Freelance hacking site vows to clean up dodgy listings

The site debuted in November and quickly drew high-profile attention, including a front-page story in the New York Times. It's an online marketplace where people can list computer-security related jobs for bidding and match them with the right "hacker."

It has been criticized as amateurish since forums where such deals are made are password-protected and generally hard to find for regular Internet users. It has also raised concern since many projects up for bidding appear illegal.

The latest criticism comes from Jonathan Mayer, a lawyer and doctoral candidate in computer science at Stanford University. He wrote a Web crawler that scanned 7,200 projects on the site and posted the results on Thursday on his blog.

"Here's the short version: most requests are unsophisticated and unlawful, very few deals are actually struck, and most completed projects appear to be criminal," Mayer wrote.

The majority of projects up for bidding involve compromising cloud services accounts, with Facebook and Google the most mentioned, he wrote. There are also a fair number of projects asking for help in artificially improving grades.

Tendell, the founder and CEO of Azorian Cyber Security based in Colorado Springs, Colorado, said on Thursday that he's seen Mayer's report.

"His report is accurate," Tendell said.

It's easy to register an account on Hacker's List -- the site lets people use their Facebook credentials to log in -- and see the projects up for bid. Tendell said Hacker's List lets people post any project they want to, which is the reason a high number of illegal ones appear, tainting the website.

But he says that the site's staff reviews pending deals and rejects ones that are illegal. Hacker's List notifies both the hacker and the employer prior to approving a job.

The notice requires identification and signed documentation from both parties attesting that their deal complies with Hacker's List terms of service, which forbids illegal activity.

"If you aren't able to provide that information, we will not complete your transaction, especially if it looks like on the surface it might be illegal," he said.

At one point after the New York Times story, Tendell said they took Hacker's List offline because of the high number of suspicious listings. The sudden attention that came as the result of the story, Tendell said, caught him completely off guard.

Later, they decided to put its content back online and rely on the site's community to flag suspect posts. If a job gets two flags, the staff of Hacker's List -- which is about five people -- will review the post and remove it if it violates the terms of service.

Mayer isn't convinced. "Given that the majority of users are soliciting federal crimes, I'm skeptical that this community would adequately police itself," he said via email.

Hacker's List used to charge a 15 percent commission but has changed its sale model. It charges hackers US$3 to bid on a project and every time they communicate with a potential employer. Employers are charged $0.75 per communication.

Mayer contended that he found only 21 jobs that had been completed, in contrast to the 250 jobs that Tendell told the New York Times had been done.

The calculation is incorrect, Tendell said, as there are many jobs that have been completed but were privately listed and not accessible by Mayer's crawler.

The Hacker's List success stories cited by Tendell revolve more around online reputation management and investigative services than computer security.

One deal involved a woman who needed help getting some negative photos removed from a website, Tendell said. Another involved cyberbullying, where someone wanted to find the identity of the harasser.

Tendell argued that online reputation services would charge far more for those kinds of services than putting a project out for bidding on Hacker's List.

That's actually a strong business case for the site, as there very well may be a need for such freelance services for Internet consumers. But the website's main problem may be how it clumsily presents itself.

It clearly isn't for businesses, as no company would trust people on the site to probe their networks. On the other end, average consumers also aren't going to be in the market for penetration tests or security audits, Mayer said via email.

"Given how lucrative security consulting is, I don't see why a talented white hat would seek sketchy, low-ball offers," he wrote.

And that may be how Hacker's List has ended up where it is today: a large collection of listings from people seeking to change their grades, snoop on an email account or modestly spy on other people, all low-hanging fruit for even an average hacker.

One new posting on Friday offered between $200 and $300 for a task. "Looking to see what someone is getting on his Facebook messages and see if he's cheating on me," it read.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk