Hacker Code Example

Su Mcdowall

Aug 5, 2024, 4:13:56 AM
to viednepadre
My hope in sharing The Hacker Ethic here is to give you a deeper understanding of how hackers think. One day you may hire a hacker, work with one, or wish to become one yourself. In that case, consider this your first step into their culture. These are the top four principles of The Hacker Ethic.

One of the most meaningful outcomes is the Free and Open Source Software movement. Started by Richard Stallman in 1985, the free software movement encourages millions of people to share, copy, and remix code.


Today 80% of smartphones and 80% of websites run on free software (a.k.a. Linux, the most famous open source operating system). In addition, WordPress, Wikipedia, and nearly all programming languages are free! All thanks to The Hacker Ethic.


One way hackers promote decentralization is by building tools. Bitcoin is a tool that was created by Satoshi Nakamoto that completely removes the authority (and thus power) of banks. Bitcoin allows individuals to manage, send and receive money in a decentralized manner.


Coming up next: The incident that spread The Hacker Ethic from the halls of academia and out into the rest of the world. And if you missed part one you can read it now at The History of the Internet.


Very special thanks to Pippa Biddle, and Alexis Rondeau for reading early drafts and providing countless insights. The Secret Hacker Code was originally published at One Month: Learn to code in 30 Days.


If you want to share code between examples, use a file name prefix followed by a dot. Namespaces are generated based on the first name component, so foo.x.hack and foo.y.hack will have the same namespace.


The build script will insert the necessary initialization code automatically into any function, so it is OK to rely on definitions from other examples inside any function or functions called by it, but not elsewhere.


For example, HHVM can never successfully run a file containing e.g. a class definition that references a parent class or other definition from another file (this is not a limitation specific to the docs site).


In practice, this is fine because running a file containing a class definition is generally not needed. However, it does mean that trying to add a function to example_hierarchy.child.hack won't work, because HHVM will fail with an "Undefined class Parent" error before it even reaches it.


Each example is structured to be run with the HHVM test runner. We use the test runner internally to ensure that any changes made to HHVM do not cause a regression. The examples in the documentation here can be used for that purpose as well.


Normally you will use our test suite described above to test any changes you make (because it tests our examples as well). However, sometimes it is actually faster and more explicit to test one example directly with the HHVM test runner.


The problem is, at the bottom of each email he says he "expects a bounty to be paid". Is this blackmail? Is this his way of saying you'd better pay me or I'm going to wreak havoc? Or is this a typical and legitimate method for people to make a living without any nefarious intentions?


EDIT: For more clarification: He gave me two examples of vulnerabilities with screenshots and clear instructions on how to fix those vulnerabilities. One was to change the "?all" part of my SPF record to "-all" to block all other domains from sending emails for my domain. In the other email he explained how my site was able to be shown inside an iframe (enabling a technique called "clickjacking") and he also included an example of the code and instructions on how to prevent it.


A true "ethical hacker" would tell you what issue (s)he found in your system, not ask money for that; (s)he could offer to fix it as a contractor, but that would be after telling you what the actual problem is; and in any case, it's a completely different thing from just trying to scare you into paying.


While this might be blackmail, there are many possibilities for genuine good intent, too. Therefore, here are some more comprehensive thoughts on how one might handle unsolicited vulnerability reports. In short: you have every reason to be cautious, but you do not have to be rude.


Ethical hackers perform their analysis based on a contract typically with predefined targets and limitations. These might be ordered assignments or more loosely defined bug bounty programs, either directly or through a platform like HackerOne. In any case, an ethical hacker (or a white hat hacker) always has an explicit permission.


I have found several vulnerabilities by accident, without an intention to poke the system in any way. These cases are usually rather harsh, and I do hesitate over whether not to report it at all, to report it anonymously, or to report it with my name, which would give me the possibility to help them with further questions. The reality is that because I did not have permission, the receiver may interpret or handle my report in unexpected ways, possibly causing me legal charges or other problems. So far, they have been sympathetic towards me.


You are asked to pay for the findings, but without knowing the details you cannot be sure whether they are worth paying for at all. Vulnerabilities come in all shapes and sizes. Some of them are critical, and some are minor. Some may also seem problematic from outside, but are completely irrelevant to you, or within your accepted risk. One simply cannot sell vulnerabilities in pieces, bundles, kilograms, or liters.


A message suggested a reward for finding a web page protected by HTTP basic authentication, which indeed is not a secure authentication method. However, as it was only an extra layer of security before an actual login page, and not protecting any critical system anyway, it was not really a vulnerability at all. Therefore, the finding had zero value for the company.


A report of a missing SPF record. The explanation was correct and all, but the record was not missing! Instead of querying from DNS, the "bug bounty hunter" had used a web-based SPF lookup tool but used instead of example.com. Due to this syntax error it did not show the record.


Therefore, in order to judge the value, some details of the vulnerability must be disclosed. If someone who has found the vulnerability thinks giving out these details may result in losing the reward, the vulnerability may actually be worthless: known, easy to spot with automated tools, within accepted risk, too minor, or otherwise irrelevant. On the other hand, if the vulnerability is severe, it is often also so complex that giving some proof of concept will not completely help fixing it. The additional work required to describe and address the vulnerability is valuable and will be paid.


It's not unusual for someone who discovers a security vulnerability to be paid a bounty for their discovery. A lot of prominent open source projects and web sites have policies of paying a bounty for responsible disclosure of a vulnerability. I don't know how common it is for companies to pay a bounty without having some sort of bounty program set up in advance though.


How much should you pay? That's up to you. In my case, the vendor rated the bug as "critical" and then it was patched. It could have led to serious compromise, but would have been difficult to do. I was paid a little under $5k for my efforts, which was near the top end of the range quoted on their web site.


Also, if they're just telling you about a known security vulnerability in a bit of third party software that's probably not worth much. e.g. if you were running an old version of WordPress and the bug was a known WordPress vulnerability.


A proper ethical hacker isn't trying to wreak havoc. Nor will they be selling the vulnerability to someone else if you don't pay. But that assumes you're dealing with a legit ethical hacker, not some troublemaker who's trying to rip you off or cause trouble.


After I earned my bounty, I did the maths, and figured I could potentially earn a living collecting bounties. It is possible. Whether that's what your guy is up to, who knows. Trying to collect bounties from companies that don't have formal bounty programs is a pretty risky way to go about it though, which counts against your guy IMHO.


Consider hiring a security person (not this "hacker") to evaluate your systems, whatever form that takes: a one-off engagement to do a security assessment, a bounty, or a migration to a hosted platform to outsource operations to someone else.


Even if the "vulnerabilities" are real, you should not assume they are useful unless you understand them in context yourself. For example, is there any actual way to cause harm by embedding your site in an iframe? I get these spam "vulnerability" emails all the time, but the site in question is a static marketing page with no user login capability, so there is no possible use in performing a clickjacking attack on it. These people just run "vulnerability scanners" against your site, then ask you for money. They don't actually understand the output of the tools.


To say it more pointedly: given the two security issues mentioned by the "hacker" (SPF ?all and clickjacking), it is most likely that the hacker has not spent any significant time or effort specifically examining OP's site.


You may also feel that you do not care about security - this is perfectly fine assuming that you are aware of the consequences. Since you run an internet based business I think this is not an option.


If they don't react the proper way in a timely fashion, the hacker, the other security experts or the media involved may publicly disclose the bug, the failure of the bug bounty program and/or other details.


I have read computer law in graduate school, but speaking as an ethical hacker and bug bounty hunter myself, I never try to find vulnerabilities (known as pentesting) on websites I do not own or have express permission to test.


Bug bounty programs are there for a reason - to give hackers an avenue to find vulnerabilities and earn money for it. Testing without permission, or without a bug bounty program that automatically grants permission based on certain conditions, like what the so called 'ethical hacker' has done, can be reported to the police as it is a cyber crime - no different from a malicious hacker.
