WEBVTT

00:00:00.000 --> 00:00:06.480
JACK: I have a degree in Software Engineering, but can you remember a time in your life when

00:00:06.480 --> 00:00:13.440
there wasn’t such a thing as software engineers? I can’t. All my life it’s been a thing, but I bet my

00:00:13.440 --> 00:00:18.480
great-grandparents went their whole life without ever hearing about software engineering. So, let’s

00:00:18.480 --> 00:00:24.060
take a quick look backwards to find when software engineering popped into existence. [MUSIC] In the

00:00:24.060 --> 00:00:30.600
1950s, NASA was doing some pretty amazing things; flying spaceships to the moon and beyond. These

00:00:30.600 --> 00:00:36.420
spaceships were loaded with lots of technology; antennas, radios, computers, cameras, software,

00:00:36.420 --> 00:00:42.060
and hardware. That’s just onboard the spaceship. You’ve seen these giant command centers they have,

00:00:42.060 --> 00:00:47.760
where Mission Control is. There are computers on everyone’s desk and giant screens in front

00:00:47.760 --> 00:00:51.540
of the room, and there are dozens of scientists and engineers in the room,

00:00:51.540 --> 00:00:57.900
yet not a single one of them was a software engineer, because the term had not been used

00:00:57.900 --> 00:01:04.800
at any point in the 1950s. In the 1960s, NASA developed the Mariner Space Program. The goal

00:01:04.800 --> 00:01:10.200
here was to send unmanned spaceships to Mercury, Mars, and Venus, to take photos of them.

00:01:10.200 --> 00:01:16.740
In 1962, the first Mariner spaceship was launched, and it was headed for Venus.

00:01:16.740 --> 00:01:21.480
It didn’t have anyone onboard. It was controlled remotely, and onboard were just electronics,

00:01:21.480 --> 00:01:28.140
antennas, computers, jet fuel, and cameras. But only a few minutes after launching, things started

00:01:28.140 --> 00:01:33.180
to go wrong. The computer onboard that was in charge of controlling the ship was acting erratic,

00:01:33.180 --> 00:01:38.580
giving all kinds of wild commands for the ship to do. The folks at Mission Control tried to correct

00:01:38.580 --> 00:01:44.160
the computer gone wild, but they couldn’t do anything about it. Then they started to realize

00:01:44.160 --> 00:01:50.400
this rocket’s not gonna make it to Venus. It’s not even gonna make it out of the atmosphere, and it

00:01:50.400 --> 00:01:57.540
might even crash into Earth and hurt someone. So, the people at Mission Control decided there was no

00:01:57.540 --> 00:02:05.340
choice but to push the self-destruct button and blow up Mariner 1 over the Atlantic Ocean. That

00:02:05.340 --> 00:02:13.440
was the end of the Mariner 1 spacecraft, an $18.5 million-ship blown up. So, what happened?

00:02:13.440 --> 00:02:18.120
Well, scientists and engineers spent days replaying the events and logs that they

00:02:18.120 --> 00:02:23.820
captured after launch. A piece of hardware failed, which caused an onboard computer to

00:02:23.820 --> 00:02:29.640
kick in and try to control the craft, but the way it was trying to control the craft wasn’t right.

00:02:29.640 --> 00:02:34.680
Something was wrong with that computer, so they examined the code that was put on that computer,

00:02:34.680 --> 00:02:42.540
and that’s when they saw the problem; a mission dash in the algorithm. A single missing dash. It’s

00:02:42.540 --> 00:02:46.620
not like the dash you’re thinking; it’s more like a bar that was supposed to be above the letter R,

00:02:46.620 --> 00:02:52.500
which stands for radius, and that meant it should have been a smoothed value for radius. Without

00:02:52.500 --> 00:02:57.960
this bar, it was taking the current value for R, and since this rocket was trying to recover from

00:02:57.960 --> 00:03:02.760
some bad hardware, the values for R were bouncing all over, so the output of the program was

00:03:02.760 --> 00:03:07.200
bouncing all over. It should have been taking an average reading for R, not the wildly fluctuating

00:03:07.200 --> 00:03:11.520
values. So, the computer was telling the rocket to fly all crazy and out of control.

00:03:11.520 --> 00:03:17.400
The logic and algorithm that the scientists gave the programmer was correct,

00:03:17.400 --> 00:03:24.360
but whoever programmed that algorithm into the computer missed this little dash above the R,

00:03:24.360 --> 00:03:31.440
and because of that tiny little bug in the code, it resulted in the whole rocket being destroyed.

00:03:31.440 --> 00:03:36.060
When NASA makes a mistake like this, they try to find ways to prevent anything like

00:03:36.060 --> 00:03:40.980
this happening in the future. They realized they were implementing software on a lot of systems,

00:03:40.980 --> 00:03:48.060
but had no way to test the reliability of that software. This is when it became clear that

00:03:48.060 --> 00:03:54.060
software engineering should be a discipline, and shortly after that, it started getting developed

00:03:54.060 --> 00:04:01.140
and became a thing. This software bug didn’t just crash a spaceship, but it launched a whole new

00:04:01.140 --> 00:04:09.840
field of study and new principles for designing, developing, and testing computer software.

00:04:09.840 --> 00:04:19.800
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m

00:04:19.800 --> 00:04:23.640
Jack Rhysider. This is Darknet

00:04:23.640 --> 00:04:38.820
Diaries. [INTRO MUSIC ENDS] JACK:

00:04:38.820 --> 00:04:41.700
Are you ready? MADDIE: Yep, sounds good to me.

00:04:41.700 --> 00:04:46.560
JACK: So, what got you start – hold on, let’s start with your name and what do you do.

00:04:46.560 --> 00:04:50.580
MADDIE: My name is Maddie Stone and I am a security researcher focused

00:04:50.580 --> 00:04:53.460
on setting zero-days that are actively exploited

00:04:53.460 --> 00:04:57.480
in the wild at Google Project Zero. JACK: We’re gonna get into what she does at

00:04:57.480 --> 00:05:01.860
Google, but I find that the path to get there is interesting. So, when she was a teenager,

00:05:01.860 --> 00:05:05.880
she developed an interest in computers, and after high school went to college at

00:05:05.880 --> 00:05:11.280
Johns Hopkins University in Maryland. MADDIE: Yeah, so I actually double-majored

00:05:11.280 --> 00:05:16.260
in Computer Science and Russian Language and Literature, ‘cause I wasn’t fully committed to

00:05:16.260 --> 00:05:21.480
this whole engineering thing. I didn’t know if I would be bored during – doing that, so I was like,

00:05:21.480 --> 00:05:27.900
let’s learn a new language, and ended up really enjoying the Russian in just a very different

00:05:27.900 --> 00:05:33.300
way of using your brain in classes and everything like that, and it allowed me to study abroad too,

00:05:33.300 --> 00:05:36.780
which I’ve always loved to travel. JACK: Whoa, this is crazy. So,

00:05:36.780 --> 00:05:39.708
you know Russian. MADDIE: Well, I used to. I used to be good.

00:05:39.708 --> 00:05:44.700
JACK: Yeah. But then you moved? You studied abroad; to where?

00:05:44.700 --> 00:05:48.360
MADDIE: So, I did two months in St. Petersburg and four months in Moscow.

00:05:48.360 --> 00:05:55.200
JACK: [MUSIC] And after graduating, got a job at the Applied Physics Lab at Johns Hopkins.

00:05:55.200 --> 00:06:01.080
MADDIE: Which is a government research laboratory. That’s where I ended up for

00:06:01.080 --> 00:06:04.980
the first four-and-a-half years, studying – or working on reverse-engineering

00:06:04.980 --> 00:06:08.520
of firmware and hardware. JACK: It looks like a really cool place,

00:06:08.520 --> 00:06:12.960
actually. There are about 8,000 employees at this Applied Physics Lab, and they take on

00:06:12.960 --> 00:06:18.000
research projects for the Department of Defense and NASA, so they get hands-on experience while

00:06:18.000 --> 00:06:20.880
doing advanced research. MADDIE: So, I was also working

00:06:20.880 --> 00:06:24.480
with literal rocket scientists, if that doesn’t keep your ego in check.

00:06:24.480 --> 00:06:28.200
JACK: While working there, she simultaneously was able to get a master’s

00:06:28.200 --> 00:06:32.820
degree in Computer Science, too. MADDIE: I was super fascinated by the

00:06:32.820 --> 00:06:38.820
hacking portion and when you see all these things but have never actually done it, it sounds really

00:06:38.820 --> 00:06:46.080
sexy and everything like that. I had really, really loved Assembly. I had actually listed

00:06:46.080 --> 00:06:51.900
that that was my favorite language when, you know, they did a round and did profiles of folks and

00:06:51.900 --> 00:06:57.180
interviews with different companies. They ask you and they’re like, you love Assembly? I was like,

00:06:57.180 --> 00:07:02.220
yes. I became the teaching assistant for that course and then as an independent

00:07:02.220 --> 00:07:07.080
study, created all new projects. JACK: Hm, that’s very interesting to me. I,

00:07:07.080 --> 00:07:12.480
too, have an IT degree, and I learned Java and C and C++ and Visual Basic and all these programming

00:07:12.480 --> 00:07:17.940
languages, all of which I could understand no problem. But when I took the Assembly language

00:07:17.940 --> 00:07:24.180
class, I was so lost. It was the only IT class that I actually struggled with, and that’s because

00:07:24.180 --> 00:07:30.300
it’s so different than everything else. Assembly language is very low-level. A high-level language,

00:07:30.300 --> 00:07:36.120
you can see things like variables, if statements, for loops, and functions, but with Assembly, you

00:07:36.120 --> 00:07:43.620
have commands like move, push, pop, add, subtract, real basic and rudimentary stuff. A program that

00:07:43.620 --> 00:07:50.160
is just a few lines of code in Python can become ten times longer in Assembly. But Assembly has

00:07:50.160 --> 00:07:56.640
some superpowers. It can interact with memory and the CPU in ways that other languages can’t,

00:07:56.640 --> 00:08:02.940
and it can be incredibly efficient, too. You get much better control over the computer’s resources,

00:08:02.940 --> 00:08:07.980
and you know what? You can go even deeper, too, to a even lower level and look to see

00:08:07.980 --> 00:08:12.780
what’s going on in the hardware. You could open up the case of the computer, get out some probes,

00:08:12.780 --> 00:08:17.220
and jam them into the circuit board and watch what electrical signals are moving

00:08:17.220 --> 00:08:22.200
through the circuitry. This is even more hard to read because all you see at that level is

00:08:22.200 --> 00:08:28.200
whether the voltage is high or low, but having this kind of read/write access gives you really

00:08:28.200 --> 00:08:33.120
the ultimate power over your computer. It was this low-level stuff that fascinated

00:08:33.120 --> 00:08:38.220
Maddie. It was like doing brain surgery to teach someone something or to see how they

00:08:38.220 --> 00:08:43.860
think. A computer can’t hide its thoughts when you’re this deep into it. Another big reason she

00:08:43.860 --> 00:08:48.960
liked it was because she could break down any program into Assembly. It doesn’t matter what

00:08:48.960 --> 00:08:54.180
language a program is created in; you can run any compiled program through a disassembler and see

00:08:54.180 --> 00:09:00.240
the whole program in Assembly language. A lot of applications and programs are compiled and in a

00:09:00.240 --> 00:09:05.220
sort of byte code that’s not human-readable, and you certainly can’t see the original code that was

00:09:05.220 --> 00:09:10.860
used to create it, so you can’t tell what so many programs actually do. But at the end of the day,

00:09:10.860 --> 00:09:16.320
the computer has to know what to do, and that byte code can be converted into Assembly so

00:09:16.320 --> 00:09:21.240
you can kind of read what’s happening. So, if you get good with Assembly, you can get a much deeper

00:09:21.240 --> 00:09:27.000
understanding of how computers handle memory and processes, and you can decipher any program. It’s

00:09:27.000 --> 00:09:30.960
just really hard to read at that level. It’s kind of like reading a book, but you only get to look

00:09:30.960 --> 00:09:36.720
at one letter at a time, and the book only has ten usable letters that make up all the words. Anyway,

00:09:36.720 --> 00:09:40.860
getting better at Assembly and learning more about hardware is what she spent four

00:09:40.860 --> 00:09:45.360
years doing at the Applied Physics Lab. MADDIE: [MUSIC] Then one day, Google calls and

00:09:45.360 --> 00:09:51.960
says hey, are you interested in interviewing with us? Which I was pretty shocked about because as a

00:09:51.960 --> 00:09:59.160
student, I tried really hard to get any – even interviews or calls with all of the big tech

00:09:59.160 --> 00:10:04.980
companies, but I was not someone of interest to them, so I was very surprised to get the

00:10:04.980 --> 00:10:11.520
call and ended up going through the interview process and getting the offer to join the Android

00:10:11.520 --> 00:10:18.000
security team as a reverse engineer. JACK: A reverse engineer is someone who takes

00:10:18.000 --> 00:10:23.640
a program and tries to figure out what it does by sometimes converting it to Assembly language

00:10:23.640 --> 00:10:28.320
and trying to make sense of it. I mean, Google is where Android is made, so why would someone

00:10:28.320 --> 00:10:32.520
need to reverse-engineer Android when they could just look at the source code written

00:10:32.520 --> 00:10:35.520
right there in the same building? MADDIE: I was focused on all of the malware,

00:10:35.520 --> 00:10:40.860
you know, in the Android ecosystem. JACK: Oh, duh, that makes sense. The malware

00:10:40.860 --> 00:10:46.020
that’s targeting Android is often compiled, where you can’t see the code that’s used to make it,

00:10:46.020 --> 00:10:51.240
and Maddie’s job was to reverse-engineer and decompile some of this code and examine it for

00:10:51.240 --> 00:10:55.020
malware, and if it was malware, figure out what it’s doing and then tell the

00:10:55.020 --> 00:11:00.060
Android developers how to fix this. MADDIE: More specifically, I started leading

00:11:00.060 --> 00:11:08.100
a team that was focused on finding any sort of malware or bad apps that were one, potentially

00:11:08.100 --> 00:11:14.760
pre-installed on different OEM or manufacturer devices, ‘cause there’s thousands of different

00:11:14.760 --> 00:11:23.280
manufacturers of Android devices, as well as looking at can we find malware for all the apps

00:11:23.280 --> 00:11:29.820
that are off of Google Play Store? So, in lots of parts of the world, there’s apps that are passed

00:11:29.820 --> 00:11:34.860
around through different stores other than Google Play or they’re peer-to-peer passed or things

00:11:34.860 --> 00:11:40.560
like that, so are there ways that we can still protect Android users from those apps as well, and

00:11:40.560 --> 00:11:45.060
figuring out what’s malware and what’s not? JACK: Okay, so I just got curious what kind of

00:11:45.060 --> 00:11:48.540
malware we’re talking about here when it comes to Android, and I started looking some things

00:11:48.540 --> 00:11:54.300
up. [MUSIC] One really popular virus going around is GinMaster. Apparently there are

00:11:54.300 --> 00:11:58.680
millions of Android devices infected by this, and don’t forget, Android is an operating system

00:11:58.680 --> 00:12:03.840
that’s used on both phones and tablets. But this GinMaster malware, once it gets into a device,

00:12:03.840 --> 00:12:09.000
it will capture private data from the device and send that to an external server. It can

00:12:09.000 --> 00:12:14.100
also give attackers access to that device. GinMaster is clearly something you’d never

00:12:14.100 --> 00:12:20.040
want on your phone or tablet, so why does it exist on millions of devices? Well, the way it

00:12:20.040 --> 00:12:25.740
often gets onto a device is that it gets tacked onto another app, and it’s typically a bad app

00:12:25.740 --> 00:12:31.740
that a user is tricked into installing. A common strategy is to make a lookalike app

00:12:31.740 --> 00:12:36.180
of a popular game out there. This is to trick people into thinking that they’re getting the

00:12:36.180 --> 00:12:41.220
app that they want, but it’s not the real one. Then when someone downloads it and installs it,

00:12:41.220 --> 00:12:47.460
not only do they not get the app they want, but they get infected with this GinMaster malware.

00:12:47.460 --> 00:12:51.840
So, at the end of the day, it’s actually a user who downloads and installs the virus;

00:12:51.840 --> 00:12:59.040
they just don’t know it’s a virus. When a device is infected with it, it can steal user data, take

00:12:59.040 --> 00:13:04.680
control of the device, or install more malicious stuff. So, it’s malware like this that gets sent

00:13:04.680 --> 00:13:10.380
to Maddie for analysis, and she can flag apps like that to warn Android users that this app contains

00:13:10.380 --> 00:13:16.140
malware, and specifically the way Android apps are packaged is in something called an APK file,

00:13:16.140 --> 00:13:21.300
which stands for Android package. MADDIE: Yes, so we find an APK file,

00:13:21.300 --> 00:13:27.600
which is basically just a .zip file with all of the different components of an Android app.

00:13:27.600 --> 00:13:31.980
JACK: Not all Android apps are written in Java, but I think it is the most common language they’re

00:13:31.980 --> 00:13:37.200
typically written in. What’s nice for Maddie is Java apps can be decompiled pretty easily,

00:13:37.200 --> 00:13:42.300
and you can see a pretty close picture to how the original program looked. So, she doesn’t need to

00:13:42.300 --> 00:13:46.680
break it down into Assembly. She can read through what it’s doing close to its original format,

00:13:46.680 --> 00:13:52.800
making it a lot easier to understand. But it’s not always this easy; sometimes hidden in the

00:13:52.800 --> 00:13:58.860
Java is additional compiled programs. MADDIE: [MUSIC] Yes, so that’s where some of

00:13:58.860 --> 00:14:04.920
the more sophisticated malware authors would try to hide their – some of their

00:14:04.920 --> 00:14:13.080
behaviors in need of libraries within the APK file. So, these are compiled C or C++,

00:14:13.080 --> 00:14:21.060
which once it’s compiled, it’s in machine code which we can disassemble to Assembly code.

00:14:21.060 --> 00:14:25.560
JACK: Of course, this is where Maddie shines. She can read this Assembly

00:14:25.560 --> 00:14:30.780
language to understand how the malware does what it does, then reports it to the Android

00:14:30.780 --> 00:14:34.980
team to see if there’s anything they can do to protect users from malware like this.

00:14:34.980 --> 00:14:44.280
MADDIE: Yeah, so, the first thing is we had to put flags into the Google Play protect system,

00:14:44.280 --> 00:14:49.980
because the number one thing is you want users to be alerted, to given the option to remove it

00:14:49.980 --> 00:14:57.120
or disable the application from their device. The next step is really writing automated solutions,

00:14:57.120 --> 00:15:03.180
because especially when you’re in a malware team – and there’s always more apps or samples to look

00:15:03.180 --> 00:15:08.520
at than there are humans to analyze them, so the goal is always that it’s only ever

00:15:08.520 --> 00:15:14.700
reverse-engineered once in that terms, and that – then after you’ve reverse-engineered it once,

00:15:14.700 --> 00:15:20.340
then there’s software automated solutions that can find all the other copies that may come up out of

00:15:20.340 --> 00:15:26.460
that. So, that’s really the processes; analyze it, figure it out, flag it so users were protected,

00:15:26.460 --> 00:15:33.420
and then figure out automated solutions. JACK: Mm-hm. So, tell me a story about maybe some

00:15:33.420 --> 00:15:37.200
interesting malware that you found or landed on your desk. You’re like alright, I’ll take a look,

00:15:37.200 --> 00:15:44.520
and whoa, this is crazy, this stuff. MADDIE: So, one of the biggest malware families

00:15:44.520 --> 00:15:50.640
that I was not expecting and it ended up into a year-plus investigation, was what we called

00:15:50.640 --> 00:15:57.780
Chamois. It took a lot of practice to learn how to pronounce that correctly, but it was a large

00:15:57.780 --> 00:16:05.400
botnet and what was really interesting and how I got into it is that this application, which was

00:16:05.400 --> 00:16:13.020
usually written in Java, had this native library, so C or C++ compiled code in it. As I kept trying

00:16:13.020 --> 00:16:18.180
to dig into this native library, [MUSIC] it became obvious that it was heavily, heavily

00:16:18.180 --> 00:16:24.900
obfuscated as well as doing an incredible amount of anti-analysis and anti-debugging checks. So,

00:16:24.900 --> 00:16:33.600
it was very sophisticated trying to monitor like, am I being monitored and analyzed by a security

00:16:33.600 --> 00:16:40.380
engineer or am I running on a real device that I can infect? I ended up diving into – I think it

00:16:40.380 --> 00:16:48.480
took over a month or a month-and-a-half to really dive into all the aspects of that native library.

00:16:48.480 --> 00:16:53.820
Then when I started looking for other apps with similar native libraries, it became clear that

00:16:53.820 --> 00:17:02.640
it was this botnet and this family of malware that was doing some pretty sophisticated stuff.

00:17:02.640 --> 00:17:06.480
One of the funniest anecdotes to me is that I actually presented

00:17:06.480 --> 00:17:12.360
on that native library at Black Hat. JACK: Yeah, so in 2018, Maddie came onstage

00:17:12.360 --> 00:17:17.760
at the Black Hat Security Conference and showed everyone in the audience the exact techniques

00:17:17.760 --> 00:17:19.440
that this malware was using. MADDIE: [AT BLACK HAT] So, what are

00:17:19.440 --> 00:17:24.180
all these different techniques that we’re gonna talk about? What makes it so interesting? First

00:17:24.180 --> 00:17:28.440
we’re gonna start about some of the J&I or Java native interface manipulations, then

00:17:28.440 --> 00:17:34.080
we’re gonna go into some places where they’ve used anti-reversing techniques, in-place decryption,

00:17:34.080 --> 00:17:39.060
and finally to about forty different runtime environment checks that they use. [TO JACK]

00:17:39.060 --> 00:17:43.740
I think it was less than twenty-four – or definitely less than seventy-two hours later,

00:17:43.740 --> 00:17:51.420
we saw the malware authors changing different aspects and characteristics of this library that

00:17:51.420 --> 00:17:56.880
I had just presented on. [MUSIC] So, they only changed the characteristics and techniques I had

00:17:56.880 --> 00:18:02.940
discussed in the Black Hat presentation. So, that presentation hadn’t been streamed or anything like

00:18:02.940 --> 00:18:09.480
that, so that was very fascinating to see. JACK: Whoa, yeah, that is interesting. This means

00:18:09.480 --> 00:18:15.240
either the malware authors or someone who knows the malware authors were at her talk,

00:18:15.240 --> 00:18:21.480
watching her, taking notes on how she’s able to detect their malware, and then rushing back

00:18:21.480 --> 00:18:27.180
to their computers to update their malware to make it harder for the Google team to detect it.

00:18:27.180 --> 00:18:32.040
See, this is the thing about Maddie; she seems to be on this mission to make it

00:18:32.040 --> 00:18:38.580
harder for malware-makers to do what they do. She gets in their heads and learns where and

00:18:38.580 --> 00:18:43.560
how they’re hiding so she can shine a big old spotlight on it and make them scatter.

00:18:43.560 --> 00:18:48.240
Her goal is to make it easier for people to find malware, and at the same time,

00:18:48.240 --> 00:18:56.640
make it harder for someone to make malware. MADDIE: So, one day I had a new calendar invite

00:18:56.640 --> 00:19:04.020
in my inbox from Ben Hawkes, who was the long-time lead of Project Zero. We

00:19:04.020 --> 00:19:09.540
had never met before and he said hey, I just wanted to chat about this potential new role

00:19:09.540 --> 00:19:13.800
and experiment for Project Zero. JACK: Oh wow, Project Zero was trying to

00:19:13.800 --> 00:19:18.600
steal her? That’s pretty cool. This is a very talented team within Google which focuses on

00:19:18.600 --> 00:19:22.440
finding zero-day vulnerabilities. MADDIE: Yeah, so Google Project Zero is

00:19:22.440 --> 00:19:28.320
a team of applied security research with the mission of make zero-day hard.

00:19:28.320 --> 00:19:33.780
JACK: But the key thing here is this team will look for bugs in any software,

00:19:33.780 --> 00:19:38.820
not just Google’s products. I think the idea here is that Google users don’t just

00:19:38.820 --> 00:19:42.300
exclusively use Google products. MADDIE: Yeah, so if you think about it,

00:19:42.300 --> 00:19:46.800
to protect, say, Google Chrome users or Gmail users or things like that,

00:19:46.800 --> 00:19:55.440
a lot of Google users can be attacked through vectors other than just the Google products. So,

00:19:55.440 --> 00:20:00.900
whatever operating system you’re running Chrome on, for example, if that has vulnerabilities,

00:20:00.900 --> 00:20:08.820
than that could be a way to hack those users. Or back in 2014, Flash was one of the biggest ways

00:20:08.820 --> 00:20:14.820
to attack people via the web. So, doing a lot of research and vulnerability research into Flash

00:20:14.820 --> 00:20:20.220
would ultimately help protect Chrome users. JACK: So, the team at Project Zero looks for

00:20:20.220 --> 00:20:25.260
zero-day vulnerabilities anywhere. Oh, and zero-day vulnerabilities are bugs that the

00:20:25.260 --> 00:20:29.940
software maker doesn’t yet know about, which also means the defenders don’t know about it either,

00:20:29.940 --> 00:20:35.580
and they can’t defend against this kind of bug. Now, if the Project Zero team finds a bug,

00:20:35.580 --> 00:20:41.460
they tell the vendor to fix it and then start the timer. If ninety days goes by

00:20:41.460 --> 00:20:47.700
and the vendor doesn’t fix it, Google will publish this bug publicly. Anyway,

00:20:47.700 --> 00:20:52.560
this was the team who approached Maddie. MADDIE: So, his hybrid role would be not

00:20:52.560 --> 00:20:58.680
just – for me to not just be in vulnerability research, but sort of combine this threat

00:20:58.680 --> 00:21:03.900
intelly/malware/analyst side of it, and I would be – use the starting point of

00:21:03.900 --> 00:21:08.520
zero-days that are actively exploited in the wild. So, not just hunting

00:21:08.520 --> 00:21:15.660
zero-days that attackers could theoretically be finding, but instead having my starting point

00:21:15.660 --> 00:21:21.960
be the exploits that are actually used. JACK: Hm, yeah, I get it. If the goal of Project

00:21:21.960 --> 00:21:27.540
Zero is to make zero-days hard to make, adding a reverse engineer to the mix really boosts the

00:21:27.540 --> 00:21:32.100
potential research that can be done. Now, instead of just looking for unknown malware out there,

00:21:32.100 --> 00:21:37.140
you can feed known malware to Maddie and she can digest that and come up with patterns

00:21:37.140 --> 00:21:42.120
to look for more malware that’s out there. It’s sort of approaching finding malware a

00:21:42.120 --> 00:21:47.520
totally different way. Combining these forces makes them more effective. So, she took the

00:21:47.520 --> 00:21:51.540
job and joined Google Project Zero. MADDIE: [MUSIC] So, I really came into this

00:21:51.540 --> 00:21:59.100
team with not a lot of knowledge and just this basic idea from Ben that he told me take it and

00:21:59.100 --> 00:22:07.560
run with it and figure out what makes sense. So, I did not really have any Windows, IOS browser,

00:22:07.560 --> 00:22:13.020
et cetera, vulnerability research experience. My experience prior to Android had been on hardware

00:22:13.020 --> 00:22:20.580
and embedded devices, which doesn’t tend to be the biggest targets of interest for Project Zero. So,

00:22:20.580 --> 00:22:28.320
it was a lot of learning, but we started sort of off big and that I joined the team in July

00:22:28.320 --> 00:22:38.520
of 2019, and Google received information that the commercial surveillance company NSO had this

00:22:38.520 --> 00:22:44.160
Android exploit that they were using to target Android users in their delivery of Pegasus,

00:22:44.160 --> 00:22:52.860
the piece of spyware that has been all over the news lately. We actually got some marketing

00:22:52.860 --> 00:22:59.760
details about this capability. So, my first job was taking all of those details and seeing if

00:22:59.760 --> 00:23:07.200
I could figure out what the bug was so that we could patch it and break the capability.

00:23:07.200 --> 00:23:13.080
So, I was digging through all the different Android source code, Linux kernel source code,

00:23:13.080 --> 00:23:20.580
trying to figure out what is this bug, and somehow managed to figure out exactly which bug it was,

00:23:20.580 --> 00:23:26.100
because the details we were given happened to line up, that there was only one vulnerability

00:23:26.100 --> 00:23:32.460
that potentially matched every single detail we were given. So, that was a pretty wild first

00:23:32.460 --> 00:23:38.100
bug to report and put into the Project Zero issue tracker. We reported it to Android under

00:23:38.100 --> 00:23:43.860
a seven-day deadline instead of the ninety due to a high probability that it was being

00:23:43.860 --> 00:23:50.580
actively exploited in the wild. Then wanting to show that it could be exploited, I partnered up

00:23:50.580 --> 00:23:57.540
with Jann Horn to write a proof-of-concept not just triggering the vulnerability,

00:23:57.540 --> 00:24:03.660
but actually showing a way to exploit the vulnerability and how it would be useful to get

00:24:03.660 --> 00:24:09.900
– or to use in, say, the Pegasus chain. So, that was quite the wild week.

00:24:09.900 --> 00:24:15.480
JACK: For Maddie to identify how Pegasus software is used in Android and then to come

00:24:15.480 --> 00:24:21.360
up with a working proof-of-concept exploit all in a week, that’s amazing. That’s like finding

00:24:21.360 --> 00:24:25.560
and squashing a million-dollar bug. Seriously, there are companies out there who are willing

00:24:25.560 --> 00:24:30.720
to pay a million dollars for a bug like this, because it’s so valuable to certain people.

00:24:30.720 --> 00:24:37.080
Pegasus is the spyware used by NSO, which is a company based in Israel who sells the spyware

00:24:37.080 --> 00:24:42.300
to different countries around the world, and it’s quite expensive to buy this Pegasus software. So,

00:24:42.300 --> 00:24:49.500
when Maddie discovers how it’s used and makes it no longer usable, it must make NSO angry.

00:24:49.500 --> 00:24:55.860
Now they have to rip out their existing way of exploiting phones and find a new way to do that,

00:24:55.860 --> 00:25:02.760
which isn’t so easy. But this is Project Zero’s goal, to make it harder for exploits to be out

00:25:02.760 --> 00:25:08.280
there. If a company has a whole business model of selling malware and exploits to countries,

00:25:08.280 --> 00:25:14.580
then yeah, they’ll be impacted by this, and it’ll mean the price of Pegasus will go up, since it’s

00:25:14.580 --> 00:25:19.560
harder to find these vulnerabilities. MADDIE: Generally it is nation state actors

00:25:19.560 --> 00:25:26.160
who are using zero-day exploits, and they’re generally using the zero-days against human

00:25:26.160 --> 00:25:35.460
rights defenders, journalists, minoritized populations, politicians. So, while every

00:25:35.460 --> 00:25:42.660
human doesn’t necessarily need to be worried about being attacked with zero-day exploits,

00:25:42.660 --> 00:25:50.040
all of us are generally impacted when they’re used. When journalists become scared or unable to

00:25:50.040 --> 00:25:57.540
write the truth that they find and that human rights defenders are being targeted so fewer

00:25:57.540 --> 00:26:03.240
people are scared to stand up and speak out, or minoritized populations are begin targeted,

00:26:03.240 --> 00:26:06.900
or critical infrastructure companies and things like that,

00:26:06.900 --> 00:26:10.740
that does ultimately impact us all. JACK: If you want to know more about this,

00:26:10.740 --> 00:26:16.860
I did a whole episode on NSO. That’s Episode 100. You’ll hear how they sell software to countries,

00:26:16.860 --> 00:26:21.420
and then those countries turn around and use it to attack civil society. Of course,

00:26:21.420 --> 00:26:26.280
nation state actors aren’t always abusing their power; they do use their abilities to

00:26:26.280 --> 00:26:31.020
stop terrorist attacks and criminal activity, but at the end of the day, the measure of any

00:26:31.020 --> 00:26:37.320
technology is how it winds up getting used against vulnerable people, not just how it helps. So,

00:26:37.320 --> 00:26:41.880
if there are zero-day vulnerabilities out there that are being used to target innocent people,

00:26:41.880 --> 00:26:48.840
then finding those and fixing them will help civil society be more secure. It’s kind of wild to me

00:26:48.840 --> 00:26:54.780
to think that Maddie here is trying to disarm nation state actors by finding what weapons and

00:26:54.780 --> 00:26:59.880
exploits they have, and then once discovering it, getting it fixed so it can’t be used to exploit

00:26:59.880 --> 00:27:07.680
people anymore. Has there been any threatening reactions to this? Like, I can imagine NSO group

00:27:07.680 --> 00:27:13.620
being pretty upset after your first project there and being like okay, Maddie is now on our

00:27:13.620 --> 00:27:19.140
list. Do you ever get any weird stuff? MADDIE: Well, it was actually very strange,

00:27:19.140 --> 00:27:26.160
of – in January of 2020, I was invited to the conference Blue Hat Israel.

00:27:26.160 --> 00:27:31.920
So I went, and there were actually two people who came up to me and their badges said they

00:27:31.920 --> 00:27:40.740
worked for NSO, and they said – and they asked me questions about why I chose the techniques I did,

00:27:40.740 --> 00:27:44.220
so that was a very strange interaction

00:27:44.220 --> 00:27:55.140
overall. But one of the more anxiety-producing was back in – I believe it was 2021;

00:27:55.140 --> 00:28:00.000
Google TAG, the Threat Analysis Group, discovered that North Korean hackers were targeting security

00:28:00.000 --> 00:28:07.380
researchers, including security researchers from Project Zero in the hopes of trying to steal then

00:28:07.380 --> 00:28:17.160
zero-day exploits from security researchers to use in their campaigns. So, being personally –

00:28:17.160 --> 00:28:27.600
or personally, I mean in the population of folks targeted, is a rather frightening aspect of – but

00:28:27.600 --> 00:28:36.300
it also just gave a lot of empathy for people doing the real hard work and are often targets of

00:28:36.300 --> 00:28:43.740
the nation state attackers using zero-days. JACK: Yeah. So, some other philosophy here is

00:28:43.740 --> 00:28:53.220
like, NSA is in the business of finding zero-days and using them as weapons. Sometimes one of the

00:28:53.220 --> 00:28:58.740
nation states that you’re going up against is your own nation. Do you get cross-conflicted there,

00:28:58.740 --> 00:29:02.460
or how does that feel to you? MADDIE: I don’t think so, because the

00:29:02.460 --> 00:29:08.880
vast majority of the time, we have no idea who is behind a bug. Also because

00:29:08.880 --> 00:29:15.300
you’re just working so quickly that people don’t usually have attribution, you know,

00:29:15.300 --> 00:29:21.060
immediately. They just – if attribution even comes out – the threat intel experts are

00:29:21.060 --> 00:29:26.700
usually three to six months behind, so there’s never sort of that conflict, because all we get

00:29:26.700 --> 00:29:35.040
is here’s an exploit sample, or here’s a patch diff and the bug was labeled in release notes.

00:29:35.040 --> 00:29:40.380
So, I’ve never really felt conflicted in that way because there’s no way to

00:29:40.380 --> 00:29:44.820
know. All you know is that people are being harmed, so that would sit even worse with me

00:29:44.820 --> 00:29:49.380
to not try and get it fixed. Yeah. JACK: We’re gonna take a quick break here,

00:29:49.380 --> 00:29:54.720
but stay with us, because we’re gonna hear more from Maddie when we get back. Earlier this year,

00:29:54.720 --> 00:30:00.360
in 2022, Maddie saw that Apple patched a bug in their WebKit product. This is the browser

00:30:00.360 --> 00:30:06.000
engine that Apple’s Safari browser uses, and there was a pretty big vulnerability discovered in it,

00:30:06.000 --> 00:30:09.840
but the patch notes were a little vague, so Maddie started to try to learn more.

00:30:09.840 --> 00:30:16.380
MADDIE: When I started digging into it, one of the ways that I also analyze –when it’s just a

00:30:16.380 --> 00:30:23.940
patch diff; I don’t have any other information – is for open source software such as WebKit,

00:30:23.940 --> 00:30:28.260
I will look at the history of that file and the areas that they patched,

00:30:28.260 --> 00:30:33.840
or – it’s called the git blame of – it sort of tells you when did this line

00:30:33.840 --> 00:30:39.540
appear or when was this source code line last changed. What I ended up figuring out

00:30:39.540 --> 00:30:49.560
was that this was a zombie bug and that it had actually been originally fixed back in 2013,

00:30:49.560 --> 00:30:55.320
but then the bug was reintroduced because that patch was regressed and undone

00:30:55.320 --> 00:31:04.200
in 2016. Then here we were in 2022 with the bug exploited in the wild and patched again.

00:31:04.200 --> 00:31:09.960
JACK: Why do you think it regressed? MADDIE: So, I did a deep blog post into this

00:31:09.960 --> 00:31:14.340
really trying to understand, and it was actually – it became sort of a team effort because all of us

00:31:14.340 --> 00:31:21.180
were really interested in trying to understand how did this happen. There was also a very interesting

00:31:21.180 --> 00:31:28.080
overlap of – my teammate Sergei Glazunov was actually the original reporter of the bug back in

00:31:28.080 --> 00:31:34.980
January 2013 and was actually reported to Chrome because at that time, Chrome was still

00:31:34.980 --> 00:31:43.620
built on top of WebKit as their browser engine. They didn’t split off until 2014, I believe.

00:31:43.620 --> 00:31:49.560
So, he was jumping in and looking at it with me, so were some of my other teammates like Mark Bran,

00:31:49.560 --> 00:31:57.900
and what it looks like overall is that they were trying to chain – sort of do a refactoring

00:31:57.900 --> 00:32:04.620
to one, make it more performant, and through that, that meant there were some really huge

00:32:04.620 --> 00:32:13.560
patch changes. Just based on the structure of security teams and reviewing, a lot of times folks

00:32:13.560 --> 00:32:18.360
aren’t really given a huge amount of resources and time to scroll through and look at line by line,

00:32:18.360 --> 00:32:21.950
like what are all these changes that are being made, and things like that.

00:32:21.950 --> 00:32:26.820
JACK: Hm, it’s gotta be quite the embarrassing feeling to find that your code had been

00:32:26.820 --> 00:32:32.100
vulnerable for seven years and you’re just now discovering it. Makes you stop and wonder,

00:32:32.100 --> 00:32:39.120
who all knew about this? Is it possible some advanced hacking group or nation state actor

00:32:39.120 --> 00:32:45.240
had known about this and was using it to take over people’s browsers when they needed to?

00:32:45.240 --> 00:32:54.780
It’s hard to tell, and we’ll never know. MADDIE: [MUSIC] Back in the fall of 2020,

00:32:54.780 --> 00:33:01.980
we discovered some exploit servers and just happened to discover that they were delivering

00:33:01.980 --> 00:33:11.460
us exploits on different devices and different browsers. In that case, you’re generally first

00:33:11.460 --> 00:33:19.260
just getting the first stage exploit and then some sort of fingerprinting script, maybe, or something

00:33:19.260 --> 00:33:26.520
like that. So, we were like, oh my goodness, this is giving us exploits and our devices are

00:33:26.520 --> 00:33:33.180
fully-patched. What the heck is going on? JACK: This must have been a very exciting day,

00:33:33.180 --> 00:33:39.360
to find that there’s a server out there in the world that is able to remotely attack a device and

00:33:39.360 --> 00:33:45.660
exploit it in ways that are just not stoppable. For a security research team like this, it’s a big

00:33:45.660 --> 00:33:51.300
moment. You want to quickly try to capture as many exploits as you can from this server, and then

00:33:51.300 --> 00:33:56.760
analyze them and see exactly how they’re infecting devices so you can get them fixed.

00:33:56.760 --> 00:34:02.160
MADDIE: So, in this case it was a watering hole attack, where a watering hole attack is

00:34:02.160 --> 00:34:11.880
if you go to a website and it is just going to try to infect anyone who goes to this website.

00:34:11.880 --> 00:34:18.720
So, that was sort of the case here, of oh, this is weird; suddenly this is very weird traffic and oh,

00:34:18.720 --> 00:34:23.460
that’s an exploit and that’s a fingerprinting script? What did we stumble upon here?

00:34:23.460 --> 00:34:29.160
JACK: This website had active traffic and users coming to it. So, Maddie and the team at Project

00:34:29.160 --> 00:34:33.360
Zero knew that people were actively being hacked right now when they were visiting the site,

00:34:33.360 --> 00:34:38.100
and wanted to move as quick as possible to stop any more people from being infected.

00:34:38.100 --> 00:34:45.480
MADDIE: So, that was where we all really came together and were working through weekends and

00:34:45.480 --> 00:34:54.600
long hours to first get as many of the exploits as we could, and then teaming up, tearing them apart,

00:34:54.600 --> 00:34:59.340
getting around the obfuscation, trying to figure out what exactly is the bug that is

00:34:59.340 --> 00:35:04.440
being exploited here, and getting those reported and working with the vendors to get those patches

00:35:04.440 --> 00:35:08.220
out as soon as possible. JACK:

00:35:08.220 --> 00:35:13.080
So, they were able to squash any bugs that Google was responsible for, and then get all the other

00:35:13.080 --> 00:35:18.240
vendors who had bugs to squash them, too, which made this website no longer effective at being

00:35:18.240 --> 00:35:24.120
able to exploit updated devices that had come to visit the site. This is why I’m always telling

00:35:24.120 --> 00:35:29.580
you to patch your software. Always update your operating system and any apps you have if there’s

00:35:29.580 --> 00:35:35.880
an update available, because it makes it harder for someone to hack into your stuff. So, I mean,

00:35:35.880 --> 00:35:42.240
did you ever figure out who was doing this? Was it a nation state actor or who your thoughts were

00:35:42.240 --> 00:35:49.380
that would want to run this kind of attack? MADDIE: So, we assume that it is a nation state

00:35:49.380 --> 00:35:56.760
actor just because the sheer volume of zero-days and the sophistication behind those zero-days,

00:35:56.760 --> 00:36:03.120
it seems rather unlikely that anyone other than a nation state actor would one, have access,

00:36:03.120 --> 00:36:09.240
and be willing to use that number. I believe that when we looked at it,

00:36:09.240 --> 00:36:16.680
it was approximately – I believe eleven zero-days that the actor had used over

00:36:16.680 --> 00:36:25.380
the course of a year. So, that definitely would make me think a nation state, but no,

00:36:25.380 --> 00:36:32.700
I do not know who was behind it. I also – I am not an expert in attribution,

00:36:32.700 --> 00:36:39.480
but I have not seen or heard any definitive answers on who the threat researchers and

00:36:39.480 --> 00:36:45.900
threat intel experts believe was behind it. JACK: Whoa, eleven zero-days? That’s amazing. To

00:36:45.900 --> 00:36:51.000
make a zero-day vulnerability takes quite a bit of time and skill. This isn’t some simple social

00:36:51.000 --> 00:36:54.960
engineering attack or some off-the-shelf malware. Each of these eleven zero-day vulnerabilities

00:36:54.960 --> 00:37:01.500
were something that took a lot of resources to find and to turn into a usable exploit. On top

00:37:01.500 --> 00:37:06.240
of that, the way these exploits were chained together was incredibly sophisticated. So,

00:37:06.240 --> 00:37:11.220
because it takes so many resources to develop and weaponize that many bugs, then that’s why

00:37:11.220 --> 00:37:16.920
Maddie thinks it was likely some kind of nation state actor. This is beyond the capabilities of

00:37:16.920 --> 00:37:23.040
a cyber-crime group or hacktivist group. MADDIE: If you can use a less sophisticated form

00:37:23.040 --> 00:37:30.540
of attack to get access to whatever you need, then that will always be the choice. If your

00:37:30.540 --> 00:37:35.820
device – if your targets are insecure and say you know they’ll fall for phishing, then that’s the

00:37:35.820 --> 00:37:41.220
easiest route and that’s what you’ll take. If your targets don’t keep their devices up to date unless

00:37:41.220 --> 00:37:48.120
you can use a in-day exploit, that’s what you’ll take. So, these zero-days are when one, you really

00:37:48.120 --> 00:37:52.500
don’t want to leave a trace because people don’t know what this bug and exploit will look like,

00:37:52.500 --> 00:38:00.180
and you’re targeting entities or individuals who probably have some pretty good security hygiene

00:38:00.180 --> 00:38:06.660
and posture. Those are often going to be people who know their targets, such as our human rights

00:38:06.660 --> 00:38:11.940
defenders and journalists, et cetera. JACK: Hm, so the way I understand it,

00:38:11.940 --> 00:38:17.160
nation state actors typically have a few different objectives. It could be intelligence-gathering,

00:38:17.160 --> 00:38:21.720
like hacking into another nation and stealing information, and it could be disrupting the enemy,

00:38:21.720 --> 00:38:26.280
like deleting the servers that a terrorist organization uses. But we’ve also seen

00:38:26.280 --> 00:38:32.220
nation states participate in cyber-crime and hacktivism. North Korea has been hacking into

00:38:32.220 --> 00:38:37.080
banks and stealing money from them, and China has been hacking into US companies to steal

00:38:37.080 --> 00:38:41.820
their intellectual property. But we’ve also seen China hack into the Gmail accounts of

00:38:41.820 --> 00:38:46.860
human rights activists to try to stop them or figure out what they’re up to. We’ve seen the

00:38:46.860 --> 00:38:52.380
UAE hack into human rights activists’ phones to track them and arrest them. Of course,

00:38:52.380 --> 00:38:57.120
Russia is meddling with elections and even sabotaging the Olympics in some weird ways.

00:38:57.120 --> 00:39:04.320
So, there’s a big spectrum of what governments are doing out there in the mean streets of cyberspace.

00:39:04.320 --> 00:39:08.820
I don’t know about you, but to me, trying to figure out this space, it gets blurry

00:39:08.820 --> 00:39:16.080
fast. What’s good? What’s evil? Some things are clear, but others not so much. Like,

00:39:16.080 --> 00:39:23.040
when a country hacks into and spies on another ally country? Why? Because they don’t trust their

00:39:23.040 --> 00:39:28.320
ally? Because they want more information than what their ally is willing to give them? What happens

00:39:28.320 --> 00:39:34.500
when they do find out that their ally had some nefarious plan? Do the ends justify the means?

00:39:34.500 --> 00:39:41.760
It gets tricky, and I imagine the weight of who you may be helping and who you may be hurting must

00:39:41.760 --> 00:39:46.500
weigh on Maddie as she does her work. MADDIE: Of course. I don’t think anyone who’s

00:39:46.500 --> 00:39:55.920
in this industry or business can’t help but think about the philosophy of it. So, for me,

00:39:55.920 --> 00:40:01.800
it feels pretty easy and I hope I’m on the good side of – I want people to have safe and secure

00:40:01.800 --> 00:40:09.540
access to the internet, whether it’s just their data, their device, and everything like that. So,

00:40:09.540 --> 00:40:15.240
the case and the part of that, safe and secure that I am currently able

00:40:15.240 --> 00:40:22.260
to hopefully make the biggest difference on, is in the zero-day and zero-day exploit space.

00:40:22.260 --> 00:40:28.200
But previously I was trying to accomplish that with making sure every Android phone

00:40:28.200 --> 00:40:34.260
didn’t have malware on it. So, that’s sort of my guiding principle, is I think the world would be

00:40:34.260 --> 00:40:41.040
a pretty amazing place if everyone could access and connect to all this amount of

00:40:41.040 --> 00:40:47.640
information and education and everything like that if – with safe and security and know that

00:40:47.640 --> 00:40:56.940
their privacy is protected. So, yeah. JACK: [MUSIC] It’s nice that Maddie has a good

00:40:56.940 --> 00:41:03.180
ethical mindset to all this and is helping us all become more secure. But just keep this in mind;

00:41:03.180 --> 00:41:10.080
there are people just like Maddie who work for the bad guys, doing exactly what she’s doing, looking

00:41:10.080 --> 00:41:13.680
through patch notes and trying to figure out what exploit just got fixed to see if there’s anything

00:41:13.680 --> 00:41:19.020
the vendor missed or some sort of related bug, and then once they find the bug, they’ll develop

00:41:19.020 --> 00:41:25.500
it into an exploit and weaponize it instead of getting it fixed. That just makes me think okay,

00:41:25.500 --> 00:41:30.960
if there are enemies and allies out there where countries are hacking into each other, then what

00:41:30.960 --> 00:41:37.020
does that make Maddie, an enemy or an ally? Or is there some kind of third faction out there?

00:41:37.020 --> 00:41:46.260
Also, NSA stands for National Security Agency. Their job is to ensure the US is secure and is

00:41:46.260 --> 00:41:51.480
able to send secure communications without our data getting into the enemy’s hands. So,

00:41:51.480 --> 00:41:55.620
you’d think that if the NSA has found a way to bypass the security of something,

00:41:55.620 --> 00:42:01.080
they’d want to find a way to get that fixed right away to ensure that the software used by hundreds

00:42:01.080 --> 00:42:08.040
of millions of Americans is secure, right? But despite that the NSA spends millions of

00:42:08.040 --> 00:42:14.280
dollars on finding and developing vulnerabilities, they don’t report that much to vendors. We have

00:42:14.280 --> 00:42:19.800
seen them report some things sometimes, but it’s often under suspicious reasons. Like when the

00:42:19.800 --> 00:42:25.920
Shadow Brokers claimed they had NSA exploits, NSA told Microsoft to patch a certain bug right away,

00:42:25.920 --> 00:42:30.480
and there were other bugs that the NSA reported, which made me think that they

00:42:30.480 --> 00:42:35.460
might have intelligence that some other enemy nation might be actively using that exploit

00:42:35.460 --> 00:42:41.640
to hack into our stuff. It becomes even more difficult to navigate all this when so many of

00:42:41.640 --> 00:42:48.300
the tech giants are also US-based. I’m not saying there’s any sort of collaboration between the NSA

00:42:48.300 --> 00:42:54.900
and the US tech giants, but it makes sense to me that there is a closer relationship than other

00:42:54.900 --> 00:43:01.860
nations might have with US tech companies. I kind of see it as an arms race; while nation states

00:43:01.860 --> 00:43:06.120
around the world want more exploits and zero-day vulnerabilities to carry out their objectives,

00:43:06.120 --> 00:43:12.720
Maddie is over here trying to neutralize those and build up the defenses for everyone to be able to

00:43:12.720 --> 00:43:17.160
defend against nation states better. MADDIE: I don’t really think of it as a

00:43:17.160 --> 00:43:22.560
race unless we’re talking maybe in single vulnerability case, like oh, we know this

00:43:22.560 --> 00:43:28.800
bug is being exploited; it needs to be fixed as fast as possible. That’s really the only area

00:43:28.800 --> 00:43:36.900
that I sort of view as a race. Maybe also around the – this was just patched and we want to make

00:43:36.900 --> 00:43:44.580
sure that the patch is sufficient. We complete variant analysis before the attackers are able to.

00:43:44.580 --> 00:43:52.500
But at a longer haul, I don’t think of it as a race as much as making smarter decisions,

00:43:52.500 --> 00:44:02.040
because ultimately what we want is that – it is so difficult, so expensive,

00:44:02.040 --> 00:44:10.800
so – requires so much expertise that attackers really hold onto their zero-days close to the

00:44:10.800 --> 00:44:15.660
vest, and they’re so valuable to them that they only use them in really,

00:44:15.660 --> 00:44:22.080
really special cases. I think we’re still at the point now that yes, while it tends to be

00:44:22.080 --> 00:44:30.360
a smaller population of people targeted globally, I think we’re still seeing too broad

00:44:30.360 --> 00:44:37.200
usage of these zero-days to believe that attackers find them as valuable as we would hope. So,

00:44:37.200 --> 00:44:42.360
that looks like making it that much harder for them to find vulnerabilities. So,

00:44:42.360 --> 00:44:47.460
let’s say they cannot use variants of a previously-public vulnerability; they

00:44:47.460 --> 00:44:51.660
instead have to come up with their own. They have to come up with a whole new bug class

00:44:51.660 --> 00:44:57.000
that we’ve never seen before, not using these use-after-frees and buffer overflows. They’re

00:44:57.000 --> 00:45:04.440
not able to use a public exploit technique that someone has – we’ve seen before or they used

00:45:04.440 --> 00:45:08.760
before and just want to plug-and-play a new vulnerability in, because we as an industry

00:45:08.760 --> 00:45:14.580
are not only fixing the vulnerability, we’re mitigating the exploit technique.

00:45:14.580 --> 00:45:20.220
They don’t need three zero-days; they need six now to maintain the same capability they had

00:45:20.220 --> 00:45:25.740
before. That’s really the way I think about it and what makes me hopeful – where I know a lot

00:45:25.740 --> 00:45:32.460
of people can feel down and that zero-days are this sort of impossible problem to solve – is

00:45:32.460 --> 00:45:38.400
the exciting part is iterative progress we will see the return on investment from. So, it’s not

00:45:38.400 --> 00:45:45.060
that you have to do steps A through J and that’s the only time you will begin to see this return on

00:45:45.060 --> 00:45:50.640
investment. Every little step we take forward in this to make it just that much harder – they just

00:45:50.640 --> 00:45:57.420
can’t use the variant on this bug, we fixed this exploit technique; every single one of

00:45:57.420 --> 00:46:03.060
those actions make it harder. So, that’s sort of the way that I view this whole problem.

00:46:03.060 --> 00:46:08.400
JACK: So with all this effort, is it working? Is Project Zero actually making it harder for

00:46:08.400 --> 00:46:13.080
people to make zero-day vulnerabilities? MADDIE: I think on a long scale, definitely since

00:46:13.080 --> 00:46:19.200
2014, zero-day has become harder. But I think what’s hard is that to me, at least, it’s pretty

00:46:19.200 --> 00:46:29.280
obvious that it’s not hard yet. For example, for the first six months of the year through 2022,

00:46:29.280 --> 00:46:34.740
what was it? There was a huge percentage of the zero-day – in-the-wild zero-days

00:46:34.740 --> 00:46:39.720
were variants of previously-patched bugs. Okay, fifty percent of the in-the-wild zero-days from

00:46:39.720 --> 00:46:46.080
2022 as of mid-June were variants of previously-patched bugs. That makes it

00:46:46.080 --> 00:46:55.200
really hard for me to look at, of – we had chances to block one and two of these zero-days that we as

00:46:55.200 --> 00:47:02.760
an industry didn’t take. Twenty-seven percent or twenty-two percent, somewhere in that range of the

00:47:02.760 --> 00:47:08.160
in-the-wild zero-days from 2020 are even variants of in-the-wild zero-days from 2021. So, the

00:47:08.160 --> 00:47:14.340
attackers could come back less than twelve months later and just use a variant of the bug again. So,

00:47:14.340 --> 00:47:20.640
I think there’s – I’m more focused on what we can do and the opportunities we have rather than

00:47:20.640 --> 00:47:26.580
smirking at the news as much. But of course we’ve gotta take the wins when we can get them.

00:47:26.580 --> 00:47:29.160
JACK: You used this term before; private state-of-the-art versus

00:47:29.160 --> 00:47:32.640
public state-of-the-art. What does this mean and how does it apply to you?

00:47:32.640 --> 00:47:40.080
MADDIE: So, in vulnerability research publishing, what’s the new attack surface? What’s the new bug

00:47:40.080 --> 00:47:47.640
class or exploitation technique that we consider state-of-the-art in terms of novel, a great way

00:47:47.640 --> 00:47:54.540
to bypass new exploit mitigations, et cetera? So, offensive security researchers like my team,

00:47:54.540 --> 00:48:02.700
we publish a lot to show oh, we found this new way to bypass X to help show this is what has to get

00:48:02.700 --> 00:48:09.240
fixed and this is where its weaknesses lie. So, that would be the public state-of-the-art, because

00:48:09.240 --> 00:48:17.460
it is offensive security researchers talking about it publicly, of this is where the techniques stand

00:48:17.460 --> 00:48:24.060
right now. Private state-of-the-art is, but what techniques do the attackers actually have? So,

00:48:24.060 --> 00:48:30.420
part of the reason why I focus on zero-days that are actually exploit in the wild is because

00:48:30.420 --> 00:48:35.340
it can help us close that gap between public state-of-the-art and private state-of-the-art,

00:48:35.340 --> 00:48:39.480
because a lot of the time we use public state-of-the-art to help inform what is the

00:48:39.480 --> 00:48:44.520
next area of research that we should focus on. But if that’s diverging too far from what the

00:48:44.520 --> 00:48:50.400
attacker is actually doing, then this research is not as useful to us because we’re not having what

00:48:50.400 --> 00:48:57.660
we call those collisions with attackers and trying to fix bugs and vulnerabilities. We’re not putting

00:48:57.660 --> 00:49:04.740
our resources in areas that are super-useful. So, that’s what we mean by – when we say or I

00:49:04.740 --> 00:49:10.260
say public state-of-the-art versus private. JACK: That’s a really interesting concept to me.

00:49:10.260 --> 00:49:16.740
We know what’s out there when it becomes seen, but we don’t know what hasn’t been discovered yet,

00:49:16.740 --> 00:49:22.140
and what hasn’t been discovered yet could be a hugely overlooked use of technology

00:49:22.140 --> 00:49:27.660
or capability that we just haven’t been creative enough to imagine that scenario.

00:49:27.660 --> 00:49:34.020
So, it becomes almost a theoretical question; what theoretically could attackers do today,

00:49:34.020 --> 00:49:39.000
and how can we look into those areas to try to figure out what they are working on

00:49:39.000 --> 00:49:44.400
to stop them to make us all more secure? MADDIE: Well, one of the things I think is most

00:49:44.400 --> 00:49:52.740
promising is that in 2021, there were the most in-the-wild zero-days ever – since we’ve been

00:49:52.740 --> 00:50:03.840
tracking since mid-2014 – detected and disclosed as in the wild. That might sound sort of – not

00:50:03.840 --> 00:50:10.860
make sense why I think that’s promising to some people, but I think it is because I didn’t say we

00:50:10.860 --> 00:50:16.080
can’t track the number of in-the-wild zero-days used; we can only track the number of zero-days

00:50:16.080 --> 00:50:24.540
in the wild that are first detected by someone and then disclosed as hey, in the wild. If folks are

00:50:24.540 --> 00:50:30.000
finding them and reporting them to other vendors and never saying hey, this is in the wild as well,

00:50:30.000 --> 00:50:34.980
it’s not just another vuln, then there’s no way for us to know about it.

00:50:34.980 --> 00:50:41.400
So, I do think in the last three or so years, there have been huge improvements across the

00:50:41.400 --> 00:50:47.820
industry of people working on detection and trying to find zero-day exploits, not just brushing it

00:50:47.820 --> 00:50:54.420
off and saying this is an unsolvable problem. I’m also really hopeful of the trends and transparency

00:50:54.420 --> 00:51:02.700
around these. I think there’s still plenty of progress to make in the transparency space around

00:51:02.700 --> 00:51:08.580
these zero-day vulnerabilities and exploits. But I’m hopeful that we’re having more and

00:51:08.580 --> 00:51:16.500
more vendors transparently disclose when something is being actively exploited, that they’re – some

00:51:16.500 --> 00:51:24.300
vendors are making it easier to figure out which patch in open-source software goes with a CVE and

00:51:24.300 --> 00:51:31.620
getting more robust descriptions of it. My hope is then we get to areas where they’re

00:51:31.620 --> 00:51:38.220
doing these detailed and publishing root cause analyses and doing more variant analysis on

00:51:38.220 --> 00:51:44.640
their own rather than third parties like myself and my team and some other security researchers

00:51:44.640 --> 00:51:50.280
coming in and doing that work. JACK: Yeah, I think I would like to see

00:51:50.280 --> 00:51:56.160
on my phone whether or not I was exploited. If there’s some sort of play protect feature

00:51:56.160 --> 00:52:02.820
that says oh, we’ve updated this; wow, somebody was actively exploiting you,

00:52:02.820 --> 00:52:08.160
big notice there, I want you to know. MADDIE: Yeah. I think that would be super

00:52:08.160 --> 00:52:13.260
interesting, and I – that is one area that’s been growing, of lots of different researchers trying

00:52:13.260 --> 00:52:19.320
to figure out how do we – what type of forensics do we look for? These are sophisticated actors,

00:52:19.320 --> 00:52:25.020
so they’re also pretty good at cleaning up traces, and zero-day exploits don’t always

00:52:25.020 --> 00:52:31.080
leave a lot of traces, so how do we figure out if someone had spyware running on their phone,

00:52:31.080 --> 00:52:39.060
if they had an exploit delivered to their computer or device. Citizen Lab and Amnesty

00:52:39.060 --> 00:52:45.480
International are also doing some really awesome work in this space, as they also work

00:52:45.480 --> 00:52:49.800
closely with the targeted populations. (OUTRO): [OUTRO MUSIC] A big thank-you to

00:52:49.800 --> 00:53:01.740
Maddie Stone

00:53:01.740 --> 00:53:12.360
for coming on the show and talking with us about zero-days. You can follow her on

00:53:12.360 --> 00:53:17.400
Twitter and see what she’s working on. Her name there is @MaddieStone. This show is made by me,

00:53:17.400 --> 00:53:23.820
the zero – just zero – Jack Rhysider, editing help this episode by the reverser, Damienne. Mixing is

00:53:23.820 --> 00:53:28.020
done by Proximity Sound, and our theme music is created by the botnet known as Breakmaster

00:53:28.020 --> 00:53:34.500
Cylinder. I saw a really big cell tower the other day and I just walked up to it and I looked up

00:53:34.500 --> 00:53:42.000
all the way at the top, and I was like, whoa, that’s really high tech. This is Darknet Diaries.