"Hey I hacked you, want me to fix it?"

20 replies
Ok, the title is on the blunt side. But if you soften it up a bit, is this a viable way to get clients for IT/web security work? This is a field I'm quite interested in, only thing is all work I do must be remote/off-premise.

It seems like quite a severe pain point for firms, but on the other side the reply may come from the person's lawyer and not be a warning but a demand for compensation or jail. Curious if anyone into IT/web security has done anything like this and what you would recommend.
Avatar of Unregistered
  • Profile picture of the author dilipcybex
    Bad idea, don't try.

    With Ransomware already going rounds, they will see you no different.
    {{ DiscussionBoard.errors[11365716].message }}
  • Profile picture of the author seomike
    The most stupid clickbait ever...

    Do it and you end in jail.
    Signature
    {{ DiscussionBoard.errors[11365812].message }}
  • Profile picture of the author laurencewins
    Honestly, if I read this anywhere and there was an easy way to file a complaint, I would! As has been said, it sounds like ransomware, spammers, scammers or real hacking. If you offer a genuine service, there are much better ways to market your business than skating on thin ice while holding a blow torch.
    Signature

    Cheers, Laurence. Writer/Editor/Proofreader.
    Website / Blog for more info.

    {{ DiscussionBoard.errors[11366108].message }}
  • Profile picture of the author yukon
    Originally Posted by Delta223 View Post

    Ok, the title is on the blunt side. But if you soften it up a bit, is this a viable way to get clients for IT/web security work? This is a field I'm quite interested in, only thing is all work I do must be remote/off-premise.

    It seems like quite a severe pain point for firms, but on the other side the reply may come from the person's lawyer and not be a warning but a demand for compensation or jail. Curious if anyone into IT/web security has done anything like this and what you would recommend.

    Lol, don't do that.

    Search Google for bug bounties, solving those white hat problems will put you in front of businesses (publicity & $$) that want security help.

    https://hackerone.com/bug-bounty-programs
    Signature
    Hi
    {{ DiscussionBoard.errors[11366119].message }}
  • Profile picture of the author dilipcybex
    Agree with the above. Bounties are good way to earn money and fame if you are skilled enough to break things. You get a decent background, you will receive calls from people who afraid of hackers as well.
    {{ DiscussionBoard.errors[11366297].message }}
  • The people who posted here are dumb, honestly. I've got a pretty big background in cybersec/infosec and the likes, have done some wargames, CTFs, and bug bounties (small ones, but bounties nonetheless.) You can very well do this, but there is a process to doing it.

    You can do this. It's a field of grey-hat hacking, basically doing stuff that's technically illegal while maintaining good intentions. The trick is you need to know how to actually go about doing it.

    First of all, if you're going to attempt anything remotely like this, check to see if the site has a bug bounty open. Use that to your advantage. Read their terms carefully, make sure you know what you're getting into. If there isn't anything you do, make sure you have two skillsets down: OPSEC/Anonymity, and your actual technical fundamental know-how when actually attempting the hack. These are for your own security, as well as the company.

    The next part is to watch your limits. Find a vulnerability, try to leverage it if you really want (remember your OPSEC) but above all, report to the website owner that you found a vulnerability, no matter how small. Add some details on what the vulnerability is, how ti can be leveraged, this is where your marketing and communication skills are going to shine. Maybe make the vulnerability appear worse by giving the absolute worst-case scenario. Do whatever.

    For legality, as long as you don't actually exploit the vulnerability, you're fine. But if you do, first notify the site owner, give them a response period of a few days to get back to you before you leverage the attack. 48-72hrs is usually pretty standard, but wait up to a week for the maximum security. If they respond, they might tell you to try and leverage the attack (with specific terms/conditions) as well as make you sign an NDA. If they don't, have a legal friend or come up with your own contract that will protect you in any case that you do try to leverage the attack, or that you won't disclose anything unless you can't leverage the vuln, etc. Protect yourself before screwing with someone's site.

    If the site owner deems it's not serious enough to fix (say, a simple reflected XSS vuln on a site that doesn't even have a login, so no cookies to steal,) then don't touch it, respect their wishes, and move on.
    {{ DiscussionBoard.errors[11367636].message }}
  • I say definitely a bad idea. Business owners react adversely to internet hacking treats and you are likely to be spammed!
    {{ DiscussionBoard.errors[11367964].message }}
  • Profile picture of the author JohnVianny
    Of course it's a bad idea: will you let everyone who could force your door and come in your house to do it in exchange of a new door and also pay it?

    You better go to upwork and post your expertise there, providing IT security services.
    {{ DiscussionBoard.errors[11368073].message }}
    • False equivalency. Finding a vulnerability is not the same as breaking down a door. Your analogy is garbage.

      The house in this analogy is the website, the valuables in the house can be databases or other information, the backend, etc. The family living in the house are the owners. So far so good, right? The door is the frontend of the website, ie. the parts that people see when they look at the site, and that's the same with the exterior walls. The first room in the house when you open the door is what the people see as a regular registered user logging into the site (if the site allows that.)

      You're getting breaking mixed up with noticing. No one breaks a door, that's bad practice. It's also illegal. But let's say, someone goes up to the door of the house, knocks on the door a few times and notices a hinge is a bit loose. They might strike it as odd, and after more analysis, find out the lock is also broken. They don't break anything, just examine things. When the owner finally comes out, opens the door to talk to them, the person might mention ('hey, I noticed your door is broken in these places, and I've got a two-year degree in carpentry, so maybe I can help you fix it?"

      The owner can either say "Well, how bad is it, really? Try to see what you can do that will completely mess up the site." Or, they might say "Oh sure, how much?" Or maybe they'll say "Yeah, we know, but we've already asserted it's not a big deal." Or, they might even tell you to go away for a day, think it over, then tell you to come over one more time and then tell you that they've talked to other experts who claim it's not a huge issue with security.

      The important part is maintaining the ethics when doing something. Finding a vulnerability, or noticing it passively isn't a crime in and of itself. Actively trying to find something that's even minutely broken is (unless there's a bug bounty open, in which case you need to read the terms and conditions of the bounty, and with a few other exceptions. Fuzzing is a no-no, but maybe trying to input lt/gt/quote characters into a GET parameter is fine.)

      Something's telling me that you're not actually knowledgeable in this field if you think that noticing something wrong is a crime.
      {{ DiscussionBoard.errors[11368116].message }}
      • Profile picture of the author Michael D Price
        Originally Posted by conradfitzgerald View Post

        False equivalency. Finding a vulnerability is not the same as breaking down a door. Your analogy is garbage.

        The house in this analogy is the website, the valuables in the house can be databases or other information, the backend, etc. The family living in the house are the owners. So far so good, right? The door is the frontend of the website, ie. the parts that people see when they look at the site, and that's the same with the exterior walls. The first room in the house when you open the door is what the people see as a regular registered user logging into the site (if the site allows that.)

        You're getting breaking mixed up with noticing. No one breaks a door, that's bad practice. It's also illegal. But let's say, someone goes up to the door of the house, knocks on the door a few times and notices a hinge is a bit loose. They might strike it as odd, and after more analysis, find out the lock is also broken. They don't break anything, just examine things. When the owner finally comes out, opens the door to talk to them, the person might mention ('hey, I noticed your door is broken in these places, and I've got a two-year degree in carpentry, so maybe I can help you fix it?"

        The owner can either say "Well, how bad is it, really? Try to see what you can do that will completely mess up the site." Or, they might say "Oh sure, how much?" Or maybe they'll say "Yeah, we know, but we've already asserted it's not a big deal." Or, they might even tell you to go away for a day, think it over, then tell you to come over one more time and then tell you that they've talked to other experts who claim it's not a huge issue with security.

        The important part is maintaining the ethics when doing something. Finding a vulnerability, or noticing it passively isn't a crime in and of itself. Actively trying to find something that's even minutely broken is (unless there's a bug bounty open, in which case you need to read the terms and conditions of the bounty, and with a few other exceptions. Fuzzing is a no-no, but maybe trying to input lt/gt/quote characters into a GET parameter is fine.)

        Something's telling me that you're not actually knowledgeable in this field if you think that noticing something wrong is a crime.
        There are ways of noticing vulnerabilities in websites, in the same manner as the door, except your looking through binoculars ....

        Simple google searches can tell you if a site is vulnerable. It's certainly not against the law to search google, at least not in any country where you can access this forum.
        {{ DiscussionBoard.errors[11410885].message }}
  • Profile picture of the author DABK
    Is it a bad idea still if you do it this way:


    Hey, I will hack your site. If I can get it, anyone can. If I can get it, I can stop others from doing so. If you're interested in finding out if you're at risk, I will proceed. If not, I wish you luck...


    Get them interested in the idea, then hack?
    {{ DiscussionBoard.errors[11368107].message }}
    • Saying 'Hey, I'm going to hack you' is really bad practice. Doesn't matter what you say after, the first sentence implies that you're blackmailing the person, and you can get screwed over by CFAA or other blackmailing laws. Especially since it's almost like extortion. Word it differently, don't be an idiot and you'll find yourself clients.
      {{ DiscussionBoard.errors[11368118].message }}
  • Profile picture of the author Kemist
    You can tell them you found a vulnerability, but with all the scamming going on in this sector... It will be a hard sell
    {{ DiscussionBoard.errors[11368234].message }}
  • Profile picture of the author PrincePatridge
    This is an interesting post...?

    Is this real...?
    Signature

    Secrets to making money online revealed!
    Click here to download YOUR free report now!

    {{ DiscussionBoard.errors[11368242].message }}
  • Profile picture of the author squeebo
    So you're sitting at home alone in your underwear watching your favorite anime porn in the living room with a bag of cheese doodles leaving orange dust all over your clothes.

    A smiling man comes up behind you, pats you on the shoulder, startling you so bad you scream and jump to your feet, knocking your cheese doodles everywhere and looking like a disgusting slob.

    But no worries! He's here to help! He just picked your front door lock and snuck in, and he's offering to sell you a better lock. You thank him for helping you out and purchase his services, right?
    {{ DiscussionBoard.errors[11370051].message }}
  • Profile picture of the author Chris30K
    Seems like you're trying to sell an anti-virus software? Something better would be:

    "Detect the Undetectable." I mean, I'm not sure, but I know it's better than the one that's about to be attempted lol. You don't want to brag about hacking people, they'll either get mad at you or call the cops or both.
    Signature

    Chic Fil A > McDonald's

    {{ DiscussionBoard.errors[11372324].message }}
  • Profile picture of the author ryanbiddulph
    Good God please do not do this. Quickest way to either wind up in junk folders, killing your business, or to lose your reputation. Offer services not from fear or desperation but by being honest, genuine and high energy.
    Signature
    Ryan Biddulph, Blogger, Author, World Traveling Digital Nomad
    If you want to become a full time blogger you can buy my eBook here
    {{ DiscussionBoard.errors[11376187].message }}
  • Profile picture of the author blues1143
    Bad idea!!
    {{ DiscussionBoard.errors[11398950].message }}
  • Profile picture of the author Michael D Price
    I will chime in on this topic!

    The way that you worded this post, would make it illegal, and unethical hacking ...
    There is a way around this, and I will get to that in a minute.

    This is a VERY VERY common sales tactic, used in various industries, and has been for a very long time.

    Create the problem, and offer the solution.
    One example for the digital world ...

    This tactic was used when paypal first came out, and they had flaws in their button code.
    Some people picked up on this, and was able to gain access to your products, no matter the price, for only a penny!

    That's when the first paypal payment protection script hit the market, and ofcourse it was open to affiliates.

    So anyone who figured out how to "hack" the paypal button code, was now doing this, and sending out emails to the product owners stating they stole their products ...

    Than offered the solution, the paypal protection software!

    So yes, this has been done.

    I mentioned it is illegal right?

    So you have some hacking skills, that's good.
    Remember I said, I had a way around those pesky laws that prevent you from doing this?
    It's real simple....

    ASK PERMISSION

    That's contact the owner of the website, and inform that you are a website security expert and pentester, and believe their site probably has some vulnerabilities, and ask for permission to prove it to them, informing them that they can prevent this from happening.

    Once you have their permission to pentest their system, it becomes completely legal, and ethical hacking.

    Another example of an Industry doing this ...
    Look into Halliburton and the Gulf oil spill!!!
    {{ DiscussionBoard.errors[11410882].message }}
  • Profile picture of the author falco80
    Your idea is great, it just needs some tunning.

    You can find flaws in systems but without actually exploiting them (only with the adequate permission), then present a report to the company, with info on the risks.

    It's a great way to create the necessity in your potential client to later make a sale on correcting the flaws.

    But never hack and then explaing because you could get into trouble.
    {{ DiscussionBoard.errors[11412045].message }}
Avatar of Unregistered

Trending Topics