Hacking Google (h4ck1ng.google)
351 points by foxTN on Sept 30, 2022 | 157 comments


Way more likely US hacked Google way before China via insiders, networks, legal pressure, etc.; my response to watching the first episode:

https://www.youtube.com/watch?v=przDcQe6n5o

___________________

Links related to video:

Tech Model Railroad Club

- https://wikipedia.org/wiki/Tech_Model_Railroad_Club

Operation Aurora

- https://wikipedia.org/wiki/Operation_Aurora


The U.S. certainly hacked Google. That was part of Snowden's reveal. Remember the NSA slide with a little map of Google's networking and a smiley face indicating the weak point (assuming one had an ally with a submarine and the capability to tap undersea fiber): https://www.washingtonpost.com/rf/image_404h/2010-2019/Washi...

I think there's a pretty good chance the China thing happened first, though. That was 2009, and I like to hope that Google didn't the NSA's activity for over five years.


My understanding from someone that worked there is that they were aware of it (if not with definitive proof of who) before Snowden, which is why they started their initiative to encrypt all datacenter-to-datacenter traffic.


Googler, opinions are my own

Btw, circa 2013 for those that are interested: https://www.theverge.com/2013/11/6/5072924/google-engineers-...

From the WashingtonPost article on this, here's a TLDR:

Google didn't use to encrypt traffic between datacenters, as the lines were wholly owned by Google, so they thought they had nothing to fear. Snowden revealed that the NSA had tapped some of these fiber lines, then reverse-engineered the network encoding for protos (it wasn't the same as gRPC now uses), and were using it to decode messages going between datacenters. This ended up speeding up an effort to encrypt all network traffic on Google's network.


can you really be hacked if you were a DARPA funded honey pot from day 1? I'd say the main reason Google and many of the other big tech companies haven't faced much effort from the US government to be broken up is because federal agencies love being able to get a bunch of info on people through a single subpoena


Episode 2: Google Threat Analysis Group (TAG)

- https://www.youtube.com/watch?v=N7N4EC20-cM

Summary: Google covers how they use Google’s web crawler to build a threat analysis database, then cover how they protect users from government backed attackers using phishing by providing two-factor authentication.

Response: Strange, seems like offering end-to-end encryption would likely protect more users from government backed snooping — but then I guess that would mean Google was not able to snoop on billions of users.

Links related to video:

"Government backed attackers may be trying to steal your password"

- https://www.google.com/search?q=%22government+backed+attacke...


Here's Episode 002 Detection and Response, released within the hour: https://www.youtube.com/watch?v=QZ0cpBocl3c Probably the best one yet.


Thanks!

_______________________

EP002: Detection and Response (3rd video)

Summary: Covers Google’s Incident Response Team and targeted attacks against security experts. Links to topics mentioned in video:

- https://wikipedia.org/wiki/Union_Fire_Company

- https://wikipedia.org/wiki/Incident_response_team

- https://blog.google/threat-analysis-group/new-campaign-targe...

- https://blog.google/threat-analysis-group/update-campaign-ta...

_________________

Response: Targeted attacks and insider threats specifically for security professionals have been around forever. Fake profiles, trust-based piggyback attacks, watering hole attacks, hack the hacker, honeypots, bribes, blackmail, break-ins, etc — aka hunting the keys to the kingdom.

Prior examples:

- https://www.latimes.com/archives/la-xpm-2000-sep-19-fi-23373...

- https://www.cnet.com/news/privacy/google-china-insiders-may-...

- https://www.theverge.com/2014/2/24/5441386/ethical-hacking-o...

- https://wikipedia.org/wiki/Vault_7

- https://www.businessinsider.com/fireeye-hacked-nation-state-...


And now comes: EP003: Red Team https://www.youtube.com/watch?v=TusQWn2TQxQ (4th video, in 0th indexing)

Things are getting interesting! The next video (004) is titled 'BUG HUNTERS'. I think it refers to bug bounty programs?


Summary: Just covers Google Red Team and highlights a USB based key injection attack, paired with phishing and session jacking, ending in a failed attempt to physically enter Google.

Response: Red Teams get a lot of hype and even more rules of engagement, which results in a false sense of security.

____________

Related links:

- https://en.m.wikipedia.org/wiki/Crash_test_dummy

- https://en.m.wikipedia.org/wiki/Red_team

- https://en.m.wikipedia.org/wiki/Certified_Ethical_Hacker

- https://blog.google/technology/safety-security/meet-the-team...

- https://cloud.withgoogle.com/cloudsecurity/podcast/ep71-atta...

- https://sre.google/books/

- https://portswigger.net/daily-swig/amp/whid-elite-weaponized...

- https://opensource.googleblog.com/2020/03/usb-keystroke-inje...

- https://www.emergingtechbrew.com/stories/2022/06/14/how-micr...


EP005: 'Project Zero' https://www.youtube.com/watch?v=My_13FXODdU Obviously, this is about Zero-day vulns

In the beginning they relate this to an English castle in Normandy that was defeated when in 1204 the French attackers climbed through the latrine chute to get inside. They like to start these off with some vague connection to a historical event.

It's pretty general but does have some valuable key points despite the slick infomercial feel.


And here is EP004 BUG HUNTERS: https://www.youtube.com/watch?v=IoXiXlCNoXg


Summary: Covers Google Bug Bounty program including interviews with staff and the top bounty hunters.

Response: As mentioned in the video, Knuth’s bounty program was largely to help him feel better about publishing a book with errors; checks are largely symbolic and rarely cashed, since they’re only worth a few dollars. Similarly, the black market for bugs continues to offer higher payouts than white hat markets. It’s an issue and building communities alone around bug bounties will neither fix it, nor stop true adversaries from developing talent and technology that exceeds current capacities, capabilities, etc. Obviously, complex problem, but if Google is going to market and position themselves as a community resource for protecting people, they need to be direct and honest about the limits of reality and the constraints they’re forced to work within; for example, that their interests, nation states, etc - frequently have security concerns that conflict with user security.

_______________________

Links related to video:

- https://wikipedia.org/wiki/Bounty_(reward)

- https://wikipedia.org/wiki/The_Art_of_Computer_Programming

- https://wikipedia.org/wiki/Knuth_reward_check

- https://securitymagazine.com/articles/95726-google-launches-...

- https://wikipedia.org/wiki/Market_for_zero-day_exploits

_______________________

Meta: YouTube bug when playing video with audio is fixed. Also, appears this is the last full episode in the series; full playlist is now up here:

https://m.youtube.com/playlist?list=PL590L5WQmH8dsxxz7ooJAgm...


(Oops, Google posted another one to play list.)

_________________________

EP005: Project Zero | HACKING GOOGLE

- https://youtube.com/watch?v=My_13FXODdU

Summary: Covers Google’s Project Zero team, which is tasked with hunting zero day exploits across the internet in software, hardware, and Google products.

Response: Beyond basic information and covering already publicly disclosed zero-days Project Zero has discovered, there was not much insight into how they prioritize research or hope to bring zero days down longer even as technology changes.

_________________________

Related links from video:

- https://en.m.wikipedia.org/wiki/Siege_of_Château_Gaillard

- https://googleprojectzero.blogspot.com/?m=1

- https://en.m.wikipedia.org/wiki/Project_Zero

- https://en.m.wikipedia.org/wiki/Zero-day_(computing)

- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Can-Yo...

- https://en.m.wikipedia.org/wiki/L0pht

- https://googleprojectzero.blogspot.com/p/vulnerability-discl...

- https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...


Hacking Google to Defend Enterprises - YouTube

- https://m.youtube.com/watch?v=dhdz5VZ4S88

_________________

Summary: Chief Information Security Officer of Google Cloud, Phil Venables, covers all the teams listed in prior videos and describes how Google Cloud helps secure its customers.

Response: As an outsider watching the video series, while it is possible I misunderstood, it appears the Google Cloud CISO is the highest-level security leadership role within Google, which might be confusing to a random outsider, since generally the public thinks of Google being Google, not Google Cloud. Lastly, as evident by my posts, really wish this had been accompanied by blog posts with links. These videos are obviously targeting the general public and potential hires, but Google neither links to job opportunities nor how to submit security issues, nor provides a way generally speaking to engage them with feedback, questions, etc - of the series or Google Security in general.

_________________

Related links from video:

- https://www.google.com/search?q=google.cloud+ciso+phil+venab...

- https://cloud.google.com/security

- https://www.google.com/appserve/security-bugs/m2/new

- https://bughunters.google.com/


Hmmm... page loads, but clicking play results in an error; 76 views, 5 likes.

________

EDIT: Able to access the videos via the direct non-web links, but any of the ones with audio baked in are not accessible; the ones without audio do play. Assuming it’s a glitch and will fix itself.


*Zeroth episode :)


Is that Spencer Grammer narrating the video? The narrator's voice sounds incredibly familiar.


Are you ready? [Y/N]

Only the Y seems to work. I guess they didn't consider that someone might hit N. :)


It's funny, I hit n a few times and then entered gibberish commands and the command line just died after that. Maybe it's another exploit path...


This man (or woman) QA


I had the same thought


> CONTEST IS OPEN TO RESIDENTS OF THE 50 UNITED STATES, THE DISTRICT OF COLUMBIA AND WORLDWIDE, EXCEPT FOR QUEBEC, CRIMEA, CUBA, IRAN, SYRIA, NORTH KOREA, and SUDAN.

Ah yes, Quebec, excluded from most contests.

https://capturetheflag.withgoogle.com/rules


Quebec has a lot of rules for contests; advance registration with the government, providing them with a % of the prize value in advance, etc. Probably not worth the paperwork when dealing with them internationally.


It's not required to do so anymore for internationally based contests.

https://www-racj-gouv-qc-ca.translate.goog/communications/no...


Isn’t that where you have to answer a math question if you win?


That's not Quebec specific [0] - in fact, growing up in Ontario, it wasn't until just now that I learned that this was a Canadian thing at all.

[0] https://en.wikipedia.org/wiki/Skill_testing_question


I love that the image in the article also includes parentheses, you just know that someone had to point out that a lot of people would manage to get it wrong without them.


No it's much more byzantine than simply the skill testing question. Classic Canadian bureaucracy.

https://www.quora.com/Why-do-Canadian-contests-exclude-Quebe...


[flagged]


Are you ok?


I’m doubting if this guy is a person or an AI


Seriously. If GPT-3 produced this I would assume it had been horribly misconfigured.


It doesn't seem like an AI to me. Seems like a human that might have had a couple three beers on Friday night after work, and then wrote an HN comment. I've done it before. It can be weird ;)


Very weird way of wording it.

Also Quebec is finally on the axis of evil where it belongs, I guess.


It's because we've nationalized gambling[1], and so all gambling/contests need to be approved by the government.

1: https://portail.lotoquebec.com/en/home

https://en.wikipedia.org/wiki/Loto-Qu%C3%A9bec

https://en.wikipedia.org/wiki/Gambling_in_Quebec


> It's because we've nationalized gambling[1], and so all gambling/contests need to be approved by the government.

What you're describing (the state has a monopoly on gambling) is applicable to many other jurisdictions in US/Canada that aren't excluded from the website.


Yeah, it doesn't have to do with nationalized gambling. It has to do with strict sweepstakes laws.

* Register the sweepstakes rules and all advertisements used to promote the contest with the Quebec government at least 30 days ahead of the sweepstakes' launch.

* Pay a fee of up to 10% of the sweepstakes' value, depending on who is allowed to enter.

* Offer the sweepstakes rules in French as well as English.

https://www.liveabout.com/why-are-so-many-competitions-void-...


Nationalized lol


It's because of the all-consuming void they have there -- the Void in Quebec.


Surprised Russia isn't on the list..


Payoff was 2 potatoes, only had 1 to spare.


Yeah, right, and we know where you live, I guess.


Their laws are so terrible it's not worth the trouble. Their citizens need to vote for change.


Funny cause Quebec elections are ongoing right now and it looks like the do-nothing party is gonna stay in charge.


They didn't upset anyone or the alternative is worse. Just normal politics.


Hmm, I don't know whether that applies to H4CK1NG G00GL3 or just to the main CTF (which took place from July 1 to July 3).


This is a clever way to recruit hackers into the Google Security team. Here's some of the most useful content from the webpage:

* Episode 0: https://www.youtube.com/watch?v=przDcQe6n5o

* Challenge 1: https://hackerchess-web.h4ck.ctfcompetition.com/

* Challenge 2: https://aurora-web.h4ck.ctfcompetition.com/

* Episode 1: Coming soon


is it really though?

I was actually doing something, was a bit curious, spent 30 seconds on it and thought "well this looks like a waste of time" and then scrolled through to see the comments and now I'm bouncing and going back to what I was doing.

The people better than me wouldn't have even done that.

The best and the brightest are busy doing stuff. Why would they even come in contact with stuff like this?


This type of thing has been targeted at high school students and undergrads.

There are often cash prizes, comped travel, and companies are eager to give a lot of these people interviews. I'm fairly confident the US government is happy to shower this type of thing with money as well.

This is like ACM programming competitions. A significant number of the teams on ctftime.org represent colleges worldwide.

CTFs come with points and scores and ranks. Why do people play recreational sports? Why do people do escape rooms or puzzle hunts or any of that other stuff?

As far as methods used to solve CTF problems, the practical knowledge gained from solving many CTF problems is directly applicable to future jobs in a way that other methods (like the majority of college homework) are not. If you do CTFs, you will definitely have to write programs that interact with file formats and you will definitely have to write programs that interface with webservers, and you are very likely to get into the esoteric edge cases of various languages that will result in a fairly deep understanding of how languages work past a few reserved words and a couple data structures. There are even problems that will draw you into learning about signal processing or how punch cards used to work.


The poster who mentioned students is totally right on.

There are many students who are doing higher level work than "pros" - the best and brightest are often bored out of their minds sitting in high school, undergrad, and graduate classes.

Don't discount the younger generation just because they don't have as much experience.


>The best and the brightest are busy doing stuff.

Like CTF (what this seems to be basically) and similar hacking competitions? Competitive programming?


It's a similar relationship, yes.


I'm under the impression that CTFs are where the top security talent is harboured and discovered, though I have no data about it.


I guess. The best engineers and people I know with PhDs in computer security who can't reveal their employer really don't give a toss about games.

There's a lot of clever people that really do not care for competitive recreation. You can be a serious scholar without also being an enthusiastic puzzlemaster.

So CTF is just another form of cohort filtering masquerading as competence selection; a modern version of going for beers and golfing with a candidate and then wondering why you have a bunch of beer drinking golfers working for you.


I've got a PhD in security from arguably the best program in the world. A bunch of people in my cohort did CTFs regularly. Many of us didn't, but the idea that CTFs were only done by less skilled people is bogus. Further, security really is one of those fields where skill matters more than everything else. There really are people attending defcon that don't have any formal training but are as deeply skilled as the people who published best papers in Oakland or whatever.


> the idea that CTFs were only done by less skilled people is bogus.

And that's why it's not there.

Just about any filter, even the most arbitrary one will work some of the time.

To go back to the previous analogy, plenty of competent people like beer and golfing and plenty don't. It's about trying to recognize what's culturally myopic and extricating those signals.


I don't understand.

The parent comment said: "The best engineers and people I know with PhDs in computer security who can't reveal their employer really don't give a toss about games."

As a person who is a member of the very group you are speaking about, I find this statement to be completely non-factual.

Do CTFs identify the very best security minds? No. They are fun hobbies. But you didn't say that CTFs aren't useful for finding the very best hires. Instead you said that the very best hires do not enjoy CTFs at all. This is just straight up wrong. Both in academic and industrial circles.


"The best engineers and people I know" clearly has a selection bias and is not equivalent to "the very best hires do not enjoy CTFs at all." They're completely orthogonal.

Saying I personally know smart people who don't play games doesn't mean I'm claiming all people who play games are stupid.

This is extremely basic logic stuff here. Do you need me to draw you some pictures? I can do that


Why would this be relevant if it were just about your group of buddies? The post was obviously making a general statement about people in the industry.


No. I think the diagram would be genuinely helpful.

This is a set intersection. There's something called Venn diagrams that can help you here.

Any recruitment of a feature by a proxy can do at best the intersection of the proxy and the feature set.

That's the small overlapping slice of the diagram.

You can argue how big that intersection is but recruitment by feature, directly, is a better strategy unless the feature matches the proxy in which case it's equivalent.

So just go direct and skip the proxy.

There's a tendency to hire by games of arguable relevance these days as opposed to direct observations of work. The optimizing towards the game is fundamentally dysfunctional for team building and eventually product development.

It's not coincidental that valley tech has become more manipulation, extraction and distraction services than substantive products as a lagging indicator of this trend. (Of course there's macroeconomic forces as well. I mean, obviously, no shit)

I really can't put any more time into this


Definitely not required, but it’s a fun pastime for many. Kind of like how bullet chess relates to the professional game.


I bounced before the text finished printing.


Australian signals intelligence, Australia's NSA, does the same.

Their website has cyber security challenges and, apparently, if you complete all 12 levels you'll get an interview.

Honestly, it's pretty neat. If you hated resume bullshit, then that's a great option.


> if you complete all 12 levels you'll get an interview.

Or a knock on the door in the middle of the night and an attempted online trolling campaign, maybe with a free side of attempted fake-rumor-based reputation assassination irl too.


Strange game. The only winning move is not to play. How about a nice game of chess?

https://hackerchess-web.h4ck.ctfcompetition.com/


Exactly. They should have thought about that before they started it. But I guess they fucking didn't....

Anyway, what game should I pick up instead?


> * Challenge 1: https://hackerchess-web.h4ck.ctfcompetition.com/

is the goal to hack the chess game or the admin panel? I never know how to do these things


The goal is to find the flag, usually something unambiguous like "flag{some_kind_of_message}". There are generally no other rules to a CTF other than "don't run a scanner against us"/"don't brute force."

Analyzing and listing out ways to interact with the site will show you your surface area, although sometimes the interaction is so opaque you might have to check the "robots.txt" or other well known files.

The start button, the difficulty level, making a move, and the admin panel all offer ways to test different inputs to see if you can get unexpected output.

What inputs do they accept? What headers do they have? What encodings do they use? Are there any input checks done client side rather than server side?

Then it becomes a matter of thinking about what happens with these inputs/outputs. Did it ask for a file name? What if I feed it a file it doesn't expect? Might this input be used for a database query, how could I abuse that? Could my input or the output be marshaled? Could my input be passed to an exec somewhere? Can I find artifacts that tell me what programming languages/servers/libraries are being used? How can I probe for these things?

The people who do these for fun several times a month will often make writeups that offer hints of techniques to solve problems when the competition is done.

These are some related sites:

https://ctftime.org/

https://ctftime.org/writeups

https://owasp.org/www-project-top-ten/


I got it to prompt me for its own moves and fed it some invalid base64 and now it's completely broken unless I clear the session. That's as far as I'm really interested in going, but it was fun to play around.


I would guess the goal is to beat a world champion while playing black and get accused of cheating.


So, I solved this challenge the "intended" way instead of just using an engine. But I'm pretty sure that you could just use an engine for longer than they are. Behind the scenes it appears to just be running stockfish with a timeout of "10" (10s? Didn't check what units, seems faster than 10s so maybe 10ms or something).


It's milliseconds (well except for 0, which stockfish considers an edge case)

See: http://wbec-ridderkerk.nl/html/UCIProtocol.html , https://github.com/official-stockfish/Stockfish/issues/3720

That said I don't think a strong chess engine alone would be enough to pass this puzzle.


Mind that you're reading a comment written by a dude who got p0wned by Stockfish searching only depth 0. I mean, if you're going down the path of fighting against the AI, you do need an engine.


[flagged]


It's a pain in the ass


Well, I got the admin panel to show a completely blank page, instead of an Invalid Login message, so that's progress.


You got it to 500, which can be seen via the network dev tools console. (A place you can also right click and "Copy as cURL", to iterate on the command line faster) ^^

A 500 is almost always a good sign when it comes to hacking. Hacking is the art of finding the difference between intended behavior and actual behavior. That is pretty much the definition of a 500.
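
The same observation read from the defender's side: a client that keeps producing 5xx responses is probing for the gap between intended and actual behaviour, which makes a per-client burst of server errors a cheap detection signal. The following Python is an added example, not code from the thread or from the CTF; it parses constructed Apache/nginx "combined"-style access log lines (the IPs, paths and timestamps are made up) and flags any client that triggered a threshold number of 5xx responses inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real traffic): one client hammering an
# admin endpoint and collecting 500s, one client with a single incidental 500,
# one 404 from a crawler, and one malformed line the parser must tolerate.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Sep/2022:14:01:02 +0000] "POST /admin HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Sep/2022:14:01:05 +0000] "POST /admin HTTP/1.1" 500 0',
    '203.0.113.7 - - [30/Sep/2022:14:01:09 +0000] "POST /admin HTTP/1.1" 500 0',
    '203.0.113.7 - - [30/Sep/2022:14:01:14 +0000] "POST /admin HTTP/1.1" 500 0',
    '198.51.100.20 - - [30/Sep/2022:14:00:30 +0000] "GET /play HTTP/1.1" 200 2048',
    '203.0.113.7 - - [30/Sep/2022:14:02:30 +0000] "POST /admin HTTP/1.1" 500 0',
    '198.51.100.20 - - [30/Sep/2022:14:03:00 +0000] "POST /move HTTP/1.1" 500 0',
    '198.51.100.20 - - [30/Sep/2022:14:03:10 +0000] "POST /move HTTP/1.1" 200 64',
    '192.0.2.9 - - [30/Sep/2022:14:04:00 +0000] "GET /robots.txt HTTP/1.1" 404 -',
    'garbage line that is not an access log entry',
    '203.0.113.7 - - [30/Sep/2022:14:05:00 +0000] "GET / HTTP/1.1" 200 1024',
]

# client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def find_probing_clients(lines, threshold=3, window_seconds=300):
    """Return {ip: peak 5xx count in any window} for clients at or above threshold.

    Uses a sliding window over each client's sorted 5xx timestamps, so a slow
    trickle of errors spread over hours does not trip the same alert as a burst.
    """
    window = timedelta(seconds=window_seconds)
    errors = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and 500 <= rec["status"] <= 599:
            errors[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in errors.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside the window.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_probing_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} server errors within 5 minutes; review its requests")
```

With the defaults the constructed log flags only 203.0.113.7 (four 500s in under two minutes); 198.51.100.20's lone error stays below the threshold, which is the point of counting bursts per client rather than alerting on every 500. In practice the same loop would run over a log tail or be expressed as a query in whatever log platform is in use; the windowed count is the part worth keeping.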


Well I got the admin menu to show up. Still lost the chess game though (my chess skills need work).


A little bit of python and some stockfish could probably improve your play dramatically!

https://github.com/official-stockfish/Stockfish


Lol I thought about it. Thanks for the reply.


Any tips?

I tried brute forcing the login admin panel but no luck yet.

What username should I use? I tried all the basic ones and can't get it to display anything besides "Invalid Login!".


It sounds like you've tried [a-zA-Z]* usernames in an attempt to see if you could guess a username. It probably says "Invalid Login!" no matter what is guessed.

What do you imagine the code that takes the logins eventually does? It seems likely that the username and password will end up in a query against a database to see if the user is valid and (theoretically) if the hash of the password matches the stored value.

What kind of input could you try to see if that behavior is done securely?

This is a good site to start learning about security: https://owasp.org/www-project-top-ten/

Injection will be the most immediately relevant.
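
To make the reasoning in the two comments above concrete (mapping an input to the query it ends up in, and checking whether the login handles it securely), here is an added Python example that is not from the thread and knows nothing about the CTF's real backend; the schema, the in-memory SQLite database and the account are constructed for illustration. It places the defective pattern, splicing user input into the SQL text, next to the parameterised form, and shows both what an unbalanced quote does (a database error, which an unhandled web app surfaces as the blank 500 page described earlier in the thread) and why only the parameterised version keeps the query's structure fixed.

```python
import hashlib
import hmac
import sqlite3


def hash_password(password):
    # Plain SHA-256 is a stand-in for this demo; a real system uses a slow,
    # salted password hash (bcrypt, scrypt, Argon2). The injection point is
    # the same either way.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table; the CTF's real schema is unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", ("admin", hash_password("correct horse"))
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The defect: username is interpolated into SQL, so quote characters
    change the shape of the statement instead of being treated as data."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{hash_password(password)}'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A malformed statement raises here. A web handler that does not catch
        # it answers with a 500: the "difference between intended and actual
        # behaviour" that tells a tester the input reached the query.
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("invalid", None)


def login_safe(conn, username, password):
    """Parameterised query: the driver sends username as a bound value, so the
    statement structure is fixed no matter what characters the input holds.
    The hash is compared in constant time rather than inside the query."""
    row = conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], hash_password(password)):
        return ("invalid", None)
    return ("ok", row[0])


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal login, a single stray quote, and a quote
    # followed by a SQL comment marker (the textbook OWASP injection case).
    for user, pw in [("admin", "correct horse"), ("admin'", "x"), ("admin' --", "anything")]:
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```

Running it shows the progression the comment hints at: the vulnerable handler returns a database error for the stray quote and accepts the comment-terminated username with any password, while the parameterised handler treats both inputs as an unknown account and returns "invalid". The fix is the second function, not input filtering: bound parameters remove the class of bug rather than one payload.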



Just FYI (and with minimal spoilering), antivirus hates the file that the tool lets you search through in challenge 2.


>This is a clever way to recruit hackers into the Google Security team.

I can't help but wonder how effective something like this actually is. I'm trying to not be overly negative, even though I have nothing nice to say about the company. I just find it really hard to believe that anyone would be sincerely excited to work at a place like Google.

I mean, I'm sure the pay and benefits are good for the moment, but it just seems like an unethical move, you know? Drug dealers make tons of money, but it doesn't really entice smart or ethical people to the profession in large numbers. Is wrapping it in some shallow webpage supposed to push people over the edge for some queer reason?


I mean, it's pretty easy to tell yourself google maps is a social good (because there are lots of good arguments that it is!).

Similarly, there are lots of reasons why improving the security of google is a good thing _even if_ you think google itself is evil.


> Similarly, there are lots of reasons why improving the security of google is a good thing _even if_ you think google itself is evil.

Especially when you consider the fact that a lot of stuff that Google security researchers do directly affects and influences (for the better, I'd say) the current industry too. See: Project Zero team, etc.

Disclaimer: I work at Google. Opinions are my own, etc etc


> a lot of stuff that Google security researchers do directly affects and influences (for the better, I'd say) the current industry too. See: Project Zero team, etc.

Yeah, and a lot of stuff that Google security researchers do directly affects and influences (for the worse, I'd say) the current (and future) users.


Perhaps. Security teams in general (including the ones at Google) are in the business of compromises. Sometimes they end up making the wrong ones. Many of the people I know who are at Google joined, at least in part, to be in a position to help the company do better.

Disclaimer: I work on security there.


Never mind google maps, its pretty easy to tell yourself google project zero is a social good.


> Drug dealers make tons of money, but it doesn't really entice smart or ethical people to the profession in large numbers.

Assuming the ethical premise as given, you are really glossing over the difference in potential consequences between doing something unethical and something illegal. Specifically the part where the latter can leave you locked up for life.


That's a fair point.

Whether by ignorance, stupidity, or mere indifference I draw little distinction between ethics and legality. This isn't to say that there isn't a difference, but rather that I mush both together because of the three points mentioned.

Generally speaking, just because something is legal should not make it right, in the same way that something being illegal, merely by the fact of it being written and codified, does not make it wrong. To put a point on it: I think that some of the actions that Google has taken should have and still should result in prison sentences. As far as I am aware, they have not. That being the case, I certainly would not classify a drug dealer who is not currently in prison being free of wrongdoing.


I think these sort of things are the security equivalent of a company having a really good engineering blog. It probably won't directly lead to new hires, but increases mind share in the long term.


I suppose that's a fair assessment. Thanks!


> I just find it really hard to believe that anyone would be sincerely excited to work at a place like Google.

> but it just seems like an unethical move

Whether you can empathize with it or not you must realize that of course people are sincerely excited to work at Google?

As for the ethics, at Google security you may be in a position to have some of the largest impact on the most people's personal security. You can say "oh but Google sells ads based on that data" - OK, and you might have a serious problem with that, but the person who's making sure that malicious 3rd parties can't read the GMail accounts of journalists probably doesn't see that as a deal breaker.

A lot of people also don't have the luxury to make these choices based on a purely ethical basis. If you're sending money back to your family back home is it a straightforward ethical question of "well Google sells ads, so my family has to starve" ?


> but the person who's making sure that malicious 3rd parties can't read the GMail accounts of journalists

But the friendly 3rd party has no issue reading the GMail accounts of journalists. Remember the "Doctor" incident some months ago ?


No, I don't know what you are referring to.


When dad got arrested because he sent pictures of his child to the doctor.


Not trying to be an asshole but can you just provide a source and try to make a clear point? Otherwise this conversation is like pulling teeth.


I'm guessing the story was this: https://archive.ph/78Pla

and the point is that it's cold comfort getting protected from MITM when the person protecting you openly acts as a MITM


Yes, this is just how CSAM detection works.


I suspect that if you work at Google you have plenty of other career options before reaching the point where your family has to starve.

And to the journalists out there who are hypothetically using gmail to communicate with confidential sources: please stop.


Journalists can make personal choices but they are not always in a position to mandate the methods of communication used by the people they talk to. This is similar to why “use a dumb phone and never connect to the internet” is not a feasible solution for those targeted by state-sponsored attacks.


The parent comment was about protecting journalists' inboxes. They are absolutely in a position to avoid using Gmail to secure their end of the communication and you would hope that they are well enough informed to steer their sources towards more private options, too.


> I suspect that if you work at Google you have plenty of other career options before reaching the point where your family has to starve.

Not always.

> And to the journalists out there who are hypothetically using gmail to communicate with confidential sources: please stop.

Uh, no.


> Not always

Really? What circumstances lead from someone going from Googler to unemployable?

> Uh, no

Uh... because it's the best option available?


> Really? What circumstances lead from someone going from Googler to unemployable?

I didn't say unemployable. But maybe other jobs aren't paying as well or you don't have time to shop around.

> Uh... because it's the best option available?

It's a pretty good one


> maybe other jobs aren't paying as well or you don't have time to shop around

Sure, but there's a lot of distance between "I would have to take a pay cut" or "interviewing is time-consuming"(?) and "I have to do this or my family will starve to death". If that seems like a high bar to pass, that's the one that you set.

I'm not necessarily criticising people's choice to work for Google. I'm definitely not saying that every Googler should quit immediately. What I am saying is that there are people out there legitimately doing jobs because the only other option is their family going hungry. Silicon Valley software engineers are not in that category.

> It's a pretty good one

But if we're talking about journalists' ability to protect the information and identity of their confidential sources (again, a bar that you set), of all the options available, Gmail is not a pretty good one. And if you are dealing with information whose security can affect people's lives and livelihoods, then "pretty good" isn't the sort of standard you should be working towards anyway.


Of course. Many people are not supporting a starving family, many people can take other jobs. I'm only trying to demonstrate there is a grey area.

> But if we're talking about journalists' ability to protect the information and identity of their confidential sources (again, a bar that you set), of all the options available, Gmail is not a pretty good one.

I disagree. Gmail is an incredibly secure mail service and is a fine way to perform some communications - in particular, while something like Signal may be ideal, Gmail can have a much better UX around initial contact.

Even if it weren't, it really doesn't matter, journalists do use it and they are targeted. But again, journalists are just an example, there are hundreds of millions of people using gmail - protecting them is something one could very easily consider to be ethical.


> I'm only trying to demonstrate there is a grey area

I'm not disputing that people are supporting their families. I'm not disputing that finding another job is a PITA. The grey area that I am trying to demonstrate is that every single Googler has more career options than "continue working for Google" or "let my family starve to death"

> Gmail can have a much better UX around initial contact

I have no idea what this means. An email is an email, no?

> there are hundreds of millions of people using gmail

No argument there. And I'm not saying that securing their inboxes isn't worthy work. My original comment was directed to the hypothetical journalists who use Gmail for professional communication - it had nothing to do with the hundreds of millions of other users. They should be using E2E encrypted communications with confidential sources and encouraging their sources to do the same. That's just part of being a responsible professional in that line of work.


> I'm not disputing that people are supporting their families

Literally just the very post before by you:

> What I am saying is that there are people out there legitimately doing jobs because the only other option is their family going hungry. Silicon Valley software engineers are not in that category.

This is incoherent.

Whatever point you're trying to make is not coming across and doesn't seem important. The initial point I made was that "is anyone excited to work for Google?" is a hilariously naive point of view both in terms of the obvious fact that they often are, and also in terms of a basic ethical framework. I gave examples. Nitpicking them isn't important because there are a million other examples.


> This is incoherent.

I'm sorry you're having trouble following this. I agree that the original "nobody could be excited about working for Google" is a weird and most likely wrong assertion. But answering it by inventing a sub-class of Google workers whose only options are a) keep working for Google or b) let their family STARVE TO DEATH is not very helpful.

My original comment ("I suspect that if you work at Google you have plenty of other career options before reaching the point where your family has to starve.") really said it all. You have every right to be contrary, but it's more interesting if you stick to the topic and don't introduce fanciful edge cases.

Yes, there are Googlers who are supporting their families. No, that is not their only option.

Maybe there are journalists using Gmail for what should be confidential communication. No, they should not be doing that.

Call that nitpicking if you like, that's fine. They seem like simple, fundamental points to me. This thing that you've done a couple of times in this thread of refusing to see a very simple point and then complaining that it isn't "coming across" doesn't really do much to progress the discussion.


I'm curious as to the main reasons you believe that Google is an unethical and bad company. Is the tracking of everything its users are doing the main reason, or are there other things?


I'm not particularly interested in talking about such things. It's clear that we don't agree on that point, which is fine. My concern was (attempting to) focus more on the effectiveness of the program in question.


Do you legitimately think that this tracking is only used for improving the search engine and serving ads? Just asking.


What else do you think it would be used for? Are we talking about another capitalism pursuit, or do you think there's something darker going on?


I work at Google. Nice to meet you. My day job involves making security tools and systems freely available to the entire world in a way that makes Google exactly zero dollars and basically just exists to make the landscape of software a bit safer for everybody.

I can understand why some people wouldn't want to work at Google. I cannot understand how somebody couldn't understand how anybody would want to work at Google.


Google chat bots make more sense than this post, so maybe that’s your clue right there.


Responding to comments that you think aren’t appropriate with your own invective is not particularly appropriate either.


What is up with people here trying to sound like hectoring kindergarten teachers? The post wasn’t inappropriate, it was just nonsense.


This was my polite way of saying “don’t reply to bad comments with even worse comments”.


The irony of you repeatedly doing what you’re telling me I shouldn’t do is forever lost on you.


I don't recall comparing your comments with a chat bot but go off. Or, well, I'd prefer it if you didn't. Sometimes my replies get people to stop but if you'd like to not be in that group I guess I can't stop you.


What about Google do you think makes working there comparable to pushing drugs? Legitimately curious.


No respect for the end user from both. Google only cares about your data.


This chain is pretty wild to me. I don't know if I'm just too pragmatic, too close to people whose lives have been ruined by drugs, or too much of a big tech apologist - but it seems impossible to me to draw any parallel between drug dealing and working at Google. And I'm just talking ethically - to say nothing of legally.

Maybe I'm a consequentialist and you're more of a deontologist? I see a big distinction between "I lost my money, my home and eventually my life" and "I feel my privacy has been infringed on at a conceptual level in the pursuit of ad sales". Do you think there are Google products out there that are actually harmful and ruining people's lives in a concrete way? I would love to hear about how, if yes.

The other interpretation is you have a much higher estimation of drug dealers than I do. No dramas with people dealing pot or pills, I'm talking meth and heroin.


"Drug dealers" are the result of regulatory failure - the war on drugs, and a failure of government to provide proper healthcare. People want drugs - no doubt there are some unscrupulous, or evil drug dealers, but it's certainly not a question of some evil cabal poisoning society, it's rational market actors working to meet a demand. Don't hate the player, hate the game.


No respect for the end user? Drug dealers can be some of the realest people out there :)


Thanks for the link. Just finished Episode 0. Those were some solid classic puzzles based on PHP and Perl. I'm not sure if they are still relevant though.

Unfortunately, I don't have time for the contest. Gotta go for a dinner with my family. I'm not a guy who aims for speed, so it's unlikely that I would win a prize anyway.


The real prize is the challenges you solved along the way.


Great stuff! No need for speed, just for enjoyment.


I agree. No need to bring drugs in to this to win.



Weird, it's not letting me promote my pawn even though it looks like a valid move (unless I suck at chess and it's not valid for some reason).

The first challenge was fun, but I'll probably stop there since I really don't have the patience to do the more complex stuff (at some point debugging computers just feels like work even though I don't work in security at all haha).


tl;dw: The videos are essentially a Google infomercial.


I thought it was a fascinating and well produced history of Project Aurora and how it went down at Google. It was a massive attack, and the reason Google pulled out of China.


Is that Spencer Grammer (Summer from Rick and Morty) doing the voiceover?


I'm pretty sure it is. I honestly have a hard time taking it seriously when I'm imagining a sarcastic teen saying all of this


Are you ready? [Y/N]

> N

command not found: N


Can i register my own .google domain name?


Yes/No? Yes. The only catch is that you must be a Google employee, and you need a .google domain for a reasonable cause.

Practical answer: of course, not!


Would love to see a googler brave enough to register and publish http://unionize.google


They use this honeypot to weed out all of the non-security people.


Reminds me of Google Foobar


As an infosec professional my job is to protect end users from threats to their digital security, privacy, and sovereignty. To show them how to meet their digital needs without being manipulated or exploited. This ethical model is simply incompatible with surveillance capitalism.

Google has the hard job here of finding people highly experienced in security that lack strong ethical convictions yet also do not have a strong history of criminal behavior.

Probably not many of those left to hire.


It's funny how cyber security appears to marinate itself in an aesthetic we used ironically 15-20 years ago. These people are trying really hard to become the stock photo hooded hacker. To me it's as ridiculous today as it ever was and doesn't exactly inspire confidence in the industry.


> aesthetic we used ironically 15-20 years ago

We didn't use it ironically 25 to 30 years ago. If you ever connected to a BBS, or used Windows 1.x, it was exactly like that.


I played Quake online, and I can assure you that everybody was using leet speak non-ironically at the time.


What makes you think the people today don’t enjoy the irony just as much as you did all those years ago?


I just get the impression that it's lost on a lot of people new to the industry. The industry uses this aesthetic (for lack of a better word) to market itself and attract talent (as evidenced by TFA). There's almost a subcultural element to it. I've seen perfectly dull boomer engineers go away to security conferences and come back with stickers on their laptops and looking like Lisbeth Salander.


Well… I wear a hoodie most days.


What fashion has started from hackers? They have bad posture, and they don't go out. I wish I had a hacker boyfriend - they stay at home up in the bedroom.

John Waters


You know, I was told to watch the movie Hackers if I need an idea for a challenging exploit... and that works most of the time.


Are you from the east coast?


If you think you are that smart, you shouldn't work for Google and similar companies.

Reminds me of the ending of Will Hunting (the movie).


If you're smart you'd make Google work for you ;)


Maybe if google spent this much time on their products they wouldn’t need to cancel nearly everything they launched over the last decade.


The only product of Google is data from other people. Everything else (search engine) are just side projects.

