— PROLOGUE —
JM:
There is a famous security researcher who goes by the nickname ‘The Grugq’ and there’s a famous picture of him. He’s a South African living in Thailand and there was this picture of him wearing, remember that shoe that covered your toes that was popular about eight years ago?
Kristen:
What were those, those like-
JM:
The toe shoes?
Yeah, they wrapped around each toe, they were supposed to be good for running or something.
Kristen:
They’re called Vibram FiveFingers. Thanks, Google.
JM:
So there’s this picture of him in Thailand, sitting in a bar with a bag of cash. Cash. Like in the movies? Like you see the duffel bag full of greenbacks, hundred dollar bills. That was him, the Grugq in Thailand wearing toe shoes, with a bag full of cash, selling zero-days to whatever oppressive government wanted to buy them.
Kristen:
The man being described, ‘The Grugq’, is a hacker….
But not just any hacker, no. He’s the most important person in the hacking pipeline: a hack BROKER…. His hacker friends find hacks, sell them to him, and then he sells them to the highest bidder.
On this week’s show, we’re talking cybersecurity. Sure, cybersecurity is about code and exploits, but it’s also about incentives.
Guys like this exist because their incentive to steal from you is greater than their incentive to keep you safe.
That’s why today we’re talking about bug bounties: gig economy platforms that give hackers an incentive to do the right thing, and give platforms and organizations an incentive to stop you from getting hacked.
— INTRO —
Hey- I’m Kristen Di Mercurio. Lately, so much of our work has gone online. So I’ve been thinking about freelancing, marketplaces and the future of work.
That’s what our new show, Geek Economy, will help you understand. We’ll also show you how the gig economy, moving forward, is going to change our lives and our culture.
I would say I know a thing or two about this industry. I’m a professional actress, singer, voice over artist, and I’ve been in my fair share of podcasts.
As an actress, I’ve had all kinds of survival jobs. I’ve worked for TaskRabbit, Postmates, event staffing, and temp agencies.
Basically, in my world, getting the next gig is the name of the game.
As more jobs go online, GEEK ECONOMY will help guide you through…. We’ll explore freelancing, marketplaces, and the future of work. We’ll also show you how the gig economy will change our lives and our culture.
Geek Economy is brought to you by Bunny Studio. Trusted by more than 50,000 companies every year, Bunny Studio helps businesses scale their creative needs with a vetted crowd of freelancers.
— ACT ONE —
Kristen:
One of our guests this week is a cybersecurity journalist and comedian based in New York. His name is JM Porup and he knows how important cybersecurity is…
JM:
There are millions of developers around the world building the digital infrastructure of the internet-enabled world in which we live, and that code is also unintentionally full of bugs. And some of those mistakes, those bugs, can be exploited as security flaws by bad people who want to do bad things. Maybe they’re crooks, maybe they’re spies, maybe they’re gangsters, maybe they’re, you know, an unhappy employee.
And what does software run today? Water purification plants, energy plants, you know, the telephone system, nine one one, triple zero in Australia. You know, the world is built on top of the internet now, and it’s full of bugs. Cars are computers on wheels and they are full of security holes, you know, that could kill people.
So this is a public safety issue, not just some sort of weird theoretical, oh, those ‘computer people’, you know. This is a public safety issue!
Kristen:
And that hack broker wearing Vibram FiveFingers in a bar in Thailand with a duffel bag full of cash? Since the world is such a small place now, you can’t get rid of him. You can only COMPETE with him. And that’s where a bug bounty program comes into it. You assemble a group of hackers, ask them to find bugs – VULNERABILITIES – in your software or website, and then pay them when they find information that’s helpful to you.
Big tech companies like Microsoft or Google run bug bounty programs… And in the last 10 years a bunch of companies have sprung up that will organize a bug bounty program for you and your company.
Rayna:
So a bug bounty is a continuous examination of security. That’s, you know, what it does. How it works is a different matter. So imagine you are a company or a public administration, that doesn’t really matter, and you plan to put, I don’t know, a connected fridge on the market, right?
Kristen:
Rayna Stamboliyska is the VP Governance & Public Affairs at YesWeHack. They’re the biggest bug bounty firm in Europe.
Rayna:
However, how do you ensure that, you know, your fridge that connects to the wifi will not get taken over by some malicious person? You know, guys are out there, we hear about them every day. So what you can do is come to us and say, look, guys, I’m having this super product that goes on the market.
We connect you with well-meaning hackers or ethical hackers that we basically call ‘hunters’, because they will hunt for vulnerabilities. And so the advantage of this, if you’re like pretty sure that your product is top notch, is that you can have thousands of actual hackers, or hunters, looking at your product.
What happens there is that on one side you will only pay for vulnerabilities that are within the scope that you have defined. Anything that is outside, well, thank you, but this wasn’t in the scope, right? And what the hunters do is basically identify what we call attack vectors, meaning ways of inflicting harm on your fridge or product or service. And whenever they submit a report, a vulnerability report that you accept as valid, they get paid.
Kristen:
So how do hackers feel about the bug bounty program? You’ll meet a hacker and find out for yourself, after the break…
Break:
Hey! If you’re liking what you hear and you have a minute, please subscribe, rate, and review on whatever app you’re using to listen. We are on Apple Podcasts, Spotify, Google Podcasts, Amazon, and more! This helps us get the word out to other people so they can learn a bit more about how important the Gig Economy is for everyone. Thanks for listening.
— ACT TWO —
Kristen:
What makes bug bounties exceptional? And why are they so much better than just hiring a security expert to work on your platform? Well, to find out, we talked to an actual hacker.
But first I want you to meet Jon… He started working on bug bounty projects a few years ago after his brother, who works as a professional security researcher, got him into it. We asked him what his favorite bug was that he’s found…
Jon:
But another one I found recently, I was happy about it because it was so simple. I found a website that just said, can you log in here, and enter your username and password.
So I took the URL of that website and I put it in Google, and the first answer from Google was a hacker forum, and inside the hacker forum was the username and password. So it had been there since 2019. And, yeah, as soon as I reported that, they took that website down. They just said, oh, forget it, we have to do some work on this.
Kristen:
And this is a perfect example, because if you were to hire a security researcher to find bugs in your code, this is something they might not find because of how stupidly simple it is.
Now, to be clear, Jon spends most of his time catching bugs which are a lot more difficult to find than that, but it does illustrate the point that bug bounty programs, and gig economy platforms in general, work because of one thing: incentives.
If you’re paying someone to work by the hour, they’re going to work by the hour. If you’re paying them to find bugs, they’re going to find bugs. Jon agrees.
Jon:
I’ve heard about a bug that required them to actually use their phone to order an Uber, get in the Uber, take the ride. And then after they got out of that, they exploited some kind of vulnerability. So they’re very complex, and people work really hard on bug bounties. But for penetration testing, like my brother, and I’ve done some work with him too, it’s more simple. It’s kind of just like you run a program to scan the website and it’ll tell you the very simple bugs, and then you take a look at it and you find some bugs. But since he’s already getting paid, he’s not going to break himself trying to find bugs; he knows he’s going to get money anyway, you know?
He doesn’t have to find such complex bugs. If he doesn’t find it, it doesn’t matter. You know, he just has to prove that he’s tested the website. But the bug bounty people, they have to find bugs. So they will work really hard. They will try very out-of-the-box thinking to find vulnerabilities.
I definitely think complex bugs will be found using bug bounties rather than penetration tests. Even the, uh, Department of Defense, you know, the US government, some of them use bug bounty programs.
Kristen:
But this is where we can run into a big problem. Yes, it’s an incentive structure where hackers are being paid to find bugs. And the bugs they find are important. But that doesn’t actually make the companies more secure. To actually be more secure, you need to FIX the problems hackers are telling you about.
Here is Jason, another bug bounty hacker.
Jason:
It’s common and it’s super annoying, and a lot of times you spend time. I know I do, as a researcher. I tell them, you know, this patch, this thing, this library. I try to get them to the solution as fast as I can.
Kristen:
I mean, it’s like picking and choosing how many locks on your door actually work, you know, right?
Jason:
Right. Yeah. And you should probably have a window next to it. That’s not broken.
Kristen:
JM says this is super common.
JM:
How many pen testers have told me, as a journalist: every year I go to the same client and I conduct a pen test, and I find the exact same holes I found last year, and they have changed nothing. Probably 80% of the pen testers I’ve ever spoken to have told me that story. It’s so frustrating. You know, so pen testing is important, and bug bounty is like crowdsourced pen testing in a way, but it’s still the icing on the cake.
Like, if you can’t fix the bugs you already know about, why are you asking for more? You know, fix your bugs, fix the bugs you already know about. What good does it do you to pay people to tell you you’ve got more bugs if you’re not dealing with the bugs you already know about? How is that making anyone more secure?
And it seems to me that misplaced incentives are the biggest problem in cybersecurity. The big picture thing I would leave your listeners with is that offensive cybersecurity is a technical problem and defensive cybersecurity is a political and economic problem.
Trying to defend in a situation where the attacker only has to be right once and I have to be right every single time, as you can imagine, is a very difficult and very expensive game.
And unless there are political and economic incentives to motivate people who make and deploy software to spend the extreme amounts of money and time required to achieve that goal.
— ACT THREE —
Kristen:
As JM is alluding to, cybersecurity isn’t just about stopping hackers. It’s about implementing tight defenses, effective guidelines for organizations and platforms, and meaningful action from our policymakers.
With cybersecurity, everyone is a stakeholder, so it’s everyone’s responsibility to take action, whether it’s using a password manager, running a bug bounty program, or passing bills about disclosing data breaches. Once again, we’re all in this together.
If there’s one thing bug bounties tell us, it’s that when it comes to the gig economy, incentives work. So it might be time to speak up, let your voice be heard, and send the message to policymakers, platforms, and organizations that our privacy is important. Rayna agrees.
Rayna:
That’s what we would hope to see in, like, 10 years: um, more harmonized, uh, you know, ways of holding vendors accountable for, you know, the products they put on the market and for what harm can come to end users. Uh, and those need special attention everywhere, not just in France, not just in Australia.
They need special attention all over the world, because people’s lives actually depend on it. Right.
So what we would like, and what we are, again, working on, is to have those vital services and infrastructures safer and more resilient, so that basically fewer lives are in danger. So let’s hope that 2030 will see us much less vulnerable and much less running after the bad guys who do harm to hospitals and health infrastructures during a worldwide pandemic.
— OUTRO —
Thanks for listening to Geek Economy: The show that helps you understand how the gig economy is going to change our lives and our culture.
Geek Economy is brought to you by Bunny Studio. Trusted by more than 50,000 companies every year, Bunny Studio helps businesses scale their creative needs with a vetted crowd of freelancers.
Find great video creators, voice over artists, designers, writers, and more at bunny studio dot com slash geek economy offer. The link is in the show notes.
If you liked this episode, please share this with someone that would find this of interest. And while you’re at it don’t forget to subscribe, rate, and review on whatever app you use to listen.
Enjoy the show? It’d mean the world to us if you follow the Podcast on Spotify, or your preferred app!
Credits
This episode was produced in collaboration with Bunny Studio and Pod Paste in Sydney, Australia.
- Executive Produced by Daren Lake
- Written and Produced by Aidan Molins
- Audio Production, Sound Design, and Engineering by Aemyn Connolly
- Podcast management by Michelle Le
- Supervising Editor – Mike Williams
- Assistant Storywriter – Charles Montano
You can check out all of our amazing guests online who helped make this episode great:
- J.M. Porup, cybersecurity journalist
- Jon Nichols, bug bounty hacker
- Jason Kent, hacker in residence at Cequence Security
- Rayna Stamboliyska, VP Governance & Public Affairs at YesWeHack