The first computer bug (a “bug” being, in computer science, an error) was found in 1947, when a moth was trapped in a component of the electromechanical computer the Harvard Mark II (the term had already been used before to describe an error in a device). In the 67 years since that dead insect was found, computers have changed a great deal, but bugs remain entangled in them.
The bad news is that, in these days of rampant cyber crime, these errors can give attackers easy access to a machine. The good news is that finding the holes that slip into software can be a lucrative business for the good guys. Big mistakes are usually found when programs are about to be launched. However, the number of experts that software makers can turn to in order to verify which kinds of software holes cyber thieves prefer is limited, even for larger companies.
No wonder, then, that more and more software vendors are offering rewards to people, especially independent security researchers, who detect these security holes and other vulnerabilities. The rewards can range from a shirt or free software to, sometimes, a laptop. But increasingly, says Casey Ellis, founder of the website Bugcrowd, the reward is hard cash.
“As soon as this kind of incentive is presented, it draws the attention of more people and the research is also better”, he said. “Everyone should have a rewards program of some kind”.
Bugcrowd has 6,000 members and acts as a hub for bug hunters and for companies that need the services of these people. It provides a list of rewards programs and benefits and helps standardize the ways in which digital problems are reported.
Who are the bug hunters? “There are two different groups”, Ellis said. “Those who focus on the search for problems with a very technical approach, and then there are those who try to think like the bad guys”.
James Forshaw, of the security firm Context, is in the first group. “I have specialized in finding logic errors”, he said. “It’s not about exploiting a piece of code, but about a whole chain of logical operations to get an unexpected result”.
This may involve painstaking work to track the way in which processes and functions interact in software. It can be especially tough with Microsoft products because relatively little of their source code is available. Instead, security engineers such as Forshaw use tools that work on an abstract version of the software code. Sometimes the final result of careful analysis is nothing.
In October last year, Forshaw received a reward of $100,000 from Microsoft for finding a security hole in Windows 8.1 that, if exploited, would have allowed attackers to bypass protection systems.
Many other bug hunters have used their skills to take advantage of the opportunity. This is because software companies are not the only ones who pay to learn about these glitches. Cyber thieves also offer money for vulnerabilities that they can exploit with viruses and other malicious programs.
But the biggest buyers of bug reports are governments, and the potential rewards are huge. Documents leaked by Edward Snowden suggest that the U.S. National Security Agency spends $25 million a year on purchasing bug data. Companies have emerged that act as intermediaries between researchers and buyers, and there are anecdotal reports of people who have become rich from these deals.
So is there any hope for youths over the age of six without deep technical knowledge of software? Can they do it too? Yes, says Casey Ellis of Bugcrowd, adding that many of its members began as teenage rookies but are now doing well. There are others too.
“I started at age 14 by finding vulnerabilities in simple web applications”, says German teenager Robert Kugler, who is now 17. “Security has always been a fascinating subject for me, so I taught myself the fundamentals of information security and continued studying further”.
Since then, he has managed to find bugs for Mozilla, Avast, PayPal, Yahoo, Microsoft, the Dutch government and military intelligence in Belgium. He has received about $5,000 for his work.
But he admits it is not easy. “It is necessary to have good analytical skills and to be able to understand the coherences”, he said. “Finally, and equally important, patience and creativity are very important skills”.
Another example of how easy this can be comes from Chris Wysopal, a former member of the famous hacker group L0pht. In May 1998, the group told the U.S. Congress that the Internet could be shut down in 30 minutes. Wysopal now helps run the security firm Veracode, which produces automated tools that look for vulnerabilities and other bugs in code.
“These tools can find code that is vulnerable to known attacks or report places where security functions, such as encryption, are weak. Going further requires people who can have a higher-level vision of how the pieces of code fit together”, says Wysopal.
However, he adds that these people do not necessarily have technical skills. Wysopal's daughter, Renee, received a reward of US$2,500 for discovering that a Facebook privacy module failed several times to block access to her pages by others.
Despite being an arts graduate, Renee found the bug after getting guidance from her father on how to view the source code of a web page and use a proxy to change the data passed to it. Her experience is unlikely to be unique, Wysopal said. “I do not think it’s that hard to find faults in many products”, he said. “Just look”.