Ad: Manage updates with the Download App
ie8 fix
News.com special report:

Wardens of the Web

Tell us what you think about this storyTalkBack    E-mail this story to a friendE-mail    Add to your del.icio.usdel.icio.us    Digg this storyDigg this

Google: 'We all have to invent the wheel'

By Joris Evers
Staff writer, CNET News.com
June 25, 2007, 4:00 AM PDT

Editors' note: This is part one of a four-day series examining the state and future of Web security.

Douglas Merrill first learned about online security while growing up in Arkansas. A natural geek, he spent Saturdays putting together computers with his dad, a physics professor.

While exploring the wilds of a young cyberspace in his early teens, he encountered bulletin boards run by hate groups. Appalled by what he read, Merrill figured out ways to "play with" membership rolls to convey his opposition.

"I had a goal to try and embarrass all the white supremacists in Arkansas," he said. "Arkansas is a relatively rural state. It is very beautiful. It is an incredible place to be a kid. There was also at the time a kind of unfortunate element in Arkansas that had some pretty strong political views that I pretty strongly disagreed with."

It was this formative experience, combating bigotry, that would teach him the power of technology in society. It was also the beginning of what would later become a guiding principle in his professional life as well.

Google photos

As vice president of engineering at Google, Merrill stands at the forefront of a critical period in the Digital Age as so-called Web 2.0 technologies pose unprecedented challenges to online security. And because it is one of the leading companies and proponents of today's open social-networking universe, Google is at the nucleus of this revolutionary change.

The company creates online services at a rapid pace and was one of the first to adopt new Web 2.0 programming techniques that complicate security because of their interactive nature. Google also provides a large target for hackers: bugs have been found in Gmail, AdWords, the Google Desktop program and many other technologies developed and employed by the company.

Tight security is something of a metaphor for Google, which is known throughout the industry for a corporate culture that is perhaps second only to Apple in its exceptionally tight control over company information. In summer 2005, the company instituted a policy of not talking with CNET News.com reporters in response to an article involving its search engine and privacy. A few months later however, Google ended its boycott.

Recognizing the significance of its role in Web security, Google provided News.com with an exclusive look into its efforts on the issue for this report. Because of its unique station--in March it attracted more visitors to its sites than any other company--Google's efforts in securing its own technologies have exponentially important consequences, reflecting the broader state of security for the Web as a whole.

"We don't yet know what all the things are that can break in these interesting, exciting, new, highly interactive Web applications," Merrill said. "We believe we are at the forefront of a new science. We all have to invent the wheel in Web security."

The monumental importance of that objective is masked by the unassuming surroundings of his department. The security team occupies a small space in one of the buildings on the sprawling Google campus in Mountain View, Calif., that's far from the hardened bunker one might imagine for a mission-critical security operation.

Merrill's office is distinguished by the kennel he's installed for his Dalmatian, whose pictures adorn the surroundings. Other appointments include a soft couch and a Mac with two wide-screen displays.

Next to several cubicles that house other security experts stands a mannequin in full Darth Vader garb. Crew members joke that he's the "friendly face" of Google security. (He's a party relic.)

The core crew has about 50 members, but the importance of security means that all Google employees involved in product development have a responsibility to make their technologies safe.

"The Google way of doing things is to get really smart people and make it very easy for them to do the right thing and kind of hard to do the wrong thing," Merrill said. "We have imprinted these really brilliant engineers at all levels, fresh out of college all the way up to very senior people, with a particular way of building code."

The hyper speed of Web development
If Google's approach toward security is unique, perhaps the reason is that it is the only company among its immediate rivals that grew up in the Web 2.0 era, which was founded on a philosophy of openness and sharing that is stretching the boundaries of what Web sites can do--and how they can protect themselves.

Pullquote

Today's hyper speed of Web development from all corners of cyberspace, not just R&D staffs employed by corporations, has changed the notion of digital security from the days of desktop computing. Microsoft, for example, has been developing desktop software since it was founded in 1975, but it's come to learn security lessons the hard way.

"There is a lot more history in building client-side applications and with history, with practice, the science gets better," Merrill said. "We're much farther up that curve with traditional desktop applications than we are yet with Web applications."

Web security does build on established computing principles of application design and creation, such as input validation and the principle of least privilege, a widely recognized design consideration to enhance the protection of data and functionality from faults and malicious behavior. But because the unprecedented level of Web 2.0 interactivity and development is still so new, the security implications aren't always clear; sometimes, it can actually make security easier.

Next page: 'Security has been in our DNA'



4 comments

Join the conversation! Add your comment
Excellent Reportage
c/net News.com's 25.Jun.2007 story "Google: We All Have to Invent the Wheel" is a fine story: interesting, informative, and thought-provoking. Good Job!
Posted by Veritas_Photo (5 comments )
Reply Link Flag
Behavior check
Hacking into a web site run by someone who's politics Douglas Merrill disagreed with was vigilante action. Messing with their right to associate with people of their choice, messing with someone elses computer, destroying records? <P> Does he still take the law into his own hands?
Posted by Phillep_H (497 comments )
Reply Link Flag
I couldn't have said it better, Phillep
Thank you for your post, Phillep. It sounds like suppression on the part of Google - and if you look at how readily they complied with China's policy of limiting information to the Chinese people, this says quite a bit about Google.
What was once the best search engine out there has lost their edge as a search engine (supplies junk rather than good links) and they have their noses where the nose does not belong.
Posted by Dolphie1 (17 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

CONTINUED: 'Security has been in our DNA'…
Page 1 | 2