Doesn't anyone hack things just for the love of it?

I am not going to lie, I like getting paid for my work, but that doesn’t mean I don’t hack things just because I love it and know there isn’t any money being paid by the company. I heard about a product for kids that sounded extremely insecure, so I bought it to explore on the side for fun. If I own something, I test it to see how secure it is. If I visit a site, I quickly test it to see how secure it is to use. If I use the site often, then I test it often. Am I the only one left with the passion to explore things just for fun? I was inspired to write this off of the "payouts: what’s a bug actually worth these days" thread and some of the responses.

You can explore a product just for fun and make money on other things… I know I’ve spent years on one pet project that I work on now and then that hasn’t reaped a dime. I am planning to show off another side project in Vegas during DEF CON. I’d love to hear from others to see if anyone else still just tests things for the fun of it…

2 Likes

I definitely do. I love web and mobile hacking. In fact when I was at HP I tried to get to number #1 on the leaderboard just to see if I could do it, it was never about the money. I love the charity bounties and also submit bugs to many indie game devs for free. If I was stuck in some other career I’d still do this for fun. You can ask my wife, I try to break everything electronic in our house just for the fun of it =P

Luckily I don’t have to split time between my passion and job, they dovetail nicely.

3 Likes

Also, a reason I came to Bugcrowd was that @caseyjohnellis is a hacker at heart. He’s cut his teeth doing the same things and dealing with the same problems I have. I want someone like that steering the ship I’m on.

4 Likes

Count me in.

I consider hacking a bit more than just about finding security flaws, and hence yes, I do keep fiddling around with as many systems as I can. However, when I started in the security space the whole online world was filled with horror stories of people getting police cases and similar stuff coz of hacking in the systems. So I started following an ethical approach when it came to online sites.

However, devices and stuff on my system are still a go for me. Although I can never say that I have read all the code that runs on my system, fiddling around is something I have done so many times. Starting with compiling my own OS to understand how an OS works (read: following the LFS guide) to compiling my own kernel, creating my own live Linux distribution (androidtamer.com), to trying to understand how automated code review tools work by reinventing the wheel in order to learn about it (read: codevigilant.com).

RANTMODE ON
Personally I still feel asking money for just about every bug that you found and comparing payouts, crying over less payout, is something which is just killing the spirit of research and fiddling around. People are so concerned about finding bugs and reporting them that a lot of them sometimes fail to remember the actual motive of the exercise, i.e. to patch the flaws. I have read a large number of bounty disclosures; either they don’t talk about solutions, or they talk about solutions that are so weak it will not take much time to break them, or they are not at all feasible from a usability and implementation standpoint.

I personally suggest the bug bounty hunters walk in the shoes of a developer or a site administrator. Just have your own VPS box and set up your own blog or website and ensure that it's not hacked. The moment they start doing that is the moment they start realizing how it is to be on the other side of the spectrum.

RANTMODE OFF

The only time they don’t dovetail nicely is when you have a toddler around a lot and you decided to buy a toy meant for kids to test it. The toddler will dominate the toy when they are there, thus making it near impossible to test it. I have found plenty of glitches in it though. It’s like they’re doing their alpha testing on the world.

1 Like

@zombiehacker Toddlers tend to have a lot of bugs :wink:

1 Like

omg… yes… I felt like I was sick for the whole year when my kids 1st went to school lol

haha yes, a few iPhone lock screen bypasses have been done by youngins messing around with buttons.

Yeah, toddlers can be one of the biggest insider threats a company could face. Employees at every company should be trained about the Annoying Persistent Toddler also known as an APT and ways to mitigate the insider threat. If you aren’t careful they’ll delete all your work, email people nonsense, etc.

Totally agree. I think most people are here for the love of it. Most of the products I end up testing I don’t pick because of the particular bounty program a company has. Most of the CVEs I’ve declared were either because I happened to be using that particular app/software/thing or I just decided “Hey, I haven’t really ever messed around with X”… In the end, if a reward exists it’s just a plus.