Facebook rescinds internship to aspiring security hacker - enterprises take note

Profile picture for user jreed By Jon Reed August 13, 2015
An aspiring developer and security hacker learned some hard career lessons this week - courtesy Facebook. But the more interesting part is how crowdsourced security is affecting the enterprise.

It's been a tumultuous PR week for Facebook on the security hacking front, with news that a Harvard student lost an internship with Facebook after pointing out security flaws. Actually, he did a wee bit more than point them out, but more on him in a sec.

Enterprises are not immune from these misadventures, with Oracle having an unfortunate misstep via a now-deleted blog from their Chief Security Officer, with the requisite apologies issued (to be fair, it's a reasonable apology).

Taken on their own, these gotchas might be minimized as lunch break reading. But there's a bigger story here: changes are underfoot in the treatment of hackers that enterprises are wise to take note of.

Three months ago, life was peachy keen for Harvard student Aran Khanna, who landed a sought-after internship at Facebook. But he put a wrench in his own plans by launching an application called Maurader's Map. Built as a Chrome extension, Marauder's Map was not for the innocent - it pulled Facebook Messenger data to provided scarily precise locations from users. As per Boston.com:

The app also showed the locations, which were accurate to within three feet, in a group chat with people [Khanna] barely knew. That meant complete strangers could hypothetically see that he had messaged them from a Starbucks around the corner, while he could see that they had messaged from their dorms.

Khanna tweeted the app on May 26, posting on Reddit and Medium as well. The app went viral: before it was neutered, it was downloaded more than 85,000+ times. For their part, Facebook says they've known about this privacy flaw for three years. By default, the desktop and mobile versions of Messenger shared users' locations with all people they messaged.

Three days after Khanna issued the app, Facebook asked him to disable it. Facebook also got rid of location sharing from desktops, effectively clipping the app. As for phones, a mobile Messenger update should address the issue once it's installed. As per Facebook, “With this update, you have full control over when and how you share your location information.”

I don't know anything about Khanna's motivations, but his explanation on Medium pushes for privacy transparency:

I decided to write this extension, because we are constantly being told how we are losing privacy with the increasing digitization of our lives, however the consequences never seem tangible. With this code you can see for yourself the potentially invasive usage of the information you share, and decide for yourself if this is something you should worry about.

I'm not going to belabor the details of the subsequent fallout, but suffice it to say that Facebook rescinded Khanna's internship. Barista time perhaps?

On the enterprisey front, Oracle's PR awkwardness stemmed from a now-deleted post by CSO Mary Ann Davidson which essentially gave Oracle customers a strong scolding/warning not to reverse engineer Oracle's code.

What's interesting is how many companies are moving in a new direction, rewarding hackers for finding flaws. It's now a relatively common practice for companies to credit researchers/hackers who report a software vulnerability - or even pay them a bounty.

In 2012, Wired reported on Google's bug reward contests, which had already paid more than $1.2 million in bug-finding bounties. Facebook has paid bounties as well, and non-tech companies are getting in on the act, with Tesla announcing in June a bug bounty program with more modest payouts ($1,000 max), managed through the bugcrowd.com platform.

On July 14, two months after announcing their bug-bounty program to find flaws in its web site and apps, United Airlines paid out their first prize: one million air miles. As a United Airlines detractor, I'd call that more of a prison sentence than reward, but nevertheless... Hopefully United Airlines will pay out more bounties soon, as they had two massive technology-related outages this summer.

Are bug bounty programs appropriate to the enterprise?

Given the track record of crowdsourced security, it seems a no-brainer to recommend that enterprises use them. But in a laudably contrarian post, Tim Erlin attempts to make a case for Davidson's position by stripping the questionable tone of the original post in search of a more neutral message:

The counter-argument put forth by Davidson is that Oracle does this [security research] already, and that only Oracle can do it effectively because of their inside knowledge of the code. I actually really like this point. It’s true that the original vendor can perform more effective software assurance than an outsider. The problem is that most simply don’t.

Erlin goes on to recommend that customers take advantage of such software assurance programs, and insert language in every RFP to learn how the vendor protects the security of their developed code. Writing for SearchSecurity, Michael Cobb argues that bounties can be an asset for enterprise security, particularly if companies are tight on internal resources:

Complete security is only achieved when software does what it is expected to do in all conditions. Rewarding people to actively create unexpected conditions provides a way to harness the collective intelligence and capabilities of security researchers around the world and help further improve the quality of code and protect users' data and privacy.

My take

Bug bounties are not a cure-all. But it's naive to assert that internal security teams have the bandwidth to address and test all vulnerabilities. Some type of program to solicit external security input is called for. This could mean addressing concerns about exposing some IP, or overcoming the perception that all hackers have bad intentions.

It may also mean re-assessing license agreements to ensure that white hat hackers aren't punished. As some snarkers tweeted, "outlawing reverse engineering means only outlaws will reverse engineer." Tweeters also made the point that threats of contractual breach mean nothing to cyber-criminals.

As for Khanna, as much as I'd like to throw Facebook under the bus, I don't know enough about his situation to say definitively what I would have done in their shoes. From a career advice perspective, I'd definitely advise not to release apps that might expose your future employer. Maybe wait until you're hired, then broach the issue a tad more discreetly. I was kidding about the barista thing though; I'll be surprised if Khanna doesn't get a good job offer in the tech field sooner than later.

But white hat hacking requires its own set of communications protocols - particularly if you want to ensure the goodwill of said company. That's a lesson better learned when a job isn't on the line.

Image credit: a safe place to work © olly - Fotolia.com

Disclosure: Oracle is a diginomica premier partner as of this writing.