An article at darkreading.com caught my eye. It's about a 0day hacking contest named "Pwn2Own". The contest runs in a controlled, sandboxed setting, where entrants are tasked with finding exploits and using them to gain unauthorized access to a system or its resources. Over the years the contest has had different criteria, but this time the task is to find exploits in browsers and use them to compromise the underlying system. There is a cash reward involved: reportedly the 1st, 2nd and 3rd prizes total $105,000 US. Additionally, Google has a standing bounty for exploits, so finding one in this contest not only earns the participant contest points but also gets them the reward from Google.
This makes me happy. It publicizes hacking in a positive, 'white-hat' light. There are many misconceptions about the word 'hacker'. Many people automatically attach a negative connotation to it and make it seem as if all hackers are malicious by nature. The fact of the matter is that a hacker is generally someone who wants to figure out how things work and what will break them (exploits). White-hats do this in order to fix the problems; black-hats are the malicious ones who use the exploits for their own gain, whether financial, ideological, personal, etc.
This is exactly what the software and security engineering crowds need to focus on: figure out what the inherent problems are and fix them, rather than operating under a shroud of secrecy and security through obscurity, as I have mentioned before. That is the "what they don't know won't hurt us" theory, which by its nature is a very vulnerable philosophy. In an age where anyone can decompile software, sniff packets and network traffic, and even spoof those packets with little knowledge or effort, that philosophy is far too antiquated to be viable.
I think the industry needs to progress its thinking along the lines of this sandbox hacking contest, and promote the discovery of flaws in order to fix them instead of hiding them. It also gives me a sense of relief to know that companies like Google are offering cash rewards to hackers for bringing exploits to light. To me this is a solid business model. I will be more comfortable using a company's software if I know it is following these practices in order to better serve me and the public. Not to mention that maybe someday, when I have the time, I can be part of this white-hat hacking crowd, help improve a product, and pad my wallet with some dollar bills in the process.
The idea of paying hackers gives people an incentive and motivation to provide support, insight, and improvements to the software that the public and private sectors use, making all of our technology experiences better. One can also find employment doing this, as I know that several famous hackers have been hired by security firms, directly or indirectly, for pointing out exploits.