Credit to Author: Lily Hay Newman| Date: Sun, 25 Oct 2020 11:00:00 +0000
To revist this article, visit My Profile, then View saved stories.
To revist this article, visit My Profile, then View saved stories.
Even with a knee injury, Maddie Stone is formidable. As she sets up to do modified circuits at her San Francisco Olympic weightlifting gym—essentially a glorified garage and driveway that have been converted into an indoor/outdoor workout space—she’s totally at ease, even gleeful despite the chilly January fog. I joke nervously that if I end up puking in a trash can while Maddie is crushing reps, it’ll at least make for a good anecdote. Casually setting the clips on her loaded barbell she flashes one of her trademark grins. “You could probably make it happen!”
Stone’s smile and easy laugh may be her most recognizable traits, but her determination reveals itself quickly, too. Her bum knee has been keeping her from doing her preferred workouts—everything from wall stands to the rowing machine is now off limits—so she settles for modified lifts and grinds away on upper-body machines. (“Now is the time to get Michelle Obama arms.”) After years playing competitive tennis in her youth, Stone, now 29, is more used to knee surgeries than she would like. Moving her focus to Olympic lifting and hiking during her twenties didn’t help. Last year she even summited Mount Kilimanjaro.
Stone is a prominent researcher on Google’s Project Zero bug hunting team, which finds critical software flaws and vulnerabilities—mostly in other companies’ products. But her journey through the ranks of the security research community hasn’t always been easy, and has galvanized her to speak openly, often on Twitter, about the need to make the tech and engineering industries more inclusive.
“When you see that you’re physically strong, that translates to so many other mental aspects,” she says. “I think it helped me in situations like my first job [at the Johns Hopkins University Applied Physics Laboratory] where I was in lots of rooms with many men from the military. I was like, OK, I can do pushups. I can deadlift 305 pounds.”
Even while dealing with injuries, Stone can move serious weight. As the workout comes to a close, she offers me some final pointers on “Turkish Get Ups,” in which you hold a kettle bell over your head as you move from laying down to standing in a specific progression. For a beginner, and even pros, the carefully choreographed motions require a certain trance-like concentration. In a way, this is exactly what Stone is seeking from all her squats, lifts, and treks: dedication to and focus on something she loves that has nothing to do with her professional life.
At Google’s Mountain View campus, 40 minutes south of her gym, Stone’s job could easily be all-consuming. She joined Project Zero in 2019 after two years working on the Android security team, where she was hired for her skills in hardware and software “reverse engineering.” It’s a discipline where you take unknown code—in this case, some of the most sophisticated malware in the world—and deconstruct it to see what makes it tick. Once you’ve done that, you can figure out how to defuse it.
Stone eventually rose to lead a team that studies and neuters the Android malware actively used by criminals and nation state hackers.
“There was such a clear, direct impact,” Stone says of her Android-focused work. “I find these potentially harmful apps, I flag the malware and the defense we develop propagates to 2.8 billion devices. It was just such a massive, tangible impact that most people don't get in their jobs.”
Some of the work involved countering one-off hacking tools, but other times got more personal. Stone and her colleagues once spent 18 months battling a botnet maker intent on infecting Android devices and skilled at circumventing deterrents. While the fight was still raging in the summer of 2018, Stone gave a talk at the Black Hat security conference in Las Vegas about features that helped the botnet malware avoid being analyzed. Within 72 hours, Stone says, the attacker group started altering each of the features she had touched on—despite the talk not being made public.
Her experience on Android made Stone a natural fit when Project Zero decided to expand. Finding previously undiscovered software bugs and motivating developers to patch them quickly is core to the group’s mission: “Make zero-day hard.” But in 2019, the team broadened its focus beyond just disclosing unique zero days the researchers found themselves to tracking and studying those that hackers actively exploit in the wild—the exact types of flaws Stone had been stamping out on Android.
“The key thing to remember is that the problem we’re working on is not theoretical. These are issues that are affecting real people, cause user harm, and have an impact on society,” says Ben Hawkes, who runs Project Zero and was one of its founding members. “So the idea was essentially to create a hybrid role within Project Zero.” Stone would bridge the gap between combing code to find individual flaws and looking at how attackers behave and evolve more broadly.
Essentially, Stone helps give Project Zero a longer view, working to understand what makes certain vulnerabilities valuable to hackers and how to make it even more difficult and costly for them to find and exploit those types of bugs.
In her first year at Project Zero, Stone has investigated dozens of actively exploited software flaws to determine how each one works, whether the techniques it uses are novel or widespread, what tools attackers may have used to find the initial bug, and whether structural improvements in software could make whole classes of exploits more difficult to craft.
“A lot of the findings so far have been things that we weren’t quite expecting,” Stone says, “And my ultimate conclusion from that has been that we actually don’t have enough data yet to do this work the way we want to.”
For example, Project Zero’s tracking spreadsheet for actively exploited zero days currently shows 15 examples that have come to light this year. Three of those were found in security scanning tools like antivirus software. Stone points out that this number of AV-related entries is surprising given how modest their user base is relative to massive platforms like Chrome, Windows, or iOS. But it’s difficult to tell whether they’re especially vulnerable, or other actively exploited zero days remain undiscovered.
“Basically the data shows us that we are probably missing quite a bit,” Stone says.
With too many exploited zero days still slipping by, Stone's most important job isn't just to check the mouse traps. It’s to figure out how Project Zero and the security industry as a whole can build a better one.
Growing up in Rockwall, Texas, a small town east of Dallas, Stone was surrounded by friends whose brothers and uncles had fought in US wars or were being deployed, especially in the wake of the September 11 attacks. Every morning, school started with the pledge of allegiance, then the Texas state pledge of allegiance, then a moment of silence.
“That’s just the atmosphere I grew up in, that the best way to help the world is to support your country,” Stone says.
Rockwall sits on Lake Ray Hubbard, a reservoir that was dammed in the late 1960s. Though it’s close to Dallas, Rockwall was more isolated until Interstate 30 was extended over the lake in the mid 1990s, reducing commute time into downtown Dallas. Stone’s mother was the manager at a law firm in the city and her father worked for an investment firm there. He later became an elementary and middle school teacher in Rockwall.
As a kid Stone wasn’t taking apart electronics, coding after hours on a basement PC, or getting up to any of the other typical hacker tropes. Instead, her early interactions with technology reflected a mainstream millennial experience. In the early 2000s, her first AIM screen name was Keepsmilin27—a moniker that sounds juvenile and cringeworthy to Stone today, but encapsulates her sunny personality even now.
Other than crafting the perfect AIM away message or playing Reader Rabbit and Math Blaster, computers were far from Stone’s mind. “My big computer thing was using tie-dye word art on tie-dye backgrounds in PowerPoint presentations,” she says.
In seventh grade, Stone barely made the tennis team; by the next year she was the top player. “That’s when it switched and became everything I wanted to do,” she says.
Her father, Steve Stone, remembers her independence, drive, and confidence developing at a very young age. But watching her play tennis in those first years revealed something even deeper.
“I remember her first club tennis tournament after she had just picked up tennis in seventh grade,” he says. “Somehow she made it to the finals and was playing against a girl who was ranked. It was three sets and Maddie ended up losing, but she had no business giving this girl such a run. I just thought wow, this kid has something very, very special—there’s a grit that I don’t see often in kids. So that’s when I started calling her ‘Maddog,’ because she just would not give up.”
In high school, Stone had thought that she wanted to pursue interior design. But the idea of serving her country also stuck in her mind. In the summer before her junior year of high school she attended a program focused on national security and intelligence through the National Student Leadership Conference. Visits to the National Security Agency, Central Intelligence Agency, and Pentagon piqued her interest in defense work, although she still found it opaque.
Meanwhile in high school, she took honors and Advanced Placement courses and had strong grades, but wasn’t focused specifically on math and science. Her high school didn’t offer AP Calculus, so she attempted to do the class as an independent study. Stone struggled to grasp the concepts in such an ad hoc environment, though, and had a similar experience with a computer science independent study. She picked up some rudimentary skills, but “nothing that prepared me for introductory programming at a university.”
When it came time to apply for college, Stone’s father thought her interest in national security and math might open up promising career paths. So standing in the family’s living room he made her an offer: Apply everywhere as an engineering major, and he would give her 15 bucks. “I just needed that $15 to go to the movies with my friends,” Stone says. “So I chose computer engineering. I didn’t even know the difference between computer science and computer engineering.”
She had heard, though, about “computer forensics,” thanks to Tim McGee, the resident hacker in the police procedural NCIS. Stone started watching the show in early high school with her mom after it had already been on the air for a few years. One Christmas, her parents even got her the DVD box sets of the seasons she had missed.
“It always had this very positive ‘we’re helping people, we’re saving the world’ type of direction,” she says. “But there was something about McGee. Through computers he seemed to solve these insolvable problems.”
Stone was waitlisted at all but one of the elite universities she applied to. The exception was Johns Hopkins University in Baltimore—also the (fictional) alma mater of none other than Tim McGee, a coincidence not lost on Stone.
During admitted students day at Johns Hopkins she wasn’t getting a McGee vibe from the electronics and hardware-focused demos at the computer engineering event. So she and her dad went to the computer science open house nearby. “I’m really interested in computer forensics like McGee from NCIS,” she told Gerald Masson, a longtime Hopkins computer scientist who founded the department and was its first chair. She expected him to laugh at her, not get the reference, or both. “We can do that,” Masson replied. “We can make you McGee.”
Especially in the first couple of years, Stone often thought about dropping out of the program. She hadn’t taken the usual foundational courses, she was constantly playing catch-up while learning C and C++, and as the semesters went by she felt mired in esoteric algorithms. With all of this weighing on her, she struggled to get recommendations from professors for internships. But her Maddog determination prevailed.
“My grades and knowledge did not reflect any sort of expertise at that time, but as a student I remember feeling like, ‘why doesn’t everyone see that I’m going to be competent at this?’” she says.
As an undergraduate Stone applied to dozens of computer science-related internships. While other students in her program racked up work experience during summers and school breaks, she landed only a single interview. Since she was a Russian minor—a nod to possible future national security or intelligence work—Stone eventually elected to study abroad in Moscow, an opportunity to differentiate herself from her peers. Finally Stone clinched a technical internship at the defense contractor Booz Allen Hamilton for the summer before her senior year.
“I really just needed one person in one company to say, ‘yes, we’ll give you a shot,’” Stone says. “It’s such a different experience once you have that one job on your resume.”
Stone graduated from Hopkins with an offer for a research-focused job at the Johns Hopkins University Applied Physics Laboratory. Located in the Maryland suburbs between Baltimore and Washington, DC, APL is a specialized defense contractor that can take on difficult or hare-brained moonshot contracts, because the organization is a university-affiliated nonprofit. Stone joined the firm as a red teamer, or a hacker who tries to attack the organization they work for to find weaknesses before real bad actors do. In college Stone had shown a particular aptitude for “assembly,” a type of low-level machine code. So Stone’s supervisors at APL had her focus particularly on reverse engineering, looking at applications or Internet of Things devices, and working backward from the finished product to understand how their software works. Imagine being handed a soufflé and having to figure out the ingredients, proportions, and cooking techniques that make it delicious and fluffy.
Stone’s first reverse engineering project was to see if she could ferret out an attack method for an embedded device through its data port. In other words, she was looking for any vulnerabilities that could be exploited for hacking. Her sleuthing began with reconnaissance to understand how the device handled information that flowed in and out of the port and what system functions it could control. You can’t hack a smart home controller to open a garage door if there’s no garage.
Reverse engineering is all about pattern analysis and instinct. Surrounded by blinking servers and deconstructed computers in one of APL’s frigid electronics labs, Stone identified a mysterious function that seemed like it could potentially enable an attack. She spent hours and then days attempting to reverse engineer the suspicious feature. On the fourth day she managed to draw back the digital curtain—she had uncovered the measly print function.
While it seemed like a letdown, Stone eventually realized that her gut had been correct. As mundane as the print function sounded, she realized that she could in fact exploit it as part of an attack chain against the device.
In more than four years at APL, Stone delved deep into her field, and eventually oversaw a massive working group for reverse engineering within the lab. She began attending regional security research conferences like ShmooCon in Washington, DC, and even presenting talks. But as she started to come into her own professionally, Stone still faced challenges from the gender imbalances in her industry and colleagues and peers who underestimated her.
“She does stick out in our field,” says former APL colleague Mary Ann Saunders. “She wears floral dresses, she’s not the stereotypical engineer or hacker you have in your mind. But that’s something she and I connected on at the lab, because I don’t have a traditional background either.”
While still trying to envision a place for herself in the security research community, Stone remembers attending a conference where she was repeatedly mistaken for a recruiter, as if she couldn’t possibly have a background in hacking and anyone who wasn’t an engineer was insignificant.
“In some ways my ignorance of hacker tropes and stereotypes probably helped me out, because I didn’t really know that I wasn’t the stereotypical hacker,” Stone says. “To know what was being said sometimes, like ‘Oh, this person isn’t technical and doesn’t really belong here.’ It stunk. I didn’t feel included.”
About three years into her tenure at APL, Stone realized that the lab didn’t offer guidelines for what types of political speech its employees were allowed to make and whether they were allowed to participate in peaceful protests about political issues. So she worked with some colleagues to lobby for clear standards. Though the lab didn’t circulate anything at the time, her former coworker Saunders says that when Black Lives Matter protests gained momentum this summer in the wake of George Floyd’s killing, the lab finally issued guidance.
“Maddie definitely wasn’t shy about asking those questions and pushing things forward in a way that others weren’t, regardless of gender,” Saunders says. “She has always been herself and never tried to fit in.”
All the while, Stone was also dealing with another challenge: Her mother, with whom she had a difficult relationship, had been sick with multiple sclerosis since her senior year of high school and suffered a precipitous physical and mental decline beginning her sophomore year of college. To cope after graduation, Stone threw herself into her life and work in Baltimore. She joined an improv group and her first Olympic lifting gym, and took up hiking to get outside more. She also joined Twitter to connect with the security research community around the world.
In June 2017 Stone gave a reverse engineering talk at a conference called Recon that took place in Montreal that year. Within weeks a recruiter from Google reached out to her about joining the Android security team.
“My mom passed away in January 2018 three months after I uprooted my life and moved to California for Google,” Stone says. “And yet 2018 was one of my best work years. When other things seem very hectic in our lives, doing good work, solving challenging problems that don’t have easy answers, and trying to make the world a little bit of a better place has always been an outlet for me.”
For all the menace and mystique around hacking tools, actually shutting one down is a bit of an anticlimax. A researcher discloses the vulnerability that the weapon is taking advantage of, the company (hopefully) fixes it, and that’s that—even when the malware in question is some of the most dangerous in the world.
In her first weeks at Project Zero, in late summer 2019, various Google security teams had heard reports from outside researchers that hackers were actively exploiting an unknown Android vulnerability. The evidence pointed to the Israeli cyberarms dealer NSO Group or its customers, and they seemed to be exploiting the bug to infect target devices with NSO’s Pegasus spyware. NSO Group did not return WIRED’s request for comment.
"When she sees something that’s wrong going on in an organization she will speak her mind. She does not take any shit."
Amanda Rousseau, Facebook
Stone’s first assignment: Track down the bug. The tip Google had received didn’t come with a treasure map, but it did include some details about the attack that could be used as clues about where to look for the vulnerability. Observers had already established that the bug Stone was looking for allowed an attacker to gain system privileges by manipulating the kernel, or fundamental core of the operating system, through a flaw in how the system managed memory. And an attacker could even exploit the bug from within Chrome’s protective and restrictive “sandbox” designed to stop exactly that type of behavior. The vulnerability was also only exploitable on Pixel 1 and 2 smartphones, not the more recent Pixel 3 and 3a.
Stone started poking around Android like a malicious hacker would, looking for a weakness and corresponding exploit that fit the description she had been given. As a new member of the Project Zero team she felt pressure during those days to produce a result; the stakes were even higher because it potentially involved a tool made by a notorious exploit broker. Thanks to her Android expertise, though, and collaboration with her Project Zero colleague Jann Horn and others, it took Stone just a few weeks to finally close the case.
The vulnerability Stone had sussed out was so serious that Project Zero decided to give only seven days' notice—to Google itself—before going public, instead of the usual 90. But because this was her first assignment, Stone had never even filed a bug in Project Zero's issue tracker. She had to ask a teammate for help.
"And then I hit enter and the nervous energy really started," Stone says.
Through finding and disclosing a software bug, she had neutered a cyberweapon that was in active use; she had “burned” a zero day. But there was no Hollywood explosion or dramatic flourish. As Stone drove home later that night, no one outside a small cadre of security professionals had any idea that she had just caused a small stutter in the intricate dance of global cyberespionage.
Software is always going to have bugs and flaws. The goal isn’t to find every single zero day. Instead, it’s to raise the barrier to entry for attackers. In a way, that reflects Stone’s approach to all facets of her professional life: Make it harder for people to do the wrong thing and easier to do what's right.
“Her personality is so bubbly and happy it just makes you want to be excited about reverse engineering,” says Amanda Rousseau, a security researcher at Facebook and fellow reverse engineer who has worked with Stone to offer reversing workshops at cybersecurity conferences. “But she’s very outspoken, too. When she sees something that’s wrong going on in an organization she will speak her mind. She does not take any shit.”
Stone says she simply wants to do her work well, enjoy hiking and traveling and all of her other interests, and open doors in any way she can for those feeling left out or disempowered in the security community and beyond.
“For me the driving factor of my work is how cool it would be if every person on Earth regardless of how cheap or expensive their device is had safe and secure access to the internet. That could propagate to so many different parts of humanity,” Stone says. “But I’m also not just an information security robot. I have a lot of things I love besides infosec.”
After our weightlifting class—I managed not to hurl—Stone drives me the short way to her house on a quiet, curved San Francisco street and starts cooking dinner for us: chicken thighs and salad with sliced avocado and strawberries on top. Her house is adorned with art and throw pillows from her international travels, her beloved pink neon keyboard, and lots of sparkly and glittery accents—Stone’s signature aesthetic. I bring up her triumphant Mount Kilimanjaro trek from last year; she mentions that altitude sickness had stymied her attempt to hike Mount Kinabalu in Malaysia just a few months prior.
“That really messed with my mind, but I had to just focus on what I learned from it,” Stone says. “So as I kept training for Kilimanjaro I just kept thinking, ‘I want to be fit enough that I can enjoy it.’"
That's Stone's approach in work and in life. You don’t have to be the best at anything right away, you don’t have to fit in. You just have to enjoy what you’re doing—and have the raw determination to see it through.