The practice of turning to end users not only to beta test but also to reengineer products -- something once widely criticized -- has reached historic levels in IT. The trend even has a new, far more benign name: crowdsourcing.
Within an organization, it has resulted in new types of employment for software developers with a talent for hacking. For actual hackers, this kind of beta testing has formed its own career path.
Take Pinkie Pie, a teenage hacker who has yet to be identified in the news media by anything other than an online handle. This year alone, this hacker has earned a healthy $120,000 from Google as a result of winning two competitions.
The first was the Pwnium competition in March. Pinkie Pie took the $60,000 first prize by stringing together six vulnerabilities that allowed the hacker to create malware that could break out of Chrome's sandbox and attack the base operating system. Last month at the Pwnium 2 hackathon in Kuala Lumpur, Malaysia, Pinkie Pie took home another $60,000 by achieving a full Chrome exploit again.
According to published reports, Google has set aside $2 million in prize money for hackers like Pinkie Pie who find and report vulnerabilities to the company. Other vendors, including Hewlett-Packard, are setting aside funds for hackers who find and exploit vulnerabilities and then provide the vendors with the methodology. Given all this activity, it's no surprise that new kinds of development jobs related to hacking are popping up in IT, such as quality assurance engineer and software development engineer in test (commonly abbreviated as SDET).
Ray Zambroski, a senior technical recruiter with Rooster Park Consulting in Seattle, told me in an email about the various kinds of skills required for these posts.
The QA engineer will have a "How can I break this?" way of looking at the world, with an ability to document and communicate well. These guys certainly find flaws, but you wouldn't ordinarily expect them to find the type a good hacker would find. They just aren't typically focused on penetration testing.
SDETs, on the other hand, are actually true developers. Typically, they are building (coding) tools and test harnesses designed to automate the testing of something, which would have the potential of finding dozens or even hundreds of flaws in a very short period of time. They might also design penetration tests, of the type the aforementioned hacker may have used (although these types of SDETs are very specialized).
The salary for this type of QA engineer is approximately $60,000 for someone with one to four years of experience, depending on their level and quality of college education, Zambroski said. But SDETs command a salary similar to that for software developers: $80,000 for someone at the junior level with a computer science degree from an average school, or more than $100,000 for someone with a few years of experience and a degree from one of the top 20 computer science schools.
Even SDETs with a top salary may not be as skilled as black hat hackers, Zambroski said.
The best of those care less about breaking something and much more about "getting in." There is a subtle, but very important difference. It actually takes years of "training" to think and act like a hacker, and not many SDETs care to undertake it.
In paying Pinkie Pie, "Google certainly got a deal, and the hacker did also: a paycheck, and Google-caliber notoriety," Zambroski said. In this case, crowdsourcing produced the best beta of all.
Agreed, which is why I've ranted against premature beta releases for years. Unfortunately, many companies find it cost-effective to give away beta software and let their customers test it rather than actually engineering and testing a solid product. If software were better tested before it shipped -- and more effectively tested against other modules in the same product -- users would have many fewer problems. However, testing takes time and money, so I suppose we are stuck with the new crowdsourced development scheme for a while.
Finding security flaws in this way seems like it should be done *before* commercial software is released... and then there'd be little need for antivirus software to exist.
Thanks for this blog, Stephen. I knew that companies were using white hat hackers, who aren't prone to moving into corporate roles by themselves. But it's interesting to see how other kinds of "hacking" are being channeled for use in more staid jobs.
Interesting that hacking is still viewed as something beyond the norm, though, that talented IT folk still can't duplicate the hacker mentality.
I'm not sure why that's the case; perhaps you'd have to be totally rebellious to really be driven to break code in the extreme ways hackers do.