1
00:00:10,070 --> 00:00:12,000
good morning

2
00:00:12,000 --> 00:00:14,820
isn't getting out thanks for getting up for never spoken

3
00:00:14,820 --> 00:00:16,170
on 9 a.m.

4
00:00:16,170 --> 00:00:21,680
for I did not expect this is Wrexham so

5
00:00:21,680 --> 00:00:25,140
is we're going to cover the day um time permitting

6
00:00:25,140 --> 00:00:28,320
given the one hour speaking thirty-minute question format might go

7
00:00:28,320 --> 00:00:29,750
over to get to talk sim 21

8
00:00:29,750 --> 00:00:35,670
making am so it's a part 1 will will be security team 2.0 which is the

9
00:00:35,670 --> 00:00:38,840
content as described in in the AM

10
00:00:38,840 --> 00:00:44,100
in the program and what we're doing here is we're trying and you talk where we

11
00:00:44,100 --> 00:00:44,710
sort of

12
00:00:44,710 --> 00:00:48,430
look at some other things we've done very differently to traditional security

13
00:00:48,430 --> 00:00:48,780
team

14
00:00:48,780 --> 00:00:52,100
when we set up the crime security team I'm eating some things we've done

15
00:00:52,100 --> 00:00:53,440
differently worked out quite well

16
00:00:53,440 --> 00:00:56,570
so I'd like to tell you about them on the course that there is that by

17
00:00:56,570 --> 00:01:00,110
thanks for sharing the things that we've done nah methodology on

18
00:01:00,110 --> 00:01:03,390
you might I want to copy some other things with them when you find yourself

19
00:01:03,390 --> 00:01:05,320
sitting here and security teams in the future

20
00:01:05,319 --> 00:01:09,830
and the second thing is I'm whenever

21
00:01:09,830 --> 00:01:13,640
with a little work done we find that one of the things people most excited about

22
00:01:13,640 --> 00:01:17,640
am another miss questions about his is a vessel wall programs that's why we

23
00:01:17,640 --> 00:01:20,729
and get monetary rewards to researchers he or

24
00:01:20,729 --> 00:01:23,798
things to us that we think a significant and time permitting

25
00:01:23,799 --> 00:01:27,310
will will dive into the history there and some of the statistics

26
00:01:27,310 --> 00:01:31,210
other in statistics relating to the sort of man

27
00:01:31,210 --> 00:01:35,158
with pay with PayPal and so on and also hope to you

28
00:01:35,159 --> 00:01:41,500
devotes a time questions I'm so some brief introductions

29
00:01:41,500 --> 00:01:45,249
the mine I'm Chris Evans informal

30
00:01:45,249 --> 00:01:49,170
try Nancy and im phone tight love troublemakers and he said

31
00:01:49,170 --> 00:01:53,960
um I got my business cards would ever had remote cabin with me and

32
00:01:53,960 --> 00:01:58,158
says trouble-maker something they've done

33
00:01:58,159 --> 00:02:01,409
tended to what's important things going to be talking about

34
00:02:01,409 --> 00:02:05,520
just to give you an idea of where I'm coming from so in 2009 I found it

35
00:02:05,520 --> 00:02:08,940
he the former Prime security thing um

36
00:02:08,940 --> 00:02:11,780
I wanna for sins we didn't wanna the best things we did in retrospect was

37
00:02:11,780 --> 00:02:12,420
relaunched

38
00:02:12,420 --> 00:02:15,929
war program to try I'm get more community involvement

39
00:02:15,930 --> 00:02:19,010
I'm that one so of crime that am

40
00:02:19,010 --> 00:02:22,410
Google wide in the same year we launched a web reward program

41
00:02:22,410 --> 00:02:25,420
that was kind of a big deal with all the time because

42
00:02:25,420 --> 00:02:29,670
inviting searches to serve download your your clients I product in research is

43
00:02:29,670 --> 00:02:30,640
very different mean by

44
00:02:30,640 --> 00:02:36,220
my searches to um researcher life services is not you can download Gmail

45
00:02:36,220 --> 00:02:37,549
insurance or local

46
00:02:37,549 --> 00:02:40,860
machine and research ship that several

47
00:02:40,860 --> 00:02:44,260
how that went I'm following on

48
00:02:44,260 --> 00:02:48,609
later we launched a competition for Michael pentium with larger prizes but

49
00:02:48,610 --> 00:02:49,159
with a

50
00:02:49,159 --> 00:02:53,120
with more difficult challenges will that little bit um

51
00:02:53,120 --> 00:02:58,349
others may consoles work in the past and when I'm not I'm not too busy to injury

52
00:02:58,349 --> 00:02:58,879
if I

53
00:02:58,879 --> 00:03:04,569
when time permits loading a bit of securities his history of the crime

54
00:03:04,569 --> 00:03:05,450
security team

55
00:03:05,450 --> 00:03:09,329
so am I think it all started back in

56
00:03:09,330 --> 00:03:12,650
probably 2007 was the first significant event in life

57
00:03:12,650 --> 00:03:16,069
I'm security team and that was actually an acquisition

58
00:03:16,069 --> 00:03:20,280
I'm people acquire a company called green border on this was a

59
00:03:20,280 --> 00:03:23,950
the company that hedonism some books and technology

60
00:03:23,950 --> 00:03:28,280
and that actually the time worked to some books Internet Explorer browser

61
00:03:28,280 --> 00:03:32,260
and the name report comes in the fact that when you would run

62
00:03:32,260 --> 00:03:35,689
Internet Explorer running inside disagree with technology you actually

63
00:03:35,689 --> 00:03:36,909
see the Internet Explorer window

64
00:03:36,909 --> 00:03:41,390
with the green border I indicating that this some actual samples again on their

65
00:03:41,390 --> 00:03:45,219
am of course a uh plans with you crime went public at this time but team

66
00:03:45,219 --> 00:03:45,920
expects

67
00:03:45,920 --> 00:03:49,939
obviously this is an acquisition sort of forming a the basis of the crime

68
00:03:49,939 --> 00:03:50,810
security model

69
00:03:50,810 --> 00:03:54,290
which was from some boxing so

70
00:03:54,290 --> 00:03:58,000
do himself on so its public launch in 2008

71
00:03:58,000 --> 00:04:01,689
based course in the green for some books technology on

72
00:04:01,689 --> 00:04:05,930
right out of the gate was wearing in beta we tangled with a few security

73
00:04:05,930 --> 00:04:07,870
issues maybe that one of the motivations to

74
00:04:07,870 --> 00:04:13,879
formalizing crime security team the beginning we've had this role call the

75
00:04:13,879 --> 00:04:14,890
security sheriff

76
00:04:14,890 --> 00:04:18,469
and we still have it Anna number for

77
00:04:18,470 --> 00:04:21,680
in before st. formalize the crime security team

78
00:04:21,680 --> 00:04:25,550
the engineers from the green border position I'll see for a strong engineers

79
00:04:25,550 --> 00:04:26,100
and

80
00:04:26,100 --> 00:04:29,450
know about security so they sort of handle income security issues

81
00:04:29,450 --> 00:04:33,650
and in May 2009 I which they've been

82
00:04:33,650 --> 00:04:36,650
inside google to go in fun prints greeting

83
00:04:36,650 --> 00:04:41,469
so I was very excited I'm and I'll see you just want me is difficult to

84
00:04:41,470 --> 00:04:46,100
get everything you want on silent to the task hiring and it wasn't until October

85
00:04:46,100 --> 00:04:49,450
I'm that I managed to get a first higher and

86
00:04:49,450 --> 00:04:55,440
am as many things from 10 just just really hot hard to hide it security

87
00:04:55,440 --> 00:04:57,290
people in the United months have elapsed

88
00:04:57,290 --> 00:05:00,420
between me starting in getting my first time next

89
00:05:00,420 --> 00:05:05,160
underline we we are in a situation where it's hard to find good security people

90
00:05:05,160 --> 00:05:10,140
and then it was another say six months also forgot mass get a second higher

91
00:05:10,140 --> 00:05:13,340
being the team to three am by name inferno

92
00:05:13,340 --> 00:05:18,340
you since then has probably from a browser bugs anyone on the planet

93
00:05:18,340 --> 00:05:24,609
am South bit higher expect I'm and then after those first he has them

94
00:05:24,610 --> 00:05:27,780
unknown reasons thing sped up and realtor

95
00:05:27,780 --> 00:05:32,429
too great a team quite significantly

96
00:05:32,430 --> 00:05:36,810
so what what we think we we've done well in from skating and them

97
00:05:36,810 --> 00:05:39,660
this is the sales pitch those cases quickly but it's sort of a background

98
00:05:39,660 --> 00:05:40,110
for

99
00:05:40,110 --> 00:05:43,320
name think they've done some things well and then we're going to what we did

100
00:05:43,320 --> 00:05:47,010
cause these things so I'm for the beginning we

101
00:05:47,010 --> 00:05:51,180
am willing to tackle from about a bit software which we thought was for the

102
00:05:51,180 --> 00:05:52,260
biggest problem that was

103
00:05:52,260 --> 00:05:55,620
is causing the damage out there on the internet so was a baked

104
00:05:55,620 --> 00:05:58,660
I know automatic update process into the browser so that you don't have to worry

105
00:05:58,660 --> 00:05:59,080
about

106
00:05:59,080 --> 00:06:04,620
up to date on up on I mention the green border positions so

107
00:06:04,620 --> 00:06:07,930
we'll see with a we think the first puzzle with them

108
00:06:07,930 --> 00:06:12,340
with the samples for the isolated the file system from and from our

109
00:06:12,340 --> 00:06:15,340
on we've since you since looked at the

110
00:06:15,340 --> 00:06:18,700
threats out there and there's a lot of if he is God's love

111
00:06:18,700 --> 00:06:22,840
I'm the bugs around the area Adobe Flash so

112
00:06:22,840 --> 00:06:26,039
across multiple years meet with Pope to that plugins either

113
00:06:26,040 --> 00:06:31,380
the fulcrum samples on

114
00:06:31,380 --> 00:06:34,600
we also think ahead of the curve with the recent Sam

115
00:06:34,600 --> 00:06:38,380
Java issues you may have read about has quite a a little press earlier this year

116
00:06:38,380 --> 00:06:38,940
about him

117
00:06:38,940 --> 00:06:42,630
problems in scares in Java plugin I'm a couple of years

118
00:06:42,630 --> 00:06:46,420
before this we actually were sort of predicting that this might happen and we

119
00:06:46,420 --> 00:06:47,330
were

120
00:06:47,330 --> 00:06:51,710
the plans and defense in that area such as user interaction forum

121
00:06:51,710 --> 00:06:55,159
for launching some in the morning just plugins

122
00:06:55,160 --> 00:07:01,530
we've demonstrated the ability to to a very fast turnaround

123
00:07:01,530 --> 00:07:07,340
mmm because if I mention they were all programs free feel ready

124
00:07:07,340 --> 00:07:11,190
want things I'm most proud of as telling mentioned in the introduction -ism

125
00:07:11,190 --> 00:07:15,219
some the technologies we baked into the browser actually

126
00:07:15,220 --> 00:07:19,450
could have a significant in which is where allegedly

127
00:07:19,450 --> 00:07:23,180
some something Iran that compromised

128
00:07:23,180 --> 00:07:26,820
it in a toast if authority I'm is definite

129
00:07:26,820 --> 00:07:30,610
special originate authorities compromising is alleged that

130
00:07:30,610 --> 00:07:33,820
that some given Iran it done this now of the

131
00:07:33,820 --> 00:07:37,230
has love I'm I love safety consequences potentially for people

132
00:07:37,230 --> 00:07:40,780
in in that area of the world

133
00:07:40,780 --> 00:07:44,590
and we maintain /url Wareham for to be a modest but we

134
00:07:44,590 --> 00:07:49,099
now says one /url on our on a website where we have some unabashed modesty and

135
00:07:49,100 --> 00:07:50,450
sorta

136
00:07:50,450 --> 00:07:54,070
list things we've done keep up to date

137
00:07:54,070 --> 00:07:57,210
okay so into part 1 so

138
00:07:57,210 --> 00:08:00,549
I'm a hypothesis is that some other successes

139
00:08:00,550 --> 00:08:03,740
which we've just nervous list of to me after heated

140
00:08:03,740 --> 00:08:07,010
just some things we've done in setting up the security team that

141
00:08:07,010 --> 00:08:12,780
very different out additional security team might be set up

142
00:08:12,780 --> 00:08:15,969
so let's look at these differences so the way we're going to look at each

143
00:08:15,970 --> 00:08:16,700
difference

144
00:08:16,700 --> 00:08:20,580
-ism festival going to look at how

145
00:08:20,580 --> 00:08:23,609
a more traditional company or perhaps most companies might have the security

146
00:08:23,610 --> 00:08:24,420
team set up

147
00:08:24,420 --> 00:08:29,710
and so more traditional companies donated by this icon agency

148
00:08:29,710 --> 00:08:34,079
I'm have a other seeking titanate more

149
00:08:34,080 --> 00:08:37,490
same a corporate environment Anna

150
00:08:37,490 --> 00:08:41,890
and the first difference going to talk about is fix it yourself

151
00:08:41,890 --> 00:08:45,620
so i think is an object or dirty syringes but

152
00:08:45,620 --> 00:08:49,660
this one with we found is a Withings a particularly big difference to me think

153
00:08:49,660 --> 00:08:50,800
the benefits it is bordered

154
00:08:50,800 --> 00:08:54,500
up on I want the bigger benefits

155
00:08:54,500 --> 00:08:57,519
so by fix it was by fixed itself

156
00:08:57,519 --> 00:09:01,110
what we mean well in this case let's look at what it means is that if not do

157
00:09:01,110 --> 00:09:02,279
things to fix itself

158
00:09:02,279 --> 00:09:06,560
same in what additional security team

159
00:09:06,560 --> 00:09:10,349
on my final the security team operates quite

160
00:09:10,350 --> 00:09:13,550
missus time in a consultancy roles maybe

161
00:09:13,550 --> 00:09:16,649
so looking for issues doing all this Alan

162
00:09:16,649 --> 00:09:20,389
is a founding might just sort of write a report and more I'm

163
00:09:20,389 --> 00:09:24,550
use the term throw it over the wall that's where you sorta found some issues

164
00:09:24,550 --> 00:09:27,599
and shove for David FM team say

165
00:09:27,600 --> 00:09:31,610
a the world's on fire you are I'm the sort out these issues

166
00:09:31,610 --> 00:09:36,509
so that's thats yeah security governing consult your own

167
00:09:36,509 --> 00:09:42,500
yes

168
00:09:42,500 --> 00:09:47,830
can get hurt if the back okay

169
00:09:47,830 --> 00:09:51,100
I your I can france pick up we can meet Mike maybe

170
00:09:51,100 --> 00:09:55,270
I am

171
00:09:55,270 --> 00:09:59,220
so still on for national security team on

172
00:09:59,220 --> 00:10:04,240
you may find that the Thai people employed on a more traditional security

173
00:10:04,240 --> 00:10:04,650
team

174
00:10:04,650 --> 00:10:08,490
maybe the sort of job titles awaited more towards

175
00:10:08,490 --> 00:10:12,350
analyst or researcher I'm as opposed to

176
00:10:12,350 --> 00:10:15,630
more engineering like titles so

177
00:10:15,630 --> 00:10:19,830
but see it as a different way to do things

178
00:10:19,830 --> 00:10:25,340
so this icon he represents so that the more progressive way of doing things

179
00:10:25,340 --> 00:10:28,820
and the way we've done things in the ukraine skating am sincerely

180
00:10:28,820 --> 00:10:32,410
loss thus even tie weaver don't have collated gotta

181
00:10:32,410 --> 00:10:37,079
t-shirt here on the who claim they gonna and a all pretty happy as well as you

182
00:10:37,080 --> 00:10:37,620
can see

183
00:10:37,620 --> 00:10:43,360
say something

184
00:10:43,360 --> 00:10:46,950
we do being often see say the members the crime security team

185
00:10:46,950 --> 00:10:50,080
often actually write code and

186
00:10:50,080 --> 00:10:54,710
commit K representing the fixes for security bugs and get ourselves

187
00:10:54,710 --> 00:10:58,950
and that's that's going to be different so we we might even find about ourselves

188
00:10:58,950 --> 00:11:00,410
and then is that a friend over the wall

189
00:11:00,410 --> 00:11:03,630
say well you know but only just fixity

190
00:11:03,630 --> 00:11:09,180
and of course

191
00:11:09,180 --> 00:11:12,339
more things we fix you find something familiar with the case say

192
00:11:12,340 --> 00:11:16,660
as well as just fixing individual issues you might find ourselves motivated to

193
00:11:16,660 --> 00:11:19,790
to jump in and actually improve areas whether

194
00:11:19,790 --> 00:11:24,459
have been I'm statistically enormous amount of bugs might say well it's just

195
00:11:24,460 --> 00:11:25,990
going to help the rights there

196
00:11:25,990 --> 00:11:29,110
making more robust and ami

197
00:11:29,110 --> 00:11:32,700
knowing that his we do WEA you can empower to sort of plan not just

198
00:11:32,700 --> 00:11:34,560
security fixes but serves

199
00:11:34,560 --> 00:11:41,030
security hardening measures so in effect of this house

200
00:11:41,030 --> 00:11:44,990
is that your service is a part of the product team I'm

201
00:11:44,990 --> 00:11:48,080
and organization that we are actually if you look at our organization which are

202
00:11:48,080 --> 00:11:50,350
actually part of the crime organization not some

203
00:11:50,350 --> 00:11:57,350
not some dedicated security organization most people with hired

204
00:11:57,660 --> 00:12:01,290
the weapon it is you've hyped and anti-people the

205
00:12:01,290 --> 00:12:04,390
engineers a passionate about security

206
00:12:04,390 --> 00:12:09,210
on as opposed to perhaps people to conserve security people

207
00:12:09,210 --> 00:12:13,500
you now if engineering and that sort of helps with the mentality where

208
00:12:13,500 --> 00:12:16,910
when you find something that's it's broken and needs fixing

209
00:12:16,910 --> 00:12:19,920
consider throwing it over the wall with just which dive in and fix ourselves

210
00:12:19,920 --> 00:12:22,270
because we're we like coating when motivated

211
00:12:22,270 --> 00:12:27,189
to dive in and change the code base so putting all this together we really

212
00:12:27,190 --> 00:12:27,710
found

213
00:12:27,710 --> 00:12:31,070
some significant and positive feedback need to develop

214
00:12:31,070 --> 00:12:34,670
yes a the more we get our hands in the code and fix things

215
00:12:34,670 --> 00:12:38,680
more we learn about the case the more we know about the case more likely be our

216
00:12:38,680 --> 00:12:39,189
last

217
00:12:39,190 --> 00:12:42,280
lost on changing things make a disorder use a sick

218
00:12:42,280 --> 00:12:46,560
security powers native do believe kaelin on the site and find additional issues

219
00:12:46,560 --> 00:12:47,689
for fixing one issue

220
00:12:47,690 --> 00:12:53,280
that's one feedback loop that develops another the public that develops

221
00:12:53,280 --> 00:12:56,360
we find is um is

222
00:12:56,360 --> 00:13:00,150
a deep respect from the security people and

223
00:13:00,150 --> 00:13:03,959
me product engineers say if you have never wanted the

224
00:13:03,960 --> 00:13:06,790
they's to the security people in the previous companies maybe they've worked

225
00:13:06,790 --> 00:13:07,079
at

226
00:13:07,080 --> 00:13:10,110
who are suffering problems on them and his buddies

227
00:13:10,110 --> 00:13:13,650
emergency put down my speech you working on a fix is now

228
00:13:13,650 --> 00:13:17,120
and said now it's like a fun about I'm but we

229
00:13:17,120 --> 00:13:19,920
you know we think this patch might fix it would you mind would you mind helping

230
00:13:19,920 --> 00:13:20,740
us with you

231
00:13:20,740 --> 00:13:23,920
and things like things like this and we find that

232
00:13:23,920 --> 00:13:28,040
suddenly went on these hated security people there is causing problems with

233
00:13:28,040 --> 00:13:28,860
these people

234
00:13:28,860 --> 00:13:32,710
engineers his peers at the coming to them with solutions and

235
00:13:32,710 --> 00:13:36,180
and we think down that that

236
00:13:36,180 --> 00:13:39,910
encourages other respect between the two teams and

237
00:13:39,910 --> 00:13:43,050
this respect we found it's actually bankable say the more you do the more

238
00:13:43,050 --> 00:13:44,890
you think someone else's bucks for them

239
00:13:44,890 --> 00:13:49,240
the more so the Moorebank you build up and then when something really naughty

240
00:13:49,240 --> 00:13:50,240
comes in that's a

241
00:13:50,240 --> 00:13:53,560
maybe more for design Aravind just about him and was struggling to fix it

242
00:13:53,560 --> 00:13:54,560
ourselves we can

243
00:13:54,560 --> 00:13:58,969
over to the engine and say hey I'm would you mind helping us with this and of

244
00:13:58,970 --> 00:13:59,690
course since we've

245
00:13:59,690 --> 00:14:02,709
help them so much that have their more than happy to help out

246
00:14:02,709 --> 00:14:07,430
so they take away from this is that the closer you bet your security people

247
00:14:07,430 --> 00:14:11,260
with the product team we find that within the KC

248
00:14:11,260 --> 00:14:14,890
case you get those two groups just a more benefit

249
00:14:14,890 --> 00:14:18,839
and this applies some within for all there is a sphere

250
00:14:18,839 --> 00:14:22,080
in ranging from the initial response to this for proactive work

251
00:14:22,080 --> 00:14:27,610
and so on so the next if

252
00:14:27,610 --> 00:14:31,089
say this on school is all of ok and this is a

253
00:14:31,089 --> 00:14:35,030
this is a mentality we've will try to develop I'm

254
00:14:35,030 --> 00:14:38,520
and say the

255
00:14:38,520 --> 00:14:41,579
the corporate guy he's a uniting some crazy no its not all

256
00:14:41,580 --> 00:14:46,670
all of what he talking about am

257
00:14:46,670 --> 00:14:50,089
what that really means is that as a as a traditional security team yuri

258
00:14:50,089 --> 00:14:53,150
disinclined dispatching disincentive ice tackle

259
00:14:53,150 --> 00:14:57,240
problems outside the product immediately a an to say say say it was good teams

260
00:14:57,240 --> 00:14:59,010
multiple product tax

261
00:14:59,010 --> 00:15:03,680
as we did for a little incentive fee to go in and fix things in in product white

262
00:15:03,680 --> 00:15:04,380
because thats

263
00:15:04,380 --> 00:15:08,850
units know how your it's not I agree it performance review time it's

264
00:15:08,850 --> 00:15:12,440
not how are your manages want you to be doing

265
00:15:12,440 --> 00:15:19,440
save is there a different things

266
00:15:20,850 --> 00:15:23,780
turns out there is so of us here a

267
00:15:23,780 --> 00:15:26,790
is this we've taken a step back and try to apply

268
00:15:26,790 --> 00:15:30,280
there's a company-wide use a focused

269
00:15:30,280 --> 00:15:35,560
culture Salem we sorta look at that and security remote watch the

270
00:15:35,560 --> 00:15:39,089
coming back with is that we think that if any problem we see out there

271
00:15:39,090 --> 00:15:42,120
is a security problem affecting of harming line uses

272
00:15:42,120 --> 00:15:45,460
will just say well you know what is awful and we're gonna

273
00:15:45,460 --> 00:15:48,630
gonna solve this or at least tackle it

274
00:15:48,630 --> 00:15:52,410
for have problems of course week and not yet sold in security

275
00:15:52,410 --> 00:15:58,439
so that mean in practice

276
00:15:58,440 --> 00:16:01,530
it's different from what we might might do if you want thinking it was awful

277
00:16:01,530 --> 00:16:02,620
well this means that

278
00:16:02,620 --> 00:16:05,740
if we depend on any third-party code

279
00:16:05,740 --> 00:16:09,430
in that's not so the valve falls our code hours

280
00:16:09,430 --> 00:16:12,640
our bugs gonna go and fix as anyway regards a few

281
00:16:12,640 --> 00:16:16,030
in a regardless of politics sometimes

282
00:16:16,030 --> 00:16:19,930
analyzes the party code of course

283
00:16:19,930 --> 00:16:23,459
a lot of web browsers these days special events or things like crime is a Firefox

284
00:16:23,460 --> 00:16:26,660
a built-in pop-up love open source code am

285
00:16:26,660 --> 00:16:30,890
I'm since we know collapse directly involve product in bed of course we

286
00:16:30,890 --> 00:16:31,580
consider that

287
00:16:31,580 --> 00:16:35,490
yeah I responsibility if there are bugs that but I am

288
00:16:35,490 --> 00:16:40,670
increasingly we're looking at sort of know my pencils proprietary

289
00:16:40,670 --> 00:16:45,110
non vendor non-google vindicated that has an effect on the security of the web

290
00:16:45,110 --> 00:16:45,700
as a whole

291
00:16:45,700 --> 00:16:48,800
and with considering

292
00:16:48,800 --> 00:16:53,240
well the best since before uses is is help out getting stuff fixed

293
00:16:53,240 --> 00:16:57,200
I'm there are some historical

294
00:16:57,200 --> 00:17:00,440
is expensive sessions in area browsing to do with

295
00:17:00,440 --> 00:17:05,550
I'm for example love security 1.0 X perhaps on the optimal

296
00:17:05,550 --> 00:17:09,448
trying to although all the browsers behave the same way in this regard so

297
00:17:09,449 --> 00:17:09,959
we're trying to

298
00:17:09,959 --> 00:17:14,209
we're trying to tackle some some history there in some legacy that

299
00:17:14,209 --> 00:17:17,640
and Sam you may seem agents paper

300
00:17:17,640 --> 00:17:21,699
earlier conference where she's looking at that some the problems that you act

301
00:17:21,699 --> 00:17:22,350
and how we can

302
00:17:22,349 --> 00:17:27,679
with the web forward their including buddy web sites

303
00:17:27,680 --> 00:17:31,350
so to give one example

304
00:17:31,350 --> 00:17:35,830
that's the lot across site scripting out there my have me this far along here as

305
00:17:35,830 --> 00:17:36,639
we had hoped City

306
00:17:36,640 --> 00:17:40,000
that is such a big problem that we we so say well maybe

307
00:17:40,000 --> 00:17:42,740
if his love cross-site scripting out that maybe it's the fault of the

308
00:17:42,740 --> 00:17:43,490
platform

309
00:17:43,490 --> 00:17:47,410
maybe the browser's of a different platform facilities in a bit less

310
00:17:47,410 --> 00:17:48,600
besides getting out there

311
00:17:48,600 --> 00:17:52,280
so we see that as a problem take said we

312
00:17:52,280 --> 00:17:55,620
we just try to focus on what the right thing to do is to improve the security

313
00:17:55,620 --> 00:17:56,310
of the web

314
00:17:56,310 --> 00:17:59,879
we try to ignore anti-politics your concerns here

315
00:17:59,880 --> 00:18:03,540
and to give some concrete examples

316
00:18:03,540 --> 00:18:08,040
what what's in scope a first look at say to

317
00:18:08,040 --> 00:18:11,700
main categories come to mind one is plugins so we don't

318
00:18:11,700 --> 00:18:14,740
of the major plugins you'll find on the web things like um

319
00:18:14,740 --> 00:18:18,620
flash PDF plugins Java we don't really

320
00:18:18,620 --> 00:18:21,870
own the code base for days but we still try to

321
00:18:21,870 --> 00:18:25,239
where we can help out secure those and increasing in

322
00:18:25,240 --> 00:18:29,300
in modern times colonels so along most of these days you finds

323
00:18:29,300 --> 00:18:32,840
is getting some books and said the attacker

324
00:18:32,840 --> 00:18:36,070
has a sort of break your software and then they find themselves in the sandbox

325
00:18:36,070 --> 00:18:40,360
and then they have to break out over someone's our the most popular and

326
00:18:40,360 --> 00:18:44,870
and in fact dangerous ways to make up for some boxes to attack the underlying

327
00:18:44,870 --> 00:18:46,030
operating system

328
00:18:46,030 --> 00:18:50,850
so actually you with a lot of research to try and improve the quality of both

329
00:18:50,850 --> 00:18:51,550
the windows

330
00:18:51,550 --> 00:18:55,129
panel and the and the Linux kernel by today's

331
00:18:55,130 --> 00:19:00,430
what product on Kb own safe I use is very important that these

332
00:19:00,430 --> 00:19:04,000
those two camels be very solid against against security attacks a

333
00:19:04,000 --> 00:19:07,650
if they suck bugs me just say well you know considered of als

334
00:19:07,650 --> 00:19:14,650
so putting and some sources to try and fix that

335
00:19:14,830 --> 00:19:17,860
okay um this one's more nebulous difference

336
00:19:17,860 --> 00:19:22,409
say I we're gonna look at it was an examples but I go the extra mile

337
00:19:22,410 --> 00:19:26,570
is this the um to different say I i've just

338
00:19:26,570 --> 00:19:30,090
season of Lost phase where they are but I'm these a

339
00:19:30,090 --> 00:19:34,260
the point of me quoting me is that

340
00:19:34,260 --> 00:19:38,850
you'll sees things like this everywhere every company maverick source project

341
00:19:38,850 --> 00:19:42,080
so if you go and look up like the false fears random Project X

342
00:19:42,080 --> 00:19:45,330
try and find that security force the page it will be fine

343
00:19:45,330 --> 00:19:49,540
the bait him a phrase like we take security very seriously

344
00:19:49,540 --> 00:19:52,720
am have as anyone here

345
00:19:52,720 --> 00:19:56,020
reported about it all to to a vendor tool anyone

346
00:19:56,020 --> 00:19:59,150
10 securities in extent Bhatia maybe

347
00:19:59,150 --> 00:20:02,540
you go back north may deem a fairly quickly and and maybe verbatim it

348
00:20:02,540 --> 00:20:03,889
included a phrase such as

349
00:20:03,890 --> 00:20:07,050
we take security very seriously after thank you for your report so

350
00:20:07,050 --> 00:20:10,270
its or maybe I'll

351
00:20:10,270 --> 00:20:13,970
securities on our top priorities is a is another one I'm if you

352
00:20:13,970 --> 00:20:17,860
go on Google for these for these these quotes using the quotes to get the exact

353
00:20:17,860 --> 00:20:20,000
match your DC

354
00:20:20,000 --> 00:20:23,680
row after row of Cooper corporate website the quote these things

355
00:20:23,680 --> 00:20:27,790
ansonia the I'm getting too is this this is what we Michael talk the talk

356
00:20:27,790 --> 00:20:30,980
ah this is walk the walk so

357
00:20:30,980 --> 00:20:33,980
I mean I mean you have to say these things I mean what you gonna say we know

358
00:20:33,980 --> 00:20:38,140
securities name maybe eight out of 10 on a Friday list or

359
00:20:38,140 --> 00:20:41,540
or you know is we should have designed this and then

360
00:20:41,540 --> 00:20:45,450
security on later and I've course is gonna because you're gonna say you takes

361
00:20:45,450 --> 00:20:46,240
very seriously

362
00:20:46,240 --> 00:20:50,020
say to go the extra mile you've got even look at actions

363
00:20:50,020 --> 00:20:53,910
you know where the what he'd done that that that basic cause you to

364
00:20:53,910 --> 00:20:57,490
take some invoked in pain upon yourself in order to it improve security

365
00:20:57,490 --> 00:21:00,530
so that's a plus they will will be something even if it's hard even if his

366
00:21:00,530 --> 00:21:01,160
painful

367
00:21:01,160 --> 00:21:08,160
or at least two will try it. them

368
00:21:15,760 --> 00:21:18,590
so had a

369
00:21:18,590 --> 00:21:22,730
glitch that so back to the old school working things

370
00:21:22,730 --> 00:21:26,340
so say and local government you might

371
00:21:26,340 --> 00:21:30,639
you might find generally known security concerns and outweigh security concerns

372
00:21:30,640 --> 00:21:35,110
what I mean by that is say on secure security engineers found this fantastic

373
00:21:35,110 --> 00:21:36,429
new security defense that

374
00:21:36,430 --> 00:21:39,740
really is quite powerful but it Anna maybe it's gonna

375
00:21:39,740 --> 00:21:44,860
cost you attempt some forms hit on some hotly contested benchmark I think you

376
00:21:44,860 --> 00:21:45,429
might guess

377
00:21:45,430 --> 00:21:51,660
you know when it comes to the product review stage he's going to win that you

378
00:21:51,660 --> 00:21:52,750
often find a

379
00:21:52,750 --> 00:21:55,770
few she finds it is my legacies

380
00:21:55,770 --> 00:21:59,680
is impeding progress and that's not the case where well perhaps I'm not going

381
00:21:59,680 --> 00:22:00,410
the extra mile

382
00:22:00,410 --> 00:22:04,830
where up the legacy is usually involves Holdco

383
00:22:04,830 --> 00:22:08,780
painful to change I'm to go the extra mile you've really got us a

384
00:22:08,780 --> 00:22:12,230
dive in and and be loved

385
00:22:12,230 --> 00:22:15,270
lot of work for the benefit you're going from security say

386
00:22:15,270 --> 00:22:19,720
will what might look like if he

387
00:22:19,720 --> 00:22:22,900
have a culture going the extra mile se recovered some say

388
00:22:22,900 --> 00:22:26,180
tackle others problems for them so

389
00:22:26,180 --> 00:22:29,240
I think I think we do go the extra mile when we on the sort of look at

390
00:22:29,240 --> 00:22:32,610
what compromises going on on web large

391
00:22:32,610 --> 00:22:36,990
and we see that from a quite different why is not necessary owned by us is

392
00:22:36,990 --> 00:22:37,680
causing

393
00:22:37,680 --> 00:22:42,150
unit offended if he's a compromise so what we've ended as we can

394
00:22:42,150 --> 00:22:46,090
I'm investment source in thing some security auditing on

395
00:22:46,090 --> 00:22:53,090
why and send these this box along one thing we found it's kind of painful

396
00:22:53,250 --> 00:22:58,460
but we do it because meetings right thing to do -ism is also the pasta what

397
00:22:58,460 --> 00:23:00,550
you found and fixed to security bug

398
00:23:00,550 --> 00:23:03,659
what he do next um

399
00:23:03,660 --> 00:23:07,210
you sort of have the easy option in the hard option where the easy option

400
00:23:07,210 --> 00:23:11,490
is just sort of that fix get picked up in the product

401
00:23:11,490 --> 00:23:15,190
in a couple reese's time when that they can actually get has picked up next

402
00:23:15,190 --> 00:23:15,880
major release

403
00:23:15,880 --> 00:23:20,090
we try doing this is painful I'm this risk to doing it

404
00:23:20,090 --> 00:23:23,290
week we tryin within a very short time frame

405
00:23:23,290 --> 00:23:27,020
grab that fix and back for it

406
00:23:27,020 --> 00:23:30,480
said use a get-tough fixed to the stable version of the product as soon as

407
00:23:30,480 --> 00:23:31,110
possible

408
00:23:31,110 --> 00:23:35,840
and a working stove goal is is a month which is quite aggressive

409
00:23:35,840 --> 00:23:39,679
but that's a month turnaround from above comes in and user

410
00:23:39,680 --> 00:23:43,400
has that that fixed in the stable version of that

411
00:23:43,400 --> 00:23:47,930
for these an important this applies to internal fines as well

412
00:23:47,930 --> 00:23:51,410
so most is about to be fine now we find internally because we've

413
00:23:51,410 --> 00:23:55,500
release you scaled up in and have thousands of CPU causes

414
00:23:55,500 --> 00:23:59,400
doing automated testing and fussing so fun little bugs internally

415
00:23:59,400 --> 00:24:02,460
and then we're faced with you know who do these bugs

416
00:24:02,460 --> 00:24:06,030
a meat-eating exactly the same as if we've received the report externally

417
00:24:06,030 --> 00:24:09,510
saving their internal we we declare we found these buttons that are

418
00:24:09,510 --> 00:24:12,830
you next week on the carpet and we also back for the city

419
00:24:12,830 --> 00:24:16,919
to the extent possible and that's been a painful them you know we get counted out

420
00:24:16,920 --> 00:24:18,360
a lot by the res managers for

421
00:24:18,360 --> 00:24:21,909
an emerging lots of things all the time and that they know

422
00:24:21,910 --> 00:24:26,150
that everything you change the risk of breakage or aggression or boxes if the

423
00:24:26,150 --> 00:24:27,260
balance that we

424
00:24:27,260 --> 00:24:30,370
we think we've got ourselves a seat at the table to discuss

425
00:24:30,370 --> 00:24:35,500
units risk versus reward trade-offs am spending money

426
00:24:35,500 --> 00:24:39,830
when something the extra mile like them to this day I don't have any particular

427
00:24:39,830 --> 00:24:41,310
budget or headcount

428
00:24:41,310 --> 00:24:45,080
limit I'm aware of this that's that's quite nice feeling

429
00:24:45,080 --> 00:24:48,570
will spend money on hardware I mentioned we we do a fuzzing

430
00:24:48,570 --> 00:24:52,850
I think we have we have we have an in the crime team have about 2,000 CPU

431
00:24:52,850 --> 00:24:53,980
cores at our disposal

432
00:24:53,980 --> 00:24:57,310
the white a skating bouquets and you do

433
00:24:57,310 --> 00:25:00,980
to work for us they've run up to like nine thousand CPU cores to be

434
00:25:00,980 --> 00:25:05,470
to do testing for security at times I think that

435
00:25:05,470 --> 00:25:09,680
and finally do not shy away from changes in behavior

436
00:25:09,680 --> 00:25:13,500
so no on re like to change in behavior

437
00:25:13,500 --> 00:25:17,780
because if you change some small the Nativity King something

438
00:25:17,780 --> 00:25:22,030
pictures like a father someone somewhere is probably going to be upset

439
00:25:22,030 --> 00:25:26,690
I'm am sometimes changing behavior is the right thing to do

440
00:25:26,690 --> 00:25:30,610
so we we should've at least

441
00:25:30,610 --> 00:25:35,570
this about we've come to is that we have to missions it to them

442
00:25:35,570 --> 00:25:39,750
to massive hats

443
00:25:39,750 --> 00:25:44,080
explain myself I went heavily we saw the company's understanding where where

444
00:25:44,080 --> 00:25:46,270
liberty to try things as long as we think so

445
00:25:46,270 --> 00:25:50,460
overstep the line 25 am and you know that you have this liberty

446
00:25:50,460 --> 00:25:54,290
if on occasion he love it if I'm break something a bit too significant and you

447
00:25:54,290 --> 00:25:55,510
know that's happened in the past me

448
00:25:55,510 --> 00:25:59,780
say sorry and scale things back but a K

449
00:25:59,780 --> 00:26:03,700
so just a brief tension here

450
00:26:03,700 --> 00:26:07,940
on kinda for reflection perhaps on

451
00:26:07,940 --> 00:26:12,330
on on our industry am

452
00:26:12,330 --> 00:26:17,480
and I'll say once one season understand this comic-con where it's coming from

453
00:26:17,480 --> 00:26:20,600
and that is actually kinda true it

454
00:26:20,600 --> 00:26:24,330 does change your mentality on on the going the extra mile we found say what 455 00:26:24,330 --> 00:26:26,389 what this is a comic 456 00:26:26,390 --> 00:26:30,110 I'm that was published as part of a series 457 00:26:30,110 --> 00:26:37,100 comics by some people on some morse we say attack side of the industry 458 00:26:37,100 --> 00:26:43,050 and and is coming to the palestinians what it's saying is that name 459 00:26:43,050 --> 00:26:46,830 site mocking tone it saying to you this as some random searches 460 00:26:46,830 --> 00:26:51,030 you know who I found a bug I'm I'm so pleased the basics paint either 461 00:26:51,030 --> 00:26:54,180 you with statistical probability 462 00:26:54,180 --> 00:26:57,450 you when not the first to know about this bug 463 00:26:57,450 --> 00:27:02,000 and yes but it's not was in public so therefore 464 00:27:02,000 --> 00:27:05,460 you know this this but was probably out there known by someone he 465 00:27:05,460 --> 00:27:08,720 using it for nefarious purpose I wants 466 00:27:08,720 --> 00:27:12,410 once the reality of this SM we found that change the mentality forget the 467 00:27:12,410 --> 00:27:13,050 extra mile 468 00:27:13,050 --> 00:27:17,090 say whenever we find about what I i with we've got the thing about this could be 469 00:27:17,090 --> 00:27:18,879 because someone else knows about this but 470 00:27:18,880 --> 00:27:23,630 so that this it strives of Los 471 00:27:23,630 --> 00:27:28,170 um time for a civil war story if you like so 472 00:27:28,170 --> 00:27:31,320 we find that so far too 473 00:27:31,320 --> 00:27:35,550 it's hard to define go the extra mile in SE so full that stories but we think you 474 00:27:35,550 --> 00:27:36,610 have gone the extra mile 475 00:27:36,610 --> 00:27:40,379 and that's what we quickly if you hear 476 00:27:40,380 --> 00:27:44,060 so I do apologize for the sudden an abrupt 477 00:27:44,060 --> 00:27:51,060 changes slight style Ibiza mixing and 
matching tax here a bit 478 00:27:51,310 --> 00:27:54,340 so is a couple is going out to a company called 479 00:27:54,340 --> 00:27:59,820 view and perform but we time a non-disclosure on us 480 00:27:59,820 --> 00:28:04,820 I mean it I think it's worth talking about full disclosure versus responsible 481 00:28:04,820 --> 00:28:06,030 disclosure anymore 482 00:28:06,030 --> 00:28:09,470 I think that what you have to be worried about his non-disclosure so that's where 483 00:28:09,470 --> 00:28:12,430 back to that comic that's where someone's found a bug and they're not 484 00:28:12,430 --> 00:28:13,080 telling 485 00:28:13,080 --> 00:28:17,389 anyone about it um because in it what he's up active 486 00:28:17,390 --> 00:28:21,060 make love money did which turn implies that that some 487 00:28:21,060 --> 00:28:24,379 something not good going on without bucks a non-disclosure 488 00:28:24,380 --> 00:28:28,050 Anna is what we are about and in fact if someone full discloses on its with the 489 00:28:28,050 --> 00:28:31,399 light it is something we can then immediately fix 490 00:28:31,400 --> 00:28:34,400 which is perhaps a turnaround from more traditional thinking 491 00:28:34,400 --> 00:28:37,930 anyways this non-disclosure was so that was a partial non-disclosure space 492 00:28:37,930 --> 00:28:42,640 me the formalism YouTube video 493 00:28:42,640 --> 00:28:46,370 I'm showing an alleged compromise if the Chrome browser 494 00:28:46,370 --> 00:28:49,709 but i've seen 0 details that would 495 00:28:49,710 --> 00:28:52,300 domestic and fix up but because that's not the business model if this 496 00:28:52,300 --> 00:28:54,419 particular company 497 00:28:54,420 --> 00:28:58,120 a more normal security team do well you know this claim is just a video of a cow 498 00:28:58,120 --> 00:29:03,159 popping up pretty much just to keep young verifiable claims the 499 00:29:03,160 --> 00:29:06,360 he just dnt no rain go away he's come to us for me 500 00:29:06,360 --> 
00:29:09,959 when you want to share openly with this security research 501 00:29:09,960 --> 00:29:14,930 you know hand of the PR team to serve its back down the report is a 502 00:29:14,930 --> 00:29:19,710 trying to make a story out a number of a plane I would we d 503 00:29:19,710 --> 00:29:23,200 so we thought well as take this seriously most what we do about 30 504 00:29:23,200 --> 00:29:23,900 minutes 505 00:29:23,900 --> 00:29:28,080 this no details have any useful so to say I'm 506 00:29:28,080 --> 00:29:31,290 this is a freeze-frame from the actual reach you 507 00:29:31,290 --> 00:29:34,300 non-disclosure video am 508 00:29:34,300 --> 00:29:38,020 showing if you made a business this text inside the crime 509 00:29:38,020 --> 00:29:41,610 when themselves in your browser is being own not long of 510 00:29:41,610 --> 00:29:44,159 and something's going on in the background not long after this in the 511 00:29:44,160 --> 00:29:45,660 video thing account data pops up 512 00:29:45,660 --> 00:29:50,610 which is unity miss industry standard for demonstrating compromise to browse a 513 00:29:50,610 --> 00:29:55,209 am say what we did is we salute a frame by frame 514 00:29:55,210 --> 00:29:58,940 view at this video to see if there's any information leaked 515 00:29:58,940 --> 00:30:02,010 you know nor officers in a crowded around a machine for a day 516 00:30:02,010 --> 00:30:05,360 trying to work out if you get anything out this video and this particular frame 517 00:30:05,360 --> 00:30:08,120 is quite instructive we found saying 518 00:30:08,120 --> 00:30:12,310 racism observed in a piece and not how you can see it to 519 00:30:12,310 --> 00:30:17,300 um sit behind the crime when does the Windows Task Manager window 520 00:30:17,300 --> 00:30:20,419 and the reason that's been left office to serve demonstrates 521 00:30:20,420 --> 00:30:24,470 that they freak out a crime samples I'm 522 00:30:24,470 --> 00:30:28,710 as it happens you can see that the crime icon 
there and just above the crime I 523 00:30:28,710 --> 00:30:31,270 call you can see a couple of pixels have grave 524 00:30:31,270 --> 00:30:34,600 the sort of the to serve program entry fee like above 525 00:30:34,600 --> 00:30:39,320 I'm icon it as well as a significant invalid just that it really is to raise 526 00:30:39,320 --> 00:30:42,379 pixels and this is fifteen villages or it 527 00:30:42,380 --> 00:30:45,490 the only way you'd see that icon is if 528 00:30:45,490 --> 00:30:49,980 even launched if you've launched our day be fast break a process 529 00:30:49,980 --> 00:30:53,250 so immediate telling us why we think this might be 530 00:30:53,250 --> 00:30:56,570 very significant information me we thank you my point about 531 00:30:56,570 --> 00:30:59,620 in on incrimination in flash so 532 00:30:59,620 --> 00:31:03,780 is anything else we we can ascertain yes a 533 00:31:03,780 --> 00:31:07,110 integrity level is shown in the task manager 534 00:31:07,110 --> 00:31:10,520 fortunately wanna 120 members was was at the time 535 00:31:10,520 --> 00:31:14,330 an expert and in this some 536 00:31:14,330 --> 00:31:17,419 in this process via piece of lani happen to know that I am 537 00:31:17,420 --> 00:31:20,810 there's a bug in it way mislabeled something in his column 538 00:31:20,810 --> 00:31:24,240 so he was able to deflect sorta what we what would have 539 00:31:24,240 --> 00:31:27,820 sends out for Spartan tell us yes something is mislabeled and a 540 00:31:27,820 --> 00:31:31,679 songs with what that we're able to looked at their four-game processes that 541 00:31:31,680 --> 00:31:34,190 and the way they were sort of the relationship between them again 542 00:31:34,190 --> 00:31:35,370 indicated a plugin 543 00:31:35,370 --> 00:31:38,770 I'm Flash plugin more am 544 00:31:38,770 --> 00:31:42,370 30 minutes is that them for some reason the 545 00:31:42,370 --> 00:31:47,439 the memory usage of the if the process is in view which is interesting in it 546 
00:31:47,440 --> 00:31:51,770 it's on spout half gigabyte which is huge that tells us that there's some 547 00:31:51,770 --> 00:31:55,030 former spring exploit going on since another leak 548 00:31:55,030 --> 00:31:58,550 I'm and also just this the position of the scroll bar on the crime when they 549 00:31:58,550 --> 00:32:02,770 I'm shows at this and some on the show and content and 550 00:32:02,770 --> 00:32:05,990 that's causing a scrollbar to appear in and that's a was vindictive what you 551 00:32:05,990 --> 00:32:06,930 might expect if you 552 00:32:06,930 --> 00:32:10,340 if you've got a.m. 553 00:32:10,340 --> 00:32:14,110 and an invisible plugin rectangle 554 00:32:14,110 --> 00:32:19,020 that's so all this case conference that well 555 00:32:19,020 --> 00:32:22,730 yeah it's a problem not the not with the North crime with flash 556 00:32:22,730 --> 00:32:27,140 bot slinking back already principles you know we're gonna call it off ok because 557 00:32:27,140 --> 00:32:30,920 if we can help we will even that's not necessary arcade 558 00:32:30,920 --> 00:32:34,580 to can fix so have a simply go to this eve 559 00:32:34,580 --> 00:32:37,780 as and when I don't have have have it civil 560 00:32:37,780 --> 00:32:40,889 on a far stronger security engineer so we we borrowed him 561 00:32:40,890 --> 00:32:45,650 to you to go and do some work on on fast security say on 562 00:32:45,650 --> 00:32:49,500 and we will send him a little bit of resorts to to help help him out 563 00:32:49,500 --> 00:32:53,220 I say will he use about 2,000 CPU cores to you 564 00:32:53,220 --> 00:32:56,790 to you I'm performer fighting techniques he 565 00:32:56,790 --> 00:32:59,820 hit by a little earlier which is where the 566 00:32:59,820 --> 00:33:03,970 you sort i've what time it is 567 00:33:03,970 --> 00:33:07,170 is in fussing with excellent code coverage than to do that what you can do 568 00:33:07,170 --> 00:33:08,510 is you can download a white 569 00:33:08,510 --> 
00:33:13,760 sample input files and sort of crunch them down into a corpus of files 570 00:33:13,760 --> 00:33:16,850 the DOM that is minimal setup files but represents a 571 00:33:16,850 --> 00:33:20,080 maximum code coverage you can achieve I'm 572 00:33:20,080 --> 00:33:23,179 and fortune a.m. button Google you can access love 573 00:33:23,180 --> 00:33:26,380 large-scale not just these two thousand CPU cores but also you know 574 00:33:26,380 --> 00:33:29,790 a copy of the Internet security 575 00:33:29,790 --> 00:33:33,020 he it's a copy of the Internet and from 576 00:33:33,020 --> 00:33:36,320 from the internet he extracted on 577 00:33:36,320 --> 00:33:39,909 and many many many terabytes of flash files 578 00:33:39,910 --> 00:33:43,640 to perform this analysis and cool lunch this huge set down 579 00:33:43,640 --> 00:33:46,810 on I think the important I 580 00:33:46,810 --> 00:33:50,149 twenty thousand files I think may have I'm of us the inputs and I must be the 581 00:33:50,150 --> 00:33:53,370 output sets I think maybe they're like millions and millions of ash Barty 582 00:33:53,370 --> 00:33:55,350 Crouch down into this 583 00:33:55,350 --> 00:33:58,760 quite dangerous at a twenty thousand files that represents forget code 584 00:33:58,760 --> 00:33:59,610 coverage 585 00:33:59,610 --> 00:34:02,850 was being a good basis for fussing am 586 00:34:02,850 --> 00:34:05,879 anyway he sort of then use the same 2000 CPU cause 587 00:34:05,880 --> 00:34:09,350 to crank out about a about a hundred uni bugs um 588 00:34:09,350 --> 00:34:13,799 in in flax and UVC work for the day be to get this fixed 589 00:34:13,800 --> 00:34:17,130 am also we thought well as an opportunity to you improve after some 590 00:34:17,130 --> 00:34:18,940 boxes of him some deficiencies that 591 00:34:18,940 --> 00:34:23,159 sousa patch things up best week in the short term 592 00:34:23,159 --> 00:34:26,560 including that we believe the sample to skate used in this exploit because it 
593 00:34:26,560 --> 00:34:28,480 was Sam 594 00:34:28,480 --> 00:34:31,500 quite discoverable so is likely to be the same on and 595 00:34:31,500 --> 00:34:35,330 that was used related a confirmation unofficially that it was 596 00:34:35,330 --> 00:34:38,540 on I'm excited work on 597 00:34:38,540 --> 00:34:42,699 what's known as paper fax which is long since now and is now long since a plate 598 00:34:42,699 --> 00:34:45,179 maybe it's been out every year it's it's basically 599 00:34:45,179 --> 00:34:48,460 the active bringing that the Flash plugin site some books if the same 600 00:34:48,460 --> 00:34:51,090 strength as the core people some books 601 00:34:51,090 --> 00:34:54,650 with its on the on more significant security improvements we've 602 00:34:54,650 --> 00:34:59,590 we've done in multi-year lifetime if the team 603 00:34:59,590 --> 00:35:02,750 meso went on I am some 604 00:35:02,750 --> 00:35:06,350 some heartening measures this is one of those incidents 605 00:35:06,350 --> 00:35:10,299 where I mention we have the leeway to assertive 606 00:35:10,300 --> 00:35:13,290 step up against the bounds of our security team can do and and go beyond 607 00:35:13,290 --> 00:35:15,190 it and this is missus clinton's when did 608 00:35:15,190 --> 00:35:20,120 when a bit too far I know enthusiasm to respond and we actually am 609 00:35:20,120 --> 00:35:23,190 we actually regressed functioning regressed the 610 00:35:23,190 --> 00:35:27,950 the Flash plugin crime on in quite amusing way if it's possible to you 611 00:35:27,950 --> 00:35:29,930 knowingly people in an amusingly 612 00:35:29,930 --> 00:35:33,629 what happened -ism we put a limit on something 613 00:35:33,630 --> 00:35:38,110 call called g8 pages to try and a try and explain potential 614 00:35:38,110 --> 00:35:41,430 and I when that when the limit hit which we think thought it would not do 615 00:35:41,430 --> 00:35:44,970 we popped up and what happened as a little dialogue box will pop up 616 
00:35:44,970 --> 00:35:49,319 I'm with the extreme a bad idea any which is a bit cryptic but we recognize 617 00:35:49,320 --> 00:35:50,120 it right 618 00:35:50,120 --> 00:35:53,109 and was a need it's not recognizing it when people started blogging this 619 00:35:53,110 --> 00:35:54,960 strange dialogue was appearing 620 00:35:54,960 --> 00:35:58,190 if when they were just trying to um distracted 621 00:35:58,190 --> 00:36:02,820 do something in flash so we met the back of that is them 622 00:36:02,820 --> 00:36:06,380 and then yes that's the that's a bad idea in in hex 623 00:36:06,380 --> 00:36:11,580 am sorry if you if you saw that 624 00:36:11,580 --> 00:36:15,569 and finally um go get it more to this but we invited the community turns 625 00:36:15,570 --> 00:36:17,180 around paid on fashion's well by 626 00:36:17,180 --> 00:36:21,259 by bringing Adobe Flash into under the umbrella for reward system 627 00:36:21,260 --> 00:36:24,380 so if you want to if you find a facebook 628 00:36:24,380 --> 00:36:28,300 on for free send it to us and you may get him monthly award if it 629 00:36:28,300 --> 00:36:31,560 this significant for security 630 00:36:31,560 --> 00:36:35,850 yeah gay so next difference so 631 00:36:35,850 --> 00:36:39,390 I'm security number zero sum game so that some 632 00:36:39,390 --> 00:36:42,560 a statement a different size I suppose the difference is that we genuinely 633 00:36:42,560 --> 00:36:43,480 believe 634 00:36:43,480 --> 00:36:48,180 security is not a zero-sum game which is to say 635 00:36:48,180 --> 00:36:51,629 let's look at the traditional view of security on you know if you think 636 00:36:51,630 --> 00:36:52,280 securities 637 00:36:52,280 --> 00:36:55,910 zero-sum game you think that you can wind security expensive others you know 638 00:36:55,910 --> 00:36:56,799 by 639 00:36:56,800 --> 00:37:02,450 by by doing something and not sharing it and saying any we have this protection 640 00:37:02,450 --> 00:37:07,649 or you might 
its she security as just a PR game you know well 641 00:37:07,650 --> 00:37:13,400 would you say I was in ER maybe it maybe it'll mail settings mine sent same 642 00:37:13,400 --> 00:37:16,700 and some companies um collaboration 643 00:37:16,700 --> 00:37:19,990 me even in the security space for collaboration he's gone important may 644 00:37:19,990 --> 00:37:21,319 even be 645 00:37:21,320 --> 00:37:24,320 discouraged filtered or even outright jazz band 646 00:37:24,320 --> 00:37:31,060 because I'm is I because of concerns about confidentiality maybe 647 00:37:31,060 --> 00:37:34,620 is there a different way of doing things well yes for say I'm 648 00:37:34,620 --> 00:37:38,600 we do in the teen Kasia aberration openly and freely on security features 649 00:37:38,600 --> 00:37:42,670 and standards can have a few standards working on 650 00:37:42,670 --> 00:37:46,060 just just about final call it the IETF level I think for 651 00:37:46,060 --> 00:37:51,190 for certificate certificate authority related harming 652 00:37:51,190 --> 00:37:54,370 redo like it when we can share experiences and approaches such as this 653 00:37:54,370 --> 00:37:55,109 talk with 654 00:37:55,110 --> 00:37:58,360 with other vendors and even since making source project I'm 655 00:37:58,360 --> 00:38:01,930 we have elective share no code if any wants to become come borrow 656 00:38:01,930 --> 00:38:07,230 welcome to do so we've had several projects are some of us on Boxing Day 657 00:38:07,230 --> 00:38:10,890 and this one um surprises people perhaps the most 658 00:38:10,890 --> 00:38:15,089 on on this area but we we actively support to any employees 659 00:38:15,090 --> 00:38:18,540 want researching on Google 660 00:38:18,540 --> 00:38:22,020 products even if they want to know what time 661 00:38:22,020 --> 00:38:25,060 to an example where this this make sense and someone benefit 662 00:38:25,060 --> 00:38:29,049 mention that we've a little fuzzy on the structure and a lot of CPU resource 
663 00:38:29,050 --> 00:38:32,270 we can dedicate that say once you've got 664 00:38:32,270 --> 00:38:36,340 the infrastructure running against Inc browser a like friend our brother 665 00:38:36,340 --> 00:38:40,970 justly fairly trivial to briefly point these two thousand Cebu cause a 666 00:38:40,970 --> 00:38:45,020 security fury at any other browser me sort from time to time do that 667 00:38:45,020 --> 00:38:48,690 and is just because easy to do and because 668 00:38:48,690 --> 00:38:51,440 that results in quite a few bugs against all other browsers themselves and 669 00:38:51,440 --> 00:38:53,580 there's a long service 670 00:38:53,580 --> 00:38:56,640 you know so the whole web get safer so we definitely believe our security is 671 00:38:56,640 --> 00:38:57,970 concerned 672 00:38:57,970 --> 00:39:01,569 the whole the whole arm not a zero-sum game 673 00:39:01,570 --> 00:39:05,400 and he says is that a a rising tide lifts all boats that if we can make the 674 00:39:05,400 --> 00:39:08,420 web safer for everyone across all processing technologies 675 00:39:08,420 --> 00:39:14,090 and people use the web more now that's that's good for us as a company 676 00:39:14,090 --> 00:39:20,210 next different so I removed the middleman 677 00:39:20,210 --> 00:39:24,160 say depending on a 678 00:39:24,160 --> 00:39:27,220 bingham which i'm talking about. 
Security Response 679 00:39:27,220 --> 00:39:30,250 is done can be done very differently 680 00:39:30,250 --> 00:39:35,000 how we do it so i made an attempt at trying to diagram for more traditional 681 00:39:35,000 --> 00:39:38,900 wasting secure response same to creep on from the internet I like 682 00:39:38,900 --> 00:39:42,600 drew a blank actually so had to draw on myself and my my 683 00:39:42,600 --> 00:39:45,960 a meeting in hex much ink has a pretty bad apologize for the stated this 684 00:39:45,960 --> 00:39:47,620 diagram leaving so if you can 685 00:39:47,620 --> 00:39:52,120 you can read it attempt at a flow chart a how 686 00:39:52,120 --> 00:39:56,600 how secure response often works on 687 00:39:56,600 --> 00:40:00,560 so arson run-through like this process a bit pretending I'm a security 688 00:40:00,560 --> 00:40:02,830 researchers is found about him 689 00:40:02,830 --> 00:40:06,160 I'm according to a company offering something like this 690 00:40:06,160 --> 00:40:09,470 feel free to raise your hand if this sounds familiar to an expensive at any 691 00:40:09,470 --> 00:40:10,250 time that an 692 00:40:10,250 --> 00:40:13,970 anyway so who I found about I'm gonna reported 693 00:40:13,970 --> 00:40:17,450 writing today so I sandbagging an ass and you know 694 00:40:17,450 --> 00:40:20,529 and immediate got an email back this is awesome 695 00:40:20,530 --> 00:40:24,150 well is an automated reply just let or somebody you know says that 696 00:40:24,150 --> 00:40:27,570 you know it says it says we take security very seriously I'm 697 00:40:27,570 --> 00:40:30,980 more fired up now and a day later I get a 698 00:40:30,980 --> 00:40:35,500 question yeah some clarification on how to reproduce the the park perhaps a 699 00:40:35,500 --> 00:40:39,370 an email back and I get an email back at a time when we think we've worked out 700 00:40:39,370 --> 00:40:42,230 after the fuses same 701 00:40:42,230 --> 00:40:45,410 annexing happens internally maybe it's a 
fairly tricky part in that the 702 00:40:45,410 --> 00:40:47,870 organization he is responsible for church 703 00:40:47,870 --> 00:40:51,410 a security people but I think necessarily in essay expert in all the 704 00:40:51,410 --> 00:40:53,850 main so they they bounces back over to their internal 705 00:40:53,850 --> 00:40:58,310 expert team which is a central resource who then 706 00:40:58,310 --> 00:41:01,320 has more questions so that saddam bounces back through the response 707 00:41:01,320 --> 00:41:02,610 organization to me 708 00:41:02,610 --> 00:41:05,950 I found these questions and then eventually 709 00:41:05,950 --> 00:41:09,299 internally the the bug sent over and filed with me 710 00:41:09,300 --> 00:41:12,910 product team to may or may not have 711 00:41:12,910 --> 00:41:16,670 some questions again they make consults internal security experts on how best to 712 00:41:16,670 --> 00:41:17,770 fix something 713 00:41:17,770 --> 00:41:20,890 particularly if it's not just about for the design level floor 714 00:41:20,890 --> 00:41:24,750 am internally them at a three-way disagreement may kick off on 715 00:41:24,750 --> 00:41:28,710 on the severity of the buck the and other products in the verses the 716 00:41:28,710 --> 00:41:30,340 Securities view this is what I 717 00:41:30,340 --> 00:41:33,680 claimed as a researcher on 718 00:41:33,680 --> 00:41:36,919 and so on and so forth so you know week later 719 00:41:36,920 --> 00:41:40,170 sizes in 10 lines and I sent us an email saying hey what's up 720 00:41:40,170 --> 00:41:43,390 yeah we get this fixed so you know 721 00:41:43,390 --> 00:41:46,770 the responsible for that price support team for a status update and sort of 722 00:41:46,770 --> 00:41:51,380 feel threatened send it back to me and so on and so forth so 723 00:41:51,380 --> 00:41:54,870 a lot of communication going on what I've failed to draw on this diagram is 724 00:41:54,870 --> 00:41:56,540 perhaps a big red line 725 00:41:56,540 --> 
00:42:01,080 that was the top of the diagram across so the top couple boxes 726 00:42:01,080 --> 00:42:05,190 and the point having I any get visibility into you 727 00:42:05,190 --> 00:42:08,210 a very small part of the process an order this of internal 728 00:42:08,210 --> 00:42:14,320 discussion about the book I found is hidden hidden from view for me 729 00:42:14,320 --> 00:42:19,880 so Mike why be the problems operating in this order mana 730 00:42:19,880 --> 00:42:23,090 one is just latency so 731 00:42:23,090 --> 00:42:26,990 I'm justices round trips going on between people that I get to see any 732 00:42:26,990 --> 00:42:30,580 get involved with you know they it seems that you know I I won't get 733 00:42:30,580 --> 00:42:33,700 status update as often as I might I'm 734 00:42:33,700 --> 00:42:37,319 you know just everyday thats that this latest against that's it that's a day 735 00:42:37,320 --> 00:42:38,240 that the 736 00:42:38,240 --> 00:42:42,390 to take it sort of the to fix gets kicked out like users will 737 00:42:42,390 --> 00:42:46,359 will get fixes later we think because this them significant potential and I 738 00:42:46,360 --> 00:42:47,260 have personally 739 00:42:47,260 --> 00:42:50,590 for lost in translations it's where 740 00:42:50,590 --> 00:42:53,880 it's where you sort of have this middle man whose is your serve case officer: 741 00:42:53,880 --> 00:42:58,040 if you like a understand security not maybe perhaps as much as as the 742 00:42:58,040 --> 00:43:01,430 is the technical person he's actually working how to fix the thing and 743 00:43:01,430 --> 00:43:03,730 you know having a conversation with a technical person you having a 744 00:43:03,730 --> 00:43:06,120 conversation with is this middleman see 745 00:43:06,120 --> 00:43:09,410 be quite cumbersome sometimes am yes 746 00:43:09,410 --> 00:43:13,649 makes our top 10 discussion sometimes I'm significantly a I'm big on 747 00:43:13,650 --> 00:43:15,310 collaboration and I think 748 
00:43:15 ...the sort of thing where, in the past, with that process, you don't see a lot of the discussions going on regarding the bug, meaning you can't chime in and help. Some bugs, especially design-level bugs, are hard to come up with a good fix for; sometimes the debate is "does this matter, does it break the web?" So sometimes being able, as the researcher, to be involved in the discussion of how to fix something is nice. So we think we've removed the middleman. How does it work, and how is it different? To report a bug against Chrome, you go to the bug tracker, the public, internet-accessible bug tracker, and you file a bug. One of the options is "this is a security bug", which will restrict it from public view. Then we find that for the more interesting bugs, reported by the more interesting researchers, often on the same day a three-way, high-energy, exciting conversation kicks off in the bug tracker between the person who sent the bug, a member of the Chrome security team, and perhaps also the engineer who's really the best person to fix this issue. Coming back to the principles from earlier, the engineer fixing the issue and the Chrome security team member will, in a lot of situations, actually be the same person. We'll also pull in additional experts in that area of the code base, cc'd, to keep the conversation going. So this does lead to low latency. On occasion we've had a bug come in and the same day we've landed a fix. That's not the same as shipping the fix to users the same day, because that would involve rushing something out without QA, and we don't do that. But some of the same-day fixes that we do inspire people to comment in the bug tracker, you know, "that was fast", and we smile when we see things like that. This is a bug tracker comment from someone who found a bug; "this just popped up here", and this is a public comment. This is an example of where the researcher sort of bounced ideas off us, and we bounced ideas off him, on the best way to fix the bug in question, and we came up with something that people were happy with, and then we fixed it. I think our total turnaround time there was about five days, which, when you consider the usual fix and release cycle time in the industry, shows that this process can bring very low latency to the system. And then of course we give the gentleman a monetary reward at the end of things.

00:46:02 Be transparent. We have sort of an advantage here, I guess, in being able to do this because the project is fundamentally open source, but I think there are some transparencies that companies with closed-source products could engage in that don't require open source. So if you're not being transparent, how do you behave? In my dealings with vendors I often find it feels like communication with me is minimized to the bare facts about the bug. I've thought long and hard about why this could be, and maybe it's that many companies are concerned that anything they say might end up getting quoted and fuel some news story; perhaps there's some sort of trade-off going on between the risk of saying too much versus the risk of limiting coverage by not saying very much. And then of course, when you find bugs internally to the company, you'll keep them secret; you'll fix them in the next release, but you won't necessarily announce that the bug has been fixed, and that's partly related to the fact that you have a backporting problem: if you announce the fix against the latest branch, you'll be expected to backport it. So this lack of transparency might be considered dangerous for security. And when vendors do announce something fixed (let me do a time check; a few minutes left), you may find that they announce it in very broad, unspecific terms, and they won't show you the full original report or, of course, the fix. So is there a way of doing things well? Yes. We mentioned that all reported bugs are filed in the bug tracker, but that's just the start: all of our security bugs are tracked in the public tracker, and that includes stuff we find internally. We really do enjoy making all security bugs public after some suitable period of time, so you can go back and look at the history of any security bug in the history of the product and read them. Of course, sometimes we delay opening the bug to public view because some of the code we use is shared with other products that haven't taken the fix yet. So the bug tracker bugs, I think, have a big impact on Chrome security; it's not just a bug, it really is a conversation. There's collaboration going on: you can see discussions about how the fix should be implemented, you see the researcher jumping in from time to time (they reported the bug, they've had a stab at something, and they help us out), and it's transparency that lets us do that. And I don't know of other people that do this, but we make historical gems available. For example, we have a competition format called Pwnium, where we actually, for lots of money, require people to exploit bugs, not just find bugs, and of course the principle of transparency dictates that the full working exploit, which did work at some point in time, is just there as an attachment. You can go back and look at those and study them and learn from them. We've heard that some people do go in and study these exploits and write papers on the techniques used, and that's the sort of collaboration we encourage.

00:49:55 And the best story I could find that demonstrates why transparency is a huge win for us is just some other bug; the number is a random number, it's public, you can read it. What actually happened is a researcher sent us a bug, a very good bug; we fixed it, and immediately, within a day or two, the researcher came back with a comment on the bug, and what he said was "you haven't fixed it properly, here's a corner case that still seems to work". Transparency enabled him to tell us that, and it saved us the pain of fixing the bug, releasing, and then someone coming along saying it's not fixed, which is kind of embarrassing; any security bug probably is, but what you need to do is get it right the first time, and that's awesome. And of course we probably doubled his reward as well; it counts as two bugs, so twice as much for your help. So, you know, that's the story. The reason I have this story is that some people, I think, have a fear that transparency will lead to the possibility of attacks against you; like if you have all your dirty laundry out there for public view, the fear is that someone will come in, count how many bugs you had and say "oh my goodness, 70 bugs", or someone will review your bug database and say "that's an awful lot". And maybe there's a chance that will happen, but we think the benefits of open, transparent cooperation outweigh the risks of taking some PR hit. And actually, we found that this came back as a very clear positive in a recent incident. We published some blog post related to Chrome security that someone disagreed with and had a counter-opinion on, which is awesome; they framed that counter-opinion around a claim that they had tons of critical Chrome issues that were months old and had not been fixed. That sort of inflammatory story might get some traction, so we looked into this, and we found that actually it was not true: there were some bugs that had been reported, but they were, in our opinion, not security bugs. So the transparent way to respond was by posting a link, which is just a query of our bug database for the name of the company that made this claim, listing all of the things they've reported, enabling anyone who wanted to independently verify or look at the basis of that claim. In the end, I won't go into more detail than that, but the blog post making the claim was taken down and modified to be a little more true. So transparency there was actually a PR win.

00:52:35 And this is the final difference, and again one of the ones where we think it's more significant: celebrate the community. Some companies have been known to see the community as an adversary: they may attempt to vilify members of the community if they don't see eye to eye on the severity or the timeline of some bugs; they don't seem excited to work with the community; they may try to downplay the significance of such and such research, and so on. As a principle we've found that the more engaged we are with the wider community, the more we get back, so we try to celebrate community contributions. Now we have a Hall of Fame which lists everyone who has got a reward from us; for those not quite crossing the bar but still sending us something useful, we have a list of people too, and we've had feedback that that's helped people get jobs, sometimes with us but also with other companies, so that's quite appreciated. Whenever we fix something that was reported to us, we credit it in our release notes, which also supports the transparency principle we saw earlier. Also, contact with the Chrome security team is less mechanized and more individualized and human, I'd say: when a researcher comes to us with a bug and it's something really clever, you'll see myself or one of my engineers as the first response in the bug, saying "this is awesome, this is really clever, how did you think of this?" We just find that one-on-one researcher-to-researcher interaction gets a lot of respect on both sides. Of course we celebrate contributions financially on a per-bug basis, and just because we can, sometimes we decide someone's been so awesome that we'll just issue a surprise monetary reward, like a sort of best-of-the-best-for-the-year kind of award. If someone sends us something very spectacular, we'll often do a write-up ourselves as a celebration of the quality of the work; some of the Pwnium entries we've received we've actually written up and published on the official Google blog to celebrate the achievement. So the next couple of slides are not new rewards; this is just to illustrate that sometimes, like last year, we just randomly decided to give a couple of reporters an extra ten-thousand-dollar top-up as a thank you for working with us. These are a couple of slides from a presentation I did last year: "let's just give these awesome people ten thousand dollars each", as a top-up to their other rewards.

00:55:33 So that ends part one. Let me check again how much time is left for part two; five to ten minutes, OK. Part two: I'm going to go into some more detail on our reward program. So this is the story of Google's history with rewards: when we get good security reports, we financially compensate the researchers with awards. We'll start with the statistics that people are most excited about, which is of course how much we've paid in total; that's the first question you get. Some breaking news, or at least it was new on Monday with a blog post about this: we're now over two million USD across our various reward programs. We crossed that bar, and interestingly enough it splits almost equally, a million each, between the Chrome side of things and the Google website side of things. I suppose I should admit that internally there was a bit of competition to get to a million dollars first; I was rooting for Chrome and I lost, but only by a week: we crossed a million dollars just after. And the number of bugs for that money: it's about two thousand bugs across everything, slightly skewed in favor of more bugs on the website side of things, probably because you have a lot more websites, and maybe it's a little easier to find certain classes of vulnerability than it is to find memory corruption in a browser. There's a graph on that.

00:57:21 OK, every time I talk about the reward program, the goal of the talk changes. At first the goal of the talks was to say "hey, we've done something a bit different, a little bit crazy, we're going to tell you how it went", just to share our story. Over time things have changed dramatically: we now give these talks to try and tell people that engaging the community in these ways is just one hundred percent positive; it has exceeded our wildest expectations, and you should launch a vulnerability reward program if it makes sense for you. There are a couple of caveats we give. One is a "you must": if you or your company is responsible for software which is sort of on the front line in the malware fight, say installed on a wide percentage of the world's computers or part of critical infrastructure, the world depends on you; it sounds dramatic, but the world does depend on you, and if you're in that position, one way you can make your security posture better is to have a reward program, and you should. But before you do that, you want to have a mature SDL in place, because a reward program is not a substitute for bothering with security; in fact, if we had no other security and just a reward program, we'd probably be overwhelmed. So you need to have your response organization and so on well established before launching.

00:58:47 So, the history of bounties. As best we can trace it back, we think a gentleman you may have heard of by the name of Donald Knuth may have kicked this whole thing off in 1981, in a slightly different way: if you found a bug in his book, he would send you a check. I know some people who have a framed check from Donald Knuth on their wall; do any of you? You'd get a hit in a crowd like this, excellent. And then of course the first significant vendor to do this was probably Netscape back in '95; when Netscape became Mozilla they carried that on in 2004, and so on and so on. As you can see, the packing density of these program launches is getting more dense; it was only a matter of time, and there are more and more facts to back this up: more and more companies, some very old, some small, some you've probably heard of, have dived into this game because it works, including most recently Microsoft, who dipped their toe in the water, and I think that's fantastic because they definitely count as being on the front line in the fight against malware. So that's awesome, some history.

01:00:04 I think we'll skip the slides where we're low on time, but this is just showing how over time we've racked up the reward levels, and in some ways you can see these reward programs as an economy: over time it gets harder to find bugs, so what you want to do perhaps, if you're serious about these programs, is, as the incoming report volume trickles down because it's getting harder, give bigger rewards and not be content with the initial max payouts. So over time we've done quite a few reward increases. Another question we get is "what does it look like when you launch a program?" This is the Chrome launch, which I think was January 2009, at the beginning of the graph. In terms of months elapsed, it was a pretty slow ramp-up for people engaging with us; it wasn't immediate, but it did happen eventually. Maybe that's a reflection of the fact that research in a browser can be quite hard: you need to invest a lot of time to learn a lot about the possible attack surface before diving in. Since then we've also run a competition format: we dipped our toe in the water by sponsoring a Chrome target at the Pwn2Own industry competition in 2011, and after a misunderstanding we launched our own competition. We tried to calibrate things, again looking at this as an economy: we tried to calibrate so the reward was high enough that someone would surely enter, and we got it just right, because we got entries. So a gentleman by the name of Pinkie Pie won sixty thousand dollars at the second competition, and at Pwnium 3 he didn't quite take the full prize but turned up and took a forty-thousand-dollar win, and at the first one he'd turned up for a sixty-thousand-dollar win. He's becoming a bit of a benchmark for us at this point: one day, if we run a Pwnium competition and he doesn't show up to collect sixty thousand dollars, we'll know we're in really solid shape, because this guy's amazing. I'll skip that. Just to humanize the whole Pwnium competition: that's me with shorter hair, and this is a tense moment around the desk where someone's turned up and they're like "I've got this website; when you visit it, it will compromise Chrome; give me my sixty thousand dollars". All eyes on the laptop. You may notice a guy in the background on the right-hand side who has a look of abject terror on his face, and if you can see there, he looks terrified. The reason for that is that in this competition we actually had the Adobe Flash plugin in scope, and this gentleman is an employee of Adobe, and no one quite knew what was going to go down yet, so he's sitting there thinking "oh my god, is this going to be a Flash bug?" And it wasn't, so I have the picture to prove it: he's looking a bit happier about five minutes later.

01:03:18 So we've talked about how we celebrate successes; we also do something when poking fun at ourselves if we fail. The Pwnium 2 sixty-thousand-dollar win involved two pieces of attack against Chrome: a difficult piece, sort of breaking the renderer, and then the way this gentleman broke out of the sandbox, which was just too easy by our own high standards, and we weren't very happy with it. Of course we put our best foot forward to make some changes to make sure that doesn't happen again, but we definitely had a double facepalm from the performance there. He found a way, from within the sandbox, to request that the privileged context just write this sequence of bytes to this file name, without any good property checking on it. It was so bad we just went to town on this internally: you know, the privileged side was going to trust the file name, the file path, and the content of the file; great. It's long since fixed, and we went on an internal audit rampage to make sure there are no other instances of this. But that's why we do the Pwnium competitions: the value they provide. We really wouldn't have found out about this if we hadn't done it, so that was the best sixty thousand dollars we've ever spent, probably.

01:04:41 Let me just check the time; stop me if needed. Moving on to the other main reward program, the Google web program. This was more contentious, because this is the first time we know of that a large corporation has put up security rewards relating to live production websites. There's no other good way to do it, really: you have to talk to your legal people and your budget people and get buy-in from thousands of teams, as opposed to one product team. The most interesting thing people want to ask about is legal, and it turns out that if something's illegal, you can't make it not illegal just by writing a blog post. I mean, if the world worked like that, I think we'd see a lot of trouble in a lot of places. So you don't basically lose the right to go after criminal activity by having a bounty program; that's the principle. Also, as long as you have clearly defined "do this, do not do that" rules, you also don't lose the ability to chase people civilly if they're really trying to damage you. So legal actually turns out to be sort of a headache, but it does just fine. For this launch, we were nervous: we had our finger ready on the blog post saying "hey, think about our websites", we were all sat in a war room, and we didn't know what was going to happen, so we had a sweepstake on the number of bugs coming in in the first 24 hours. I guessed maybe a few, and I lost; I lost to someone whose guess was, well, we'll look at the graph in a second.

01:06:24 So, quickly, eligibility. Before you launch, you want to publicly document very clearly what is not in scope, to avoid any misunderstandings. We actually exempt acquisitions for six months after we acquire them, because when you make an acquisition, they may not necessarily have the same security posture you do, so we think it's reasonable for us to hold ourselves to the standard of beating them into shape within six months. Challenges: we were worried about a few things before launch. I'm not going to go through these, but none of these challenges really came to be true. So, we pressed the button. Can you tell at what point in time on this graph we launched the reward program? I can't actually say what the y-axis is, so it's relative, but you can see this is the graph of bugs filed, external reports per week, and there's a small trickle of bugs coming in in the first few weeks, represented at the far bottom of the graph, and then bang; that's me losing my sweepstake. So one takeaway is that it's easier to immediately dive in and do some website security assessment than it is to do browser research. Another takeaway is that if you do this, you want your response organization primed and ready; you want it overstaffed such that it can handle a spike nastily beyond the current level you're handling. To put some numbers on that spike: it was a ten-times spike in incoming reports, approaching an order of magnitude, which is quite interesting. It then settled down a bit to a five-times load for several months, and we think it's now steady-stated at about three times the load of what it historically was, which is much more manageable.

01:08:24 Just a graph illustrating some of the economics of the situation: this is the first launch; it led to a lot of bugs coming in and then it drops off. If I mathematically model this, it's probably something that maps to exponential decay perhaps, I don't know, but it shows you that when you launch a program it's relatively easy to find bugs, and then over time it gets harder to find bugs, and that's when you might consider upping the rewards. What type of bugs do we find? XSS, which is the blue chunk, as a percentage dominates the number of external reports, which is probably no surprise to those of you who research or administer websites. This is something cool: when we launched the reward programs, our thesis initially was that we really love working with the community, so the reward program is a thank-you for working with us; but it turns out having a reward program will attract new researchers. In fact about 85 percent of the people sending us bugs were new, versus 15 percent researchers that we used to work with before the program. Diversity: only 31.6 percent of the reporters were US-based; I won't go into more detail, but we have significant diversity, just in terms of countries. We've had people come to us from, I don't know, Finland, because there's just something about Finland. On the Chrome program, at one point three people turned up from Finland, not really knowing each other, just random; they came in and tore the house up, you know, made a lot of money, and we sent some more money back to Finland. How charitable.

01:10:26 Moving on. The results: you get an immediate spike in reports; the signal-to-noise ratio is better than we thought. We thought we were going to get some people who didn't have a profound understanding of security come to us, trying to make money for
fan on security issues I'm 1237 01:10:46,800 --> 01:10:49,950 you really get a coverage that you just don't get it yet 1238 01:10:49,950 --> 01:10:53,160 your internal security net save an internal security number and save 1239 01:10:53,160 --> 01:10:57,460 even something big like a hundred how can you compete with you know that 1240 01:10:57,460 --> 01:10:59,920 tens of thousands of security researchers around the world both in 1241 01:10:59,920 --> 01:11:01,640 terms of Brett coverage 1242 01:11:01,640 --> 01:11:05,000 but also in terms of GES down just just sorta 1243 01:11:05,000 --> 01:11:07,750 thank you for the corner cases say you're getting some really clever stuff 1244 01:11:07,750 --> 01:11:10,700 if you if you want to the wider community 1245 01:11:10,700 --> 01:11:14,019 I'm getting some fun but is also this this with someone other 1246 01:11:14,020 --> 01:11:17,160 for me serious security but I never seen I'm 1247 01:11:17,160 --> 01:11:21,400 so this gentleman claim the issuance transito 1248 01:11:21,400 --> 01:11:25,750 transit would give a common specifically trying to transition Portuguese to 1249 01:11:25,750 --> 01:11:29,120 Spanish in specifically typing a long sequence apiece 1250 01:11:29,120 --> 01:11:36,120 security bug is sounds just like a helicopter 1251 01:11:36,620 --> 01:11:39,720 I at I 1252 01:11:39,720 --> 01:11:43,350 I was on the rewards panel for the weapon I'm I voted to reward him just 1253 01:11:43,350 --> 01:11:44,110 the 1254 01:11:44,110 --> 01:11:47,530 being awesome um II was 1255 01:11:47,530 --> 01:11:51,090 I was shot down by simpson more some other members of the panel on 1256 01:11:51,090 --> 01:11:54,750 apps upset my own like the a like the 1257 01:11:54,750 --> 01:11:58,970 like the icon I've been using earlier today yes 1258 01:11:58,970 --> 01:12:05,000 I'm not sure we fix that neither in which is a very bad response times came 1259 01:12:05,000 --> 01:12:05,300 in 1260 01:12:05,300 --> 01:12:08,830 several 
years ago so summery positives um 1261 01:12:08,830 --> 01:12:12,290 say it's not objectify 1262 01:12:12,290 --> 01:12:15,960 how how much more secure email users but any good where we found 1263 01:12:15,960 --> 01:12:20,280 doing it is some we talk to the people he send a steak is regularly 1264 01:12:20,280 --> 01:12:24,120 and we decide have seen every month or we haven't seen for a while saying a is 1265 01:12:24,120 --> 01:12:25,490 getting harder and I yes 1266 01:12:25,490 --> 01:12:29,120 its very hard now i know i in fact going to 1267 01:12:29,120 --> 01:12:32,260 spend my time doing something else it's a hot so you know the 1268 01:12:32,260 --> 01:12:35,900 if you don't from these programs it you really can so flush out the 1269 01:12:35,900 --> 01:12:39,549 or the qualities bugs that your normal security process my 1270 01:12:39,550 --> 01:12:43,350 missed everyone's human we all we all miss security bugs I'm 1271 01:12:43,350 --> 01:12:49,970 taking a thinking about the darker side of our industry we from 1272 01:12:49,970 --> 01:12:53,060 we've actually a few months back I was verified we've had what we call 1273 01:12:53,060 --> 01:12:53,920 collisions 1274 01:12:53,920 --> 01:12:57,830 so that's where Whitecap researcher his intent is to make the weapon 1275 01:12:57,830 --> 01:13:01,410 the world a safer place ascent is about we fixed it and that is 1276 01:13:01,410 --> 01:13:05,300 collided or stepped on the toes a more nefarious intent 1277 01:13:05,300 --> 01:13:09,280 you know someone who all sonya is a bug going back to the early a comic 1278 01:13:09,280 --> 01:13:12,960 and goodness is a day with it but you know by May 28 in the community 1279 01:13:12,960 --> 01:13:16,290 as a has to step up here you know yesterday making SBS 1280 01:13:16,290 --> 01:13:19,590 a dent in the dark side of the industry am 1281 01:13:19,590 --> 01:13:23,130 nowadays is just a reflection of the fact that since we launched the program 1282 01:13:23,130 --> 
01:13:23,780 was not ready 1283 01:13:23,780 --> 01:13:27,190 had someone drop it Google access are 1284 01:13:27,190 --> 01:13:31,990 you know is to have people sale all on the Lexus estimates come with a fix it 1285 01:13:31,990 --> 01:13:35,620 I'm now it turns out that yeah few thousand dollars is 1286 01:13:35,620 --> 01:13:38,890 more fun and posting a message for 1287 01:13:38,890 --> 01:13:43,310 rated as the new people 1288 01:13:43,310 --> 01:13:47,530 we've actually hired a bunch of people specifically through introductions made 1289 01:13:47,530 --> 01:13:48,580 on a wall programs 1290 01:13:48,580 --> 01:13:52,130 I'm out of here security hires is always difficult so 1291 01:13:52,130 --> 01:13:57,370 really he's not that aspect cost-effective 1292 01:13:57,370 --> 01:14:01,030 there's a paper by dev was presented earlier conference 1293 01:14:01,030 --> 01:14:04,530 try to to the objectify some of the cost-effectiveness 1294 01:14:04,530 --> 01:14:08,130 which is awesome cuz we display my hands in the air and say it's really cost 1295 01:14:08,130 --> 01:14:08,730 effective 1296 01:14:08,730 --> 01:14:12,750 and anti-china and the paper comes up with some figures like maybe 1297 01:14:12,750 --> 01:14:16,640 maybe a be ten times more cost effective than other ways of getting the same 1298 01:14:16,640 --> 01:14:17,160 results 1299 01:14:17,160 --> 01:14:22,730 and so on apps 1300 01:14:22,730 --> 01:14:26,450 negatives 1301 01:14:26,450 --> 01:14:29,950 of launching the program I mean it 1302 01:14:29,950 --> 01:14:33,290 specific and slide right but I i we've racked our brains trying 1303 01:14:33,290 --> 01:14:39,910 think I've any I'm wrong and it's just all good just so the 1304 01:14:39,910 --> 01:14:42,990 hope said from the stage it is not as me rounding up here 1305 01:14:42,990 --> 01:14:45,990 I'm others to have jumped into the 1306 01:14:45,990 --> 01:14:50,719 into his reward game in positive on same ranging from the payout CISA 1307 
01:14:50,720 --> 01:14:54,410 you-know-who freely admits he had reservations about the whole concept 1308 01:14:54,410 --> 01:14:57,809 but then data the key word being data 1309 01:14:57,810 --> 01:15:02,580 has proven him wrong say a that him to launch their program um 1310 01:15:02,580 --> 01:15:06,480 and down to the bottom XE security says what I 1311 01:15:06,480 --> 01:15:10,599 also believe now that you know this is industry best practice so I think where 1312 01:15:10,600 --> 01:15:14,250 heading right before the world by any company who 1313 01:15:14,250 --> 01:15:17,750 you know has significant importance of where does not have a rich bounty 1314 01:15:17,750 --> 01:15:20,680 program is you know is not following industry best practice 1315 01:15:20,680 --> 01:15:24,260 recommendations selling launch 1316 01:15:24,260 --> 01:15:27,880 if you do want to launch on these things you would make an invite to lunch with 1317 01:15:27,880 --> 01:15:28,740 myself and others 1318 01:15:28,740 --> 01:15:31,870 people who think for might wanna start small 1319 01:15:31,870 --> 01:15:35,019 if you're a bit bit nervous about the fact that ten times like 1320 01:15:35,020 --> 01:15:38,090 so you might want to launched against a subset of your products 1321 01:15:38,090 --> 01:15:42,530 am yes we've covered having a response machinery primed and ready 1322 01:15:42,530 --> 01:15:45,750 and proactive communication Watson sky 1323 01:15:45,750 --> 01:15:51,020 remain respectful we recommend paying for issues in pre-production versions if 1324 01:15:51,020 --> 01:15:51,710 you suffer 1325 01:15:51,710 --> 01:15:55,660 kind of obvious if you think about it would you rather have a find a bug 1326 01:15:55,660 --> 01:15:59,750 before you launch it to the to use as all after he wanted two years 1327 01:15:59,750 --> 01:16:05,240 and have gone over too much 1328 01:16:05,240 --> 01:16:12,240 any better juncture I'd love to invite any you may have 1329 01:16:18,220 --> 
01:16:20,180 at Allan Sherman UMBC 1330 01:16:20,180 --> 01:16:24,650 how does your security team in Iraq proactively with the design of new 1331 01:16:24,650 --> 01:16:25,400 products 1332 01:16:25,400 --> 01:16:30,269 on from the very beginning of the design phase yes I have a question said 1333 01:16:30,270 --> 01:16:33,730 question was about how we handle design movies 1334 01:16:33,730 --> 01:16:37,830 I it differs across company brought I'll talk about my perspective on crime 1335 01:16:37,830 --> 01:16:41,540 um what we do is we we have a formal 1336 01:16:41,540 --> 01:16:45,390 launch process for new features and security has a seat at that table 1337 01:16:45,390 --> 01:16:48,440 say I want something here doing a skit 1338 01:16:48,440 --> 01:16:51,549 you feature 12 on the team they talk a security and 1339 01:16:51,550 --> 01:16:54,860 at that time immediately look to see if this feature 1340 01:16:54,860 --> 01:16:58,130 you know is carries little risk if it does then we'll 1341 01:16:58,130 --> 01:17:01,140 assigns and dedicated security people to actually 1342 01:17:01,140 --> 01:17:04,190 I'm sitting on the design meetings and be 1343 01:17:04,190 --> 01:17:07,650 of Co offers on the design doc say that we have confidence that 1344 01:17:07,650 --> 01:17:12,179 at the design level nothing's been done right and as I'm sure wasn't 1345 01:17:12,180 --> 01:17:16,340 isn't this in your question if you mess up the design level at the design level 1346 01:17:16,340 --> 01:17:19,910 and find out about problems later as you can in place to launch as a really 1347 01:17:19,910 --> 01:17:23,690 horrible situation to be in because you make may be faced with launching with 1348 01:17:23,690 --> 01:17:24,530 security issues 1349 01:17:24,530 --> 01:17:28,599 or also delaying months the project 1350 01:17:28,600 --> 01:17:32,490 chris what's actor Sam 1351 01:17:32,490 --> 01:17:36,599 am I think you're good neighbor policy is a really good one so you kind of go 
1352 01:17:36,600 --> 01:17:38,960 above and beyond to solve other people's problems 1353 01:17:38,960 --> 01:17:42,600 a but do you get tired of solving problems in Flash 1354 01:17:42,600 --> 01:17:45,610 and do you reach out to Adobe to try and 1355 01:17:45,610 --> 01:17:48,980 figure out if there's a better way to solve that problem 1356 01:17:48,980 --> 01:17:52,900 that's a good question so do we get tired of at helping other people out 1357 01:17:52,900 --> 01:17:56,230 I mean I'm yards no cuz we fully enjoy health Wiese 1358 01:17:56,230 --> 01:18:00,530 in enjoy a finding in security bugs especially ones that may have a positive 1359 01:18:00,530 --> 01:18:01,750 impact not just on 1360 01:18:01,750 --> 01:18:05,820 us now uses but the whole web on in terms if I'm 1361 01:18:05,820 --> 01:18:09,410 getting getting tired specific projects what we 1362 01:18:09,410 --> 01:18:12,440 what we do try and do the define or to make such that we have 1363 01:18:12,440 --> 01:18:16,870 computers on the task and they thing ready get tired with humans d 1364 01:18:16,870 --> 01:18:20,450 so for example some other work we're doing on on flash 1365 01:18:20,450 --> 01:18:25,269 and a lot of our internal I'm k bases we 1366 01:18:25,270 --> 01:18:29,390 We have ongoing of causing that basis based will the tech aggressions and also 1367 01:18:29,390 --> 01:18:30,910 some tireless the flesh out 1368 01:18:30,910 --> 01:18:35,639 the corner cases a bug's I'm 1369 01:18:35,640 --> 01:18:39,260 America ID from the receive Utah actor that there was a good lead and 1370 01:18:39,260 --> 01:18:43,930 my question so I'm I'm active in fuzz testing and I'm interested to learn a 1371 01:18:43,930 --> 01:18:44,800 little bit more 1372 01:18:44,800 --> 01:18:48,380 about the was testing the that you apply 1373 01:18:48,380 --> 01:18:52,890 this is maybe cluster funds if we could use a little bit more about that and 1374 01:18:52,890 --> 01:18:56,970 yes us of the store you mentioned 
plus the bus which is the 1375 01:18:56,970 --> 01:19:01,450 affectionate name we have for our 2000 CPU cores on 1376 01:19:01,450 --> 01:19:04,950 so to be effective fuzzing we 1377 01:19:04,950 --> 01:19:10,570 we find have to several things one is 1378 01:19:10,570 --> 01:19:15,880 want to scale which we we think we have covered although 1379 01:19:15,880 --> 01:19:19,020 although there are plans TN bump up the number 1380 01:19:19,020 --> 01:19:24,780 computers we haven't and the second is things picking a target say 1381 01:19:24,780 --> 01:19:28,130 assertive he should have to know which areas if your product 1382 01:19:28,130 --> 01:19:31,760 will benefit from fuzzing if you like and what type of housing 1383 01:19:31,760 --> 01:19:34,890 comes as monty the third thing we do some 1384 01:19:34,890 --> 01:19:38,310 defense not simple and then get clever so 1385 01:19:38,310 --> 01:19:42,330 something for about flashvars Inc say we start a simple 1386 01:19:42,330 --> 01:19:45,650 on flash which is better than large corpus a twenty thousand files 1387 01:19:45,650 --> 01:19:49,240 mention but I'm mutations may apply to solve 1388 01:19:49,240 --> 01:19:52,870 the files to try and finds 3.10 particularly intelligent 1389 01:19:52,870 --> 01:19:56,340 in a dose of fitting bits here and there and see if you get crashes 1390 01:19:56,340 --> 01:20:00,310 so it is not simple and sort of fuzz heart 1391 01:20:00,310 --> 01:20:04,190 until with so I've gotta love the crash is we think we can find 1392 01:20:04,190 --> 01:20:07,610 with simple thousand and them with weekend and more creative like 1393 01:20:07,610 --> 01:20:11,440 will like 1000 as understand more about the structure of the file for months 1394 01:20:11,440 --> 01:20:11,929 they can 1395 01:20:11,930 --> 01:20:16,190 for mutations that some surprising to the to the piece of cake 1396 01:20:16,190 --> 01:20:19,509 positing the the former but no actual violations a 1397 01:20:19,510 --> 01:20:22,810 say 
the specification that within a cause cause that 1398 01:20:22,810 --> 01:20:27,100 the past to stop I'm and more so than 1399 01:20:27,100 --> 01:20:30,820 so keep going in that direction we then the gramma based buzz is that 1400 01:20:30,820 --> 01:20:34,980 sort of generating thankful on existing test cases and generate from scratch 1401 01:20:34,980 --> 01:20:38,129 serve slightly off test miles 1402 01:20:38,130 --> 01:20:41,240 along the lines of before the program's expecting but 1403 01:20:41,240 --> 01:20:48,099 with me a little bit surprising truant from 1404 01:20:48,100 --> 01:20:51,440 anything I have so I'm quite interested in 1405 01:20:51,440 --> 01:20:55,110 on than number of security engineers 1406 01:20:55,110 --> 01:20:58,410 that are in com team 1407 01:20:58,410 --> 01:21:03,300 I'm or more specifically what is the ratio of security engineers 1408 01:21:03,300 --> 01:21:07,290 versus the restive the team 1409 01:21:07,290 --> 01:21:11,290 yes that's right questions says about coming secured engineers we have sought 1410 01:21:11,290 --> 01:21:12,080 a few numbers 1411 01:21:12,080 --> 01:21:16,030 I'm fortunately where not quite a secretive is some companies we do we do 1412 01:21:16,030 --> 01:21:19,380 you got some numbers in this area said I'm 1413 01:21:19,380 --> 01:21:23,120 company-wide number scared people have this -ism 1414 01:21:23,120 --> 01:21:28,140 hundreds and hundreds and hundreds sent I don't know is a percentage if 1415 01:21:28,140 --> 01:21:32,240 engineers I know that there's a industry recommendations about 1 percent 1416 01:21:32,240 --> 01:21:35,559 I know that were significantly above that by choice 1417 01:21:35,560 --> 01:21:39,250 I'm in chrome maybe some more specific details so that 1418 01:21:39,250 --> 01:21:44,260 the crime security team itself its I accounts about 20 people now 1419 01:21:44,260 --> 01:21:48,050 which we think the reason be stuffed team for just just one product 1420 01:21:48,050 --> 
01:21:51,640 I'm and it's not just 20 S is more than that so we have a 1421 01:21:51,640 --> 01:21:54,840 sigh from the twenty secure in his we have we have 1422 01:21:54,840 --> 01:21:58,310 experts in SSL and certificate authorities 1423 01:21:58,310 --> 01:22:01,430 you know technically on my team 1424 01:22:01,430 --> 01:22:04,730 you know the 10 from the network stack team but hundreds and that time day in 1425 01:22:04,730 --> 01:22:05,570 day out is 1426 01:22:05,570 --> 01:22:08,830 security-related features and pouncing so 1427 01:22:08,830 --> 01:22:14,320 maybe the time and the numbers thirty I'm as a percentage 1428 01:22:14,320 --> 01:22:17,580 I i think as they know the latest number overall 1429 01:22:17,580 --> 01:22:18,400 convention is in sight