Mozilla pays 12-year-old San Jose boy for hunting bugs in system (mercurynews.com)
158 points by tptacek on Oct 23, 2010 | 54 comments


He's 12 years old. He found a stack overflow. In document.write. In Firefox. In 2010. Clearly something has gone wrong with spacetime.


This should go in your next hiring post. "Who we're looking for: Somebody with the chops to dig into code that has passed professional inspection and do horrible, horrible things to it. Someone who can find a stack overflow in document.write. Someone like you, because if you can program we will teach you these and other dark arts. The last stack overflow in Firefox was found by a 12 year old. Are you going to let yourself lose to a 12 year old?"

Sidenote: I think I have a guess based on a prior conversation, but for the edification of HNers: $3,000 is how many orders of magnitude below the market worth of that vulnerability?


Assuming it is reliably exploitable and packaged with the exploit, $3,000 is substantially less than what that vulnerability is worth. As with everything, it depends on how aggressively you sell it, and whether you believe in an immortal soul.

I can't tell you exactly how much though because I'm busy tracking down his email address so we can be his 8th grade internship.


Publicity for this boy is far more valuable than any money he could make out of this. He doesn't even know what to spend $3,000 on, and it doesn't surprise me at all.

I remember when I was a teenager making more than my parents (dot-com boom) and the money I was making was just piling up. I had virtually no goals that would require money back then... of course now as I get older, it's exactly the opposite, plenty of goals, no money :)


Everyone has a story about a friend who sold a vuln for X. At least one case though has been documented in an academic paper by a well respected researcher [1]. (That would put the cheque at < 10%)

[1] http://weis2007.econinfosec.org/papers/29.pdf


This is pretty old, in vulnerability-markets terms. The practice has become more mainstream since then.


These stories always make me think of another bug that is unbelievable.

The bug is in Binary Search - one of the most fundamental algorithms in programming. It's been around in a published implementation of Binary Search since 1986, and the implementation of Binary Search for the JDK was broken for 9 years. This bug was only discovered in 2006, when someone's program broke.

If you haven't heard of it, read more here: http://googleresearch.blogspot.com/2006/06/extra-extra-read-...

Quick Summary - to get the "middle" element of the array, the line is this: int mid = (low + high) / 2;. This overflows when low + high is larger than MAX_INT, causing havoc.
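To make the overflow concrete, here is an added example (not code from the thread, the Google Research post, or the JDK) in C. Java's int addition silently wraps on overflow, while signed overflow in C is undefined, so the example models Java's wrap explicitly through 64-bit arithmetic. It searches a virtual sorted array a[i] = 2*i so that the array length can approach 2^31 without allocating gigabytes; the broken midpoint, the subtraction-based fix and the unsigned-shift fix from the post are all compared on the same search. The names (mid_broken, mid_fixed_sub, mid_fixed_shift, binary_search) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Model Java's 32-bit two's-complement int addition, which wraps on
 * overflow. Done in int64_t so this C code never triggers undefined
 * behaviour itself. */
static int32_t java_int_add(int32_t a, int32_t b) {
    int64_t s = (int64_t)a + (int64_t)b;
    if (s > INT32_MAX)      s -= (int64_t)1 << 32;
    else if (s < INT32_MIN) s += (int64_t)1 << 32;
    return (int32_t)s;
}

/* The midpoint from the broken JDK binarySearch: (low + high) / 2.
 * Once low + high exceeds 2^31 - 1 the wrapped sum is negative, so the
 * "middle" index is negative too. Java's / truncates toward zero like C's. */
static int32_t mid_broken(int32_t low, int32_t high) {
    return java_int_add(low, high) / 2;
}

/* Fix 1: low + (high - low) / 2 never exceeds high, so it cannot overflow
 * as long as 0 <= low <= high. */
static int32_t mid_fixed_sub(int32_t low, int32_t high) {
    return low + (high - low) / 2;
}

/* Fix 2: Java's (low + high) >>> 1. The unsigned sum of two non-negative
 * 32-bit values fits in 32 unsigned bits, and the shift brings it back
 * below 2^31. */
static int32_t mid_fixed_shift(int32_t low, int32_t high) {
    return (int32_t)(((uint32_t)low + (uint32_t)high) >> 1);
}

typedef int32_t (*mid_fn)(int32_t, int32_t);

/* Constructed input: a virtual sorted array a[i] = 2*i. No memory is
 * allocated, so n can be as large as INT32_MAX. */
static int64_t virtual_elem(int32_t i) { return 2 * (int64_t)i; }

/* Binary search for key in a[0..n-1] using the given midpoint function.
 * Returns the index of key, -1 if absent, or -2 if the midpoint ever left
 * [low, high]. In the real JDK that negative index meant an
 * ArrayIndexOutOfBoundsException. */
static int32_t binary_search(int32_t n, int64_t key, mid_fn mid) {
    int32_t low = 0, high = n - 1;
    while (low <= high) {
        int32_t m = mid(low, high);
        if (m < low || m > high) return -2;   /* the overflow symptom */
        int64_t v = virtual_elem(m);
        if (v < key)      low = m + 1;        /* m <= n-2 here, so no overflow */
        else if (v > key) high = m - 1;
        else              return m;
    }
    return -1;
}

int main(void) {
    int32_t n = INT32_MAX;
    int64_t key = virtual_elem(INT32_MAX - 2);   /* present, near the top */
    printf("small array, broken mid: %d\n", (int)binary_search(100, 40, mid_broken));
    printf("huge array,  broken mid: %d\n", (int)binary_search(n, key, mid_broken));
    printf("huge array,  fixed sub:  %d\n", (int)binary_search(n, key, mid_fixed_sub));
    printf("huge array,  fixed >>>:  %d\n", (int)binary_search(n, key, mid_fixed_shift));
    return 0;
}
```

On the 100-element array the broken midpoint is fine, which is exactly why the bug survived for so long: low + high only crosses 2^31 - 1 once the search range sits above roughly 2^30 elements, a size that only became routine once memory got cheap.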


This is an awesome, awesome post. Thanks for sharing it.


One can only hope that the next generation will find a way to blow whistles into cell phones to get free calls.


For those who don't know: early phone hackers (phreaks/phreakers) discovered that a 2600hz tone would indicate a trunk was idle, reset and listen for a new call. Since the line was not actually hung up the billing system wouldn't activate leading to free phone calls.

Some people learned to whistle the tone, while others used bird calls, and even a whistle given free by Captain Crunch (the cereal).

http://en.wikipedia.org/wiki/2600_hertz


I'm actually even quite positive I remember hearing Mitnick wasn't allowed to use the phone in prison for some time because they were concerned he could initiate some sort of military attack by whistling into the phone.

I heard this around the age of 14 though- so it's possible my memory is foggy.



I remember reading about this in iWoz and thinking "WTF! This is seriously cool".


But hopefully we won't need them to reboot the earth's core.


Awesome Phreaker reference...nice


Don't think the number of clever kids has changed much over the years. It's just much harder to spot them, because everyone and their dog is "doing computers" now.


I don't think the time-warp is so much the clever kid, as the fact that this is a 1970s vulnerability: an exploitable buffer overflow in a print statement. You'd think we would have solved that problem by now!


It's amazing what the Internet has done for child geeks. Now they can find out about, interact with, and do useful things rather than hack alone in a vacuum.

My biggest child tech achievement was finding the word C--T in a data file for a text adventure when I was 10 (I was trying to cheat at the game). I casually asked my parents what it meant and my parents wrote in and complained and we got a free copy of the then-new Wing Commander by way of apology <g> (Happily, I didn't learn what C--T meant till I was about 14..)


No dictionary at home?


Here's the advisory, with link to the bug (require login to see bug).

http://www.mozilla.org/security/announce/2010/mfsa2010-65.ht...


I have a login, but still can't see the bug. I assume I don't have sufficient permissions on my account.


The title makes it sound like he's on the payroll.

"12-year-old San Jose boy paid bounty for finding security hole in Firefox."


Here are two pieces of evidence that this boy was fortunate in his choice of parents:

Miller is quick to point out that he's not just playing games; what Alex is doing is learning. "Clearly it's his passion," she says.

"But you still have to do chores," Miller reminds him when he talks of his next debugging mission.

What a delightful story, and so free of the "genius whiz kid" trope that has infected this genre since long before I was that age.


Looks like a fairly default Ubuntu install in the picture. I remember playing with Linux at that age.. fun times. He probably had a better time of it than me struggling with Redhat 6.3 from my local bookstore though...


Local bookstore? I had to find a newsagent that sold it far from where I lived; the download would've taken weeks to finish.


Look sonny, when I was 12 I was installing AmigaDOS from floppy disks...


Well, bookstores around me had the $40 to $50 behemoth tech books with an installer in the back. Redhat looked the simplest, or was it the cheapest.. I don't recall which.


Oh, I remember at his age I was playing with the latest versions of Slackware, and I could never get the damn thing online, since I had some crappy Packard Bell hardware. I then switched to Mandrake, went back to Slackware in the early 2000s and never looked back... Until Arch, of course. Screw this Ubuntu fad.


Wish they would open up the bug to take a peek at the comments and test cases.


Protip: Firefox is open source.


Protip: Here's the bug I was referencing https://bugzilla.mozilla.org/show_bug.cgi?id=583077 - it's already been patched and fixed, so why can't I take a peek for curiosity?


Accidental downmod; your post was at 2, wanted to upmod it to 3. Sorry.


Pay him more. But don't hire him. It'll spoil his instincts.


I love the story, and I'm glad the kid got $3,000 - but - do people not proofread their work anymore?

From the story: "[...], he plans yo buy Christmas gifts for his family."


Wow, I guess it goes to show how much younger people these days are when getting into programming. Good for him :D


I don't think that's the case. As an 80s home computing revolution kid, quite a lot of kids were into BASIC etc. To a certain extent we've lost that now.

We grew up in a time where you could buy a computer and you pretty much had to learn how to program it. Now, you can get away without needing to learn.


I agree, with technology becoming so simple to use these days, it empowers people to do a lot more than they were able to do in the 80s. On the other hand, I feel that as the cost of creating a company decreases, and as more younger people learn about entrepreneurship, more of them are getting interested in creating stuff at an early age.


I'm sorry, but I can't help but see this and think of all the kids around this age who are prevented from earning money by child labor laws, and the idea that this kid is a "slave" because he's "too young to make decisions for himself." It may sound like this is a ridiculous thing to say, but just yesterday someone was making this claim in another forum.

I was busy writing a game at that age with the intent to sell it. Unfortunately, at that time there were no good distribution methods for independent games.

But I think the desire of some people who are well meaning but narrow in their worldview to "protect" children really prevents a lot of children from achieving as much as they would like, and are capable of.

When I finally was allowed to work, I remember several years where I had to work part time, even during the summers, because of these laws. One of my first jobs was a programming job, and I learned a whole lot from a senior programmer. I was 14 or 15, he was mid 20s. I wonder how much more I would have learned if I hadn't been prevented from working as much as I wanted because of state mandated limits on the number of hours. I can recall many times when he was explaining something to me, and it was getting really good, but I had to leave.


Did I miss the part of the article where they took his $3,000 check away?


I'm pretty sure he's talking about the option of getting a job, punching a clock, and working with older, more experienced people.


Theft is covered by other laws. We don't need child labor laws for that.


No, but most people from both political parties support the laws that prevent people from hiring kids his age. I think he was only able to get the $3,000 because it was a bounty or a "Contest", and not a "job" or "employment".

I think bug bounties shouldn't be the only way this kid is allowed to earn money. He's proven himself to have discipline and some responsibility. He should be allowed to go work for a startup, if he wants (at least during the summers when he's off from school, anyway.)


Child labor laws are made to avoid having 6 year olds asking for money on the streets and 10 year olds swinging crates at the dock when they should be in school. If a kid wants to work, social/child services approve the motion after interviewing the parents, and he does well in school for a trial period, he should be allowed to do so. Hell, kid actors do it all the time!


Kid actors have specific exceptions to the laws in almost all cases.


That's exactly the point, if a kid actor can be excepted, why can't a kid programmer (or bug hunter) be allowed to do so? I placed some conditions on this because it really comes down to if the kid wants to work, if the kid's parents are encouraging and not forcing his behavior, and if it will not affect his studies and development.


Good for him! If he keeps this up, he's going to be an awesome programmer.


That or he'll ruin the whole Internet and then do a dissertation on stochastic congestion control.


Why oh why couldn't I have been brought up in a white, suburban, upper-middle class family with my own computer and a high-speed internet connection?

Stories like this always make me bitter, but good on the kid for making the most of his upbringing.


WTH?

MOD consisted mainly of poor Brooklyn kids; in fact, some of them were members of street gangs, and taught themselves to hack on school computers. From nowhere to the cover of magazines ..

The wikipedia article sucks, but the lore is out there and well known:

http://en.wikipedia.org/wiki/Masters_of_Deception


And good on them, for making the most of what they had. I'm pretty sure I made the most of what I had, I just didn't grow up in a situation that encouraged hacking. At the age this kid (in the original story) is fixing bugs, I was experiencing the internet for the first time. I didn't grow up with computers at my disposal. My grade school used Apple IIe's, over 10 years after they came out. I didn't grow up around other kids who were interested in computers. I didn't even grow up around adults who were interested in computers. I didn't know that there was such a thing as being interested in computers until I was about this kid's age.

Rest assured, I started tinkering in 8th grade, and taught myself various programming languages all through high school. At this point, I made the most of what I had. I just didn't get the ridiculous head start that some kids are allowed.

This isn't to say that I'm not satisfied with the way my situation played out. I could have never used a computer until college, and I'd be going for a degree in History or something. It's so ingrained in my mind that I want to do this for the rest of my life that I can't imagine what I would do if I hadn't been interested in computers and programming. And I'm glad for this. And I'm glad that there are kids in high school who know way more than I do.

So when I say it makes me bitter, it is solely a cathartic response to something that doesn't really concern me. Would I like to have grown up in a better scenario? You bet your ass. Does it matter now? No. It's not a damn race.


Thanks! Now I get what the hell Hackers (the crappy 1995 movie) was trying to portray albeit really badly.


OT: Funny how perceptions differ. I liked the movie for its entertainment value, even though it was naive and used cliches about hackers.


To be fair, you can get a pretty decent computer today for < $500. That is still quite a bit of money if you're poor, but it's a far cry from the $2000 you might have paid several years ago.


I bought the laptop that I am using now, the one I have used for the last three years, and earned with all my income during that time... I bought it for $300, in 2007.



