back to article You don't need a HERO, you need a ZERO. From Google

Google will expand its computer security research efforts by forming a well-staffed full-time team called Project Zero. The web ad broker wants to hire the best of the best, who can find Heartbleed-grade vulnerabilities, or worse bugs, in software. It's also looking to extend its bounty program for reporting holes. Project …

  1. Anonymous Coward

    Hire for what?

    Since this concerns Google I can't help wonder... Are they going to fix the bug and/or exploit or will they be looking for the best ways to exploit said bug and gather even more information from you?

    1. ThomH

      Re: Hire for what?

      They've got form: see 2012's FTC settlement over the exploit of a Safari bug — though the fine was more about promising clearly and directly that tracking wouldn't occur, then exploiting a browser bug to track regardless. So it was a false advertising issue more than anything.

      Project Zero would presumably just have had a quiet word with Apple.

  2. Anonymous Coward
    Anonymous Coward

    Project Zero will report bugs to relevant vendors – and no third parties.

    This (the title) was not in quotes - so an El Reg take rather than a Google promise? Why would we not assume the NSA will require Google report to them?

  3. amanfromMars 1 Silver badge

    Big Problem No 1 ...... Exploiting Software Bugs is Too Big to Fail

    Does that then mean that Google/Team Project Zero are going to go head to head against GCHQ, for are they not primes in the business of state-sponsored actor exploiting software bugs to infect your computer, steal secrets or monitor your communications. Indeed, is that information about capabilities and facilities not shared here today on El Reg, with intel available from this tale

    Or is Google and Team Project Zero going to chicken out of that task and in so doing render their lofty exhortation...... You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. ........ just choice bullshit?

    GCHQ says ..... Go on, punk. Make my day.

    1. Anonymous Coward
      Anonymous Coward

      Re: Big Problem No 1 ...... Exploiting Software Bugs is Too Big to Fail

      You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications

      I'd vote for that statement to be choice bullshit, of the same type as their Gmail "help" in which they explain that they will never allow a 3rd party to access your email, gently skipping over the fact that they themselves ARE that 3rd party.

      It's a US company, operating under US law (and no other, as it has been trying to tell us) and thus exposed to a legal system that has all but destroyed any semblance of privacy protection (yes, yes, I know there is a lot of privacy theatre at the moment with state laws, but the problem is with federal law which overrides all of that). So thank you Google, but all you're really telling us is that you really want that NSA outsourcing job.

  4. Tom Maddox Silver badge

    These are geeks . . .

    "The group's manifesto is about as difficult to disagree with as . . . regular showers . . ."

    So, highly objectionable to the geek community, then?

  5. Scoular

    Defence is always more difficult than attack.

    The defender has to think of everything but the attacker only has to find one exploit. It has always been thus.

    That is not good enough reason for not trying to defend.

    Google may actually be on the right side on this one. They gather a lot of personal data but do not seem to have a record of using zero day exploits to do it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Defence is always more difficult than attack.

      They gather a lot of personal data but do not seem to have a record of using zero day exploits to do it.

      And how, exactly, would you search for evidence of that?


    2. Robert Helpmann??

      Re: Defence is always more difficult than attack.

      Google may actually be on the right side on this one.

      No, definitely not. They are on their side, not the right side. What they are basically saying is that they don't appreciate the competition and are willing to pay top dollar to put it down.

  6. elip

    they already have the best on staff...

    They have some of the "industry's" leading researchers already employed: Chris Evans, Michal Zalewski, Niels Provos, Damien Miller, and on and on...or is this a job-fair call for recent grads?

    1. Anonymous Coward
      Anonymous Coward

      Re: they already have the best on staff...

      No, this is a way of announcing to the global marketplace that the US cloud is "safe" to do business with despite various state actors doing their best to intercept traffic and gather data.

      In other words, the more evidence that comes out that the govt agencies are in everyone's business --and it seems to be getting worse, not better-- the more global companies will pull out of the cloud, which of course is commercially lethal for Goog/Amazon/Azure etc. So, Google are trying to reassure their customer base by appearing to race to close down 0-days before the NSA and friends can exploit them.

      Nice of them to do it, but let's not assume that it's pure altruism: the survival of their business is as stake. I wouldn't be surprised if we see an industry alliance forming to share 0-days amongst the big cloud players. (Of course, how long after that before the NSA start running humint infiltration ops against researchers working for those companies? OK, I'll get my tinfoil hat.)

  7. Peter Brooks 1

    An impossible job - as pointed out in 2012

    Here's some extremely good advice on cyber-security. It's all the more remarkable because it is from 2012. It makes it abundantly clear that, if you are concerned for your security, only open source software offers you any hope at all:


    The task of finding and eliminating every significant vulnerability from a complex product is monumental. If we also consider flaws intentionally inserted by a determined and clever insider, the task becomes virtually impossible. While there is a large body of literature describing techniques for finding latent vulnerabilities in hardware and software systems, no such technique claims the ability to find all such vulnerabilities in a pre-existing system. Techniques do exist that can prove a system implementation matches a design which has been formally verified to be free of certain types of flaws. However, such formal techniques must be incorporated throughout the design and development process to be effective. They cannot currently be applied to a finished product of significant size or complexity. Even when embedded into a design and development process, formal techniques of this type do not yet scale to the size of complete commercial telecommunication systems.



    A security evaluation of potentially suspect equipment being deployed in critical infrastructure roles may seem like an answer to the security problems posed. Unfortunately, given the complexity of the telecommunications grid, the limitations of current security evaluation techniques, and the economics of vendor-financed analyses provide a sense of security but not actual security. Significant security is available only through a thoughtful design and engineering process that addresses a complete system-of-systems across its full lifecycle, from design to retirement and includes aspects such as discrete technology components, their interactions, the human environment, and threats from the full spectrum of adversaries. The result of such a process should be a convincing set of diverse evidence that a system is worthy of our trust.


    This is who said it (full document):

    1. Caesarius

      An Analogy Re: An impossible job

      I often point out that, whereas I can spend ages looking for a leak in a boat and not find it, when I put the boat in water the water finds the leak immediately. Open source makes the fight more evenly matched by allowing many more people to look for the leak. (Yes, I know that this helps the hackers too, but I reckon it improves the ratio of effort, hackers vs debuggers)

  8. amanfromMars 1 Silver badge

    Fab Fabless Brothel Keepers Wanted ..... Apply within .....

    .....Glorious Perks Dispensed while Work in Progress, Enjoinably Appreciated.

    Are Project Zero Teamsters, GCHEESE Hookers/Drones/Clones?

    Enquiring minds have a wish to know.

  9. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Yeah ProjectZero

      keep those crackers busy boys, and keep using those holes.

      Sorry to ruin your cheerleading, but FIFY.

  10. asdf

    totally offtopic

    Referring to article icon from main page and no offense to Liam Nelson but there will only be one John 'Hannibal' Smith and in my memory it will always be George Peppard.

    "In 1972 a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can hire the A-Team."

    Lol maybe I will put that my head stone even if I haven't watched an episode in decades and it was really bad 1980s TV barely a step above Airwolf.

  11. amanfromMars 1 Silver badge

    Abuse at your peril

    Yes, asdf, special forces are starting to understand the powers and control they command ... or those in executive administration of their services enjoy.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like