How Google is Working to Secure Technology

by Modis on April 24, 2017

google is securing technologyThey have been called “the defenders of the Internet”: the team of elite hackers hired by Google to find and report zero-day security vulnerabilities – those security flaws that have no known patch or fix, those flaws that are favored by hackers seeking user exploitation.

They are the team responsible for finding the Microsoft “Edge/IE” bug, Apple’s OS “task_t” bugs, the latest LastPass security flaw, and countless other vulnerabilities. Their goal is to make the internet a safer and more secure place – a place where anyone can use the internet freely and without fear. It’s a never-ending , lofty, and ethical goal.

Hiring Hackers

When Project Zero was first created in 2014, the concept was somewhat revolutionary. Hackers existed and security teams within companies were hired regularly, but the two were never mixed. No other company had ever hired hackers that had been caught before – and if they had, they never went so far as to hire the ones that had made news headlines. Hackers like George Hotz.

Hotz, or “Geohot”, was the first person to unlock an iPhone. He followed that up with various jailbreak releases. Apple largely ignored Hotz’s accomplishment. He later hacked into Google’s Chrome OS. This time he wasn’t ignored. Instead of punishing him, Google hired Hotz to fix the found flaws. A few years later, Google hired Hotz as part of the original Project Zero team.

Then team recruiter, Chris Evans, went on to hire some of the biggest hacking names in the world, including Tavis Ormandy, Ben Hawkes and Matt Tait. The all-star team of hackers is tasked with finding security flaws without restriction. Any program that is used online is fair game. So far, that mandate has prevented a lot of massive security attacks.

A Deadline Not to Miss

While the Project Zero initiative is admirable, it also comes with a deadline not to be missed. Once a security flaw has been found, the team member that discovered the flaw provides the impacted company with bug details. The team then gives that company 90 days to fix the flaw. What happens if the deadline isn’t respected? Details of the security flaw are published. This has already happened to a handful of companies, including Microsoft.

The disclosure deadline is controversial, to say the least, but it does accomplish one goal: the threat of exposure ensures that companies work to fix security flaws quickly. Prior to Project Zero, some companies let zero-day flaws flounder, resulting in chaos. The Project Zero team does not divulge details of found bugs immediately in order to prevent hackers from exploiting those flaws – and to give companies time to do the right thing.

Evans once described Project Zero as “primarily altruistic.” Three years after Google’s hacking dream team was built, it remains an essential part of everyday internet security.

Leave a Comment

Previous post:

Next post:

Modis