In the high-stakes world of casino gambling, some of the most effective security professionals that casinos hire to protect their fortunes are the very people who once tried to steal those fortunes for themselves.


It makes sense for casinos to hire former cheats. They know the tricks and the scams, they can think like a cheater, and if they’re working for you, they’re not working against you.


Google’s Gang: A Hacker Dream Team


Google, it seems, is taking the same gamble with the best hackers as the casinos always have with the best cheaters.


When George Hotz — one of the most proficient hackers in the world — became the first person to successfully compromise Apple’s iPhone and Sony’s PS3, both companies took legal action against him.


When he hacked the Chrome browser, however, Google took a different route — they offered him a job.


Hotz is the latest and highest-profile addition to Project Zero, Google’s ambitious new undertaking to assemble the most elite team of “researchers” in the world. These researchers are often people like Hotz — creative and technological geniuses who used their talents to walk the dark side of the Internet. Google has brought them together not to commit corporate espionage, not to disable or attack competitors, but to beef up security by paying the best hackers in the world to exploit their systems in the search for vulnerabilities.


Like casinos hiring card cheats instead of prosecuting them, Project Zero brings together the world’s best hackers to educate Google on where its weaknesses lie.



One of Project Zero’s top priorities is shoring up Google’s defenses against the threat that is also the team’s namesake — a zero-day vulnerability.


Zero-day vulnerabilities are holes in software that the software’s vendor doesn’t yet know about. A hacker exploits a zero-day vulnerability to plant something such as spyware or other malware. Once the vendor becomes aware of the infiltration, it scrambles to come up with a patch, a fix for the exploited flaw that is released as a security update. Companies often release patches on a regular schedule, as Microsoft does with Patch Tuesday.


In a post on Google’s Security Blog, the company wrote, “Our objective is to significantly reduce the number of people harmed by targeted attacks. We’re hiring the best practically-minded security researchers and contributing 100 percent of their time toward improving security across the Internet.”


By having the Project Zero team find holes before the bad guys get to them, Google could get out in front of the zero-day tit-for-tat game that has put software vendors on defense since time immemorial.

Defending Google or the entire Internet

But Google didn’t stop there. The blog post also stated that “We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.”


Although Google stopped short of saying that the team would work in collusion with other firms, or even that it would share the information it garners, there is speculation that Project Zero could be an Internet-changing event.


Recently, Wired reported that the team’s ambition is to “apply Google’s brains to scour other companies’ products. When Project Zero’s hacker-hunters find a bug, they say they’ll alert the company responsible for a fix and give it between 60 and 90 days to issue a patch before publicly revealing the flaw on the Google Project Zero blog. In cases where the bug is being actively exploited by hackers, Google says it will move much faster, pressuring the vulnerable software’s creator to fix the problem or find a workaround in as little as seven days.”


Theoretically, this could position Google not just as the undisputed king of search, but also as the Internet’s de facto chief security officer.


The NSA antidote: stopping the spooks


It is important to note that the Google Security Blog also stated that “You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of ‘zero-day’ vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop.”


State-sponsored actor. Monitor your communications. Industrial espionage.


It is difficult to argue that this statement could be anything other than a thinly veiled reference to the National Security Agency’s domestic-spying program revealed by contractor-turned-whistleblower Edward Snowden. There is wide speculation that — on top of its primary mission of bolstering security both for Google and the entire Internet — Project Zero will work to become a counterweight to the massive, intimate and still-largely unknown power wielded by the NSA.


Wired notes that when the NSA was spying on Google users by intercepting data as it was being transferred between the company’s data centers, the company scrambled to encrypt those transfers. After that, it announced a Chrome plug-in that would encrypt its users’ email, and said that it would publicly reveal which companies do and don’t allow their email to be encrypted.


Whether Google felt betrayed or used by the NSA — or if it simply wants to instill confidence in a climate of widespread public suspicion regarding all things digital — Project Zero appears to be at the forefront of Google’s attempt to establish a buffer between their users and the unbridled power of America’s spy organizations.


Project Zero not only gives Google the combined power of the world’s most feared and revered hackers, but it ensures that they won’t be launching attacks of their own on Google any time soon. But — if the project’s lofty goals come to fruition — it could mean a lot more than that. Project Zero could usher in a new era of security for the entire Internet and provide some balance against the seemingly unchecked power of the NSA.