Today we publish an article from Cristiana Falcone’s blog. Since 2006 she has been CEO and a member of the Board of Directors of the JMCMRJ Sorrell Foundation, which promotes innovative global initiatives in health, education and poverty reduction to achieve the UN SDG goals.

The Internet will soon be the protagonist of a new revolution: Web 3.0.

Like Bitcoin and NFTs, the next big step in the network’s evolution will come through blockchain, a technology that the author argues makes hacking and stealing personal information especially difficult.

The innovations will mainly involve the ability of websites and Internet pages to collect data on each specific user in order to create a personalized experience with each access.

Web 3.0: will the next chapter of the Internet really be in the hands of users?

The differences between Web 3.0 and its predecessors

The basic version of the Internet, the so-called Web 1.0, consisted of a one-sided interaction between user and content provider: the user could only view content published by the provider, and could change neither its status nor its information, operations that were the sole responsibility of the page administrator.

This type of setup resulted in a static experience, whereby users could view images and content but could not interact with them dynamically.

In the current version, Web 2.0, also called the Dynamic Web, users can instead interact dynamically with Internet applications and pages, creating a more immersive experience that, most importantly, allows them to relate to Web content creators.

Web sites in the Dynamic Web era are, moreover, constantly updated through user feedback, which allows site administrators to correct any problems related to every aspect of a page, from graphics to interactivity to security.

Web 3.0 will be the most advanced form, both in terms of connectivity and in the ability to interact with other users through augmented reality, but there are many open questions.

While the author holds that the use of blockchain will ensure a personalized and, above all, more secure experience for users (thanks to this technology, used by most cryptocurrencies, it will be essentially impossible for hackers and tech giants to access users’ personal information), many wonder what the actual use of virtual reality will be.

After months of promotion by social media giant Mark Zuckerberg, the idea of the “Metaverse” (a virtual universe where users can interact with each other via avatars) has quickly become a reality, and so has the money spent on the metaverse via cryptocurrencies: from the $650,000 virtual yacht to online “real estate” land worth millions of dollars.

What future lies ahead?

It is undeniable that thanks to blockchain, a “decentralized” web will emerge, putting the virtual experience back into the hands of the multitude of users and creating a more democratic, secure and, in particular, desirable web.

The other side of the coin, however, is an innovation in the name of virtual reality that seems aimed at creating a virtual copy of the human experience, inviting millions of people to invest in an online universe that looks like just another face of a consumerism aimed at excess and, above all, devoid of real benefits.

Is this really the future that big tech companies hope for?

Bug hunting: how to learn it and make it a profession

Myths and truths about bug hunting, one of the most mysterious and fascinating specializations in the world of cyber security. All that glitters is not gold, but fun is guaranteed.

The field of cyber security is large and very heterogeneous: a set of specializations and skills so diverse that speaking of “cyber security” as if it were a single occupation is misleading.

Within this varied world of professions and activities, alongside the more celebrated ones such as penetration testing, monitoring, awareness, and so on, there are some less trumpeted ones that enjoy the respect usually paid to what one knows little or nothing about. Among these, for sure, is bug hunting.

What is bug hunting

Of course, it is not a mysterious object. More or less everyone knows that bug hunting refers to analyzing software and hardware in search of vulnerabilities that could otherwise be exploited maliciously by cybercriminals who get hold of them.

Depending on the type of vulnerability detected, the technology in which it is present, and the respective manufacturer, the bug hunter is then remunerated more or less substantially. This creates a virtuous circle in which highly specialized professionals spend their working days analyzing code and devices, developing exploits, and attempting to apply them to confirm their insights.

And in case everything works out perfectly, so to speak, the lavish compensation arrives, hopefully from those who have an interest in fixing that particular vulnerability, although things do not always work out that way.

Going straight to the hunt

Referring of course to ethical bug hunting, let us start by saying that there are several career options. The simplest is to enroll in bug bounty programs and start working right away.

The level of expertise required, however, is medium to high: bug bounty programs attract some of the best talent on the market, and the risk is that they will get there first and unearth the best-paying vulnerabilities.

For the uninitiated, the concept is that those who organize bug bounty campaigns draw up a sort of fee schedule with rewards, which vary greatly depending on the severity of the vulnerability uncovered.

For example, Apple Security Bounty is one of the best paid campaigns, with rewards as high as one million dollars.

Google is less generous, perhaps because it offers many more services than the Cupertino giant and, therefore, the potential number of vulnerabilities is greater. Here, the rewards can reach 30,000 dollars, although in some cases you can land much larger sums. Microsoft? It competes with rival Apple for the best bug hunters, and it too goes up to 1 million dollars.

Bug hunting: what there is to learn

It should be made clear, however, that unearthing these vulnerabilities is a real undertaking, requiring months, if not years, of hard work and very high-level skills. That is why, unless bug hunting is one’s hobby and reason for living, and one devotes a lot of time to it, it is better to cut one’s teeth with a more structured career. A career that, it goes without saying, starts with ad hoc training.

In fact, the skills for approaching the world of bug hunting start from rather classic basics for the cybersecurity industry. In-depth knowledge of Linux is a prerequisite, as is network architecture, with particular reference to the protocols of the various layers of the OSI model, and then in-depth knowledge of the web and web applications.

Unless you also want to consider hardware bug hunting, which requires much more preparation, at this point it is good to learn programming to a good level, if you do not already know how.

Opinions are divided on which language is best, but for beginners the advice is to aim for Python and Go, which offer simple semantics, a huge number of libraries, and a certain vocation for ethical hacking, which after all is the principle on which bug hunting is based. For those with more courage and will, Perl, C and assembly represent a plus that repays the effort.

Having built a solid foundation with these skills, the next step is to tackle the art of bug hunting head-on. There are excellent books that explain it, and among the best worth mentioning are Bug Hunting for Penetration Testers by Joseph Marshall and Real-World Bug Hunting by Peter Yaworski.

Of course, there is no shortage of dedicated YouTube channels, but the only one that shows every aspect of bug hunting as a profession, with all its pros and cons, is that of the excellent Farah Hawa.

The importance of practice

Bug hunting, even more than other cybersecurity specializations, requires lots and lots of practice. While the basics must be solid and understood in every detail, bug hunting also requires experimentation, resourcefulness, and patience, because it happens very often that one “chases” a bug only to realize that it is a flash in the pan, or that someone else has already discovered it in the meantime.

For this reason, it is essential to learn quickly how to evaluate the economics of one’s own activity: it is often better to aim for many small vulnerabilities than for the million-dollar one, and to gain experience in the meantime.

How much do you earn

Speaking of earnings: what can one really aspire to? The figures vary greatly depending on the targets, the commitment and, why not, even luck.

There is no shortage, however, of professionals ready to share their numbers. One of the most famous is Anton “Skavans” Subbotin, who reports having earned 558,000 dollars in his last three years of work: respectively 91,000 in 2019, 229,000 in 2020, and 252,000 in 2021.

Subbotin himself, concludes Cristiana Falcone, is keen to point out that one should not enter this field purely for financial reasons: doing so without any real interest inevitably turns into a disastrous experience.

To be successful, in bug hunting as in any other profession, you need to have fun and be passionate about it.