The Jerusalem Post

Can you hack? Here’s a way to make a buck – and it’s legal

By TIM JOHNSON

WASHINGTON – In the lingo of computer hacking, “black hat” hackers are the creeps. They steal your credit card data, hack into your email account, and take over your home router for malicious mayhem. Think Bonnie and Clyde.

Companies hate “black hat” hackers, worried that they will penetrate corporate servers and steal proprietary secrets or create turmoil.

But the global hacker community is big, and some companies are finding ways to appeal to hackers displaying certain qualities – curiosity, a tendency to want to break things apart, and a natural trespassing instinct – but without blatant outlaw practices.

Called “white hat” hackers, they are being drawn to programs that invite hackers to search for, and disclose, flaws in software, helping corporations patch network vulnerabilities and fend off hostile digital intruders.

The programs to lure the hackers are called “bug bounties,” and they are going mainstream. Big companies that pay hackers to find flaws in their software include everyday names like Apple, Instagram, Facebook, Google, United Airlines, Uber and Western Union. A handful of startups, like HackerOne, BugCrowd and Synack, provide contracts or on-demand platforms for companies or government entities that want skilled hackers to test their networks for vulnerabilities in a secure fashion.

Such programs bridge the long, jagged chasm between corporations and the global hacker community, and are finding some common ground.

Hardened “black hat” hackers aren’t attracted by such programs, and may never be, said hackers who take part in bug bounty programs.

“Ask yourself the question: Will there still be robbers even if you offer them jobs as lock pickers?” said a 28-year-old Dutch hacker who goes by the name Hackdwerg, or “hack dwarf” in Dutch.

Speaking via Skype, the Dutch hacker said he’s found more than 260 vulnerabilities or holes in servers and programs and collected numerous bounties.

Hackdwerg, whose contacts were provided by a Europe-based cybersecurity expert, declined to identify himself further, but his thinking illuminates a bit about the world of underground hackers.

“I’m one of the white hat hackers who’s been a black hat hacker,” he said. Asked what illegal hacking he had done, the Dutchman said, “I do not want to answer that question.”

For corporations looking to improve digital security, the idea of flinging network gates open to hackers, some of whom won’t even identify themselves, can be nerve-jangling.

“When you talk to customers, ‘hackers’ can sometimes be a little bit scary,” acknowledged Jay Kaplan, chief executive of Synack, a Redwood City, California, company that crowdsources vulnerability for clients. Instead of the term “hackers,” Synack refers to its penetration testers as white hat security researchers.

“It’s kind of a risk for companies in that you’re paying people to find flaws in your system,” said Katrina Timlin, who works in the strategic technologies program of the Center for Strategic and International Studies, a Washington think tank. “If you don’t pay them enough, there’s the fear they could go rogue.”

Even if they don’t prove to be scoundrels, she said, a concern is that they may have “contacts on hacker forums who might not be on the right side of the law.”

Jobert Abma is a co-founder of HackerOne, a bug bounty marketplace that brings together experienced hackers and companies willing to pay them to look for vulnerabilities. He said one of the only ways to become a skilled hacker is to break into computer systems.

“A lot of the people who are currently in (computer) security have done things that they shouldn’t have done, legal-wise, but never with the wrong intention,” Abma said. When they find flaws in computer systems, “they don’t sell it on the black market,” he added.

HackerOne, which started in 2012 in San Francisco, now has a stable of 3,500 white hat hackers each of whom has found at least one bug, Abma said. The company says its hackers, who come from 70 different countries, with India in the top spot ahead of the United States, have fixed more than 35,200 bugs.

A few are superstars, such as Mark Litchfield, who is based in Las Vegas.

“He’s the best paid. He recently hit a half-million (dollars) and he made that half-million in about two and a half years,” Abma said.

Another hacker who has seen his life transformed is Manish Bhattacharya, from a “very humble background” in the state of Bihar in India. He discovered his first vulnerability in 2012, winning recognition from Microsoft. He’s been on a roll ever since.

Now, he wrote in an email, he is “making more than average MBAs from top B (business) schools in India. Initially ‘no money’ was the issue, now taxes are the pain. My father often complains, ‘you pay double (just in) taxes (of) my yearly income.’”

He recalled how he got his first payout – a mere $100 – but how it changed his life: “That month, my pocket money was 6,000 Indian rupees instead of 150 rupees.” – TNS
