Title: Leaving Google
Date: 2024-04-07 14:00

I joined Google November 5<sup>th</sup> 2018, and after 5 years and 4 months,
the 31<sup>st</sup> of March was my last day. During my time there, I've been part of
the Information Security Engineering team, in two different sub-teams:

1. Third Party Security, where I've been working on keeping the
  [monorepo](https://en.wikipedia.org/wiki/Monorepo)'s `//third_party` folder in
  an acceptable shape security-wise. The job involved fuzzing (both internally and
  [externally](https://github.com/google/oss-fuzz/commits?author=jvoisin)),
  security reviews, tooling development (especially in the wake of
  [FedRAMP](https://en.wikipedia.org/wiki/FedRAMP)), ultra-large-scale
  vulnerability management and of course politics regarding what should be
  upgraded, by whom and on what timeline. During my tenure there, I deleted
  around 2.5M lines of code, added 400k and changed 75k, in more or less 2000
  commits.
2. Around the end of 2023, I moved to Sandboxing, isolating questionable code via
   Google-internal sandboxing technologies, to be able to both run it in
   production and sleep soundly at night, as well as producing tooling to make
   it easier to decide and enforce what should be sandboxed.

My [side project time](https://en.wikipedia.org/wiki/Side_project_time#Google_implementation)
was spent on the [GoogleCTF](https://ctftime.org/ctf/141) usually leading the `misc` category,
and on [co-leading]({static}/images/hackeler8_home.jpg) [Hackceler8](https://capturetheflag.withgoogle.com/hackceler8#about).
Both were [resounding successes](https://ctftime.org/ctf/141).

I was based in the [Zürich office](https://careers.google.com/locations/zurich),
which is [ridiculously](https://businessinsider.com/google-zurich-headquarters-tour-2018-1)
[nice](https://officeinspiration.com/en/offices/google_zurich) and filled with
an incredible amount of memorabilia and <del>cluttering</del> souvenirs,
tokens, trophies, experiments, …
The presence of a [bouldering](https://en.wikipedia.org/wiki/Bouldering) gym was
much appreciated. Of course, as anyone who has been there will tell you,
the food is absolutely delicious.

But the best perk was definitely working with incredibly smart and welcoming coworkers,
resulting in things like:

- on my first day at my desk, I was sitting next to [tsuro](https://twitter.com/_tsuro),
  who showed me a Chrome exploit he wrote "for fun over the weekend", throwing my impostor syndrome through the roof;
- my first task was to remove as many JSON parsers from `//third_party` as
  possible, for there used to be a surprisingly **large** number of them. I deleted
  80% of them.
- [Mardi gras]({static}/images/mardi_gras.jpg), and my manager didn't bother
  asking why I was dressed as a pink rabbit;
- I gave a bunch of internal talks: radare2, Nos oignons, Acunetix' Acusensor,
  a header-based `FORTIFY_SOURCE=3` implementation, memory allocators
  benchmarking, stalkerware at the internal *Safer with Google* summit,
  homelab, Snuffleupagus, …
- discussing [NSO's weird PDF machine/FORCEDENTRY](https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html)
  over lunch with people from [Project Zero](https://en.wikipedia.org/wiki/Project_Zero);
- discovering that several coworkers are [OpenMW](https://openmw.org)
  contributors;
- attending the cryptography reading group,
  and being explained [SPHINCS+](https://sphincs.org),
  one of the winners of the [NIST PQC standardization](https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography_Standardization)
  in the signature category, by [one of its authors](https://kste.dk);
- never being afraid of bothering anyone with stupid questions: everyone was
  always super happy to explain, discuss and more generally shit-talk;
- attending the [kCTF](https://google.github.io/kctf/vrp.html)'s
  *Kernel Exploit Reading Club* detailing the latest received exploits,
  techniques used, mitigation strategies, …
- performed security reviews on a wide range of products: new databases, wild
  third-party dependencies, hypervisors, parsers, …
- made good use of Google's "up to $10k matching donations" and assorted
  sponsorships;
- playing the [FacebookCTF](https://ctftime.org/event/781) with coworkers,
  and changing the team's name to `Visit g.co/ctf` once we won it;
- the "popcorn machine incident", followed by the song to get it back, followed
  by the poem to tell us "no, but…";
- launched the *Fashion Friday* on the `metal music` channel, where everyone
  every Friday shared pictures of their current metal t-shirt. It was a
  lot of fun to see that not only people are listening to the same awful music
  as I, but are also proud to wear whatever kitsch apparel to show it.
  Also, since it's metal, band names are hilarious, and it's always hilarious when
  an oh-so-sweet coworker is wearing their favourite "orphan decapitation party"
  shirt or whatever and arguing that their latest albums aren't as good as
  their first EP if only because of the mastering;
- playing the DefconCTF Qualifications at the office, and arguing with
  coworkers about the proper way to use IDA and yelling "no you're the one
  holding it wrong!" over pizzas;
- the "dinosaurs parade";
- the never-presented "Ist das Kunst oder kann das weg?" slide deck about all
  the weird things I've found lurking in `//third_party`;
- realising, multiple times, that the authors of software I'm using or papers
  I've read are/have been coworkers and were sometimes sitting right next to me!
- playing with the internal version of [OSS-Fuzz](https://github.com/google/oss-fuzz),
  and generally the completely overkill/oversized internal tooling,
  infrastructure and computation power. Most of it either deprecated or in beta, 
  sometimes daunting, always aiming for excellence and often approaching it.
- kind of freaked out during my hiring interview, when [Gynvael](https://gynvael.coldwind.pl)
  showed up and said "you put assembly, cryptography and php internals on your
  resume, so I have a question for you." Something about the keyspace of a
  custom PRNG on a 32b CPU architecture implemented in assembly and called from
  PHP;
- arguing with [REWS](https://careers.google.com/stories/how-googles-lobbies-are-designed-from-the-drawing-board-to-execution)
  on why we really do need to use London's office lift to put a car on the last
  floor of the building.
- [got a Swiss knife](https://twitter.com/LeaKissner/status/1085624255381827584);
- and so much more.

<!--
$ gcertdestroy
Do you want to remove jvoisin.loas2credentials (LOAS2) valid for 19h51m0s? [y|N] y
Removing LOAS2
Do you want to remove corp/normal (SSH) valid for 19h59m0s? [y|N] y 
Removing corp/normal
$ echo ':P'
:P
$
-->

The reason I left was that my remote got denied, albeit the golden handcuffs
were definitely becoming heavy to wear, and the Google I joined was
definitely a better place than the one I left. Don't get me wrong, it's still
a great place to work, and I absolutely loved my time there, but I can't wait
to see more of the outside world. I don't have anything lined-up job-wise, so
feel free to [reach](https://dustri.org)
[out](https://linkedin.com/in/dustriorg) if you're hiring remote from France.
