What the World Needs Now is More Hackers
Got a great program? Yes? Will it open Pandora's Box? No? Are you sure? Is it going to bankrupt you to hire someone to find out?
Smalltown USA -- A SWAT team descend on a sleepy suburban house in the wee hours of the morning and crash in, their high powered weapons at the ready, and within seconds everyone is up against the wall, assuming the position.
Months later there's a trial and a hacker gets sent down for two to ten. Ignominy.
But patience: just wait! For in two to ten - more likely one - the hacker will be free again and the NSA will come calling. And offer that heinous criminal an eight figure salary. Go to work hacking for the government. Getting busted was the best thing that could have ever happened.
Governments who have to 'play for keeps' understand this far better than commercial software houses: there's no such thing as secure software - there are only hackers.
And what the world needs now is more hackers.
You can always claim your software is bug (and exploit) free but you never really know. But by having hackers on the payroll you can at least feel more confident that if an exploit were to rear its ugly head, your own people would find it first. Which is why you'd task salaried help to look for these bugs and exploits midnight to midnight every day of the week, holidays included.
Software developers often live in a rose-coloured world. They presume their software is going to be used the way they intended. They find it difficult to think outside the bun.
Hackers aren't like that: they live and breathe exploits. That's their raison d'être, their nourishment.
By keeping several hackers well paid and totally isolated from each other, a software company can control security and at the same time (hopefully) get advance warning on anything untoward in the code. If one hacker comes up with absolutely nothing for the longest time, well... If one hacker gets a cute idea to sell an exploit to a foreign power, the other hackers on the payroll might come up with the exploit first. There's a certain security in numbers.
And who's going to freelance (and spy) when there are companies paying rich rewards for legitimate work? Anyone can hack into a bank account for a 'quick buck' - and then get out of Dodge quick and stay out. Forever. But how does that compare to doing the same thing legitimately and getting the dental plan, the medical plan, the leasing contract on a BMW with the option to buy, the house in Poshville and/or the penthouse suite, and Visa and Mastercard falling over each other to get in your door?
Not to say major corporations aren't employing hackers for this purpose already, but it's not a common practice. Corporations are often interested in auditing their online networks in times of major upheavals such as mergers, and black hat hackers know to watch for mergers in the news as they normally spell 'electronic chaos' for the foreseeable future.
But there's a lot of software out there that should be properly audited and isn't. Rixstep products - the ACP, the AWS, CLIX, Tracker, Undercover - won't normally run the same security gamut as operating system or antivirus software, but the need to get people to focus on at least trying to find bugs and exploits is obvious. And the more sensitive the application domain the more obvious the need.
How much money - and face - would Sony BMG have saved if they'd employed the services of Ed Felten and his crew at Princeton before coming out with their DRM rootkit? How much embarrassment would Microsoft have saved in any one of hundreds of different situations if they'd done the same?
There's a kind of unspoken assumption in software houses that what people are doing is innocent and wonderful - and to a certain extent this is true, but think about it: if you're the CIA and you're recruiting, do you just pull in anyone off the street because they dress well? Isn't there a process known as 'vetting'? Even if you're totally enthusiastic about a recruit you do a background check anyway.
Everyone knows that. Not only in the spook sector but anywhere. And that 'anywhere' should apply to software as well. Got a great program? Yes? Will it open Pandora's Box? No? Are you sure? Is it going to bankrupt you to hire someone to find out?