Open source veteran Mickos now gives bounties to hackers for identifying and helping fix security vulnerabilities.
The following transcript has been lightly edited and condensed for ease of reading.
Dan Costa: All right, Marten, thanks for coming today. I think maybe the place to start—this is a fairly technical audience, but let’s explain what bug bounties are, how they work, and how much money can be made on a single bounty.
Marten Mickos: Yes. Well, let’s start from the bad news. Nobody wants to get hacked and everybody gets hacked. Every consumer, every company, everybody gets hacked. But now, fortunately there are people who are fixing it, whether we ask them to or not. We are asking them to do it, but they’ll do it anyhow. It’s the young generation, they are fixing it for all of us, because we are incapable, we bury our heads in the sand, we don’t know the crap we have created for the future generations. But they will fix it.
And bug bounty is based on the idea that if you have a web app or a mobile application, then if good guys can break in, then probably bad guys can too. And if good guys cannot break in, then probably bad guys can’t either. So let’s ask the good guys to try to break in. If they break in, you can fix it, and all is good. If they cannot break in, all is good. So that’s our business. We have today 400,000 freelance hackers, security experts, researchers, whatever you call them, finders who look for software vulnerabilities in all your websites and mobile apps and report them to the companies. And then when they find something, we pay them a bounty.
Costa: So, and it’s almost—you’ve set up HackerOne to be, like, hacking as a service. So you can see all the vulnerabilities, your freelance hacker staff can log in, look for things they’re good at diagnosing and good at solving, and sort of pick jobs off the company. How do you find those hackers? How do you vet them?
Mickos: Well, it is hacking as a service, but everybody could do it themselves. You can have a neighborhood watch just with your neighbors, you don’t need a company to orchestrate it. It’s much easier with us, but you could do it yourselves. The wonderful thing is, we do not recruit hackers. It’s a little bit like NSA or MI6 in the U.K. They don’t have any job adverts, people just know how to sign up.
Costa: So let’s talk about Santiago Lopez.
Mickos: Yes. Try to Hack.
Costa: Yep. We covered him on PCMag a couple of months ago—the story blew up, an amazing story. Tell us about him.
Mickos: Yes, so we have 400,000 hackers. They are all amazing, but of course, some of them are more amazing than others, and the first one to earn $1 million on our platform was Try to Hack, or Santiago Lopez. He lives in Buenos Aires. He is all of 19 years old. What did you do when you were 19?
This guy has learned in a few years to break into every possible software system that all these amazing companies in the U.S. have built, and the DOD, and the Army, and the Air Force, and Goldman Sachs—whatever you have, he can break into them, and he is 19. And fortunately, he’s a good guy. Fortunately, we pay him money when he finds something, and he made a million. And he wants to start a business.
Costa: I’ve got the number here: 1,670 security flaws in products and services from Verizon, Twitter, WordPress, and government offices.
Mickos: Yes, there are more, but some of our programs are secret, so we can’t give out the names.
Costa: So he’s made $1 million. Obviously, he’s got great prospects. How much does the average hacker make? Is it a way they can sustain themselves? It is a hobby they do at night?
Mickos: This is a mathematical question, because now I must respond by saying, it’s a power-law distributed set. It is like Hollywood or like a sports league. Everybody will play basketball after school, not everybody will get to the NBA. So it’s a very, very sharp pyramid, where at the top you make amazing money, at the bottom you make nothing, and in the middle you make a modest amount. But typically, these people—half of them are 24 or younger. Typically, they’re students, so they pay off some of their student debt or their living expenses by hacking on the weekends. Or if they are professional, they may be a security engineer at a very prestigious company, and then in the evenings and weekends, they do this extra work to find vulnerabilities.
Costa: So why can’t—these are big, successful companies with security staffs and developers on staff. Why can’t they do this for themselves? Why do they need an outside company to do penetration testing?
Mickos: DOD is a great example. They came to us three years ago and said, “Could you run a program called ‘Hack the Pentagon?’ We have unlimited budget, we have unlimited skills, we have the strongest weapons in the world, but we cannot find our security flaws.” And it has to do with the fact that software can be wrong in so many ways that nobody can hire all the people to find it. Except us, because we have 400,000 of them. But even DOD can’t hire 400,000 security people. But we have them, and we deploy them such that it’s the right skill for the right problem, and then we can all share. And it is the only way to deal with the cyber risk, because it’s an asymmetric threat. Those who do harm are very few, and they cause big damage to all of us. And the only way to defend ourselves is pooled defense, to bring all our defenses together and share the knowledge. And that’s what we do, essentially. So Santiago will use his same skill on tens of different companies. If one of them hired him, all the rest would lose his input.
Costa: There’s also something, that you’re tapping into a global workforce, a global distributed workforce in a way that a lot of companies don’t. And that’s something that I think gives HackerOne a lot of unique value.
Mickos: Yeah. It has been done before: it’s called open source software. It works. It is superior to all other software methods. And we are doing the same with security. And this is the sorry state of security. The world is spending $100 billion or $120 billion a year on cybersecurity, and those are defensive mechanisms where they’re trying to defend the perimeter and build stronger walls. Walls don’t work in a connected society. You have to build security in a different way, and that’s how this mechanism is so much more powerful than anything that has been invented before.
Costa: So how do you vet the hackers? Because obviously, when they’re applying for a job or trying to take work from HackerOne, they’re a white hat hacker. How do you know that they’re not going to, then, on the weekend, put on the black hat and use their knowledge and their expertise against those same companies?
Mickos: The press always asks about the sinister side of everything. But let me start by saying, there are 1,000 times more good people than bad people in the world, so to start with, there are very few criminals—very, very few. Second, we treat them so poorly, so they don’t sign up.
Costa: Paperwork is how you’re vetting—
Mickos: It’s a joke. But if you sign up with HackerOne, you get no particular benefit, no special access, no special tools. The only thing you can do is do good. So even if a criminal were to sign up, the only way to make progress in our system is to deliver a vulnerability report to the owner of the system. And at that point, the criminal has become a noncriminal. So the only way to operate in our system is to be a good guy. A little bit like if you are a firefighter. Like, how do you know that firefighters are not pyromaniacs? Because who would go through all that training and that gruesome work?
Like, it’s much easier to just be a pyromaniac. So therefore we don’t get them into the system. But we do of course vet them. We track them, we know from what IP address they’ve signed up, we have their tax information when we pay them money, we do background checks. When we did Hack the Pentagon, the Pentagon said it has to be U.S. citizens and lawful—law-abiding citizens who pay their taxes, so we checked all of that for them. So we can do that. At the top of our pyramid, we have the most vetted, secure, special agent-like hackers who can hack anything you need.
Costa: So where do you see the security threats coming from? Is it broken software that just hasn’t been patched that has inherent vulnerabilities, is it malware and outside attacks, is it nation states that are just doing—you know, trying to do intellectual property theft? Where do you see the biggest threats coming from?
Mickos: It’s much worse. It’s you and me. The problem is not a tech problem, it’s a human problem. Human beings are not disciplined, they’re gullible, and they don’t like to admit their vulnerabilities. Those are the problems.
Costa: So give me specifics. What do most consumers do wrong that leaves them open to attack?
Mickos: I’m of the belief that we must—it’s upon us to build a society where consumers can be really stupid and sloppy. And sure, it’s great if they are not, but we cannot request or require them to be cybersecurity experts. That would not be a humane society. So we must build society such that a regular citizen doesn’t have to know much. But at the same time, we have learned in hospital hygiene—everybody knows, when you go to the hospital, you have to clean your hands. And we all do it, every time. And we need similar practices in cybersecurity. Or aviation—aircraft used to drop from the sky all the time. They don’t do it anymore. And it’s only because we have pooled defense and airlines share all the security, safety information with each other blamelessly and look for the root cause. So all we have to do in software is grow up and do the same, but we didn’t. And I know, because I was there developing all that software that doesn’t work today, so I’m sort of—I’m on the accused bench as much as I’m repenting for my sins.
Costa: Let me ask you a question we get all the time at PCMag. There’s a lot of stories out there about tech companies and nation states that are invested in tech companies that are building products that shouldn’t be trusted. Kaspersky—every couple of years, people question Kaspersky security software because they’re a Russian company and they’ve got ties to the Russian government. Huawei’s hardware and 5G infrastructure, the U.S. doesn’t want to buy it because it doesn’t trust it, and now the U.K. may do the same thing. How do you see those vulnerabilities? Are those real vulnerabilities or is that just companies trying to get a competitive advantage?
Mickos: Now you’ll get the second opposition from me today: don’t blame it on other countries. There are so many criminals in the U.S., we have enough cyber problems in the U.S. even without any Russian, Chinese, Korean things. So sure, maybe there are some threats there, but that’s not the issue. The issue is that criminality does exist, and it takes just a small group to cause a lot of damage. And then there’s geopolitics, so if the U.S. will ban some Chinese company, then China will ban some American company. If you want to stay away from it, you can. It is not the essence of cybersecurity. The essence of cybersecurity is sharing information, collaborating, being disciplined, and managing to be blameless, although we need to hold each other accountable. And it is doable, but it’s difficult. And they do that in aviation—like, they never blame anybody, but they do hold each other accountable. That’s the key to cybersecurity as well.
Costa: Do you think there needs to be more oversight and cooperation among companies to sort of create those baselines and create that security infrastructure?
Mickos: Absolutely. And I think Capitol Hill is already taking action. NIST has a cybersecurity framework which is excellent, the U.K. has a similar one. DOJ is recommending hacker-powered security to everybody. DOD is doing it, DHS is doing it. So you’re seeing the government now taking action even before corporate America. It’s a very healthy sign. But of course, it’s a big ship, and we have a lot of problems. So even if I claim that cybersecurity is heading in the right direction, we will have even worse problems before we see the fruits of all those efforts.
Costa: Is there anything that you do personally that you would recommend other consumers do in order to make themselves safer on a day-to-day basis?
Mickos: I’ve become very disciplined with my passwords. I don’t use the same password twice, I don’t use any names of pets or anything like that, and I really confuse myself with my own passwords.
Costa: Do you use a password filling service like FastPass?
Mickos: Yeah, I do, but for some I don’t. My colleagues say I should just use a service, and there I’m a little bit more conservative, myself, so I’m thinking yes, but not for my banking accounts. There I will have these amazing long texts that look like complete gibberish, and I hope they are gibberish.
Costa: It’s nice that you can use song lyrics and just use the first letters, that’s a good technique.
Mickos: Yeah, but too many people like songs. Be very unique, find something nobody else cares about.
Costa: And also, I mean, there’s AIs working on this—there’s algorithms that are working on breaking passwords all the time. So you almost have to outsmart them as well.
Mickos: Yes, but all good—like an online banking system will allow you to try a new password only at certain intervals and only a certain number of times, and it will lock the account, and it will have multifactor authentication. So actually, it’s not difficult to be safe in that particular segment anymore. And probably smart people will invent passwordless authentication at some point.
Costa: Yeah, I mean, we’ve done that story a number of times, saying, “It’s coming, it’s coming,” and then a year goes by and we’re still typing in passwords and having emails sent to us and text messages to our phones. Do you think we’re going to get to a no-password future any time soon?
Mickos: I’m an optimist. I think we’ll fix all problems; I just don’t know when. Like, another problem we have is we use identifiers as passwords. Like, the social security number should just be an identifier, it shouldn’t be secret. Like, my name is not secret. It’s an identifier so you know—you can point to me. And my social security number should also be just an identifier, not a key and not a password. But that’s a mistake that was made decades ago in the U.S., and it has to be fixed at some point, because society doesn’t function if what needs to be an identifier is used as a secret key.
Costa: So my last question: I have to know, is there any movie that has gotten hacking right?
Mickos: Well, “Sneakers” is an amazing movie, you should all watch it, and it is our business completely.
Costa: That was the one I was going to suggest was number one.
Mickos: But there’s another movie we must mention: “Hackers.” Why? Crappy movie.
But why is it important?
Costa: Angelina Jolie.
Mickos: Angelina Jolie. She is the role model for female hackers, and so many female hackers have told me when they saw that movie, that’s when they decided they can be a hacker, it’s not just for boys. So ignore the qualities of the movie and just admire Angelina Jolie for being such a role model.
Costa: That is some advice to live by. Marten Mickos, everybody.