An Exchange with HackerOne

In a recent episode I rambled about a system that pays good guys for finding and reporting security holes in the software we rely on every day. Fired up with enthusiasm for the cause, I sent this message to HackerOne:

I appreciate what you are doing here, and would love if there were a tip jar where I could contribute to the rewards you give out for making the world a better place. Like Zaphod, I’m just a guy, you know? But I’d happily pitch a little bit each month to promote what you do here, and to support the people who actually make the Internet less unsecure.

I debated “insecure” versus “unsecure”, and went with “un” for reasons I don’t exactly recall. Beer may have been a factor.

I got a very nice letter back.

Thank you so much for reaching out to us with this feedback on what we are doing. We appreciate you taking the time to reach out to speak with us about what you think of the program and how you would like to participate it make HackerOne a success.

You are correct about us not having a tip jar, however, our community can support us by word of mouth let others know what we do and what our goal is and if you are a hacker or know any white hat hackers we encourage you all to use our platform and help us with making the internet safer.

We really do appreciate you reaching out and I am going to share your message with the rest of the company.

Best,
Shay | HackerOne Support

The missing word and tough-to-parse sentence make me think that this was a hand-typed response. I am happy to contribute to their word-of-mouth buzz. I do not fit the profile of the geek HackerOne is looking for, and I suspect no one who will ever read these words is pondering the question “How can I break things and still be a good guy?” But if that’s you, head to HackerOne.

On the other hand, if you own a commercial Web site and want to get a major security audit, consider posting a bounty at HackerOne. You’ll get some really skilled people trying to break in, only in this case they won’t rob you blind if they get in.


A Set of Facts That Might be an Opportunity for the Right Person

A simple, unordered (perhaps obfuscated-ordered) list:

  • I tried to read Feeding the Eels on this site from start to finish but I could not.
  • I am growing seriously tired of spending my weekends fiddling with code
  • At this time, I have only indirect influence on hiring php programmers at my company—I can recommend, but there are no openings in my group.
  • At this time
  • I know php upside-down and sideways
  • I have decided that this is a year for finishing things.
  • I like to teach
  • I seriously don’t want to dig into the guts of my WordPress theme to figure out why I can’t read all of Feeding the Eels
  • I write software for a living
  • There are a lot of punk kids out there who can dance with WordPress and php even though only grandads seriously think php is cool
  • Feeding the Eels has been dangling, almost-finished, for years.
  • I would never ask a kid to work for free

Maybe this is Why Americans Celebrate Cinco de Mayo

The Battle of Puebla occurred on May 5, 1862. It was an unexpected victory for about 4,000 Mexican soldiers facing about 8,000 well-equipped French troops. Although it was a stirring victory, the outclassed Mexicans were eventually overwhelmed, and the French installed a new government in Mexico a few months later.

So… let’s climb on the alternate history bus and wonder what would have happened if the French had won at Puebla. Without that crucial lift to morale and Mexican national pride, would the French have won more easily? Would Emperor Maximilian have been able to hold his seat more comfortably for a couple of years?

A couple of years is all it would have taken. The Americans were slaughtering each other in their own civil war. Given a little breathing room, an enterprising European colonial power might have found it worthwhile to aid the southern states, and in return have a friendlier partner on Mexico’s northern border.

But, in part emboldened by their success at Puebla, the Mexicans never let Maximilian get too comfortable in Mexico City. As the US Civil War drew to a close, with France dealing with Prussia back in Old Europe and the Mexican guerrilla warfare gaining intensity, Napoleon III bid adieu to Maximilian, and not long after that the emperor was executed.

Honestly, I don’t think for a minute that the French would ever have held Mexico with or without the Battle of Puebla. The colonization was a doomed endeavor from the start, and turned out to be a costly mistake for France.

So the Battle of Puebla may not have turned Mexican history that much. Maybe the Emperor would have lasted a couple more years, but that’s about it. That couple of years, though, may have been HUGELY significant to the United States.

So if you’re hoisting one tonight to celebrate Drinko-de-Mayo, stop for a minute and consider: about 4,000 hungry, ill-equipped Mexicans may have saved our nation. Now that’s something to celebrate.


The Best Friend You Didn’t Know You Had

I was reading the other day about how some hackers found a serious security flaw in php. php is a language used on Web servers to deliver content to your browsers; WordPress is written in php and thus every time you load a page here at MR&HI, code written in php is being run.

A LOT of the Web is written in php, so finding a security issue in that language is significant, but this episode is not so much about one particular flaw as it is about the constant battle between good and evil. This article gets technical fast, but there are a couple of important takeaways that you don’t need to be a geek to understand.

Pornhub offered $20,000 to anyone who could hack them, via the site HackerOne. This was a big enough incentive for a group of hackers to really go after them. They discovered one questionable practice by the programmers of that site, but it took a lot of long, hard work for them to turn that into an actual hack, digging through the source code of php itself until they managed to create an attack that could load and run code on the server.

Immediately they disclosed the vulnerability through responsible channels, earned their reward, and both Pornhub and the wardens of php moved to close the bug. Pornhub paid up the $20K, and HackerOne threw in a bonus.

An even shorter version: Pornhub paid some real dollars and made the Web safer for all of us.

You and I are fantastically lucky that there are people out there who will use their skills for a low-five-figure payoff, rather than exploiting that weakness for potentially millions. These are the white-hat hackers, incredibly skilled people who can write php-unserialize fuzzers to discover “unexpected” responses, but use their skills to make the world a better place.

Eventually these guys will have the hacking weapons that our own government lost control of, and when that happens, the Internet will become far more secure. In fact, if I were king of this country I’d give the good guys those tools right now. It can’t be only the Russians using that stuff. Worth noting: our government has discovered many security holes in the software that makes the world run, and they didn’t report those discoveries, leaving the holes wide open for them (and everyone else) to exploit. Our own government is not White Hat.

When you hear about a new terrible hole in security, remember: that’s when honest people found the hole. It’s geeks like Evonide that found it, and reported it. Often they chased that hole because some site like Pornhub gave them a reason to. So let’s stop and appreciate what the unsung good guys have done for us.
