What's the best way to avoid getting hacked? Find the best hackers and get them on your payroll.
This would seem to be the credo of ridesharing company Uber, which is now onboarding the pair of automotive security researchers responsible for hacking a Jeep Cherokee this summer while a writer for Wired was at the car’s helm.
Winning a gig by exploiting holes in a company’s security system is surprisingly common. Who better to spot your next vulnerability than the person who located the last one? But not all companies jump at such an opportunity.
So, is hacking a good way to get hired? The answer depends on the context.
Hacking can launch a career...
Hacker hires can be roughly broken into two categories: hiring the person who hacked your system, and hiring the person who hacked some other company’s system. Either way, there are plenty of examples of hackers who built careers on cyber mischief.
Apple hired Peter Hajas, the creator of a notification system for jailbroken iOS devices. Messaging platform Yo hired a group of Georgia Tech students who gained unauthorized access to the application. The developer of Facebook's video application first connected with the company when he created a worm that made Facebook profiles look like MySpace profiles.
As for companies that poached the exploiters of other companies’ products, there’s Microsoft, which hired Nintendo Wiimote hacker Johnny Chung Lee. Lee later went on to work at Google. Facebook and Twitter have also both hired hackers known for their finesse with Apple products.
Hiring someone who hacked another company might seem like a safe move – the company can benefit from the hacker’s skills without appearing to have been duped.
...but it can also derail one.
Shockingly, however, making a company look stupid doesn't always elicit a welcoming response. Twitter and Facebook have both occasionally made points of not condoning hacks of their products. Most recently, a Harvard student lost his Facebook internship over an application he developed that highlighted the incidence of location sharing through Facebook Messenger. Whether Aran Khanna’s application qualifies as a hack is up for debate – some assert that Facebook was well aware of location sharing and that the company was upset mostly by the press hype Khanna’s app created.
Before Facebook punished Khanna, the company refused to reward a hacker who had managed to hack Mark Zuckerberg’s private Facebook account and post a message on the CEO’s wall. Facebook’s Bug Bounty program pays hackers who bring software bugs to the company’s attention, but in this case the social network asserted it would not reward anyone who tested a vulnerability on users’ actual accounts.
Twitter co-founder Biz Stone went even further once when he hinted at possible legal action against a 17-year-old who admitted he had hoped he might score some job offers after he created a worm that posted messages from users’ accounts without their permission.
In these cases, a few factors worked against the hackers: creating negative press around the targeted company, violating bounty payment rules and appearing immature. Conclusion: Hacking can lead to a job if the coder aims an attack somewhere in the fickle space of showing the company up without making it look bad.
So don't expect Ashley Madison to end up hiring the engineers of the adultery dating site's recent privacy meltdown.