The Biggest Thing That Yo Has Got Right is Hiring Hackers

By Kate Knibbs on at

Yo is a borderline offensively useless (if amusing) app, but its founder Or Arbel made a shrewd decision by hiring one of the Georgia Tech students who last week hacked into the absurdly simple service.

Arbel's dumbass novelty app should never be replicated, but it'd be a boon for everyone if his attitude towards hackers spread. Snapchat, a far superior social tool, is hampered by how its team treats (or mistreats) its hackers.

Last year, Snapchat repeatedly ignored warnings about a security loophole, and hackers who tried to warn them about the eventual leak of 4.6 million user names, among other security failings, expressed frustration at the way they were treated. Instead of owning up to their failings and asking the people who uncovered them for help, the Snapchat team brushed them aside. The disappearing-photo app has since made security hires and pledged to take leaks more seriously, but it still doesn't have a bounty programme to reward security researchers who poke around for holes.

This might be the only instance where Snapchat and other mobile services and social networks can learn from Yo: they should be hiring their hackers.

A few tech companies have programmes to reward white-hat hackers when they discover bugs and glitches, like Facebook and Google. Google gave Swiss developer Florian Rohrweck a gig even after he posted about Google+ features he'd discovered through hacking into the source code. Secret is a good example of a newer company smart enough to make efforts to reach out to hackers, since the anonymous posting app has already established a hacker bounty programme.

These bounty programmes are good, but most of these companies could take it a few steps further, and use them as security recruiting tools. Facebook, in particular, could step up its hacker-hiring game. The company hired high-profile iPhone hacker George Holtz back in 2011, but it refused to pay its $500 bounty to hacker Khalil Shreateh after he found a Facebook bug that allowed him to post on Zuckerberg's wall. This sent a clear message: yeah, we'll pay you bug bounties, but only if you follow the rules.

Facebook also hasn't displayed much interest in trying to get its hackers on payroll instead of simply giving them a payout—the decision to award a Brazilian engineer named Reginaldo Silva who discovered a major vulnerability $33,500 underscored that the company understood it needs to treat people who voluntarily help uncover security flaws fairly, but it would've been smarter to give Silva a salary in addition to his bounty.

Hiring hackers is a risky business, because they know how to break in and mess around and cause mayhem. It's like when the FBI hired Frank Abagnale because he was super good at committing felony fraud all the time (or like the more recent time the FBI used hacker Sabu to rat out his buds). It's probably scary to hire the people who used to have dubious intentions, who are the best at potentially hoodwinking and destroying you. It's also the smartest thing to do. Even the ones who hacked their founder's wall posts. Even the ones who smoke weed. Yes, they know how to bring the ruckus. That also means they often know the software better than anyone else. They're deeply familiar with specific programs in ways that other security experts might not be.

The hackers who manage to exploit security loopholes and break through barriers set up by a service's creators often understand how the programme works even better than the people who work there. This perspective is valuable. Think about who would be able to tell you about the least secure spots in your apartment building or neighbourhood. Is it going to be a security guard counting down the hours until he can clock out? Or the horny, determined teenage girl who sneaks out of her parents' place to see her boyfriend? Deviance and competence sometimes go hand in hand. Obviously not every hacker is worth a hire. Some are straight-up malevolent shit-disturbers who aren't worth much of anything. But many are worth a closer look, and they aren't getting taken as seriously as they should be.

Start-ups like Snapchat and other social apps are seeing explosive user growth in small slots of time, and what slides for a rinkydink operation is a total nightmare for a legit company. Making sure users are secure often comes in a distant second (or third, or fourth) to ensuring that those users' data is secure. Companies that are up front about their potential failings and quick to work with and incentivise hackers, like Yo, are more likely to ramp up their security in shorter periods of time.