HackerOne CEO: Every Computer System is Subject To Vulnerabilities (cnbc.com) 49
An anonymous reader writes: Every computer system in the world is vulnerable to hackers and criminals, according to Marten Mickos, CEO of HackerOne. That's nothing new with major data breaches at Yahoo and the federal government. But not to worry, teams of ethical hackers could be an answer to the growing cybersecurity concerns. "There are far more ethical hackers, white hat hackers, in the world than criminals," Mickos told CNBC's "Squawk Alley" on Thursday. "So when you just invite the good guys to help you, you will always be safe. It's like a neighborhood watch. You're asking the good guys around you to help you see what's wrong with your system and help you fix it." Mickos has assembled 70,000 white hat hackers in his venture-backed company HackerOne. He explains the intent of white hat hackers is to hack for good and not for exploitation.
Second coming of teams of ethical hackers (Score:4, Interesting)
Ethical hacking is like a starving artist gig, you need a day job and could only do this as a side gig.
Re: (Score:2)
Yes, only this time the day job can well be the side gig, just with different "customers" ...
Re: (Score:1)
You mean companies have to pay the white hats because otherwise they will take their white hats off and put their black hats on? Hmmm, makes sense...
Re: (Score:3)
It has taken decades for the industry to get used to bug bounties. The first one was in 1981. Now it is starting to be very real. HackerOne has already paid out over $10,000 to hackers and researchers around the world. One hacker has made over half a million dollars. Another recently bought an apartment for his mother with the bounty money he had made. Still lots of work and education to do, but it is very much moving in the right direction. An example: the US DoD now committing $7m to vulnerability disclos
Re: (Score:2)
Ooops sorry slashdotters - three zeros missing. Above it should say "HackerOne has already paid out over $10,000,000 to hackers".
Re: (Score:2)
Ok, that increases the number of potential locations for the mother's apartment that I had considered.
Re: (Score:1)
One thing I disagree with, is the statement that "when you just invite the good guys to help you, you will always be safe".
The white hats will find some vulnerabilities, the black hats will find some as well, and those two will overlap (increasing your security) but that still leaves those bugs found by the black hats and yet to be found by the white hats. Which will be plenty.
Re: (Score:2)
Re: (Score:2)
Yep this is true. It is also a common situation that humanity has dealt with successfully many times. To keep a ship afloat, you must find and fix every hole. Even one hole might sink it. To keep an aircraft safely flying, similarly every safety aspect must be in shape. Shipping and airlines have great safety track record these days.
To keep software secure, you must attempt to fix all serious vulnerabilities. You may never get to 100% vuln-free software, but the closer you get and the faster you can asympto
stop the presses (Score:3, Funny)
thanks hackerone ceo, nobody knew this until today
glad youre on the case
Re: (Score:2)
Is there a term for this? Newsverisment? What's that called?
Re: (Score:2)
Re: (Score:2)
:-)
Sometimes we need to repeat old insights to make sure that the broader society is aware.
In other news... (Score:4, Funny)
Re: (Score:1)
Re: (Score:1)
What laptop is that? Usually the documentation not only states that you shouldn't get it wet, but also that if you do get it wet, you should not attempt to dry it using a microwave oven. Are you sure you read all of the documentation?
There's certainly a place for that, a ROI point (Score:5, Interesting)
As mentioned in the interview, they took 13 minutes to find a major vulnerability in the Pentagon systems. Heck you can have someone run a Nessus scan for you at a cost of about $50, and probably find some significant vulnerability.
Of course it's also possible to go overboard, to spend more on pen testing and security consulting than it's worth, but some really smart security people can be had for under $200 / hour, and in a couple hours they can do a lot of good for a company.
Along the same lines, I think it's definitely worth it to involve a security expert in a about three meetings for any major software project - once when the overall architecture is first being discussed, once when specific plans are in place, and once to review before going live on production. using my self as an example, I've been doing security full time for 20 years, and I know what the common mistakes are. I know what the "smells" are - if you mention certain words, I can tell you those are areas you need to be careful. You don't have to spend a lot to teleconference me for three one-hour meetings, and I can potentially save you millions.
Besides what most people think of as security, "confidentiality", my view of security is "the system continues to operate correctly - even when an attacker is trying to make it fail". That implies that it operates correctly when it's NOT being attacked. My suggestions give you better up time and more reliable results. A simple example is a government system I looked at which was subject to SQL injection on a name field - it had SQL like "INSERT INTO tbl lastname='$lastname'; ". Sure, that's SQL injection, but it also failed on names like O'Reilly - perfectly legitimate customers couldn't use the system. Applying security concepts (it should work correctly even when it's being attacked) made it work much more reliably every day, and at a very low cost.
Re: (Score:3)
You can have us for a little over 1000 a day. And you can find a LOT of security flaws in a day. I dare say hiring a pentester for 2 days can close 80% of your security holes, and since they're going for the same low hanging fruits that black hats go for, this should make you safe, unless you're a high profile target where someone really, really, really wants to hack you and is willing and able to spend the time for that.
Money does not match (Score:2)
Sure, people like you and I can save companies money. The problem is that companies don't pay millions to fix bugs, and don't generally pay penalties for bugs. Large companies can look at the trade off and see ROI and even immediate value to adding security staff to all phases of development, but small companies don't get the same bang for the buck as it were. Established companies have a potential to lose millions in revenue, small companies don't have the same amount of risk and startups have virtually
Unless you've put your entire life savings into it (Score:2)
In terms of dollar amounts, larger companies obviously work on a larger scale.
On the other hand, "mom and pop" businesses often have their whole life invested in their business.The server being out of commission for two weeks while you both secure it and clean up the mess from the hackers means they can't make their personal mortgage payment. The smallest companies have been my best customers. Of course my business is designed for small companies - low-priced, high value per dollar offerings, simple web ord
Re: (Score:2)
Cost is a big consideration. Every business needs (Score:2)
Cost is certainly a big consideration. As I said in my post, one reason that the smallest companies were my best customers was because I designed low-price offerings specific for their needs and budget - and I told them what to NOT buy from us, because it wasn't worth it for them.
One example of something that most any full-time business should have is backups. If the business is your sole source of income, you should probably spend a couple hundred bucks for serious offsite backups. Larger companies, with b
Re: (Score:2)
This sounds like IT / System administration (Score:1)
Re: (Score:2)
Re: (Score:2)
Using common scanning tools from external and internal sources is pretty basic sys admin task. Then deciding what the best path to remediation is.
Another item on the list (Score:2)
I wouldn't say it's "different than", I'd say it's another item on the check list:
a) Ensure security updates are installed in a systematic way
b) Ensure up firewalls are set up and regularly reviewed
c) Review configuration port forwarding, NAT, VPN, etc annually
d) Annual security review by objective third-party security professional
We can also help you with A, AB, and C. Updates, for example, are important for confidentiality and integrity, but some upgrades can create problems for availability - they can br
It's like a neighborhood watch ? (Score:2)
So when you just invite the good guys to help you, you will always be safe. It's like a neighborhood watch.
More like mafia watch. If you just invite them for help, you will always be safe. Otherwise ...
Wrong Solution (Score:1)
How about we get ethical management instead so developers and IT staff are trained in security and given the resources to properly develop secure systems? Secure enough* system are possible. The entire software security industry doesn't need to exist if developers were better.
*Excluding spy level stuff like scanning the monitor's emissions to read the display.
Hal and half. SQL expert, UI expert, security expe (Score:2)
Agreed, it would be a great help if developers in general switched from thinking in terms of "how can this work" to "how can this be broken". That's the topic of the next OWASP meeting I plan to attend - how can we help developers become more security aware and develop more secure systems, given all the demands on them, deadlines, etc. Security is just one of many things developers need to think about. They need to learn security, but they also need to learn the Next Big Thing - another language, framework
Oh really? (Score:2)
I've just checked. My ZX Spectrum, which is in a box under the stairs, is still secure. Never been hacked. Take that black hat hackers.
Meanwhile unhackable code confirmed (Score:1)
In other news (Score:2)
water is wet.
Re: (Score:2)
Yep, 70,000 is a lot! The number keeps growing, and we hope to get to a million. To serve all companies and government organizations worldwide who will be needing bug bounty programs, we need a lot of excellent hackers.
It should also be noted that it takes a lot of hacking to find even a simple vulnerability. Of the 70,000 hacker accounts we have, about 1 in 6 have filed an actual vulnerability report. To help them get going, we have an ebook on hacking that we give to new hackers. Once new hackers get the
Re: (Score:2)
Ha ha. That's a common joke about the security industry. There is some truth to it.
What's great with bug bounty programs is that customers pay for results. You pay for valid and useful vulnerability reports. You don't pay for reports that are not useful. For hackers to make money (and the best ones make a lot of money), they must produce useful and relevant vulnerability reports.
That's a HUGE difference compared to traditional security products and services and it explains why bug bounty programs are becomi
And after half an hour of probing their website (Score:2)
I spy so much shitty code. Most of the site doesn't even serve static content from a cookieless domain, and most of the site itself is scripting/code instead of media/text.
Exploitable from the bottom up.
Turn your own people against your site first before advertising out to others, eh?