Hire for what?
Since this concerns Google I can't help wondering... Are they going to fix the bug and/or exploit, or will they be looking for the best ways to exploit said bug and gather even more information from you?
Google will expand its computer security research efforts by forming a well-staffed full-time team called Project Zero. The web ad broker wants to hire the best of the best, who can find Heartbleed-grade vulnerabilities, or worse bugs, in software. It's also looking to extend its bounty program for reporting holes. Project …
They've got form: see 2012's FTC settlement over the exploit of a Safari bug — though the fine was more about promising clearly and directly that tracking wouldn't occur, then exploiting a browser bug to track regardless. So it was a false advertising issue more than anything.
Project Zero would presumably just have had a quiet word with Apple.
Does that then mean that Google/Team Project Zero are going to go head to head against GCHQ, for are they not prime in the business of state-sponsored actors exploiting software bugs to infect your computer, steal secrets or monitor your communications? Indeed, is that information about capabilities and facilities not shared here today on El Reg, with intel available from this tale http://www.theregister.co.uk/2014/07/14/gchq_poll/
Or are Google and Team Project Zero going to chicken out of that task and in so doing render their lofty exhortation ("You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications") just choice bullshit?
GCHQ says ..... Go on, punk. Make my day.
You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications
I'd vote for that statement to be choice bullshit, of the same type as their Gmail "help" in which they explain that they will never allow a 3rd party to access your email, gently skipping over the fact that they themselves ARE that 3rd party.
It's a US company, operating under US law (and no other, as it has been trying to tell us) and thus exposed to a legal system that has all but destroyed any semblance of privacy protection (yes, yes, I know there is a lot of privacy theatre at the moment with state laws, but the problem is with federal law which overrides all of that). So thank you Google, but all you're really telling us is that you really want that NSA outsourcing job.
The defender has to think of everything but the attacker only has to find one exploit. It has always been thus.
That is not good enough reason for not trying to defend.
Google may actually be on the right side on this one. They gather a lot of personal data but do not seem to have a record of using zero-day exploits to do it.
Google may actually be on the right side on this one.
No, definitely not. They are on their side, not the right side. What they are basically saying is that they don't appreciate the competition and are willing to pay top dollar to put it down.
No, this is a way of announcing to the global marketplace that the US cloud is "safe" to do business with despite various state actors doing their best to intercept traffic and gather data.
In other words, the more evidence that comes out that the govt agencies are in everyone's business (and it seems to be getting worse, not better), the more global companies will pull out of the cloud, which of course is commercially lethal for Goog/Amazon/Azure etc. So, Google are trying to reassure their customer base by appearing to race to close down 0-days before the NSA and friends can exploit them.
Nice of them to do it, but let's not assume that it's pure altruism: the survival of their business is at stake. I wouldn't be surprised if we see an industry alliance forming to share 0-days amongst the big cloud players. (Of course, how long after that before the NSA start running humint infiltration ops against researchers working for those companies? OK, I'll get my tinfoil hat.)
Here's some extremely good advice on cyber-security. It's all the more remarkable because it is from 2012. It makes it abundantly clear that, if you are concerned for your security, only open source software offers you any hope at all:
The task of finding and eliminating every significant vulnerability from a complex product is monumental. If we also consider flaws intentionally inserted by a determined and clever insider, the task becomes virtually impossible. While there is a large body of literature describing techniques for finding latent vulnerabilities in hardware and software systems, no such technique claims the ability to find all such vulnerabilities in a pre-existing system. Techniques do exist that can prove a system implementation matches a design which has been formally verified to be free of certain types of flaws. However, such formal techniques must be incorporated throughout the design and development process to be effective. They cannot currently be applied to a finished product of significant size or complexity. Even when embedded into a design and development process, formal techniques of this type do not yet scale to the size of complete commercial telecommunication systems.
A security evaluation of potentially suspect equipment being deployed in critical infrastructure roles may seem like an answer to the security problems posed. Unfortunately, given the complexity of the telecommunications grid, the limitations of current security evaluation techniques, and the economics of vendor-financed analyses provide a sense of security but not actual security. Significant security is available only through a thoughtful design and engineering process that addresses a complete system-of-systems across its full lifecycle, from design to retirement and includes aspects such as discrete technology components, their interactions, the human environment, and threats from the full spectrum of adversaries. The result of such a process should be a convincing set of diverse evidence that a system is worthy of our trust.
This is who said it (full document):
I often point out that, whereas I can spend ages looking for a leak in a boat and not find it, when I put the boat in water the water finds the leak immediately. Open source makes the fight more evenly matched by allowing many more people to look for the leak. (Yes, I know that this helps the hackers too, but I reckon it improves the ratio of effort, hackers vs debuggers)
Referring to the article icon from the main page, and no offense to Liam Neeson, but there will only be one John 'Hannibal' Smith, and in my memory it will always be George Peppard.
"In 1972 a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can hire the A-Team."
Lol, maybe I will put that on my headstone, even if I haven't watched an episode in decades and it was really bad 1980s TV, barely a step above Airwolf.