The title makes it seem as if he was accessing these sites without the government expecting him to. In reality, this was a federal program called "Hack the Pentagon": https://hackerone.com/hackthepentagon
While I do have a bit of experience with it, I still try to remain casual about it. Not by any means the only thing I do (heading out hiking on the Appalachian Trail tomorrow!) so I try not to take it seriously. Thanks though!
Yeah, very misleading title. If he were just doing this on a whim, even if it were for 100% white hat purposes, he'd almost definitely have been arrested.
The most severe vulnerability submitted and the highest awarded was a SQL Injection.
Can someone explain why this is still in existence? With the plethora of web frameworks and built in parameterization and ORM abstraction, I don't understand how this can still be exploited. Especially when we're talking about the Pentagon of all places.
Practically every framework gives a developer the capability to run raw SQL queries on a database. The latest version of the popular PHP framework Laravel still has DB::raw. Express in NodeJS uses the NPM MySQL client that offers connection.query for raw SQL. Python's Flask framework uses SQLAlchemy and gives a developer db.engine.execute access. And so on for every language people make database driven websites in.
Using a framework well stops SQL injection attacks dead in their tracks. Using one badly though, and they're still just as dangerous.
Although we can agree we should be sanitizing inputs, I haven't seen a consensus on the use of ORM as a best practice and wouldn't say its employment is inherent in using a framework well. There's nothing wrong with writing SQL queries if everything leading up to that point is handled correctly.
1. You need a query that can't be handled by your ORM, since in general ORMs can't expose all functions of a database. (This condition is also met if you have no ORM.)
2. You need a query that is going to have a varying number of parameters, so you need to manually assemble the query.
When that happens, there's a temptation in almost all systems to try to write the moral equivalent of:
and so on and so on. This is where I see most of the SQL injection, even in language communities that have otherwise thoroughly internalized the need for query parameters (for example, perhaps surprisingly, the Perl community for a very long time).
Programmers who are not really fluent yet and are still having to think about every line either don't think about, or are trying to avoid the complexity of,
sql_query = "WHERE condition = ?"
params.append(param1)
if something:
    sql_query += " AND other_thing = ? "
    params.append(param2)
are the source. This pattern is, broadly speaking, safe. But it has just that extra bit of the sort of complexity that a lot of programmers shy away from. (As opposed to the sorts that programmers almost seem to chase, like "adding 15 boolean parameters to a function over the course of a year".)
There's also usually a library in the target language that is a pretty good reflection of SQL that avoids this problem (such as SQLAlchemy in Python), but I think that most people consider this "too complicated".
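The pattern the comment above describes, carried through as an added example (not code from anyone in the thread): a dynamic WHERE clause with a varying number of conditions, where column names come from a fixed allow-list and values only ever travel as `?` parameters. The `users` table and its rows are constructed here to make the example runnable against SQLite.

```python
import sqlite3

# Constructed sample data, not from the thread, so the builder can be run.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", 1), ("bob", "user", 1), ("carol", "user", 0)],
    )
    return conn

# Hypothetical helper: assemble a WHERE clause from a dict of column -> value.
# Column names are checked against an allow-list (they cannot be parameterized),
# values are appended to a parameter list and never concatenated into the SQL.
def build_where(filters):
    allowed = {"name", "role", "active"}
    clauses, params = [], []
    for column, value in filters.items():
        if column not in allowed:
            raise ValueError("unknown column: %r" % column)
        clauses.append("%s = ?" % column)   # only the trusted column name is interpolated
        params.append(value)                # the untrusted value goes to the driver
    sql = " AND ".join(clauses) if clauses else "1=1"
    return sql, params

def find_users(conn, filters):
    where, params = build_where(filters)
    rows = conn.execute("SELECT name FROM users WHERE " + where + " ORDER BY name", params)
    return [r[0] for r in rows.fetchall()]

if __name__ == "__main__":
    db = make_db()
    print(find_users(db, {"role": "user", "active": 1}))   # ['bob']
    # A value containing quotes is compared literally, never parsed as SQL.
    print(find_users(db, {"name": "x' OR '1'='1"}))        # []
```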
From what I have found, these places either have 1) No programming resource internally. 2) Some programming resource internally, but they're so swamped with other, poorly managed timeframes and projects, there's no extra resources.
So light to medium sized projects get outsourced - but if the delivered product "works" (at least visually) then who is going to QA the code? In fact, go one step back -- who is even going to think that the code needs to be checked? The management who chose the vendor? Hell no, that would look bad for them. The programmers who are swamped on other projects? Hell no, they're so busy they don't even want to talk to you.
So management takes one glance at it, sees that it works, and it gets thrown into production. The first time its security is tested is when the international hackers come knocking...
I'm not defending these actions in any way - I think it's a goddamn joke - but this is the reality.
"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," ...
It seems like a pretty small sum to me. They paid out amounts between $100-15000 for the bounties with a total of $75000. Gauging that one of the bounties at $15K sucked up around 20% of the overall budget and there were 137 other reports - it's literally the equivalent of paying outsourced oDesk rates for security testing in time/value.
What reason would anyone have for wanting to actively participate (not just poke-around like I'm sure quite a few employed professionals did) vs selling the exploits off on the dark web or just working in security for a company that pays a reasonable rate?
>> "What reason would anyone have for wanting to actively participate (not just poke-around like I'm sure quite a few employed professionals did) vs selling the exploits off on the dark web or just working in security for a company that pays a reasonable rate?"
The answer to your first alternative is pretty obvious: morals. That and not wanting to do jail time. To the second alternative, I'm sure the people participating mostly have jobs or other commitments and are doing it for reasons other than the money.
The kids will find some low hanging fruit for cheap. It's a quick smoke test. After they get done fixing those, one would hope they still hire the pros.
For many people, "internship" means unpaid, that might be the source of the insult.
I remember trying to recruit JavaScript programmers from the local maker/artist community, offering an internship that paid, I forget exactly, but something around $35/hour, which I thought was reasonable for an entry-level programmer. I got no responses, and later learned that my call was widely talked about as a scam, since everyone knew internships were unpaid or at best carried an honorarium.
I don't know how you learned that, but it's not the real reason you got no responses. It simply can't be. Programming internships universally pay. It might not be that way in other fields, but it's well known to be the case in tech.
This sounds like a large reason we have employment problems in the US, and frankly it stinks of the "old scouts" in the book+movie "Moneyball". Engineers aren't known for their social networking and sales prowess. IMHO, engineers are among the most likely population to undervalue themselves in their early career.
It's difficult and time-consuming to on-board and train a programmer / developer / software engineer, but every programmer needs to start somewhere. I consider myself lucky in that I worked my way through college as a web developer for companies in Silicon Valley. If I didn't have my social network of other local engineering students, I would probably have started my career around $70k-$80k. I suspect that programmers in extremely rural parts of the US (like Alabama, West Virginia, Wyoming) would be lucky to find $70k/year.
Seriously, I've got 5 years experience and I'm making $86K per year. Granted it's a startup, but where I live the market is pretty depressed. Anytime you see a Bay Area company relocate or open an office here you can guarantee it's to pay low wages, and they usually try lower than market.
Well, I have a higher cost-of-living than Atlanta but could probably make $20k more by moving there. Then again I can go to the beach at 13.00 on any given day of the week so I guess I'm paying the coastal tax. Life's full of compromises I suppose.
That seems like an unreasonable expectation, considering he's still in full-time education - so he wouldn't be likely to accept a job offer in any case.
It sounds like he only found XSS, which isn't exactly worthy of a job offer anyway.