In November, Uber disclosed that a year earlier, in 2016, hackers stole 57 million driver and rider accounts and that it paid them a $100,000 ransom to delete the data. The breach was reportedly part of Uber’s bug bounty program, whereby it pays hackers to check its software for vulnerabilities. But the amount was exorbitant by typical standards, and the episode has fueled criticism of the bug bounty practice, which is seen by some as funding criminal activity.
At an industry event in San Francisco this week, Marten Mickos, the CEO of HackerOne — which runs Uber’s bug bounty program — answered questions about Uber’s hacking, which is now the subject of at least four lawsuits. His interviewer, cybersecurity reporter Kate Conger, also pressed him on the definition of a good versus a bad hacker — and whether there’s much of a difference.
Excerpts from their sit-down follow, edited for length.
KC: For those who don’t know, what does HackerOne do?
MM: The simple truth today is that every single system gets hacked. And the only question is, who do you want to get hacked by? People you trust or criminals? If you choose the former, you swallow that pill, you come to us. We have 160,000 ethical hackers in our community who will hack you within 24 hours. They’ll tell you how they broke in and you’ll pay them a lot of money, but it’s much, much less than if you swallow the other pill.
KC: You’ve been in the news recently and maybe not for the most positive reasons: You administered Uber’s bug bounty program and it got wrist-slapped for [losing the data] of 57 million people and paying out $100,000 to the hacker to keep him quiet. Do you think that behavior muddies the water between ethical hackers and bug bounty programs and bribery?
MM: I’m not here to comment on any particular case. I can note, however, that it hasn’t been shown that 57 million records were lost forever. They may have been lost for a short while only, but we’ll leave that to others to figure out. But it’s clear that in the world of hacking, if there is intrusion and data exfiltration or extortion, it has nothing to do with ethical hacking or bug bounty programs.
The line there is very clear. We’re very fortunate to run Uber’s bug bounty program and many other really big programs [including for the U.S.] Air Force, Army and Pentagon. So sure, with technology always, it’s the same technology used for good and bad purposes, and technology itself doesn’t have an opinion about what it’s being used for.
KC: So is that the ethical line between a good and bad hacker — data exfiltration? You can break in as long as you don’t take anything?
MM: The difference between the hacker and the criminal is intent. If you’re an ethical hacker and you’re looking for vulnerabilities in order to report them, you must break in. If you have a neighborhood watch and you ask your neighbors to see if they can break into your house, they have to break in to show you that they can do it. Once inside the house, they shouldn’t take anything, though.
The same idea applies [with bounty programs]. [Hackers] have to show that it’s possible to break in. That’s where you get to the question of authorized versus unauthorized conduct, and then again, it’s the owner of the house who decides which is which. When you break into the house, how much do you need to do? Do you need to bring something outside to show it was possible or not? And that’s an individual decision for every customer of ours, who determines what they need as proof. The more proof you need, the deeper the hackers have to go to find it.
KC: In the security industry in particular, a lot of things that are considered best practices seem sketchy from the outside, for lack of a better word. When we were talking earlier about the Uber situation [before the event], you said you felt like Uber avoided a lot of risk. Can you talk about what you meant by that?
MM: When you say things look sketchy, things look sketchy when we are worried, and we’re worried when we have too little information. When you understand something, it doesn’t look sketchy anymore.
We represent a new model that hasn’t been done before, so many people on first blush think that it’s dangerous when it’s actually the opposite. There’s a real analogy to immunization and vaccines and how they work. The ethical hacking and bug bounty work is the immune system of the internet, so you have to create some of the bad stuff in order to create the defense.
It’s similar here. So when you actually do a bug bounty program, you have situations where it can escalate or de-escalate. Some of these hackers are no older than 15 . . . [and] there is excitement in the moment. These are hunters; they’re hunting for a trophy. And when they find it, they get very excited. And they may in the excitement say something, do something or ask for something that the other side finds problematic. If you then have the ability to de-escalate the situation, everybody will be happy and step-by-step, everybody will learn the right conduct. There are many situations where properly managed bug bounty programs will defuse situations that otherwise could have gotten out of hand.
KC: You recently testified before the Senate. What was that like?
MM: It was fantastic actually. I’ve never done it before, and I’m not even from this country, so it had special meaning for me.
The Senate asked us to testify for them two weeks ago to tell them what bug bounty and vulnerability disclosure programs are. So at the highest level of legislation in this country now, they have an understanding of the importance of hackers, [and know] we need them. We need hackers more than anything else.
But seeing the senators and their staff, the people working there [who are] seemingly underpaid and overworked are so sharp. I sent them one evening probably 20 URLs [along with] all our white papers and research and literature — everything — and by the morning they had read it and they had amazing questions. And in the hearing, every senator who spoke up said they believed in ethical hacking. They think bug bounty programs are an essential part of security in today’s society.
KC: One of the cool things about the last year, between Russia and these hacking stories, is people finally care about hacking.
MM: Some [of the hackers we work with] are teenage girls and boys today, and they’ll write us and say their life has changed. They bought an apartment for their mother, or they bought a bike for themselves. They show up on social media in their HackerOne hoodies. That’s their identity. It’s shaping them into decent, contributing citizens who take responsibility for the world. It’s amazing to see how these young people step up when we adults have been screwing up this world.
KC: You’ve told me you try to be frugal. When you’re raising all this money (roughly $75 million so far), where does frugality enter the picture?
MM: Not when you are raising money. No, no. When you are raising money, you talk about the biggest numbers you’ve heard anyone utter. [Laughs.]
You have to remember when you build a company to never believe your own PR and never to believe that you have to spend the money you get from VCs. You can raise a lot of money, but you don’t have to spend it — even when they say you should, which has happened in my career, in a company that went bankrupt.
VCs don’t take as much responsibility for their dollars as they take for their time. So as a CEO, you have to treat it as your own money and spend it properly.
The world says it’s so cheap today to do a startup and to use open-source software and to run your business in the cloud, and of course you can. But you end up paying for all kinds of extra services. We’re paying for 150 different software or SaaS packages right now. So you have to be careful who has an account and who can use it for what. You can easily spend all your money without noticing, so you want to be careful — unless you are one of our competitors, in which case, do spend your money. If you run out of cash, that’s fine with me.
Featured Image: Dani Padgett