I mentioned in How Do Hackers Live on $53.57? (‘Hack the Air Force’) that only hackers in Australia, Canada, New Zealand, the United Kingdom and the United States can participate in ‘Hack the Air Force.’
For a rough count of those excluded, let’s limit hackers to people between the ages of 15 and 64. The World Bank puts that age group at 66% of the total population as of 2015.
OK, the World Population Clock gives a world population as of 28 April 2017 as 7,500,889,628.
Consulting the table for population by country, we find: Australia (25M), Canada (37M), New Zealand (5M), the United Kingdom (66M) and the United States (326M), for a total of 459 million.
Rounding the world’s population to 7,501,000,000, 66% of that population gives 4,950,660,000 potential hackers world-wide, and from Australia, Canada, New Zealand, the United Kingdom and the United States, 283,140,000 potential hackers.
Not everyone between the ages of 15 and 64 is a hacker, but the raw numbers indicate a weakness in the US Air Force approach.
If ‘Hack the Air Force’ attracts any participants at all (participation is a bad idea; it damages the cybersecurity labor market), those participants will be very similar to the people who wrote the insecure systems for the Air Force.
The few participants will find undiscovered weaknesses. But the weaknesses they find will be those anyone similar to them would find. A lack of diversity in security testing is as serious a flaw as standard root passwords.
If you need evidence of the need for diversity in security testing, consider any of the bugs found after any major software release ships. One assumes that Microsoft, Oracle, Cisco, etc., don’t deliberately ignore major security flaws. Yet the headlines are filled with news of such flaws.
My explanation is that different people look for vulnerabilities differently and hence discover different vulnerabilities.
As for the ‘Hack the Air Force’ contest, my counsel is to boycott it, in solidarity with all those forcibly excluded from participating.
The extreme lack of diversity in the hacking pool is a guarantee that, post-contest, the public web systems of the US Air Force will remain insecure.
Moreover, it’s not in the interest of the cybersecurity defense community to encourage practices that damage the chances cybersecurity defense will become a viable occupation.
PS: Appeals to patriotism are amusing. The Air Force spent billions of dollars constructing insecure systems. The people who built and maintain these insecure systems were, and are, paid a living wage. Having bought damaged goods, repeatedly and likely from the same people, what basis does the Air Force have to seek free advice and labor on its problems?