Mårten Gustaf Mickos is among one of the most respected luminaries of the Open Source world. He served as the CEO of MySQL AB at its prime time, and today he serves as the CEO of HackerOne. I sat down with Mikos to understand the purpose of HackerOn and his perspective on the security of open source software.
“Sometimes we joke that if you are going to be hacked anyway, it’s better to get hacked by someone you can trust,” said Mikos.
HackerOne has built a community of white hat hackers who are incentivized by the bug bounty program. HackerOne connects organizations with cybersecurity researchers. They have brought the crowd-sourcing model to the security community, emerging as one of the biggest such firms of its kind.
HackerOne helps tech companies, the financial sector, government agencies like the Department of Defense, and more. “We work with them to find vulnerabilities in their systems. Every vulnerability we find and fix leaves fewer possibilities for criminals to break in. We are reducing the cyber risk with every step we take,” he said.
Today HackerOne has over 200,000 white hat hackers in its network. They have paid more than $31 million in bounties.
HackerOne is more critical today than ever. Security is becoming a serious concern within the open source world because it has become the de facto software development model.
People often say that Open Source is secure by design. But the fact is that no software, irrespective of whether it’s open or closed source is secure. In the past few years, we have seen a spike in vulnerabilities in Open Source software.
This is not because open source is becoming vulnerable, it’s because open source is becoming mainstream. There seem to be two factors that contribute to the surge in vulnerabilities: One is that open source technologies like Linux have grown beyond their niche and are being used in new markets; the second is that it has created a substantial user-base that creates a tempting target.
“The number of connected devices and servers has grown enormously in the past years,” said Mikos, “Criminals go where the attractive targets are. There is this old joke, ‘why do you rob banks?’ Well, that’s where the money is.”
Make no mistake, just because a product is based on open source technology doesn’t mean it is secure. In 2016 Mirai botnet took down a huge chunk of the internet in the US by using a Linux powered IoT device to launch DDoS attacks.
The open source community has started to feel the heat. At the previous LinuxCon, Linus Torvalds made a call to hackers to join the kernel community. “There are smart people doing bad things. I wish they were on our side, and they could help us,” he said, “I want us to get as many smart people as we can before they turn to the dark side.”
HackerOne is doing that job. It’s bringing those hackers to the good side. “HackerOne has built a community of white hat hackers who will come and hack your systems to find vulnerabilities and report them to so you can fix them before criminals could use them,” said Mikos.
There are people out there, some driven by their own motives, some state-sponsored, looking for security holes to exploit. HackerOne is trying to tip the balance in favor of good guys.
“There are many more good guys than bad guys. We are getting all the good guys to work together on defense, which leaves bad guys with no chance. The reason bad guys succeed is because good guys do nothing; we are often unprepared and they attack us where we are defenseless. If we would defend ourselves properly with all the resources we have, we can easily outpower them,” he said.
Nipping it in bud
As Torvalds once said, bugs are part of the software development process, and some bugs can become security issues. You just can’t get rid of bugs; they are part of the software development process.
“Mankind would love to find a way to eradicate software bugs, but it’s not possible. There will never be any code that’s completely bug-free,” said Mikos. “You should take all those precautions. You should try to reduce the number of bugs, but you can never get to zero.”
But focusing solely on bugs is detrimental. Not all security vulnerabilities are bugs. “The problem is not that the software has a bug, the problem is that the software does more than it was intended to do and that additional functionality gives rise to a security vulnerability,” explained Mikos.
People say security is not a one-time thing, it’s a process. It’s cat and mouse game where bad guys keep looking for holes and good guys keep trying to fix them. Can we ever reach an equilibrium where software becomes as secure as airlines, cars, and appliances?
Mikos is pragmatic. Security will never be perfect, it will never go down to zero, “but we can get it so close to zero that it becomes bearable,” he said. “It’s a matter of time, and software security will be in as good shape as airline safety is today. It may take 10, 20 or 30 years, but we will get there.”
All of these initiatives to find and patch vulnerabilities are useless if companies don’t patch their devices. HackerOne helps organizations who want to secure their systems, What about those who treat security as an afterthought? No amount of technology can secure their systems and their devices. There are so many examples of companies running unpatched software. That’s when security stops being a technology problem and becomes a people problem.
“My view is that there are no technology problems in the world. Every problem in the world is a human product,” he said.
People design systems with no means of automated updates. Many people frown at the idea of automatic updates and want to be able to run updates themselves, which they never do. There is this mentality of don’t fix it if it’s not broken. Once something is set-up and working, they don’t want to touch it fearing it may break something. All of this can be easily fixed by technology. There are automated updates with rollback features so you can go back to the previous working state if something breaks.
“We must make sure that every piece of code is in good shape and gets updated. But the way to handle it is not by freezing the code. It is by keeping track of the provenance of code. Where did it come from, who updated it, and when and which components are yet to be updated,” Mikos said.
New systems like Red Hat CoreOS, Ubuntu Core and Kubic are being created with the atomic or transactional update as the core. But none of this will work if you don’t want to implement it.
Mikos envisions a system where modules will get automatic security updates and we’ll make sure that the whole front is updated, eliminating instances like Equifax where they ran unpatched systems.
“I have no idea how long it will take but it’s so important that it doesn’t really matter how long it takes. What matters is that we have to do it if we want to operate this planet with computers connected to each other. We better figure out this problem,” he said.
Dealing with newer challenges
Security is going to be a much bigger challenge as we are surrounding ourselves with IoT devices; it’s going beyond thermostats. Soon we will be commuting in driverless cars, which is more or less IoT on wheels.
It’s new territory. While Tesla might be proactive about its cars, not every smart device maker out there cares about updates. Do you know for how long your smart fridge or smart TV will get software updates?
Last year when my family was planning to buy a new fridge, none of the smart refrigerators had any mention or clear-cut policies around software updates. An unpatched refrigerator, connected to my local network, makes every device on that network vulnerable to an attack.
Most vendors in the IoT space survive on thin margins, their business model is around selling more devices than supporting them. Most Chinese vendors sell one version of the device and move to the next version, without any mechanism for the previous devices to be updated. Lack of any business incentive leaves these companies with no reason to support or update these devices. No matter how many technologies solutions are available to these companies they won’t use them, leaving us all vulnerable.
“This is where we need government intervention. We need legislators to stipulate laws that put requirements on consumer products. If you are shipping a consumer product, you must have a way of patching of software, of receiving vulnerabilities and you must give firm guarantees on the lifespan of support,” he said.
Public awareness can also play a role, where well-informed consumers will refrain from buying the cheapest wifi camera on Amazon.com.
“I think the problem is so central and so important that we must try every possible avenue we have. We must ask Congress to legislate this. We must ask standards bodies to standardize. We must ask companies to do the right thing. We, as consumers, must demand it and we must march in the streets and do whatever we need to do. It doesn’t matter whether we’d have to do 12 different things because it is so important for the survival of mankind,” said Mikos, “We will do everything we need to do to bring ourselves to a level where we can produce secure software that doesn’t immediately break when somebody is poking at it.”