00:00:01
[Narrator] This
00:00:01
is Donald Knuth.
00:00:03
[♪ classical music ♪]
00:00:04
[slides click]
00:00:06
Professor.
00:00:07
[slides click]
00:00:08
Author.
00:00:09
[slides click]
00:00:10
Math savant.
00:00:11
[slides click]
00:00:13
[♪ dramatic organ music ♪]
00:00:15
Pipe organist.
00:00:17
And this
00:00:18
is Donald Knuth's
life's work,
00:00:21
"The Art of Computer
Programming"
00:00:23
clocking in at well
over 3,000 pages.
00:00:27
It's considered by many
00:00:28
to be a founding text
of computer science.
00:00:30
[♪ rousing classical music ♪]
00:00:32
Bill Gates once said, "If
you can read the whole thing,
00:00:35
send me a resume."
00:00:37
[mouse clicks]
00:00:39
[film projector rolls]
00:00:40
[♪ upbeat music ♪]
But in 1964,
00:00:42
when Knuth was
still in the middle
00:00:44
of writing volume one,
00:00:45
there was no guarantee
00:00:46
his opus would ever
see the light of day.
00:00:48
[film projector rolls]
00:00:49
That's because the same
perfectionist streak
00:00:52
that drove Knuth
00:00:52
to analyze his
college basketball team
00:00:55
and optimize his
home's kitchen
00:00:56
around the trash can
00:00:57
was getting in the way of
actually publishing anything.
00:01:01
Checking and
rechecking every page,
00:01:03
Knuth blew through
deadline after deadline.
00:01:06
His editor demanded progress,
00:01:09
his family missed him
00:01:11
and still, volume one
remained unfinished.
00:01:17
Finally, he arrived
at a solution.
00:01:20
If he could not make
his book perfect,
00:01:22
he would make it perfectible.
00:01:24
And so on page 12
of the preface,
00:01:26
he added a
short note.
00:01:28
[typewriter keys clack]
00:01:28
"I will greatly appreciate
receiving information
00:01:31
about any errors
noticed by the readers
00:01:34
so that they may be
corrected as soon as possible
00:01:37
in future editions."
00:01:41
[paper rips]
00:01:41
It worked.
00:01:42
[♪ upbeat music ♪]
00:01:43
As soon as the book hit shelves,
00:01:44
error reports started coming in.
00:01:46
Mathematicians corrected
flawed equations.
00:01:49
Nitpickers pointed
out punctuation errors.
00:01:51
With each find,
00:01:52
Knuth mails out
a reward of 256 cents.
00:01:56
That's 1-0-0 in hexadecimal,
00:01:59
in case you didn't know.
00:02:00
So far, Knuth's got more
00:02:02
than $22,000 worth of checks.
00:02:05
They've even become a bit
of a collector's item.
00:02:08
More get framed than cashed.
00:02:10
And with each new
edition of his book,
00:02:12
fewer and fewer errors remain.
00:02:16
Flash forward to today,
00:02:18
and the software
engineers responsible
00:02:20
for the apps and services
00:02:21
billions of people rely on
00:02:22
face a conundrum
similar to Knuth's.
00:02:25
[traffic noises]
00:02:26
[machines buzz]
00:02:27
[keyboard clicks]
00:02:29
How do you make
your code perfect
00:02:31
without delaying
progress indefinitely?
00:02:35
You follow in Knuth's footsteps
00:02:38
and start rewarding the people
that hunt down your mistakes.
00:02:52
[♪ anthemic music ♪]
00:02:53
When it's your job to keep
billions of people safe online,
00:02:58
you have to live and breathe
00:02:59
and see the internet just
like the attackers do
00:03:03
because the only
way to stop a hacker
00:03:06
is to think like one.
00:03:19
[♪ soft music ♪]
00:03:26
This is Eduardo Vela,
00:03:28
Security Engineering Lead
at Google.
00:03:30
[Eduardo] Yeah. Hello. [laughs]
00:03:32
[Narrator] Eduardo doesn't
have a Knuth check,
00:03:34
but he has found
thousands of errors
00:03:36
in all kinds of software,
00:03:37
including Google's.
00:03:39
[Director] Does Google
have bugs?
00:03:40
[Eduardo] Sure. Google has bugs.
00:03:41
Google has vulnerabilities.
00:03:43
Everything that we
do in everyday life
00:03:46
that relates to software,
00:03:48
we are putting some trust
00:03:50
on whoever wrote that code.
00:03:51
[♪ upbeat music ♪]
00:03:57
We as Googlers,
00:03:58
we recognize
the responsibility
00:04:00
of the faith that
people place in Google.
00:04:05
We have a team of people
00:04:07
that will look at the codes,
00:04:08
that will look at the products
00:04:10
and we look for bugs.
00:04:12
But then inevitably,
00:04:13
there is going to be something
00:04:15
that we didn't know about.
00:04:18
[Narrator] Coming up with
new ways to keep bugs
00:04:20
out of Google's code
is a full-time job.
00:04:22
One that's held
by Christoph Kern,
00:04:25
Principal Engineer on Google's
Security Foundations Team.
00:04:28
He knows more about bugs
than just about anyone.
00:04:31
[Christoph] There's basically
two kinds of bugs.
00:04:32
There's functional bugs
00:04:33
where the program just
doesn't work correctly,
00:04:35
like some UI element.
00:04:36
You click on the button,
00:04:37
nothing happens,
00:04:38
that kind of thing.
00:04:38
[error noise]
00:04:40
And then there's security bugs
00:04:41
where the program
doesn't work correctly,
00:04:43
but it has a security
implication where,
00:04:45
for instance, somebody else
might be able to get data
00:04:48
that they're not
supposed to have.
00:04:49
[♪ soft music ♪]
00:04:50
[Narrator] He's talking
about bugs like...
00:04:52
[Christoph] Memory
corruption vulnerabilities,
00:04:54
buffer overflows,
00:04:55
injection bugs,
00:04:56
cross site script injection,
00:04:57
SQL injection,
00:04:58
predictable identifiers,
00:05:00
various authorization
vulnerabilities.
00:05:03
I don't know.
00:05:04
Let's leave it at that,
maybe. [laughs]
00:05:06
[Narrator] Fair enough.
00:05:07
But if we already know
about all these bugs,
00:05:09
why do they keep popping up?
00:05:11
[Christoph] One
particular challenge
00:05:13
with a software
that's being delivered
00:05:14
over the internet is that
it's so malleable, right?
00:05:18
Many web-facing
applications basically
00:05:20
get delivered a new
version every couple weeks
00:05:22
or even every week.
00:05:23
So the software is
constantly changing.
00:05:25
Every time there is a change,
00:05:26
there is a possibility of
introducing a subtle flaw
00:05:29
that could potentially
have security implications.
00:05:31
[Narrator] So
change causes bugs
00:05:33
and code is always changing.
00:05:36
Faced with this problem,
00:05:37
there are two approaches
companies can take:
00:05:40
hope no one finds their bugs
00:05:42
and threaten to
prosecute those who do,
00:05:46
or think like Knuth
00:05:48
and ask the
community for help.
00:05:50
[♪ suspenseful music ♪]
00:05:52
[Camille] So there are a
lot of people who,
00:05:54
for the intellectual
stimulation of it all,
00:05:57
tend to search for
vulnerabilities in systems.
00:06:02
[Royal] When you
think back to this
00:06:03
community of hackers,
00:06:05
one of the things
that they
00:06:06
loved doing
00:06:07
was finding something
00:06:09
that no one else
has found before.
00:06:12
[Tim] I think it
just comes from
00:06:13
an innate sense of curiosity,
00:06:16
wanting to figure
out how things work.
00:06:18
[Eduardo] Literal
translation of hacker
00:06:19
in Spanish is
00:06:21
"pirata informático,"
00:06:22
which means
"information pirate."
00:06:24
I think it represents
better what we do
00:06:26
when we talk
about bug hunting
00:06:27
or vulnerability researchers.
00:06:28
You are looking for clues,
00:06:29
you're looking for hints
00:06:30
and you're trying to
chase weird behavior
00:06:32
into something that is like
a bug or vulnerability.
00:06:35
That's why it's
called bug hunting
00:06:37
and yeah,
00:06:38
it's like hunting
00:06:39
[laughs] for bugs.
00:06:43
We have this program
00:06:44
called a Google
Bug Hunters Program
00:06:46
in which we ask
people in the world
00:06:48
that are able to
find security issues
00:06:51
to tell us about it.
00:06:52
[Narrator] Across more
than 100 countries,
00:06:55
thousands of amateur and
professional hackers alike
00:06:57
have answered the call,
00:06:59
filing thousands of
bug reports every year.
00:07:02
Over time, a few of these
hunters have risen to the top,
00:07:05
the best of the best.
00:07:07
[Eduardo] Bug hunters are from
all around the world.
00:07:09
They come from as many
countries as you can imagine.
00:07:12
Sometimes it's very
difficult to ship them gifts,
00:07:14
and that's usually
how we found out
00:07:15
where exactly they are from.
00:07:16
[♪ western music ♪]
00:07:17
There is one guy named Callum.
He's from the United Kingdom.
00:07:20
[Callum] I hack companies in
my free time. [laughs]
00:07:23
It's the easiest way
to say it. [laughs]
00:07:26
[Eduardo] There's
Yesenia from Mexico.
00:07:27
[Yesenia speaks
in Spanish]
00:07:33
[Eduardo] We have João
Lucas Melo Brasio.
00:07:36
He used the money
that we gave him
00:07:37
for rewards
00:07:38
to build companies.
00:07:39
Now he has many
companies. [laughs]
00:07:41
He has houses and [beep].
00:07:42
Sorry.
00:07:43
[laughs]
00:07:44
He has houses
and "stuff."
00:07:47
[Narrator] Look at the
top of the leaderboard,
00:07:48
and you'll find
Tomasz Bojarski,
00:07:50
the number one ranked
bug hunter in the world.
00:07:54
[Tomasz] I'm number one
since 2016,
00:07:58
and I'm not really
putting any effort
00:08:00
into keeping number one.
00:08:02
I don't know why.
People are so lazy, I guess.
00:08:04
[laughs]
00:08:05
[Narrator] But hot
on Tomasz's heels
00:08:06
is a new generation of hackers.
00:08:09
One that entered the hunt
before they could even drive.
00:08:12
Meet Ezequiel Pereira,
00:08:14
hacker since homeroom.
00:08:16
[♪ mellow music ♪,
school bell rings]
00:08:17
[Ezequiel] When I
was in high school,
00:08:19
I decided to try
00:08:20
to find like, vulnerabilities
00:08:21
in the high school website.
00:08:23
Bringing the site down
00:08:27
or editing some
page to say,
00:08:28
"Oh, there are no classes,"
or something like that.
00:08:32
Then I got caught.
00:08:34
They suspended me for a month
00:08:36
and made me clean
the high school
00:08:39
until the end of
the school year.
00:08:41
[mop drags]
00:08:42
[mop bucket creaks]
00:08:43
[water splashes]
00:08:44
And that was not fun at all.
00:08:46
That was not fun at all.
00:08:48
[Narrator] Youthful
hijinks aside,
00:08:50
it didn't take long for Ezequiel
00:08:51
to start putting his
skills to good use.
00:08:54
[Ezequiel] In 2018,
00:08:55
I reported a security
vulnerability in Google Cloud.
00:09:00
Suddenly, I get
an email.
00:09:02
"Congratulations.
00:09:03
Thank you for reporting
this vulnerability to us."
00:09:06
Called my mother.
00:09:07
[phone ringing]
00:09:08
"Hello, by the way,
00:09:09
Google told me that
00:09:11
a vulnerability
that I had reported,
00:09:13
they would be rewarding
me with $10,000."
00:09:17
Suddenly, she screamed
00:09:18
[Ezequiel's mom screams
through the phone]
00:09:19
[laughs] and I had to
put away the phone.
00:09:24
[♪ dramatic music ♪]
00:09:25
[Reporter] Authorities are
still deciding whether
00:09:27
to file charges
against the hackers.
00:09:29
[Narrator] As long as
there's been an internet,
00:09:31
there have been
people like Ezequiel,
00:09:33
but there hasn't
always been a way
00:09:34
for their skills
to be rewarded.
00:09:36
At least not ethically.
00:09:39
Early resistance
to the idea of
00:09:41
paying for bugs
00:09:42
drove hackers to the
darker corners of the web,
00:09:44
where bug brokers that operate
outside the law welcomed them
00:09:48
and their discoveries
00:09:49
with open arms.
00:09:51
It's a problem that
still exists today.
00:09:54
[Tim] These days, you
can go to websites,
00:09:56
you can look
it up and see
00:09:57
what the price of
a certain exploit is
00:09:59
and also,
00:10:00
if you're a security researcher,
00:10:01
you can submit
that exploit into
00:10:04
what's basically known as
the gray market
00:10:06
where you would sell
that vulnerability
00:10:08
to a bug broker
00:10:10
who would then
go sell it
00:10:11
to unspecified clients,
00:10:13
usually at a
much higher price,
00:10:15
and the clients we're
talking about here,
00:10:17
nation states
00:10:18
or people with
very deep pockets.
00:10:20
[Director] Why would they be
buying something like that?
00:10:22
[Tim] Almost certainly to
use to exploit users.
00:10:27
[Narrator] In the early
days of bug hunter programs,
00:10:29
rewards were given out
just a few times a year
00:10:31
from a limited prize pool.
00:10:33
[♪ dramatic music ♪]
00:10:34
To counter the growing
appetite of the black market
00:10:37
and to find more of the errors
hiding in Google's code,
00:10:40
Tim and Eduardo had
to change tactics
00:10:42
and increase the
stakes considerably.
00:10:46
[Tim] We thought,
"Wouldn't it be cool
00:10:47
if we said we'd pay infinity
million dollars for bugs?"
00:10:52
We spoke about it. And
we're like, "Well, why not?
00:10:53
Like, would there
be a case where we
00:10:56
would not pay for
that type of bug?"
00:10:58
No?
00:10:59
Okay.
00:11:00
Then aren't we basically saying
00:11:01
there's infinity million
dollars on the table?
00:11:03
[Narrator] Since moving
to an unlimited war chest,
00:11:06
bug finds have gone parabolic
00:11:08
with new records
being set every year.
00:11:10
But it's not just about
financial incentives.
00:11:14
Here's Katie Moussouris,
CEO of Luta Security.
00:11:17
She's an expert in what
makes bug hunters tick.
00:11:20
[Katie] Having a steady stream
00:11:22
of high-quality
security researchers,
00:11:24
that takes a whole bunch
more community building,
00:11:28
and that is
something that
00:11:29
I think Google
really excels in.
00:11:32
They have their own very highly
skilled security researchers
00:11:35
interacting with
their counterparts
00:11:37
on the outside of
Google all the time.
00:11:40
[Narrator] That starts with
a handwritten thank you note
00:11:42
or at least a handwritten email.
00:11:44
[Tomasz] The engineer who
is taking the bug,
00:11:46
he actually writes a
message to himself and says,
00:11:48
"Nice catch!"
00:11:49
"Nice catch!"
00:11:50
[João] "Nice catch!"
00:11:51
[Ezequiel] "Nice catch!"
00:11:52
[Tomasz] They always
send you that.
00:11:52
[Callum] The classic
Google line
00:11:53
the "nice catch," yeah.
00:11:54
They've got an
emoji now. [laughs]
00:11:57
[Yesenia speaks
in Spanish]
00:12:01
[João] And sometimes
when you receive a,
00:12:03
"Whoa!
00:12:04
Very nice catch!
00:12:05
Oh my God, you are
a superhero!!!"
00:12:07
It's nice.
00:12:09
[Tomasz] And I love
that because
00:12:10
it's individual thing
to you, right?
00:12:12
For the bug.
00:12:12
[Katie] And that
sort of
00:12:13
direct engineer to
engineer interaction
00:12:16
is one of the most powerful
ways to attract outsiders,
00:12:20
way more than money.
00:12:22
[Narrator] The respect
Google engineers have
00:12:24
for the hunters is about
more than technical prowess.
00:12:28
It's about gratitude
00:12:29
[♪ upbeat music ♪]
00:12:30
because the bugs they find
aren't just stamped out.
00:12:33
They're also studied.
00:12:34
[Katie] The best hackers
in the world are ones
00:12:37
who continually learn
from other hackers.
00:12:40
We are exchanging ideas,
00:12:41
learning new techniques
00:12:43
and expanding upon
each other's knowledge.
00:12:46
[Narrator] Bugs reported
today will be used
00:12:47
to strengthen the preventative
measures of tomorrow,
00:12:50
allowing the code of the future
00:12:52
to start out a little
closer to error-free.
00:12:55
[Christoph] Sometimes
you see a report
00:12:57
from a bug hunter
00:12:57
where somebody found a
really subtle problem
00:13:01
that actually betrays a
fairly detailed understanding
00:13:04
of how the application works.
00:13:06
You wonder, "How do they
figure this out," right?
00:13:08
And you're like, "Oh,
this is pretty cool."
00:13:10
And then quite a few of
those bug hunters end up
00:13:13
getting hired [laughs]
because they
00:13:16
sort of emerge as somebody
00:13:17
who really has a particular
knack for this kind of work.
00:13:22
[Narrator] Yep.
00:13:22
Sometimes the error-finders
end up as system designers.
00:13:26
[Ezequiel laughs]
00:13:28
It's a journey Knuth
might appreciate.
00:13:30
[♪ dramatic music ♪]
00:13:31
Today, engraved in the
entry way of his home
00:13:34
are the words of
Danish poet Piet Hein.
00:13:37
"The road to wisdom?
00:13:39
Well, it's plain
00:13:41
and simple
to express:
00:13:44
Err
00:13:45
and err
00:13:46
and err again,
00:13:50
but less
00:13:51
and less
00:13:53
and less."
00:13:55
A fine message
00:13:57
for the
next generation
00:13:58
of software engineers
00:14:00
and the bug hunters
00:14:00
that will bring their code
00:14:02
a little closer
to perfection.
00:14:08
[Director] Eduardo,
we are all good.
00:14:09
Thank you so much.
[Eduardo] Awesome, yeah.
00:14:11
[Director] This is wonderful.
00:14:12
[Eduardo laughs]
00:14:13
[Eduardo] All right. Goodbye.
00:14:14
Have a nice day. [laughs]
00:14:16
[light switches off]
00:14:26
[♪ anthemic music ♪]
00:14:27
[Tim] Zero-day is a type of
vulnerability in a system
00:14:30
that attackers know about
00:14:32
but defenders don't.
00:14:33
[Royal] And so we're gonna
dedicate a team
00:14:35
to finding
00:14:36
the hardest-to-find
vulnerabilities
00:14:38
and get them fixed
before they're abused.
00:14:40
[Parisa] At Project Zero,
00:14:41
we rigorously,
00:14:42
ruthlessly
00:14:44
break the internet.
00:14:44
[Natalie] My motto
is "Hack Everything."
00:14:47
[Tim] The weakest
point for Google
00:14:48
might be a non-Google product.
00:14:50
The implant allowed them
to pull chat history,
00:14:53
photos,
00:14:54
GPS locations.
00:14:55
[Sen. Fred Thompson] Within
30 minutes,
00:14:56
the seven of you could
make the internet unusable
00:14:58
for the entire nation.
00:14:59
[Tim] If the company doesn't
fix the bug in 90 days,
00:15:01
we put it all online.