Month: March 2016 (page 1 of 4)

Anti-Nausea Luxury Engineering

Photo by JD Hancock.

A human is a complex and finicky device. You can’t just buy one and let it be. They need daily care and maintenance. A responsible owner also has to keep an eye out for patches — security updates and plugins for boosted functionality are available frequently. It’s important to stay current! Listen, I’m not trying to discourage you. Just consider your level of commitment before making a purchase. These are very special gadgets.

You’re visiting us for the first time today, right? We encourage first-time companion buyers to start with a basic model. Don’t worry, you can always trade it in for credit when you’re ready to upgrade to one of the high-spec humans! Get your sea legs, so to speak. No, really, we’ve engineered nausea out of the latest genomic algorithm. Many of our clients take their humans sailing. We’re even considering a communal cruise! Let me know if you’re acquainted with any good yacht brokers.

My apologies, sir, I’m getting off-topic. Tell me what features you’re looking for.

Ahh, that’s a common request. Yes, we have a variety of decorative options. But we can’t replicate your dead wife! Ha! Strictly joking, of course. I’ve been skimming a history module about proto-human marriage rituals. Norms were very much changing before we came along and upended their world. Poor little guys.

Do you want to tour the showroom? We’ve got some real beauties in the shop right now! Don’t take what I said about starting with a basic model too seriously — as long as you’re willing to put in the time… It’s very rewarding! I can show you a few testimonials from our other clients. They’re very pleased with their humans.

A Hard Day’s Night of Fake Work

Playing video games. Original photo by R Pollard.

I’ve been playing a lot of Game Dev Tycoon, a business simulator in which you start and build a game development company. (Hat tip to Way Spurr-Chen!)

Sonya: “This game is so addictive.”
Alex: “That’s how you know it’s good!”

It is bizarre that I come home after work, usually drained from relating to people all day, and I want to pretend to go right back to work. A business simulator is most compelling when it mimics real professional stress. Game Dev Tycoon’s appeal is the edge-of-your-seat anxiety that arises from owning a hypothetical small-to-medium business. You have to watch your revenue like a hawk, balance decisions about future investment against the necessity of meeting payroll, and respond to the vagaries of the market.

In his book Play Money, journalist and MMORPG expert Julian Dibbell talks about this trend — the convergence of work and play — in what you might call “post-developed” countries. He hypothesizes that it’s a condition of late capitalism. When your daily tasks consist of manipulating symbols on a computer screen, the content of work starts to closely resemble the content of recreation. Or vice versa?

Facebook, Tinder, and their ilk bring everyone’s social life into the fold as well. Your entire experience of the world can be directed through a carefully designed software interface, constructed to guide you toward certain actions and away from others.

For the most part, none of this is new. Board games and card games are also best when they involve resource management and strategic goal attainment. But the internet and ubiquitous computing greatly increase the scale of our reliance on interactive Platforms™ for employment, entertainment, and community.

Software Meets Capitalism: Interview with Steve Klabnik

Old woman working at a loom. Photo by silas8six.

I interviewed Steve Klabnik via email. If you’re part of the open-source world, you might recognize his name. Otherwise I’ll let him introduce himself. We discussed economics, technological unemployment, and software.

Exolymph: The initial reason I reached out is that you’re a technologist who tweets about labor exploitation and other class issues. I’m currently fascinated by how tech and society influence each other, and I’m particularly interested in the power jockeying within open-source communities. You seem uniquely situated to comment on these issues.

Originally I planned to launch right into questions in this email, but then I started opening your blog posts in new tabs, and now I need a little more time still. But! Here’s a softball one for starters: How would you introduce yourself to an oddball group of futurists (which is my readership)?

Steve Klabnik: It’s funny that you describe this one as a softball, because it should be, yet I think it’s actually really tough. I find it really difficult to sum up a person in a few words; there’s just so much you miss out on. Identity is a precarious and complex topic.

I generally see myself as someone who’s fundamentally interdisciplinary. I’m more about the in-betweens than I am about any specific thing. The discipline that I’m most trained in is software; it’s something I’ve done for virtually my entire life, and I have a degree in it. But software by itself is not that interesting to me. It’s the stuff that you can do with software, the impact that it has on our world, questions of ethics, of social interaction. This draws a connection to my second favorite thing: philosophy. I’m an amateur here, unfortunately. I almost got a higher degree in this stuff, but life has a way of happening. More specifically, I’m deeply enthralled with the family of philosophy that is colloquially referred to as “continental” philosophy, though I’m not sure I find that distinction useful. My favorites in this realm are Spinoza, Nietzsche, Marx, and Deleuze. I find that their philosophical ideas can have deep implications for software, its place in the world, and society at large.

Since we live under capitalism, “who are you” is often conflated with “what do you do for work”. As far as that goes, I work for Mozilla, the company that makes Firefox. More specifically, I write documentation for Rust, a programming language that we and a broader community have developed. I literally wrote the book on it 🙂 Mozilla has a strong open-source ethic, and that’s one of the reasons I’ve ended up working there; I do a lot of open-source work. On GitHub, a place where open-source developers share their code, this metric says that I’m the twenty-ninth most active contributor, with 4,362 contributions in the last 365 days. Before Rust, I was heavily involved with the Ruby on Rails community, and the broader Ruby community at large. I still maintain a few packages in Ruby.

Exolymph: To be fair, I described it as a softball question precisely because of the capitalist shortcut you mentioned, although I’m not sure I would have articulated it like that. Darn predictable social conditioning.

What appeals to you about open source? What frustrates you about open source?

Steve Klabnik: I love the idea of working towards a commons. I’d prefer to write software that helps as many people as possible.

What frustrates me is how many people can’t be paid to do this kind of work. I’ve been lucky to have been able to feed myself while working on open source. Very, very lucky. But for most, it’s doing your job without pay. If we truly want a commons, we have to figure out how to fund it.

Exolymph: I’ve been reading a bunch of your blog posts. I’m curious about how you feel about working in an industry — and perhaps doing work personally — that obviates older jobs that people used to count on.

Steve Klabnik: It is something that I think about a lot. This is something that’s a fundamental aspect of capitalism, and has always haunted it: see the Luddites, for example. This problem is very complex, but here’s one aspect of it: workers don’t get to capture the benefits of increased productivity, at least not directly. Let’s dig into an example to make this more clear.

Let’s say that I’m a textile worker, like the Luddite. Let’s make up some numbers to make the math easy: I can make one yard of fabric per hour with my loom. But here’s the catch: I’m paid by the hour, not by the amount of fabric I make. This is because I don’t own the loom; I just work here. So, over the course of a ten hour day, I make ten yards of fabric, and am paid a dollar for this work.

Next week, when I come to work, a new Loom++ has been installed in my workstation. I do the same amount of work, but can produce two yards of fabric now. At the end of my ten hour day, I’ve made twenty yards of fabric: a 2x increase! But I’m still only being paid my dollar. In other words, the owner of the factory gets twice as much fabric for the same price, but I haven’t seen any gain here.

(Sidebar: There’s some complexity in this that does matter, but this is an interview, not a book 🙂 So for example, yes, the capitalist had to pay for the Loom++ in the first place. This is a concept Marx calls “fixed versus variable capital”, and this is a long enough answer already, so I’ll just leave it at that.)

Now, the idea here is that the other factories will also install Loom++s as well, and at least one of the people who’s selling the cloth will decide that 1.75x as much profit is better, so they’ll undercut the others, and eventually, the price of cloth will fall in half, to match the new productivity level. Now, as a worker, I have access to cheaper cloth. But until that happens, I’m not seeing a benefit, yet the capitalist is collecting theirs. Until they invest in a Loom2DX, with double the productivity of the Loom++, and the cycle starts anew.

Yet we, as workers, haven’t actually seen the benefits work out the way they should. There’s nothing that guarantees that it will, other than the religion of economists. And the working class has seen their wages stagnate, while productivity soars, especially recently. Here is a study that gets cited a lot, in articles like this one.

“From 1973 to 2013, hourly compensation of a typical (production/nonsupervisory) worker rose just 9 percent while productivity increased 74 percent. This breakdown of pay growth has been especially evident in the last decade, affecting both college- and non-college-educated workers as well as blue- and white-collar workers. This means that workers have been producing far more than they receive in their paychecks and benefit packages from their employers.”

We haven’t been really getting our side of the deal.

Anyway.

So, this is a futurist blog, yet I’ve just been talking about looms. Why? Well, two reasons: First, technologists are the R&D department that takes the loom, looks at it, and makes the Loom++. It’s important to understand this, and to know in our heart of hearts that under capitalism, yes, our role is to automate people out of jobs. Understanding a problem is the first step towards solving it. But second, it’s to emphasize that this isn’t something that’s specific to computing or anything. It’s the fundamental role of technology. We like to focus on the immediate benefit (“We have Loom++es now!!!”) and skip over the societal effects (“Some people are going to make piles of money from this and others may lose their jobs”). Technologists need to start taking the societal effects more seriously. After all, we’re workers too.

I’m at a technology conference in Europe right now, and on the way here, I watched a movie, The Intern. The idea of the movie is basically, “Anne Hathaway runs Etsy (called About the Fit in the movie), and starts an internship program for senior citizens. Robert De Niro signs up because he’s bored with retirement, and surprise! Culture clash.” It was an okay movie. But one small bit of backstory of De Niro’s character really struck me. It’s revealed that before he retired, he used to work in literally the same building as About the Fit is in now. He worked for a phone book company. It’s pretty obvious why he had to retire. The movie is basically a tale of what we’re talking about here.

Exolymph: I’m also curious about what you’d propose to help society through the Computing Revolution (if you will) and its effect on “gainful employment” opportunities.

Steve Klabnik: Okay, so, I’m not saying that we need to keep phone books around so that De Niro can keep his job. I’m also not saying that we need to smash the looms. What I am saying is that a society which is built around the idea that you have to work to live, and that also rapidly makes people’s jobs obsolete, is a society in which a lot of people are going to be in a lot of pain. We could be taking those productivity benefits and using them to invest back in people. It might be leisure time, it might be re-training; it could be a number of things. But it’s not something that’s going to go away. It’s a question that we as society have to deal with.

I don’t think the pursuit of profits over people is the answer.


Go follow Steve on Twitter and check out his website.

Surveillance Status Quo

“Every country knows [that telecoms networks are] vulnerable, but no one wants to fix the problem — because they exploit that vulnerability, too.” — Robert Kolker in a Bloomberg article about StingRays

Here we’re confronted with the problem of incentives. Police are incentivized to spy on citizens, whether innocent or guilty. The success of law enforcement is measured by arrests, not by the population’s peace and happiness. Definitely not by how well civil liberties have been protected. None of that fits in a spreadsheet! Nation-states are incentivized to spy on each other, for the sake of regular ol’ espionage as well as obtaining commercial secrets. It’s desirable to keep an eye on the neighbors. What are they up to? When and where are they going to sell their newest invention?

Photo via Thierry Ehrmann. War logs!

Maybe this sounds paranoid, but it’s not. The US increasingly relies on its information economy, which means that data and insight are both especially valuable. Other developed countries are similarly beholden to ideas and intellectual property. One of the profound dangers posed by China is its disregard for patents and copyrights, and its subsequent explosion of innovation. Being surpassed is America’s direst fear. We need to make ourselves great again, right?!

I’ve written about apathy before. It’s the enemy of the entrepreneur and the activist. In a world full of products and causes, it’s tough to cajole someone into caring. Who has the time? And, more crucially, who has the correct incentive structure? Mister Average Joe doesn’t need to worry about surveillance — it doesn’t impact him immediately or concretely — and consequently he simply doesn’t bother himself with the subject.

Every time I say something like this, I’m accused of complacency. And I guess that’s fair. I’m resigned to reality, and I don’t try to agitate against the status quo. Selfishness makes me more interested in surviving and excelling than in overturning power structures.

“I said yes to the mandatory government implants […] because I, like everybody else, just wanted to be safe.” — short story by Maverix75

Mad Max but Computers Instead of Cars

Mad Max 2: The Road Warrior

Tonight I watched Mad Max 2: The Road Warrior (1981). The Mad Max world is dystopian, but not at all cyberpunk. As you may know if you watched 2015’s blockbuster Fury Road, the series postulates a universe — confined to the Australian Outback — where some kind of apocalypse has taken place and both gasoline and water are incredibly scarce resources. Especially gas.

The Outback — rechristened the Wasteland — is ruled by the equivalent of motorcycle gangs, who appear to be on meth all the time. (In the case of The Road Warrior, vaguely sadomasochistic motorcycle gangs, but that’s beside the point.) A few communities that actually deserve the label “community” have popped up, and they’re targeted by the psycho gangs.

Even though Mad Max is the opposite of a hyper-networked cybersphere, it poses some interesting questions for those of us who are fascinated by an oppressive computer-mediated future. As I see it, these are the issues to ponder:

  • What’s the scarce resource? Possible answers: attention, privacy, solitude.
  • Who are the strongman groups? Possible answers: law enforcement, hackers, corporations (especially corporations).
  • How can the genuine communities protect themselves? Possible answers: I’m really not sure.

I know it’s futile to end anything with a question, but I’d genuinely like to know what you think. I’m keen on protecting the communities that I participate in, but I guess I’m not feeling optimistic tonight. Email me?

Tay.ai, Speculative Comics, & Dentistry

Girly teenage robots? Photo by elkbuntu.

There are three things I want to talk about today:

  1. Microsoft’s inadvertently racist Twitter bot, Tay.ai / @TayandYou.
  2. A comic that a-u-t-o-x is releasing soon.
  3. My visit to the dentist today (I swear I have a reason to bring it up).

Unless you’ve been off the internet for a few days, you ran into Tay, a Twitter bot that Microsoft released as PR (?!?!) for their in-house machine learning capabilities. This was an utterly predictable catastrophe. Tay processed the text people tweeted at her and mimicked it back. Trolls quickly figured out the mechanism and made her say a bunch of neo-Nazi nonsense.

“What Tay reminds us: AI may or may not be scary. Humans who train AI are terrifying. Or, humans in general are terrifying.” — Hugh McGuire

Usually I try to stay away from posting a bunch of links, but other people have already said all the smart things. These articles overview the facts:

Wisdom from people who have dealt with systems like this before:

And then Allison Parrish commented in the #botALLY Slack group:

“re: tay, yesterday before any of the really bad stuff went down, I quote-retweeted something that mentioned the account and then the account @-replied me… so I blocked it, thinking how annoying it was that this bot that has Twitter verified status isn’t complying with the letter or the spirit of the API ToS

like, many people must have been involved in decisions to get this bot live, on the part of the group at microsoft AND at twitter

and the fact that no one involved apparently thought of these obvious ways in which it would be a disruptive negative experience for people just… seems unfathomable

we have YEARS of precedents for applications of the Twitter API like this and even the greenest botmaker among us has a better grasp of the issues at stake than the people involved in this project”

So, that’s a whole big thing. In other news, a-u-t-o-x is releasing a comic, which will be available on his website. He told me: “it is titled WORLD L.S.D and ties in Cyberpunk aesthetics & Science Fiction themes. […] the story is simultaneously set in a futuristic city ‘Neo-F’ and outback Australia, as Neo-F is prone to jump through time sporadically.” Here is the title image:

virtualmech.info

And lastly, I went to the dentist today. (Shocker: I’m apparently brushing and flossing wrong! What a new thing to hear from a dental hygienist!) But seriously, it made me further contemplate what I said yesterday: “The future is beyond bodies. A few decades from now — and during some parts of the present — we will not be confined to flesh, nor even to brains.”

I was definitely exaggerating. It’s going to take a helluva lot longer than that. My gums are receding (see: brushing wrong, also possibly genetics) and that is a thing that I have to worry about. We live in an absurd world where the random flesh accident that you’re born into has a huge effect on your quality of life. I admit it, but I’m not pleased.

Gender =/= Genitalia

As was reported in The New York Times (as well as other media outlets) and decried on Twitter:

“North Carolina legislators, in a whirlwind special session on Wednesday, passed a wide-ranging bill barring transgender people from bathrooms and locker rooms that do not match the gender on their birth certificates. […] The bill also prohibits local governments from raising minimum wage levels above the state level — something a number of cities in other states have done.”

Perhaps you’ll be unsurprised to hear that this was a Republican initiative. It’s telling that the bill reinforces poverty in the same breath as criminalizing free gender expression. If you want an overview of why this law is not only bigoted but impracticable, I recommend Andi McClure’s tweets on the topics.

So how does transphobic legislation tie into cyberpunk? The genre is about straining against a technologically mediated dystopia. You can’t necessarily jam every type of oppression into that framework. But gender typifies how the analogue world has been bounded in a way that the digital world can’t be.

Our binary gender system is nominally based on reproductive phenotypes. It’s full of contradictions. If genitalia is what defines womanhood, then how does a clitoridectomy affect things? Or a hysterectomy? Is a post-op trans woman okay, even if her birth certificate lists her as male? What about intersex people, or those with three sex chromosomes? Why are we so beholden to this outdated set of assumptions? Why does it matter?

Mainstream opinion often conflates gender with reproductive capabilities, boiling identity down to our basic animal urges. I’m not anti-sex, but I do believe that we’re capable of acting on more than our primal mating impulse. The future is beyond bodies. A few decades from now — and during some parts of the present — we will not be confined to flesh, nor even to brains. It’s that old New Yorker joke: “On the Internet, nobody knows you’re a dog.” On the Internet, speech is an act, and you can create yourself anew with words and pixels.

I wish meatspace operated by the same principles. If you find the situation in North Carolina as appalling as I do, please join me in donating to Lambda Legal.

Cricket Compliance: Producing Food without the Humans Who Eat It

Photo by _paVan_.

Lacy was bored. She was proud to work in food production — Mama’s reaction made the drudgery feel worth it when Lacy got home — but the low buzz of the drone and the sameness of the landscape lulled her toward sleep. She was sure that some of her colleagues gave up and drowsed. Lacy wasn’t sure yet how she felt about the group. It was a mixed bag — of races, genders, and hygiene standards — but at least a couple of them seemed nice. Lacy didn’t mind the diversity, per se, but she was uncomfortable around strangers and their strange habits. On the first day another girl had said, “You’ll be broken in quick,” but the routine still felt unfamiliar.

Lacy glanced out the drone’s windshield at the cricket fields in front of her. The creatures teemed on the ground, bouncing and burrowing and fucking and killing each other and feeding voraciously on their synthetic pasture. She looked back over her shoulder to check that the pheromone broadcast was working. A swarm of late-stage adult crickets rolled forward in the wake of the drone.

Lacy gripped her knees and swallowed nausea. She hated the insects. The protein was vital, of course. Mama wouldn’t have brought them to the city otherwise. Accessing the resource density of the metropolis changed their survival baseline. Lacy had gained fifteen pounds in a couple of months. Her little sister’s teeth were sound in her gums, and she could run so far on the game tread. Sometimes when Lacy got home from work, she loaded up Cath’s saved worlds, wandering through fairylands that were like hyper-saturated versions of the home she remembered as a little kid.

They had lived by a river.

Crickets didn’t need rivers. They just needed space, sprinklers, and miscellaneous foodstuffs hauled in from other fields where other workers got bored in the drones. Or did anyone watch those farms? Lacy wasn’t stupid. She knew that this job was provisional — it would only last until the FDA regulation changed in a matter of months. Lacy was a Compliance Technician, according to her contract. When her supervisor interviewed Lacy for the position, he explained that a remote observer system was being put in place. He went over the automated footage analysis (assigned to a certified third party) that would ensure production was up to code. Then he sighed and admitted that he didn’t know where the company was going to move him after there weren’t any workers to interview, train, fire, interview, train, and fire again.

Lacy’s drone beeped softly and the computer’s androgynous voice intoned, “We are approaching the docking station. Initiate the checklist process.” Lacy leaned forward in her seat and started reviewing the figures on the dashboard screen. Number of crickets. Estimated protein values — both nutritional and market. Toxicity and contamination. The numbers always hit their targets.

Hacking as a Business: Interview with Sean Roesner

Sean Roesner describes himself on Twitter as a “web application penetration tester.” I asked him a bunch of questions about what that entails. Sean answered in great depth, so I redacted my boring questions, lightly edited Sean’s answers, and made it into an essay. Take a tour through the 2000s-era internet as well as a crash course in how an independent hacker makes money. Without any further ado, Sean Roesner…


Origin Story

I got into my line of work when I was thirteen, playing the game StarCraft. I saw people cheating to get to the top and I wanted to know how they did it. At first I wasn’t that interested in programming, purely because I didn’t understand it. I moved my gaming to Xbox (the original!) shortly thereafter and was a massive fan of Halo 2. Again, I saw people cheating (modding, standbying, level boosting) and instantly thought, “I want to do this!” I learned how people were making mods and took my Xbox apart to start mucking with things.

I moved away from Xbox and back to the computer (I can never multitask). Bebo was just popping up. With an intro to coding already, I saw that you could send people “luv”. Based on my mentality from the last two games I played… I wanted the most luv and to be rank #1. I joined a forum called “AciidForums” and went by the names “DCH SlayeR” and “SlayeR”. Suddenly I was surrounded by people who shared my interests. I started to code bots for Bebo to send myself luv. My coding got a lot better and so did my thinking path. I’d come home from school and instantly go on my computer — it was a whole new world to me. I still have old screenshots of myself with seventy-six million luv.

76,000,000 luv.

Bebo screenshot from back in the day — check out the luv stats.

As my coding came along I met a lot of different types of people. Some couldn’t code but had ideas for bots; some couldn’t code but knew how to break code. We all shared information and formed a team. Suddenly I became the main coder and my friends would tell me about exploits they found. We got noticed. I’m not sure how, or why, but I seem to always get in with the right people. Perhaps it’s the way I talk or act — who knows. I made friends with a couple of Bebo employees, “Andy Cutright” and “Brian” (never did know his last name). They were interested in how I was doing what I was doing.

This was my introduction to hacking and exploiting. I moved on from Bebo after coming to an agreement with the company that I’d leave them alone. Sadly my friends and I all lost contact, and it was time to move on.

Next came Facebook. At this point I already knew how to code and exploit. I instantly found exploits on Facebook and started again, getting up to mischief. Along the way I met James Jeffery and we became best friends because we share the same ideas and interests. Two years passed and again, my mischief went a bit far, so I got in trouble with Facebook. We resolved the issue and I vowed to never touch Facebook again.

I guess three times lucky, hey? I moved my exploiting to porn sites. After a year I was finally forced to make peace with the porn site I was targeting. I was getting fed up with always having to stop… but I was also getting annoyed at how easy it was to exploit. I needed a challenge.

I took a year off from exploiting to focus on improving my coding skills. I worked for a few people and also on some of my own personal projects, but it got repetitive and I needed a change. At this point, I was actually arrested by the eCrime Unit for apparently being “in^sane” from TeaMp0isoN. The charges were dropped since I was innocent. My former friend James Jeffery was in prison for hacking (a quick Google search will yield you results) so I was feeling quite lonely and not sure what to do. I’ll be honest, he had become like a brother to me.

I kept on coding for a bit, feeling too scared to even look for exploits after what happened to James Jeffery. (A few years have passed since then — James is out and he’s learned his lesson.) I knew that hacking was illegal and bad. I’d just like to note that I’ve never once maliciously hacked a site or stolen data, in case you think I was a super blackhat hacker, but the James incident also scared me. Especially since I got arrested too.

Because of this and through other life changes, I knew I wanted to help people. I took my exploiting skills and started looking. I found some exploits instantly and started reporting them to companies to let them know, and to also help fix them. 99% of the companies replied and were extremely thankful. Some even sent me T-shirts, etc.

I started targeting a few sites (I can’t name which because we have NDAs now; I’m still actively helping many). By using my words right, I managed to get in with a few people. I started reporting vulnerabilities and helping many companies. Months passed and one company showed a lot of interest in what I was doing. I got invited to fly over to meet them. I knew something was going right at this point, so I knuckled down and put all of my focus on finding vulnerabilities and reporting them to this company. Things were going great and I soon overloaded their team with more than they could handle. I started looking further afield at more sites, and suddenly I was introduced to HackerOne. I saw that LOADS of sites had bounties and paid for vulnerabilities. I instantly knew that this was where I wanted to stay. To this day I am still active on HackerOne, but normally I run in private programs now (better payouts).

Fast forward through a year of exploiting and helping companies and now we’re here. I’ve been a nerd for ten years. Eight years coding, and around seven years exploiting.

Business Practices

For companies that don’t have a bug bounty, I tend to spend thirty minutes to an hour finding simple bugs such as XSS (cross-site scripting) or CSRF (cross-site request forgery). I’ll try to find a contact email and send them a nice detailed email about what I’ve found and what the impact is. I also supply them with information about how they can fix it. I never ask for money or anything over the first few emails — I tend to get their attention first, get them to acknowledge what I’ve found, and get them to agree that I can look for more. At that point I’ll ask if they offer any type of reward for helping them. The majority reply that they are up for rewarding me, due to the amount of help I’ve given them.

After I’ve helped the company for a while and they’ve rewarded me, etc, I usually suggest that they join HackerOne for a much cleaner process of reporting bugs and rewarding me (it also helps my rep on HackerOne). So far two have joined and one started their own private bounty system.

To sum it up, I’ll start off with basic bugs to get their attention, then once I’ve gotten the green light to dig deeper, I’ll go and find the bigger bugs. This helps me not waste my time on companies who don’t care about security. (Trust me, I’ve reported bugs and gotten no reply, or a very rude response!) I like to build a good relationship with companies before putting a lot of hours into looking for bugs. A good relationship with companies is a win-win situation for everyone — they get told about vulnerabilities on their site, and I get rewarded. Perfect.

In case you wanted to know, I’ve helped around ten companies who didn’t have a bug bounty. Nine of them have rewarded me (with either money, swag, or recognition on their website). Only one has told me they don’t offer any type of reward, but welcomed me to look for bugs to help them (pfft, who works for free?). Out of the nine who rewarded me, I’ve built a VERY close relationship with three of them. (Met with one company in January, and meeting with another in June.)

There are two types of companies. Those who simply can’t afford to reward researchers and those who think, “Well, no one has hacked us yet, so why bother paying someone to find bugs?” AutoTrader is probably the worst company I’ve dealt with after reporting a few critical bugs. They rarely reply to bugs, let alone fix them. It took an email letting them know that I was disclosing one bug to the public, to warn users that their information on AutoTrader was at risk. After that they finally replied and fixed it.

100% of companies should change their perspectives. Again I’ll use AutoTrader as an example. I only really look at their site when I’m bored (which is rarely) and I’ve uncovered a ton of vulns. I wonder what I could find if I spent a week looking for bugs (and if they rewarded me). Companies need to stop thinking, “No one has hacked us yet, so we’re good.”

If a company can’t afford to pay researchers to find bugs, then they should reconsider their business. Hacking is on the rise and it’s not going anywhere anytime soon (if ever). If you honestly can’t afford it, though, then my suggestion (if I was the CEO of a company that couldn’t afford security) would be to run a hackathon within the company. Let the devs go look for bugs and run a competition in-house. Your devs not only learn about writing secure code, but it’s fun too!


Many thanks to Sean Roesner for writing great answers to my questions. Follow him on Twitter and hire him to hack your website 🙂

This post has been edited on 11/17/2016 to reflect that Roesner and James Jeffery are no longer friends.

© 2017 Exolymph. All rights reserved.