DHS Seeks "Ethical Hackers" To Protect Federal Net Infrastructure 133
Death Metal sends this excerpt from an AP report:
"General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could 'think like the bad guy.' Applicants, it said, must understand hackers' tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems. In the Pentagon's budget request submitted last week, Defense Secretary Robert Gates said the Pentagon will increase the number of cyberexperts it can train each year from 80 to 250 by 2011. With warnings that the US is ill-prepared for a cyberattack, the White House conducted a 60-day study of how the government can better manage and use technology (PDF) to protect everything from the electrical grid and stock markets to tax data, airline flight systems, and nuclear launch codes. ... Nadia Short, vice president at General Dynamics Advanced Information Systems, said the job posting for ethical hackers fills a critical need for the government."
From the article :) (Score:5, Funny)
How do you prove you're good enough?
There is a secret NSA computer somewhere for potentiial job applicants to leave their C.V. on.
Re:From the article :) (Score:4, Funny)
If you are good enough, they come to you.
Re:From the article :) (Score:4, Funny)
Well....
If you're good enough, they'll never come to you, because they'll never know you exist.
If you're not quite good enough, you've talked too much, or left a trail somewhere you shouldn't have.
Category 2 sucks. Category 1 is the happier place to be.
I fall more into Category 1. I may talk on here, but I don't say enough to show the difference between someone who's full of hot air, and someone who should have a desk in sub-basement 4. You know, the one down the broken stairs, with no lights, behind the door marked "Beware Of The Leopard". At least I get my tan from the warm glow of a half dozen monitors. Too bad they don't let me leave very often.
Re: (Score:2)
You have already said too much, and guys in dark glasses will be knocking on your door any moment. They will be escorting you to a different sort of interview at a "special" facility a nice beach.
Re: (Score:2)
Exactly. 20 monitors for one (huge?) person, in a sub-basement, give a very specific satellite signature. And if not, just follow the smell of bawls/sweat/pizza/hotpockets. ^^
Re: (Score:2)
Nah that means you are too good for them. They want controllable good.
Re: (Score:2)
Yeah, this article was mistagged. No "itsatrap" ;)
Re: (Score:2)
I'd pass any drug test. There's only a decent supply of ibuprofen in my system right now. :) But for 58K/yr, that's not worth it. To match my current pay, I'd have to go in as an O6. If I enlisted, the best I can hope for is an E3. I'm not sure I'd want to get shot at for $9.50/hr (assuming 40 hour weeks). I asked a few recruiters the pointed questions, "Is there any way my pay can match my civilian pay rate?" The lovely answer is always "no".
Re: (Score:2)
If you are good enough they won't come for you because you have hidden your tracks and possibly implicated someone else - hopefully someone that's guilty of something serious anyway.
So this leads to an interesting issue - if someone is pointed out as a hacker is that person really guilty or just a scapegoat?
Re: (Score:1)
Re: (Score:2)
Nah, you're only behind one proxy, and I run it.
Re: (Score:2)
Look into past and then meet and greet after soft approach from a tame academic advisor.
Actually (Score:3, Interesting)
an internal Microsoft job posting for a malware/security research position was done this way.
Hiring manager sends out an email, with an ip address, says there is a chat server listening on a port with a buffer overrun vuln in it. In n days he'll start reading over the resumes left in c:\ on the machine.
Re: (Score:3, Insightful)
Wouldn't people just start deleting the competition?
"Hey, only this one guy left a resume... also, he apparently installed SELinux and closed the buffer overrun vulnerability..."
Re:From the article :) (Score:4, Insightful)
I personally enjoy International Capture The Flag [ucsb.edu]
Re: (Score:2)
I can do electronic recon and intelligence. I don't do hits. Then again, for the right money, with government protection (like, if it's part of my job, so I won't go to prison forever), it's not very hard to make someone disappear.
[tappity][tappity] Inserted airline record for ticket booked to BOG (Bogotá, Colombia) on his credit card.
[tappity][tappity] Inserted boarding pass issued and used.
[tappity][tappity] Inserted customs & immigrat
A useless gesture (Score:2, Interesting)
The only black hats who would be interested in this type of work are script kiddies looking for a legal outlet for their elite skills.
But if these kids are the experts, who is going to develop the hacking tools?
Re:A useless gesture (Score:4, Interesting)
From what I gather the best ones now are the ones that skulk around bank computer networks legally, catch is, if they are any good that are way out of the professionally paranoid price range as well as being a poor psychological fit. Of course there are likely quite a few failures from that market, you know the ones that were quietly let go but still have an untarnished resume. I am sure there is an internal banking security clique that keeps track of these not quite so good.
So they can start their recruiting efforts there, ex-bank computer network almost security 'er' professionals, better 2nd rate than none at all ;D. As for "it's a trap", unless it's for prosecution, it is hardly worth while as one big 'payoff' and you end up with a gaping hole in your digital artery bleeding out secrets like there's no tomorrow. Best bet for finding security flaws, tasty irresistible honey pots http://en.wikipedia.org/wiki/Honeypot_(computing) [wikipedia.org] at every network location, ones with known live monitored states, misinformation and data that can be tracked to the end use location (flagged credit card details etc.), "minefield" ;D.
airline flight systems, and nuclear launch codes? (Score:5, Informative)
Why are those even remotely accessible?
While i see a need for networking ( at least in some cases ) they should be on their own completely dedicated line.
Re: (Score:2)
Re:airline flight systems, and nuclear launch code (Score:4, Funny)
So Obama can clear a runway and launch a nuke from his Blackberry.
Re:airline flight systems, and nuclear launch code (Score:5, Interesting)
Your question is your answer.
You'll find, even in the happiest secure network, there can be a security hole.
Think of this. It shouldn't happen, but I know it has. You have two networks jacks on your wall. One is green. One is red. Unclassified machines can be plugged into the green one. Classified machines an be plugged into the red one. A user who's annoyed that he can't be on both with the same machine, yet has two network interfaces on his PC plugs into both.
Now, your nice secure network has a compromise. If that unclassified machine, on the unclassified network, becomes compromised, they have a nice portal into the classified network.
Just because your network doesn't have any connections to the outside world, doesn't mean you shouldn't treat it as if it has a public IP on the Internet.
What's happened more times than is funny is, some user decides he needs a wireless connection to his laptop, so he can put his laptop on another desk without an extra wire going to it. Since he's just a user, and picked up the AP at a retail store, he may not have set up security. "I'm 10 stories up in a secure building, I have nothing to worry about." Yup, nothing to worry about, until someone sits in the next building with a high gain antenna, and stumbles on the fact that there's an open AP begging for them to come in. Stores have been bitten by this. Schools have been bitten by this. Even banks have. Plenty of companies have had the same problem.
I found a school once that did this. I found their printers very quickly. I installed the drivers for the printer, and printed a simple note. "Your network has an unencrypted access point on it. It is allowing anyone to access your network. Please call your network security administrator to correct this."
I found a casino in Las Vegas did the same thing several years ago. I couldn't get in from outside, but from a legitimately purchased hotel room, I found I had access to every display board in the casino. I logged enough traffic to see how it worked. When I got home, I got a hold of the network security admin for the casino. I sent him the logs, the floor I was on, and exactly what I did. He thanked me for finding the mistake and not taking advantage of it. He said it was fixed within hours of my report. I'm sure it was an oversight when someone else did the install, and no one had ever looked at it as an outside hacker inside the building. Who would bother hack the casino network from a room in the hotel in Las Vegas. Oh ya, and DefCon was 3 months away. :) The only reason I was looking was, they didn't provide internet access in the rooms, and I was hoping to pick up an AP in the lobby or somewhere that was available for guests. Unfortunately, they didn't have one that I could reach the Internet with. No email for 3 days. :)
Always be a good guy. Never be a bad guy. If you find a problem, report it with details. Trust me, the guy who would have gotten fired over it would prefer to know about the problem first so he can fix it.
Re: (Score:1)
Talking to the right guy (Score:1)
When I got home, I got a hold of the network security admin for the casino. I sent him the logs, the floor I was on, and exactly what I did. He thanked me for finding the mistake and not taking advantage of it.
You are very, very, very lucky that he did not report to his management.
The casino is very lucky to have a smart network administrator like him.
---
Trust me, the guy who would have gotten fired over it would prefer to know about the problem first so he can fix it.
You are still very lucky that he didn't let anyone else know. He probably had Caller ID on his office phone. Also, he was able to retrieve Internet email from you.
My only questions: How did you manage to get through all the receptionists/secretaries, and how did you assess that he's smart and non-idiotic?
Re: (Score:2)
I didn't call. I did a whois on their domain. They were nice enough to have a legitimate address for their NOC. I emailed the NOC saying that there was a security problem with their network and that I would like their security admin to write to me. I received a response in about a day.
I did a little research on who had written to me, and confirmed that he appeared to actually be network security for them. He had a good background in network security, after I found his resu
Re: (Score:1)
Thank you for your reply. I'm humbled that you are so willing to help others in your personal and professional time. I'm learning so much from you and everyone else in Slashdot. I hope I can be qualified to pass on the favor one day to other people.
Re: (Score:2)
I salute you.
But what you did is a criminal offence in the US.
You were lucky.
Re: (Score:2)
And what if someone else had done something weird, and the IT guy needed a scapegoat?
What you did was nice, but it was also bloody stupid. Never, ever, ever let anyone know you know of a vulnerability on their network. Doing so is asking to become the scapegoat.
Re: (Score:2)
Re: (Score:2)
You did the right thing.
I did something similar. We were having a weird line problem, so I did a tcpdump connected directly to the uplink. I should have only seen myself. Instead, I saw all kinda of other customers. I was lucky that I had one of their techs on site trying to help with the problem. I was logging everything, so I could review the logs, rather than try to read the dump in real time. I went back through and evaluated it a few different ways with them. It was
Re: (Score:2)
Yeah, like if that hole had let you somehow win the jackpot at the progressive slots, you wouldn't have been seriously tempted to take the money and destroy the wireless card with the incriminating MAC address...
Re: (Score:2)
Nope.
Know why?
Because I'm not very good at being a bad guy. I know how to do it. I also know I'd get caught.
Re: (Score:2)
Actually, I know that.
A lot of computers come with a second NIC, so it's not inconceivable for a cable to be plugged in.
I'm sure they do plenty of proper security. But...... Do we all live in a perfect world? No.
I buy lots of used networking equipment. One piece of equipment in particular was still fully configured for a 3 letter agency. No, not an intelligence agency, a slightly more annoying and less dangerous one. I pulled the config, send
Re: (Score:2)
priorities, priorities... (Score:5, Insightful)
Re: (Score:1)
they're training tens (hundreds?) of thousands of various kinds of soldiers each year, and they're aiming to train only 250 "cyberexperts" a year by 2011?
250 is plenty! I swear, if one more cyber- anything is created, I will rip off my fucking nose. Regular experts will do just fine thank you.
Re: (Score:2)
Re: (Score:2)
they're aiming to train only 250 "cyberexperts" a year by 2011? And this after all the "reports" about russia and china bullying the entire world,
Those "reports" are their primary means of funding these departments. Apparently the PR/FUD hasn't been working so much, probably because the nation's had bigger things on its collective mind for the last year or two.
Re: (Score:1)
Re: (Score:1)
and they're aiming to train only 250 "cyberexperts" a year by 2011?
Combined with the fact that they're probably going to get mostly script kiddies, they should seriously consider ramping their target number up to 640.
640Kiddies should be enough for any government.
Re: (Score:2)
...they're training tens (hundreds?) of thousands of various kinds of soldiers each year, and they're aiming to train only 250 "cyberexperts"...
Everybody always points out that you need less *nix admins.
Re: (Score:2)
How about not cyber soldiers, but true IT professionals who know their field?
Security is not all about the technological side. A major part of security is dealing with social engineering. Another major part is dealing security needs of a department or organization. Security and infrastructure needs of a law firm with 5 workstations and a server are totally different from the security of a multi-location corporate environment. Security needs of a TS facility are absolutely different from an unclassified
Who wants the... (Score:2)
Who wants the politics?
Ooops, politics is the issue. Better shutup before they come and get me.
Civilans Need Not Apply. (Score:4, Interesting)
Too bad they don't provide a link of where to apply.
Worse for some of us is the typical stumbling block for us well skilled civilians who haven't worked for the government yet. I just skimmed through the GD listings for "Defense/Military Intelligence Analysis" and "Information Technology". They all require at least TS/SCI
Since I haven't worked for the government, nor for any company who would sponsor security clearance, I can't even apply for these jobs. It's not that would be excluded. Anything in my history is trivial at best. I've held many secrets. I've ensured privileged data has never been released. I've joked with friends about things I've told them. They say "You can't keep a secret", but I've always responded "Those are the secrets I could tell. You'll never know the secrets I can't."
Us civilians are stuck. We're well qualified for the jobs, but we'll never be considered if we apply for the jobs. This is a perfect example. I spent years intercepting, analyzing, and protecting against people doing "bad things". I'm well versed in what the "bad guys" can do, and used their own tools and methods against myself to ensure my defenses were up to par. For example, it's one thing to know my firewalls can block any unwanted traffic. It's another thing to poke a huge glaring hole in the firewall for myself to attack, and then proceed to attack.
I've posed as an inside attacker. I've posed as an outside attacker. I see what each can get away with, and protected against both.
I won't claim that I know everything. No one does. But people come to me asking "What the hell is this?" and I can give them a practical off-the-cuff response, and a detailed response after a good analysis. Most of the time, they match.
Without the clearance, I'd never be allowed to use these skills for a position like that. I know if I ever got my foot in the door, things would be different. Until then, I do my job well for civilian clients
Then again, none of you know me. Maybe I have TS/SCI with EBI and FSP. If I had it, would you know? :) Bragging rights aside, if I were to announce my clearance, that indicates that I may have access to information that someone may want, which could put myself, my family, my friends, and my neighbors at risk. Don't get too anxious, officially my clearance is "none" and my work history is "civilian". :) I'd like to correct that some day, so if any real recruiters read this, feel free to find me. It won't be hard for you. Check the file for "Smythe, JW (alias)"
Re: (Score:3, Interesting)
Bragging rights aside, if I were to announce my clearance, that indicates that I may have access to information that someone may want, which could put myself, my family, my friends, and my neighbors at risk.
The waters are muddier than that. More often the reasons for something/position being classified carry no such risks. They can, but those are in a minority.
Example:
1976-77 I worked at NASA's Goddard Space Flight Center, in the NTTF** building. I had to hold a Top Secret clearance while working there.
The reason? Some of the parts in my work area were classified.
I was a Logistics Technician, in the Logistics Dept., Yes, basically nothing more than a parts man working behind the parts counter.
The classified eq
Re: (Score:2)
They also get over paranoid about that kind of thing. I was chatting with a guy now working at Cisco who used to work for the CIA. He had Top Secret clearance, which of course made him valuable for Cisco since they could send him on contracting work to classified sites. At any rate he talked about his time at the CIA and how some of the classified documents he read were really stupid. He said that he saw nothing of any substance in the whole thing that he hadn't already heard on CNN. The reason it was class
Re: (Score:2)
Yes embassies around the world burn into stacks of one time pads sending back newspaper clippings. Why? To hide their interest in a topic.
Re: (Score:2)
I knew a lady with a similar situation. She did have security clearance. Why? Because she bolted seats down in fighter aircraft. Well, I'm sure she bolted other parts down too. She had no idea what they did, how the worked, or anything else. She knew to line the bolt holes up, and tighten them down properly. But, she was in a facility with classified stuff, so she needed it.
But, she got her clearance, and I still apply for a variety of positions and get nothing. Oh well
Re: (Score:2)
LOL!
Your point is made, and taken!
Some things have changed, and some haven't the past thirty-some years.
Good luck by the way.
Re:Civilans Need Not Apply. (Score:5, Informative)
Us civilians are stuck. We're well qualified for the jobs, but we'll never be considered if we apply for the jobs.
Your analysis is false. As someone who does not hold a clearance you have a slight handicap because it means that if they hire you, you won't get able to start on the "meat" of the work for a few months while your clearance is processed.. But if your skills are good, then they will hire you and put you on a desk in an unclassified area to get yourself up to speed on as much of the program as is unclassified. I know a lot of people who have done exactly that. You do not have to be ex-military to get a clearance.
Re: (Score:3, Informative)
You do not have to be ex-military to get a clearance.
But it sure as hell helps out.
If the GP has a resume that looks as good as he thinks, some hiring manager at some DOD contractor somewhere will find him a security eligible position while waiting for a TS/Q to come in.
Re:Civilans Need Not Apply. (Score:5, Informative)
Re: (Score:2)
It is quite rare for someone to fail - most people who might tend not to apply. If you do need to go through the process, then don't lie. They don't care if you're gay or smoked pot, but they do care if you have secrets that someone can blackmail you about.
+1 informative. If you fill out the paperwork, list all of your deep dark secrets. And know what you said. At some point you'll be interviewed, and they will ask about all of that stuff. The stories better line up.
Re: (Score:2)
I wouldn't need to lie on the app. The only questionable things on there, I know they already know about. There was some ... well ... annoyances with a foreign citizen in a foreign country. He was mistaken, but he reported me to the FBI. Nothing came of it. I couldn't even get the FBI to talk to me about it, so I know they weren't interested. :)
The rest of my file should be "FBI background check for this" "FBI background check for that". Not exciting stuff, but at least s
FYI (Score:3, Interesting)
Security clearances aren't classified. They are prerequisites to have access to classified material, but the clearances themselves aren't. So if you had a TS clearance, sure we could know. You'd be free to tell us if you liked. You couldn't tell us about the classified material you saw, of course, but the clearance itself would be no secret at all.
As a practical matter there's no way to keep such a thing a secret due to the nature of the SSBI. More or less what they do is talk to everyone you've ever known,
Re: (Score:2)
Re: (Score:2)
I already applied. No response. I have to wonder if it's for the same reason that Intelius wouldn't let me run a background on myself. There's something mysterious in my file(s) that make me either interesting to talk to, or too boring. I try not to think too much about it. :)
Re: (Score:2)
The question is, what is juicier in my opinion? Ok, I'll give one up. :) There is a stretch of road with a few traffic lights that I drive frequently. The speed limit is 45mph. If you leave the first one and get up to 55 pretty quick, you'll roll under the subsequent lights just before they turn yellow, and not stop. If you don't, you spend about 5 minutes going about a mile. :)
And you thought it would be like, former President Bush sleeps with a pink teddy bear. :) Nope
Ethical "Hackers".. of course (Score:5, Informative)
If you are old school, hacking IS ethical, and any damage/profit beyond learning is against the "code".
Amazing how powerful the media is in twisting definitions, public perception and alienating an entire culture.
Re: (Score:2, Funny)
If you to nit-pick, a hacker is a bad golf player.
Amazing how the internet twisted the definition.
Re: (Score:3, Informative)
umm the term hacker predates the commercial internet.
True it doesn't predate people that suck at golf however.
Re: (Score:1, Insightful)
Words, definitions and languages change, get over it.
It's been that way for 1000's of years. Long before the "media" took over.
Re: (Score:2)
I can still bitch about it. Now, get off my lawn!
Re: (Score:3, Interesting)
Beat me to it. However the blame for the misnomer lies not in the media. A benign exploit was called a hack, but a hack causing damage was called a crack. That meant those who performed cracks were initially called 'crackers', a term that already had a racial connotation. They couldn't call them 'crackheads' either. Both the media and 'crackers' adopted the next closest related term.
Kinda sad that it's difficult to find a derogatory name for something because all relevant options are already in widespr
Re: (Score:2)
Keep them Happy (Score:2, Informative)
During the Cold War certain 'Special Forces' were used to entice secrets from many using torture free and very 'personal' interrogation techniques in undisclosed hotel rooms. No amount of technology can stop that unless the hacker has a smart phone implanted to record and transmit everything.
This opens the question of whether there need to be several such persons in separate undisclosed loca
Outsource it . . . (Score:2)
. . . this would be much too expensive for folks in the US to do . . . outsource it to some place like China or Russia.
Re: (Score:2)
Well, if they outsource it to China they will already have experience.
It's a trap! (Score:2)
It's a trap, they just want to know who to watch.
Re: (Score:2)
They where interested in the Amber Chamber, stolen from Russia in WW2 and lost in Germany at wars end.
To flush out new information, a book was written about an out of hours search 'hobby' ie tracking down the Amber Chamber.
They got a huge letter flood back.
Talk of military transports and low rear axles at the end of the ww2 passing by your house in the area of interest?
You got a visit and a long detailed 'chat'.
So yes flushing out people is a very fun skill.
If the DHS is
Tin-foil hat time (Score:5, Insightful)
Has anyone considered this is just another version of the common ploy police use to round up criminals with outstanding warrants? They entice these people using false pretenses, then arrest them when they show up.
I'm not saying this is the case here, but what better way to build up a database of hackers (i.e., possible terrorists)?
its a trap! (Score:2)
who's the good guys? who are the bad ones?
are you sure?
will it be the same tomorrow?
don't trust the gov and DO NOT WORK FOR THEM. you will regret it, either now or later. time has proven that.
"its a trap!"
(sorry)
just get someone who will do it to getout of jail (Score:2)
just get someone who will do it to get out of having to go to jail for being a Hacker.
Re: (Score:2)
What the... (Score:2)
Written by a PHB (Score:4, Interesting)
Clearly written by a technologically illiterate PHB. Any good security person worth his/her salt can think like the bad guy and knows hackers tools. They also know the difference between what the term "hacker" really means and what the knucklehead who wrote this ad thinks it means.
Funny... (Score:2)
...they would be the only people with any ethics in the department. ^^
Quis custodiet ipsos custodes? (Score:3, Funny)
And the DHS will look up and shout "Save our Internets!"
And I'll look down and lol "QQ moar n00b."
Is it really that hard to essentially blacklist entire countries?
Do we really need remote access from .ru, .cn, and .ua? (just to name a few)
FedNet...would you like to know more?
Re: (Score:2)
Is it really that hard to essentially blacklist entire countries?
Technically, no. Politically...
Isn't this a little like... (Score:2)
Re: (Score:2)
It's important to remember that black hats are like gang members in many ways -- and the most important is that the financial motive is often a red herring. I am willing to bet that most black hats worth their salt in the US -- like most gang members -- are in it for the sense of community, the respect, and other non-financial motives. therefore, t
I see a SciFi Channel series in the offing (Score:3, Funny)
Or SeeFee or SuFu or whatever it's called now. Haxx0rz -- Elite hacker Jason St. Phibes and his crew of one rotund recluse, one hot babe genius, and one socially awkward but lovable nerd tackle laptop-wielding Muslims who would threaten our homeland's data and stuff.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
That already sounds too much like Chuck [hulu.com]:
[from the link]
FFS (Score:1, Flamebait)
BTW, if you mod this as troll you are one of the aforesaid wankers.
Hacker Honeypot (Score:2, Insightful)
They don't want to hire them, they want to catch them.
Anyone stupid enough to show an interest will be repaid by having their background and their "back" proctoscoped by the Feds.
Re: (Score:2)
No ethical hacker... (Score:2, Flamebait)
No ethical hacker would ever work for the DHS.
Because DHS ethics is... (Score:2)
... an obvious oxymoron.
Free Advice (Score:2)
You want to keep your system safe from hackers? Don't put it on the public internet. Problem solved.
But no, they'll waste millions on this. Some people will take advantage and build lucrative "careers" with it. Other snake oil salesmen will get their start in life.
We're SAVED!!! (Score:2)
Ten-Hut! (Score:2, Funny)
Linked pdf is not the result of the 60 day study (Score:2)
Watch for a report from Melissa Hathaway, who is leading the effort. The linked .pdf is from GAO and was published 10 March.
Etheical Hacker + DHS = int/0 (Score:1)
What's ethical? (Score:2)
Everyone is ethical, even investment bankers. What's important is are the ethical values a person has.
What they probably mean is they search for people who share their ethical values.
Besides the biggest threat to network security commonly are decisions made by non technical people. If somebody says they want a secure system, but still insists on having Star Office or Microsoft Office or any of those bloated error prone software packages which don't actually do anything for you, you cannot take him seriously
Pick Me Pick me (Score:1)
Ye Gads, (Score:1)
Uh oh... (Score:1)
It's a trap? (Score:2)
So let me get this straight. They want the best hackers in the country to walk right up to their front door and say, "here I am".
Over the last 10 years the tone has been if you even express knowledge in this area, let alone demonstrate capabilities, they do everything possible to lock you up. Considering the erratic and back-stabbing behavior of the current administration I can't imagine that this will be a good career move.
Even if it is a great move and they pay you big bucks, you can probably never leav