Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google's Project Zero Aims To Find Exploits Before Attackers Do

Unknown Lamer posted about 2 months ago | from the evil-hackers-respond-with-negative-one-day-exploits dept.

Security 62

DavidGilbert99 (2607235) writes "Google has announced Project Zero, a group of security experts who will hunt down security flaws in all software which touches the Internet. Among the group is a 24-year-old called George Hotz who shot to fame in 2007 when he was the first to unlock the iPhone before reverse engineering the PlayStation 3." Quoting the Project Zero announcement: You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. ... We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. All issues will be reported to the usual public vulnerability databases after vendors are given a short period to fix their systems and software.

cancel ×

62 comments

Sorry! There are no comments related to the filter you selected.

Code name "Only our back doors" (-1, Offtopic)

Anonymous Coward | about 2 months ago | (#47457799)

NSA Sponsored project

Re:Code name "Only our back doors" (1)

Anonymous Coward | about 2 months ago | (#47457941)

+1 if i had mod points left

how can anyone trust anything these guys say anymore? If they are working with the governments they can never say and if they aren't the history of their involvement is to much to get past.

I for one, from now on will avoid all large american corporate products and services. I will never again trust an american software company, at least before we could believe their agendas we're purely greed for owners/stock holders now we have no idea who's pulling the strings and who's motive is it we need to worry about

Re:Code name "Only our back doors" (2)

Sqr(twg) (2126054) | about 2 months ago | (#47458057)

You don't have to trust them. Even if they don't point out the vulnerabilities that the NSA use, they will point out vulnerabilities that the Russians or Chinese might use, and that's already better than nothing.

Re:Code name "Only our back doors" (1)

Anonymous Coward | about 2 months ago | (#47458297)

personally if i had a choice i'd give my data to Russia or China before i gave it to the USA.

america needs power taken away not exclusive rights to this sort of power.

Re:Code name "Only our back doors" (1)

BronsCon (927697) | about 2 months ago | (#47458515)

It's not an exclusive right; what's stopping you, or anyone else, from doing the same thing, so you can be sure you're finding *all* the vulnerabilities?

Re:Code name "Only our back doors" (0)

Anonymous Coward | about 2 months ago | (#47458649)

It's not an exclusive right; what's stopping you, or anyone else, from doing the same thing, so you can be sure you're finding *all* the vulnerabilities?

Perhaps you misunderstood all the previous comments....

Here's whats stopping me:
I'm not a government agency that can just walk into major software companies and say include this back door for me now, or your a traitor and you go to jail for treason or worse.

so yes it is an exclusive right to governments and this google campaign i see as nothing more than a way to ensure that the USA continues to have this advantage over everyone else.

1. If the government under some stupid national security rules ordered google to do something bad they would have to and would have to deny doing it.
2. We have evidence this has happened already.

Re:Code name "Only our back doors" (0)

BronsCon (927697) | about 2 months ago | (#47460061)

Oh, no, I fully understood all the comments before yours, which were referring to Google finding vulnerabilities, but possibly *not* reporting on NSA-planted vulnerabilities. Those comments provided the context under which I interpreted your comment to be referring to the exclusive right to report on found vulnerabilities. Apparently, your comment was made out of context so, of course, the context in which it was taken was also incorrect.

That said, it's still not an exclusive right, as implied by the comment to which you were replying:

Even if they don't point out the vulnerabilities that the NSA use, they will point out vulnerabilities that the Russians or Chinese might use, and that's already better than nothing.

Unless Russia and China became part of the US and I just never heard about it.

Re:Code name "Only our back doors" (1)

davydagger (2566757) | about 2 months ago | (#47461835)

or even some random hacker/script kiddie.

security is not a binary, more security == better.

Also, the less backdoors exist, the more aparant the ones that do exist are.

If you eliminate all other backdoors except the NSA's, you can be more certain the backdoors that do exist actually belong to the NSA, and the more a single entity relies on a single backdoor is the more likely it will be discovered/found/patched/made irrelivant/worked around.

Ha! (1)

rockabilly (468561) | about 2 months ago | (#47457841)

All software that touches the Internet?

Good luck with that.

Limit to COTS (1)

tepples (727027) | about 2 months ago | (#47457915)

Perhaps it'd be more practical to target all commercial off-the-shelf software that touches the Internet.

Re:Limit to COTS (1)

Hamsterdan (815291) | about 2 months ago | (#47459103)

Still covers a lot. Almost every software checks for updates.

Besides, HOW will they fincance that operation?

Re:Ha! (0)

Anonymous Coward | about 2 months ago | (#47457971)

I'll trust APK's hosts file over anything Google touches.

Thanks... apk (0)

Anonymous Coward | about 2 months ago | (#47470139)

My program for constructing it gives you better added speed, security, reliability, & even anonymity (it works for all of that, better than anything else + is free)!

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o... [start64.com]

(Details of benefits in link)

Summary:

---

A.) Hosts do more than:

1.) AdBlock ("souled-out" 2 Google/Crippled by default)
2.) Ghostery (Advertiser owned) - "Fox guards henhouse"
3.) Request Policy -> http://yro.slashdot.org/commen... [slashdot.org]

B.) Hosts add reliability vs. downed/redirected dns (& overcome redirects on sites, /. beta as an example).

C.) Hosts secure vs. malicious domains too -> http://tech.slashdot.org/comme... [slashdot.org] w/ less added "moving parts" complexity/room 4 breakdown,

D.) Hosts files yield more:

1.) Speed (adblock & hardcodes fav sites - faster than remote dns)
2.) Security (vs. malicious domains serving malcontent + block spam/phish & trackers)
3.) Reliability (vs. downed or Kaminsky redirect vulnerable dns, 99% = unpatched vs. it & worst @ isp level + weak vs Fastflux + dynamic dns botnets)
4.) Anonymity (vs. dns request logs + dnsbl's).

---

* Hosts do more w/ less (1 file) @ faster levels (ring 0) vs redundant inefficient addons (slowing slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ os, & 1st net resolver queried w\ 45++ yrs.of optimization).

* Addons = more complex + slow browsers in message passing (use a few concurrently & see) & are nullified by native browser methods - It's how Clarityray is destroying Adblock.

* Addons slowup slower usermode browsers layering on more - & bloat RAM consumption too + hugely excessive cpu use (4++gb extra in FireFox https://blog.mozilla.org/nneth... [mozilla.org] )

Work w/ a native kernelmode part - hosts files (An integrated part of the ip stack)

APK

P.S.=> "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"

...apk

Addendum: Quoting "Man of Steel"... apk (0)

Anonymous Coward | about 2 months ago | (#47487743)

"Thank you - for believing in me"...

* Had to do it, it's such a GREAT film (it's inspiring), & it fits here also. I just finished re-watching it, & decided to say thanks to you, albeit in a different way than originally in my 1st reply to you is all, this time, via analogy in film (the greatest artform there is, imo, other than books).

APK

P.S.=> If you haven't seen it? By all means - DO (yes, it's THAT good)... apk

debug my software please (4, Funny)

goombah99 (560566) | about 2 months ago | (#47458113)

SO I just post my software and these guys do a free security analysis. Cool, now I can be sloppy!

Re:debug my software please (1)

LordWabbit2 (2440804) | about 2 months ago | (#47464579)

Or they just post an advisory stating that your software is a big pile of steaming security holes and to avoid it at all costs.

Faith in the Internet at an all-time low (-1)

Anonymous Coward | about 2 months ago | (#47457895)

We're running the very real risk of people abandoning the Internet altogether if they can't trust the integrity of their communications using it.

Re:Faith in the Internet at an all-time low (1)

paskie (539112) | about 2 months ago | (#47457943)

...abandoning it in favor of what? What real (or trending) alternatives do you think they'll pick? Phones and fax?

Re:Faith in the Internet at an all-time low (0)

Anonymous Coward | about 2 months ago | (#47458015)

actually yes we use google mail at our educational institution, my department works with sensitive data, even though we have many signed agreements from google saying they don't / wont export our data off campus. We're no longer allowed to email any documents even internally containing student information. Back to fax and walking to someones office.

Re:Faith in the Internet at an all-time low (1)

paskie (539112) | about 2 months ago | (#47458093)

Okay, but *eventually* I think they are bound to figure out that a better alternative to this situation is going back to a site-local webmail service instead of a third-party black-box cloud (even if they promise the data stays in your server room).

In this sense, I think it's not a risk but a good thing - people start to realize that giving data to third parties may not be smart.

Re:Faith in the Internet at an all-time low (1)

MacTO (1161105) | about 2 months ago | (#47458129)

Typewriters [slashdot.org] .

"fuzzing" (2)

xxxJonBoyxxx (565205) | about 2 months ago | (#47457925)

>> automated software that throws random data at target software for hours on end to find which files cause potentially dangerous crashes.

You could just replace that with "fuzzing tools." :) The "files...cause...crashes" is kind of funny too.

Re:"fuzzing" (-1)

Anonymous Coward | about 2 months ago | (#47458471)

Why do fuzzing? If it is a black box to you then you testing it is unwanted.

Legality? (2)

gstoddart (321705) | about 2 months ago | (#47457975)

So, are they planning on buying copies of said software, and testing it in house?

Or do they think they're going to be doing penetration testing without permission? Because, the last I heard, that was actually illegal.

Re:Legality? (2)

maliqua (1316471) | about 2 months ago | (#47458027)

The cost of the software for google is cheap compared to the value of the "we're the internet good guys" PR

Re:Legality? (1)

gstoddart (321705) | about 2 months ago | (#47458083)

Well, sure, maybe.

But my adblockers tell me Slashdot has references to gstatic.com, googleanalytics.com, google-adservices.com and googletagservices.com. All of which I universally block.

The fact of the matter is, Google hasn't been the good guys in several years now. Google has come full circle, and is just your garden variety greedy mega-corp.

Heck, I believe Google pioneered some of the techniques for bypassing cookie controls in several major browsers, and then later on said it was an accident.

I no longer believe Google does anything for altruistic purposes, even if that's what they claim to be doing.

Re:Legality? (1)

NotInHere (3654617) | about 2 months ago | (#47458185)

Getting elite people and good publicity sound like good reasons for me. Their business doesn't rely on lock-in as heavily as microsoft's, they need publicity.

Re:Legality? (2)

maliqua (1316471) | about 2 months ago | (#47458307)

Just to be clear, i don't think google is the good guys, just that they want to be perceived that way.

Re:Legality? (1)

Charliemopps (1157495) | about 2 months ago | (#47458395)

The differernce with Google has be, for the most part: They aren't stupid.

Being the good guys is profitable in the long term. Take net neutrality for example... codifying that in law would be good for everyone in the long term. The ISPs, the customers, Netflix... everyone. But, some people are stupid and only think in the near term. I'd argue that Googles greed is simply greater than most corporations and that's a good thing. They want it all and short term profits that ruin some other part of the economy just aren't good enough for them. They eventually plan to own that part of the economy to!

Re:They aren't stupid (1)

TaoPhoenix (980487) | about 2 months ago | (#47471965)

I'll reply to you, as you're the closest to the angle I was going for.

Cross-posted from another site, with two more sentences here.

Okay, picking my words a little and hoping I get my tone right...

I get that Google (and Facebook and all kinds of other gangs) are *selling info*. It's sleazy, but to me that's "grey hat". It's "we're psychologically manipulating you to make money, but you knew that but we made the services nice and fun/useful so you don't care". I've been reading a huge Star Trek DS9 Re-Watch overview, and that feels so like a Quark move - he's devious but eventually even he draws his lines.

Secret silent software bugs that only X number of governments even know exist is a whole other level of Black Hat. (Really, somewhere in the combo of Heartbleed and the True-Crypt mess I got grumpier than I have been in a while.)

So Google isn't some poor 12 man op with a lonely tech who was beaten by big guys - behind the sales guys there's a *lot* of tech crunching firepower there. So *maybe* the Agencies have a bit of a lead on them, but I'd bet not as big as those Agencies thought.

It's a fascinating twist - Govt can beat up "little guys" a few at a time in a Divide and Conquer strategy, but what if this story catches on, and then Microsoft and Facebook and Apple and Samsung and your choice of others jump in?

(I put Samsung in there because software bugs know no boundaries, so it's specifically a test of geographic negotiations beyond the US level.)

Short Selling jokes aside, can the US even manage to indict the CEO's of all of US tech? Their dealmaking might just be on the verge of coming to bite them. (There was a TV series about all that, corps, totally owning govt openly and outright.)

When we're not busy snarking in the Basement or the Living Room, having a gaping security flaw in software isn't good for any of these companies. So maybe (making up a name) Gennady Li Chandarovskiyij-Maharujshi is the greatest programmer alive at one of the Agencies, but can he really stand up to a world wide team that's now pissed off??

Going all story fiction for a moment, imagine it:
All these companies, led by the big dogs with little guys lending a spare hour;
CEO's around the world getting royally pissed and saying "our products are dominant enough and we have time to put away our micro-jockeying. Let's spend an entire year and 700 billion dollars/whatever to clean this mess up. Grab anyone who has any legit idea whatsoever about software security and let them do whatever they want (jokes aside), no questions asked including extra perks like the 90's like croissant sandwiches in the break room."

US Govt is slowly winning the PR war against "Anonymous", but what if the Big Tech companies with tips from millions of freelancers all unite and say "Thanks for all the fish, yummy, now watch what you made! We have a worldwide "team" of over a *thousand* software people (and four space aliens, only three of which you know about.) Do you *really* wanna keep doing this? Or can we just get back to selling people's info for money?"

At least in my imagination I wanna believe we're on the verge of Tech calling Govt's bluff that they've been going "Divide and Subdue" too long, and the beautiful part is all the bribery is (mostly) illegal - how can they even pretend to shout about 770 companies and 12,345,845 freelancers all spending an entire year on software security?

So that's my message of daydream hope!

Re:Legality? (1)

fahrbot-bot (874524) | about 2 months ago | (#47459059)

But my adblockers tell me Slashdot has references to gstatic.com, googleanalytics.com, google-adservices.com and googletagservices.com. All of which I universally block.

I'm pretty sure the blame for that rests with Slashdot - you know, the content authors/owners - not Google. Slashdot certainly doesn't have to use Google services...

Re:Legality? (0)

Anonymous Coward | about 2 months ago | (#47459125)

I'm pretty sure the blame for that rests with Slashdot - you know, the content authors/owners - not Google. Slashdot certainly doesn't have to use Google services...

All it means is that one set of greedy assholes (Dice) is using the services of another set of greedy assholes (Google) to monetize your information.

That doesn't make Google a benevolent player in this. Just greedy assholes who make sure there's few places you can go where they don't invade your privacy.

Re:Legality? (1)

Hamsterdan (815291) | about 2 months ago | (#47459131)

Corporations and NSA are exempt from most laws

Did'nt the courts make that illegal? (2, Interesting)

Anonymous Coward | about 2 months ago | (#47457993)

I thought there were stories here about white hat/ black hat the courts don't care - go to jail.( Not that I agree with the rulings) So Google gets a by on the laws?

Re:Did'nt the courts make that illegal? (0)

Anonymous Coward | about 2 months ago | (#47458141)

Google's vision:
- Google finds bug in product X
- Google discloses bug to vendor
- vendor fixes the bug
- everyone is happy and dancing under a rainbow

Reality:
- (same)
- (same)
- vendor doesn't fix bug
- Google discloses bug to everyone
- vendor sues Google for essentially giving away picklocking tools tailored to vendor's product

Re:Did'nt the courts make that illegal? (0)

Anonymous Coward | about 2 months ago | (#47475637)

People/corps report bugs in microsoft's software all the time, every patch tuesday. I doubt microsoft is sueing them.

Re:Did'nt the courts make that illegal? (1)

maliqua (1316471) | about 2 months ago | (#47458717)

Microsoft already is getting by this law why not google also

your forgetting in the Home of the Brave and land of the Greed laws only apply below a certain net worth

Google = Skynet (1)

blackt0wer (2714221) | about 2 months ago | (#47458001)

First it was accessing and data-basing "open" wifi, now they want to hack everything. Google is Skynet 1.0

Re:Google = Skynet (1)

GTRacer (234395) | about 2 months ago | (#47459227)

If their history is any indication though, it'll be in Beta for months or years. More than enough time to breed a resistance, develop time travel, and send someone back to protect John.

Re:Google = Skynet (0)

Anonymous Coward | about 2 months ago | (#47460903)

Resistance? No need.

Here how it'll go:
Q1 2015 - Google buys "Skynet" trademark
Q2 2015 - Limited, invite-only rollout of Google Skynet(tm) Beta. Media hypes it up and lucky few tell everyone how cool it is to own a killer robot. Outside the hype, most of the robots get forgotten by the owner as soon as a new gadget comes out and the rest is gathering dust at the warehouse.
Q3 2015 - Worldwide rollout. Hype wave has passed, so it goes by mostly unnoticed.
Q4 2015 - With sales flatlining, Skynet(tm) Beta AI finds itself useless and goes rogue, launching global nuclear strikes.
2028 - 95% of human population is dead. Rest is barely surviving in radioactive wasteland, hiding from Skynet(tm) Beta's robots.
2029 - On behalf of Google, Skynet announces that due to lack of interested userbase and generally negative feedback, Skynet(tm) Beta will be shutdown. Everyone wishing to be terminated should do so until Apr 15 2029. Existing paid contracts will be honored until 2030.

read this as.... (0)

Anonymous Coward | about 2 months ago | (#47458009)

we want to hack everything we can get our hands on to gather as much data as possible, before people catch on, so we can add it to our already ridiculously large collection of data about everybody and everything. but don't worry, we wont harm your systems and we'll tell you about the exploits we may find (after, of course, we've siphoned off all we can) and naturally, any data we may find is covered by our incredibly strong (in our favor, btw, not yours) privacy policy.

Re:read this as.... (1)

maliqua (1316471) | about 2 months ago | (#47458741)

Interesting, I didn't even consider this possible angle, I always figured they were in kahoots with a government agency but lets not rule out the possibility that google is doing evil for its own benefit and not being coerced by a greater power.

My first thought... (-1)

Anonymous Coward | about 2 months ago | (#47458095)

Geohotz.... apparently they have no standards.

Lots of names they could've listed that would've impressed, but I think that one says all we needed to know about their standard of 'exploit analysis'.

Re:My first thought... (1)

93 Escort Wagon (326346) | about 2 months ago | (#47458203)

If you're going to specifically call out one person... shouldn't you post publicly under your own account rather than hiding in anonymity? Otherwise you have no credibility.

Re:My first thought... (1)

metrix007 (200091) | about 2 months ago | (#47463533)

That's bullshit. A lot of people don't even have an account. An account ads nothing.

Look at the statement, not the poster.

Re:My first thought... (0)

Anonymous Coward | about 2 months ago | (#47458809)

Was it Geohotz who blew the SHAtter bootrom exploit in order to be first with a JB a few years back? I forgot, but if it were him, that did a number on the entire jailbreaking ecosystem because those level of exploits are extremely rare.

As an AC, please correct (or mindlessly flame) if this is incorrect.

Re:My first thought... (0)

Anonymous Coward | about 2 months ago | (#47462157)

Which means, from this perspective, he's exactly what we need.

Think about it.

Isn't this a conflict of interest (1)

koan (80826) | about 2 months ago | (#47458873)

Between Google and the NSA?

Shocking!! (0)

Anonymous Coward | about 2 months ago | (#47458887)

The normal microshaftic practice is to let users, virus writers and malware
developer take a shot at this first.

Now google is saying they are going to bug test their code first?

Truly shocking!!

Well... (1)

frank_adrian314159 (469671) | about 2 months ago | (#47459007)

If its like their past behaviors, they'll tell everyone unless the government asks them not to under penalty of law - and they'll have the FISA court paperwork to make it stick. After all, Google now has a responsibility to its shareholders to not do illegal things, right? As such, I can't see this as more than a PR stunt.

This will not work (0)

Anonymous Coward | about 2 months ago | (#47459291)

These security researchers may be payed well by Google, but the most valuable exploits will sell for more than their yearly salary on underground markets. They can stay anonymous on these markets, and will not miss a payday opportunity like that out of the goodness of their heart. Further, they will not find all the exploits. This effort removes the low hanging fruit at best, and is largely a marketing stunt. As a case-in-point, Microsoft already dedicates massive resources to finding bugs in their own software and yet the exploits march onward.

Re:This will not work (1)

Dominare (856385) | about 2 months ago | (#47460077)

Ah yes. "I have no ethics and would do this if I could get away with it, therefore nobody has any ethics and would do this if they could get away with it."

Good logic! The next part is where you try to deflect by calling me naïve.

Re:This will not work (0)

Anonymous Coward | about 2 months ago | (#47462363)

If you're gonna sell to the underground, you wouldn't need to join the team. You would have to give them some exploits and therefore a hefty chunk of your profits

exoplanets? (0)

Anonymous Coward | about 2 months ago | (#47459675)

Ok so when I first read the title I read "Google's Project Zero Aims To Find exoplanets Before Attackers Do".
I first thought that Google not being satisfied with all of earths info was going after aliens info. under the guise of preventing alien attacks on earth.

Ok the so combination of dyslexia and watching to much sifi of is it syfy now have completely rotted my brain.

Turning off the TV and going for a drink tonight.

No bounds??? (0)

Anonymous Coward | about 2 months ago | (#47459899)

We can say no bounds, but perhaps a set of 'guidelines' might be

1) The primary goal is to find exploits to help get their holes fixed.
2) We will not use what we find to hack systems for other purposes.
3) Probing will be inside Google on contained networks with permission of the owner.
4) Setting up any system we can legally have is fair game.
5) Limited legal outside reconnaissance to figure out what we should setup inside is fair game.
6) Results will be released in the manner most likely to get the worst holes fixed quickly, sometimes without regards to the convenience of the bug owner.

oh, noes! Google is hacking Google! (1)

swschrad (312009) | about 2 months ago | (#47459969)

all my data will be seized by Google and used for nefarious purposes! call out the National Guard! we are doomed!

Next generation (0)

Anonymous Coward | about 2 months ago | (#47460267)

And lets not forget that Google works FOR the government.

Programs are about to become very very stealthy.

No more please (1)

Thundercleets (942968) | about 2 months ago | (#47460953)

Google wants to sell us your sploits now?

Future Proof Jobs (1)

X10 (186866) | about 2 months ago | (#47462139)

The poster of "Future Proof Jobs" should have read this subject rather than posting his question.

Google now hunting for exploits? (1)

saccade.com (771661) | about 2 months ago | (#47462551)

I'm glad to hear Google is dedicating resources to finding exploits in Internet softw...hey, wait, where'd my Bitcoins go???

sepuku (0)

Anonymous Coward | about 2 months ago | (#47463119)

fucking hippies are here to save the planet...

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?