Google acquires Zynamics (techcrunch.com)
51 points by tptacek 2513 days ago | 22 comments

Most of you probably haven't the faintest clue who Zynamics is. They're based in Germany and used to be called Sabre Security. This is Halvar Flake's team; they sell BinDiff (the most popular binary diffing tool in reverse engineering, used by teams around the world to back security patches out to learn about flaws), along with BinNavi, a popular debugger-based reverse-engineering tool.

For the past few years, they've been working on an engine called VxClass that uses control flow graph analysis to automatically classify malware. One presumes this is what motivates the acquisition. Google already scans content on the Internet for malware.

Or it could be mostly a talent thing. Google's been on a hiring tear. Extremely strong software security talent isn't easy to come by. Lord knows Halvar's got it. Zynamics is hugely well-known and respected in the software security world.

Like a lot of folks, I'm curious how this will affect sales of BinDiff and BinNavi (I don't see Google in the business of selling security software); but this should be really good news for Halvar and Co.

Wouldn't it be neat if they just open-sourced them? They almost might as well; both have open source substitutes already, neither could possibly make Google any money.

That's what I'm hoping for.

BinNavi always seemed like it was priced the way that IDA should have been (considering that for what IDA does it's way under-priced).

I am very sure this does not happen because the products (especially BinNavi) are entangled in commercial licenses for 3rd party components.

Are those 3rd party components easily replaceable?

Is it a sign when all the prices and ordering info for their products has vanished off the site? Or is this SOP when a company is acquired?

Kind words - thank you! Halvar wrote a more personal note about the acquisition on his blog: http://addxorrol.blogspot.com/2011/03/wow.html

Thanks tptacek for sharing some insights!

Congrats to my former company! I was lead developer of three of our products (BinNavi, BinCrowd, PDF Dissector) until 5 months ago, when I was tired of the stuff we worked on and bailed out.

Curiously, we always saw HBGary as one of our main competitors. However, we were focused on tech, not shady deals. :)

Curious if you happen to know the answer to this... but some eBooks I've seen, when run through antivirus programs, report being 50% MATLAB. I can't tell where this comes from or if it means anything at all. Does MATLAB in PDF files ring any sort of bell for you?

While Responder Pro and Recon are pretty awesome tools, I'd certainly say that BinNavi and BinDiff are very different and serve different purposes.

What do you like about Responder and Recon? I've never used or seen them (I've used both BinNavi and BinDiff).

They do different things, so I'll give you an overview:

HBGary have a tool called FastDump Pro for imaging memory. What Responder does is it takes (or acquires) a memory image and reconstructs the processes and leftover memory modules. It also reconstructs details of open files, sockets, registry entries etc. at the time of the snapshot.

Responder Pro has a thing called Digital DNA (which backs up nearly all of HBGary's enterprise products) - it's a mechanism that looks for potentially malicious code (I say potentially because it's easily triggered by things like McAfee because it has a load of strings in memory at any one point in time). Digital DNA uses known indicators to look for specific signs of things like keyloggers. It's not 100% but it usually reduces analysis time by a lot.

There's a fairly straightforward disassembler, you can look at strings tied to processes and memory modules, check for hooked SSDT, IDT entries etc., and there's a canvas type function for mapping out a process's structure. There's a C# interpreter for scripting but it's not well documented, so most of our guys don't use it much other than for basic scans for specific things.

Recon comes with Responder Pro and is used to test potentially malicious code pulled off disk in a VM. You define how long it's going to run for, then it runs the code under the VM. You can then go back to Responder and there's an actual slider that shows you all the changes from registry, files, even CPU registers over time, so you can zoom in on your process and see the encryption algorithm in the malware decrypting and flip back and forth, which makes it really cool for basic malware cryptanalysis when you're me and not you :) - it's also handy for extracting 0day from exploit code because you get to see what's being exploited and how, so you can quickly write a cheeky canvas/metasploit module.

There's another tool called flypaper that stops the process in recon from exiting, which can be quite handy.

Although the company's in a bit of disarray at the moment the products are really great for malware analysis, and could be used for exploit dev (but I wouldn't).

I would love to know what the typical acquisition process for Google is like. Where does it start (product team, management, engineering, etc)? How long does it take? How intense are the negotiations? Are deals typically cash or stock?

You probably have to sign an NDA about it.

Indeed we did. Although I wasn't involved in the negotiations proper, I can say from working with Halvar (I'm the BinDiff lead) that Google is a tough bargainer... Intense indeed ;-)

Any idea where you will end up, and what you'll be doing?

We'll work at the Zürich office. We are not (yet) allowed to talk about what we'll be doing.

My understanding is that the level of disclosure depends on the circumstances. For small acquisitions by large companies, it's generally difficult to find information, especially for an asset purchase. For larger acquisitions (and other transactions) by US-listed public companies, if the threshold of materiality is met--usually around 5% of the pre-transaction market value of the acquirer--there will typically be public disclosure of the consideration paid, and sometimes further documentation such as fairness opinions, etc.

That said, the individual employees are typically subject to all kinds of agreements as part of the acquisition, including NDAs.

Halvar is pretty much a baller in the security industry. I met him and immediately knew he was brilliant, even putting all the history and his contributions aside. Talking to him about some of the things I was working on was enlightening.

Kudos to him and his team. BinDiff is a great product.

Congrats to Halvar and the team. They've done great products for years and as 'tptacek says, they've got great security talent.

And kudos to Google -- a great investment in technology and people. Acquisitions aren't easy, so let's hope they can make it work!
