Pentagon Seeks a New Generation of Hackers
Posted by ScuttleMonkey on Fri May 22, 2009 01:49 PM
from the just-give-them-places-to-play dept.
Hugh Pickens writes "Forbes reports on a new military-funded program aimed at leveraging an untapped resource: the population of geeky high school and college students in the US. The Cyber Challenge will create three new national competitions for high school and college students intended to foster a young generation of cybersecurity researchers. 'The contests will test skills applicable to both government and private industry: attacking and defending digital targets, stealing data, and tracing how others have stolen it. [...] The Department of Defense's Cyber Crime Center will expand its Digital Forensics Challenge, a program it has run since 2006, to include high school and college participants, tasking them with problems like tracing digital intrusions and reconstructing incomplete data sources. In the most controversial move, the SANS Institute, an independent organization, plans to organize the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data. Talented entrants may be recruited for cyber training camps planned for summer 2010, nonprofit camps run by the military and funded in part by private companies, or internships at agencies including the National Security Agency, the Department of Energy or Carnegie Mellon's Computer Emergency Response Team.'"
Foreigners?? (Score:3, Insightful)
Re:Foreigners?? (Score:4, Insightful)
Re: (Score:2, Interesting)
Re:Foreigners?? (Score:5, Insightful)
Probably not. There are quite a few talented people out there who already spent years to get into "it". Why bother training someone for 2-4 years if you can get someone who already has the skill?
Part of being a hacker is being able to find the resources. So if you want to learn, just do it.
Re: (Score:3, Informative)
Literally any governmental or military job that involves dealing with classified information, requires you to be a US citizen. I imagine this would be no different.
They can't legally accept foreigners (Score:3, Informative)
To work on these systems you'd need to hold a security clearance. It is not prima facie absurd to say that some restrictions could be lifted for Secret-classified networks, but you'd never get them to do Top Secret and Top Secret/SCI because of how incredibly sensitive the data is on those networks.
Gays?? (Score:3, Interesting)
Will they accept homosexuals?
Or is "deviant sexual behavior" only acceptable when done as part of an "enhanced interrogation"?
The fine print (Score:2)
And the winner does not pass "Go", does not collect $200, and goes straight to jail.
Re:Do Not Pass Go (Score:3, Funny)
Thank you. Finally someone with some caution.
"Hey, we'll interrogate Terrorists."
"But we aren't getting any hits sir."
"Okay. Let's hold a contest to find some."
Finally.... (Score:4, Funny)
Angelina Jolie has a legitimate excuse to stop posturing as an actress and can pursue her true destiny... [imdb.com]
Re:Finally.... (Score:4, Insightful)
And remember folks. (Score:5, Insightful)
When they work for you, they're "freedom fighters".
When they work for the other guys, they're "terrorists".
Re: (Score:3, Interesting)
And good luck denying cyber-attacks against other countries with a publicly announced program like that.
Re: (Score:3, Interesting)
> When they work for you, they're "freedom fighters".
> When they work for the other guys, they're "terrorists".
You could also say that When they SAY they work for the other guys, they're "terrorists."
This news isn't very surprising considering that the National Research Council [blacklistednews.com] is pushing for the offensive use of "cyberattack" against enemies foreign and domestic.
It isn't very hard to imagine that they may commit attacks on our own infrastructure in order to get more power and money. Our government has a proven track record of using false flag attacks (see Operation Ajax or the Northwoods documents)
Cybersecurity (Score:4, Insightful)
... a young generation of cybersecurity researchers ... attacking and defending digital targets, stealing data ...
Isn't it funny that whenever there is talk about security it generally means the opposite?
Re: (Score:2, Informative)
> Isn't it funny that whenever there is talk about security it generally means the opposite?
Well, it makes sense. In order to defend a secure system/network, you must first know multiple ways to break into that secure system/network. Posers doing "IT security" jobs that don't know what they're doing are for sure going to drop the ball and get pwned.
outsource it to china and russia (Score:5, Funny)
they seem to have thousands of enthusiastic youngsters who are already hard at work in this very field
I have to say I'm a little frustrated.... (Score:5, Insightful)
I went all the way through a MS CS looking for any opportunity to study computing security and drew nothing but shrugs from my professors when I inquired about seriously studying the subject.
If they really want to produce cybersecurity experts, forget the competitions - you have to make training available. Forget all of the hand waving talk about academics not "having the right mindset". I have found that the kind of people who say such things just don't want to share their knowledge.
Re: (Score:3, Informative)
This is hilarious! (Score:3, Insightful)
The idea that there is "hacking training" or even college is hilarious! Hacking, by definition, means you do things that were not designed to be done. IOW, you hacked them to make them work together. It could be computers...or it could be stereo speakers. They only differ in form.
Things like this can not be taught by books or professors. They are learned by experience and tinkering. There are no shortcuts to b
Re:This is hilarious! (Score:4, Informative)
Things like this can be taught by books or professors.
You start off with ground work on information security, networking, and penetration testing. You learn how things are being protected, how known flaws were exploited in the past, and what traces were left behind.
It's the same steps as being a programmer. The great ones love it, understand it, and spend their free time doing it. The average ones just tread where the great ones have gone before.
Agree to disagree (Score:5, Insightful)
I mean, think about it....many hackers know more about the equipment than the people who actually designed and built it. And you think books are going to teach them to hack it? C'mon....
Methinks you are confusing "security professional" with "hacker". Sometimes they overlap, but not always. I know plenty of INFOSEC guys who don't know a damn thing about hacking. If you were to put them into a room with a real hacker, you would quickly see the hacker run circles around the pro. Now, why would that be?
Riddle me this: IF what you say is true, then why aren't we swimming in hackers all around us? Why is the govt having such a hard time finding qualified applicants? Why aren't there more uber hackers "out there"? After all, if I want to be 1337, all I have to do is go to the right classes and have an active interest. So what is stopping millions of wannabe kids from doing just that?
Re:Agree to disagree (Score:4, Interesting)
Sounds like someone is in love with mythical hackers that don't truly exist or are an extreme rarity.
The idea that the coding and all the underlying skills necessary to "hack" into any system is not teachable is what is laughable. You clearly weren't involved in 2600 if you think there weren't any professors involved. It's mostly academia where all of these people came from. They learned the computing skills in school and took the material above and beyond to try different tasks with the same tools.
My 2600 chapter was full of people from varying backgrounds and professions with a common interest in learning how to do things that others didn't know how to do.
If you know an infosec guy that doesn't know about hacking techniques then I pray for anyone that hires them as they will not be effective at all in their job. How are you supposed to guard against something you know nothing about? The term hacker existed before security researcher because hacker became stigmatized for the few like Kevin Mitnick who caused a lot of havoc and exposed a lot of utter stupidity.
The government is having a hard time finding hackers because most hackers are performing tasks which the government has deemed illegal. This does not a good relationship make. Combine this with the secret nature of a lot of hackers work and they simply don't want to be around authority unless they have just started out. Competitions like this are a way to attempt to change that image but unfortunately with the state of laws nothing will change especially with hackers that try to do the right thing by informing private parties of security vulnerabilities ending up in jail.
Millions of wannabe kids have other interests than computers. The people with the necessary OCD to take it to a level of interest is a very small number of people who tend to be withdrawn from the mainstream making them hard to find and more importantly volunteer to have your background checked.
I was part of Infragard in college until 9/11 happened it was mostly free to all who wanted to learn about infosec from a private infrastructure security standpoint and it was very eye opening. That is until the FBI did a background check after 9/11 and apparently I failed as they asked me not to come back until I had a job in the field even though I had contributed heavily with designing secure networks.
There are tons of books that "hackers" read to learn what they know and the rest is left up to creativity. Make no mistake, the vast majority of skills can and often are taught. My college degree back in 2004 had a network security major along with network engineer and both required a certain amount of programming so you understand what you're trying to manage. Many of those classes were very enlightening even though the real world was dramatically different it still gave me the tools to understand what was happening in real time.
Re: (Score:3, Interesting)
To a large extent I agree with you, but, some courses to give you some of the real basics, history of exploits, tools currently used on both sides, and all, would go a long way in giving you a head start over someone that had
Re: (Score:2, Interesting)
Re:I have to say I'm a little frustrated.... (Score:5, Interesting)
It's pointless to "study" computer security. By the time you're through, you get told "forget everything, it's outdated".
You're looking at a field here that reinvents itself every other month. What you knew 2 years ago is outdated and very near worthless today. 2 years ago, the big craze in security were bogus browser plugins and runtime packers. Nobody does it anymore, all security tools can easily identify and depack them. The thing now is the transition to true P2P updatable malware with digital signatures. Once this is achieved, conficker will look like a toy.
Personally, I give it 3-6 months.
So it's not a matter of mindset. It's a matter of being outdated by the time you learned it.
You're describing education (Score:3, Interesting)
> It's pointless to "study" computer security. By the time you're through, you get told "forget everything, it's outdated".
There's nothing specific to computer security here. In nearly every field, by the time you graduate what you've learned is outdated. The methods have changed, the accepted views and interpretations have changed, the tools have changed. Education isn't about learning the specifics of particular topics, it's about learning how to intelligently and rationally deal with a specific topic.
A computer security course of study could contain examples, such as browser exploits and conficker, but the focus should be o
Re: (Score:3, Insightful)
So, essentially, you say people should learn computer theory, programming (and the pitfalls like memory leaks and bogus data input), assembler language and processor architecture, logic and various tools associated with it?
Gee, I wonder why there's no branch of study for that...
Re: (Score:3, Interesting)
Basically I have a degree in CS. Science, that is, not security. Security came on top of it. Or next to it, depending on how you want to look at it.
I don't know if it would make sense to "teach" IT-Sec in a normal, classroom-style way. A lot of it is tinker and toy, try and error. There's very little in the sense of true and tried, established ways. Mostly because as soon as it's true and tried, it's no longer a security concern. It's known, it's established, it's fixed, it's no longer a security issue. Of
Re: (Score:3, Insightful)
I can understand your frustration, but I hope I can offer some encouragement, too.
Yes, there is a significant difference between the academic and practical sides of things, and they each have their place. I may be biased here, but I feel that the best position is to have one foot firmly in each realm. I work full-time in infosec and I am a part-time university professor (with a Ph.D. in infosec), so I bridge that gap, bringing my practical real-world experience to my students and bringing the benefits of th
Re: (Score:3, Insightful)
A recruiting aid for unclearable personnel (Score:4, Insightful)
When you consider that only a lily-white goody twoshoes can pass the lifestyle polygraph it's no wonder they can't find enough people. They figure if you've ever tried to access any system without the Proper Authority, ever, you're a bad risk. So if you've ever held down two buttons at once on a vending machine to see what happens, you need not apply.
That makes about as much sense as refusing to recruit people into the army because they were in a fight, once.
There is no shortage of people with black hat skills. The problem is that the government does not want all but a handful of those few who are willing to work a job where a routine fuckup can be prosecuted as a felony.
Re: (Score:2)
Um, so what happens? I am feeling a bit peckish...
Re: (Score:2)
> Um, so what happens? I am feeling a bit peckish...
The same thing that happens if you try to ssh to whitehouse.gov. Which is to say, nothing, if the system under test was properly designed and constructed.
Re:A recruiting aid for unclearable personnel (Score:4, Interesting)
They don't want black hats. They're unreliable. Above skill comes the problem that they will deal with sensitive data which must not fall into the wrong hands. Their worst fear is to make the fox guard the chicken pen.
I hear you, though. It's an old joke in the biz, there's good people, there's clean people and there's available people. You may pick two of the list.
Re: (Score:3, Informative)
The purpose of the polygraph isn't to find out if you are lily-white. It is largely to determine if you can be blackmailed. If you are truthful about your "indiscretions", you can't be blackmailed. On the other hand, someone who is willing to lie on a polygraph clearly has some shame issues that could be exploited by a hostile agent. Obviously, admitting to a felony or intent to subvert the government isn't going to get you anywhere.
Game time (Score:3, Funny)
Finally, all those years of watching "War Games" might pay off.
Culture vs Goals (Score:5, Insightful)
What's the hook? What I mean is: why would some high schooler join this program vs the alternatives? -which by the way....are way more fun. Would you really want to hack for some PHB who has TPS Cover Sheets to fill out? I can't imagine a less rewarding situation
This seems like wishful thinking to me. How many "hacker recruiting" programs have we seen/heard about now? I can count 3 or 4 off the top of my head. Methinks they are not having much success finding good hackers.
Re: (Score:2, Interesting)
I think you are playing to some stereotypes of the DoD. Although there are some inefficiently run programs in the DoD (obviously), there are also very efficient and fun programs as well. You'll be surprised how smart and young many managers are in divisions such as these and also where they came from.
There are good reasons to get into the field in DoD like steady pay, good benefits, the feeling of serving your country (for what that's worth anymore) and lastly the resources. I doubt many security firms
Re: (Score:3, Informative)
You're forgetting a few details:
First, there's military contractors to work for, which have a more 'pleasant' attitude. On top of that, the DoD folks in this area aren't exactly your normal "grunt".
Second, the level of challenges are going to be extremely high. You're not trying to break in to some web server set up by a marginally-competent IT guy. You're working against (and with) the best on the planet.
Third, you put a few years in at the DoD, and you come out with a security clearance and very attrac
good identifier of both sides (Score:5, Insightful)
Quite an ingenious move.
While the initiative may seem to foster and legalize what previously have been considered acts of malevolence, it also helps the government to identify and build a register of possible future trouble makers with skills.
This will get them both a great recruitment program, but it will also give them a great monitoring tool.
I'm not pro nor con, just saying. Nice Database of profiles. Do you bite?
Re:good identifier of both sides (Score:4, Funny)
> I'm not pro nor con, just saying. Nice Database of profiles. Do you bite?
Bite? You nuts? I'll hack it, that info is juicy!
Nothing new.... (Score:2)
Yeah - they had this back when I was in high school.
Only, instead of a prize; I got an F in my programming class, threats of expulsion, and had to promise never to use one of the "school's" computers again.
Endless Cycle (Score:3, Insightful)
And so continues the cycle of Slashdot stories of "$ARMED_FORCE is starting a new elite CyberSecurityDefenderProtectUsFromBadGuysSuperForce" and:
1. Former IT folks in the $ARMED_FORCE ranting on Slashdot about how $ARMED_FORCE did nearly everything in their power to make competent IT people leave.
2. $ARMED_FORCE continuing to disqualify those who are over 30 or who have a pasty-faced complexion unbecoming to G.I. Joe.
3. $ARMED_FORCE not wanting to stop using Windows for anything secure.
4. More Chinese hackers putting stupid stuff on $ARMED_FORCE's IIS servers.
Obligatory Good Will Hunting quote... (Score:3, Insightful)
"Why shouldn't I work for the N.S.A.? That's a tough one, but I'll take a shot. Say I'm working at N.S.A. Somebody puts a code on my desk, something nobody else can break. Maybe I take a shot at it and maybe I break it. And I'm real happy with myself, 'cause I did my job well. But maybe that code was the location of some rebel army in North Africa or the Middle East. Once they have that location, they bomb the village where the rebels were hiding and fifteen hundred people I never met, never had no problem with, get killed. Now the politicians are sayin', "Oh, send in the Marines to secure the area" 'cause they don't give a shit. It won't be their kid over there, gettin' shot. Just like it wasn't them when their number got called, 'cause they were pullin' a tour in the National Guard. It'll be some kid from Southie takin' shrapnel in the ass. And he comes back to find that the plant he used to work at got exported to the country he just got back from. And the guy who put the shrapnel in his ass got his old job, 'cause he'll work for fifteen cents a day and no bathroom breaks. Meanwhile, he realizes the only reason he was over there in the first place was so we could install a government that would sell us oil at a good price. And, of course, the oil companies used the skirmish over there to scare up domestic oil prices. A cute little ancillary benefit for them, but it ain't helping my buddy at two-fifty a gallon. And they're takin' their sweet time bringin' the oil back, of course, and maybe even took the liberty of hiring an alcoholic skipper who likes to drink martinis and fuckin' play slalom with the icebergs, and it ain't too long 'til he hits one, spills the oil and kills all the sea life in the North Atlantic. So now my buddy's out of work and he can't afford to drive, so he's got to walk to the fuckin' job interviews, which sucks 'cause the shrapnel in his ass is givin' him chronic hemorrhoids. 
And meanwhile he's starvin', 'cause every time he tries to get a bite to eat, the only blue plate special they're servin' is North Atlantic scrod with Quaker State. So what did I think? I'm holdin' out for somethin' better. I figure fuck it, while I'm at it why not just shoot my buddy, take his job, give it to his sworn enemy, hike up gas prices, bomb a village, club a baby seal, hit the hash pipe and join the National Guard? I could be elected president. "
Re: (Score:3, Funny)
Doubt it will work (Score:3, Insightful)
If you read through the hacker ethic, you will find that it's completely incompatible to the values enforced by any military institution.
Re:Awesome! (Score:5, Funny)
Re:Awesome! (Score:5, Funny)
>If you are asking, you don't qualify.
Exactly. In fact, if you're any damn good, just break into the HR system, insert yourself, and tell the front desk you forgot your badge when you show up for work tomorrow morning.
This now concludes your interview.
Re: (Score:3, Funny)
And if you're the best, you simply give yourself a pension and numerous titles/awards/etc..