Moderator: John Graham-Cumming, CTO, Cloudflare
JGC: We’re going to talk about hacking
Katie Moussouris helps people work around security vulnerabilities.
Ben Sadeghipour is a technical account manager at HackerOne, and a hacker at night
JGC: Ben, you say you’re a hacker by night. Tell us about this.
BS: It depends who you ask: if they encourage it; or, we do it for a good reason. “Ethical hacker” - we do it for a good reason. Hacking can be illegal if you’re hacking without permission; but that’s not what we do.
JGC: You stay up all night
BS: I lock myself in the basement
JGC: Tell us about your company.
KM: I was invited to brief the Pentagon when I worked at Microsoft; the Pentagon was interested in the implementation of this idea in a large corporation like Microsoft.
“Hacking the Pentagon”
The adoption of Bug Bounty has been slow. We were interested in working with a very large company like Microsoft. There was interest in implementing ideas from private sector at Pentagon. I helped the internal team at the Pentagon ask a bunch of questions. I told them “You’re already receiving a free pen test. You’re just not receiving the report.”
Trying to engage with the hacker community and provide a legal avenue to report to the Department of Defense.
It was important for the largest military organization in the world to admit that it didn’t identify all the bugs.
BS: Two years ago, no one would admit they hacked the government. Now it’s an important conversation to have.
JGC: Has the navy done it yet?
BS: That’s something we don’t know yet.
JGC: What you’re doing is not illegal, but there are some laws. What is the grey area? How are you not breaking the law?
BS: You’re okay as long as you’re following the policies.
JGC: Is this typical?
KM: When you get to potential impact, your well-meaning hacker will start to create some conflict.
They’ll say: describe the vulnerability steps you’re reproducing and the potential impact. We have opportunities to “clarify” the scoping rules.
Nation-states are different than private companies.
You’re giving permission to a hacker when you’re setting up a bug program; but there’s a fine line; it’s still a possible felony. When you’re thinking about it from the perspective of the DoD, you need to preserve the ability to go after a nation state, criminal actor, or any bad actor. So it’s a different kind of equity when you are creating the legalese.
I do this now with UK govt, mapping to specific laws: preserving litigative power while giving permission.
JGC: Let’s talk about bug bounties themselves. What is it / how does it work?
BS: In short: allowing hackers to hack programs and having an open communication line with them. Taking the step to allow hackers to be able to enter an application.
JGC: And you get paid… so there’s a market for this stuff out there. Who is competing in this market?
KM: I prefer to think of it as “offense market”. The highest prices are usually here. They are paying for both expertise and longevity of the bug.
Not about selling to the highest bidder. Compensation, recognition, and the pursuit of intellectual happiness are why many hackers pursue this. The defensive market is lower paid. Price is not the competition factor. You will create a situation where you cannot eventually employ your engineers.
So I look at: how do you find other levers than price?
JGC: What was your motivation for getting into hacking?
BS: First, curiosity. Then, to be able to help, knowing that I could make a difference. Third: the money aspect.
JGC: How do we create the right bug bounty program for a company looking for it?
KM: My company prevents premature bountification; organizations come to me and say they’ve never had a bug reported.
I make sure that companies have enough automation on back end; there are more efficient ways than starting a bug bounty program to discover vulnerabilities.
This is much more than how you found out about the bug.
JGC: How do you find and motivate the right hackers? Don’t you get a lot of low-hanging fruit?
KM: There are good examples of open source. How do you explain Heartbleed, a bug that has been sitting in such a popular codebase for two years? How do you attract skilled eyes and focus them where you want them? Microsoft was receiving 200,000 non-spam e-mails about bugs. It is about understanding the behavioral economics at play as opposed to gauging how much a project was worth and setting a price tag.
JGC: Ben, what do you think about recent Equifax breach? What can companies like that do to protect themselves from people like you?
BS: That’s a broad question. For me, I look for default settings.
Having a process of keeping these things updated.
Changing settings from default.
JGC: A lot of things get broken into; it’s not necessarily a sophisticated hack; it’s that the software wasn’t updated, and so on. Do bug bounties help with that? Or are there better ways?
BS: Yes; but they aren't the only solution. Maybe the default password has been sitting there for years and no one has changed it. When bug bounties find those things, we fix them, but they’re not the only solution.
JGC: How else can hackers help me get stronger?
KM: No matter how you find out about the bug, that’s not the problem to be solved.
Wherever you learn about the vulnerability is not the problem to be solved.
A bug bounty is one approach; but if a bug bounty shows a ton of low-hanging fruit, you could have found an intern to do that work.
There are more efficient things that you can do. A bug bounty is useful in giving a quick snapshot of the system. It’s useful in proving a point and showing for sure that vulnerabilities exist.
Even as consumers, there is an inundation of bugs that we all have to deal with even if we don't create software. There will be bugs that affect us as consumers. How do you as a consumer make a risk-based decision? Corporations make those same decisions; bug bounties help focus on what is most likely to get triggered and reconfigure.
JGC: During the presidential debates last year, Trump said that the hackings could be a guy in his basement. So who is hacking things?
KM: “Everybody is hacking everything.” We got the word espionage from the French; so “Hacking is just a new tool in the toolbox.”
We just happen to have our own equities that we need to protect along with our allies.
JGC: There is an informational imbalance between countries. When we think about spying as the second oldest profession, it seems like hacking must have been around for a long time.
What would be your advice about protecting myself as a business from a hacker?
KM: “Nail the basics.” We keep talking about vulnerability coordination, and a bug being found and a vendor fixing that bug. What about fix deployment? How do we deal with that? Figure out patch management, your risks and tradeoffs, and your regulatory environment. What are mitigations?
You should deploy a number of tests before you’re allowed to deploy that test.
JGC: What does it feel like to hack into something?
BS: It feels great. It’s great to be able to figure something out blindly.
Q: When I buy a car, I can look at safety ratings. A 5 star rating means you’re less likely to get killed in a crash.
Is there a way of ensuring computer security in this way?
KM: Gosh, wouldn't that be great! There’s been some talk about a cyber UL - consumer-type ratings; but it gets very complicated very quickly. Just counting bugs, for example: do you count a root-cause bug as one bug? Taxonomy is complicated; rating is complicated.
How do you count and rate? What does it mean once you rate? As new vulnerabilities are found, how do you deal with 5-star product? When we do have smart toasters, my plan is to have a dumb toaster.
Q: Can you re-explain “offensive vs. defensive market”?
KM: The offense market is the purchasing of vulnerabilities or exploits in order to use them for an attack; the defense market is things like bug bounty programs or third-party vulnerability acquisition services.
I define it by: what are you buying a vulnerability for?
Q: In terms of policy decisions, what should voters be looking out for?
KM: There was a recent proposed bill that DHS should run a bug bounty. I am opposed; you should be too. You cannot legislate a smoothly-run bug bounty program.
I worry about alliterative marketing: popularizing one method.
What I worry about are these regulators thinking that everything is now a hammer that can be hit by a bug bounty nail.
Also, there is proposed legislation about wanting to know the ingredient list of all software before the federal government buys it.
Now take that to its logical conclusion. A manufacturer of a submarine will now not just have to know the ingredient list of every component, but…
It’s important to keep Congress in tune with smart new tech policy choices, not just what’s trendy or in the latest news.
All our sessions will be streamed live! If you can't make it to Summit, here's the link: cloudflare.com/summit17