Pentagon Seeks a New Generation of Hackers
Hugh Pickens writes "Forbes reports on a new military-funded program aimed at leveraging an untapped resource: the population of geeky high school and college students in the US. The Cyber Challenge will create three new national competitions for high school and college students intended to foster a young generation of cybersecurity researchers. 'The contests will test skills applicable to both government and private industry: attacking and defending digital targets, stealing data, and tracing how others have stolen it. [...] The Department of Defense's Cyber Crime Center will expand its Digital Forensics Challenge, a program it has run since 2006, to include high school and college participants, tasking them with problems like tracing digital intrusions and reconstructing incomplete data sources. In the most controversial move, the SANS Institute, an independent organization, plans to organize the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data. Talented entrants may be recruited for cyber training camps planned for summer 2010, nonprofit camps run by the military and funded in part by private companies, or internships at agencies including the National Security Agency, the Department of Energy or Carnegie Mellon's Computer Emergency Response Team.'"
Re:Foreigners?? (Score:2, Interesting)
Re:And remember folks. (Score:3, Interesting)
And good luck denying cyber-attacks against other countries with a publicly announced program like that.
Re:And remember folks. (Score:3, Interesting)
When they work for you, they're "freedom fighters".
When they work for the other guys, they're "terrorists".
You could also say that When they SAY they work for the other guys, they're "terrorists."
This news isn't very surprising considering that the National Research Council [blacklistednews.com] is pushing for the offensive use of "cyberattack" against enemies foreign and domestic.
It isn't very hard to imagine that they may commit attacks on our own infrastructure in order to get more power and money. Our government has a proven track record of using false flag attacks (see Operation Ajax or the Northwoods documents) or exaggerating attacks on us (Gulf of Tonkin). This is even more plausible considering there would probably be no loss of life.
I'm not saying this is happening but given knowledge of previous examples it would be best to be skeptical of the government's claims.
Re:I have to say I'm a little frustrated.... (Score:2, Interesting)
Re:I have to say I'm a little frustrated.... (Score:5, Interesting)
It's pointless to "study" computer security. By the time you're through, you get told "forget everything, it's outdated".
You're looking at a field here that reinvents itself every other month. What you knew 2 years ago is outdated and very near worthless today. 2 years ago, the big craze in security was bogus browser plugins and runtime packers. Nobody does it anymore, all security tools can easily identify and depack them. The thing now is the transition to true P2P updatable malware with digital signatures. Once this is achieved, conficker will look like a toy.
Personally, I give it 3-6 months.
So it's not a matter of mindset. It's a matter of being outdated by the time you learned it.
Re:A recruiting aid for unclearable personnel (Score:4, Interesting)
They don't want black hats. They're unreliable. Above skill comes the problem that they will deal with sensitive data which must not fall into the wrong hands. Their worst fear is to make the fox guard the chicken pen.
I hear you, though. It's an old joke in the biz, there's good people, there's clean people and there's available people. You may pick two of the list.
Re:Culture vs Goals (Score:2, Interesting)
I think you are playing to some stereotypes of the DoD. Although there are some inefficiently run programs in the DoD (obviously), there are also very efficient and fun programs as well. You'll be surprised how smart and young many managers are in divisions such as these and also where they came from.
There are good reasons to get into the field in DoD like steady pay, good benefits, the feeling of serving your country (for what that's worth anymore) and lastly the resources. I doubt many security firms have a thousandth the resources of various DoD departments. Some server farms were built for simulation or something like that, and instead of getting rid of them when the program is over, they just give the rights to the whole farm to other programs. So in the end you get some ridiculous power for really zero cost.
Granted I don't know how well these programs will work. Everyone I know in the field in the black world got there through word of mouth ("so... I know this guy" sort of stuff).
Gays?? (Score:3, Interesting)
Will they accept homosexuals?
Or is "deviant sexual behavior" only acceptable when done as part of an "enhanced interrogation"?
You're describing education (Score:3, Interesting)
It's pointless to "study" computer security. By the time you're through, you get told "forget everything, it's outdated".
There's nothing specific to computer security here. In nearly every field, by the time you graduate what you've learned is outdated. The methods have changed, the accepted views and interpretations have changed, the tools have changed. Education isn't about learning the specifics of particular topics, it's about learning how to intelligently and rationally deal with a specific topic.
A computer security course of study could contain examples, such as browser exploits and conficker, but the focus should be on the more abstract concepts. Ideally, if you understand computer security, you will be able to deal with whatever the current craze is.
Re:This is hilarious! (Score:3, Interesting)
To a large extent I agree with you, but, some courses to give you some of the real basics, history of exploits, tools currently used on both sides, and all, would go a long way in giving you a head start over someone that had to search, research and find out everything till they got to the stage of trying new things.
I'd think formal teaching of many things and basics could shortcut some of the early grind work, and get you on the productive path a bit quicker, no? At least unless you are one of the super elite that borders on genius and can learn everything VERY quickly, etc.
Re:You're describing education (Score:3, Interesting)
Basically I have a degree in CS. Science, that is, not security. Security came on top of it. Or next to it, depending on how you want to look at it.
I don't know if it would make sense to "teach" IT-Sec in a normal, classroom-style way. A lot of it is tinker and toy, try and error. There's very little in the sense of true and tried, established ways. Mostly because as soon as it's true and tried, it's no longer a security concern. It's known, it's established, it's fixed, it's no longer a security issue. Of course there are perpetual security problems like social engineering and users (and their "human" shortcomings), but you'd probably be learning more from a psychology or (don't laugh) marketing course (seriously, it's all about "motivating" people to do what you want). On a technical side, most of what you need to know can be taken from computer science classes. You need some understanding of protocols and computer architecture, you probably should know a bit assembler, the rest is mostly coming up with ideas.
And reading the papers others publish. Reading. Reading more. Reading a lot more. Understanding them (which in turn requires little more than what's taught in CS classes). Repeating their steps. Gaining more insight. Building on top of it. Sometimes you get an idea, you look at it from an angle that the original writer didn't have in mind, you come up with something new, you publish it as well, you build a reputation.
Which leads to another aspect, being able to get into contact with others who do the same. Being in a company that deals with IT security can help but can just as well be a huge burden (because, for obvious reasons, a lot of people won't want to talk with you anymore if it gets out). Mostly it depends on what path you want to take.
From my point of view, half of that can't be taught in a standard classroom environment, the other half doesn't really need it. What makes IT security so interesting and so hard to teach at the same time is that it's mostly a matter of inspiration and ideas, not so much of standard approaches to a problem. If there was a standard approach, it would have been eliminated ages ago.
Re:Agree to disagree (Score:4, Interesting)
Sounds like someone is in love with mythical hackers that don't truly exist or are an extreme rarity.
The idea that the coding and all the underlying skills necessary to "hack" into any system is not teachable is what is laughable. You clearly weren't involved in 2600 if you think there weren't any professors involved. It's mostly academia where all of these people came from. They learned the computing skills in school and took the material above and beyond to try different tasks with the same tools.
My 2600 chapter was full of people from varying backgrounds and professions with a common interest in learning how to do things that others didn't know how to do.
If you know an infosec guy that doesn't know about hacking techniques then I pray for anyone that hires them as they will not be effective at all in their job. How are you supposed to guard against something you know nothing about? The term hacker existed before security researcher because hacker became stigmatized for the few like Kevin Mitnick who caused a lot of havoc and exposed a lot of utter stupidity.
The government is having a hard time finding hackers because most hackers are performing tasks which the government has deemed illegal. This does not a good relationship make. Combine this with the secret nature of a lot of hackers' work and they simply don't want to be around authority unless they have just started out. Competitions like this are a way to attempt to change that image but unfortunately with the state of laws nothing will change especially with hackers that try to do the right thing by informing private parties of security vulnerabilities ending up in jail.
Millions of wannabe kids have other interests than computers. The people with the necessary OCD to take it to a level of interest is a very small number of people who tend to be withdrawn from the mainstream making them hard to find and more importantly volunteer to have your background checked.
I was part of Infragard in college until 9/11 happened it was mostly free to all who wanted to learn about infosec from a private infrastructure security standpoint and it was very eye opening. That is until the FBI did a background check after 9/11 and apparently I failed as they asked me not to come back until I had a job in the field even though I had contributed heavily with designing secure networks.
There are tons of books that "hackers" read to learn what they know and the rest is left up to creativity. Make no mistake, the vast majority of skills can and often are taught. My college degree back in 2004 had a network security major along with network engineer and both required a certain amount of programming so you understand what you're trying to manage. Many of those classes were very enlightening even though the real world was dramatically different it still gave me the tools to understand what was happening in real time.
Re:I have to say I'm a little frustrated.... (Score:2, Interesting)
So what should be taught in a computer security course?
You're assuming that we're only talking about breaking computer security. How about:
-Security models, such as the reference monitor concept and access control methods.
-Formal methods for verification.
-The history of computer security development, so you don't reinvent the wheel (happens all the time).
-Risk assessment and mitigation.
-Legal and policy frameworks.
-Methodologies for reverse engineering and disassembly.
-Proper implementation of cryptology (hint: anyone who writes their own crypto module is either an idiot or a genius).
-Managing and training end users.
-Secure lifecycle management.
As you stated, all of these elements build on the more general CS fundamentals, but we can't assume that they will be automatically inferred by students. This is where education should introduce us to ideas that we may not encounter or generate on our own. There is more to computer security than just blocking ports and running signature-based detection software.