When Khalil Shreateh hacked into Mark Zuckerberg’s Facebook page over the weekend, the company declined to pay him the reward it normally offers to those who find security vulnerabilities. Facebook (FB) apparently frowns on testing hacks on real people, including the chief executive.
Shreateh lost out on at least $500, but the attention he generated still resulted in a windfall. Marc Maiffret, another security researcher who got his start exposing flaws in tech companies’ software, started passing around the digital hat to make sure Shreateh got paid, setting up a fundraising campaign on GoFundMe to collect $10,000 as Shreateh’s reward. The campaign hit its goal on Tuesday afternoon, meaning the man who hacked Zuckerberg’s page will get paid after all.
Maiffret can identify with Shreateh. He cut his teeth hacking into government and corporate servers, including Microsoft’s (MSFT), as a teenager in the 1990s. When he was 17, Maiffret’s home was raided by the FBI—a much scarier ordeal than the one suffered by Shreateh, whose Facebook page was temporarily disabled. While Maiffret knew what he was doing was illegal, he says he’s still not quite sure what he did to inspire the raid. “I had honestly hacked everything from government systems to companies to you name it, a good three years of hacking,” he says.
But, as with many computer security experts, Maiffret’s illegal dalliances presaged a corporate career. He started eEye Digital, which analyzed companies’ networks and told them where they were vulnerable. The company drew major governmental and corporate clients and was acquired last year by BeyondTrust, another software firm. Maiffret is now its chief technical officer.
Technology companies have become increasingly open to help from independent hackers like Shreateh. Facebook actually encourages independent hacking more aggressively than most of its competitors, says Maiffret, and has paid out over $1 million for help exposing flaws. And Facebook is not alone. Even Maiffret’s old antagonist, Microsoft, has started a program to pay developers who tell it about security problems they’ve found.
But for skilled hackers, the incentives not to cooperate have also increased significantly. With more sensitive information available online, the market for information about corporate vulnerabilities is thriving. “These days there’s a much bigger allure, and if you’re getting into hacking and research, there are essentially two paths ahead of you,” says Maiffret.
In raising money for Shreateh’s high-profile Facebook stunt, Maiffret wanted to reward a hacker who had done the right thing. Getting the donations proved easier than finding out how to get it to Shreateh. The two men have never met, and almost immediately after the fundraising campaign’s start, a number of people emerged to falsely claim Shreateh’s mantle.
Now, Maiffret is confident he has found the right man, who is clearly more honest than many on the Internet. “That would be the worst outcome of all, to give it to someone posing as him,” he says.