
bookshelf11 | 5 years ago

The pricing on these bug bounties always blows my mind.

If this hack had been exploited Tesla market capitalization would've taken a multi-million if not billion dollar hit. And here they are, paying out relative chump change to a guy that alerted them to it.


sellyme|5 years ago

> If this hack had been exploited

But that's the point. Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000?

Realistically there are only two types of people who would maliciously exploit something of this magnitude: the mentally unstable (people who just like to cause chaos), and state-sponsored actors attempting to disrupt other nations. Neither of those groups seems particularly likely to change their mind for an extra zero or two.

The "pay more than the black market will" model works for smaller bugs, but for ones like this that would immediately get every three letter agency on the planet trying to find you, the $50,000 isn't a valuation of the worth of that bug report, it's a gratuity. And for the average bug reporter, that's an extremely nice one.

Can they pay more? Yes, absolutely. Should they? Probably, yeah. Do they have any reason to? No.

The solution to this is to have legal requirements for security, and extremely heavy fines for having released dangerous software (some portion of this fine financing a similar bug bounty program). Take the option of how much money to hand out away from the companies, and they'll be incentivised to take security much more seriously in the first place.

Of course, this requires lawmakers to have a basic understanding of technology, so we're at least 20 years and 3 major catastrophes away from getting anywhere near that actually occurring.

pydry|5 years ago

>Can they pay more? Yes, absolutely. Should they? Probably, yeah. Do they have any reason to? No.

Yeah, they do. It's a self-declared measure of how seriously they take their security. They valued avoiding the takeover of their fleet at 0.0000125% of their market cap.

The reason I left LastPass was because the bug bounty for a bug that could expose all of everybody's passwords just by visiting a website was, like, about $1k. The company became dead to me in a split second and I wanted out immediately.

...and it's not doing too well these days, from what I can tell.

donmcronald|5 years ago

> Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000?

The article says the max bug bounty was increased to $15k eventually, so it was even less than that at the time even though they gave him $50k. Kudos to whoever at Tesla stepped up and gave him extra.

I'd seriously consider not reporting something like that for $15k unless I was worried about someone else exploiting it and having a trail of access logs lead back to me. People that discover bugs like that with massive destructive potential must be on every TLA list on the planet afterwards and I don't think that's worth $15k.

$1 million is life changing and puts you into a higher social class. I.e.: Poor == probably a criminal. Rich == probably not a criminal. It's sad, but that's the way it works and I'd rather be rich if I were on a short list of "dangerous" hackers.

ssss11|5 years ago

Surely there’s more than 2 types. Another off the top of my head - competitors.

paulannesley|5 years ago

> Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000? […] people who just like to cause chaos, and state-sponsored actors […].

Makes me think of the recent Twitter account take-overs. The amateur attackers acquired access which could have caused enormous damage, and used it to scam ~$100,000. The difference between $50k and $1m in bounty could have turned them towards responsible disclosure.

(That said: they probably hoped to scam much more. And they got caught. And the way they obtained access was probably way out of the scope of a bug bounty program / the law.)

justinclift|5 years ago

Aren't there a lot of people shorting Tesla stock? Some of those would probably stand to receive a significant amount of $$$ if this were to happen.

That kind of incentive has led to underhanded behaviour in the past, so it wouldn't be surprising to see it happen again.

aristophenes|5 years ago

You don’t need to pay more than the black market would, but the more you pay the more time people can spend on it. If the bounties are high enough, you can attract more, and better, white hats to test your system for you. The black hats are out there anyway doing what they will do.

r77ruuddj|5 years ago

I agree to an extent. I think security obligations are good but they should be practical. I know the privacy activists will hate this, because it's something that works, but if we tracked users irl and if banks already have the ability to reverse transactions then the stakes are much lower (because they would be able to identify theft) than something like remotely updated cars or medical devices which can be patched but not before a lot of people have died. Software is advancing rapidly in a way that's valuable, the goal should be to preserve that except when it kills people in the real way.

mNovak|5 years ago

For a vulnerability of that scope, I assume selling it to a short-seller to publish in bad faith would be more valuable than selling on the actual black market anyway. Hell, the impression I get is that unless you're fairly well connected already, selling large $ value hacks on the black market isn't exactly easy (see Twitter hack).

I don't know if this is strictly legal either, but definitely more plausible deniability.

badrabbit|5 years ago

Are you kidding me? If money was my goal, 50k would be so insulting! A slightly more malicious person would brick the whole fleet as retribution.

oconnor663|5 years ago

I wonder if at some level of bounty payment, you run into the problem of encouraging people to introduce bugs to get a bounty. Probably no one with commit access in a major tech company would risk their career for a few months salary. But for ten years' salary...

brippalcharrid|5 years ago

It just needs to be a subtle bug designed by someone much smarter than the committer, that's plausibly deniable. They certainly don't need to understand how it works, or how it's going to be used months or years later. And I understand that this sort of thing happens with governments, and TLAs, and the people leave after a few years to start their own gig with VC funding and subsequent acquisitions and no-one's the wiser.

tptacek|5 years ago

We probably need to stop having these threads, because they're repetitive, usually pretty ill-informed, and prevent us from having discussions about the vulnerabilities themselves. All we do is recapitulate the same tedious discussion about how bounty prices work. That's fine, but maybe we should only have those discussions on stories about bug bounties, not any story where a bounty makes an appearance.

For the moment, rather than re-having this discussion, we can just note that bounty prices are what they are, and that no tech firm pays "existential" rates for new vulnerabilities (except, perhaps, Uber, where literally everyone involved in that story is now in the federal criminal court system).

oska|5 years ago

Or you could just minimise this part of the discussion, which HN makes trivially easy to do.

dheera|5 years ago

They only need to pay out as much as is necessary to incentivize you to be upfront and report it in private rather than starting a media fuss around it (you get fame and $0) or exploiting the bug yourself (you might get a jail term). Compared to these alternatives, $50K and a clean record isn't a bad deal.

Aeolun|5 years ago

I think, if this had been abused, Tesla would be out of business.

But the fact that $50000 is chump change for Tesla does not mean it's chump change to the recipient.

falcolas|5 years ago

It's funny, we always talk about compensating leaders for the value they provide to the company. Yet when it comes to non-leaders, it transforms into a question of "value relative to their current/recent income".

StillBored|5 years ago

How long do you think it takes for someone to find an exploit? Sure, a long time ago I found problems in web pages by clicking "view source" and going "I wonder what happens if.." and doing POST/GET with a huge buffer, or with "\");...." embedded in it.

These days companies that take their security seriously are hopefully harder to exploit. If it takes someone a couple of months of slow fuzzing/etc. to find an exploit, that is probably below market for the person's skills here in the US.

Maybe a part of these bug bounties should be not only how critical the bug is, but some metric of how much work the individual put in before finding the problem.

filleduchaos|5 years ago

The bounty was $5,000 not fifty thousand. And frankly that would be chump change anywhere for the opportunity cost.

bookmarkable|5 years ago

I wonder why they aren’t paid in vesting stock. $50k in Tesla stock in 2017 would be a nice pay day.

It would also align hackers interest with the businesses they are helping secure.

everfree|5 years ago

I wouldn't necessarily want the stock of a company that I just found a critical vulnerability with.

dheera|5 years ago

You can always take the $50K and buy Tesla stock with it. How is it any different?

rtlfe|5 years ago

> I wonder why they aren’t paid in vesting stock.

Most people would far prefer cash

mmaunder|5 years ago

I’ll bet a few QA engineers would like to be paid based on how much a bug they reported would have cost the company if released into production.

simple_bot|5 years ago

"would have" is pretty hard to measure. I do admire the idea to incentivize QA engineers on discovery of niche bugs.

abnry|5 years ago

I get that it doesn't seem to make a lot of sense, but is there some market principle that can be used to explain why so many companies act as they do, and that it is in fact rational? Must it be a black swan fallacy?

perl4ever|5 years ago

I don't know, but it makes me think of how armored truck drivers aren't (as far as I know) paid in proportion to the money they're responsible for.

gorgoiler|5 years ago

When you sell to the bad guys you have to factor in the risk-price of 20 years in the US prison system.

Bounty payers enjoy a hefty discount when they waive their right to prosecute.

salty_biscuits|5 years ago

Maybe, maybe not. What happened to Garmin's share price?

bookshelf11|5 years ago

Great question. I think I'd say the big difference is that people, for the most part, aren't putting their/others lives in Garmin's hands when they use their devices.

That said, I think they have some hiking/trekking oriented products which could cause problems if you were relying on them.

The headline "electric car fleet hacked" is a lot scarier than "smart watches hacked".

Then again, maybe people really don't give a shit about this stuff, and these bounties are priced correctly.

amanzi|5 years ago

How is that even remotely similar?

cactus2093|5 years ago

Yet this person did the right thing anyway and reported the vulnerability responsibly. So seemingly the level of the bounty was reasonable enough that it worked as intended, and a much higher bounty would have been a waste of money for Tesla.

I think the high likelihood of being caught and going to prison is also already a pretty big deterrent for people. Just think of all the challenges of actually pulling a hack like this off without being caught. For one thing, just the poking around that led to the discovery of the vulnerability has probably already logged a bunch of potentially suspicious activity linked to this guy's VIN number. So even if he sold it to someone else who did the hack he could probably be caught already. If he tried to orchestrate the hack himself, not only does he need to not be caught directly, but he'd also have to make a very large, very suspicious short trade right before the hack without it being traced back to him. Plus there's always a possibility that Tesla would have been able to lock him out quickly anyway or had some other kind of rate-limiting or other measures in place to prevent significant damage, or that even if he pulled off the hack perfectly the stock price wouldn't drop as much as expected.

taneq|5 years ago

> So seemingly the level of the bounty was reasonable enough that it worked as intended, and a much higher bounty would have been a waste of money for Tesla.

I think it's more likely that the person who reported the vulnerability would have done the right thing regardless of any bounty.

kypro|5 years ago

What would be the legality of sharing the hack publicly and allowing someone else to exploit it while shorting the stock?

I also wonder when something becomes a "hack". Some systems are so insecure you can almost accidentally exploit them. In this case the API just required an ID for access. How would someone know if that was by design, or a mistake?