

But as long as it is embedded inside Google, it has to deal with accusations that it targets Google competitors.

Since it performs a valuable service for those competitors, what is the complaint?

JonKnowsNothing • July 9, 2017 9:30 AM

@JdL

Since it performs a valuable service for those competitors, what is the complaint?

It's always easier to find dirt in other people's laundry baskets...

Google ain't a saint. They don't do it because they Love-the-Competition. They don't do it because they Love-the-Internet. They don't do it because they want to Stop Exploits.

It's a capitalist company which means => They do it for the money, honey.

Anything to tarnish the competition. Anything to find an edge against the competition. Anything to remove a competitor. Anything to increase their monopoly and power base. Anything to make them look better.

And MORE important...

Anything that lets Eric Schmidt spend more time at his plug-n-play Burning Man resort surrounded by multitudes of young females in adoration of his sequined top hat.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.