Don’t be evil: Alejandro Caceres and Amanda Towler are not in this business for the money
Hacker culture is dying. A scene that used to be replete with anti-corporate sentiment and pro-freedom ideals is being sold out by cybersecurity capitalists more concerned with making a quick buck selling ways to exploit websites and phones than actually protecting Web denizens. That, at least, is how Alejandro Caceres sees it. Caceres is the 30-year-old co-founder of a software firm called Hyperion Gray, which he started with his girlfriend and business development partner, Amanda Towler, in their poky Arlington, Virginia, apartment.
Caceres’s opinion wouldn’t be all that influential but for the fact that Towler and he have unleashed an epic feat of revenge against hackers out to make a quick buck. It’s called PunkSPIDER, a remarkably simple search engine that scans the whole web for vulnerabilities that snoops and crooks might exploit to steal data, and makes these exploits accessible to anyone—for free. Call it the Google for the broken web.
Because of the time and cost constraints of running constant scans, PunkSPIDER has been limited to one scan a year (though that’s set to change this year). During the last scan in May 2014, PunkSPIDER’s code ran for four days on cloud servers to test, or “fuzz”, more than 98 million websites by firing junk data at them to see if errors occurred, the first sign of a potential weakness. That first fuzz, Caceres says, turned up a large yet “depressingly predictable” number of vulnerabilities, 3.4 million in total.
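The error-driven fuzzing described above, as an added illustration that is not PunkSPIDER's own code: a harness that fires junk values into each parameter of an application handler and records which inputs surface a server error, the "first sign" the article refers to. It runs entirely offline against a constructed `toy_handler` that stands in for a web endpoint; the handler, the junk list and the baseline value are all assumptions for the example.

```python
# Constructed toy endpoint standing in for a web app (not PunkSPIDER code).
# It takes a dict of query parameters and returns an HTTP-style status code.
def toy_handler(params):
    page = params.get("page", "1")
    # Deliberate weakness for the demo: trusts that "page" is a non-negative integer.
    try:
        idx = int(page)
    except ValueError:
        raise RuntimeError("unhandled input")   # the app would turn this into a 500
    if idx < 0:
        raise IndexError("negative offset")      # another unhandled case
    return 200


def call(handler, params):
    """Invoke the handler and map an uncaught exception to a 500, as a web server would."""
    try:
        return handler(params)
    except Exception:
        return 500


# Constructed junk inputs: empty, negative, oversized, quote/markup, NUL, format string.
JUNK = ["", "-1", "9" * 40, "'", "<script>", "\x00", "%s%s", "a" * 10000]
BASELINE = "1"   # a value the endpoint is expected to handle normally


def fuzz(handler, param_names, junk=JUNK):
    """Return (param, value, status) for every junk value that provokes a 5xx.

    A parameter whose baseline request already fails is skipped: that error is
    not input-triggered, so reporting it would be a false positive.
    """
    findings = []
    for name in param_names:
        if call(handler, {name: BASELINE}) >= 500:
            continue
        for value in junk:
            status = call(handler, {name: value})
            if status >= 500:
                findings.append((name, value, status))
    return findings


if __name__ == "__main__":
    for name, value, status in fuzz(toy_handler, ["page", "q"]):
        print(f"{name}={value!r} -> {status}")
```

Each finding is only a lead, not a confirmed vulnerability: the next step is to read the stack trace behind the 500 and fix the input handling.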
The next scan, which will run in late May, will be bigger and badder than the last, covering more sites and additional varieties of web vulnerabilities. It will even extend into sites hosted on the so-called “dark web,” where drug dealers and human rights activists alike use the Tor network to anonymise their identities by routing them through layers of servers. There are plans to have the scanner running daily, too, which will keep the data up to date.
Spreading the knowledge that a vulnerability exists is leaps away from teaching people how to use it to break into a Web app. (The real cybercriminals are already using more sophisticated tech to scan for weaknesses, albeit on a much smaller scale.) Nevertheless, PunkSPIDER initially spooked the security police. Just before their February 2013 $10,000 Kickstarter campaign to fund the search tool’s development, Caceres and Towler presented their baby at the ShmooCon security conference in Washington, DC. Caceres opened the floor to questions, and, halfway through, one of the attendees told him to get a lawyer. Without proper authorisation from website administrators, such scans can potentially breach the US Computer Fraud and Abuse Act, as security researchers have frequently warned. Just weeks after the ShmooCon unveiling, Caceres was contacted via email by a member of the UK government team responsible for securing a number of its web domains. They warned of “exposing yourself to a huge amount of risk for a relatively minor reward. Please be careful as there are some very legally hostile sites you will be probing”. One company that owns proxy servers through which the PunkSPIDER crawler has travelled claimed to have been contacted by federal authorities about the suspicious activity.
Towler admits they were scared. “We ended up talking to the Electronic Frontier Foundation (EFF) about it, how best to manage this, how not to get arrested,” adds Caceres. The EFF, an advocacy group for an open web, offered some advice on how to stay within the confines of the law. It appears to have worked, as Caceres has had no serious legal threats since the launch.
PunkSPIDER is part of a broader “mass-scanning” movement that includes tools such as Masscan, Shodan and Critical.io that use brute force to peel away the facade of security across the web. Meanwhile, Google, Facebook and others have set up sizeable bug bounty programmes, with prizes as high as $33,000 at Facebook and $20,000 at Google. Caceres is also hopeful that PunkSPIDER, by turning these flaws up for free, will be an even better deterrent to the vulnerability black market, where researchers are selling previously unknown exploits to the highest bidder (sometimes crooks, sometimes law enforcement) at prices as high as $100,000.
Over the last two years, Caceres and Towler have worked to improve on PunkSPIDER’s rough, early appearance. The web page, punkspider.org, is now as clean-looking as Google’s search page, with a bar for whole addresses or just part of the URL.
If you want to refine your results, there are buttons to specify a range of common web vulnerabilities to search for. Sites are given a ranking from 0 to 5. Caceres says you shouldn’t visit a site with a score of 2 or above. A search for Ebay.com, for instance, with all buttons clicked, brings up two pages of results for various apparent flaws across the site. Prior to PunkSPIDER, a business could get this kind of security assessment only by paying tens of thousands of dollars to a professional firm as part of a wider penetration test. “Security should not be just for the upper echelons. We really believe this information should be made freely available,” says Towler.
Even as some government and law enforcement agencies look askance at the duo behind PunkSPIDER, others have been keen to avail themselves of their skills. Caceres’s crew won a role on the Memex programme funded by the Pentagon’s Defense Advanced Research Projects Agency (DARPA). Memex produces highly customisable search tools to better illuminate both the dark and standard web, and led to convictions last fall of human traffickers by studying their activities online. Hyperion Gray has been adding doses of artificial intelligence to Memex so it can mimic human interactions with websites, such as opening drop-down menus or hovering over interactive elements. Memex has been getting contracts from police forces (Caceres can’t say which) that want better search tools to help catch “the most heinous” criminals, he says.
Towler and her partner, who now work out of Concord, North Carolina, know they could make a bundle in search. “We just don’t care. We’d rather keep this project as something we enjoy, something that isn’t sleazy and provides an important service for the community,” Caceres says.