One of the best hackers in the US is an AI bot

The Star, 26-06-2025
A hacker named Xbow has topped a prestigious security industry US leaderboard that tracks who has found and reported the most vulnerabilities in software from large companies. Xbow isn't a person – it's an artificial intelligence tool developed by a company of the same name.
This is the first time a company's AI product has topped HackerOne's US leaderboard by reputation, which measures how many vulnerabilities have been found and the importance of each one, according to HackerOne co-founder Michiel Prins. Now, the year-old startup has raised US$75mil (RM317.88mil) in a new funding round led by Altimeter Capital, with participation from existing investors Sequoia Capital and NFDG. It declined to share its valuation.
Security researchers and hackers have long automated parts of their work and AI has shown up as a key tool in the past two years, Prins said. Nearly all human hackers now augment their efforts with AI and there are a handful of firms trying to do what Xbow does – Prins calls them hackbot companies.
Xbow, founded in January 2024 by GitHub veteran Oege de Moor, automates penetration testing, in which hackers try to find security flaws and break into corporate networks. Companies often hire or employ people to do that, called red teams, as a way of improving and protecting their networks and software. But red teaming and penetration testing are costly – US$18,000 (RM76,292) on average and a few weeks of work for a test on a single system, says de Moor – and so it often doesn't get done frequently enough. De Moor wants to sell his product to enable customers to go through the process continuously, or at least more often, and before new products and systems go live.
"By automating this we can completely change the equation," said de Moor, who formerly oversaw Microsoft Corp-owned GitHub's Copilot for AI code generation.
The challenge is that well-financed hackers are also using AI algorithms to automate attacks and increase their frequency at a lower cost. Xbow has "something that works now and it's exciting, but also somewhat terrifying because we are now in the era of machines hacking machines," said Nat Friedman of NFDG, a former GitHub chief executive officer.
De Moor, who also spent two decades as a computer science professor at Oxford University, expects the balance of power to eventually favour defenders using tools like Xbow. "There might be a period of chaos where not everybody gets ready for these AI-powered attacks," he said. Now, "we can, for the first time, have a good hope that defenders can find and fix all the vulnerabilities before a system goes out."
De Moor founded Semmle, a startup for finding security flaws in code that was acquired by GitHub in 2019. Microsoft had bought GitHub the previous year and named Friedman CEO. He wanted to make a series of acquisitions to add new products and entrepreneurial talent.
Friedman and Altimeter Capital partner Apoorv Agrawal said they were looking at ways AI could boost cybersecurity when de Moor began Xbow. "Cybersecurity is going through a credibility crisis. There are a lot of alerts," Agrawal said. What chief information security officers "want is less, not more, they want simplicity and less alerts," he added. "How do you make this work? AI can help."
HackerOne offers a security platform where companies that want their software vetted can offer bounties for finding bugs. There are open programs and ones that are invitation-only; Xbow is active in both. When an AI like Xbow's finds a vulnerability, HackerOne requires a human at Xbow to vet it to filter out AI hallucinations. Then Xbow goes to the company whose product contains the supposed flaw. If that company confirms the issue, Xbow earns reputation points – hackers get more points the more severe the issue.
As part of that work, the Xbow product successfully found and reported security bugs to more than a dozen well-known companies, according to de Moor. The list includes Amazon.com Inc, Walt Disney Co, PayPal Holdings Inc and Sony Group Corp. De Moor declined to name Xbow's current customers except to say they are large financial services and technology companies.
Xbow's team includes GitHub veterans like Nico Waisman, who served as chief information security officer at Lyft Inc, and is now Xbow head of security, and Albert Ziegler, Xbow's head of AI, who worked at GitHub and Semmle.
While Xbow's algorithm does well at finding things like common coding errors and security issues, it does poorly at realising when a flaw results from product design logic. For example, when looking at a medical website it needs to be explicitly told that prescriptions should be kept private, de Moor said. And it won't understand that while a doctor or a pharmacist needs to be able to access the prescriptions of multiple patients, it's a security problem if one patient can see another's meds.
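The prescription scenario above, as an added example that is not code from the article or from Xbow: two handlers that are both valid code, where only the encoded policy ("clinicians may read any patient's prescriptions, a patient only their own") makes one of them a finding. The records, roles and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "patient", "doctor" or "pharmacist" (constructed roles)


@dataclass(frozen=True)
class Prescription:
    rx_id: str
    patient_id: str
    drug: str


# Constructed sample records standing in for a database table.
PRESCRIPTIONS: Dict[str, Prescription] = {
    "rx-1": Prescription("rx-1", "patient-A", "metformin"),
    "rx-2": Prescription("rx-2", "patient-B", "lisinopril"),
}


def get_prescription_unchecked(requester: User, rx_id: str) -> Optional[Prescription]:
    """Caller is authenticated but ownership is never checked: any logged-in
    patient can read another patient's prescription by supplying its id."""
    return PRESCRIPTIONS.get(rx_id)


def get_prescription_checked(requester: User, rx_id: str) -> Optional[Prescription]:
    """Enforces the design rule the article describes: doctors and pharmacists
    may see any patient's prescriptions, a patient only their own."""
    rx = PRESCRIPTIONS.get(rx_id)
    if rx is None:
        return None
    if requester.role in ("doctor", "pharmacist"):
        return rx
    if requester.role == "patient" and rx.patient_id == requester.user_id:
        return rx
    # Deny by default (unknown roles included); the same None as "not found"
    # so a denied caller cannot learn whether the id exists.
    return None


def cross_patient_leaks(handler: Callable[[User, str], Optional[Prescription]]) -> List[Tuple[str, str]]:
    """Policy-driven oracle: the finding exists only because the rule
    'patients see only their own prescriptions' is written down here. Without
    that rule a scanner sees two syntactically fine handlers and nothing to flag."""
    patients = [User("patient-A", "patient"), User("patient-B", "patient")]
    leaks: List[Tuple[str, str]] = []
    for user in patients:
        for rx_id in PRESCRIPTIONS:
            got = handler(user, rx_id)
            if got is not None and got.patient_id != user.user_id:
                leaks.append((user.user_id, rx_id))
    return leaks
```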
In the future, Xbow also wants to add the ability to tell customers how to correct the security flaws and make coding suggestions for those fixes.
Widespread adoption will also require getting customers to change how they work, Altimeter's Agrawal said.
"Whenever there's a sufficiently advanced technology, the last-mile adoption requires a change of workflows," Agrawal said. "It requires a change of people's behaviors that they've been doing for years, sometimes decades." – Bloomberg