A recent incident highlights just how the security industry could well be pushing legitimate researchers into being black hat hackers.
The security industry is always telling us that there is a shortage of people being recruited into the sector. What’s more, it admits it is fighting a battle with the ‘dark side’ when many talented researchers end up joining criminal endeavours that can offer the lure of making more money, and making it fast. While money, and excitement, are usually considered the main drivers creating black hat hackers, I’d like to put forward another: the way that people trying to help are often still treated by the companies whose security shortcomings they uncover.
Take the case of an 18 year old, who wishes to remain anonymous, and his discovery and responsible disclosure of a pretty simple yet severe vulnerability. The guy was looking at the website of the Budapest transport authority, Budapesti Közlekedési Központ (BKK), which allows you to buy tickets for travel online.