Freelance hacking site vows to clean up dodgy listings

The creator of Hacker's List says the site is a lower-cost way to bid for security projects

Jonathan Mayer, lawyer and doctoral candidate  at Stanford University

Jonathan Mayer, lawyer and doctoral candidate at Stanford University

Charles Tendell is trying to repair a reputation problem for his website, Hacker's List.

The site debuted in November and quickly drew high-profile attention, including a front-page story in the New York Times. It's an online marketplace where people can list computer-security related jobs for bidding and match them with the right "hacker."

It has been criticized as amateurish since forums where such deals are made are password-protected and generally hard to find for regular Internet users. It has also raised concern since many projects up for bidding appear illegal.

The latest criticism comes from Jonathan Mayer, a lawyer and doctoral candidate in computer science at Stanford University. He wrote a Web crawler that scanned 7,200 projects on the site and posted the results on Thursday on his blog.

"Here's the short version: most requests are unsophisticated and unlawful, very few deals are actually struck, and most completed projects appear to be criminal," Mayer wrote.

The majority of projects up for bidding involve compromising cloud services accounts, with Facebook and Google the most mentioned, he wrote. There are also a fair number of projects asking for help in artificially improving grades.

Tendell, the founder and CEO of Azorian Cyber Security based in Colorado Springs, Colorado, said on Thursday that he's seen Mayer's report.

"His report is accurate," Tendell said.

It's easy to register an account on Hacker's List -- the site lets people use their Facebook credentials to log in -- and see the projects up for bid. Tendell said Hacker's List lets people post any project they want to, which is the reason a high number of illegal ones appear, tainting the website.

But he says that the site's staff reviews pending deals and rejects ones that are illegal. Hacker's List notifies both the hacker and the employer prior to approving a job.

The notice requires identification and signed documentation from both parties attesting that their deal complies with Hacker's List terms of service, which forbids illegal activity.

"If you aren't able to provide that information, we will not complete your transaction, especially if it looks like on the surface it might be illegal," he said.

At one point after the New York Times story, Tendell said they took Hacker's List offline because of the high number of suspicious listings. The sudden attention that came as the result of the story, Tendell said, caught him completely off guard.

Later, they decided to put its content back online and rely on the site's community to flag suspect posts. If a job gets two flags, the staff of Hacker's List -- which is about five people -- will review the post and remove it if it violates the terms of service.

Mayer isn't convinced. "Given that the majority of users are soliciting federal crimes, I'm skeptical that this community would adequately police itself," he said via email.

Hacker's List used to charge a 15 percent commission but has changed its sale model. It charges hackers US$3 to bid on a project and every time they communicate with a potential employer. Employers are charged $0.75 per communication.

Mayer contended that he found only 21 jobs that had been completed, in contrast to the 250 jobs that Tendell told the New York Times had been done.

The calculation is incorrect, Tendell said, as there are many jobs that have been completed but were privately listed and not accessible by Mayer's crawler.

The Hacker's List success stories cited by Tendell revolve more around online reputation management and investigative services than computer security.

One deal involved a woman who needed help getting some negative photos removed from a website, Tendell said. Another involved cyberbullying, where someone wanted to find the identity of the harasser.

Tendell argued that online reputation services would charge far more for those kinds of services than putting a project out for bidding on Hacker's List.

That's actually a strong business case for the site, as there very well may be a need for such freelance services for Internet consumers. But the website's main problem may be how it clumsily presents itself.

It clearly isn't for businesses, as no company would trust people on the site to probe their networks. On the other end, average consumers also aren't going to be in the market for penetration tests or security audits, Mayer said via email.

"Given how lucrative security consulting is, I don't see why a talented white hat would seek sketchy, low-ball offers," he wrote.

And that may be how Hacker's List has ended up where it is today: a large collection of listings from people seeking to change their grades, snoop on an email account or modestly spy on other people, all low-hanging fruit for even an average hacker.

One new posting on Friday offered between $200 and $300 for a task. "Looking to see what someone is getting on his Facebook messages and see if he's cheating on me," it read.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags Hacker's Listsecurity

More about FacebookGoogleStanford University

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts