
Crider 1

Adam Crider
Dr. Harris
Composition II
20 September 2013

Should Hacking be Encouraged?

Traditionally it has been thought that hacking is a crime. The term hacker has serious negative connotations, but it was originally just a term for someone who liked to tinker with things, physical or digital, and make them do things that they weren't designed to do. Now the term is used more in the light of crimes committed against large companies and governments. Hackers can also hold a traditional profession as penetration testers, who help websites determine how secure they are in the digital space. I am a computer science major who is going to be minoring in computer security, so this issue is a big topic for my minor, as it could be a potential job that I could get in the future. Sites like Google and Facebook give out rewards for people finding vulnerabilities in their sites, from Facebook's minimum of $500 a bug all the way to Google having a $1 million bounty up for anyone who could find a certain vulnerability in their new Chrome OS. The people who take up these bounties can be anyone, from an average Joe to a security researcher, but it doesn't matter who finds the bugs and vulnerabilities. What Facebook and Google care about is fixing them for their mainstream users. They also don't want these types of bugs and vulnerabilities to end up in the wrong hands or to be sold to people who use them for malicious purposes. It is commonplace now for people who have hacked large companies to actually get hired by the companies that they launched their attacks against. Some of these people are the ones who worked on the iOS 5 jailbreak, a popular way to hack an iPhone and put unofficial software on it, and others who made software for the jailbreak are now working at Apple implementing their jailbroken features into iOS itself. Should white hat hacking be encouraged, and what types of policies should be in place to encourage safe and ethical hacking?

RedHat.com, the website for a company that specializes in creating a very secure operating system for enterprise businesses, explains the different types of hackers. This way we can find out how to know whether someone is a good guy, one who speaks with the companies privately about these vulnerabilities, or a bad guy, someone who just tells everyone about a vulnerability as soon as they find it. We can classify these types of hackers by what are called white hat and black hat. White hat hackers are people who are either employed by a company to find, test, and fix security issues, or are academic researchers. Grey hat hackers are people who work on their own accord; they may be white hat hackers by trade but go into some grey areas in terms of legality at times. Black hat hackers are the group that everyone hears about in the news; they are the ones who find vulnerabilities and exploit them in a malicious manner. Viruses and malware are examples of black hat hackers building software to steal personal information like credit cards, bank account passwords, and other sensitive data (RedHat.com). So why do large companies like Facebook and Google allow any of these three types of people to try to find bugs and vulnerabilities in their sites?

CNN had an interview with Khalil Shreateh, a freelance security researcher who made headlines recently when he publicly used a vulnerability that he found on the Facebook website to post on Mark Zuckerberg's wall. In the interview he explained some of the reasoning behind why Facebook or Google might use this kind of program. "I could sell (information about the flaw) on the black (hat) hackers' websites and I could make more money than Facebook could pay me," said Shreateh in the interview. This is one of Facebook's goals with their White Hat program: to keep these types of vulnerabilities off black hat hackers' websites and to give the independent researcher compensation for what they've found so that they won't try to sell the vulnerability. Facebook's and Google's bounty programs are very strict on disclosure of information. Users have to follow the reporting guidelines and stay within the law when finding a bug, or they won't receive any reward or compensation. Facebook has been known to withhold rewards, even for large vulnerabilities, just because the researchers didn't follow the guidelines. Shreateh, frustrated with the way Facebook was handling his security report, exploited the bug to post on the wall of a public user, who happened to be Mark Zuckerberg. He thought the security team at Facebook was not taking him seriously enough and was taking too much time to handle the report (Gross). Posting to a public user's wall is against the guidelines for Facebook's White Hat program, which provides users with a test account so that any vulnerabilities that are found have no impact on a public user. Shreateh's violation of these guidelines disqualified him from the reward for such a bug, which would likely have been a very large bounty given its severity. These strict guidelines encourage the kind of hacking that is used to make Facebook a more secure site.

These kinds of programs have led to people getting jobs at these large companies. Facebook has hired two full-time employees from their White Hat program and has paid out over a million dollars in bounties. Over 300 people have found a bug and received a bounty for it, and the youngest person to receive a bounty was just 13 years old. These people come from all over the world; citizens from over 50 different countries have participated in the White Hat program from Facebook ("An Update on Our"). This kind of program has enabled talented people who otherwise wouldn't have a job to show their skills and help Facebook in the process. The impact of these bugs is very widespread. From simple aesthetic problems with a website to being able to make wall posts publicly to any user's wall that you want, these bugs have an assortment of different ways in which the user can be affected.

Facebook is encouraging hacking, but in a safe way. They are making people follow their very strict guidelines and rewarding them with money if they do find a bug or vulnerability. Other companies are starting to do the same; even large companies like Google have started to reward people for finding vulnerabilities in any of their services ("Program Rules"). They have a strict set of guidelines as well that you have to follow in order to receive compensation for what you find. Chromium, the open source project behind the popular Google Chrome browser, has a hall of fame that lists all the top bugs and rewards that people have received from their bounty program as well ("Security Hall of Fame"). This encourages people to find more important bugs so that they can reach the top of this hall of fame. Some very important bugs in Chrome have gotten fixed through this kind of bug reporting for Chromium.

Should hacking be encouraged? If people are going to hack websites on their own, they might as well be encouraged to do it safely and be rewarded for finding any large vulnerabilities. Companies like Facebook and Google have provided a way for people to do these things in a safe way that helps everyone out. Facebook and Google get to make their sites more secure, and an independent researcher or just a normal person gets compensated for what they find. The policies that these companies provide help to keep everyone within a legal spectrum of what they are doing and provide a better way for people to go about hacking in a legal way.


Works Cited

"Chapter 2. Attackers and Vulnerabilities." Attackers and Vulnerabilities. Web. 13 Sept. 2013. <https://access.redhat.com/site/documentation/enUS/Red_Hat_Enterprise_Linux/3/html/Security_Guide/ch-risk.html>.

Gross, Doug, and CNN International's Jim Clancy. "Zuckerberg's Facebook Page Hacked to Prove Security Flaw." CNN. Cable News Network, 20 Aug. 2013. Web. 13 Sept. 2013. <http://edition.cnn.com/2013/08/19/tech/social-media/zuckerberg-facebook-hack>.

"Program Rules - Application Security - Google." Program Rules - Application Security - Google. Web. 13 Sept. 2013. <http://www.google.com/about/appsecurity/reward-program/>.

"Security Hall of Fame - The Chromium Projects." Security Hall of Fame - The Chromium Projects. Web. 13 Sept. 2013. <http://www.chromium.org/Home/chromiumsecurity/hall-of-fame>.

"An Update on Our Bug Bounty Program." An Update on Our Bug Bounty Program. 2 Aug. 2013. Web. 13 Sept. 2013. <https://www.facebook.com/notes/facebooksecurity/an-update-on-our-bug-bounty-program/10151508163265766>.
