Leaving Google
Sun 07 April 2024

I joined Google November 5th 2018, and after 5 years and 4 months, the 31st of March was my last day. During my time there, I've been part of the Information Security Engineering team, in two different sub-teams:

  1. Third Party Security, where I've been working on keeping the monorepo's //third_party folder in an acceptable shape security-wise. The job involved fuzzing (both internally and externally), security reviews, tooling development (especially in the wake of FedRAMP), ultra-large-scale vulnerability management and of course politics regarding what should be upgraded, by whom and on what timeline. During my tenure there, I deleted around 2.5M lines of code, added 400k and changed 75k, in more or less 2000 commits.
  2. Around the end of 2023, I moved to Sandboxing, isolating questionable code via Google-internal sandboxing technologies, to be able to both run it in production and sleep soundly at night, as well as producing tooling to make it easier to decide and enforce what should be sandboxed.

My side project time was spent on the GoogleCTF, usually leading the misc category, and on co-leading Hackceler8. Both were resounding successes.

I was based in the Zürich office, which is ridiculously nice and filled with an incredible amount of memorabilia and cluttering souvenirs, tokens, trophies, experiments, … The presence of a bouldering gym was much appreciated. Of course, as anyone who has been there will tell you, the food is absolutely delicious.

But the best perk was definitely working with incredibly smart and welcoming coworkers, resulting in things like:

  • on my first day at my desk, I was sitting next to tsuro, who showed me a Chrome exploit he wrote "for fun over the weekend", sending my impostor syndrome through the roof;
  • my first task was to remove as many JSON parsers from //third_party as possible, for there used to be a surprisingly large number of them. I deleted 80% of them;
  • Mardi gras, and my manager didn't bother asking why I was dressed as a pink rabbit;
  • I gave a bunch of internal talks: radare2, Nos oignons, Acunetix' Acusensor, a header-based FORTIFY_SOURCE=3 implementation, memory allocators benchmarking, stalkerware at the internal Safer with Google summit, homelab, Snuffleupagus, …
  • discussing NSO's weird PDF machine/FORCEDENTRY over lunch with people from Project Zero;
  • discovering that several coworkers are OpenMW contributors;
  • attending the cryptography reading group, and having SPHINCS+ (one of the winners of the NIST PQC standardization in the signature category) explained to me by one of its authors;
  • never being afraid of bothering anyone with stupid questions: everyone was always super happy to explain, discuss and more generally shit-talk;
  • attending the kCTF's Kernel Exploit Reading Club detailing the latest received exploits, techniques used, mitigation strategies, …
  • performed security reviews on a wide range of products: new databases, wild third-party dependencies, hypervisors, parsers, …
  • made good use of Google's "up to $10k matching donations" and assorted sponsorships;
  • playing the FacebookCTF with coworkers, and changing the team's name to Visit g.co/ctf once we won it;
  • the "popcorn machine incident", followed by the song to get it back, followed by the poem to tell us "no, but…";
  • launched the Fashion Friday on the metal music channel, where every Friday everyone shared pictures of their current metal t-shirt. It was a lot of fun to see that not only do people listen to the same awful music as I do, but they are also proud to wear whatever kitsch apparel to show it. Also, since it's metal, band names are hilarious, and it's always hilarious when an oh so sweet coworker is wearing their favourite "orphan decapitation party" shirt or whatever and arguing that their latest albums aren't as good as their first EP, if only because of the mastering;
  • playing the DefconCTF Qualifications at the office, and arguing with coworkers about the proper way to use IDA and yelling "no you're the one holding it wrong!" over pizzas;
  • the "dinosaurs parade";
  • the never-presented "Ist das Kunst oder kann das weg?" slide deck about all the weird things I've found lurking in //third_party;
  • realising, multiple times, that the author of software I'm using or papers I've read are/have been coworkers and were sometimes sitting right next to me!
  • playing with the internal version of OSS-Fuzz, and generally the completely overkill/oversized internal tooling, infrastructure and computation power. Most of it either deprecated or in beta, sometimes daunting, always aiming for excellence and often approaching it.
  • kind of freaked out during my hiring interview, when Gynvael showed up and said "you put assembly, cryptography and php internals on your resume, so I have a question for you." Something about the keyspace of a custom PRNG on a 32b CPU architecture implemented in assembly and called from PHP;
  • arguing with REWS on why we really do need to use London's office lift to put a car on the last floor of the building.
  • got a Swiss knife;
  • and so much more.

The reason I left was that my remote request got denied, although the golden handcuffs were definitely becoming heavy to wear, and the Google I joined was definitely a better place than the one I left. Don't get me wrong, it's still a great place to work, and I absolutely loved my time there, but I can't wait to see more of the outside world. I don't have anything lined up job-wise, so feel free to reach out if you're hiring remote from France.