why should the government hire computer hackers


Introduction:

1. Episode #2: Why should you hire a hacker bug bounty?

2. Experts Weigh In On How U.S. Should Respond To Massive Computer Hack

Episode #2: Why should you hire a hacker bug bounty?

  — PROLOGUE —

  JM:

  There is a famous security researcher who goes by the nickname ‘The Grug Q’ and there’s a famous picture of him. He’s a South African living in Thailand and there was this picture of him wearing, remember that shoe that covered your toes that was popular about eight years ago?

  Kristen:

  What were those, those like-

  The toe shoes?

  Yeah, they wrapped around each toe, they were supposed to be good for running or something.

  They’re called Vibram FiveFingers. Thanks Google.

  So there’s this picture of him in Thailand, sitting in a bar with a bag of cash. Cash. Like in the movies? Like you see the duffel bag full of greenbacks, hundred dollar bills. That was him, the Grugq in Thailand wearing toe shoes, with a bag full of cash, selling zero-days to whatever oppressive government wanted to buy them.

  That man that’s being described, ‘The Grugq’ is a hacker….

  But not just any hacker, no. He’s the most important person in the hacking pipeline: a hack BROKER…. His hacker friends find hacks, sell them to him, and then he sells them to the highest bidder.

  On this week’s show, we’re talking cybersecurity. Sure, cyber security is about code and exploits, but it’s also about incentives.

  Because guys like this exist for one reason: his incentive to steal from you is greater than his incentive to keep you safe.

  That’s why today, we’re talking about bug bounties – gig economy platforms that give hackers the incentive to do the right thing and give platforms and organizations an incentive to stop you from getting hacked.

  — INTRO —

  Hey- I’m Kristen Di Mercurio. Lately, so much of our work has gone online. So I’ve been thinking about freelancing, marketplaces and the future of work.

  That’s what our new show, Geek Economy will help you understand. We’ll also show you how the gig economy moving forward, is going to change our lives and our culture.

  I would say I know a thing or two about this industry. I’m a professional actress, singer, voice over artist, and I’ve been in my fair share of podcasts.

  As an actress, I’ve had all kinds of survival jobs. I’ve worked for taskrabbit, postmates, event staffing, and temp agencies.

  Basically, in my world, getting the next gig is the name of the game.

  As more jobs go online GEEK ECONOMY will help guide you through…. We’ll explore freelancing, marketplaces, and the future of work. We’ll also show you how the gig economy will change our lives and our culture.

  Geek Economy is brought to you by Bunny Studio. Trusted by more than 50,000 companies every year, Bunny Studio helps businesses scale their creative needs with a vetted crowd of freelancers.

  — ACT ONE —

  One of our guests this week is a cybersecurity journalist and comedian based in New York. His name is JM Porup and he knows how important cyber security is…

  There are millions of developers around the world building the digital infrastructure of the internet-enabled world in which we live, and that code is also unintentionally full of bugs. And some of those mistakes, those bugs can be exploited as security flaws by bad people who want to do bad things, maybe they’re crooks, maybe they’re spies, maybe they’re gangsters, maybe they’re, you know, an unhappy employee.

  And, what does software run today? Water purification plants, energy plants, you know, the telephone system, nine one one, triple zero in Australia. You know, like the world is built on top of the internet now today and it’s full of bugs. Cars are computers on wheels and they are full of security holes, you know, that could kill people, you know?

  So this is a public safety issue, not just some sort of weird theoretical, Oh, those ‘computer people’, you know, this is a- this is a public safety issue!

  And that hack broker wearing Vibram FiveFingers in a Thailand bar with a duffel bag full of cash? Since the world is such a small place now, you can’t get rid of him. You can only COMPETE with him. And that’s where a bug bounty program comes into it. You assemble a group of hackers, ask them to find bugs – VULNERABILITIES – in your software or website, and then pay them when they find information that’s helpful to you.

  Big tech companies like Microsoft or Google would employ bug bounty programs… And in the last 10 years a bunch of companies have sprung up that will organize a bug bounty program for you and your company.

  Rayna:

  So a bug bounty is a continuous examination of security. That’s you know, what it does. How it works, is a different, matter. So imagine you are a company or a public administration, that doesn’t really matter, and you plan to put, I don’t know, a connected fridge on the market, right?

  Rayna Stamboliyska is the VP Governance & Public Affairs at yeswehack. They’re the biggest bug bounty firm in Europe.

  However, how do you ensure that, you know, your fridge that connects to the wifi will not get taken over by some malicious person? You know, guys are out there, we hear about them every day. So what you can do is come to us and say, look, guys, I’m having this super product that goes on the market.

  We connect you with well-meaning hackers or ethical hackers that we basically call ‘hunters’, because they will hunt for vulnerabilities. And so the advantage of this is, if you’re like pretty sure that your product is top notch, you can have thousands of actual hackers, or hunters, looking at your product.

  What happens there is that on one side you will only pay for vulnerabilities that are within the scope that you have defined. Anything that is outside, well, thank you, but this wasn’t in the scope, right? And what the hunters do is basically they identify what we call attack vectors, meaning ways of inflicting harm on your fridge or product or service. And whenever they submit a report, a vulnerability report that you accept as valid, they get paid.

  So how do hackers feel about the bug bounty program? You’ll meet a hacker and find out for yourself, after the break…

  Break:

  Hey! If you’re liking what you hear and you have a minute, please subscribe, rate, and review on whatever app you’re using to listen. We are on Apple Podcasts, Spotify, Google Podcasts, Amazon, and more! This helps us get the word out to other people so they can learn a bit more about how important the Gig Economy is for everyone. Thanks for listening.

  — ACT TWO —

  What makes bug bounties exceptional? And why are they so much better than just hiring a security expert to work on your platform? Well, to find out, we talked to an actual hacker.

  But first I want you to meet Jon… He started working on bug bounty projects a few years ago, after his brother – who works as a professional security researcher – got him into it. We asked him what his favorite bug that he’s found was…

  Jon:

  But another one I found recently, I was happy about it because it was so simple: I found a website that just said, can you log in here, and N G or username and password.

  So I took the URL of that website and I put it in Google, and the first answer from Google was a hacker forum, and inside the hacker forum it had the username and password. So it was there for him since 2019. And, yeah, as soon as I reported that, they took that website down. They just said, oh, forget it, we have to do some work on this.

  And this is a perfect example, because if you were to hire a security researcher to find bugs in your code, this is something they might not find because of how stupidly simple it is.

  Now, to be clear, Jon spends most of his time catching bugs which are a lot more difficult to find than that, but it does illustrate the point that bug bounty programs, and gig economy platforms in general, work because of one thing: incentives.

  If you’re paying someone to work by the hour, they’re going to work by the hour. If you’re paying them to find bugs, they’re going to find bugs. Jon agrees.

  I’ve heard about a bug that required them to actually use their phone to order an Uber, get in the Uber, take the ride, and then after they got out of that, they exploited some kind of vulnerability. So they’re very complex, and people work really hard on bug bounties. But for penetration testing, like my brother, and I’ve done some work with him too, it’s more simple. It’s kind of just like you use a program to scan the website and it’ll tell you the very simple bugs, and then you take a look at it and you find some bugs. But since he’s already getting paid, he’s not going to break himself trying to find bugs; he knows he’s going to get money anyway, you know?

  He doesn’t have to find such complex bugs. If he doesn’t find it, it doesn’t matter. You know, he just has to prove that he’s tested the website. But the bug bounty people, they have to find bugs. So they will work really hard. They will try very out-of-the-box thinking to find vulnerabilities.

  I definitely think complex bugs will be found using bug bounties rather than penetration tests. Even the Department of Defense, you know, the US government, some of them use bug bounty programs.

  But this is where we can run into a big problem. Yes, it’s an incentive structure where hackers are being paid to find bugs. And the bugs they find are important. But that doesn’t actually make the companies more secure. To actually be more secure, you need to FIX the problems hackers are telling you about.

  Here is Jason, another bug bounty hacker.

  Jason:

  It’s common and it’s super annoying, and a lot of times you spend time on it. I know I do as a researcher. I tell them, you know, patch this thing, this library; I try to get them to the solution as fast as I can.

  I mean, it’s like picking and choosing how many locks on your door actually work, right?

  Right. Yeah. And you should probably have a window next to it. That’s not broken.

  JM says this is super common.

  How many pen testers have told me, as a journalist: every year I go to the same client and I conduct a pen test, and I find the exact same holes I found last year, and they have changed nothing. Probably 80% of every pen tester I’ve ever spoken to has told me that story. It’s so frustrating. You know, so pen testing is important, and bug bounty is like crowdsourced pen testing in a way, but it’s still the icing on the cake.

  Like, if you can’t fix the bugs you already know about, why are you asking for more? You know, fix the bugs you already know about. What good does it do you to pay people to tell you you’ve got more bugs if you’re not dealing with the bugs you already know about? How is that making anyone more secure?

  And it seems to me that misplaced incentives are the biggest problem in cyber security. The big picture thing I would leave your listeners with is that offensive cybersecurity is a technical problem and defensive cybersecurity is a political and economic problem.

  Trying to defend in a situation where the attacker only has to be right once and I have to be right every single time, as you can imagine, is a very difficult and very expensive game.

  And unless there are political and economic incentives to motivate people who make and deploy software to spend the extreme amounts of money and time required to achieve that goal.

  — ACT THREE —

  As JM is alluding to, cybersecurity isn’t just about stopping hackers. It’s implementing tight defenses, effective guidelines for organizations and platforms, and meaningful action from our policymakers.

  With cybersecurity, everyone is a stakeholder, so it’s everyone’s responsibility to take action, whether it’s using a password manager, using a bug bounty program, or passing bills about disclosing data breaches. Once again, we’re all in this together.

  If there’s one thing bug bounties tell us, it’s that when it comes to the gig economy, incentives work. So it might be time to speak up, let your voice be heard, and send the message to policymakers, platforms, and organizations that our privacy is important. Rayna agrees.

  That’s what we would hope to see in, like, 10 years: more harmonized, you know, ways of holding vendors accountable for, you know, the products they put on the markets and for what harm can come to end-users. And those need special attention everywhere, not just in France, not just in Australia.

  They need special attention all over the world, because people’s lives actually depend on it. Right.

  So what we would like, and what we are again working on, is to have those vital services and infrastructures safer and more resilient, so that basically fewer lives are in danger. So let’s hope that 2030 will see us much less vulnerable and much less running after the bad guys who do harm to hospitals and health infrastructures during a worldwide pandemic.

  — OUTRO —

  Thanks for listening to Geek Economy: The show that helps you understand how the gig economy is going to change our lives and our culture.

  Find great video creators, voice over artists, designers, writers, and more at bunny studio dot com slash geek economy offer. The link is in the show notes.

  If you liked this episode, please share this with someone that would find this of interest. And while you’re at it don’t forget to subscribe, rate, and review on whatever app you use to listen.

  Enjoy the show? It’d mean the world to us if you follow the Podcast on Spotify, or your preferred app!

  This episode was produced in collaboration with Bunny Studio and Pod Paste in Sydney, Australia.

  Executive Produced by Daren Lake
  Written and Produced by Aidan Molins
  Audio Production, Sound Design, and Engineering by Aemyn Connolly
  Podcast management by Michelle Le
  Supervising Editor – Mike Williams
  Assistant Storywriter – Charles Montano

  You can check out all of our amazing guests online who helped make this episode great:

  J.M. Porup, cybersecurity journalist
  Jon Nichols, bug bounty hacker
  Jason Kent, hacker in residence at Cequence Security
  Rayna Stamboliyska, VP Governance & Public Affairs at Yes We Hack

Experts Weigh In On How U.S. Should Respond To Massive Computer Hack

  NOEL KING, HOST:

  How should the U.S. government respond to a computer hack that breached both government networks and private companies? Most cybersecurity experts think Russia is responsible for the hack. And NPR's national security correspondent Greg Myre has been talking to some of them. Good morning, Greg.

  GREG MYRE, BYLINE: Good morning, Noel.

  KING: Perhaps most importantly, is the hack over?

  MYRE: Absolutely not. It's still ongoing, and we're continuing to learn details. We've heard now that the Treasury Department hack occurred in July. And, like other government departments, this was just uncovered in recent days. The email of top officials was hacked, though apparently not the account of Treasury Secretary Steve Mnuchin - also, no evidence that classified systems were breached. This information has come from Democratic Senator Ron Wyden, who was briefed on the matter.

  And we can expect this kind of information to sort of dribble out in the weeks and months ahead as government agencies and private companies go through their computer networks. But clearly, much of this is going to fall on the Biden administration to make sure the hack inside government computer networks is over, that there's clear attribution on who did it and then to decide how to respond.

  KING: These major breaches have happened before. Does the government have a strategy to deal with them?

  MYRE: No, absolutely not. Again, there are no rules or red lines or clear consequences for adversaries who get caught. Now, to date, what we end up seeing is lots of hand-wringing and ultimately some sort of limited responses. Right now with this current hack, we're seeing wrestling over the definition. Some members of Congress call this an act of war. Now, cyber experts in the intelligence community do see it as a big deal but more along the lines of traditional espionage, albeit on a massive scale. I spoke about this with P.W. Singer, a cyber expert at the New America think tank.

  P W SINGER: This was not an act of war. This is more Cold War-style back-and-forth espionage, stealing of secrets. That's why you've seen the reaction from the intelligence community to be a mix of, oh, my God - what just happened? - and, gosh, we've got to tip the hat to them; what a coup for them.

  KING: So if there is no clear way to respond, Greg, what are the range of options here?

  MYRE: Well, traditional spying might generate public criticism, kicking out suspected spies or perhaps some sanctions. But when this has happened, it really hasn't changed the behavior of Russia or any other adversaries. They still see hacking as a low-cost, high-return proposition. Singer says the U.S. can and needs to do much more and should create deterrence in two ways. He gave a boxing analogy, saying the U.S. needs to punch back harder and also develop more resiliency to absorb the growing number of cyber blows.

  SINGER: I make the parallel to Mike Tyson - you don't hit him 'cause he'll punch you back in the face - versus Muhammad Ali - rope-a-dope, right? - through resilience, where you don't hit me because it just won't work out for you.

  KING: What else do we know? So we know that the government and private companies were both hacked. What do we know about the private companies? We haven't heard that much from them. Have we?

  MYRE: No, that's right, but we are hearing more. The hackers clearly targeted many tech companies, and this makes a lot of sense. They - the hackers clearly want these cutting-edge cybertools that these companies have so, presumably, the hackers can use them themselves. And the first organization to detect this hack two weeks ago was FireEye, a prominent cybersecurity firm.

  FireEye CEO Kevin Mandia spoke with NPR's All Things Considered yesterday, and he said these hackers were extremely sophisticated, and once they got into the system, they carried out an operation that was specifically designed to attack FireEye. He realized very early on, as they launched their own investigation, that this was a level of tradecraft he'd never seen before. And he said the scale of this hack really drives home the need for a strong national cyber policy.

  (SOUNDBITE OF ARCHIVED NPR BROADCAST)

  KEVIN MANDIA: It's time this nation comes up with some doctrine on what we expect nations' rules of engagement to be, and what will our policy or proportional response be to folks who violate that doctrine? Because right now there's absolutely an escalation in cyberspace.

  KING: It just seems astonishing that we don't yet have the doctrine in the year 2020. The U.S., however, does have a lot of cybersecurity might. What is preventing us from using it more effectively?

  MYRE: Noel, you're still seeing a lot of things that are in the works. Homeland Security's cyber agency was just launched in 2018. It focused on the elections this year and, by all accounts, did a good job. Right now, there's the military authorization bill on the president's desk waiting to be signed. It has money for additional cyber upgrades. And by all accounts, you're seeing a lot more cooperation between the government and private tech companies.

  But this country is losing huge sums of money due to these cyberattacks. And a couple years ago, the NSA director, Paul Nakasone, was at his confirmation hearing, and he was asked if adversaries fear the U.S. in cyberspace. He said, the answer is absolutely not.

  KING: NPR's Greg Myre. Thanks so much, Greg.

  MYRE: My pleasure.
