Nearly every edition of the New York Times this week has featured a lengthy article about hacking or hackers. None of them do much for the cause of civic hacking for social good, like this excellent portrait of Hack Cleveland’s Fix 216. Rather, they emphasize how the fear and anxiety around hackers who are out to exploit problems, rather than solve them, can also incentivize positive market trends. Let’s explore:
Monday’s NYT article, Hacking, Responsibly, sounds as if it’s about civic hacking for social good. Instead, it’s about HackerOne, a startup that helps hackers make money by getting them bounties from the entities whose systems they’ve hacked. They swap money for information on the vulnerabilities the hacker uncovered. Here’s how it works (bolding added):
Mr. Prins and Mr. Abma started HackerOne with Merijn Terheggen, a Dutch entrepreneur living in Silicon Valley. The three met their fourth co-founder through the Hack 100 effort [in which they sought to and did in fact hack 100 high-tech companies] when they sent an email alerting Sheryl Sandberg, Facebook’s chief operating officer, of a vulnerability in Facebook’s systems. Ms. Sandberg didn’t just thank them, she printed out their message, handed it to Alex Rice, Facebook’s product security guru at the time, and told him to fix it. Mr. Rice invited the hackers to lunch, worked with them to fix the issue, paid them a $4,000 bounty and joined them a year later.
What’s the alternative to paying a bounty? The hacker puts the vulnerability on the black market or gets a t-shirt from the ones who’ve been hacked, according to the article. HackerOne believes swag doesn’t cut it anymore for hackers who’ve identified potentially costly security holes. And according to the article, corporations tend to agree.
Tech companies began rewarding hackers five years ago when Google started paying hackers $3,133.70 for bugs (31337 is hacker code for “elite”). Since then, Google has paid as much as $150,000 for a single bounty and doled out more than $4 million to hackers. Mr. Rice and Ms. Moussouris helped pioneer the bounty programs at Facebook and Microsoft.
Then, on Wednesday, the Times ran a story about how Goldman Sachs execs took three days before they’d take off their ties during a hackathon with the startup data analytics company Kensho. Why did they even bother with the upstart?
…there is a growing recognition across Wall Street that the old habit of ignoring the upstarts may be foolhardy in an era when many of the best young talents are going to Silicon Valley and not New York City.
“There’s a certain cultural moment now that is quite palpable,” Daniel J. Nadler, the 32-year-old chief executive of Kensho, said about the hackathon and the broader engagement with start-ups like his.
Then, today, data, open data and big data drive an entire section of the paper, Tipping Point in Transit, focused on technology in the transit world. My favorites are A Dialogue of Car and Highway, which highlights the Internet of Things as it applies to improving traffic (we’ve been arguing for the application of IoT to government and public infrastructure for a while now), and Traffic Hacking: Caution Light Is On, which highlights the security risks when you’ve got a smart city.
“Every day, cities incorporate a new ‘smart’ technology, without any testing,” [Cesar Cerrudo, an Argentine security researcher] said. “What they don’t realize is that they are putting citizens and businesses at risk. If that technology is not protected, people will suffer the consequences.”
To which I’d say, let’s get HackerOne to start a municipal division. Talk about spurring economic growth and jobs.