Programming

Corporate Hackathons: the Fine Line Between Engaging and Exploiting

Posted by Soulskill
from the now-announcing-a-hackathon-to-make-me-a-sammich dept.
New submitter dasacc22 writes "Campbell is inviting developers to hack the kitchen with their recipe API. But wait — the API is private, so first you need to submit an idea. If they like the idea, you'll be given access to develop the app. If they like the app, they may give you some money. Otherwise, you can expect to have an app that connects to an API you no longer have access to. The author of this article covers his recent experiences after engaging with Campbell's Adam Kmiec to try and answer the following: '... my question to software developers out there who are thinking of devoting any real effort to a corporate hackathon like this is: "Why?"'"
  • by tommeke100 (755660) on Saturday January 19, 2013 @01:17PM (#42634397)
    ...That way we don't have to invest > 1M$ in R&D to do it ourselves!
  • by lucm (889690) on Saturday January 19, 2013 @01:18PM (#42634405)

    From a probability point of view, here is the true value of that thing:

    (Total prize: $50,000 + $10,000) / (Number of challengers: 30) = $2,000

    The access to the API is limited to 3 weeks. This means that what they offer is the privilege of working for $16 per hour as long as you initially provided a good idea for free.

    Financially speaking, one is better off working at Mikee Dees for 3 weeks and using the wages to buy lottery tickets (you also get free soft drinks while you work if I'm not mistaken).

  • Well, I'm sure the folks writing the code that talks to the API will have to sign a Non-Disclosure Agreement. Such an agreement states that if you let slip the information by any means, you agree you've irreparably harmed the discloser of the information. That's the most damaging kind of harm there is, which may even be on the same level as a murder if you think about it, esp. considering the amount of money the disclosee risks forfeiting.

    The state of computer security and information security in general is so ridiculously near non-existent in any sense of the word that it would be foolish to sign any NDA, not just one for an eKitchenSink API. There is not a single common desktop or server OS that cannot be readily breached by someone with sufficient knowledge; indeed, the NSA and even China's Cyber Army have asserted they hold 0-day exploits for every OS. Do you think there's a super-intelligent breed of hacker they've developed to obtain this power, or do you think that there are crackers & hackers with such skills that they happened to recruit? If the latter, do you think they've recruited them ALL? -or- even a significant percentage?

    So, here we have a situation where I cannot in good faith sign a contract saying essentially that I won't ever disclose information to 3rd parties while there are more 3rd parties every day who can just reach into my systems and take that data at any time. These are not hypothetical statements; my security has been breached before. Now I only use Linux and use MS Win via VM; however, even these precautions aren't enough to prevent a diligent hacker from discovering an exploit or a cracker with a few thousand dollars from buying said exploit... Not that I'm saying I live in constant fear of being compromised; on the contrary, I most assuredly do not fear, because I don't sign that type of NDA and take on such risks. I need not fear, only keep backups in case a compromise occurs. When faced with eating a fish that may or may not be deathly poisonous vs one that is known not to be fatally dangerous, I choose the latter.

    I always refuse to sign those sorts of contracts and instead propose that any disclosure by me to a 3rd party has to be proven beyond a reasonable doubt to have been a willful disclosure, and that unwillful disclosures include but are not limited to having my own security breached. It's worth noting that many companies will not agree to such terms, and in such cases I simply move along to another bid. In other words, I've naturally gravitated toward working predominantly on (improving) open source software to add a feature that a business needs/wants, because a simple risk analysis prevents me from signing most any proprietary NDA. What of the company's own employees? Do they bear such risk of irreparable harm to their business and sign away the right to defend themselves against such claims where information leakage has occurred if their workstation is targeted by crackers?

    Also, if I've got to disclose my Application Idea prior to accessing the API, then I'm at a severe disadvantage. This is the Information Age; you'd do well to learn a bit of information politics. I'm doing the work to come up with an Idea that may or may not even be possible via their API, and giving that work to them for free for the CHANCE that I might be ALLOWED to benefit from the idea? Say they turn down the idea; can they not simply run off and create the app themselves now? If not, if the NDA is bidirectional and they will not disclose my Idea, then they are doomed. I will simply propose hundreds of ideas under that contract, and drag them into court as soon as another app implements the features I've described... I don't even have to develop anything! If the risk is not bidirectional, then it's not worth the chance to take, considering the market share, and that other markets for ideas exist.

    Finally, if you want to prevent unlicensed 3rd party API usage then implement a secure code signing chain and make the API
