
posted by Fnord666 on Thursday January 18 2018, @07:07PM
from the la-la-la-can't-hear-you dept.

[Update: Corrected title per first comment. Also, should you find any kind of vulnerability with SoylentNews, please send a description to "dev" at "soylentnews.org" and we'll address it as soon as possible. --martyb]

Submitted via IRC for AndyTheAbsurd

Almost a quarter of hackers have not reported a vulnerability that they found because the company didn't have a channel to disclose it, according to a survey of the ethical hacking community.

With 1,698 respondents, the 2018 Hacker Report, conducted by the cybersecurity platform HackerOne, is the largest documented survey ever conducted of the ethical hacking community.

In the survey, HackerOne reports that nearly 1 in 4 hackers have not reported a vulnerability because the company in question lacks a vulnerability disclosure policy (VDP) or a formal method for receiving vulnerability submissions from the outside world.

Without a VDP, ethical, white-hat hackers are forced to go through other channels like social media or emailing personnel in the company, but, as the survey states, they are "frequently ignored or misunderstood".

But that means that three-quarters DO, which I guess is good news. Or at least not bad news.

Source: http://factor-tech.com/connected-world/27830-a-quarter-of-ethical-hackers-dont-report-cybersecurity-concerns-because-its-not-clear-who-they-should-be-reporting-them-to/


Original Submission

  • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @07:21PM (3 children)

    by Anonymous Coward on Thursday January 18 2018, @07:21PM (#624305)

    > A Quarter of Ethical Hackers Don't Report Cybersecurity Concerns
    > Almost a quarter of hackers have not reported a vulnerability that they found because the company didn't have a channel to disclose it

    The title is immediately contradicted by the first sentence in the TFS quote.

    A quarter of hackers *couldn't* report *a* vulnerability. That's very different from "don't report vulnerabilities". "Sometimes couldn't do" clickbaited to "never do".

    Please, editors, change the title: "don't" should be "couldn't".

    • (Score: 2) by martyb on Thursday January 18 2018, @08:01PM (2 children)

      by martyb (76) Subscriber Badge on Thursday January 18 2018, @08:01PM (#624331) Journal

      Please, editors, change the title: "don't" should be "couldn't".

      Ugh. Original title from submission was too long to fit and it got truncated inappropriately. Thanks for pointing this out -- fixed!

      --
      Wit is intellect, dancing.
      • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @08:06PM (1 child)

        by Anonymous Coward on Thursday January 18 2018, @08:06PM (#624334)

        Thanks for fixing it!

        And why does the submission form allow titles that are too long to fit? It would seem worthwhile to limit it there.

        • (Score: 2) by martyb on Thursday January 18 2018, @08:48PM

          by martyb (76) Subscriber Badge on Thursday January 18 2018, @08:48PM (#624373) Journal

          Thanks for fixing it!

          And why does the submission form allow titles that are too long to fit? It would seem worthwhile to limit it there.

          Umm, that IS the problem... it was truncated before we received it. Scroll back to the story and see the Original Submission [soylentnews.org] link? Click that and you will see the linked story has this for its title:

          A quarter of ethical hackers don’t report cybersecurity concerns because it’s not clear who they should be reporting them to

          It appears that the submitter just did a cut-and-paste into the title field... which truncated it to be:

          A quarter of ethical hackers don't report cybersecurity concerns because it's not clear wh

          The attempt to rectify *that* truncation resulted in the inadvertent change of meaning. We've been training up bots on IRC, but as you can see, MrPlow does not seem to be capable of making the same level of mistakes as has been perfected by us humans. =)

          --
          Wit is intellect, dancing.
  • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @07:26PM (7 children)

    by Anonymous Coward on Thursday January 18 2018, @07:26PM (#624308)

    Email albert at users.sf.net if you want to do this stuff for a living. You'll need to be a US citizen.

    In case you aren't sure about your qualification: really it is just being able to work with low-level code. Being able to debug assembly code is good. People who write drivers, emulators, and compilers are probably suited to the work.

    • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @07:42PM (2 children)

      by Anonymous Coward on Thursday January 18 2018, @07:42PM (#624320)

      Fake job. Mod down.

      • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @07:49PM (1 child)

        by Anonymous Coward on Thursday January 18 2018, @07:49PM (#624325)

        My paycheck is real. I get full benefits, including 401K matching and fully paid health insurance.

        Yes, you really can get paid for this stuff. OK, maybe not you, but it works for me and hundreds of others.

    • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @08:19PM (1 child)

      by Anonymous Coward on Thursday January 18 2018, @08:19PM (#624350)

      Didn't know this turned into a fake job board. Here's one for the road:

      Ruby/PHP Server / Backend Engineer

      Responsibilities:

      -Write maintainable, scalable server code.
      -Modify and extend our backend systems and technologies depending on business requirements
      -Develop server side implementation of game features
      -Work side by side with our Games client side team to test / develop features
      -Work with Customer Support and Product departments in order to debug / fix production issues
      -Work with QA department to address bugs and implementations of tools for testing
      -Implement instrumentation of our different External and Internal Services

      Requirements:
      -3+ years of experience working with Ruby on Rails (Ruby), Laravel (PHP)
      -Strong Knowledge of Software Design and Architecture Best Practices
      -Experience writing RESTful services or APIs
      -Strong knowledge and experience writing scalable SQL queries
      -Basic to Intermediate experience deploying applications using:
      ---- Capistrano
      ---- Custom Capistrano Recipes
      -Proven experience dealing with scaling issues at different infrastructure levels:
      ---- Application code
      ---- Server infrastructure / resources
      ---- Database
      ---- Networking
      -Experience using source control (Git, SVN or Mercurial)
      -Feels comfortable working in teams and is not afraid to ask questions
      -Ability to communicate technical issues to a non technical audience
      -Fast learner

      Bonus (desirable to have but not required):
      -(Huge Plus) Proven experience setting up and tuning the following technologies:
      ---- Apache + Phusion Passenger
      ---- MySQL
      ---- Memcached
      ---- Redis
      ---- Haproxy
      -Familiarity with Sidekiq, Delayed Jobs, Resque or similar technologies
      -Experience using Nginx
      -Familiarity with Monit and Nagios
      -Experience with any NoSQL database
      -Basic C# knowledge
      -Usage of Ant, Maven or similar technologies

      • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @08:40PM

        by Anonymous Coward on Thursday January 18 2018, @08:40PM (#624369)

        Offering a 100% relevant job is quite different. It answers the question of "where to report".

    • (Score: 2) by tibman on Thursday January 18 2018, @09:18PM (1 child)

      by tibman (134) Subscriber Badge on Thursday January 18 2018, @09:18PM (#624403)

      What about web stuff?

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 0) by Anonymous Coward on Friday January 19 2018, @09:44AM

        by Anonymous Coward on Friday January 19 2018, @09:44AM (#624633)

        Partly, it is just expected that everybody can do web stuff. That could be a wrong assumption, but not seriously wrong.

        Partly, web stuff is site-specific. You would probably need foreign-language skills and you would probably need to work in the DC area.

  • (Score: 3, Interesting) by DannyB on Thursday January 18 2018, @07:49PM (3 children)

    by DannyB (5839) Subscriber Badge on Thursday January 18 2018, @07:49PM (#624326) Journal

    Why should this be surprising when the parties guilty of having the vulnerability instantly take a "Shoot The Messenger" mentality?

    For example AT&T or Apple had a problem that by changing a GET parameter, visible in the URL,
    some type of, for example: &id=53782
    to a different number, you can access a different customer or something you were not intended to see.

    Try reporting that? Get called a hacker! They call the FBI.

    No good deed goes unpunished.

    So is it any wonder why ethical hackers aren't going to report vulnerabilities?

    --
    The lower I set my standards the more accomplishments I have.
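The id-swapping flaw DannyB describes above (changing a visible &id= parameter to read another customer's record) is an insecure direct object reference. The following is an added example, not code from the article or any commenter, shown from the defender's side: the lookup that trusts the id parameter next to the same lookup scoped to the authenticated user, plus a check over access-log lines that flags a session requesting many distinct ids. The customer records, session table and log lines are all constructed sample data.

```python
"""IDOR from the defender's side: vulnerable lookup, authorized lookup,
and a detector for the access pattern the flaw produces.
All records, sessions and log lines below are constructed sample data."""
from collections import defaultdict

# Constructed customer store: id -> record. `owner` is the field that
# authorization must be checked against.
CUSTOMERS = {
    53782: {"owner": "alice", "plan": "gold"},
    53783: {"owner": "bob", "plan": "silver"},
    53784: {"owner": "carol", "plan": "gold"},
}

# Constructed session table: session token -> authenticated user.
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}


def lookup_vulnerable(session, customer_id):
    """Authenticates the caller but then trusts the ?id= parameter:
    any logged-in user can read any customer's record."""
    if session not in SESSIONS:
        return None
    return CUSTOMERS.get(customer_id)


def lookup_authorized(session, customer_id):
    """Scopes the lookup to the caller: the record must belong to the
    authenticated user. A foreign id gets the same answer as a missing
    one, so the response does not reveal which ids exist."""
    user = SESSIONS.get(session)
    if user is None:
        return None
    record = CUSTOMERS.get(customer_id)
    if record is None or record["owner"] != user:
        return None
    return record


def suspicious_sessions(log_lines, threshold):
    """Flag sessions that requested more than `threshold` distinct
    customer ids. A legitimate customer touches their own id, not a
    range of them. Constructed log format per line:
    '<session> <method> <path> <status>'."""
    ids_seen = defaultdict(set)
    for line in log_lines:
        session, _method, path, _status = line.split()
        _, _, query = path.partition("?id=")
        if query.isdigit():
            ids_seen[session].add(int(query))
    return sorted(s for s, ids in ids_seen.items() if len(ids) > threshold)


# Constructed access log: sess-b walks through several ids, sess-a does not.
SAMPLE_LOG = [
    "sess-a GET /account?id=53782 200",
    "sess-a GET /account?id=53782 200",
    "sess-b GET /account?id=53783 200",
    "sess-b GET /account?id=53782 200",
    "sess-b GET /account?id=53784 200",
    "sess-b GET /account?id=53785 404",
]

if __name__ == "__main__":
    # alice's session reading bob's record: leaks with the first lookup only
    print(lookup_vulnerable("sess-a", 53783))   # bob's record
    print(lookup_authorized("sess-a", 53783))   # None
    print(suspicious_sessions(SAMPLE_LOG, 2))   # ['sess-b']
```

The detector is a coarse signal, not proof of intent; in practice it would be tuned against how many distinct records a legitimate user of the application normally touches.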
    • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @08:07PM

      by Anonymous Coward on Thursday January 18 2018, @08:07PM (#624337)

      yes, it goes a little beyond "don't have formal reporting blah, blah". try "asshat windows users leave their front door wide open blowing in the wind and when you peek your head in to tell them their door is flapping about, they rat you out to some nearly equally stupid bastards for breaking in." screw these companies. they deserve to be attacked until they go out of business.

    • (Score: 2) by Grishnakh on Thursday January 18 2018, @09:17PM (1 child)

      by Grishnakh (2831) on Thursday January 18 2018, @09:17PM (#624402)

      When ethical hackers are treated like that, I really have to wonder why there's any "ethical hackers" still left.

      • (Score: 0) by Anonymous Coward on Friday January 19 2018, @12:36AM

        by Anonymous Coward on Friday January 19 2018, @12:36AM (#624494)

        Some people just like being ethical.

  • (Score: 2) by bzipitidoo on Thursday January 18 2018, @08:16PM (5 children)

    by bzipitidoo (4388) on Thursday January 18 2018, @08:16PM (#624347) Journal

    Just add "on a computer" to so many actions, and that makes it a serious crime-- or a patentable invention.

    The overkill with criminalization certainly pushed me away. I've been accused of hacking into accounts on computer systems I never even knew existed, just because they believed I might know how. They're so scared of hackers, think hacking is such an impenetrable mystery, they think we're the Unstoppable Force. Like in the bad movie Superman 3, a hacker reprograms weather satellites to cause terrible storms in Colombia and destroy their coffee crops.

    Just for trying a doorknob on a door that was not even clearly marked "do not enter", isn't clearly not a public entrance, and discovering the door was not locked, you can be accused of hacking. Rather than face the embarrassment of admitting that they didn't give two shits about security, because that costs more money and slows down production and all that, they would rather gin up hysteria over superhumanly smart, evil hackers and tar and feather some poor programmer, to serve as an object lesson to anyone else who might have any curiosity. And then they complain about lack of initiative. DRM proponents are especially prone to that thinking, can't face the fact that DRM is a joke and the universe won't cooperate with their vision of ownership.

    Heck, we had this fight over the Right to Repair your own tractors and cars. It was a completely ridiculous fight that should never have been an issue, if the world wasn't full of dim witted control freaks who hate education for the masses because it makes control harder.

    • (Score: 1) by tftp on Thursday January 18 2018, @09:19PM (3 children)

      by tftp (806) on Thursday January 18 2018, @09:19PM (#624404) Homepage

      Just for trying a doorknob on a door that was not even clearly marked "do not enter", isn't clearly not a public entrance, and discovering the door was not locked, you can be accused of hacking.

      No sane person wants to wake up in the middle of the night every ten minutes from the rattling sound produced by yet another yahoo who "just tries the doorknob on your house's door". Unwanted portscanners are like thieves who are "casing the place" to prepare for a later break-in.

      • (Score: 2) by Grishnakh on Thursday January 18 2018, @09:31PM (2 children)

        by Grishnakh (2831) on Thursday January 18 2018, @09:31PM (#624412)

        Bad analogy. It's more like some "yahoo" who uses a tricorder to scan all the doorknobs in his condo building to see who forgot to lock their door, and then politely informs them so some dangerous or deranged person doesn't barge into their house (which is something that actually happened to me when I was young). If your door is locked, and you don't have any devices looking for the tachyon emissions (or whatever) from the tricorder scan, you'll never know you're being scanned.

        Now if your argument is that public-facing servers have to look at all network traffic because of security concerns, so my analogy is invalid and the rattling sound at night analogy is more correct, then that's just what you have to put up with when you put your systems on the internet and invite public access. So the analogy here is that you're being woken up from helpful doorknob-testers because you've decided to live in a dangerous ghetto where people are frequently home-invaded.

        • (Score: 1) by tftp on Thursday January 18 2018, @09:58PM (1 child)

          by tftp (806) on Thursday January 18 2018, @09:58PM (#624422) Homepage

          So the analogy here is that you're being woken up from helpful doorknob-testers because you've decided to live in a dangerous ghetto where people are frequently home-invaded.

          In your analogy the life expectancy of such a tester is very, very short :-)

          With regard to the facts of the matter, 99.999% of all portscans are initiated by script kiddies from their home IP, and everyone should have concerns about their ethics. If they discover a door open, chances of them kindly informing you are negative.

          • (Score: 2) by Grishnakh on Thursday January 18 2018, @11:06PM

            by Grishnakh (2831) on Thursday January 18 2018, @11:06PM (#624458)

            With regard to the facts of the matter, 99.999% of all portscans are initiated by script kiddies from their home IP, and everyone should have concerns about their ethics. If they discover a door open, chances of them kindly informing you are negative.

            If that's the case, then sysadmins should be happy for the rare person who portscans them with the intention of kindly informing them of vulnerabilities.

    • (Score: 2) by Grishnakh on Thursday January 18 2018, @09:20PM

      by Grishnakh (2831) on Thursday January 18 2018, @09:20PM (#624405)

      Heck, we had this fight over the Right to Repair your own tractors and cars. It was a completely ridiculous fight that should never have been an issue, if the world wasn't full of dim witted control freaks who hate education for the masses because it makes control harder.

      That's not exactly the same. The Right to Repair is about having the information and access to tools to repair your own tractor or car. It isn't opposed just because some evil people want "control" or power, it's because some evil people want more profit. It hurts corporate profits when people fix their own stuff.

      That motivation really isn't there if you, for instance, find a security vulnerability in a University computer system.

  • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @08:57PM (3 children)

    by Anonymous Coward on Thursday January 18 2018, @08:57PM (#624384)

    What, bugtraq and other full disclosure lists suddenly disappeared?

    Or is it trying to get *paid* for a vulnerability that this "quarter of ethical hackers" wasn't able to succeed in?

    • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @09:12PM (2 children)

      by Anonymous Coward on Thursday January 18 2018, @09:12PM (#624398)

      Free reporting is too much bother.

      Paid reporting is great, but to get a reliable paycheck you need a security clearance. (see downmodded post) Some people have issues with foreign family, drug use, mental illness, or serious debt. Without that clearance, the best you can do is the occasional awkwardly brokered sale. Nobody trusts you to deliver a real exploit, and you don't trust them to see it without prior payment. You won't be getting that 6-figure salary with full benefits.

      • (Score: 2) by Grishnakh on Thursday January 18 2018, @09:25PM

        by Grishnakh (2831) on Thursday January 18 2018, @09:25PM (#624409)

        Some people have issues with foreign family, drug use, mental illness, or serious debt.

        They don't do drug tests for clearances these days.

        Foreign family shouldn't be a big problem, unless your foreign family is in/from a problematic country. Family living in Australia or something shouldn't be an issue.

      • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @11:26PM

        by Anonymous Coward on Thursday January 18 2018, @11:26PM (#624467)

        Free reporting is too much bother.

        How so? If you care, tell the company first, then later post a writeup to Bugtraq. Can't get simpler than that.

  • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 18 2018, @09:04PM (1 child)

    by Anonymous Coward on Thursday January 18 2018, @09:04PM (#624392)

    Those are OKish hackers.

    The bad ones use the holes to make ransomware.

    The good ones support America. They sell to the NSA, CIA, Army, and Air Force.

    The really good ones, better than me, freely give to the NSA, CIA, Army, and Air Force.

    • (Score: 0) by Anonymous Coward on Thursday January 18 2018, @09:58PM

      by Anonymous Coward on Thursday January 18 2018, @09:58PM (#624423)

      Lol, this guy patriots.

  • (Score: 3, Interesting) by nobu_the_bard on Thursday January 18 2018, @09:13PM (5 children)

    by nobu_the_bard (6373) on Thursday January 18 2018, @09:13PM (#624399)

    I don't know if I qualify as a "hacker" but I have reported vulnerabilities in the past and gotten swept aside until something exploited it down the line or the thing collapsed, and THEN it was fixed. This showed my time was wasted since the result I wanted to avoid happened anyway.

    • (Score: 1) by tftp on Thursday January 18 2018, @09:22PM

      by tftp (806) on Thursday January 18 2018, @09:22PM (#624406) Homepage

      Count your blessings, since there was evidence that you knew of the vulnerability before it was used for crime.

    • (Score: 2) by RS3 on Thursday January 18 2018, @09:22PM (2 children)

      by RS3 (6367) on Thursday January 18 2018, @09:22PM (#624408)

      I share your experience and sentiment, albeit mostly in the world of hardware. You, sir, are a nobleman. You sought improvement, you learned, and your intentions, values, ethics, motivations, curiosities, and rewards were all for the betterment of the world. Your time was not wasted, you've done well. That some company of fools ignored you only reflects on them. You did your part. Seek more fertile ground; IE: look for a better job / organization.

      • (Score: 2) by nobu_the_bard on Friday January 19 2018, @01:32PM (1 child)

        by nobu_the_bard (6373) on Friday January 19 2018, @01:32PM (#624672)

        They weren't in things that I owned or an org I worked for, though sometimes they were for vendors clients hired, but I appreciate the sentiment.

        • (Score: 2) by RS3 on Friday January 19 2018, @03:20PM

          by RS3 (6367) on Friday January 19 2018, @03:20PM (#624709)

          Yes, again, you tried and you deserve recognition. In life, in general, I wish more people cared to try to make the world better.

          I've worked in and for, and been a highly integral part of, companies and organizations where most of the time, if I tried to improve something, I was met with resistance, opposition, and all-out roadblocks. In my first job, pre-college, tiny company, one of my roles was final QC: test, calibration, etc. I would tell the bosses the thing was not ready to be shipped, but they would insist on shipping "on time". A week or two later I would be getting on a plane with tools. Not sure how profitable that could be.

    • (Score: 2, Interesting) by Anonymous Coward on Thursday January 18 2018, @09:45PM

      by Anonymous Coward on Thursday January 18 2018, @09:45PM (#624417)

      Similar experience here, not a hacker or even much of a programmer. I have some Google Alerts set and every now and then my target appears in the website of a completely unrelated small business. It seems likely that someone has broken into the website (or database) and is using free storage for warez (or causing some other mayhem).

      I used to look for webmaster@ or abuse@ email addresses and send a polite note with a link to the weird page, suggesting they might want to clean up the mess and change their passwords. A few times I had a nice exchange with the webmaster but that was years ago. I don't bother anymore, it's gotten too hard to find contact info and since no one emails back there's nothing in it for me.

      Sad really, when no one is willing to listen to a good Samaritan.

  • (Score: 0) by Anonymous Coward on Friday January 19 2018, @06:56AM

    by Anonymous Coward on Friday January 19 2018, @06:56AM (#624602)

    Giant megacorps whose software is used by millions of people don't care about the security and privacy of their customers. They plainly ignore reports and sit on them and might even sue whoever told them that there is some problem. The only way that improves things is full disclosure. That way people become aware of the issue and there is pressure on the vendor to act to correct the situation, instead of just hoarding the vulnerability in some NSA database that makes us all more vulnerable.

    When you do full disclosure, do that responsibly, i.e. cover your tracks by using Tor. Otherwise you might get a visit from the nice FBI guys.
