Platform Security Part Deux, feat. Justin Schuh

We did not run out of things to talk about: Chrome vs. Safari vs. Firefox. Rust vs. C++. Bug bounties vs. exploit development. The Peace Corps five. The Marine Corps. Transcript: https://share.descript.com/view/DpeqIOCREyZ Find us at: https://twitter.com/scwpod https://twitter.com/durumcrustulum https://twitter.com/tqbf https://twitter.com/davidcadrian

Justin:
0:00
My sister works in urban policy and design and she's like, we don't need people building bridges. We need people fixing the ones we have.
Deirdre:
0:16
Hello, welcome to Security, Cryptography, Whatever. I'm Deirdre.
David:
0:21
I'm David.

Thomas:
0:23
I'm Tom and we have a, we have a special guest today. I'll let our guest introduce himself.
Justin:
0:29
I'm Justin Schuh. I'm the whatever.
Thomas:
0:31
Okay.
Deirdre:
0:32
Sure. And now, this is basically platform security, redux? Part Deux? Because we put out— this is in response to our first episode when we were trying to talk about why is iOS always on fire? If it's supposed to be one of the best, the most secure, operating systems in the world, quote unquote. And now we have more people to talk about what makes a secure platform? Are we wrong? Why are we wrong, Justin? Why are we wrong? And where are we not wrong?
Thomas:
1:04
Justin, before you tell us why we're wrong, tell us what would make you qualified to tell us that.
Justin:
1:11
Gotcha. Yeah. I'll try not to run down my whole history. There are a few key points. So, starting my career, was, intelligence community, enlisted in the Marines as a teenager, ended up doing also a few years as a civilian in NSA followed by a few years as a civilian in CIA, had a lot of exposure to, offense, defense, et cetera, from that perspective, then switched over to a number of years of, uh, security consulting, uh, which is where Tom and I first ran into each other, coauthored a book, uh, The Art of Software Security Assessment. Some of you might be familiar with, with, honestly better security people than me. And then the last 10 plus years, until just earlier this year, I was, say. Helped build out Chrome security, kind of, depending on your definition of founding member, I was a founding member of the Chrome security team, ended up being responsible for pretty much all of, or actually all of Chrome security and counter abuse, by the time I left. And that was earlier this year and now I'm retired.
Thomas:
2:21
I feel like we've established now that you're qualified to tell us where we're wrong. I'm uh, I'm trying to get my question around what it was that I said on that first thingy that we recorded. Cause my normal MO is just to like hear a couple words, then randomly reply guy stuff. But I remember us, David, you might remember this better than I do, but like we, we had some thoughts about bug bounties. Like I think I'll look up a perennial thing that comes up in these discussions, it's like, are the major tech firms paying enough for vulnerabilities and is the problem here that they're just not taking researchers seriously enough. And then we had a bunch of thoughts on Rust and whether we can just code our way out of this problem. I'm missing some things now. Cause we babbled for like an hour about that.
David:
3:04
I think roughly kind of where we landed is that it is possible to have major security focused initiatives at big companies. We pointed to some of the things that Microsoft did in the past, their root and branch, so to speak, efforts, that you described as removing strcpy everywhere. You, and I think we're a little more doubtful that anyone could buy their way out of this problem, like buy the entire bug market because you know, markets are markets. Even if Apple decided to spend a billion dollars a year buying all the exploits, they probably couldn't. And then we pulled the numbers out of thin air saying— well, not wholly out of thin air, based off of empirical results from Alex Gaynor and then our own opinions that rewriting in a memory safe language would probably remove 80% of the vulnerabilities in the code base. And then we had this weak kind of notion that iOS and iPadOS are kind of easier to secure than, say, less, because they are a more hardened operating system as compared to a MacBook,
Deirdre:
4:10
With like specifically limited capabilities per application and things like that.
David:
4:15
And a built in sandbox.
Deirdre:
4:18
Yeah.
Thomas:
4:19
I would come out of the gate here saying like, I have like this ironclad conviction that I formed in 15 seconds when the question was put to us in that first podcast. But now it's something I believe forever, that, that like the basic idea of a state sponsored adversary is that they have an unlimited budget and that goes for the United States, but also like, this, uh, Shells, um, or any Billy's, any country that you can imagine, the dollar amounts that we're talking here versus the payoff that you get, um, for, you know, what an exploit buys you versus for instance, having to pay for the health insurance of all the people that will do the human intelligence, those numbers are so small relative to the value that there's no number that the market could realistically come to, where that would make a dent on the market. So. I guess that's like my first assertion. I wonder, Justin, I wonder if you'd want to knock that down. Am I, you
Justin:
5:12
Yeah.
Thomas:
5:12
have direct experience on the state funded adversarial side of this as well. Am I crazy to say that?
Justin:
5:18
Okay. So I, yeah. This is not where I disagreed with you. Um, I actually like the way that I put it, is that really you can't buy or bounty your way out of these problems. You're correct. From the position of a person actually building the software and trying to secure it, they don't have unlimited money, but from your position, they do. Bug bounties, what they're really, actually useful for is after you have some level of maturity and process, the problem is that security teams start to develop like group think, uh, they start to, they start to get very, very blind to anything that they don't see day to day. And bug bounties are amazingly helpful at getting you a steady stream of input on the vulnerabilities that you are not seeing, the stuff that your team wouldn't look for, but then the correct answer to a bug bounty is to go back and, you know, fix your work. Find the scary areas of the code that you didn't know were there, fixing them up, et cetera. On Chrome, we would, you know, you'd see a stream of reports coming in and it's like, "okay! It turns out that DOM objects are very, very loosely bound to JavaScript, um, and people are just getting use after frees there". It's like, oh, okay. Then you designed a way to deeply root them. It's like, oh, it turns out you can blow up the give corner stuff in the renderer and, and you get cold pointers all over the try tree. It's like, "oh, okay". Then you do a partition based allocator structure, where you can dispose of the whole subtree at once. And it's like, okay, now you've done that. But now— it's yeah, it just, it piles on, and that's what it's useful for. That's, that is why I like bug bounties. Okay.
Deirdre:
6:50
Very cool. So it's basically a signal rather than like truly the kind of, trying to use the market dynamics to try and like push one way or the other, it's for you, the defender of the platform or the software project or whatever to be like, tell me what I'm not seeing. And if you're seeing a ton of small things in one area, you can triage that and prioritize that and what you have to do to make that better. Whereas if you're seeing like one or two actually bad things in like one or two areas, like you can, it, that that's kind of what you're. Yeah,
Justin:
7:26
Yeah, exactly. It's like you develop a sense of smell for it? These are the one-offs, it's like, okay, this was just a screw up, but it doesn't seem like a systemic problem. Um, but it's, we're glad people found those, but the real use is the, "oh wow. This is a systemic issue. We have to solve this".
Deirdre:
7:39
Cool. All right. How do you use that to inform how you plan? If you're just like getting a constant stream of like, I could see it being very vulnerable to just like, kind of running around like a chicken with their head cut off and I'd be like, oh, damn, like, there's like a stream of this. How do you use that to inform your planning of what to do when and rearchitect things, if they need rearchitecting.
Justin:
8:05
So this is, into the whole discussion of like, embedded security teams versus what I call the "throw it over the wall" security teams. And the answer is that, uh, so I refer to "throw it over the wall" security teams and like the extreme case of this is external security consultants, where you hire someone to come in, do an audit, you know, every six months or whatever. And, I did that for years. I did it in the federal government. I did it as a consultant. I do not like it. Uh, I learned that it just doesn't tend to work as well because the questions that you're asking about prioritizing and all that, you're not able to do it, right? The people with the expertise, part of those architectural decisions and that, and so from very early on, uh, we were spinning up the Chrome security team, our intent was to have a deeply embedded security team where like large chunks of Chrome code were, uh, owned or are owned by Chrome security. For many years I was one of the eight root owners of the Chromium repository. So I was one of the, you know, one of the people who could approve any change in that.
Deirdre:
9:05
Okay.
Justin:
9:06
There are teams in Chrome security that are like deeper experts on, on some of the core, uh, Chrome code infrastructure, than regular feature teams are. Uh, and so that's, that's how you do it. You have to, I think it only works if you have a, an embedded security team and you've resourced them well enough so that they can make big changes. Yes.
Deirdre:
9:25
Yeah,
David:
9:25
I was gonna say. The bug bounties, have that like sort of third party take use case to drive rearchitecture or for things that aren't necessarily a web browser or an operating system? Like have a big piece of SaaS software or a mid-sized SaaS software, can you get value out of a bug bounty, beyond PR? I guess is the, like the hot take way of phrasing it?
Justin:
9:56
So if you, if, if you're just talking about sort of. What does a bug bounty tell you? It basically tells you, "have you staffed up a halfway decent security team?" Like I will say when we started the Chrome bounty, we were not ready for the barrage of WebKit bugs that we got. And it was just, yeah, it was, it was, uh, yeah, I don't know how to describe it. Um, it was a tidal wave, and it gave us the insight that, oh, we need to beef up our security investment more, and this corresponded with the whole, uh, Aurora incident. Um, it, yeah. So I was part of the response team on the Aurora incident. Um,
Deirdre:
10:32
Tell us, what is the Aurora incident,
Justin:
10:34
Oh yeah. Sorry. The Aurora incident was, um, back in 2009 and 2010, it spanned 2009, late 2009 to 2010. It was when Chinese intelligence compromised, not just Google, but compromised. Google was detected and we found lots of other compromises, et cetera, as part of running it down. One thing that happened after the Aurora incident was— Google took security seriously, but, post Aurora is, it was a world of difference. I'm not saying Google ignored security. They had some very good people, but like the massive focus and investment, I mean, you had Sergey Brin saying he wanted the name Google to be synonymous with security and throwing in the investment necessary to make that happen. And so, handily, as there was a big push to invest in security, we were also able to respond to that bug bounty that we started by staffing up.
Deirdre:
11:23
Have you happened to read Nicole Perlroth's book, 'This Is How They Tell Me the World Ends'? They have an account of the Aurora incident, at the time, as sort of like a history of the zero day market. I think it's quite good, but you were there, so possibly you could tell me about it.
Justin:
11:39
I haven't read the book. I will admit that I've seen several excerpts from the book, and like heard interviews on that that made me less inclined to read the book.
Deirdre:
11:49
Okay.
Thomas:
11:51
All I know. All I know about the book is that they were mean to Dave Aitel. That's like the
Deirdre:
11:56
I
Thomas:
11:56
thing I have about the book is that it
Deirdre:
11:58
mean.
Thomas:
11:59
Okay.
David:
12:00
I have the book on my shelf, but I haven't read it so far.
Justin:
12:02
I mean, a lot of people have been mean to Dave. I think he kind of, uh, revels in it a bit. At some point you have to have Dave on. But, uh, what I would say is one of the fundamental premises of the book seemed to be, you can buy your way out of, uh, security vulnerabilities, which, I guess maybe like the NSA or whatever could audit their way out of it. And, uh, and yeah, I've already expressed, I disagree with that fundamental premise, unless I'm misreading. I see an excerpt. It makes me feel like a misreading.
Deirdre:
12:27
Like this is happening and we are all vulnerable. Like we, users of software, are vulnerable. It's just sort of, it's
Justin:
12:36
Okay.
Deirdre:
12:37
acknowledge, it culminates with like this wave of ransomware attacks across the world in the past year plus or whatever. There's this kind of like, oh, we've got the Shadow Brokers just like releasing these exploits based on this, like five-year-old, uh, zero day Windows they sat on for ages. And now we're all screwed because someone got that out and it got
Justin:
13:00
Okay.
Deirdre:
13:01
I forget which one it was, NotPetya, one of those. And we're all screwed and this is happening and that's kind of the thing. Like there are bug bounty markets, it's not so much that they are good and they solve the problem. It's just that they exist. And also, oh my God, everything is insecure. We're all gonna die.
Thomas:
13:20
I guess that there's like interesting like dynamics. Justin and I have like a shared background in security, like, software security consulting work. Right. And like, there are some actually basic things you learn quickly when you're doing consulting. And one of them is that, even for truly excellent teams that have actually great track records of, you know, doing assessment work, right? Like if you take three different teams and throw them at the same target, there'll be like a 60% overlap or possibly a 70% overlap in what they find, but different sets of eyes will definitely find vulnerabilities. Also. So like one thing bug bounties do is they optimize for the number of different eyes that you get there. Also, like I think the incentives of bug bounties are probably actually good for finding systemic issues because bug bounty people are motivated in a way that consultants aren't to find variants of things. So, as a security consultant, like. What you're really kind of fighting against, um, or you're working against is boredom, when you're going after a target. So like the temptation is always you find a pattern of vulnerabilities, you find the game over formulation of that vulnerability, and then you report it as systemic. Right. And then you've done your job, right? Like I found more than one and here's the game over version. So you have to take it seriously. And now you guys, you're the engineers, you'd go do the work. And bug bounty people have precisely the inverse incentive.
David:
14:33
Are you making a cathedral and bazaar argument?
Thomas:
14:37
Yeah. You know, I said, I used, used it and I immediately regretted it. It was, it was in my
Deirdre:
14:44
Okay.
Thomas:
14:44
at it, and like, you know, it's very regretful and I'll find a different metaphor so that we're not raising, uh, that. My experience with bug bounty people has been like they're incredibly motivated to find and get paid for the most minor variations of things. So like, we've had clients where like, before we got to those clients, they had paid out, you know, several rounds of bounties for like the like redirect vulnerability. You know, it was like an open redirect on a web application. And then like, they fix it with a filter and the filter's broken. Like they report that five or six times. And like the first thing you do when you come in there and say like, you know, okay, we're done with the redirect vulnerabilities. We'll go track them down. But that's the dynamics of how that works, right. Is like you find the pattern of vulnerabilities, then you scour everything for it. Cause you're making money on it. Right. So like that the incentives kind of line up with trying to flush out— I don't know how reliable that is in large scale, like, product work, like Chrome, cause I haven't worked on a team like that, you know, but bounties for SaaS products, that was definitely one of the values that you got out of it. Also like, bug bounty people find different bugs.
Deirdre:
15:41
Yes.
Thomas:
15:41
There's less status involved in the work that they're doing. There's definitely a bias in consulting to look for high status vulnerabilities, or interesting vulnerabilities, and bug bounty people are, I was going to use the word shameless, but it's not shameless. It's like what we're doing is biased, and the bug bounty people that aren't doing it, it's probably correct.
Deirdre:
15:58
if they
Thomas:
15:59
Okay.
Deirdre:
15:59
and they'll get paid for it, they'll submit it. It doesn't matter if it's like
Justin:
16:02
Okay.
Deirdre:
16:03
or the shiniest of the cool or novel or whatever, it's like, does it work? Does it count? Gimme. Here it is.
Justin:
16:10
Yeah, they're just, coaching, coach, coaching. That is their goal. And yeah, there's a— consultants will find you a different class of vulnerabilities. And so far I mean, I spent a lot of time as a consultant. You're kind of going for the flashy report, as Thomas said, and yeah, you get, you see very different things from consultants than you do from, uh, from bug bounties.
David:
16:28
The exploit developers who are like selling to NSO and so on are finding yet another, I'll say maybe not a wholly different class, but they have different incentives again, because they're trying to, one, they're only looking for the game over versions, or they're more interested in things that could turn into the game over versions. And they don't have the PR aspects associated with submitting to the bug bounty. They're trying to develop a product around it.
Justin:
16:53
Yeah. I don't know if it's so much a different class. It, it depends on like which shop they came out of. Right. It's not a huge number of people that are actually doing this, right. You tend to have different people, different styles. I think it, in a way it's about more like, personal style plays into it, but at the end of the day, I think when you were talking about it, uh, you were talking about how it's now become like a service industry. And it's actually been a service industry for a long time. Um, where it was a long time ago that people would just sell a proof of concept and hand it over to, you know, whoever's going to use it in the wild. And now it's like, they gotta keep these things up to date. There are service contracts, stuff like that. It's a, it's a big fricking business. Um, and they have to, they have to support this software. You're not just, "Hey, I found this bug. Here you go." No, there's a, there's a bunch more to it.
Thomas:
17:38
I think we all know that there's like a, the work of actually producing reliable exploits, that's, there's a division of labor. Right.
Justin:
17:44
Yep.
Thomas:
17:45
So. There, there's like the finding of vulnerabilities and qualifying vulnerabilities, and then writing a proof of concept and then fully weaponizing and making them reliable. I guess, like here's a spot where I'm flying completely blind and all of you might know better than I do, but like how much of that division of labor is expressed in the market. Right. Do we think, do we believe that like NSO has a team of people that can take actually bad proof of concept exploits, then they can internally just weaponize them. Like they don't really, they don't have to care about how easily the vulnerabilities are weaponized, or is it the researcher themselves that has to do that work, figuring out how to like bounce through this set of allocations and you know, all that work. And the reason I ask is that like, if it's the latter, if it's the researcher that has to figure out how to make the exploit reliable, then there might be an argument for, um, reducing the supply of those experts, you know, by paying more to bounties and things like that. But on the other hand, if it's NSO doing most of the, or whatever the matter is, right, I'm
Deirdre:
18:40
Might be in between.
Thomas:
18:42
work um, you know, you have a much broader pool of people that can potentially find those vulnerabilities. And then NSO can just full-time the people that can take that work and turn them into reliable exploits.
Justin:
18:53
So accepting that any detailed knowledge I have on this is fairly stale. I think what Deirdre said about it might be in between: from my old past understanding, that's it? Yeah. It, it depends was, was my experience, but this, this is, this is knowledge that today might be stale. Like it's entirely possible things are a lot more productionized than, uh, than they used to be.
David:
19:16
My understanding from the Black Hat talk a couple of years ago. The more reliable your exploit is, the more you will get paid by the firms buying it, as
Deirdre:
19:27
yeah.
David:
19:28
they will spend effectively engineering effort productionizing your ex— but obviously the less they have to do of that, like
Deirdre:
19:37
The better the ROI for
Justin:
19:39
Okay.
David:
19:39
prefer to spend the money to do less of
Deirdre:
19:41
Yeah.
David:
19:41
because everybody wants to spend money instead of doing software development. But I imagine that they have to do some of it anyhow, because they need to, they want to like hook it to their command and control
Deirdre:
19:49
Yes.
David:
19:50
what payloads there's something, even if the use after free is wholly reliable to get whatever they want to send in and they still need to decide what they want to do with it.
Deirdre:
19:59
Exactly.
Thomas:
20:00
Do we think like the white market for vulnerabilities, whatever the word is. Cause white market sounds awful, but whatever, like above board market for vulnerabilities is, we think those vulnerabilities are undervalued right now? I don't know. Right.
Deirdre:
20:12
Apple and like
David:
20:15
What do you mean by above board?
Deirdre:
20:16
Yeah.
Justin:
20:17
You're just talking like bounty programs. Right?
Thomas:
20:19
Bounty programs. Yes.
Justin:
20:21
I don't think it's undervalued. Cause I think you're, cause you're trying to do something different. I mean, like we're at a place where, depends on the vendor. I would say that people who I talked to, they find Apple's terms on their bounty program to be burdensome. So that is one thing. I would say that broadly consider Chrome's terms to be fair, reasonably amenable.
David:
20:44
And those are like the conditions and the terms, not the like price,
Deirdre:
20:48
Correct.
David:
20:49
you submit and when you get to talk about it and when you don't and how they respond to you, type stuff
Justin:
20:54
And also honestly, what, what counts as in scope? What counts as out of scope, et cetera? Chrome has, my position on Chrome is that Chrome has always been fairly open-minded on what counts. Yeah.
Thomas:
21:02
What would you change about the Apple rules, if you could like move in right now and just fix them?
Justin:
21:07
So this is the problem. I haven't actually sat down and read their terms. I've mostly heard gripes. And so I can't say precisely what I would change. My impression was that— actually, you know, I probably shouldn't even give an impression that might be wholly uninformed. Uh, all I know is that the people,
Thomas:
21:23
show
Justin:
21:25
Basically the big complaint that you would get is like haggling over what counts as in scope, um, haggling over what's rewardable, et cetera, being very ambiguously defined.
David:
21:36
What does it mean to like have the, you said Chrome's was more open as to what counts as in scope. What does it mean to do that versus.
Justin:
21:45
So with Chrome, there was, um, a lot of effort put in to get pretty specific about what was rewardable, why, what counted as a security boundary, et cetera, both from an engineering point of view, cause it made it easier internally, and externally it made it easier for people reporting bugs. Like for a bounty hunter, they— bounty hunter, bounty hunter. They don't want to, uh, they don't want to burn a lot of cycles on something that's not going to pay money. Um,
Deirdre:
22:10
What is hard to tease out is, there's prices and it's hard to tease out whether the prices for bug bounties are actually moving markets, are moving people to report to vendors, to the white market, as opposed to the grey market or black market, when you've got these different terms between bug bounties that may also be affecting what gets reported to whom.
Justin:
22:34
Yeah, but I think you ‘re dealing with different groups of people
Deirdre:
22:37
Okay.
Justin:
22:38
in these markets. I don't think there's a, there is obviously going to be some overlap, but I don't think there's a ton of overlap between people who are, uh, who are doing bug bounties, and people who are selling stuff to NSO, et cetera.
Deirdre:
22:51
Okay.
David:
22:53
On my sample size of one, the one person I know who's like sold exploits does not submit to bug bounties. Yeah.
Justin:
23:00
The people
Deirdre:
23:01
Oh,
Justin:
23:01
You interact with the people who do the bounties and they're like, so Chrome's, as an example, actually a perfect example for Chrome's, it's like, you show a memory corruption. We don't require you to prove that it's exploitable. And in fact, I think there's a good chance that Chrome rewards lots of memory corruption vulnerabilities that are not pragmatically exploitable. Um, it's like, this is the line. If you can demonstrate memory corruption, boom. And that means that, it just makes it easier. Cause you don't have to write an exploit or anything else like that. You just have a bare proof of concept, uh, and Chrome's, uh, like the Chrome systems will do the minimization and everything to try to create a reduced test case. So it's, it's relatively low friction. There are a lot of things that Chrome does to incentivize people reporting, um, and to make it easier for reporters. It was just a cultural, it was part of the culture that created the program and it's carried its way through.
Deirdre:
23:50
I love that.
Justin:
23:52
Well, like I said, it's an input channel you want, you want, you want to get that signal? You want to get a strong signal.
Thomas:
23:58
I feel like, like the top note of this discussion is always just the idea that like, a reliable RCE or whatever is, I mean, people on message boards think that, you know, logout CSRFs are worth $10 million or whatever, just like come up with like some percentage of the total market value of a company. And then that's the value of a vulnerability. But like, there's like a general idea that like, you know, a reliable drive by, you know, iPhone exploit or something like that has some kind of market value that we can assign and we should be paying the actual market value for that vulnerability for it. I'm pretty certain I feel like that's wrong. Right? Like, um, I'm having trouble myself putting my finger on why I feel that's wrong. Right. I'll write the second book.
Deirdre:
24:36
They're not one market, it's
Justin:
24:37
Yeah.
David:
24:38
Okay.
Deirdre:
24:39
impossible— if they're not playing in your market they're disjoint. So what are you doing?
Justin:
24:45
Yeah, exactly. That was my take being responsible for that program for several years is that you're dealing with, with different groups of people. There might be some overlap, but I think there's, people have this assumption there's overlap and that's not something that I observed in practice.
Deirdre:
25:01
Basically you can't model them as like, oh, if we raise a price over here that will incentivize the same type of reporter to come over to here. And it's like, no, except for outliers. That's not true. Basically
Thomas:
25:15
I mean just a devil's advocate, right? There isn't perfect overlap, right? Like there's a lot of work that someone who sells functional exploits does that a bug bounty person for the Chrome bounty doesn't have to do, um, you know, and they can go for breadth and depth and the other person has to go for depth and all that. Right. But in theory, if you dial the bonus up enough, you can have the bounty people, you know, flush out— both groups of people have to do that initial kind of reconnaissance work of finding where the vulnerabilities are in the first place. Right? So in theory, if you dial the price up enough, you can have the bounty people finding vulnerabilities before the exploit people
Justin:
25:50
Potentially. Yeah. I should clarify the Chrome bounty program also does have incentives where it's like, hey, look, we will pay you a lot more if you can produce a reliable exploit. And if you chain a series of reliable exploits together to produce like a full sandbox escape, et cetera, within a certain time window, we will like pay you for that entire sandbox escape. And there's a lot of details to the bounty program to try to sort of maximize the, the kind of information that you get and to encourage people. But yeah, at the end of the day, most of the reports are, are, are not people running it down and building a full exploit, etc.
David:
26:26
I saw a talk recently, where they were saying that bug bounties need to allow people to like work on a bug over a period of time so that they can take it from, "I've found like an initial bug" to "I have a full exploit". Like, is that a thing that's feasible to do? Cause it seems like you might just want to go fix the thing. Like if you learn that you have a memory corruption, you might just go fix it before the person writes a full exploit. Even if you did have that type of policy.
Justin:
26:53
No, that's the way that the Chrome bounty is actually structured. So that it's like, you were, you know, it was that first, like the engineering team went and fixed it. But you know, you could still finish up. Cause the idea is you want them to report the vulnerability as quickly as it's confirmed. If you want to encourage that extra research, you also have to have that extra flexibility
David:
27:14
Yeah. Cause I think I saw someone on Twitter was saying they had found the bug that was used by the NSO group on iOS, and they didn't report it because they didn't have a full working exploit yet. They had just located the bug and they were wanting to turn it into a full exploit.
Thomas:
27:31
That's not a good term.
Deirdre:
27:33
Yeah.
Thomas:
27:34
Whatever they're doing.
David:
27:35
Bump, but it was a bug in Apple that was similar. Something that's been passed recently.
Thomas:
27:40
You can see right away the incentives there are terrible. If you've got a, if you've got a condition in your bounty that asks people not to report until they've done all of the work for it, that's awful. See.
Justin:
27:49
But that was, that was, we, we made that mistake when we originally designed the program and started adding like extra things where it's like, okay, you know, for a full, for a full sandbox escape chain, we will get this a lot. And so people started sitting on things, um, and we realized there were some things where like, "Oh, we are updating the program to account for this".
Deirdre:
28:06
Okay, so how does it go now? So how's it go, to avoid that?
Justin:
28:11
Oh, so people can, some can report, um, but there's like a, my recollection is that there's a time window. I'll throw out six months. It might be six months where it's like from when you report the one bug and you can keep reporting bugs and kind of chain it together and develop, uh, you know, a full exploit, et cetera, and kind of keep racking up a higher payout as a result. So you're incentivized to report the first one earlier, because they're also concerned about collisions, right?
Thomas:
28:37
Right.
Justin:
28:38
You do get collisions. I think people dramatically overestimate the volume of collisions, but, um, everybody gets collisions and this was the thing that we had been hearing, like what we heard from good reporters who would regularly report bugs to us. They're like, oh, I found that one, but, uh, hadn't reported it yet because I wanted to develop a full exploit or I wanted to try to use it in a chain. And that's why we revised the program.
Deirdre:
29:02
So basically if you're first you get first dibs, but you get to keep racking up your score if you get like a fully working exploit, repeatable exploit, kill chain and so on and so on. Cool. I like it.
Thomas:
29:16
So if David reports a memory corruption vulnerability to Chrome, without the, you know, without the rest of the exploit chain attached to it. And then I come in, this is a fantasy world where I do browser exploit work, and I'm not totally incompetent at that stuff now.
David:
29:29
A fantasy world where I can do memory corruption at all without screwing up the math. Like I taught intro computer security before, and for the memory corruption part, I would bring someone else in to teach it because I can't subtract two memory addresses to save my life. Even if I could tell everybody where the vulnerabilities were in there.
Justin:
29:46
It was so easy when, when Tom and I started out.
Thomas:
29:49
I remember feeling very cool and special for coming up with shellcode that didn't have any uppercase letters in it. Like for a while. That was like my colleague menu. Yes. I'm, I'm definitely, uh, I, I'm very hearty at this stuff. Here. It's this exploit. I produced it
Justin:
30:00
Or UTF-16 shellcode meant you were like a frickin master. Yes. Yeah, yeah,
Thomas:
30:05
Yeah, it's definitely gotten worse. Right. But, so, so in this weird fantasy world, right, where like David submits the memory corruption vulnerability, and then like, we collide on what the vulnerability is, but I submit the bug chain that goes with it. Do we both get paid
Justin:
30:19
Uh, no. So the program, as far as I recall, is still entirely first come, first served. Different programs have chosen to do this different ways. Some people say, hey, look, if a group of people reports it within this time interval, they each get a cut of it. But the decision was made very early on on the Chrome team that the first person to report is the one who gets the bounty. And then, and part of that's just because when you do put a bug report in, it's just, like there's a certain logistical thing to it. But also I think it's just fair to say the first one to report gets it. Cause then you're incentivizing people to report quickly.
David:
30:50
And hey, Boba Fett doesn't get paid if he's not the person that gets the kid.
Justin:
30:55
Bounty hunters.
Thomas:
30:57
So like, I guess for, years, for a while, I think David was involved in this a little bit. And so it was dear to him, we did some security work for campaigns, and like the election cycle before this election cycle. Big time. Uh, we, we came up with a bunch of security recommendations for, um, kind of ordinary people, like our top line recommendations, like things that we would tell normal people, to try and understand, like the threat landscape would be that, for phones, we'd recommend iPhones, that like every iPhone was, you know, more secure. Or, more broadly, I'll be more intellectually honest about it and just say that at the time we said iPhones, iOS is more secure than Android. But then on the browser side, I would strongly prefer Chrome over Safari. And I would say right now, I still, I kind of stand by the, the, Chrome and the actual Chrome or Chromium project and not spin-outs of Chrome or Chromium,
Justin:
31:46
Should.
Thomas:
31:47
which would be kind of my gospel on what browser to use. And I still tell people, and I believe that iOS is more secure than Android, although there's a meme going around ever since that, um, that Zerodium thing came out where "We're not paying for iOS vulnerabilities anymore!" There are now people that believe that iOS vulnerabilities are despicable. So I guess I, I guess I have two questions, right? So I'm iPhone over Android and I'm Chrome over Safari. So I'd be curious to see your thoughts on whether I'm wrong about that. Then I have a hot question to add to this,
Justin:
32:20
Okay.
Thomas:
32:20
What about Firefox?
Deirdre:
32:22
Yeah. I was supposed to say
Justin:
32:24
All right. So what I would say is that I am personally Pixel over iOS. Uh, it is true that if you're just going to compare, uh, Android to, as a whole, iOS, then you are dealing with a massive and extremely diverse ecosystem. Uh, but, Android deservedly had a bad rap for security; the amount of investment, and the, like everything that went into that over, over many, many years now, I feel has, uh, has changed that game. I think where it gets more complicated though is it's, it's not like Windows, right, where they control the image. They can— and even in Windows, there's like, you know, who did you buy your PC from? It might've had a bunch of stuff, extra stuff on it, et cetera. Um, and that's, and that's the thing, even on Windows, because it's a big ecosystem and not just one vendor that you get, that, you know, you're exposed to a wide variety of, of things. And I, I am very much, uh, on the side of a well configured Windows 10, like a properly configured Windows 10 machine, is a safer bet than, say
Deirdre:
33:35
Hmm.
Justin:
33:36
Oh yeah. I'll, I'll go on that one too.
Thomas:
33:39
I'm with you on that. I'm with you on that.
Justin:
33:41
Yeah, the, uh,
Deirdre:
33:42
If I've learned anything from SwiftOnSecurity, that, that, that's basically true now.
David:
33:47
What does it mean to be properly configured though?
Justin:
33:51
A lot of, there's a lot of that stuff where, stuff that out of the box— properly configured, it is basically, did they install a bunch of bundleware, and Microsoft has gotten really aggressive at trying to prevent the kind of dangerous bundleware, so I think a new Windows 10 machine actually comes relatively safe.
David:
34:06
Yeah. So like a clean install by a power user counts as properly configured.
Justin:
34:11
But I think most of the stuff you're getting in the store, because Microsoft has been so aggressive with the way, uh, the jumpstart incentives and everything works, they can't do the same kind of bundleware they used to see. But yeah, the reason why I would pick Android over iOS is that, or specifically Pixel over iOS is that Pixel you are getting, you're getting monthly security updates, you are getting basically the most hardened version of Android. The browser is a huge, is a massive attack surface, and yes, I will go into detail why I would put Chrome up against Safari any day of the week. But I think that's one of the areas where you have a ton of attack surface, and it's just much stronger. To get into the 'why' of Chrome over Safari.
David:
34:50
Before you say that, I have one question
Justin:
34:52
Yes.
David:
34:53
So, as you know, I interned in Chrome security back in 2016, and I kind of remember the general attitude amongst people
Deirdre:
35:03
people that were not on
David:
35:04
at Google about Android security circa 2016. Has that tone— how has that tone changed? Like, do you think there's been improvements since 2016? Is it, or was
Deirdre:
35:17
Pixel
David:
35:18
good? Everything else having bundleware issues kind of the state of the world back in 2016.
Justin:
35:23
In 2016— they had started the work long before 2016, like point blank Andy Rubin was hostile to the idea of security. Like remember he went and started another phone company and his, he, you know, they listed all of the staff and for the two security roles, it was Andy Rubin's dogs. Uh, like he just, he, he, he didn't conceptually, he, he argued against security. So I would say that things started dramatically improving after Andy left. And we can all agree that that was, that Andy's attitude towards security was probably among the least of his flaws. Uh, it just, it takes time, right? Like, you can't move a ship that big overnight. And it just, it took time and a lot of work and the Android team put in a lot of time, put in a lot of work. I don't know, I've seen a lot of improvements, but it took time for those improvements to, to really have an effect.
Deirdre:
36:11
Okay. This plays to some of the things we were talking about in our first episode about iOS security. What were some of those things that you had to turn the aircraft carrier around to accomplish: architectural? Practices? Give me, give me the meat.
Justin:
36:27
Yeah. All right. So I was not on Android, so this will be in reference to Chrome. Uh,
Deirdre:
36:32
So.
Justin:
36:34
Yeah, but honestly it was— Google's— so the thing about Google that I think,
Deirdre:
36:38
It's like all these orgs, like Android and Chrome
Justin:
36:42
Yes,
Deirdre:
36:42
and then there's like the rest of Google and there's like Search is its own like bastion.
Justin:
36:46
Yeah, exactly. Org, Google operates. I spent a lot of time going in and out of companies as a consultant. I saw the deep internals of how the US government worked in a lot of places. I have never seen the level of listserv, independent organizational process elsewhere that I've seen like Google, and I was in the Marines where a general was basically like, my base is my base and I'm even like, yeah, he doesn't hold a candle to an SVP of a product area at Google. So, yeah. But yeah. I, so, but I can give you examples from Chrome. So site isolation, uh, was like a fundamental rearchitecture of huge swaths of the browser. You had, uh, Nasko Oskov and his team.
David:
37:27
What, site isolation
Justin:
37:28
Yeah. Sorry. So.
David:
37:29
isolation was there before?
Thomas:
37:31
Can you give me a couple sentences that I can just drop on people on Hacker News for site isolation?
Justin:
37:35
That, this is a fair point. So Site Isolation was designed around the notion that, so we have this whole process sandbox. And if you can say, hey, we are going to bind the process sandbox to an origin and say, if you open up something on google.com, only google.com is going to go in this process. So the idea being, instead of having to do a whole bunch of checks all over the code to determine if one origin can interact with another, in ways that, you know, memory corruption in even the renderer process could bypass, you say, no, look, this renderer is google.com. It doesn't get to touch anything outside of google.com and nothing outside of google.com gets to dig into it.
Deirdre:
38:13
And it's HTTPS or HTTP. The origin is HTTPS google.com, not HTTP google.com. Those are different origins.
Justin:
38:23
Yes, so, well, and this is why it's called site— the definition of site is fuzzy because it's not really an origin. So HTTP is kind of in the, in the kennel. You know, that's in the dirty bucket where you're like, eh, we can't actually make guarantees with HTTP, but yes, for all.
Deirdre:
38:38
you, forever now.
Justin:
38:40
Yeah, that is, that is actually the strategy of solving the HTTP problems, to eventually upgrade everything. But, yeah, basically, effective top-level domain plus one goes in its own process. And that just makes, uh, the security reasoning around origins so much simpler, but one of the really nice things it gets you is that if you get code execution inside of a renderer process, so like you compromise V8 or whatever, um, you still have to find a way to bypass site isolation to manipulate any other origin. Like the old model. And this is honestly the way that the other browsers work, uh, uh, yes, still, is that if you get code execution inside the process, you effectively have universal cross-site scripting, but in Chrome, if you get code execution inside the renderer process, you are still bound to whatever origin hosted that. Now there are some exceptions where, um, it's, it's funny. Usage patterns on desktop allow you to do a bunch of coalescing of processes, but usage patterns on desktop are very different from usage patterns on mobile. On mobile, you don't have the same kind of coalescing. So instead of applying site isolation everywhere on mobile, site isolation is— there, there are various heuristics that are used to determine if, oh, this site needs to be isolated. Like one of them being, if we detect that you've logged into the site, then it's like, okay, it definitely needs to be isolated, et cetera. Um, they are doing as much as they can to get the resource utilization down. Yes, it's a resource use thing. And they keep sort of expanding the set of things that can be isolated. But, right off the bat, if you're isolating things that the user logged into, that's already helping a lot. So isolation not, uh, perfect, but it is a huge win. The other thing I would say in terms of like a big advantage of Chrome over other browsers is Chrome has a much more robustly sandboxed process.
The Chrome renderer process doesn't have, uh, access to the network. It does not have access to graphics devices. It does not have access to, the, input events stack, et cetera. Like all of that is split out, because the idea being that, uh, like you remember the old Windows low integrity mode, or for anyone who doesn't remember the old Windows low integrity mode. The problem is that there was a lot of ambient authority because you could fire off events. Uh, so there are a lot of ways to misuse input, to abuse access to the graphics stack. Uh, you had the network, like you had all of these things, and that was why people were always finding escapes out of, uh, low integrity mode. So, from the beginning of the design of the Chrome renderer process, the intent was to have none of that. Okay.

David:
41:07
The renderer doesn't have the graphics card? Is there a separate, actual renderer?
Justin:
41:13
There is a GPU process and the GPU process is sandboxed to the degree it can be. So this is the other piece where it's like people talk about sandboxing like it's a binary state where it's like, no, no, no, sandboxing is an approach. It's like where, what you allow in, what you allow out. There's, there's a tremendous amount of variance there. So it's not the kind of thing where you can say, oh, it's just sandboxed.
Deirdre:
41:35
This goes to something that you might've, you might've been already wanting to talk about, but, you can't mitigate your way out of a failure to isolate your software along its security boundaries. So
Justin:
41:44
Yes.
Deirdre:
41:45
Now, be about sandboxing and other things.
Justin:
41:49
Well, and it doesn't just have to be sandboxing, right? Like there are other ways to isolate. Memory safe languages provide forms of isolation. The V8 team just made the announcement of, I think they're calling it Ubercage or something where, uh, well, cause I think it's Apple already took like Gigacage also. They're a German team. So, you know, uh, but the idea being that they already had to do this thing called pointer compression where the V8 runtime is actually only dealing with a four gigabyte address space. But what they're doing is it's actually quite similar to the design of the old 64-bit NaCl sandbox. They are bounding operations within that address space and they're providing big ranges to block the edges of that address space. So that's another, now, now we're not talking about a process-level sandbox, but we are talking about something that, uh, provides guarantees about confined execution. You can't touch anything outside this address space. Um, and so like they're working on that right now. Yeah, rewriting parts in Rust are another example. There, there's lots of different primitives that you can use to isolate, reduce your attack surface. One of you said, on that episode, something about, uh, how good when dealing with, bundles of, messages
Deirdre:
42:59
Yeah.
Justin:
43:01
something along those lines. And that's, that's my take on
Deirdre:
43:03
And thrust.
Justin:
43:05
it. And this is, this is my problem with— so this was one of my complaints with sort of the Apple strategy that I've been observing. It, it has a very similar flavor to the Microsoft 1990 strategy where it's, uh, is it sort of, aggressive approach to how they deal with vulnerability researchers and deal with the security community. And they, they're layering on mitigations, but mitigations aren't going to solve your architectural issues. You just have to get in there and fix the architecture. Yeah.
Deirdre:
43:32
Would you consider BlastDoor a mitigation or an architectural change?
Justin:
43:39
I have not taken it apart to see. Yeah. And that's the, I don't, I don't understand what it does well enough. Right? Like it's like, okay, you know, we wrote this in a memory safe language and we, and we maximized the seatbelt policy. I would like to see the seatbelt policy to get a sense of what it is. But it depends, right? I don't know if you've, anyone seen me go on a rant against Electron, but. Okay. So my problem with Electron is that with Electron people, people would complain, yeah, they shut off the sandbox. I'm like, I don't care if they shut off the sandbox. I care that every Electron app opens these IPC messages that even if you are sandboxing things, it doesn't matter. It's like the thing on the other side, it's still exposing all of its attack surface. And so I would, that's the thing I would have to. So you'd asked about like architectural things, like process wise, it's very important to have your security team deeply involved. So Chrome has a very solid code review, uh, culture. You have to get a code review, um, from an owner before you can land things, the IPC message system. And when you create your IPC messages, et cetera, that's owned by the Chrome security team. Yes. Interprocess communication. Yeah. Because that's your main, uh, attack surface between, uh, between different sandboxed processes. That has to be reviewed; the normal code review process has to go through one of the, dependent reviewers on Chrome security. And so anytime you are bridging that attack surface, you have someone who, you know, should have sufficient security expertise review to try to catch errors, catch mistakes, catch things where like, oh, you just added a back door and you didn't know it. Um, because it's really, really easy to do that.
Thomas:
45:08
I've, I have so many questions that I won't keep us too long on this, but asked you, right. So, with regards to like the success story for, for Chrome, I guess this is three questions, right? So first of all, when you read published accounts of bug chains and things like that, like, I feel like there's, there's a survivorship bias in terms of what you're reading, like the bugs that we're reading about. It would seem from reading it like that the sandbox thing isn't working at all, right. Like every vulnerability you read about comes with a story about how they then bypassed all the, you know, the sandbox and then got a kernel LPE and things like that. Right. So I guess I have two related, first of all, questions about how successful do you feel like the sandbox is, like, what do you think its success rate is at, you know, at cutting memory corruption vulnerabilities off. And then I guess my other related question is if you had to like, do like a hundred percent of Chrome security and divided it up, sandboxing would own what, 60% of that versus runtime hardening, or 80% of it versus runtime hardening.
Justin:
46:01
Uh, yeah, that's, that is hard to say. There's, there's not a lot of development left on sandboxing. Like in terms of the actual, like ongoing work where it's like, it's the architecture, it's built, it's this way. I would say the next big thing in Chrome is memory safety, but it's something that you have to, like, it's something you have to roll in slowly and carefully. And, um, you know, I made it, I made a comment to all of you beforehand about, you know, you can't, "rewrite it in Rust" is not a strategy. It's just logistically, it's not a strategy. There's way too much code.
Deirdre:
46:29
parts in Rust.
Justin:
46:31
Yes. And I think rewrite parts in Rust makes sense. Then again, there's a lot of things that could be done to fix C++,
Thomas:
46:38
Okay. Hold on, hold on a second.
Justin:
46:40
Sorry.
Thomas:
46:40
We have, we have a good, we have a good segue here, right. But before I let you, before I let you fully take the segue,
Justin:
46:45
Yes.
Thomas:
46:47
Rust, I'm not gonna let you off the hook on Firefox.
Justin:
46:49
Oh, so just by looking at the security architecture, and that I think the Firefox team does very well, but Chrome has a more restrictive sandbox. Chrome has proper site isolation. Chrome has more isolation between different, uh, processes by capability. You know, there's a network process, GPU process, et cetera. So I think Chrome just has a better architecture. I think the Mozilla, they have, um, the architecture, the extent to which they've evolved Gecko to make it safer and more multi-process and they, at least they're introducing a form of site isolation, which is basically address space isolation, um, which will address things, stuff like that. So I think they're doing great work. But I'm still gonna, when I look at the gap and the numbers, I, yeah, I'm going to recommend Chrome.
Thomas:
47:42
So why hasn't Chrome been rewritten in Rust?
Justin:
47:47
Because it's millions and millions of lines of code. So I spent a large chunk of my time on Chrome actually managing non-security teams too. There were just different points where, because of situations I took on, I took on the background team. Uh, I took on the extensions team, uh, enterprise team, like various different teams where I was responsible for— I say team cause more, it's an org than a, more than a team, for, for many of these. But, uh, I, I had to closely learn about staffing and prioritization and all of that and figure out how to balance all those things. And so I look at Rust, uh, and I say, okay, you could not practically rewrite it in Rust. I look at Rust, and, think that I think they're— it's to not be testing out Rust for certain parts of the code, for like, there are tons of places where you could be making targeted uses of Rust. And it's, and it's just the right call right now, Rust is mature enough, et cetera. Then again, I also, I have been trying to, I've been playing with Rust since I, you know, uh, I'm no longer employed,
Thomas:
48:51
What do you think? I started writing Rust like last year. So.
Justin:
48:54
I do not like the developer ergonomics of it so far. I do not like the avail, the, well, and it's, it might take some getting used to. I, it, logistically I have C++ programmers, I of things to add safeguards and partition things, et cetera. I can staff teams. It is hard for me to find Rust programmers. The Rust programmers are probably going to be significantly less productive if only because we, you don't have the full set of like existing code, et cetera. Like there's, it's, it is just a very expensive proposition. Like even in my side projects that I'm doing right now, where I was trying to use Rust, I've given up on using Rust for the majority of the project, because I would have to rewrite a whole bunch of code that I already wanted to use that, uh, that was available. I'd have to rewrite it in Rust and I, and I'm like, this is just an exhausting experience. So instead I partitioned out and it's like, okay, I'll use Rust over here. But I'm not gonna use it for the core of the code. And I think that's actually a reasonable strategy. I wish that the people that started Rust had taken more of a C++ style approach to it, which is, figure out a way to build a bridge between the languages. Uh, it is, it is painful to.
Deirdre:
50:03
Not the FFI interface?
Justin:
50:05
Well, the FFI interface, though, but it's not going to let you import existing code. Right. So now you can write new code. Um, there's actually someone on the Chrome team who, uh, uh, on Chrome security, who's been doing a bunch of work on improving, you know, C++ compat with Rust, uh, because there's still a bunch more that can be done, but like take the FFI interface. You're not getting C++ objects. Right. Because that's not standardized, et cetera. And yeah, it's just, it's hard. Uh, I would say that if there'd been a way to create basically a dialect of C++ that you piecemeal port with similar guarantees to Rust, you wouldn't necessarily get all the same guarantees. I feel like that would have, would just be so much easier logistically.
Deirdre:
50:43
Just have a giant `unsafe` block and just copy paste your C++, and then just fight with rustc until it compiles
David:
50:51
Well, isn't a dialect of C++ also known as Gecko? Like isn't that thing whole just written in macros and macros and macros.
Justin:
51:00
I mean, if you're using macros in C++ you're almost certainly doing something wrong, but, but yes, there are lots of, there's lots of legacy code, there's a lot of terrible, terrible parts of C++. Uh, so I'm not defending the, like the language in its entirety, but the fact is that pragmatically speaking, it's very hard to find something else for something like a browser.
Deirdre:
51:21
You're practically starting from scratch in a lot of areas
Justin:
51:25
Yes.
Deirdre:
51:25
You are not, it's like small pieces. And, you know, I've been working on a whole Rust project for over two years and have, we were only able to get started because we had things like the Tokio async runtime to build on top of, and a bunch of libraries that we built, built on top of. We're also doing a lot of architectural stuff from scratch.
Justin:
51:46
Yeah. And that's, and that's why I just don't think, I mean, look, what happened tried to redo like, or when it became a, you know, it was Netscape at the time and they were like, they were gonna redo their runtime. They did Gecko, et cetera. And even that, that still has a lot of weird quirks of the original engine, but that was years of work for that. And they weren't talking about a different language.
Thomas:
52:08
Last time you checked Chrome, would you, would you say that the Chrome team is in a place right now where, to whatever extent the engineers actually doing the work on the project want to use Rust for things, like if you, if that team spots a part that makes sense to write in Rust, can they do it? Are there any, like, current logistical obstacles to doing it, or is it like the Linux kernel where there's still a huge permissions process to get that work started?
Justin:
52:30
Not gonna throw anyone under the bus. Uh, I will say that there are no shortage of strong opinions. Um, and I think adding a new runtime, uh, adding a new language, uh, et cetera, it's a big, it is always for any sort of stable, mature product. And frankly it's a product that has very high development standards, uh, in my opinion, that's always going to be kind of,
Deirdre:
52:52
contentious. Yeah.
Thomas:
52:53
It's not like Firefox where like the Firefox team spots something they want to do in Rust, they're just going to do it in Rust.
Justin:
52:58
I'll say it's certainly not my impression, but this is the thing. I'm not involved in those discussions anymore. Um, and they, when I left those discussions were, you know, sort of quickly evolving, so they might've evolved quite a bit.
Thomas:
53:11
The thing you'll get from like C++ programmers, and I, I was a C++ programmer, but a long time ago. Right. So people talk about modern C++, I assume it's a completely different language than the one I was reading in 2001. Right. But like you hear modern C++ programmers saying that there's not that much of a security gap between Rust and idiomatic modern, you know, modern C++, kind of the same way you might be able to make that claim about like Objective-C versus C, right? Like if you're using just the idioms, you're probably right. Okay.
Justin:
53:42
I mean, if you're using, avoid, avoiding raw pointers, you know, you're using like owned pointers and shared pointers, but then there's the question of like your compilation options? Like, is your, are your containers bounds checked or not? Depending on how you're compiling it. I, I would say that, I guess the way I'd put it is that idiomatic modern C++ actually opens up the opportunity to introduce some of the core concepts of Rust into C++, but then you're going to have to like break ABI, then you're going to have to get the standards committee on board, et cetera. I think one thing that could just create a sea change is pointer tagging. Because like you look at pointer tagging and you could actually, you can basically write, uh, rewrite your allocator. So you basically have like a GC allocator. You could do things like have an actual security enforcing, um, ASan, like AddressSanitizer, built in, into like a production runtime. If you have that hardware support for something like pointer tagging, uh, what that will do is it will give you many of the memory safety guarantees of Rust. It won't give you all of them. You won't get like that. You won't get the thread safety guarantees, but you will, you will get a number of the hazardous ones. And I, and I do think that that might turn into kind of one of the paths of least resistance for C++.
David:
54:58
I do n’t know. There ‘s silent just a lot of ways for stuff to go awry, even
Deirdre:
55:03
Yeah .
David:
55:03
like barely strcomps everywhere. If you do n’t return a rate from a officiate, the compiler can always warn you and it can silent run like that, you can set compiler flags to help with that sometimes. You by and large do n’t know if a cursor needs to be freed or not. Like if you ‘re using it as an output parameter, your constructors might do god knows what, when, like, depending on how you typed in your low-level formatting ,
Justin:
55:27
But this is where I was talking about. If you have cursor tag in hardware, you can actually make all of that behave far well. your allocator basically becomes like a generational GC, and it ‘s just like rotating through the tags and you can have even more fine grain checks I mean, you ‘re paying the cost in the Silicon, right. But once you pay the cost of Silicon, you ‘re not paying, performance time command processing overhead time for it. So this is the thing. My interview is if you ‘re going to have like far-flung corroborate for, the kind of hardware you need, like pointer tag, soon adequate so that rewriting in Rust, is n’t something that people are seriously considering for large-scale things like, remember Mozilla tried to do the rewrite in Rust with Servo, um, and finally had to give it up and it was a huge undertake .
Thomas:
56:09
I mean, I think a thing you'll get from Rust is,
Deirdre:
56:12
well, also the pandemic hit and they had to lay out, lay off like half of Mozilla. So I don't want to conflate why Servo has not succeeded with just, it was hard to rewrite it in the brand new language we came up with
Justin:
56:24
I don't think it was just, I think the pandemic was a smaller piece of it, but, I don't see Mozilla's financials. So I can't say,
Thomas:
56:32
Rust has like a security-activist, you know, language core.
Justin:
56:36
Yeah,
Thomas:
56:36
And I, you could tell me that C++ has a security-activist standards committee, but I wouldn't believe
Justin:
56:41
I mean, I'm not gonna, I'm not gonna ever say that because it's not true. Now the standards, I, my concern is that the C++ standards committee does not take security anywhere near as seriously as they should. I mean, there's the whole, uh, what's the.
Deirdre:
56:55
Sounds like Andy
Justin:
56:56
Rubin. Well, no, because, um, Andy Rubin was actively hostile to security.
Deirdre:
57:01
Okay. Different.
Justin:
57:02
But, uh, but yeah, there's the whole, whatever the specifier is in C++ to say that you have to check the return value. And there's like a whole debate going back and forth about, uh, like they added it to the standard for 20, but they're like, oh, it's a lot of work to do this for libraries and figure out which thing needs to check its return value and doesn't, then maybe we should just take it out and say, no, the standard library won't always, uh, apply that, uh, specifier. And it's like, okay, that's a terrible idea. And so you get, you get quite a bit of, of this where it does kind of feel
Deirdre:
57:36
does it
Justin:
57:36
there's, there's a lot of good things to learn from other languages. And, I think the people working on C++ standards and the standards can be, should be a bunch more open to learning useful things from other languages.
Deirdre:
57:47
Okay, the rest of discussion. I want a Fuchsia phone. I want a Fuchsia computer, like an end-user Fuchsia computer, not just like, get a, get a board and build Fuchsia for myself.
Justin:
58:00
Not just a NUC with Fuchsia on it.
Thomas:
58:02
I'll be good and say that like, whenever the topic of
Deirdre:
58:04
Yeah.
Thomas:
58:04
Fuchsia comes up, my brain just turns off. I just stopped thinking about it. Like sell me on, sell me on paying any attention to Fuchsia.
Justin:
58:12
I don't know if I could tell you I'm paying any attention on to Fuchsia because I don't know the future of Fuchsia, but I can say is it is a, it is a very elegantly designed system
Deirdre:
58:22
Yes, not just because it's written in Rust with a microkernel. I like the way
Justin:
58:26
Yeah, I would, yeah, I would say that the Rust part is even sort of like a smaller piece of it. It's just like, from an architectural standpoint, like, a process in Fuchsia is not created with any ambient capabilities. Uh, it, yeah, it has to be like, it is born into being with nothing. Um, and you have to, you have to actually consciously choose to hand over capabilities. Like the simplest, like it's a funny story, you look at the sandboxing code for Chrome on like every platform, it's like, there's a whole bunch of work to go shut down all of this stuff that automatically gets turned on for all of these different processes. Where it's like the Fuchsia, uh, crimson agent, like this tiny little thing, that just basically does nothing. Um, except for like set up the IPC channel or whatever. Um, yes. It's a much cleaner design. Uh, a good friend of mine, he's one of the, uh, lead engineers on Fuchsia. Uh, I think he described it as the love
Deirdre:
59:18
yeah
Justin:
59:19
for everybody who doesn't like Windows. You really have to take a closer look at NT. I think most of the things you don't like about Windows are the Win32 things, but the actual NT kernel, the core, the design, it was a, it was a very well thought out, very forward-thinking design. And I think Fuchsia, it took a lot of the best parts of that. And it actually like incorporates lessons learned in that. So it is, it is a, it's a capabilities-based operating system. It actually takes the capabilities part seriously.
Deirdre:
59:50
Yes. And I think the latest I've heard is they are swapping out like the Linux kernel or whatever, the, the base operating system for things like the Nest Hubs or something like that. And they just kind of were able to like push button it out and just be like flip a pin, use Fuchsia instead of what you've been using since the start of your existence. And it just worked?
Justin:
1:00:12
I mean, whenever you have to do, um, firmware updates in the field, you're always going to have some number of things that just rando-fail. Um, but yes, uh, a bunch of the existing Nest devices got the update, um, and it's just a, it becomes a much simpler operating system. It actually, you know, resources quickly, the issue with, the real issue with Fuchsia is that you don't have device driver support, like remember the honest-to-god Linux problems from the mid nineties, where Fuchsia is. Honestly, there's actually a bunch of stuff
Deirdre:
1:00:39
It's not that old. Like you still run into that when you're just trying to plug in random stuff. It's
Justin:
1:00:44
That's fair. Although every, although every, the reason why Linux-based operating systems are so popular for embedded devices is because you do have some driver support for all of that. If Fuchsia has to build up that, uh, driver support, like I have friends on the Fuchsia team, uh, colleagues, et cetera, but I don't have any more insight into it than anyone from the outside would have, but I just, I very much liked the design. I very much, uh, like the decisions they've made. I also look at it as there's, you know, Fuchsia has layers. Uh, it's totally possible to sort of take pieces of Fuchsia and integrate them over time. And I think that's actually, that's probably the best path forward. Then you look at something like the Nest, uh, Nest devices where they, they just, they didn't do a heck of a lot. So it's easy to build that on top of Fuchsia. Uh, but if you're looking at something like an Android device or a ChromeOS device, you would, you would probably start at like, be like, okay, we're going to stop using the Linux kernel because these devices have hardware support for the, uh, you know, these drivers, et cetera. And we are going to swap out the Linux kernel and have a layer here above the Linux kernel. And you would just keep evolving that.
Deirdre:
1:01:47
I like that.
Justin:
1:01:48
That's, that's just my guess. I am not speaking for anyone. I have no insight into how that would work, but I do, it is how it was the thing that makes sense.
Deirdre:
1:01:56
I am a fan.
Thomas:
1:01:57
Justin, you don't come across as a Marine.
Justin:
1:02:03
I'm not, I was, I'm not anymore. That was 20 years ago.
Thomas:
1:02:07
If there was a group of people in a room and I was going to point out the one that was likely to be a Marine, it wouldn't be you. Is that a bad thing to say?
Justin:
1:02:15
uh,
Thomas:
1:02:16
Should I say that you come across as a Marine?
Justin:
1:02:19
Uh, it was, it was an important formative life experience. Um, but, but it's the same point of, I bet you, I could find pictures of you 20 years ago. Uh, it'd be like, that's a very different person than that is in front of me today.
Thomas:
1:02:31
Unfortunately, not. I'm asking just because I'm curious, but of all of the service branches, why the Marines?
Justin:
1:02:38
I mean, obviously,
Deirdre:
1:02:40
The Marines are cool. I knew Marines,
Justin:
1:02:42
Yeah, it was the, it was the, um, it, it was the hardest looking one. I dropped out of an art program. I was at Northern Illinois, uh, up at DeKalb, had dropped out of a graphic— well, they called it, I think like studio art or whatever, at like 19, uh, cause I just got sick of college. I'm like, I'm going to go enlist in the Marines. So that was, yeah, that was how find.
Thomas:
1:03:01
How was that experience for you?
Justin:
1:03:03
Useful.
Deirdre:
1:03:04
Useful.
Justin:
1:03:05
yeah,
Deirdre:
1:03:06
Yeah.
Justin:
1:03:06
I don't know. I think, I think
Thomas:
1:03:08
Okay.
Justin:
1:03:09
people should, opportunities like, broaden their horizons. I think people tend to be, it's very easy to sort of just get inside your box, stuck inside of your perspective. I think also there's like, going to say that I'm, a nice person on Twitter or anything like that, but I see a whole lot of back and forth, where people are making a whole bunch of assumptions about any given situation. And I think it's like, if you, if you've had enough diversity of experience in your life, it gets difficult to make so many assumptions because you're like, Hmm, I don't, I don't know the rest of the details here. So I guess, yeah.
Thomas:
1:03:41
Would you say having worked in the IC changed your views on anything that you work on
Justin:
1:03:46
I think I have a very, very different perspective. Because of, you know, spending
Deirdre:
1:03:51
yeah.
Justin:
1:03:51
years in the intelligence community, seeing this a lot of things from the other side, I also, I am one of those people who was 100% supportive of, uh, compulsory service, not necessarily like military, et cetera, but I think people make a lot of assumptions about how their government works, having no exposure to how the government actually works. And it kind of feels like people don't have skin in the game. So I think, you know, if you want to, like, it's funny, I did the Marine Corps, my brother did the Peace Corps and my sister did AmeriCorps. We all did like very different things, but we all did like some term of government service and I
Deirdre:
1:04:24
Hmm.
Justin:
1:04:26
it's very useful experience.
Thomas:
1:04:28
you feel like people's mental model of like, especially the offensive work that the IC does and computer security, do you think people have a good mental model of how that stuff
Justin:
1:04:39
My knowledge is cold by, by many years now. Um, I think people sometimes make a lot of crazy assumptions. Um,
Thomas:
1:04:48
There's, like a, there's a standing meme in our community that like, once you're at the NSA, when you leave and go back into the industry, now you're an asset. It most frequently comes up with Dave Aitel. I think it might be in Nicole, I think it might be in Nicole Perlroth's book about he's an NSA asset
Justin:
1:05:01
It's hilarious. Because honestly, there are a lot of people at NSA who were like, during there, uh, were not happy with Dave. Like the notion of, uh, like the, left NSA, went to the, you know, line of business that he did, et cetera. Yeah, I don't know, but David's, and Dave's also always been a very outspoken, very brilliant person, um, he's mellowed over the years, surely. Um, but yeah, I do remember, I remember my time at NSA. Dave and I were both in a program called, uh, Snip, which was like a, uh, it's like an interdisciplinary program. And, uh, I, I started it a few years after Dave left. And there were still stories, uh, about, about interactions, uh, or it wasn't even stories about interactions. So it just, people had opinions. But, yes, I am 100% certain Dave has never been an NSA asset after leaving.
Thomas:
1:05:56
I'm a kind of Dave Aitel admirer and that, like, there's a South Park episode, it's called "Simpsons did it" where like the punchline,
Justin:
1:06:01
Yes.
Thomas:
1:06:02
every joke came from the Simpsons first and he was my Simpsons did it for a while. And I, I, I gave up on ever getting ahead of him on stuff and moved into cryptography, which is why I'm here now. And, you know,
Justin:
1:06:14
Yeah, I think, Tom, Dave was a very polarizing figure back in the day. Not just, not just among his former government colleagues, but in general, Dave was a very polarizing figure back in the day.
Thomas:
1:06:24
I also have a lot of admiration for polarizing figures.
Justin:
1:06:27
Oh, I guess I find Dave much less polarizing, but maybe that says more about me.
Thomas:
1:06:32
I have a sort of built-in wonder of polarizing figures to an extent,
Justin:
1:06:36
I also, like Dave, I find his input, uh, very useful. He is, he's genuine. Like, I will say the hardest thing for, one of the craziest things for me was, um, when I started moving into like the privacy space, that there was almost like an aversion to the idea of coming up with threat models and trying to like scope the problem because people wanted the flexibility of not having threat models. It being able to sort of ad hoc, define things in, uh, in, no, this is not like the, now I'm not talking about like a privacy space in terms of like, you know, when, when you're actually like, spec-ing things down to, uh, like can outright levels of all bottle that I'm talking about things like, oh, we put up this new privacy feature. It's like, okay, what's your threat model for that privacy feature? It's like, it's a privacy feature. Yes.
Deirdre:
1:07:25
That sounds nerve-racking though. It sounds like everything's in scope. That sounds very nerve-racking as you as a defender,
Justin:
1:07:32
Yeah, this is the problem that the privacy space is like, like, so I remember the security space back in like the mid nineties or whatever, it was basically lots of security, like lots of AV, lots of security products, stuff like that. Um, not much in terms of like, hey, let's actually reengineer these things. Like, I totally remember what Thomas was talking about with the whole, like, you know, replacing strcpy everywhere. Microsoft actually did care. It actually did put in the time and energy to, to make some significant changes. But the first several years of my exposure was, was, it reminds me of the privacy space right now
Deirdre:
1:08:03
Hm.
Justin:
1:08:04
of people saying, wait, it's a— no coherent threat model. It's like, look, it's a privacy thing. So I guess it's, I don't know. I see. I guess what I'm kind of saying is that I would like to see like, uh, like a Dave Aitel in the privacy space or, or, you know, more people like that who will like directly sort of like call things out when they are, when, when, you know, when it's just ambiguous bullshit,
Deirdre:
1:08:26
This leads me into one of the last things. I think we have time to talk about organizational mentality about security, privacy, in Apple versus not. Maybe that's in Google or in Android or in Chrome. Because it seems like iOS should be very secure. It has good bones, like architecturally. It has good bones. And however, however, they say that they care about privacy, but it's like, define that a little bit more, uh, particularly some of the things that they've been pushing out recently, versus not Apple. And it seems to be an organizational thing because like, we started this show basically saying like, we know so many amazing security and I think privacy people working at these companies, but then, but then it kind of peters off.
Thomas:
1:09:20
I mean, I think,
Justin:
1:09:21
Yeah.
Thomas:
1:09:22
you, you can talk about like there's different engineering disciplines between the
Justin:
1:09:25
Yes.
Thomas:
1:09:26
you guys have good insight into— Justin, scandal. You, you in particular have good insight into the engineering culture differences, like, I feel like Apple's bona fides on privacy engineering are reasonably solidly kind of like they, they did a bunch of work that wasn't published for a long time, but is now published. Like for instance, like the quorum HSM work for the, uh, the, the peg search for iCloud and all that stuff. Right. They, they put a lot of engineering effort into stuff that other people aren't even considering doing. Um, you know, the, the enclave processes and other things, right? Like that was nowhere before, before they did it. Right. They, they do a lot of stuff that they're not required to do. Um, but, you know, just because they take the problem seriously. I tend to come at these things like as a last thing to talk about, I think probably iOS CSAM, probably not the best thing for us to open up right now. Right. But like any technical work that they say or any engineering work that they say that they're doing, or any safeguard work that they say they're doing, I tend to believe them and kind of take them, you know, in, in good faith on that they put the effort in. That doesn't mean it's the correct, necessarily the correct thing necessarily for them to do. My feelings about that are super, super complicated. Right. But like, I wouldn't put that down, right, like to a culture of not caring about that. I think they'd probably like,
Deirdre:
1:10:34
it's I think I'm
Thomas:
1:10:36
Okay.
Deirdre:
1:10:36
at like, it's, it feels sometimes like iOS, macOS security culture is resting on its laurels in terms of good architectural things. But then reintroducing the same bug fixes, like, like they, they fixed a vuln, then it came back and they had to fix it again, like
Justin:
1:10:56
well,
Deirdre:
1:10:56
several releases later.
Justin:
1:10:58
It's the engineering rigor. Um, which so, and this is my personal take. Interacted with Apple quite a bit over my time at Google, particularly when we shared, uh, a code base, uh, with WebKit and, I think it is fair to say that the team in Mountain View was basically doing the security work for both of the browsers at that point in time. Um, and my experience interacting with Apple over the years is they have very good people, but the number of people they have. This is a recurring pattern across Apple. Like the number, the number of people they invested in something like, Apple will put, you know, a person on it. Google will put a team on it. This is, this is kind of like a mentality. Google, Google will over-engineer and overdo things. Uh, I have observed this. Um, but, like you look at, so Apple has been getting a lot of hits for reasonably tricky web standards support, um, basic functionality that works in other browsers, but it's, it's buggy and unreliable, et cetera, and Apple, and this has been my experience. That's sort of a recurring pattern with Apple where they're just, uh, that stuff requires a larger work, just churning through bugs. It's not, it's. So one thing you said about good bones, it's like, I think there are a lot of good bones. I think there are a lot of things with like good designs. I think like I actually think Apple's, uh, design for notarization is actually a very good design
Deirdre:
1:12:26
Yeah.
Justin:
1:12:27
is a design that I think would make, that makes a lot of sense. If you want to get— most of the, uh, basically anti-malware benefit of an app store without actually having to have a closed app store. I think their implementation of it has been awful. Uh, but, but the actual design and architecture and the ideas behind it are quite good. The way, the way you fix that is you throw a bunch more engineers at it to churn through the bug list and, and fix it and make it good. Particularly post-Aurora, security engineering excellence just became a thing at Google. It's like, well, obviously we are amazing engineers. And so our security engineering must be amazing. Um, it's sort of easy to like, to, to work that way. I don't know how you get that— so it was okay. We would throw a whole bunch of people, a whole bunch of engineers to just churn through the bug list. I don't know how you get that same kind of like cultural, I don't know how you get that connection at Apple. Um,
Deirdre:
1:13:19
like paradigm transformation in identity when you haven't had something like Aurora happen to you.
Justin:
1:13:25
Although I feel like they keep having the, like, do keep having these things happen. Right. Remember Microsoft got hit with a whole bunch of worms until they, you know, they had
Deirdre:
1:13:34
Okay.
Justin:
1:13:34
to seriously internalize it. Microsoft actually wasn't hit directly that much. There
Deirdre:
1:13:38
That's true. There's lots of little things.
Justin:
1:13:40
Yes. And I feel like Apple should be at that point where they're like, okay, we just have to accept that this isn't like, this isn't the thing where it's like the whizbang shiny new feature, you market around it. You're good. This is the thing we have, to do it correctly, we need to throw a bunch of bodies at it and they just need to churn through a bug list.
Deirdre:
1:13:56
And practically all over the place. They have to be like embedded and distributed. It's not just like, well, going to throw like a thousand engineers at iMessage and we'll be fine, or, you know, whatever. It, it's all over the place.
Justin:
1:14:09
Yeah, that was good was sort of like the Apple people on, um, on WebKit and campaign, prided themselves on having a fraction of the size of a team that the equivalent Chrome people
Deirdre:
1:14:18
Yeah. But like the bugs, like, you know, that's, you know, maybe you could be pretty proud of that if you haven't had like a zero day in like every, you know, patch, every release. It's like, yeah, this was a zero day vulnerability and it was found by someone else.
Justin:
1:14:34
Yeah. And that's, so that, that is my take on this, that it's, it's one of those things where, when you're one of these big companies, you'll get to a point where you're like, look, we have to, we have to rearchitect things. So there are intelligent things that we can do to make this better. And I do see Apple doing a decent amount of that, but the other piece is, and we have to throw the bodies at it to fix all the damn strcpys.
Deirdre:
1:14:55
Okay.
Justin:
1:14:55
And I don't see them saying— throwing all the bodies at it. Like, no, no, no, new whizbang technology that solves this. It's like, nooooo
David:
1:15:03
It's like an innovation versus maintenance thing. Almost.
Justin:
1:15:07
It very much is. So I think that's just it, it's like my sister works in urban policy and planning and she's like, we don't need people building bridges. We need people fixing the ones we have,
Deirdre:
1:15:15
Yep.
Justin:
1:15:16
People only want to build new bridges.
Deirdre:
1:15:17
Yeah. That's exciting! And fun! And new!
Justin:
1:15:21
It. Yeah. You get your name on the bridge potentially
Deirdre:
1:15:24
Yeah.
Justin:
1:15:24
Okay.
Thomas:
1:15:25
Bringing us back to Fuchsia.
Deirdre:
1:15:26
Yeah. Well,
Justin:
1:15:28
It's a fair point. That Fuchsia is a new thing, but
Thomas:
1:15:32
I don't know how much I disagree with the argument about, like, I think there's a space for big moves too. Right? So.
Deirdre:
1:15:37
It's not like no one's been doing the maintenance on Linux for the last 20 plus years.
Justin:
1:15:43
It's not like Google in particular hasn't been doing a ton of the, particularly the security maintenance. And you have people like, like Kees Cook who is just like, there are times where I'm like, wow, he is like single-handedly the protector— he's not single-handedly, but he's sure doing a lot protecting
Deirdre:
1:15:55
Linux. That feels like it.
Justin:
1:15:57
at times surely. Um, I, there is, there is space to do big new things, but I would say part of the Fuchsia thing is that they're also doing all of the little work to get it right.
Deirdre:
1:16:08
Nice.
Thomas:
1:16:09
I need Kees Cook on just to run us from like 4.* up to 5, just on, there's a blog somewhere, and I try to keep up with it, but there's just so much stuff going.
Justin:
1:16:18
Yeah, the stuff he does is just, this is one of the things I really loved about working at Google. The amount of like just public and open-source contributions that you get, that you get to do, you just, you feel good about that? Um, it's not that there weren't upsides and downsides to being at Google. It's not that it is a perfect company in any way, shape or form, but I'm very proud of the vast majority of what I did at Google. And I liked the fact that I got to make so many public contributions in my time at Google.
Thomas:
1:16:46
I'll ask you one last question, just related to that. So I think a lot of us probably already know about the work that Kees Cook does. Is there someone else besides them that we're not paying enough attention to that your work has brought you into contact with in the field? Come up with one real quick.
Justin:
1:17:01
Um, uh, Abhishek Arya,
Deirdre:
1:17:05
Yeah.
Justin:
1:17:05
Uh, yeah, he, um, so he was my first, uh, you know, you're a mentor for a Noogler that comes on board at Google. So a new employee starts at Google, so he was the first person who I mentored at Google. He was, had just joined, uh, Chrome security. But he's a, principal engineer or director. Uh, he's, he's an exec now, but he's basically responsible for the large fuzzing efforts, like
Deirdre:
1:17:26
Yes, sir.
Justin:
1:17:27
ClusterFuzz, OSS-Fuzz, all of that. It was like literally started as him grabbing interns' workstations as they would leave. Like they would leave for the summer, he'd start grabbing their workstations and would like, was like stacking them under his desk to run fuzzers. Then that evolved from his legs basically getting burned by all of these Xeon workstations under his desk to like moving into the cloud and all that. And now yeah, he's like in charge of an entire team. And just, yeah, that's another one of those things that has just, has a huge impact on the industry as a whole, like, particularly with OSS-Fuzz, um, where they're just basically like, hey, we're just gonna, you know, all of this software is important. We're going to give you a framework for building fuzzers and running against it. It's amazing how much it's evolved and the fuzzing stuff that they've done, they keep incorporating all of the modern advances in
Deirdre:
1:18:18
Yep.
Justin:
1:18:19
the fuzzing in terms of like the different, the app, the input guided, I forget the names of all the
Deirdre:
1:18:23
And the coverage guided and, and
Justin:
1:18:25
Yes.
Deirdre:
1:18:25
they support, they support like AFL and they support multiple different kinds of fuzzers. They, they did all the documentation to help, to help you get a Rust binary, uh, covered and automatically updated. And they'll automatically report. It's a, it's, uh, extremely valuable because I tried to set up an example of ClusterFuzz and I had it and it was like, okay, I could do this or everything could be open and they could report it. I could use to report back to me. And it's like, it's a nontrivial amount of work to just make that project go. And it's highly valuable to just anyone who just sets up a, you know, a fuzz target. It's great.
Justin:
1:19:04
Yeah. You can just, you got your open source software. You can just set up a fuzz target. I mean, it's not entirely plug and play, but it's about as close as you can get to plug and play when you're dealing with fuzzing. Yeah. That whole team.
Deirdre:
1:19:14
You can run your fuzz target as part of your CI. But the whole point is that you got to keep it going. You got to keep throwing the computers at the fuzzing or else you may not get the full value out of it. And that's the hard part that ClusterFuzz solves.

Justin:
1:19:26
I don't get the thing where people have been trying to run fuzz targets as part of CIs. Rather like, I'm, I'm just gonna breathe oxygen for like a minute or two. And then I'm gonna go about the rest of my day. And it's like, no, that's not the way fuzzing works.
Thomas:
1:19:38
Awesome. Okay. Well, uh, I, Abhishek Arya and also OSS-Fuzz. Excellent. Excellent examples. Thank you Justin so much for, for being here.
David:
1:19:48
Thank you.
