
HackerOne CEO: Every Computer System is Subject To Vulnerabilities (cnbc.com)

An anonymous reader writes: Every computer system in the world is vulnerable to hackers and criminals, according to Marten Mickos, CEO of HackerOne. That's nothing new with major data breaches at Yahoo and the federal government. But not to worry, teams of ethical hackers could be an answer to the growing cybersecurity concerns. "There are far more ethical hackers, white hat hackers, in the world than criminals," Mickos told CNBC's "Squawk Alley" on Thursday. "So when you just invite the good guys to help you, you will always be safe. It's like a neighborhood watch. You're asking the good guys around you to help you see what's wrong with your system and help you fix it." Mickos has assembled 70,000 white hat hackers in his venture-backed company HackerOne. He explains the intent of white hat hackers is to hack for good and not for exploitation.
  • by sinij ( 911942 ) on Friday October 21, 2016 @10:35AM (#53122711)
    Keep waiting for the second coming of teams of ethical hackers. Not that this method could not work in principle, it is just that corporations are not willing to pay for this, instead often choosing to lawyer up, and as a consequence ethical hackers are rare. On the other hand, with a thriving black market for exploits, unethical hackers could easily monetize.

    Ethical hacking is like a starving artist gig: you need a day job and could only do this as a side gig.
    • Yes, only this time the day job can well be the side gig, just with different "customers" ...

      • You mean companies have to pay the white hats because otherwise they will take their white hats off and put their black hats on? Hmmm, makes sense...

    • It has taken decades for the industry to get used to bug bounties. The first one was in 1981. Now it is starting to be very real. HackerOne has already paid out over $10,000 to hackers and researchers around the world. One hacker has made over half a million dollars. Another recently bought an apartment for his mother with the bounty money he had made. Still lots of work and education to do, but it is very much moving in the right direction. An example: the US DoD now committing $7m to vulnerability disclos

      • Ooops sorry slashdotters - three zeros missing. Above it should say "HackerOne has already paid out over $10,000,000 to hackers".

        • Ok, that increases the number of potential locations for the mother's apartment that I had considered.

      • One thing I disagree with is the statement that "when you just invite the good guys to help you, you will always be safe".

        The white hats will find some vulnerabilities, the black hats will find some as well, and those two will overlap (increasing your security) but that still leaves those bugs found by the black hats and yet to be found by the white hats. Which will be plenty.

        • by sinij ( 911942 )
          This is a very valid, but understated, point. A black hat needs to find one vulnerability to pwn you; white hats need to find all critical vulnerabilities to protect you.
          • Yep, this is true. It is also a common situation that humanity has dealt with successfully many times. To keep a ship afloat, you must find and fix every hole. Even one hole might sink it. To keep an aircraft safely flying, similarly every safety aspect must be in shape. Shipping and airlines have a great safety track record these days.

            To keep software secure, you must attempt to fix all serious vulnerabilities. You may never get to 100% vuln-free software, but the closer you get and the faster you can asympto

  • by Anonymous Coward on Friday October 21, 2016 @10:36AM (#53122721)

    thanks hackerone ceo, nobody knew this until today
    glad you're on the case

    • :-)

      Sometimes we need to repeat old insights to make sure that the broader society is aware.

  • by necro81 ( 917438 ) on Friday October 21, 2016 @10:36AM (#53122725) Journal
    In other news: water is wet. I would like to sell you an umbrella in case you get rained on.
    • Which brings up a poorly documented vulnerability - nowhere in my laptop documentation does it state not to get the laptop wet. Where do I send to get my white hat?
      • What laptop is that? Usually the documentation not only states that you shouldn't get it wet, but also that if you do get it wet, you should not attempt to dry it using a microwave oven. Are you sure you read all of the documentation?

  • by raymorris ( 2726007 ) on Friday October 21, 2016 @10:47AM (#53122821) Journal

    As mentioned in the interview, they took 13 minutes to find a major vulnerability in the Pentagon systems. Heck you can have someone run a Nessus scan for you at a cost of about $50, and probably find some significant vulnerability.

    Of course it's also possible to go overboard, to spend more on pen testing and security consulting than it's worth, but some really smart security people can be had for under $200 / hour, and in a couple hours they can do a lot of good for a company.

    Along the same lines, I think it's definitely worth it to involve a security expert in about three meetings for any major software project - once when the overall architecture is first being discussed, once when specific plans are in place, and once to review before going live on production. Using myself as an example, I've been doing security full time for 20 years, and I know what the common mistakes are. I know what the "smells" are - if you mention certain words, I can tell you those are areas you need to be careful. You don't have to spend a lot to teleconference me for three one-hour meetings, and I can potentially save you millions.

    Besides what most people think of as security, "confidentiality", my view of security is "the system continues to operate correctly - even when an attacker is trying to make it fail". That implies that it operates correctly when it's NOT being attacked. My suggestions give you better uptime and more reliable results. A simple example is a government system I looked at which was subject to SQL injection on a name field - it had SQL like "INSERT INTO tbl lastname='$lastname'; ". Sure, that's SQL injection, but it also failed on names like O'Reilly - perfectly legitimate customers couldn't use the system. Applying security concepts (it should work correctly even when it's being attacked) made it work much more reliably every day, and at a very low cost.
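A worked version of the O'Reilly failure mode described in the post above, added here as an illustration rather than raymorris's own code: the string-concatenated INSERT breaks on an apostrophe (the same defect that makes it injectable), while a bound parameter stores the name exactly. It uses Python's standard sqlite3 module and a constructed single-column table named `tbl`; the standard `VALUES (...)` syntax is assumed in place of the abbreviated SQL quoted in the post.

```python
import sqlite3


def make_db():
    """Fresh in-memory database with the one-column table from the example (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (lastname TEXT)")
    return conn


def insert_concatenated(conn, lastname):
    """The pattern from the post: the value is pasted into the SQL text.

    Returns None on success, or the database's error message. Any apostrophe in
    the name terminates the string literal, so the statement fails to parse;
    that broken parse is also exactly why the field was injectable.
    """
    sql = "INSERT INTO tbl (lastname) VALUES ('%s')" % lastname
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_parameterized(conn, lastname):
    """The fix: the value travels as a bound parameter, never as SQL text.

    The database receives the name as data, so quotes and other metacharacters
    are stored literally and the statement always parses the same way.
    """
    conn.execute("INSERT INTO tbl (lastname) VALUES (?)", (lastname,))
    conn.commit()


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT lastname FROM tbl ORDER BY lastname")]


def demo():
    """Returns (error from the concatenated insert, names stored by the safe insert)."""
    conn = make_db()
    broken = insert_concatenated(conn, "O'Reilly")  # legitimate customer, rejected
    insert_parameterized(conn, "O'Reilly")          # same customer, stored correctly
    insert_parameterized(conn, "D'Angelo-Smith")
    return broken, stored_names(conn)


if __name__ == "__main__":
    err, names = demo()
    print("concatenated insert failed with:", err)
    print("parameterized inserts stored:", names)
```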


    • You can have us for a little over 1000 a day. And you can find a LOT of security flaws in a day. I dare say hiring a pentester for 2 days can close 80% of your security holes, and since they're going for the same low hanging fruits that black hats go for, this should make you safe, unless you're a high profile target where someone really, really, really wants to hack you and is willing and able to spend the time for that.

    • Sure, people like you and I can save companies money. The problem is that companies don't pay millions to fix bugs, and don't generally pay penalties for bugs. Large companies can look at the trade off and see ROI and even immediate value to adding security staff to all phases of development, but small companies don't get the same bang for the buck as it were. Established companies have a potential to lose millions in revenue, small companies don't have the same amount of risk and startups have virtually

      • In terms of dollar amounts, larger companies obviously work on a larger scale.

        On the other hand, "mom and pop" businesses often have their whole life invested in their business. The server being out of commission for two weeks while you both secure it and clean up the mess from the hackers means they can't make their personal mortgage payment. The smallest companies have been my best customers. Of course my business is designed for small companies - low-priced, high value per dollar offerings, simple web ord

        • by s.petry ( 762400 )
          There is a massive amount of business between the two ends of the spectrum. Save the appeals to emotion because I agree with the premise, but not the statement that everyone justifies (or can justify) the costs. There is no legal requirement in almost all cases for them to do so, so they don't.
          • Cost is certainly a big consideration. As I said in my post, one reason that the smallest companies were my best customers was because I designed low-price offerings specific for their needs and budget - and I told them what to NOT buy from us, because it wasn't worth it for them.

            One example of something that most any full-time business should have is backups. If the business is your sole source of income, you should probably spend a couple hundred bucks for serious offsite backups. Larger companies, with b

            • by s.petry ( 762400 )
              My point in saving the appeal to emotion arguments is because I have worked extensively in security and compliance in both the private and government (defense) sectors for over 25 years. Selling me on security is like selling a fish on water.
  • How is this any different from locking down systems, ensuring security updates are installed, setting up firewalls, port forwarding, NAT, VPN, etc.?
    • by Maritz ( 1829006 )
      Well, you have to find vulnerabilities in order to patch them.
      • Using common scanning tools from external and internal sources is a pretty basic sysadmin task. Then deciding what the best path to remediation is.

    • I wouldn't say it's "different than", I'd say it's another item on the check list:

      a) Ensure security updates are installed in a systematic way
      b) Ensure firewalls are set up and regularly reviewed
      c) Review configuration of port forwarding, NAT, VPN, etc. annually
      d) Annual security review by objective third-party security professional

      We can also help you with A, AB, and C. Updates, for example, are important for confidentiality and integrity, but some upgrades can create problems for availability - they can br

  • So when you just invite the good guys to help you, you will always be safe. It's like a neighborhood watch.

    More like mafia watch. If you just invite them for help, you will always be safe. Otherwise ...

  • by Anonymous Coward

    How about we get ethical management instead, so developers and IT staff are trained in security and given the resources to properly develop secure systems? Secure enough* systems are possible. The entire software security industry wouldn't need to exist if developers were better.

    *Excluding spy level stuff like scanning the monitor's emissions to read the display.

    • Agreed, it would be a great help if developers in general switched from thinking in terms of "how can this work" to "how can this be broken". That's the topic of the next OWASP meeting I plan to attend - how can we help developers become more security aware and develop more secure systems, given all the demands on them, deadlines, etc. Security is just one of many things developers need to think about. They need to learn security, but they also need to learn the Next Big Thing - another language, framework

  • I've just checked. My ZX Spectrum, which is in a box under the stairs, is still secure. Never been hacked. Take that black hat hackers.

  • I would love him to address this news: https://www.quantamagazine.org... [quantamagazine.org]
  • water is wet.

  • I spy so much shitty code. Most of the site doesn't even serve static content from a cookieless domain, and most of the site itself is scripting/code instead of media/text.

    Exploitable from the bottom up.

    Turn your own people against your site first before advertising out to others, eh?
