India's Ethical Hackers Rewarded Abroad, Ignored at Home (yahoo.com)

An anonymous reader shares an article: Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news -- he had hacked their website and could book flights anywhere in the world for free. It was a familiar tale for India's army of "ethical hackers," who earn millions protecting foreign corporations and global tech giants from cyber attacks but are largely ignored at home, their skills and altruism misunderstood or distrusted. India produces more ethical hackers -- those who break into computer networks to expose, rather than exploit, weaknesses -- than anywhere else in the world. The latest data from BugCrowd, a global hacking network, showed Indians raked in the most "bug bounties" -- rewards for red-flagging security loopholes. Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of 2016 than any other researchers. Indians outnumbered all other bug hunters on HackerOne, another registry of around 100,000 hackers. One anonymous Indian hacker -- "Geekboy" -- has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games. Most are young "techies" -- software engineers swelling the ranks of India's $154-billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cyber systems.
  • by gweihir ( 88907 ) on Monday May 29, 2017 @07:05PM (#54507723)

    An "ethical hacker" will only break in if given permission, either directly or via a bug-bounty program. Anybody hacking without a mandate is either grey-hat (if they do inform the target and do not try to extort them) or outright black-hat. That companies do not react in a friendly manner to people hacking them _without_ a mandate is not a surprise, as that happens to be a criminal act.

    • No, I bet there are plenty of bumbling IT guys asleep at the switch who are supposed to be on their toes competently managing their systems, and are in desperate need of a wakeup call
    • by Anonymous Coward

      You're still talking criminal on a leash, no matter the brand of the perfume and the make-up you're adding.

      That is not what "hacking" once was about, to the point that adding "ethical" to it makes no sense at all. Even the hats mean that you (in)security types have hopelessly confuddled everyone including yourself, with the result that "hacker", "ethical" or otherwise, means exactly nothing these days. And it shows.

      S'kiddies, the lot of you.

      And yes, your stolen terminology, now entirely empty, is quite rela

      • by gweihir ( 88907 )

        I do know the traditional meaning. But sticking to a traditional meaning that is not used anymore by almost everybody just makes you sound like a prick that claims to be superior for knowing the "true meaning". I prefer to be able to communicate, even if language is alive and words lose their former meaning and get different ones. These days I do not even wince when somebody says "cyber", even if that is a newer development on my side.

      • by Megol ( 3135005 )

        So what was hacking once about? Horse riding? No, of course not. Being a hack? Nah. Doing something clever? Perhaps. Doing a thing that is clever, never breaking laws, rules or entering a grey-zone while doing that thing? Has _never_ been. Ditto but not disturbing, destroying or causing problems? Perhaps, but even that is doubtful.

        Being a script-kiddie implies not needing to know how to do the work, instead relying on pre-packaged tools (but even that can require skills); however, someone that circumvents security in o

    • Re: (Score:2, Interesting)

      by XparXnoiaX ( 4714613 )
      Ethical and illegal are two very different things. An ethical person will do illegal things, if they are the right thing (like Snowden. Super illegal). Don't let the illegality of it confuse you. What they are doing is dangerous, but finding mistakes and letting the world know is the ethical thing to do.

      The unethical ones in this situation are the companies who released their code without a security review. Those managers didn't give the programmers (or QA) extra time in the sprint to test for security b
      • by Bert64 ( 520050 )

        Capitalism is inherently unethical...
        Why would these companies perform a security review (which costs money and reduces profit) unless they are forced to?
        Clients don't demand it, laws don't mandate it, it's just a cost with no benefit. It's much cheaper to threaten anyone who finds and exploits the holes, as the enforcement of those threats will be carried out by the police who aren't on your payroll.

        • by gweihir ( 88907 )

          Why would these companies perform a security review (which costs money and reduces profit) unless they are forced to?

          Long-term economic survival. The problem is mostly not that these companies are profit-oriented, the problem is the incredible short-term focus used so often today. And, of course, the problem is people (like the typical CEO) who only look out for their own economic well-being but have zero loyalty to the company they are supposed to be serving.

        • It's unethical to trade goods and services? What is ethical to you? Where you work for your lord and master (excuse me - well, meaning government servant) and the lords of the manor get to dole out what they think is good for you.

          Nah man. I'll keep my unethical capitalism.
      • by gweihir ( 88907 )

        You miss the point. "Ethical hacker" is a term with a defined meaning. It is not a "hacker" that simply behaves "ethically". A synonym for "ethical hacker" is "white hat hacker" and that does not involve hats of a white color either.

        That said, I do agree that "legal" and "ethical" are often only loosely connected and sometimes they are not connected at all. The latter does not even need a totalitarian state where the law is mostly or only a tool for oppression. People that mistake "legal" for "ethical" do not

    • by Anonymous Coward

      Anybody hacking without a mandate is either grey-hat (if they do inform the target and do not try to extort them) or outright black-hat.

      These are Indians. They're diaper hats.

  • Even if bug bounty values sound impressive, if you start thinking about it as salary it often isn't worth it for developers in the West to work on. You can spend a lot of time to maybe find a vulnerability which has a variable pay-out depending on the severity, and someone else might submit first, leaving you with nothing. Sorry, but no thanks.
  • Contradictory news (Score:3, Informative)

    by manu0601 ( 2221348 ) on Monday May 29, 2017 @07:45PM (#54507859)
    This is puzzling. One day we are told 95% of Indian engineers cannot code [gadgetsnow.com], and the other day India has a huge number of highly skilled hackers.
    • Those are two different skills, you know. Programmers construct software. Hackers look for ways to break software.

    • Statistical fallacy (Score:5, Interesting)

      by SeattleLawGuy ( 4561077 ) on Monday May 29, 2017 @08:50PM (#54508075)

      This is puzzling. One day we are told 95% of Indian engineers cannot code [gadgetsnow.com], and the other day India has a huge number of highly skilled hackers.

      There is a Supreme Court Case where the court said traffic stops must be dangerous because a large number of police officers are injured every year while performing traffic stops. But the logic is bad. Without knowing how many total traffic stops there are you cannot really look at the risk of performing one.

      Similarly, even if 95% of engineers cannot code, they can still have more good engineers if there are enough of them--or can have more decent engineers working on this particular set of problems.

      It's also worth pointing out that (1) there are a lot of great Indian engineers who are not in India, (2) the 95% number you are pointing to was done by a company with an incentive to skew it one way, and (3) the people finding the bugs may not be a great match for the ideal job candidate but still have basic hacking skills.

    • India has a large population. 5% of a large number is still a large number.

      What's happening in India right now is what happens when you push everyone into IT or to be a programmer. (Just like the skilled trade shortage in the US is what happens when you push everyone to college for 'anything').

      For 90% of my tasks that my company wants to outsource to India I would rather just have a high school student with some Python classes. At least with the high school student I can occasionally look over their shoulde

    • by Sabriel ( 134364 )

      Five percent of a sufficiently large group can still be a huge number. As of 2012, the Indian IT sector was estimated to directly employ 2.8 million people and indirectly employ another 8.9 million, and the country itself to have a population of 1.264 _billion_ people with an unemployment rate of 5.20 percent. That's potentially a LOT of hackers looking for work...

    • by CODiNE ( 27417 )

      I know some bug bounty guys are making a good living off these programs. The majority however do not. Not everyone can spend days digging around hoping to get paid for something. It's unsurprising that a country with a much lower cost of living has a lot of guys willing to do this.

    • by AmiMoJo ( 196126 )

      That was just some racist clickbait designed to cash in on the current rage against Indian H1B workers and offshoring.

      • This may be true, but I find the "racist" adjective disturbing. It suggests it would be unethical to study workers' performance by nation in a given field: is it racist to publish bad numbers?
        • by AmiMoJo ( 196126 )

          I'm British and don't want to be lumped in with all the other British people. I want to be evaluated as an individual. The last thing I want is for an employer to say "British people are on the whole dumb, their universities are mostly crap, therefore I'm not going to consider any British people or at least subject them to much harsher testing first".

          • I understand your concern, but if I push your logic, employers should not even look at diplomas, and have exams for applicants. Some companies do that.
    • by zifn4b ( 1040588 )

      This is puzzling. One day we are told 95% of Indian engineers cannot code [gadgetsnow.com], and the other day India has a huge number of highly skilled hackers.

      They are actually not highly skilled. They are slightly elevated from "script kiddies". It's just that the rest of us are too stupid to take security seriously. Who is more foolish? The fool or the fool that follows him?

  • I ask because just last month, Slashdot ran a story that 95% Engineers in India Unfit For Software Development Jobs... [slashdot.org]

    I am personally proud of India. Didn't they launch some rocket to Mars at a much lower cost compared to the US recently?

  • "uniquely gifted" (Score:5, Insightful)

    by 110010001000 ( 697113 ) on Monday May 29, 2017 @08:00PM (#54507917) Homepage Journal
    There is no unique gift to becoming a cracker (these aren't "hackers"). It is just a willingness to perpetuate destructive behavior. It is very easy to crack software and systems; I used to do it all the time. It is much harder to create.
    • by Anonymous Coward

      If creation is easier, why do security people get paid more?

      There is no unique gift to becoming a cracker (these aren't "hackers"). It is just a willingness to perpetuate destructive behavior.

      Ahh, 20 years out-of-touch with the industry and can't tell the difference between DoS and, well, everything else.

      • by Cederic ( 9623 )

        If creation is easier

        Erm. 110010001000 stated that it's "much harder to create."

        So your if clause returns false and we ignore the rest of your query.

  • kudos to India's ethical hackers, and all ethical hackers around the world
  • by gurps_npc ( 621217 ) on Monday May 29, 2017 @08:22PM (#54507987) Homepage

    If they were rewarded, they would end up with jobs. If they had jobs, they would not have enough time to do all of that hacking.

    There are only two ways you get hackers of this high quality:

    1) They are not rewarded.
    2) Their motivations outweigh their greed. Talking about religious extremism quality motivation.

  • amazing, companies don't thank criminals for criminal acts, will wonders never cease. FYI they are NOT ethical hackers when hacking a site without permission.
  • And we still say it's AChe Din!!
  • Stupid, potentially sensitive question: How many of the vulnerabilities, do you think (if it can be ascertained) came from companies who outsourced their work to India-based companies?

  • 1. Get a job with an outsourcing firm

    2. Work on IT project for major international company

    3. Purposefully introduce bugs into the software

    4. Report (or have a friend report) said bugs

    5. Profit!
