Facebook is encouraging hackers to try hacking its security systems to find weaknesses, as reported late last week.
Could hacking Mark Zuckerberg's social-media giant lead to a fruitful career?
(Credit: Hegemony77 doll clothes)
Given the ongoing unrest about Facebook, and its associated privacy issues, some may see Facebook's "White Hats" scheme as a cynical ploy to improve public relations.
But there are other, more practical, reasons.
Hacking to help
We often differentiate "black-hat" hackers (those seeking to do harm) from "white-hat" hackers (those probing systems to discover and repair unknown problems).
While white-hat hackers occasionally get bad press, the work they do is often important in keeping software and systems safe from those with more malicious goals.
The concept of employing third parties to attack a network, system or software is not new. Microsoft has a similar system for its software, while open-source software developers depend heavily on reports from users to identify and address potential problems.
The practice is so commonplace that companies, including BT Managed Security Solutions, led by chief security technology officer Bruce Schneier, offer a service whereby customers can contract them to have their systems monitored and "attacked" by experts.
Problems with white-hat hackers can arise when they attempt to probe systems uninvited, as is often the case. It's easy to claim to be a white hat, even though one's actions might not necessarily be seen as such.
Fortunately, this grey area is often protected by legal provisions that can punish unauthorised "visitors" with criminal penalties.
Let me know
As is typical with white-hat programs, reported faults found by Facebook white-hat hackers will not be immediately publicised. This allows time for flaws to be confirmed and corrected, before becoming public knowledge.
Indeed, Facebook makes it clear that to be eligible for a reward, hackers must "give us reasonable time to respond to your report, before making any information public".
And, as is often the case with white-hat programs, Facebook has added the proviso that attackers must behave ethically, in not stealing private information, nor attempting to cause harm.
The novelty of Facebook's approach is both the opening-up of the program to the general public, and the offer of rewards.
The company's executives doubtlessly realise that with the amount of personal data being stored, they are a tempting target. Rewarding people who behave ethically might minimise that risk.
It remains to be seen how successful this strategy will be — particularly if some black-hat hackers get caught, and then claim they were probing the system, as per the current initiative.
But the move may inspire other companies to take a similar approach. In an article in The Guardian, British military cybersecurity chief, Major General Jonathan Shaw, suggests that the military might adopt a similar program.
What's in it for me?
Other than the monetary reward, and fleeting recognition, why might Facebook's initiative appeal to your friendly neighbourhood hacker?
Well, Facebook hasn't said it'll be hiring anyone from the White Hats program, but, if they did, it wouldn't be the first time it's employed a hacker.
At first glance, it doesn't seem to make sense for such companies to advertise that they have hired people who once committed a crime. But if security is important to these companies — and we know it is — it makes sense to hire people with the best skills. And those people might well be hackers.
So far, the list of contributors to Facebook's White Hat program stands at 115, but, with the promise of financial reward, international recognition and even the smallest chance of being hired for one's exploits, that list looks certain to grow.
The Role of White Hat Hackers in Information Security — Amit Anand Jagnarine, Pace University