By Praveen Kannan and Anna Strokolyst
The Hotspot Shield team believes the internet should be open and secure …
The Internet is a dangerous place. There are all kinds of malware that could infect your devices and steal your data.
Google’s Project Zero aims to make the Internet more secure so that users have less worry about the bad guys of cyberspace. What exactly is Project Zero, and will it really help?
Project Zero: The Idea Behind It
In mid-July, Chris Evans of Google said on the company’s security blog, “You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications. Yet in sophisticated attacks, we see the use of ‘zero-day’ vulnerabilities… Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks.”
Zero-day bugs are a big deal, as the Heartbleed bug fiasco illustrates. Zero-day doesn’t mean that a software flaw is brand new; it means that the programmer has had zero days to fix the problem, so no patch is available when the flaw is exploited.
Google’s goal? To make sure there are zero—well, next to zero—zero-day attacks.
The announcement of Project Zero drew understandable applause from the Internet security crowd. The project is not just about Google; it is about the Internet as a whole, so the Project Zero team will not limit its bug hunting to Google products. It will cover any software that a large number of people use.
This is not the first time that Google has stood up as a champion for safer cyberspace. They already use strong SSL encryption for their applications such as Search and Google Drive, and they played a role in exposing the tyrannical Heartbleed bug.
Eyes on Transparency
Project Zero puts clean windows between the team and software vendors. As soon as Google discovers a vulnerability, it will report it to the software vendor but not to any third parties. In most cases, details of the bug will be kept from public eyes until a patch is available. As the company says on its security blog, “We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time.”
This focus on openness is in line with Google’s past activities. Earlier this year, the famous hacker George Hotz picked apart Google Chrome’s defenses. Instead of trying to sweep Hotz under the rug, Google gave him a pat on the back in the form of $150,000 and later, a job offer. This contrasts with other companies whose products met with Hotz’s genius; Sony sued him, and AT&T ignored him.
Will Project Zero Prompt Companies to Act?
Since Google will share information about bugs only with software vendors, this raises a question: if the public doesn’t know about a bug, will companies want to devote resources to fixing it?
Google took that potential issue into account when formulating the plan for Project Zero. It will give a company 60-90 days to come up with a patch and make it available to customers before Google discloses the bug on its own initiative. When Google finds that a bug poses an active threat to Internet users, it will push the company to come up with a solution much faster. Chris Evans, quoted on wired.com, says, “It’s not acceptable to put people at risk by taking too long or not fixing bugs indefinitely.”
The Project Zero Team
So, who are the ones wielding the swords on the Project Zero team? Google is still hiring, but it already has some geniuses on board. George Hotz, mentioned earlier, is one of the project’s stand-out members. Working alongside him are Ben Hawkes, who has unearthed several bugs in major software programs; Tavis Ormandy, who recently made noise by showing how flaws in antivirus software pose a big threat; and Ian Beer, who found bugs in some of Apple’s most popular products.
The team will fill out soon and will have more than 10 members working feverishly at Google’s Mountain View headquarters to expose zero-day flaws.
Will Project Zero Really Make the Internet More Secure?
All of the foregoing might make Project Zero seem like a dream initiative. It has noble goals, lots of thinking power, and the backing of one of the world’s biggest companies. However, it isn’t exactly a knight in shining armor swooping in to save the day.
Google is taking on both government spies and criminals—people who know how to fly under the radar. As the Techworld blog points out, “Google is right to take on this cartel but for it to become more than an interesting idea it needs others including Microsoft to do something similar. A single company, even one as large as Google, will never be enough to put a dent in a problem that spans everything from Heartbleed to everyday flaws.”
Without stronger regulatory measures, a completely secure Internet is out of the question for now, despite the efforts of well-intentioned companies such as Google. However, their efforts may prevent some carnage and create less collateral damage on the battlefield.