Project Zero | HACKING GOOGLE | Documentary EP005

00:15:47
https://www.youtube.com/watch?v=My_13FXODdU

Summary

TL;DR: The video narrates the 1204 capture of the English-occupied Chateau Gaillard, highlighting a French soldier, Peter Bogis, who discovered a vulnerability in the fortress's defenses. This historical event is used as a metaphor for modern cybersecurity where digital fortresses, made of code, face similar threats from hackers searching for overlooked vulnerabilities. Google's Project Zero is introduced as a proactive force, identifying and patching these weak points across software and digital platforms. The team, led by experts like Parisa Tabriz and Tim, follows the mantra of hacking to secure. They work on exposing zero-day vulnerabilities, which are unknown software flaws discovered by attackers first. By simulating attacks, Project Zero helps preemptively secure digital systems. They provide companies with a 90-day notice to fix vulnerabilities before public disclosure, thus pushing for a safer internet ecosystem. Through cases like the protection of the Uyghur community from mobile surveillance, the video underscores the critical role of cybersecurity in safeguarding users worldwide. Project Zero operates with a mission to make discovering and exploiting vulnerabilities increasingly difficult, maintaining a focus on user safety and internet security.

Takeaways

  • 🏰 Historical analogy to cybersecurity vulnerabilities
  • 🛡️ Project Zero's proactive role in finding digital vulnerabilities
  • 💻 Importance of identifying zero-day vulnerabilities
  • 🕵️‍♂️ Hack to secure: Project Zero's strategic approach
  • 🕒 90-day policy for patching vulnerabilities
  • 🌍 Impact on global user safety
  • 🔍 Vigilance in security research by experts
  • 📱 Vulnerability discovery in mainstream applications
  • 🔓 Real-life implications of security flaws
  • ⚔️ Cybersecurity as modern defense mechanism

Timeline

  • 00:00:00 - 00:05:00

    The first part of the video introduces the historical context of Chateau Gaillard in Normandy, 1204 A.D., which was occupied by English forces and under siege by the French army. The stalemate was broken by a humble French soldier, Peter Bogis, who discovered a weak point—the latrine chute—and helped the French infiltrate and conquer the fortress. The narrative then draws parallels between ancient fortresses and modern cybersecurity, emphasizing the vulnerabilities in today's digital structures and the importance of anticipating potential threats.

  • 00:05:00 - 00:10:00

    The second part introduces Royal, the head of Privacy, Safety, and Security at Google, and spotlights the challenges his team faces in protecting a vast internet ecosystem. This complexity is likened to interconnected systems where any vulnerability can have a domino effect. Parisa Tabriz, responsible for Google's Project Zero, is highlighted as a former hacker turned manager whose team finds vulnerabilities proactively. The origin of zero-day vulnerabilities is explained, illustrating how critical it is to address them before attackers exploit these weaknesses.

  • 00:10:00 - 00:15:47

    The focus shifts to a noteworthy incident where Natalie, a team member, discovers a vulnerability in video chat apps allowing unauthorized video and audio access. This revelation underscores the team's impact as Natalie patches the issue, preventing potential exploitation. The history of reporting and fixing vulnerabilities is addressed, with an emphasis on the 90-day policy for rectification. The content covers broader ethical implications, touching on incidents like the surveillance of the Uyghur community, showcasing the real-world significance of Project Zero's efforts in digital fortification.

Video Q&A

  • What is the historical event described in the video?

    The video describes the siege of Chateau Gaillard in 1204, where the fortress was captured by exploiting a vulnerability.

  • Who was Peter Bogis?

    Peter Bogis was a French foot soldier who discovered a vulnerability in the English-occupied Chateau Gaillard's defenses, leading to its capture.

  • What is Chateau Gaillard?

    Chateau Gaillard was a formidable fortress occupied by the English until it was captured by the French in 1204.

  • What modern issue is the video relating to the siege of Chateau Gaillard?

    The video relates the historical siege to modern cybersecurity challenges, where experts need to find and fix digital vulnerabilities.

  • What does Project Zero aim to do?

    Project Zero aims to find and fix zero-day vulnerabilities in software before they can be exploited by attackers.

  • What is a zero-day vulnerability?

    A zero-day vulnerability is a software flaw that has been discovered by attackers but is unknown to the software's developers.

  • Who leads Google's Project Zero?

    Project Zero is led by experts like Parisa Tabriz and Tim, who are focused on identifying and mitigating security vulnerabilities.

  • What is the methodology of Project Zero?

    Project Zero identifies vulnerabilities, reports them to the affected company, and gives them 90 days to fix the issue before public disclosure.

  • What was a significant find by Project Zero?

    Project Zero discovered vulnerabilities being exploited to surveil the Uyghur community through popular mobile devices.

  • How does Google's Project Zero impact cybersecurity?

    Project Zero improves cybersecurity by finding security flaws before hackers can exploit them, thus protecting users and businesses.

Subtitles
  • 00:00:00
    [army shouting]
  • 00:00:02
    [Narrator] Normandy.
  • 00:00:03
    1204 A.D.
  • 00:00:05
    For two years,
  • 00:00:05
    the English-occupied fortress known as the Chateau Gaillard
  • 00:00:08
    has withstood the trebuchets,
  • 00:00:10
    battering rams
  • 00:00:11
    and tunneling efforts of an attacking French army.
  • 00:00:14
    It was a stalemate,
  • 00:00:16
    one that might have continued indefinitely
  • 00:00:18
    were it not for an otherwise unremarkable
  • 00:00:19
    French foot soldier
  • 00:00:20
    [Bogis] Bonjour!
  • 00:00:21
    [Narrator] named Peter Bogis.
  • 00:00:23
    One bloody day as the battle raged around him,
  • 00:00:26
    Bogis scanned the exterior of the fortress
  • 00:00:28
    and saw what no one else did.
  • 00:00:30
    A weak point ready to be exploited.
  • 00:00:32
    By some accounts, it was the exit chute of a latrine
  • 00:00:35
    located inside the fortress's chapel,
  • 00:00:38
    added at the specific request of England's King John.
  • 00:00:42
    Regardless of origin, it was a flaw.
  • 00:00:44
    The only one Bogis needed to enter undetected.
  • 00:00:47
    Once in, he hauled up dozens of his waiting French comrades.
  • 00:00:50
    Chaos ensued.
  • 00:00:52
    English defenders scattered.
  • 00:00:53
    The siege was over.
  • 00:00:55
    [crowd cheering]
  • 00:00:58
    Thousands of tons of stone,
  • 00:01:00
    the latest in defensive architecture,
  • 00:01:02
    and yet no one had thought to secure the toilet.
  • 00:01:06
    And so the vulnerability sat unnoticed for years
  • 00:01:09
    until the moment when Peter Bogis spotted it
  • 00:01:12
    and crawled his way into history.
  • 00:01:16
    Today's fortresses are made of code, not stone.
  • 00:01:19
    They guard information, not territory or treasure.
  • 00:01:22
    But they still contain vulnerabilities—
  • 00:01:25
    architectural flaws overlooked by their creators.
  • 00:01:28
    And just like in 1204, the Peter Bogis of today—
  • 00:01:32
    hackers,
  • 00:01:32
    spies,
  • 00:01:33
    cyber criminals,
  • 00:01:34
    are searching for undiscovered ways to gain access.
  • 00:01:38
    So what do you do if you are responsible
  • 00:01:40
    for protecting the accounts,
  • 00:01:41
    data centers
  • 00:01:42
    and cloud systems relied on by people around the world?
  • 00:01:46
    You do everything you can to find the vulnerabilities first,
  • 00:01:50
    wherever they may be.
  • 00:01:54
    [♪ anthemic music ♪]
  • 00:01:55
    When it's your job to keep billions of people safe online,
  • 00:02:00
    you have to live and breathe and see the internet
  • 00:02:02
    just like the attackers do,
  • 00:02:05
    because the only way to stop a hacker
  • 00:02:08
    is to think like one.
  • 00:02:27
    Remember Royal?
  • 00:02:29
    He's in charge of Privacy, Safety and Security at Google.
  • 00:02:32
    [Royal] How are you?
  • 00:02:34
    [Director] Hey, Royal. Good to see you again.
  • 00:02:35
    [Royal] Good to see you.
  • 00:02:36
    You're coming out of that little box there.
  • 00:02:39
    We are the central team that looks out across all
  • 00:02:42
    of the Google products
  • 00:02:44
    for the privacy of users,
  • 00:02:47
    the security of Google and much of the internet.
  • 00:02:50
    [Narrator] Wait, much of the internet?
  • 00:02:51
    That seems like a lot of extra work.
  • 00:02:53
    [Royal] Right. [laughs]
  • 00:02:55
    [Narrator] But to make sure Google's users are safe,
  • 00:02:57
    it's necessary.
  • 00:02:58
    After all, people don't just use Google's apps
  • 00:03:01
    and cloud services.
  • 00:03:02
    They use hundreds of devices, tools, websites
  • 00:03:05
    and operating systems, all different, all connected,
  • 00:03:08
    just as the internet's founders intended.
  • 00:03:10
    [Royal] They made a decision very early on
  • 00:03:13
    to open-source the standards by which computers
  • 00:03:18
    and then ultimately webpages would communicate
  • 00:03:20
    with one another.
  • 00:03:21
    That was a conscious decision to have an open internet.
  • 00:03:26
    You can place the improvements in the lives of the billions
  • 00:03:30
    of people on this planet at the feet of that decision
  • 00:03:33
    to allow everyone to participate and innovate.
  • 00:03:38
    [Narrator] But this interconnected world
  • 00:03:40
    comes at a price.
  • 00:03:41
    Today, a vulnerability in any part of the system
  • 00:03:44
    threatens every part of the system.
  • 00:03:46
    [Alex] Let's say I'm a normal user.
  • 00:03:48
    I wake up, I get my coffee.
  • 00:03:50
    I open up my phone.
  • 00:03:51
    This phone is made by one company.
  • 00:03:53
    I click on a button to check my email.
  • 00:03:55
    The app is written by another company.
  • 00:03:57
    I see a link, I click that link.
  • 00:03:59
    It opens up my social media site.
  • 00:04:01
    Something that to a normal user is a 90 second experience
  • 00:04:05
    that seems like it's nice and smooth and integrated,
  • 00:04:07
    there's actually a lot of complexity on the back end.
  • 00:04:11
    [Royal] The safety of that individual depends
  • 00:04:13
    on finding a vulnerability and getting it fixed faster
  • 00:04:17
    in one of those dependent platforms,
  • 00:04:19
    computers,
  • 00:04:20
    software packages,
  • 00:04:22
    before they're abused.
  • 00:04:23
    The open internet is harder to defend.
  • 00:04:26
    Google said "We're gonna dedicate a team
  • 00:04:29
    to finding
  • 00:04:30
    the hardest-to-find vulnerabilities."
  • 00:04:33
    [♪ upbeat music ♪]
  • 00:04:36
    [Narrator] Who’s responsible for this team of elite hackers?
  • 00:04:38
    Meet Parisa Tabriz.
  • 00:04:40
    She oversees Google's Project Zero
  • 00:04:42
    and in a former life, was a bit of a hacker herself.
  • 00:04:45
    [Parisa] I think I identified at some point as a hacker.
  • 00:04:48
    I still am in spirit,
  • 00:04:50
    but I also think of myself as more a hacker manager
  • 00:04:53
    than a hacker.
  • 00:04:54
    [♪ video game music ♪]
  • 00:04:55
    [Narrator] Years of dealing with the world's nastiest
  • 00:04:57
    exploits and vulnerabilities has made her the perfect person
  • 00:05:00
    to guide a team
  • 00:05:01
    that's always on the hunt for new ones.
  • 00:05:04
    [♪ upbeat music ♪]
  • 00:05:05
    [Parisa] Project Zero makes the internet safer
  • 00:05:07
    by looking at it through a hacker lens
  • 00:05:12
    and trying to rigorously,
  • 00:05:14
    ruthlessly break it
  • 00:05:16
    and then fix it
  • 00:05:17
    and prevent problems from happening in the first place.
  • 00:05:21
    [Narrator] That's right.
  • 00:05:22
    Project Zero is a team
  • 00:05:23
    of hackers that makes the internet safer
  • 00:05:25
    by trying to hack it.
  • 00:05:27
    Each success eliminates a weak point
  • 00:05:28
    that would have threatened the people and businesses
  • 00:05:30
    that rely on Google and the internet at large.
  • 00:05:34
    But to understand this team's name,
  • 00:05:35
    you have to understand the vulnerabilities they hunt.
  • 00:05:39
    A zero-day vulnerability
  • 00:05:40
    is a weak point in a program's code
  • 00:05:42
    that’s been discovered by an attacker
  • 00:05:44
    but not by the people responsible for fixing it.
  • 00:05:48
    That means when the vulnerability is exploited,
  • 00:05:50
    defenders will have had zero days notice.
  • 00:05:53
    They'll be surprised,
  • 00:05:54
    exposed,
  • 00:05:55
    scrambling,
  • 00:05:55
    just like the English defenders inside Chateau Gaillard.
  • 00:05:58
    [Tim] Zero-day vulnerabilities are too powerful,
  • 00:06:01
    too cheap and too numerous.
  • 00:06:03
    [Commander] There is nothing you can do now.
  • 00:06:05
    [Tim] And we think someone has to do something
  • 00:06:07
    about making them harder to use,
  • 00:06:09
    making them more expensive,
  • 00:06:11
    making them less frequent.
  • 00:06:13
    [Narrator] Zero-days have been used in cyber attacks
  • 00:06:15
    of all kinds,
  • 00:06:16
    from surveilling human rights activists
  • 00:06:18
    to damaging physical infrastructure,
  • 00:06:20
    to well, you remember Aurora.
  • 00:06:24
    [Tim] The vulnerability that was exploited there
  • 00:06:26
    was a bug in Internet Explorer,
  • 00:06:28
    a Microsoft product.
  • 00:06:30
    That is the kind of case
  • 00:06:31
    in point that sometimes the weakest point
  • 00:06:33
    for Google might be a non-Google product.
  • 00:06:37
    [Narrator] This is Tim.
  • 00:06:38
    [Director] Smiling is encouraged.
  • 00:06:40
    [Tim] Ha!
  • 00:06:40
    [laughs]
  • 00:06:42
    Alright. Hi.
  • 00:06:44
    [Narrator] Tim is the ringleader of Project Zero.
  • 00:06:46
    And at the age of 15, he was hacked.
  • 00:06:48
    [Tim] I was chatting to random people
  • 00:06:50
    and they're like "Do you want a cup holder?"
  • 00:06:52
    And I'm like, “What?”
  • 00:06:53
    "Do you want a cup holder?"
  • 00:06:54
    I'm like, "Uh...
  • 00:06:55
    okay."
  • 00:06:56
    And then they opened my CD drive,
  • 00:06:59
    and I was like,
  • 00:07:01
    “Oh, that's really cool.
  • 00:07:04
    How did you do that?"
  • 00:07:05
    And then they wouldn't tell me.
  • 00:07:07
    [Narrator] Each member of the team
  • 00:07:08
    has their own origin story,
  • 00:07:09
    but they all have a few things in common.
  • 00:07:11
    [Parisa] So a great Project Zero member is somebody
  • 00:07:15
    who loves security research
  • 00:07:17
    and finding bugs
  • 00:07:20
    and wanting to find problems
  • 00:07:22
    that nobody else knows exists.
  • 00:07:25
    Sometimes people will ask me,
  • 00:07:27
    “How do you find a bug?”
  • 00:07:28
    Or, “How do you do vulnerability research?"
  • 00:07:30
    And at the end of the day,
  • 00:07:33
    it's almost like asking someone,
  • 00:07:34
    “How do you make art?”
  • 00:07:36
    [Narrator] To find vulnerabilities hidden
  • 00:07:37
    inside connected fortresses of all kinds,
  • 00:07:40
    you need the best— a hacker who can hack anything.
  • 00:07:45
    [Natalie] My motto is
  • 00:07:46
    "Hack Everything."
  • 00:07:48
    [Narrator] Meet Natalie.
  • 00:07:49
    [Natalie] Hey.
  • 00:07:50
    [Narrator] True to her motto,
  • 00:07:51
    Natalie has hacked phones,
  • 00:07:52
    webcams,
  • 00:07:53
    arcade games,
  • 00:07:54
    microwaves,
  • 00:07:54
    selfie sticks—
  • 00:07:55
    [Natalie] I do have a crate
  • 00:07:57
    of 50 dismantled selfie sticks.
  • 00:07:59
    [Narrator] Keyboards,
  • 00:08:00
    USB sticks,
  • 00:08:01
    battery packs,
  • 00:08:02
    fans,
  • 00:08:03
    and Tamagotchis.
  • 00:08:04
    [Natalie] I won't lie.
  • 00:08:05
    I am an extremely big fan of Tamagotchis.
  • 00:08:08
    If you wanna hack strange things,
  • 00:08:09
    there's a lot of stuff out there.
  • 00:08:11
    [Narrator] And that's just what she does on the weekends.
  • 00:08:13
    At work, she looks for dangerous vulnerabilities
  • 00:08:16
    in the apps used by billions of people.
  • 00:08:18
    [Natalie] I've been looking for vulnerabilities
  • 00:08:19
    in software for more than 10 years now.
  • 00:08:22
    And you start to get a feel
  • 00:08:23
    for where vulnerabilities will be.
  • 00:08:26
    What sort of stuff do developers make mistakes
  • 00:08:29
    while writing?
  • 00:08:31
    And video processing is actually a big one.
  • 00:08:35
    [Narrator] That's right.
  • 00:08:36
    The apps we use every day to talk to
  • 00:08:38
    family,
  • 00:08:38
    friends,
  • 00:08:39
    school
  • 00:08:39
    and work
  • 00:08:40
    were potentially home to a zero-day vulnerability.
  • 00:08:44
    With little more than a hunch,
  • 00:08:45
    Natalie went to work testing the defensive architecture
  • 00:08:48
    of various video chat apps by calling herself...
  • 00:08:51
    [phone ringing]
  • 00:08:51
    a lot.
  • 00:08:53
    [Natalie] I would say one in a thousand things
  • 00:08:56
    I tried or less worked.
  • 00:08:57
    That's the nature of hacking and finding vulnerabilities.
  • 00:09:00
    Almost everything you try doesn't work.
  • 00:09:02
    But the odd thing does.
  • 00:09:04
    [Narrator] In this case,
  • 00:09:05
    the odd thing led to an important discovery,
  • 00:09:07
    a way to force someone's phone
  • 00:09:09
    to start transmitting video and audio
  • 00:09:11
    without them even knowing.
  • 00:09:13
    Here's how the hack actually works:
  • 00:09:15
    Natalie sends a chunk of data
  • 00:09:16
    known as a packet
  • 00:09:17
    to a target phone.
  • 00:09:19
    A perfectly normal step in making a video call.
  • 00:09:21
    But hidden in this packet
  • 00:09:23
    along with the typical call commands is extra data
  • 00:09:25
    that the target software isn't expecting.
  • 00:09:28
    Most random extra data would simply cause an error,
  • 00:09:31
    but this extra data,
  • 00:09:33
    one of the thousands of combinations Natalie tried,
  • 00:09:35
    acts like a key,
  • 00:09:36
    tricking the target phone
  • 00:09:38
    into answering the call without anyone even touching it.
  • 00:09:41
    Vulnerability confirmed.
  • 00:09:43
    Exploit executed.
  • 00:09:44
    Hack completed.
  • 00:09:47
    Five different video chat applications
  • 00:09:49
    all had the vulnerability.
  • 00:09:51
    Meaning if you're one
  • 00:09:52
    of the billions of people that use these services,
  • 00:09:54
    it would've been possible for someone to watch
  • 00:09:56
    and listen to you without your knowledge.
  • 00:09:59
    Fortunately, there was no evidence the flaw
  • 00:10:01
    had ever been used for harm,
  • 00:10:03
    but just like with all of Project Zero's biggest finds,
  • 00:10:06
    the implications for the safety
  • 00:10:08
    of our connected world were more than a little ominous.
  • 00:10:11
    [Natalie] There always is this caution where
  • 00:10:13
    what might be a good day of work for you
  • 00:10:16
    is actually a bad day
  • 00:10:18
    for users and might reveal something
  • 00:10:21
    about security that shows things
  • 00:10:23
    are less secure than we thought.
  • 00:10:24
    [Narrator] As soon as Natalie notified
  • 00:10:26
    the various companies of their apps' vulnerabilities,
  • 00:10:29
    changes got made,
  • 00:10:30
    patches went out.
  • 00:10:31
    The online world got a little more secure.
  • 00:10:34
    [♪ ambient music ♪]
  • 00:10:37
    But getting zero-days fixed quickly
  • 00:10:39
    hasn't always been so easy.
  • 00:10:40
    [dial up modem beeps]
  • 00:10:41
    Back in the 90s,
  • 00:10:42
    members of the hacker collective The L0pht
  • 00:10:44
    would look for vulnerabilities in the early internet,
  • 00:10:47
    then do whatever it took to get people to listen,
  • 00:10:50
    even talk to Congress.
  • 00:10:52
    [Sen. Fred Thompson] The Washington Post describe you
  • 00:10:53
    as rock stars of the computer hacking elite.
  • 00:10:56
    We appreciate your being with us here today.
  • 00:11:00
    Within 30 minutes,
  • 00:11:00
    the seven of you could make the internet unusable
  • 00:11:03
    for the entire nation.
  • 00:11:05
    Is that correct?
  • 00:11:06
    [Mudge] That's correct.
  • 00:11:07
    And until the problem mushrooms up
  • 00:11:10
    and enough people complain about it,
  • 00:11:13
    then they'll come out with a public fix.
  • 00:11:16
    [Tim] It was fairly common for particular companies
  • 00:11:19
    if you report a bug to them,
  • 00:11:20
    some of them took more than six months to get fixed.
  • 00:11:24
    Some of them were just, they just were never fixed.
  • 00:11:26
    They just went into a black hole.
  • 00:11:27
    [♪ ambient music ♪]
  • 00:11:31
    So when Project Zero finds a vulnerability
  • 00:11:33
    from our own research, [♪ upbeat music ♪]
  • 00:11:34
    we report it to the company.
  • 00:11:36
    "That's day zero.
  • 00:11:37
    This is the vulnerability.
  • 00:11:37
    This is where we think it is."
  • 00:11:39
    Sometimes even, "This is how we think you should fix it."
  • 00:11:42
    And that's when we'll start the timer.
  • 00:11:45
    If the company doesn't fix the bug in 90 days,
  • 00:11:47
    then on day 90, we put it all online.
  • 00:11:51
    [Narrator] By online,
  • 00:11:52
    he means on the Project Zero blog.
  • 00:11:54
    And while this kind of reveal doesn't happen often,
  • 00:11:57
    the prospect of having an unpatched vulnerability exposed
  • 00:12:00
    to the whole world is a powerful motivator.
  • 00:12:02
    [Tim] Companies would disagree with us by the way.
  • 00:12:05
    They would prefer that we stay silent a lot of the time
  • 00:12:07
    and not talk about this type of stuff.
  • 00:12:10
    The real core of all of this
  • 00:12:11
    is that
  • 00:12:13
    users lose when things don't get fixed quickly.
  • 00:12:16
    [♪ ominous music ♪]
  • 00:12:18
    In December 2018,
  • 00:12:19
    Google's Threat Analysis Group, or T.A.G.
  • 00:12:22
    had discovered a cache of exploits
  • 00:12:25
    that were being used
  • 00:12:26
    against a popular mobile device.
  • 00:12:29
    They came over to Project Zero for analysis.
  • 00:12:31
    We were able to reverse the exploits,
  • 00:12:33
    reverse out the vulnerabilities.
  • 00:12:36
    The implant in there allowed them to pull chat history,
  • 00:12:39
    photos,
  • 00:12:40
    GPS locations,
  • 00:12:41
    you name it—
  • 00:12:43
    it was capable of doing it.
  • 00:12:45
    We reported those issues to the company and the company
  • 00:12:48
    that makes that device,
  • 00:12:51
    I believe, pushed out a fix within seven days.
  • 00:12:55
    [Narrator] More troubling,
  • 00:12:56
    was that Project Zero's analysis revealed the exploits
  • 00:12:58
    had been in use for quite some time.
  • 00:13:01
    [Tim] The exploits that were discovered
  • 00:13:03
    went back many generations
  • 00:13:06
    of this particular mobile technology device.
  • 00:13:09
    This had been happening for many years.
  • 00:13:14
    [Narrator] The exploits were being used to surveil members
  • 00:13:16
    of the Uyghur community, an ethnic minority in China.
  • 00:13:20
    [Tim] Seeing a capability like this being used
  • 00:13:22
    against a population,
  • 00:13:24
    it's like a stark reminder
  • 00:13:25
    of what we're doing here has importance.
  • 00:13:28
    And it's not just playing around
  • 00:13:30
    with code or dealing with vendor politics
  • 00:13:34
    or company politics when it comes to disclosures
  • 00:13:36
    and to and fros.
  • 00:13:37
    There are real people getting attacked by bugs like this.
  • 00:13:40
    And it's important that we do something about it.
  • 00:13:43
    [city sounds]
  • 00:13:44
    [♪ soft music ♪]
  • 00:13:45
    [Narrator] The exploit being used
  • 00:13:46
    to surveil the Uyghurs was a major find,
  • 00:13:49
    but it was just one of many.
  • 00:13:51
    To date, Project Zero has found
  • 00:13:53
    over 1,800 zero-day vulnerabilities
  • 00:13:56
    in everything from operating systems to dating sites
  • 00:13:58
    to Google's own apps and services.
  • 00:14:01
    That's 1,800 trap doors
  • 00:14:03
    that will never be crawled through.
  • 00:14:04
    1,800 fortresses that have been made a little more secure.
  • 00:14:08
    But every day new code is written,
  • 00:14:10
    new apps are launched
  • 00:14:11
    and the internet we all depend on
  • 00:14:13
    gets a little more interconnected
  • 00:14:15
    and a little more vulnerable.
  • 00:14:17
    [Tim] Is my job getting harder every year?
  • 00:14:19
    Well I hope so,
  • 00:14:20
    because otherwise we're probably not doing it well.
  • 00:14:23
    [Natalie] We could sometimes see on the forums
  • 00:14:24
    these financial attackers,
  • 00:14:26
    credit card thieves being like, “Darn it,
  • 00:14:28
    that didn't work anymore.”
  • 00:14:30
    And that was extremely satisfying
  • 00:14:33
    because I think everyone deserves to be secure.
  • 00:14:35
    I think that vulnerabilities
  • 00:14:37
    and security problems harm people
  • 00:14:40
    both financially and sometimes physically.
  • 00:14:43
    And I think it's important
  • 00:14:44
    that everyone is able to use computers
  • 00:14:46
    in a way that doesn't threaten them.
  • 00:14:49
    [Tim] Is there an end game for Project Zero?
  • 00:14:52
    I would like to see a world where
  • 00:14:55
    it's incredibly hard to find a vulnerability.
  • 00:14:57
    Will we get there anytime soon?
  • 00:14:58
    Probably not.
  • 00:15:00
    But does that mean we should stop trying?
  • 00:15:01
    Absolutely not.
  • 00:15:03
    [Narrator] So Project Zero stays on the battlefield,
  • 00:15:07
    inspecting the walls,
  • 00:15:09
    trying to find and test vulnerabilities first
  • 00:15:11
    so they can never be used for harm.
  • 00:15:15
    [Parisa] You have hackers who use their skills
  • 00:15:17
    to harm other people and profit.
  • 00:15:20
    And I usually call them attackers
  • 00:15:23
    and you have a lot of hackers
  • 00:15:25
    who do their work
  • 00:15:27
    to make software and systems more secure.
  • 00:15:29
    And I call those folks...
  • 00:15:34
    heroes.
Tags
  • Chateau Gaillard
  • Cybersecurity
  • Zero-day vulnerabilities
  • Project Zero
  • Vulnerability discovery
  • Google
  • Digital security
  • Hacking
  • Historical analogy
  • User safety