Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Facebook Security

Facebook Invites Hackers To Attack Its Network 157

An anonymous reader writes "Nearly a year ago, Facebook introduced its bug bounty program, inviting security researchers to poke around the site, discover vulnerabilities that could compromise the integrity or privacy of Facebook user data, and then responsibly disclose them to the company. Still, when the social network's security team received a tip from a researcher about a vulnerability in the company's own network which would allow attackers to eavesdrop on internal communications, they made an unprecedented choice by broadened the scope of the bug bounty program and inviting researchers to search for other holes in the corporate network. Nobody expects malicious attackers to have a change of heart and hand over information about a vulnerability for a few thousand dollars when they could sell the stole information for much more. It should, therefore, come as no surprise that Ryan McGeehan, the manager of Facebook's security-incident response unit, stated that if there's a million-dollar bug, they will pay it out."
This discussion has been archived. No new comments can be posted.

Facebook Invites Hackers To Attack Its Network

Comments Filter:
  • Grammar! (Score:1, Insightful)

    Holy hellbore, editors! At least read through the summary before letting it out onto the page teeming with grammatical errors. It reads like it was written by a grade schooler.

    • Well that escalated quickly...

      "Troll" moderation? Oh please, if anything, this is "Offtopic", but certainly not trolling. The summary is badly written, a grammatical wreck, there's no denying that. There's no denying that there are editors, either. And there's also no denying that as editors, verifying the accuracy, correctness, sources, and presentation of the summaries posted is their responsibility in the end. In this case, they failed their job, and I'm right to call attention to that.

      As for your ad hom

      • by bryonak ( 836632 )

        Seems like you're being trolled by someone with mod points copy-pasting the same ad hominem stuff anonymously and downvoting reasonable replies. Don't worry, it'll correct itself.

        Personally my French writing sucks and I'm thankful for people pointing out possible corrections - they help me improve. Reading a correct and nicely formulated writeup is simply more efficient than having to figure out what the author is trying to convey. It's the editors' job to pay attention to that, so yes, your kind is welco

  • by vawarayer ( 1035638 ) on Saturday July 28, 2012 @09:52AM (#40801295)
    Annoying Facebook Games.
  • by SpzToid ( 869795 ) on Saturday July 28, 2012 @10:07AM (#40801377)

    OK, so I'm the Facebook corp. and I run a cost vs. risk analysis and come up with the numbers and resulting decision we see here today. Clearly they have the money, and the relative risk plus technical infrastructure so they figure this works out for them.

    OK, let's say I'm a Blackhat criminal hacker, poking around the Facebook network doing nasty stuff all the time, as best as I can, because this is what I do. And one day I get caught by Facebook or someone else along those lines. I am so busted. But wait, I can explain I was really a white hat all along, just trying to feed my family the best I can. Whatever happens next can't be too bad, and I'll live to fight another day. So then I figure capitalism rocks. Also maybe I'll see what Facebook offers when I really find a big hole worth exploiting.

    Win, win, and so captilism = security?

    There must be something I am not seeing here. Could such pure capitalism do something about all those evil Chinese and Russian and Ukranian hackers too? That which laws and police cannot really do very well at this time?

    To look at this another way, the US/Israeli State Resources behind Flame and Stuxnet (etc.) seem to have been fairly successful doing harm.

    • There must be something I am not seeing here. Could such pure capitalism do something about all those evil Chinese and Russian and Ukranian hackers too?

      If the payout for playing for white hat team was guaranteed to be better, I could see a lot of those motivated by money to be swayed over.

  • by account_deleted ( 4530225 ) on Saturday July 28, 2012 @10:12AM (#40801411)
    Comment removed based on user account deletion
  • by mspohr ( 589790 ) on Saturday July 28, 2012 @10:14AM (#40801425)

    "Nobody expects malicious attackers to have a change of heart and hand over information about a vulnerability for a few thousand dollars when they could sell the stole information for much more. "
    I really don't think that all hackers are greedy. While there are hackers who are willing to take the risks of selling hacks to criminals, there are probably many hackers who would be interested in exploring vulnerabilities for a modest legal reward.

    • And how many actually have contacts to sell that kind of stuff?
    • Agreed. This won't cause black hats to have a change of heart, but it will bring more white hats to the table by giving them more of an incentive.
  • Just count each successful attack as another active user. I guess every bit helps when your stock value is on the line.

  • I tried going to Facebook today, didn't come up so decided to checkout Slashdod since I could see other sites, I find this story about Facebook inviting hackers on DefCON weekend. Well, seems my DNS doesn't resolve them, is this widespread? C:\Users\r>ping facebook.com Ping request could not find host facebook.com. Please check the name and try again.
  • Although I can see the appeal of something like "bug bounties", I can't help but feel that it's basically testing on the cheap. As an IT professional, it feels a bit like devaluing a highly skilled career; or at best, making testers nothing but self-employed, pay-as-you-go workers rather than full employees or traditional contractors.

    I mean, what Facebook are basically offering is "no win no fee" Penetration Testing. Rather than paying a team of certified, experienced Pen Testers to run a thorough and compr

  • by Bengie ( 1121981 )
    And here I thought someone was poking fun at FB using PHP. http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/ [veekun.com]

    Virtually every feature in PHP is broken somehow. The language, the framework, the ecosystem, are all just bad. And I can’t even point out any single damning thing, because the damage is so systemic.

    fun read

  • If they care about paying the right price for the bugs, why not just buy the existing exploits from the black-hats? Hackers get paid what the bug is ACTUALLY worth (on the black market), you fix even more bugs, driving more folks to search for cracks, driving bug price down, everyone's happy?

    I get that white hatters are beneficial, but I'd still be careful attaching my name to a "bug bounty". They can throw you in jail for white hat hacking at a whim -- It's still illegal by the retarding letter of th

  • Let me guess... 24 hours later the workstation on Mark Zuckerberg's desk had its hostname changed to challengeaccepted.facebook.com?
  • Now it's legal to hack their network. Which is a nice move for white hats, but it also gives black hats permission to fuck around with people's private data.

    Why not provide a copy of the facebook software with mock up data to which you give permission to hack.

  • I think it's ironic that a company whose CEO has repeatedly made it clear [cnet.com] from the start that user's data should not be kept private is claiming to improve security while they themselves have intentionally and willfully made users' private data public again and again by changing default settings and making it hard to change them back. Or has everyone already forgotten? I for one assume everything I post on Facebook is going to become completely public, including private messges. Have you ever read the pe
    • by elflord ( 9269 )
      This is right on the money. FB's security model is poorly thought out, and the indifference of the CEO to privacy concerns probably has a lot to do with it. In generally, the ad-hoc revisions of their privacy settings (which have at times forced users to opt out of more permissive settings) are indicative of a poorly thought out security model. The kind of "attack" that is effective (and has been used against FB users) is the "viral app" -- basically, the typical facebook "app" requires that the app is ab

Programmers do it bit by bit.

Working...