20.5k unique visitors in the last 3 days

Crowdsourcing Security

The old proverb says that "if you want a thing done well, do it yourself". Rubbish. If you want a thing done well, get a few thousand other people to do it for you. No matter how good you are, the combined efforts of a few thousand other people is going to be better. Take security as an example. The reason why businesses keep getting hacked is because 10,000 hackers will always trump 100 code testers and auditors. Whatever loophole is missed by your people, the black hat hackers will have the motivation and the manpower to find it and exploit it. So how do you beat those 10,000 black hat hackers, wanting to steal your secrets and/or money?Facebook have a solution that is on the right lines, with crowdsourcing as the key component. They do as much as they can internally, but then they also engage thousands of white hat hackers on their side. Facebook proved the worth of this approach in 2010, by adopting a policy which clarified how users should report security issues, and which gave users the assurance that they would not be held legally liable...

The old proverb says that “if you want a thing done well, do it yourself”. Rubbish. If you want a thing done well, get a few thousand other people to do it for you. No matter how good you are, the combined efforts of a few thousand other people is going to be better. Take security as an example. The reason why businesses keep getting hacked is because 10,000 hackers will always trump 100 code testers and auditors. Whatever loophole is missed by your people, the black hat hackers will have the motivation and the manpower to find it and exploit it. So how do you beat those 10,000 black hat hackers, wanting to steal your secrets and/or money?

Facebook have a solution that is on the right lines, with crowdsourcing as the key component. They do as much as they can internally, but then they also engage thousands of white hat hackers on their side. Facebook proved the worth of this approach in 2010, by adopting a policy which clarified how users should report security issues, and which gave users the assurance that they would not be held legally liable for the consequences of their research. This generated a lot of kudos for the oft-maligned social network; The Electronic Frontier Foundation went as far as applauding Facebook for their transparent stance on vulnerability disclosure. But the policy did more than earn kudos for Facebook. It rewarded Facebook, as white hat hackers found and disclosed previously unknown weaknesses, giving Facebook the chance to fix them. Now Facebook has taken the next logical step, by paying money to those who notify them of security bugs; you can read about Facebook’s ‘security bug bounty’ here. Bounties for individual bugs range from USD500 to USD5,000, and they have proven to be an enormous success. According to Facebook’s security blog, the bounty program paid out USD40,000 during its first three weeks. One person earned USD7,000 for the six issues he identified. It shows that Facebook is backing the intelligence of the social network, using the wisdom of crowds to shore up its defences. In a world where many security experts aim to promote themselves and earn revenues by publicly demonstrating the exploits they have devised, it makes perfect sense to use the internet to create a rapid-fire marketplace, with minimal middle-men and the fastest possible exchange of information. It is better to buy the knowledge of security flaws as quickly as possible, than do nothing and allow that knowledge to be sold through a market run by the black hat hackers and criminals. Expect other joined-up internet firms to follow Facebook’s lead.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email