Netizens Think MINDEF’s Hacker Bounty Of S$19,480 Was Insufficient And “Cheap”
In 2017, MINDEF unfortunately became the victim of a hacking attack which made away with the private details of 850 personnel.
In December, they became the first Singapore Government agency to engage white hat hackers to test their systems’ defences.
The 3 types of hackers: white hat, black hat & dope grey hoodie.
White hat hackers are computer security specialists who try to break into protected networks.
They conduct penetration tests to find vulnerabilities in systems before they can be exploited by malicious, or black hat, hackers.
Around 60% of the 264 hackers who were involved in the 3-week-long programme were international participants.
They hailed from a diverse host of countries, including the United States, India, Canada, Russia and Egypt.
A total payout of US$14,750 (S$19,465) was given to 17 hackers. Their rewards ranged from US$250 to US$2,000.
By far the biggest winner of the programme was one Darrel. Darrel Shivadagger.
Not quite as snappy as James Bond, but a pretty cool name nonetheless.
He was able to unearth as many as 9 unique vulnerabilities in MINDEF’s systems, netting himself a loot box containing a cool US$5,000 (S$6,606) cash prize.
No disappointment in this box.
The size of MINDEF’s bounty has become a point of contention for netizens, who have labelled the Ministry’s efforts as “cheap”.
The online furore
A constant bugbear among online responses has been the sum of money awarded to the top hacker.
Netizens fearlessly stood up for Darrel’s pockets by reacting with indignation.
Take this guy, who pointed out that Darrel could have turned black hat for the sake of cash.
A Redditor alleged that MINDEF was paying below the market rate for penetration testing services.
This guy landed a particularly painful blow, referencing the $880,000 bin centre built by the National Arts Council. Ouch.
A slightly more rational explanation was made by a Redditor, highlighting the importance of providing attractive rates for systems testing.
One Facebook user appeared to see the big picture, as he outlined the perks that come with being first, and what they could entail for Darrel.
So the common consensus seems to be that MINDEF is paying too little.
Apparently, as much as S$100,000 was set aside for the initiative, as they were going by previous payments made by companies.
Let’s take a look at a similar initiative taken by MINDEF’s American counterpart, the Pentagon.
The grass on the other side
One could argue that the Pentagon is a much more juicy target for hackers compared to MINDEF.
Let’s take a look at a similar programme undertaken by the Americans.
In 2016, the United States Department of Defense (DoD) ran a pilot programme that was given the moniker “Hack The Pentagon.”
The payouts for the American programme ranged from US$100 to US$15,000, and the programme was said to cost the DoD US$150,000.
Over the course of about three weeks, 1,400 invitees discovered 138 “bounty-eligible” bugs.
MINDEF is far from vulnerable
Although Darrel found about a quarter of all the bugs discovered by the hacker collective, it should not be taken as a sign that MINDEF’s cybersecurity systems are vulnerable.
Speaking to Channel NewsAsia, he said that MINDEF had systems that were “actually quite sensitive”, adding that those systems “warded off very intrusive attempts from me”.
Darrel also stated that he was not able to find anything major or server-side related.
In other words, MINDEF’s defences are working well.
Should the Ministry start dishing out more in terms of monetary rewards in order to maintain loyalty, or should they continue with their current payment scheme, which has shown results thus far?
Certainly food for thought.
Featured image from Facebook.