Hatforce: your friendly crowd of hackers
November 17th, 2011 by Tommaso De Benetti
Hackers: ruthless cyber-villains out to steal and defraud, or virtual heroes fearlessly battling the security systems of evil corporations? Love them or hate them, hackers have always been around. They’re an inevitable online hazard – like trolls, 404 pages and inappropriate Nazi analogies.
Take the international “hacktivism” group Anonymous (these guys are like WikiLeaks’ crazy kid brother). Back in April, Anonymous successfully obtained the credit card numbers of over 70 million PlayStation users, exposing major security flaws at Sony. Just a few days ago, the same thing happened to gaming distribution platform Steam. Details are still emerging but Gabe Newell, Steam co-founder and beloved guru of the gaming industry, gave this not-very-reassuring advice: “watch your credit card.”
Clearly, the gaming industry has serious security issues. So, will we gamers soon be forced to abandon our consoles and (shock horror) face reality? Luckily, there may be a less drastic solution. Question: what’s the best way to make your system hack-proof? Answer: get a crowd of hackers to test it out, of course.
Welcome to Hatforce, a “crowdsourcing security testing service” complete with its own crowd of expert hackers. Just to be clear, these guys are white hats – good hackers (as opposed to the “bad” black hats like Anonymous).
As Hatforce CEO Arthur Gervais (who is still just 24 years old) explained to me: “We want to answer the question: how’s your security?” The idea is simple. Clients set the Hatforce testers challenges and rewards – say €80 for every security vulnerability found in a system. To take part, wannabe testers have to register and sign an NDA. Legal stuff completed, the official hacking begins. All testing is done on a “no bugs no fee” basis (so if your system is secure, you get to save money and be smug).
A black and white issue?
So, I asked, surely the big question for Hatforce is: how do you make sure that the (1000s of) testers have good intentions? “There’s no guarantee,” Arthur says, “but we are running black box tests, which means no tester has the source code of the website at his or her disposal. Effectively, we don’t need to trust the hackers. Why would malicious hackers bother to sign a contract and NDA if they could attack you right away?”
According to Arthur, the real issue is people’s perception (let’s face it, hackers do have a bit of an image problem). To reassure clients, Hatforce is now offering a “Trusted Tester” service, where smaller groups of Hatforce testers are handpicked and have their identities verified. But, Arthur insists, while this might feel more secure, it’s actually “illogical to let fewer testers test your product, because the probability of finding flaws is smaller. So we want to keep the main idea: the crowd is the best tester for finding flaws in your application.”
Hatforce is a smart crowdsourced re-imagining of online security testing. Can the rest of the world be persuaded that the hacking crowd is actually a force for good? For the sake of Sony, Steam and gamers everywhere, I very much hope so.