Slashdot Mirror


India's Ethical Hackers Rewarded Abroad, Ignored at Home (yahoo.com)

An anonymous reader shares an article: Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news -- he had hacked their website and could book flights anywhere in the world for free. It was a familiar tale for India's army of "ethical hackers," who earn millions protecting foreign corporations and global tech giants from cyber attacks but are largely ignored at home, their skills and altruism misunderstood or distrusted. India produces more ethical hackers -- those who break into computer networks to expose, rather than exploit, weaknesses -- than anywhere else in the world. The latest data from BugCrowd, a global hacking network, showed Indians raked in the most "bug bounties" -- rewards for red-flagging security loopholes. Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of 2016 than any other researchers. Indians outnumbered all other bug hunters on HackerOne, another registry of around 100,000 hackers. One anonymous Indian hacker -- "Geekboy" -- has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games. Most are young "techies" -- software engineers swelling the ranks of India's $154-billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cyber systems.

14 of 82 comments

  1. That is not what "ethical hacker" means by gweihir · · Score: 4, Insightful

    An "ethical hacker" will only break in if given permission, either directly or via a bug-bounty program. Anybody hacking without a mandate is either grey-hat (if they do inform the target and do not try to extort them) or outright black-hat. That companies do not react kindly to people hacking them _without_ a mandate is not a surprise, as that happens to be a criminal act.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:That is not what "ethical hacker" means by Zaelath · · Score: 2

      >Also, an ethical hacker will not start with insider information. I suspect a proportion of these are workers at outsourcing companies who are frustrated at the quality of code their organizations are shipping.

      That's not necessarily the case at all; white box hacking starts with /all/ information available.

    2. Re:That is not what "ethical hacker" means by XparXnoiaX · · Score: 2, Interesting

      ethical and illegal are two very different things. An ethical person will do illegal things, if they are the right thing (like Snowden. Super illegal). Don't let the illegality of it confuse you. What they are doing is dangerous, but finding mistakes and letting the world know is the ethical thing to do.

      The unethical ones in this situation are the companies who released their code without a security review. Those managers didn't give the programmers (or QA) extra time in the sprint to test for security bugs.

      --
      Irresponsible disclosure is responsible
  2. Re:"makes them uniquely gifted" by Anonymous Coward · · Score: 2

    Isn't this basically "writing a mini-van?" ( http://dilbert.com/strip/1995-11-13 )
    I mean, come on, they write the buggy code, so they know where the exploits are - seems like a win-win scenario that they've built for themselves. Kudos.

    CAP === 'queuing'

  3. Contradictory news by manu0601 · · Score: 2, Informative

    This is puzzling. One day we are told 95% of Indian engineers cannot code, and the other day India has a huge number of highly skilled hackers.

    1. Re:Contradictory news by CODiNE · · Score: 2

      I know some bug bounty guys are making a good living off these programs. The majority however do not. Not everyone can spend days digging around hoping to get paid for something. It's unsurprising that a country with a much lower cost of living has a lot of guys willing to do this.

      --
      Cwm, fjord-bank glyphs vext quiz
    2. Re:Contradictory news by AmiMoJo · · Score: 2

      I'm British and don't want to be lumped in with all the other British people. I want to be evaluated as an individual. The last thing I want is for an employer to say "British people are on the whole dumb, their universities are mostly crap, therefore I'm not going to consider any British people or at least subject them to much harsher testing first".

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. "uniquely gifted" by 110010001000 · · Score: 4, Insightful

    There is no unique gift to becoming a cracker (these aren't "hackers"). It is just a willingness to perpetuate destructive behavior. It is very easy to crack software and systems, I used to do it all the time. It is much harder to create.

  5. That's why they are hackers by gurps_npc · · Score: 2

    If they were rewarded, they would end up with jobs. If they had jobs, they would not have enough time to do all of that hacking.

    There are only two ways you get hackers of this high quality:

    1) They are not rewarded.
    2) Their motivations outweigh their greed. Talking about religious extremism quality motivation.

    --
    excitingthingstodo.blogspot.com
  6. Statistical fallacy by SeattleLawGuy · · Score: 4, Interesting

    >This is puzzling. One day we are told 95% of Indian engineers cannot code, and the other day India has a huge number of highly skilled hackers.

    There is a Supreme Court Case where the court said traffic stops must be dangerous because a large number of police officers are injured every year while performing traffic stops. But the logic is bad. Without knowing how many total traffic stops there are you cannot really look at the risk of performing one.

    Similarly, even if 95% of engineers cannot code, they can still have more good engineers if there are enough of them--or can have more decent engineers working on this particular set of problems.

    It's also worth pointing out that (1) there are a lot of great Indian engineers who are not in India, (2) the 95% number you are pointing to was done by a company with an incentive to skew it one way, and (3) the people finding the bugs may not be a great match for the ideal job candidate but still have basic hacking skills.

    --
    Real lawyers write in C++
  7. Oh please by Anonymous Coward · · Score: 2

    You're still talking criminal on a leash, no matter the brand of the perfume and the make-up you're adding.

    That is not what "hacking" once was about, to the point that adding "ethical" to it makes no sense at all. Even the hats mean that you (in)security types have hopelessly confuddled everyone including yourself, with the result that "hacker", "ethical" or otherwise, means exactly nothing these days. And it shows.

    S'kiddies, the lot of you.

    And yes, your stolen terminology, now entirely empty, is quite related to your collective complete and utter failure to secure anything these last few decades. You are the Emperor's new clothiers, it's the only explanation that actually makes any sense. So don't go complaining these cheap imitations from India aren't the real thing. They're about as functional and effective as everyone else in the industry, complete with getting the important bits hopelessly wrong.

    1. Re:Oh please by gweihir · · Score: 2

      There are shades of grey here. A wish to protect your society when nobody else does is a valid concern. Sure, it is vigilantism, but besides regular law enforcement (which is conceptually unable to tolerate any competition), vigilantism is a "grey" thing to most people, not pure black or white as you suggest.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Re:Who is fooling who, if 95% of Indian coders unf by MrLogic17 · · Score: 3, Informative

    >Didn't they launch some rocket to Mars at a much lesser cost as compared to the US recently?

    They just barely got a small, proof-of-concept probe - and at that, it never got the desired orbit.
    NASA, in around the same time frame, got a much larger, far far more complex research package in the proper orbit.
    Good on India for pulling it off, but they were doing something vastly different than NASA.

    TL;DR: apples & oranges

  9. Stupid, and potentially sensitive question: by Travelsonic · · Score: 2

    Stupid, potentially sensitive question: How many of the vulnerabilities, do you think (if it can be ascertained) came from companies who outsourced their work to India-based companies?

    --
    If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot