Slashdot Mirror


HackerOne CEO: Every Computer System is Subject To Vulnerabilities (cnbc.com)

An anonymous reader writes: Every computer system in the world is vulnerable to hackers and criminals, according to Marten Mickos, CEO of HackerOne. That's nothing new with major data breaches at Yahoo and the federal government. But not to worry, teams of ethical hackers could be an answer to the growing cybersecurity concerns. "There are far more ethical hackers, white hat hackers, in the world than criminals," Mickos told CNBC's "Squawk Alley" on Thursday. "So when you just invite the good guys to help you, you will always be safe. It's like a neighborhood watch. You're asking the good guys around you to help you see what's wrong with your system and help you fix it." Mickos has assembled 70,000 white hat hackers in his venture-backed company HackerOne. He explains the intent of white hat hackers is to hack for good and not for exploitation.

49 comments

  1. Second coming of teams of ethical hackers by sinij · · Score: 3, Interesting

    Keep waiting for the second coming of teams of ethical hackers. Not that this method could not work in principle, it is just corporations are not willing to pay for this, instead often choosing to lawyer up, and as a consequence ethical hackers are rare. On other hand, with a thriving black market for exploits, unethical hackers could easily monetize.

    Ethical hacking is like a starving artist gig, you need a day job and could only do this as a side gig.

    1. Re:Second coming of teams of ethical hackers by Opportunist · · Score: 1

      Yes, only this time the day job can well be the side gig, just with different "customers" ...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Second coming of teams of ethical hackers by martenmickos · · Score: 2

      It has taken decades for the industry to get used to bug bounties. The first one was in 1981. Now it is starting to be very real. HackerOne has already paid out over $10,000 to hackers and researchers around the world. One hacker has made over half a million dollars. Another recently bought an apartment for his mother with the bounty money he had made. Still lots of work and education to do, but it is very much moving in the right direction. An example: the US DoD now committing $7m to vulnerability disclosure programs.

      - Marten (HackerOne CEO)

    3. Re:Second coming of teams of ethical hackers by martenmickos · · Score: 1

      Ooops sorry slashdotters - three zeros missing. Above it should say "HackerOne has already paid out over $10,000,000 to hackers".

    4. Re:Second coming of teams of ethical hackers by Coisiche · · Score: 1

      Ok, that increases the number of potential locations for the mother's apartment that I had considered.

    5. Re:Second coming of teams of ethical hackers by michelcolman · · Score: 1

      You mean companies have to pay the white hats because otherwise they will take their white hats off and put their black hats on? Hmmm, makes sense...

    6. Re:Second coming of teams of ethical hackers by michelcolman · · Score: 1

      One thing I disagree with is the statement that "when you just invite the good guys to help you, you will always be safe".

      The white hats will find some vulnerabilities, the black hats will find some as well, and those two will overlap (increasing your security) but that still leaves those bugs found by the black hats and yet to be found by the white hats. Which will be plenty.

    7. Re:Second coming of teams of ethical hackers by Anonymous Coward · · Score: 0

      You mean companies have to pay the white hats because otherwise they will take their white hats off and put their black hats on? Hmmm, makes sense...

      Most of our governmental policies are founded on that expectation. Why does unemployment matter? Why do we count it only for people that are 'market participants' and not housewives or students? If we don't send young men off to war, or keep them busy for 40+ hours a week, they are far more likely to commit crime. They are typically the ones that overthrow their 'betters' when they themselves have nothing better to do. So let's keep them tired and running themselves to exhaustion in the rat race.

    8. Re:Second coming of teams of ethical hackers by sinij · · Score: 1

      This is a very valid, but understated, point. A black hat needs to find one vulnerability to pwn you; white hats need to find all critical vulnerabilities to protect you.

    9. Re:Second coming of teams of ethical hackers by martenmickos · · Score: 1

      Yep this is true. It is also a common situation that humanity has dealt with successfully many times. To keep a ship afloat, you must find and fix every hole. Even one hole might sink it. To keep an aircraft safely flying, similarly every safety aspect must be in shape. Shipping and airlines have great safety track record these days.

      To keep software secure, you must attempt to fix all serious vulnerabilities. You may never get to 100% vuln-free software, but the closer you get and the faster you can asymptotically move towards that goal, the more you reduce your cybersecurity risk.

  2. stop the presses by Anonymous Coward · · Score: 3, Funny

    thanks hackerone ceo, nobody knew this until today
    glad you're on the case

    1. Re: stop the presses by Anonymous Coward · · Score: 0

      I too was wondering how this is 'News'?

    2. Re: stop the presses by Opportunist · · Score: 1

      Is there a term for this? Newsverisment? What's that called?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:stop the presses by Anonymous Coward · · Score: 0

      Ahem, it's pronounced hackeroni.

    4. Re:stop the presses by martenmickos · · Score: 1

      :-)

      Sometimes we need to repeat old insights to make sure that the broader society is aware.

    5. Re: stop the presses by Anonymous Coward · · Score: 0

      Slashvertisement, in this case.

    6. Re: stop the presses by Midnight_Falcon · · Score: 1

      Slashvertisement... if they wanted to have a neutral point of view, they could have included information about their competitor Bugcrowd. Instead it's a PR piece, but it's good we've got their CEO resurrecting his seldom-used-but-for-marketing-purposes Slashdot account.

  3. In other news... by necro81 · · Score: 3, Funny

    In other news: water is wet. I would like to sell you an umbrella in case you get rained on.

    1. Re:In other news... by Photonmaker · · Score: 1

      Which brings up a poorly documented vulnerability - nowhere in my laptop documentation does it state not to get the laptop wet. Where do I send to get my white hat?

    2. Re:In other news... by michelcolman · · Score: 1

      What laptop is that? Usually the documentation not only states that you shouldn't get it wet, but also that if you do get it wet, you should not attempt to dry it using a microwave oven. Are you sure you read all of the documentation?

  4. Capitalism is unethical. by Anonymous Coward · · Score: 0

    Therefore black hat hacking is ethical in all capitalist nations, and white hat hacking is unethical.

    OP aims to exploit the labor of white hat hackers by selling their services at profit, so of course he will argue the other way.

  5. There's certainly a place for that, a ROI point by raymorris · · Score: 4, Interesting

    As mentioned in the interview, they took 13 minutes to find a major vulnerability in the Pentagon systems. Heck you can have someone run a Nessus scan for you at a cost of about $50, and probably find some significant vulnerability.

    Of course it's also possible to go overboard, to spend more on pen testing and security consulting than it's worth, but some really smart security people can be had for under $200 / hour, and in a couple hours they can do a lot of good for a company.

    Along the same lines, I think it's definitely worth it to involve a security expert in about three meetings for any major software project - once when the overall architecture is first being discussed, once when specific plans are in place, and once to review before going live on production. Using myself as an example, I've been doing security full time for 20 years, and I know what the common mistakes are. I know what the "smells" are - if you mention certain words, I can tell you those are areas you need to be careful. You don't have to spend a lot to teleconference me for three one-hour meetings, and I can potentially save you millions.

    Besides what most people think of as security, "confidentiality", my view of security is "the system continues to operate correctly - even when an attacker is trying to make it fail". That implies that it operates correctly when it's NOT being attacked. My suggestions give you better up time and more reliable results. A simple example is a government system I looked at which was subject to SQL injection on a name field - it had SQL like "INSERT INTO tbl lastname='$lastname'; ". Sure, that's SQL injection, but it also failed on names like O'Reilly - perfectly legitimate customers couldn't use the system. Applying security concepts (it should work correctly even when it's being attacked) made it work much more reliably every day, and at a very low cost.
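
The name-field case above, worked through as an added example (not raymorris's code or the system he reviewed): a constructed in-memory SQLite table stands in for the government system, `vulnerable_insert` splices the value into the SQL text the way the post describes, and `safe_insert` uses a bound parameter instead. The point the post makes is visible in the results: the spliced version breaks on the perfectly legitimate name O'Reilly, while the parameterised version stores it correctly and also treats quote characters in any other input as plain data rather than as SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the customer table in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, lastname TEXT NOT NULL)"
    )
    return conn


def vulnerable_insert(conn, lastname):
    """The pattern from the post: the value is spliced into the SQL text.

    An apostrophe in the data closes the string literal early, so the
    statement is malformed for a name like O'Reilly (sqlite3.OperationalError)
    and any text after the quote is interpreted as SQL rather than as data.
    """
    sql = "INSERT INTO customers (lastname) VALUES ('%s');" % lastname
    conn.execute(sql)
    conn.commit()


def safe_insert(conn, lastname):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so quote characters in the name are never parsed as SQL."""
    conn.execute("INSERT INTO customers (lastname) VALUES (?);", (lastname,))
    conn.commit()


def stored_names(conn):
    """Return every lastname currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT lastname FROM customers ORDER BY id")]


def try_insert(insert_fn, lastname):
    """Run one insert against a fresh database.

    Returns (ok, names): ok is False when the database rejected the statement,
    and names is whatever ended up stored, so callers can see both the
    availability failure and the data actually written.
    """
    conn = make_db()
    try:
        insert_fn(conn, lastname)
        return True, stored_names(conn)
    except sqlite3.Error:
        return False, stored_names(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary name, the O'Reilly case from the
    # post, and a quote-bearing string that should be stored as plain text.
    for name in ("Smith", "O'Reilly", "x'); DELETE FROM customers; --"):
        for fn in (vulnerable_insert, safe_insert):
            ok, names = try_insert(fn, name)
            print(f"{fn.__name__:18s} {name!r:36s} ok={ok} stored={names}")
```

The same bound-parameter form is what fixes the reliability complaint and the injection at once: there is no escaping step to get wrong, and the database never sees user text as part of the statement.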


    1. Re:There's certainly a place for that, a ROI point by Opportunist · · Score: 2

      You can have us for a little over 1000 a day. And you can find a LOT of security flaws in a day. I dare say hiring a pentester for 2 days can close 80% of your security holes, and since they're going for the same low hanging fruits that black hats go for, this should make you safe, unless you're a high profile target where someone really, really, really wants to hack you and is willing and able to spend the time for that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. This sounds like IT / System administration by klashn · · Score: 1

    How is this any different from locking down systems, ensuring security updates are installed, setting up firewalls, port forwarding, NAT, VPN, etc.?

    1. Re:This sounds like IT / System administration by Maritz · · Score: 1

      Well, you have to find vulnerabilities in order to patch them.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    2. Re:This sounds like IT / System administration by silas_moeckel · · Score: 1

      Using common scanning tools from external and internal sources is a pretty basic sysadmin task. Then deciding what the best path to remediation is.

      --
      No sir, I don't like it.
    3. Re:This sounds like IT / System administration by Anonymous Coward · · Score: 0

      If you define any task that a competent person should know how to do as being basic, there is no such thing as complex.

      Tasks that are basic for many IT people are impossible to anyone else. That is why we get paid. Don't forget or you will get a paycut with the veiled threat "What you do is pretty basic, anyone could do it. You said it yourself."

  7. It's like a neighborhood watch ? by BESTouff · · Score: 1

    So when you just invite the good guys to help you, you will always be safe. It's like a neighborhood watch.

    More like mafia watch. If you just invite them for help, you will always be safe. Otherwise ...

  8. Wrong Solution by Anonymous Coward · · Score: 1

    How about we get ethical management instead, so developers and IT staff are trained in security and given the resources to properly develop secure systems? Secure enough* systems are possible. The entire software security industry wouldn't need to exist if developers were better.

    *Excluding spy level stuff like scanning the monitor's emissions to read the display.

  9. Money does not match by s.petry · · Score: 1

    Sure, people like you and me can save companies money. The problem is that companies don't pay millions to fix bugs, and don't generally pay penalties for bugs. Large companies can look at the trade-off and see ROI and even immediate value in adding security staff to all phases of development, but small companies don't get the same bang for the buck, as it were. Established companies have the potential to lose millions in revenue; small companies don't have the same amount of risk, and startups have virtually none.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  10. Oh really? by symes · · Score: 1

    I've just checked. My ZX Spectrum, which is in a box under the stairs, is still secure. Never been hacked. Take that black hat hackers.

  11. Meanwhile unhackable code confirmed by CaptainStumpy · · Score: 1

    I would love him to address this news: https://www.quantamagazine.org...

    --
    It will be better to purchase from an owner who is a good farmer and a good builder.
  12. Unless you've put your entire life savings into it by raymorris · · Score: 1

    In terms of dollar amounts, larger companies obviously work on a larger scale.

    On the other hand, "mom and pop" businesses often have their whole life invested in their business. The server being out of commission for two weeks while you both secure it and clean up the mess from the hackers means they can't make their personal mortgage payment. The smallest companies have been my best customers. Of course my business is designed for small companies - low-priced, high value per dollar offerings, simple web ordering rather than spending time (money) in meetings and writing proposals, etc. A couple hundred bucks for a professional grade offsite backup can largely secure their personal livelihood.

  13. Another item on the list by raymorris · · Score: 1

    I wouldn't say it's "different than", I'd say it's another item on the check list:

    a) Ensure security updates are installed in a systematic way
    b) Ensure firewalls are set up and regularly reviewed
    c) Review configuration port forwarding, NAT, VPN, etc annually
    d) Annual security review by objective third-party security professional

    We can also help you with A, B, and C. Updates, for example, are important for confidentiality and integrity, but some upgrades can create problems for availability - they can break things. How can you ensure *all* systems are updated regularly and frequently, while at the same time ensuring that updates don't break important functionality, and if something does break, you can quickly identify the cause? A security professional can help answer that, or whatever other issues come up as your security matures.

  14. In other news by bravecanadian · · Score: 1

    water is wet.

  15. Re:Unless you've put your entire life savings into by s.petry · · Score: 1

    There is a massive amount of business between the two ends of the spectrum. Save the appeals to emotion because I agree with the premise, but not the statement that everyone justifies (or can justify) the costs. There is no legal requirement in almost all cases for them to do so, so they don't.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  16. Half and half. SQL expert, UI expert, security expe by raymorris · · Score: 1

    Agreed, it would be a great help if developers in general switched from thinking in terms of "how can this work" to "how can this be broken". That's the topic of the next OWASP meeting I plan to attend - how can we help developers become more security aware and develop more secure systems, given all the demands on them, deadlines, etc. Security is just one of many things developers need to think about. They need to learn security, but they also need to learn the Next Big Thing - another language, framework, whatever. How can we help them be secure in the limited time they have for training? More focused training? Knowing what they can do themselves and when to ask for help from a security professional?

    On the other hand, your development team probably isn't a bunch of people with the exact same skills. You probably have someone who is good at databases, another who is good at GUI design, a software architect thinking about the big picture, maybe a scrum master or other lead person who is skilled at teamwork skills and facilitating work between people. Security is another specialty, like database design, GUI design, or leading a team.

    Also, just as you may need a database *designed* very well once, then maintained by someone else, you can take advantage of a security professional as needed; they don't always have to be a full-time member of each team. At my last job, I was regularly called to join meetings of other teams when security considerations were discussed. They might use me one or two hours per month, which was enough to prevent a lot of major mistakes and make their system more robust, both when under attack and when not under attack.

  17. 70,000 white hat hackers? by Anonymous Coward · · Score: 0

    He assembled a team of 70,000 white hat hackers? That seems like a lot...

    1. Re:70,000 white hat hackers? by Anonymous Coward · · Score: 0

      They will hack the IRS DB mainframe and bring about the singularity.

    2. Re:70,000 white hat hackers? by martenmickos · · Score: 1

      Yep, 70,000 is a lot! The number keeps growing, and we hope to get to a million. To serve all companies and government organizations worldwide who will be needing bug bounty programs, we need a lot of excellent hackers.

      It should also be noted that it takes a lot of hacking to find even a simple vulnerability. Of the 70,000 hacker accounts we have, about 1 in 6 have filed an actual vulnerability report. To help them get going, we have an ebook on hacking that we give to new hackers. Once new hackers get the hang of bug hunting they can advance fast, earning more and more reputation points. When you sign up at HackerOne, you start at 100 points. Our most prolific hackers have reached 10,000 points. You can do it, too!

  18. Cost is a big consideration. Every business needs by raymorris · · Score: 1

    Cost is certainly a big consideration. As I said in my post, one reason that the smallest companies were my best customers was because I designed low-price offerings specific for their needs and budget - and I told them what to NOT buy from us, because it wasn't worth it for them.

    One example of something that most any full-time business should have is backups. If the business is your sole source of income, you should probably spend a couple hundred bucks for serious offsite backups. Larger companies, with bigger budgets, will spend more to prevent the *need* to ever use backups; for those with a very small budget we can inexpensively make sure that backups are really solid, preventing many types of catastrophic loss.

    > Save the appeals to emotion

    It's interesting that you say that because I find my customers ARE often buying emotion. They are scared because their last hosting company went out of business overnight, leaving them high and dry, or hackers completely f*cked up their web site, which is their income. They want to rest easy knowing that their company won't be destroyed by the next event, but they have a very limited budget. Good offsite backups provide them the confidence that no matter what happens in terms of IT, things can be back to normal within a few hours. There is a big emotional component there - they are worried. My job is therefore threefold - a) provide solutions that *actually* protect them from disaster, b) provide visibility so they can see that they are protected and they don't need to worry c) do so at a low price point, so the cost of protection isn't causing them stress.

  19. Re:Cost is a big consideration. Every business nee by s.petry · · Score: 1

    My point in saving the appeal to emotion arguments is because I have worked extensively in security and compliance in both the private and government (defense) sectors for over 25 years. Selling me on security is like selling a fish on water.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  20. Snake oil salesman by Anonymous Coward · · Score: 0

    CEO: let me sell you snakeoil!

    Company: We got hacked using your snake oil

    CEO: let me sell you some more snakeoil! I'm such a douche!

    1. Re:Snake oil salesman by martenmickos · · Score: 1

      Ha ha. That's a common joke about the security industry. There is some truth to it.

      What's great with bug bounty programs is that customers pay for results. You pay for valid and useful vulnerability reports. You don't pay for reports that are not useful. For hackers to make money (and the best ones make a lot of money), they must produce useful and relevant vulnerability reports.

      That's a HUGE difference compared to traditional security products and services and it explains why bug bounty programs are becoming so popular. They are much more effective than any other method of finding vulns in live software.

  21. Most Ethical hackers use linux, so they can fix. by Anonymous Coward · · Score: 0

    Yes, every system has breaches, but you can't fix all of them by yourself.

  22. And after half an hour of probing their website by Khyber · · Score: 1

    I spy so much shitty code. Most of the site doesn't even serve static content from a cookieless domain, and most of the site itself is scripting/code instead of media/text.

    Exploitable from the bottom up.

    Turn your own people against your site first before advertising out to others, eh?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.