Google’s been under the pump – a bit, anyway – over its Project Zero.
If you’ve missed the controversy, it goes something like this:
- Google’s bug-hunters find an exploitable vulnerability in your code.
- Google tells you about it.
- You get 90 days to make and ship a fix.
- If you fail to make it in time, for whatever reason, Google tells the world how to use the exploit.
If you're a critic, you'll consider this unfair.
Google is hanging a Damocletian zero-day over the heads of engineering departments, coders, QA teams, companies, shareholders.
No excuses, no extensions, not even a glimmer of human compassion: a computer does the countdown, and a computer presses the button that drops the 0-day.
If you're a proponent, you'll argue that Google is trying to squeeze us all, including itself, to get more real-worldly at fixing things.
Nothing like a bit of no-nonsense, non-negotiable pressure to focus your mind, and to weed out those companies that tend to sweep vulnerabilities under the carpet to avoid the effort of fixing them.
No excuses, no political favours, no inconsistent human judgment that cuts favours to some wheedling vendors yet drops the anvil on others: a computer does the countdown, and a computer presses the button that drops the 0-day.
What do we think?
Over the past month or so, Chester Wisniewski and I have discussed these issues from various angles in our weekly Sophos Security podcast, the Chet Chat.
Here’s what we said about Project Zero at the back end of January 2015, in Episode 182. [Relevant content runs from 6’29” – 8’00”]
We concluded with these words:
PD. If the Motor Vehicle Licensing Authority can give me two weeks' grace when my licence disc expires, Google could have given Microsoft two days. Wouldn't you say?
CW. Seems like it.
Apparently, either great minds think alike, or Google’s Project Zero team not only listens to, but is also influenced by, the Chet Chat!
In a recent posting on Google’s Online Security Blog, the company announced some changes:
- Two weeks’ grace. If you have a patch coming out in a two-week window after the 90-day deadline, and you let Google know, they’ll give you an extension.
- Weekend and holiday deferral. If the 90 days would expire on a weekend or a public holiday, you get until the next working day.
That’s only US weekends and public holidays, by the way.
So if you’re a company which operates out of another country – Ireland, say, or The Netherlands – and that’s where most of your coders, and your customers, are, bad luck: many of your public holidays aren’t going to line up.
And if you genuinely are working on a patch but are going to be 15 days late getting it out, you won’t get the two weeks’ grace in return for actually having made some progress.
Whither disclosure?
The strange thing in all of this, which I hadn’t realised until right now, is that Project Zero doesn’t entirely remove politics or inconsistency from the disclosure period, as some proponents have argued.
As Google reminds us:
We reserve the right to bring deadlines forwards or backwards based on extreme circumstances.
In short, Google is determined to keep dropping zero-days, including proofs-of-concept, in its own way, whether you’re ready or not, in the belief that this will ultimately benefit the good guys more than the crooks.
Maybe a bit of pressure is good for us all?
Of course, if it turns out that the X-day squeeze works well, by induction, perhaps an (X-1)-day squeeze ought to work even better?
Place your bets in the comments below.
How long until the accepted zero-day droppage period is down to 45 days? 14 days? 7 days?
When Google first did that to Microsoft, my first thought was, OK, Google, please explain to me how this is not Evil. With the adjustments made, I think they have a better case.
Here are some examples of extreme circumstances that I hope would justify Google’s moving the deadline. Moving it forward would only be if the company responded, “Whatever, we really don’t care.” I don’t think anyone will ever say that, but the rule is there for that case. Moving it back could be for the case such as, “We acknowledge this is a serious security bug, but fixing it will require a very low-level change. It will take six months to make the change and fully test it. If we try to rush the process, innocent users could suffer from insufficient testing.”
I am more than happy for Google to extend Zero date, as long as the Bad Guys also agree to the same extension... point taken?
If, by the “bad guys,” you mean “the people who found the vulnerability and produced a working exploit,” in this case, you’re talking about Google. So, in this case, both sides of the equation (the reporter of the hole and its discoverer) *are* agreeing to the same extension, pretty much by definition.
Perhaps. But, I think it’s likely that Google is also analyzing traffic through its search engine looking for exploit patterns, in addition to old-fashioned penetration testing. After all, the bad guys use Google’s search engine, too. (It’s even called out in “Hacking Exposed”, and it’s where I get some of my penetration techniques!)
Just for my own clarification please. My understanding was essentially that if you search for vulnerabilities on a site without the consent of the site owner, then you are violating the various anti-hack laws (yes, I understand they are very weak to begin with) currently on record. As such, how can Google (or any self-appointed NGO task force) legally search out these vulnerabilities, and how are they avoiding legal trouble by finding and publicizing them?
Please note that I’m not necessarily against this, I’m just not sure how they are allowed to do it.
Thanks for any clarification.
Actually, there are ways to get past those restrictions. For example, just create your own network that emulates whatever you’re cracking.
Copyright restrictions, though, may be a show-stopper. Almost every license agreement I’ve ever seen has a no-decompile, no-crack clause in it. Vendors hit with this could sue based upon the methods used to learn about the hack.
Personally, though, if I were Microsoft or another software vendor, I would make a deal with Google. LET Project Zero try to crack it, but give me time to fix it based on MY schedule, not Google’s. I suspect this is the way it will eventually end up happening, once someone realizes the legal issue here.
Generally speaking, Project Zero is about finding bugs in software, not on other people’s live systems. So provided that you don’t use live systems for your research without permission, you should be good to go.
(The problem with using a live system is that you might break it – a DoS attack – or access something you weren’t supposed to be – an Info Disclosure attack – or cause some other sort of unexpected and deleterious side-effect. So permission is required.)
Surely there is not an issue with publishing the basics of a vulnerability, such as would appear in a CVE. The issue comes with publishing exploit code or “Proof of Concept” information that would immediately allow attackers with limited knowledge to take advantage of the vulnerability. Surely publishing such malicious software should count as an offence under most jurisdictions.
Google, are you now opening backdoors for hackers?
If Google has a security issue itself, do you think they will be reporting it for all the world to see? LOL.