Ethical 'white hat' hackers play vital security role

Byron Acohido | USA TODAY

Caption: Ethical hackers reward one of their own. BeyondTrust researcher Marc Maiffret kick-started a $13,000 crowd-sourced reward to Khalil Shreateh, who hacked Mark Zuckerberg's Facebook page to make a point.

SEATTLE — Known as "white hats," ethical hackers are the indispensable ground troops in the back-and-forth battle to make the Internet safer.

White hats devote countless hours and intense brain power to discovering security holes in popular apps and platforms. By flushing these bugs out into public light, they compel the good guys to fix the flaws before the bad guys can find them and take advantage.

Microsoft and Facebook last week announced they will begin paying bounties to ethical hackers for discovering vulnerabilities, not just in their own products, but in software systems that make up the Internet infrastructure, as well.

This quiet endorsement is a huge step forward. "A lot of hidden bugs survive in very important code," says Dan Kaminsky, co-founder and chief scientist at fraud-prevention company White Ops. Incentivizing white hats to scrutinize infrastructure code "is a game changer for protecting users," he says.

Back in 2008, Kaminsky made a name for himself by discovering and disclosing a massive security hole in the way some Internet Service Providers handled mistyped website names. The hole was quickly patched, cutting off what might have been a huge new avenue for cyberscammers to more easily distribute malicious code.

White hats have steadily gained mainstream acceptance. Google and Facebook have spent millions the past few years paying hackers "bug bounties" to point out fresh flaws, known as zero-day vulnerabilities, in their respective products. Even Microsoft, long opposed to paying bounties, began paying such bounties earlier this year.

Now Microsoft and Facebook will support a panel of experts assigned to issue awards of $5,000 or even more to hackers who flush out serious vulnerabilities in the system of development tools and Web server operating systems that make up the Internet.

That move follows an extraordinary development that highlights the independent, altruistic mindset of the hacking community.

It unfolded after Khalil Shreateh, a self-taught coder from a tiny village in Palestine, discovered a major Facebook security flaw that enables anyone to post anything on anyone else's wall.

Facebook's security team disputed his findings. So Shreateh posted a notice on Facebook CEO Mark Zuckerberg's wall to validate his discovery. Still, the company refused to pay him a bounty.

"I felt frustrated to find a big glitch in a website like Facebook, and all the replies said it was not a bug," Shreateh told CyberTruth, adding that his big concern was the "negative effect on any hacker or security researcher."

Facebook security team member Matt Jones said in a Hacker News chat session that Shreateh wasn't explicit in his initial report, and that demonstrating the bug by hacking Zuckerberg's account wasn't acceptable. Facebook promptly fixed the bug.

The episode caught the attention of pioneering white hat hacker Marc Maiffret, who discovered the infamous Code Red vulnerability that plagued Microsoft Windows users in the mid-2000s.

Maiffret, now CTO at security firm BeyondTrust, put up $3,000 of his own cash to kick-start a $10,000 bounty for Shreateh. He eventually raised $13,000, mostly in small contributions from individuals, which he personally delivered to the young hacker.

"I really wanted to make a statement for the larger community, that we need to take care of researchers like this to make sure they continue to want to report things like this to companies like Facebook," Maiffret says. "Otherwise, it's going to end up in the underground being used to break into companies."

Shreateh, who comes from a town where electricity outages are common, told CyberTruth he plans to continue hacking — for the good guys.

"I would like to get a good job to have a good life," says Shreateh, adding that he is grateful to Maiffret and all who donated. "We can make the world secure and a safe place to live beside each other, with love."