DeepSummary
The episode starts with a discussion about the origins of software engineering and how a missing dash in a computer program led to the destruction of NASA's Mariner 1 spacecraft in 1962. This incident highlighted the need for better software testing and reliability, leading to the emergence of software engineering as a discipline.
The guest, Maddie Stone, shares her journey from studying computer science and Russian at Johns Hopkins University to working at the Applied Physics Lab and eventually joining Google's Project Zero team. She discusses her role in analyzing zero-day vulnerabilities actively exploited in the wild and her work on the Pegasus spyware used by NSO Group.
Stone explains the challenges of making zero-days harder to find and exploit, and the importance of collaboration between researchers, vendors, and the security community. She also touches on the ethical considerations of her work and the impact of zero-days on civil society, journalists, and human rights defenders.
Key Episode Takeaways
- The origins of software engineering can be traced back to a NASA incident in 1962, where a missing dash in a computer program led to the destruction of the Mariner 1 spacecraft.
- Maddie Stone, a security researcher at Google's Project Zero, analyzes zero-day vulnerabilities actively exploited in the wild, with a focus on making them harder to find and exploit.
- Stone's work involves identifying and reporting vulnerabilities to vendors, collaborating with the security community, and addressing ethical considerations surrounding the impact of zero-days on civil society.
- Nation-state actors and cybercriminals actively use zero-day exploits, often targeting human rights defenders, journalists, and marginalized populations, highlighting the broader societal impact of these vulnerabilities.
- While progress has been made in detecting and disclosing zero-day exploits, ongoing efforts are needed to address the challenges of making them harder to find and exploit, including increased transparency and collaboration among researchers, vendors, and the security community.
- Stone's journey from studying computer science and Russian to working at the Applied Physics Lab and eventually joining Google's Project Zero highlights the diverse paths and skills that can lead to a career in cybersecurity research.
- The ethical considerations surrounding Stone's work, such as ensuring safe and secure access to the internet for all users, are an integral part of her approach and motivations.
- Stone's optimism and belief in the collective efforts of the industry to address the challenges of zero-day vulnerabilities underscore the importance of continued research and collaboration in this field.
Top Episode Quotes
- “I don't really think of it as a race, unless we're talking maybe in single vulnerability case like, oh, we know this bug is being exploited, it needs to be fixed as fast as possible. That's really the only area that I sort of view as a race.” by Maddie Stone
- “But I do think in the last three or so years, there have been huge improvements across the industry of people working on detection and trying to find zero day exploits, not just brushing it off and saying, this is an unsolvable problem.” by Maddie Stone
- “And we actually got sort of some, like, marketing details about this capability. And so my first job was taking all of those details and seeing if I could figure out what the bug was so that we could patch it and, you know, break the capability.” by Maddie Stone
Episode Information
Darknet Diaries
Jack Rhysider
11/1/22
Maddie Stone is a security researcher for Google’s Project Zero. In this episode we hear what it’s like battling zero day vulnerabilities.
Sponsors
Support for this show comes from Zscaler. The Zscaler Zero Trust Exchange will scrutinize the traffic and permit or deny traffic based on a set of rules. This is so much more secure than letting data flow freely internally. And it really does mitigate ransomware outbreaks. The Zscaler Zero Trust Exchange gives YOU confidence in your security to feel empowered to focus on other parts of your business, like digital transformation, growth, and innovation. Check out the product at zscaler.com.
Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn’t be. Check them out at https://canary.tools.
Sources
https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/yu-vb2013.pdf
https://www.youtube.com/watch?v=s0Tqi7fuOSU
https://www.vice.com/en/article/4x3n9b/sometimes-a-typo-means-you-need-to-blow-up-your-spacecraft