USA TODAY International Edition
‘ Bug bounties’ reward hackers
‘ White hats’ expose flaws
SEATTLE Known as “white hats,” ethical hackers are the indispensable ground troops in the back- and- forth battle to make the Internet safer.
White hats devote countless hours and intense brain power to discovering security holes in popular apps and platforms. By flushing these bugs out into public light, they compel the good guys to fix the flaws before the bad guys can discover them first, and take advantage.
Microsoft and Facebook last week announced they will begin paying bounties to ethical hackers for discovering vulnerabilities, not just in their own products, but in software systems that make up the Internet infrastructure, as well.
This quiet endorsement is a huge step forward. “A lot of hidden bugs survive in very important code,” says Dan Kaminsky, co- founder and chief scientist at fraud- prevention company White Ops. Incentivizing white hats to scrutinize infrastructure code “is a game changer for protecting users,” he says.
White hats have steadily gained mainstream acceptance. Google and Facebook have spent millions paying hackers “bug bounties” to point out fresh flaws, known as zero- day vulnerabilities, in their respective products. Even Microsoft, long opposed to paying bounties, began paying such bounties earlier this year.
Now Microsoft and Facebook will support a panel of experts assigned to issue awards of $ 5,000 or even more to hackers who flush out serious vulnerabilities in development tools and Web server operating systems that make up the Internet.
That move follows an extraordinary development that highlights the independent, altruistic mindset of the hacking community.
It unfolded after Khalil Shreateh, a self- taught coder from a Palestinian village, discovered a major Facebook security flaw that enables anyone to post anything on anyone else’s wall.
Facebook’s security team disputed his findings. So Shreateh posted a notice on Facebook CEO Mark Zuckerberg’s wall to validate his find. Still, the company refused to pay him.
“I felt frustrated to find a big glitch in a website like Facebook, and all the replies said it was not a bug,” Shreateh told Cyber Truth, adding that his big concern was the “negative effect on any hacker or security researcher.” Facebook’s Matt Jones said in a Hacker News chat session that Shreateh wasn’t explicit in his initial report. Facebook fixed the bug.
The episode caught the attention of pioneering white hat hacker Marc Maiffret, who discovered the infamous Code Red vulnerability that plagued Microsoft Windows users in the mid- 2000s. Maiffret, now CTO at security firm BeyondTrust, put up $ 3,000 of his own to kick- start a $ 10,000 bounty for Shreateh. He raised $ 13,000, mostly in contributions from individuals, which he per- sonally delivered to the hacker.
“I really wanted to make a statement for the larger community, that we need to take care of researchers like this to make sure they continue to want to report things like this to companies like Facebook,” Maiffret says. “Otherwise, it’s going to end up in the underground being used to break into companies.”
Shreateh, who comes from a town where electricity outages are common, told Cyber Truth he plans to continue hacking — for the good guys. “I would like to get a good job to have a good life,” says Shreateh, adding that he is grateful to Maiffret and all who donated. “We can make the world secure and a safe place to live beside each other, with love.”