Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT Technology

India's Ethical Hackers Rewarded Abroad, Ignored at Home (yahoo.com) 82

An anonymous reader shares an article: Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news -- he had hacked their website and could book flights anywhere in the world for free. It was a familiar tale for India's army of "ethical hackers," who earn millions protecting foreign corporations and global tech giants from cyber attacks but are largely ignored at home, their skills and altruism misunderstood or distrusted. India produces more ethical hackers -- those who break into computer networks to expose, rather than exploit, weaknesses -- than anywhere else in the world. The latest data from BugCrowd, a global hacking network, showed Indians raked in the most "bug bounties" -- rewards for red-flagging security loopholes. Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of 2016 than any other researchers. Indians outnumbered all other bug hunters on HackerOne, another registry of around 100,000 hackers. One anonymous Indian hacker -- "Geekboy" -- has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games. Most are young "techies" -- software engineers swelling the ranks of India's $154-billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cyber systems.
This discussion has been archived. No new comments can be posted.

India's Ethical Hackers Rewarded Abroad, Ignored at Home

Comments Filter:
  • by gweihir ( 88907 ) on Monday May 29, 2017 @06:05PM (#54507723)

    An "ethical hacker" will only break in if given permission, either directly or via a bug-bounty program. Anybody hacking without a mandate is either grey-hat (if they do inform the target and do not try to extort them) or outright black-hat. That companies do not react friendly to people hacking them _without_ a mandate is not a surprise, as that happens to be a criminal act.

    • no, I bet there are plenty of bumbling IT guys asleep at the switch that let the systems they are supposed to be on their toes competently managing their systems and are in desperate need of a wakeup call
    • by Anonymous Coward

      You're still talking criminal on a leash, no matter the brand of the perfume and the make-up you're adding.

      That is not what "hacking" once was about, to the point that adding "ethical" to it makes no sense at all. Even the hats mean that you (in)security types have hopelessly confuddled everyone including yourself, with the result that "hacker", "ethical" or otherwise, means exactly nothing these days. And it shows.

      S'kiddies, the lot of you.

      And yes, your stolen terminology, now entirely empty, is quite rela

      • by gweihir ( 88907 )

        I do know the traditional meaning. But sticking to a traditional meaning that is not used anymore by almost everybody just makes you sound like a prick that claims to be superior for knowing the "true meaning". I prefer to be able to communicate, even if language is alive and words lose their former meaning and get different ones. These days I do not even wince when somebody says "cyber", even is that is a newer development on my side.

      • by Megol ( 3135005 )

        So what was hacking once about? Horse riding? No, of course not. Being a hack? Nah. Doing something clever? Perhaps. Doing a thing that is clever, never breaking laws, rules or entering a grey-zone while doing that thing? Have _never_ been. Ditto but not disturb, destroy or cause problems? Perhaps but even that is doubtful.

        Being a script-kiddie implies not needing to know how to do the work instead relying on pre-packaged tools (but even that can require skills) however someone that circumvent security in o

    • Re: (Score:2, Interesting)

      by XparXnoiaX ( 4714613 )
      ethical and illegal are two very different things. An ethical person will do illegal things, if they are the right thing (like Snowden. Super illegal). Don't let the illegality of it confuse you. What they are doing is dangerous, but finding mistakes and letting the world know is the ethical thing to do.

      The unethical ones in this situation are the companies who released their code without a security review. Those managers didn't give the programmers (or QA) extra time in the sprint to test for security b
      • by Bert64 ( 520050 )

        Capitalism is inherently unethical...
        Why would these companies perform a security review (which costs money and reduces profit) unless they are forced to?
        Clients don't demand it, laws don't mandate it, its just a cost with no benefit. It's much cheaper to threaten anyone who finds and exploits the holes, as the enforcement of those threats will be carried out by the police who aren't on your payrole.

        • by gweihir ( 88907 )

          Why would these companies perform a security review (which costs money and reduces profit) unless they are forced to?

          Long-term economic survival. The problem is mostly not that these companies are profit-oriented, the problem is the incredible short-term focus used so often today. And, of course, the problem is people (like the typical CEO) only looking out for their own economic well-being but have zero loyalty to the company they are supposed to be serving.

        • It's unethical to trade goods and services? What is ethical to you? Where you work for your lord and master (excuse me - well, meaning government servant) and the lords of the manner get to dole out what they think is good for you.

          Nah man. I'll keep my unethical capitalism.
      • by gweihir ( 88907 )

        You miss the point. "Ethical hacker" is a term with a defined meaning. It is not a "hacker" that simply behaves "ethical". A synonym for "ethical hacker" is "white hat hacker" and that does not involve hats of a white color either.

        That said, I do agree that "legal" and "ethical" are often only loosely connected and sometimes they are not connected at all. The latter does not even need a totalitarian state where the law is mostly or only a tool for oppression. People that mistake "legal" for "ethical" do not

    • by Anonymous Coward

      Anybody hacking without a mandate is either grey-hat (if they do inform the target and do not try to extort them) or outright black-hat.

      These are Indians. They're diaper hats.

  • Even if bug bounties values sound impressive, if you start thinking about it as salary it often isn't worth it for developers in the west to work on. You can spend a lot of time to maybe find a vulnerability which has a variable pay-out depending on the severity and someone else might submit first leaving you with nothing. Sorry but no thanks.
  • Contradictory news (Score:3, Informative)

    by manu0601 ( 2221348 ) on Monday May 29, 2017 @06:45PM (#54507859)
    This is puzzling. One day we are told 95% of indian engineers cannot code [gadgetsnow.com], and the other day India has huge number of highly skilled hackers.
    • Those are two different skills, you know. Programmers construct software. Hackers look for ways to break software.

    • Statistical fallacy (Score:5, Interesting)

      by SeattleLawGuy ( 4561077 ) on Monday May 29, 2017 @07:50PM (#54508075)

      This is puzzling. One day we are told 95% of indian engineers cannot code [gadgetsnow.com], and the other day India has huge number of highly skilled hackers.

      There is a Supreme Court Case where the court said traffic stops must be dangerous because a large number of police officers are injured every year while performing traffic stops. But the logic is bad. Without knowing how many total traffic stops there are you cannot really look at the risk of performing one.

      Similarly, even if 95% of engineers cannot code, they can still have more good engineers if there are enough of them--or can have more decent engineers working on this particular set of problems.

      It's also worth pointing out that (1) there are a lot of great Indian engineers who are not in India, (2) the 95% number you are pointing to was done by a company with an incentive to skew it one way, and (3) the people finding the bugs may not be a great match for the ideal job candidate but still have basic hacking skills.

    • India has a large population. 5% of a large number is still a large number.

      What's happening in India right now is what happens when you push everyone into IT or to be a programmer. (Just like the skilled trade shortage in the US is what happens when you push everyone to college for 'anything').

      For 90% of my tasks that my company wants to outsource to India I would rather just have a high school student with some Python classes. At least with the high school student I can occasionally look over their shoulde

    • by Sabriel ( 134364 )

      Five percent of a sufficiently large group can still be a huge number. As of 2012, the Indian IT sector was estimated to directly employ 2.8 million people and indirectly employ another 8.9 million, and the country itself to have a population of 1.264 _billion_ people with an unemployment rate of 5.20 percent. That's potentially a LOT of hackers looking for work...

    • by CODiNE ( 27417 )

      I know some bug bounty guys are making a good living off these programs. The majority however do not. Not everyone can spend days digging around hoping to get paid for something. It's unsurprising that a country with a much lower cost of living has a lot of guys willing to do this.

    • by AmiMoJo ( 196126 )

      That was just some racist clickbait designed to cash in on the current rage against Indian H1B workers and offshoring.

      • This may be true, but I find the "racist" adjective disturbing. It suggests it would be unethical to study workers performance by nation in a given field: is it racist to publish bad numbers?
        • by AmiMoJo ( 196126 )

          I'm British and don't want to be lumped in with all the other British people. I want to be evaluated as an individual. The last thing I want is for an employer to say "British people are on the whole dumb, their universities are mostly crap, therefore I'm not going to consider any British people or at least subject them to much harsher testing first".

          • I understand your concern, but if I push your logic, employers should not even look at diplomas, and have exams for applicants. Some companies do that.
    • by zifn4b ( 1040588 )

      This is puzzling. One day we are told 95% of indian engineers cannot code [gadgetsnow.com], and the other day India has huge number of highly skilled hackers.

      They are actually not highly skilled. They are slightly elevated from "script kiddies". It's just that the rest of us are too stupid to take security seriously. Who is more foolish? The fool or the fool that follows him?

  • I ask because just last month, Slashdot ran a story that 95% Engineers in India Unfit For Software Development Jobs... [slashdot.org]

    I am personally proud of India. Didn't they launch some rocket to Mars at a much lesser cost as compared to the US recently?

  • "uniquely gifted" (Score:5, Insightful)

    by 110010001000 ( 697113 ) on Monday May 29, 2017 @07:00PM (#54507917) Homepage Journal
    There is no unique gift to becoming a cracker (these aren't "hackers"). It is just a willingness to perpetuate destructive behavior. It is very easy to crack software and systems, I use to do it all the time. It is much harder to create.
    • by Anonymous Coward

      If creation is easier, why do security people get paid more?

      There is no unique gift to becoming a cracker (these aren't "hackers"). It is just a willingness to perpetuate destructive behavior.

      Ahh, 20 years out-of-touch with the industry and can't tell the difference between DoS and, well, everything else.

      • by Cederic ( 9623 )

        If creation is easier

        Erm. 110010001000 stated that it's "much harder to create."

        So your if clause returns false and we ignore the rest of your query.

  • kudos to India's ethical hackers, and all ethical hackers around the world
  • by gurps_npc ( 621217 ) on Monday May 29, 2017 @07:22PM (#54507987) Homepage

    If they were rewarded, they would end up with jobs. If they had jobs, they would not have enough time to do all of that hacking.

    Their are only two ways you get hackers of this high quality:

    1) They are not rewarded.
    2) Their motivations outweigh their greed. Talking about religious extremism quality motivation.

  • amazing, companies don't thank criminals for criminal acts, will wonders never cease. FYI they are NOT ethical hackers when hacking a site without permission.
  • And We still say it's AChe Din!!
  • Stupid, potentially sensitive question: How many of the vulnerabilities, do you think (if it can be ascertained) came from companies who outsourced their work to India-based companies?

  • 1. Get a job with an outsourcing firm

    2. Work on IT project for major international company

    3. Purposefully introduce bugs into the software

    4. Report (or have a friend report) said bugs

    5. Profit!

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...