Who wants to be a hacking millionaire?


Who wants to be a hacking millionaire? For most technically competent folk starting on a cybersecurity career path, the pull of a million-dollar hacking payday is tempered by the threat of a lengthy spell in jail should they get caught. Or at least it is if your idea of a hacker is someone who breaks into stuff illegally. I call those people criminals, threat actors and, to be honest, pretty dumb. After all, there's plenty of money to be made uncovering vulnerabilities and generally making the data-driven world we live in a little bit safer, all without breaking the law.

Apple has offered $1 million (£820,000) to anyone who can hack the iOS kernel of an iPhone without requiring any clicks by the user. Exploit acquisition platform Zerodium, meanwhile, is offering $2 million (£1.6 million) to anyone who can pull off a "zero-click" remote jailbreak of an iPhone. In the meantime, six hackers on the HackerOne bug bounty platform have now made more than $1 million each. Here's how they did it.

The hacker-powered bug bounty platform HackerOne announced on August 29 that six hackers signed up to the platform have earned more than $1 million each. HackerOne operates as the conduit between nearly 1,500 organizations, including the likes of General Motors, Goldman Sachs, Google, Intel, Microsoft, Spotify, Starbucks, Twitter and even the U.S. Department of Defense, and the hackers who can find the vulnerabilities in their systems and services before malicious threat actors can exploit them. "HackerOne has half a million registered hackers, and 600 new people join every day," says Laurie Mercer, a security engineer at HackerOne, "and they have discovered over 130,000 vulnerabilities so far."

The idea of offering bounties for vulnerabilities is far from being a new one. Mercer reckons that the first bug bounty was launched some 30 years ago, when a reward of $1,000 (£820) was offered to anyone who could find flaws in the operating system that powered the Hubble telescope. Things have moved on somewhat since then, with HackerOne having paid out nearly $65 million (£53 million) in bounties to hackers from 150 different countries, according to Mercer. The single top reward paid so far, Mercer says, was $100,000 (£82,000), which is more than 200 times the value of the first bounty HackerOne paid back in 2013. HackerOne CEO Marten Mickos has predicted that by the end of 2020 "hackers will earn $100 million (£82 million)," and he hopes that HackerOne will have "1 million ethical hackers signed up."

If you need any more convincing that hacking can be a very profitable career path, you only have to look at Hacker Summer Camp this year. This is the name given to the week in August that sees both the Black Hat USA and DEF CON hacker conferences happening in Las Vegas. At the live "H1-702" hacking event, around 100 hackers got together for three days of vulnerability hunting; a total of $1.9 million (£1.5 million) was shared out between the hackers for finding more than 1,000 bugs. Attending the H1-702 event, unsurprisingly, were those six hacking millionaires.

Meet the six hacking millionaires

Santiago Lopez, just 19 and from Argentina, was the first of the HackerOne hackers to make a million dollars in bounties. Did he ever dream he could make that kind of money from hacking? "When I first got into hacking, I had no idea how much money could be made," Lopez admits. "I am incredibly proud to see that my work is recognized and valued." His route into hacking was inspired by watching the Hackers movie as a kid. In 2015 Lopez signed up with the HackerOne platform and realized he could make some money from his skills. "I am a completely self-taught hacker," Lopez says, "and learned through the internet, online tutorials and by reading books." His first bounty was just $50 (£40) in 2016, when he was 16. "It took me a long time to find my first vulnerability," Lopez recalls, "but with patience and effort it was achieved, and it was really worth it."

Mark Litchfield from the U.K. is a lot older than Lopez and is referred to by HackerOne as the industry veteran. "Before 1999, I was selling computers out of my own little shop on a Scottish high street," he says, adding: "it became apparent there was no money in selling computers, especially on the scale I was dealing at." Litchfield followed the example of his brother David, who was already working in the security space and who suggested that Mark pass a Windows NT4 Server course. "I did, then three days later ended up in London," Litchfield says, "and so began my career in security." David and Mark started an information security company together, focused heavily on uncovering as many security vulnerabilities as they could. When that company was acquired in 2000, the brothers waited a year and started another. That one was acquired after another eight years. In 2013, Litchfield became interested in penetration testing, and to supplement his income, "I thought I would try my hand at a bug bounty," he says. Litchfield has never looked back. "It's somewhat like a gauntlet being thrown down," he explains, "begging the question: can you break it? And I try to. A lot of the time I do."

Tommy DeVoss, a 35-year-old American, started his hacking career on the wrong side of the tracks. He was convicted in 2000 for stealing AOL accounts and using them to break into military computers. After his second spell in prison, and faced with the threat of a third term being life, DeVoss turned his life around by working in a straight IT job. When he discovered HackerOne he also found that it was possible to make more money than ever, all entirely legally. During the H1-702 event alone, DeVoss earned a staggering $130,000 (£106,500) in bounties.

Ron Chan, a 28-year-old Hong Kong national, has a passion for "big tech." Which is probably why he spends his time breaking into Airbnb, GitLab, PayPal and Uber. "Hacking can open doors to anyone with a laptop and curiosity about how to break things," Chan says. He hopes the achievements of the six millionaires will "encourage other hackers to test their skills, become part of our supportive community and make the internet a much safer place." And if those hackers get as good as Chan, they too might be able to earn $75,000 (£61,500) in a single month, as he did in July 2019.

Nathaniel Wakelam is a 24-year-old Australian, also known as Naffy. According to HackerOne he never stays in one place for longer than 30 days at a time, although he currently considers Thailand his home base. Having found his first bug while still in elementary school, he has gone on to uncover more than 700 vulnerabilities, which makes him one of the top three HackerOne hackers. When not hacking, traveling or partying, Naffy can be found contributing to the Hackers Helping Hackers charity, which mentors tech-savvy kids for a career in the world of the bug bounty hunter, or being instrumental in running Gravity, a security consultancy where he is chief information security officer.

Frans Rosen is Swedish, and hunts bugs as well as running his own very successful cybersecurity business. He's a believer in the notion of hacking for humanity, giving back to the community, and apparently pours his bug bounty rewards into charitable ventures.

The lure of ethical hacking

It may seem that these six hackers are the exception to the rule, and that the real money is being made by those who simply chase the biggest paydays with no regard for the law. However, that's not how HackerOne's Laurie Mercer sees it. "The incentive to sell bugs illegally is not worth it at all for serious security researchers," Mercer says. "The route to riches lies in having a public reputation so that you are invited to more and more interesting programs, to find more and more bugs, to do what you love and to make money whilst making the internet a safer place."

One thing is for sure: these six hackers are great role models for anyone thinking about how they can best monetize their hacking skills. "Security experts can now earn over 40 times the median salary of software engineers through bug hunting," Mercer concludes, "and thus a new profession has been born: one where hackers can be paid handsomely for helping to create a safer digital world, one bug at a time."
