Adam Janofsky

Scoring $200K at the hacking event that almost didn’t happen

How HackerOne and Verizon Media pulled off a virtual event for 50 hackers from 13 countries.

HackerOne has put together 20 in-person hacking events over the last five years, but when coronavirus disrupted its plans for a Verizon Media event, they took it virtual.

Photo: Courtesy of HackerOne

The beginning of March for Jon Colston, like for many, was looking grim. The 44-year-old entrepreneur had to close down the mortgage startup he was developing as the economy took a beating from the coronavirus pandemic.

Fortunately, he had a side gig that was about to earn him a six-figure payday. Colston, who has a background in data analytics, taught himself the ins and outs of cybersecurity through videos and other online resources, and since late 2018, he had been moonlighting as an ethical hacker, helping companies find bugs in their code.

With other distractions gone, he quickly found himself doing freelance cybersecurity work at all hours of the day, up from about 10% of his time before the coronavirus outbreak began.

"My ritual for the last few weeks has been: wake up, roll out of bed and onto the computer, hack until I can't stay awake anymore, go to bed and repeat," Colston told Protocol last week. As a hacker he goes by the nickname @mayonaise, and he lives in Las Vegas with his wife.

In early April, his dedication was rewarded. Verizon Media, which for the last several years has focused on building relationships with the ethical hacker community, held its live hacking event in partnership with bug bounty platform HackerOne. It was the first such virtual event for both organizations, which decided to experiment with the new format because of the coronavirus pandemic. Verizon gave 50 hand-picked hackers from 13 countries access to some of its closely guarded code and paid them generously for any bugs they found.

"It was a playground," said Colston, who earned more than $200,000 from the event after reporting about 30 bugs. In total, Verizon Media paid out $673,988 in bounties. Colston credits about half of his success to a single, critical issue that he found on several servers. He declined to elaborate on the bug's details, but he said he's seen it affect several organizations since last May.

"I call it the MOAB, the mother of all bugs. It's everywhere, it's high in critical impact, it's across technologies," he said.

The weeklong virtual event was an "incredible success," said Luke Tucker, senior director of community at HackerOne.

And it almost didn't happen.

The event was originally scheduled to be in-person based around the Black Hat Asia cybersecurity conference at the beginning of April. Fifty of the top security researchers on HackerOne's platform would be flown to Singapore, where they would meet with Verizon Media's security team and prod part of its Yahoo product line. Verizon acquired most of Yahoo's internet business in 2017.

But by late February, with the RSA cybersecurity conference barely going off as planned, organizers from Verizon Media and HackerOne decided to pull the plug on an in-person event in Singapore.

"I remember we were on the curb at RSA, and we were talking about the current situation, where the virus was going, and we decided we didn't want to put any of the researchers or our employees at risk," said Sean Poris, director of product security at Verizon Media. "So we agreed at that moment we were going to have a zero-travel policy on our event."

"It was obviously the right decision to cancel the Singapore event," Tucker said. "And the second good decision was to make it virtual."

Making virtual lemonade

HackerOne has put together 20 in-person hacking events over the last five years with more than a dozen organizations, including Dropbox, Shopify and the U.S. Air Force. Live bug-hunting events have become an important way for companies to entice independent security researchers to help find problems in systems before criminal hackers do. Like many other organizations with in-person gatherings planned for this year, HackerOne was forced to completely rethink its playbook. Tucker said that HackerOne had brainstormed what adding a virtual element to its events would look like, partly inspired by esport competitions, but it didn't have plans to try it out anytime soon.

"We were trying to crack that nut and figure out the right way to roll out a live event experience that would be really dynamic and interesting, and then COVID-19 happened, and we were able to take the lemons of not going to Singapore and make lemonade," he said.

Pulling off a virtual hacking event poses unique technical challenges, unlike other virtual conferences or events. Organizers used a wide range of tools to make sure that the security researchers were able to collaborate with each other, share bugs with Verizon Media, and do everything in a way that would keep all the information confidential and out of reach of criminal hackers.

Verizon Media declined to provide details on the scope of the event, citing confidentiality, but the company informed the hackers of the specific products they would probe about two weeks before the event took place. During that gap, the hackers were encouraged to perform reconnaissance and testing in the same way that a criminal group might extensively surveil a network before trying to breach it.

"I was so excited about the targets we were given; it was a very rare opportunity that was provided to us, and I wanted to make the most of it," Colston said.

Hackers communicate on Zoom during Verizon Media's virtual hacking event.

Screenshot: Courtesy of HackerOne

For the event itself, organizers made use of a smorgasbord of remote work tools. Hackers used Slack, Zoom and Google Hangouts to communicate with each other and Verizon Media's security team. Organizers used Discord and Twitter to broadcast leaderboard positions and answer spectator questions about how to start a career in cybersecurity. At one point, hackers used the drawing website skribbl.io to take a break and play a mass game of Pictionary.

Although the event wasn't originally planned to be virtual, Verizon Media would consider doing similar competitions in the future, according to Poris. "It built a foundation we can launch from for future events," he said.

Another HackerOne customer has already signed up to hold a virtual live-hacking event in June, Tucker said, though he declined to name the company due to customer confidentiality agreements.

Pros: More participation, more concentration

Thanks to going virtual, organizers were also able to open the event up to many more people. Thousands of spectators — many of them students stuck at home — were able to watch the hackers and ask them questions through Twitch livestreams and YouTube videos. In-person events typically have educational workshops, Tucker said, but they're generally reserved to about 20 to 50 people invited from nearby schools.

"Where we really spent a lot of time was asking how do we open up the opportunity and provide a social experience to as many people as possible," he said.

Verizon Media was also interested in expanding the event's reach, in part to attract new employees, Poris said, adding that he's hired ethical hackers in the past. "There are way more openings in the security field than we have people. The more we can mentor and educate and get people pumped into the field to reduce that pressure over time, [the better]," he said. He also wanted to "share our brand to researchers and have folks understand how important security is to us."

From the hackers' perspective, participating in a virtual event likely makes it easier to find bugs, Colston said. He was able to work from the comfort of his home, on his own workstation, and didn't have to deal with travel hassles or distractions.

"I'm one of those people that needs complete focus," he said. "I say I'm going into my hacker hole — time slips away, and I'm completely focused on what I want to achieve. That definitely helped out in submitting more reports."

Cons: Outages, time zones and canceled karaoke

The event would end up having some unique challenges: A bug show-and-tell during the closing ceremony livestream, for example, was briefly knocked offline because the person hosting it from her home in Indiana had her power knocked out by a nearby tornado. Time zones were also difficult; participants came from 13 countries, including Argentina, Germany, Russia and New Zealand, so some hackers had to keep odd hours to take part in question-and-answer sessions and daily updates.

"One thing you lose in a virtual event is that there's something special about the concentration of security researchers, the HackerOne folks, and us all coming together physically and being able to break bread, chat, and argue about the merits of a given finding. That's just facilitated so much more in person. We really spent a lot of time thinking about how to create as close as possible that community feeling," Poris said.

Not everything could be re-created: Poris said he especially missed not being able to go out to karaoke with the hackers at the end of the event.

"It's become a tradition, and we missed that this year," he said. "But the closing ceremonies were really strong, and we recorded the show-and-tell sessions, which will help us understand what's going on in the minds of security researchers."
