Google acquires Zynamics - tptacek
http://techcrunch.com/2011/03/01/google-buys-security-analytics-startup-zynamics/

======
tptacek
Most of you probably haven't the faintest clue who Zynamics is. They're based
in Germany and used to be called Sabre Security. This is Halvar Flake's team;
they sell BinDiff (the most popular binary diffing tool in reverse
engineering, used by teams around the world to back security patches out to
learn about flaws), along with BinNavi, a popular debugger-based reverse-
engineering tool.

For the past few years, they've been working on an engine called VxClass that
uses control flow graph analysis to automatically classify malware. One
presumes this is what motivates the acquisition. Google already scans content
on the Internet for malware.

Or it could be mostly a talent thing. Google's been on a hiring tear.
Extremely strong software security talent isn't easy to come by. Lord knows
Halvar's got it. Zynamics is hugely well-known and respected in the software
security world.

~~~
m0nastic
Like a lot of folks, I'm curious how this will affect sales of BinDiff and
BinNavi (I don't see Google in the business of selling security software); but
this should be really good news for Halvar and Co.

~~~
tptacek
Wouldn't it be neat if they just open-sourced them? They almost might as well;
both have open source substitutes already, neither could possibly make Google
any money.

~~~
sp_
I am very sure this does not happen because the products (especially BinNavi)
are entangled in commercial licenses for 3rd party components.

~~~
tonfa
Are those 3rd party components easily replaceable?

------
sp_
Congrats to my former company! I was lead developer of three of our products
(BinNavi, BinCrowd, PDF Dissector) until 5 months ago when I was tired of the
stuff we worked on and bailed out.

Curiously, we always saw HBGary as one of our main competitors. However, we
were focused on tech, not shady deals. :)

~~~
iuguy
While Responder Pro and Recon are pretty awesome tools, I'd certainly say that
BinNavi and BinDiff are very different and serve different purposes.

~~~
tptacek
What do you like about Responder and Recon? I've never used or seen them (I've
used both BinNavi and BinDiff).

~~~
iuguy
They do different things, so I'll give you an overview:

HBGary have a tool called FastDump Pro for imaging memory. What Responder does
is it takes (or acquires) a memory image and reconstructs the processes and
left over memory modules. It also reconstructs details of open files, sockets,
registry entries etc. at the time of the snapshot.

Responder Pro has a thing called Digital DNA (which backs up nearly all of
HBGary's enterprise products) - it's a mechanism that looks for potentially
malicious code (I say potentially because it's easily triggered by things like
McAfee because it has a load of strings in memory at any one point in time).
Digital DNA uses known indicators to look for specific signs of things like
keyloggers. It's not 100% but it usually reduces analysis time by a lot.

There's a fairly straightforward disassembler, you can look at strings tied
to processes and memory modules, check for hooked SSDT, IDT entries etc. and
there's a canvas type function for mapping out a process's structure. There's
a C# interpreter for scripting but it's not well documented so most of our
guys don't use it much other than for basic scans for specific things.

Recon comes with Responder Pro and is used to test potentially malicious code
pulled off disk in a VM. You define how long it's going to run for then it
runs the code under the VM. You can then go back to Responder and there's an
actual slider that shows you all the changes from registry, files, even CPU
registers over time so you can zoom in on your process and see the encryption
algorithm in the malware decrypting and flip back and forth, which makes it
really cool for basic malware cryptanalysis when you're me and not you :) -
it's also handy for extracting 0day from exploit code because you get to see
what's being exploited and how, so you can quickly write a cheeky
canvas/metasploit module.

There's another tool called Flypaper that stops the process in Recon from
exiting, which can be quite handy.

Although the company's in a bit of disarray at the moment the products are
really great for malware analysis, and could be used for exploit dev (but I
wouldn't).

------
glj
I would love to know what the typical acquisition process for Google is like.
Where does it start (product team, management, engineering, etc)? How long
does it take? How intense are the negotiations? Are deals typically cash or
stock?

~~~
brang
You probably have to sign an NDA about it.

~~~
BuschnicK
Indeed we did. Although I wasn't involved in the negotiations proper I can say
from working with Halvar (I'm the BinDiff lead) that Google is a tough
bargainer... Intense indeed ;-)

~~~
tonfa
Any idea where you will end up, and what you'll be doing?

~~~
BuschnicK
We'll work at the Zürich office. We are not (yet) allowed to talk about what
we'll be doing.

------
borski
Halvar is pretty much a baller in the security industry. I met him and
immediately knew he was brilliant, even putting all the history and his
contributions aside. Talking to him about some of the things I was working on
was enlightening.

Kudos to him and his team. BinDiff is a great product.

------
jdp23
Congrats to Halvar and the team. They've done great products for years and as
tptacek says, they've got great security talent.

And kudos to Google -- a great investment in technology and people.
Acquisitions aren't easy, so let's hope they can make it work!

