Editors' note: This is part one of a four-day series examining the state and future of Web security.
Douglas Merrill first learned about online security while growing up in Arkansas. A natural geek, he spent Saturdays putting together computers with his dad, a physics professor.
While exploring the wilds of a young cyberspace in his early teens, he encountered bulletin boards run by hate groups. Appalled by what he read, Merrill figured out ways to "play with" membership rolls to convey his opposition.
"I had a goal to try and embarrass all the white supremacists in Arkansas," he said. "Arkansas is a relatively rural state. It is very beautiful. It is an incredible place to be a kid. There was also at the time a kind of unfortunate element in Arkansas that had some pretty strong political views that I pretty strongly disagreed with."
It was this formative experience, combating bigotry, that would teach him the power of technology in society. It was also the beginning of what would later become a guiding principle in his professional life.
As vice president of engineering at Google, Merrill stands at the forefront of a critical period in the Digital Age as so-called Web 2.0 technologies pose unprecedented challenges to online security. And because it is one of the leading companies and proponents of today's open social-networking universe, Google is at the nucleus of this revolutionary change.
The company creates online services at a rapid pace and was one of the first to adopt new Web 2.0 programming techniques that complicate security because of their interactive nature. Google also provides a large target for hackers: bugs have been found in Gmail, AdWords, the Google Desktop program and many other technologies developed and employed by the company.
Tight security is something of a metaphor for Google, which is known throughout the industry for a corporate culture that is perhaps second only to Apple in its exceptionally tight control over company information. In summer 2005, the company instituted a policy of not talking with CNET News.com reporters in response to an article involving its search engine and privacy. A few months later, however, Google ended its boycott.
Recognizing the significance of its role in Web security, Google provided News.com with an exclusive look into its efforts on the issue for this report. Because of its unique station--in March it attracted more visitors to its sites than any other company--Google's efforts in securing its own technologies have exponentially important consequences, reflecting the broader state of security for the Web as a whole.
"We don't yet know what all the things are that can break in these interesting, exciting, new, highly interactive Web applications," Merrill said. "We believe we are at the forefront of a new science. We all have to invent the wheel in Web security."
The monumental importance of that objective is masked by the unassuming surroundings of his department. The security team occupies a small space in one of the buildings on the sprawling Google campus in Mountain View, Calif., that's far from the hardened bunker one might imagine for a mission-critical security operation.
Merrill's office is distinguished by the kennel he's installed for his Dalmatian, whose pictures adorn the surroundings. Other appointments include a soft couch and a Mac with two wide-screen displays.
Next to several cubicles that house other security experts stands a mannequin in full Darth Vader garb. Crew members joke that he's the "friendly face" of Google security. (He's a party relic.)
The core crew has about 50 members, but the importance of security means that all Google employees involved in product development have a responsibility to make their technologies safe.
"The Google way of doing things is to get really smart people and make it very easy for them to do the right thing and kind of hard to do the wrong thing," Merrill said. "We have imprinted these really brilliant engineers at all levels, fresh out of college all the way up to very senior people, with a particular way of building code."
The hyper speed of Web development
If Google's approach toward security is unique, perhaps the reason is that it is the only company among its immediate rivals that grew up in the Web 2.0 era, which was founded on a philosophy of openness and sharing that is stretching the boundaries of what Web sites can do--and how they can protect themselves.
Today's hyper speed of Web development from all corners of cyberspace, not just R&D staffs employed by corporations, has changed the notion of digital security from the days of desktop computing. Microsoft, for example, has been developing desktop software since it was founded in 1975, but it's come to learn security lessons the hard way.
"There is a lot more history in building client-side applications and with history, with practice, the science gets better," Merrill said. "We're much farther up that curve with traditional desktop applications than we are yet with Web applications."
Web security does build on established computing principles of application design and creation, such as input validation and the principle of least privilege, a widely recognized design consideration to enhance the protection of data and functionality from faults and malicious behavior. But because the unprecedented level of Web 2.0 interactivity and development is still so new, the security implications aren't always clear; sometimes, it can actually make security easier.
Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara