U.S. Gov't Sponsors InfoSec Defense Training
Anomolous Cow Herd writes: "CNN is reporting that the U.S. government is awarding scholarships to a select few computer science students to study information security, with the caveat that they must agree to work for a government agency for at least two years afterwards. This is in response to the general state of paranoia that has ensued since 9/11, with 'cybersecurity' as a high priority. Considering that a vast majority of government agencies run on Windows NT and derivatives, it's no wonder that they consider the eventual graduating class of 180 'doesn't have a chance.'"
but I don't know if this is a good idea. Should we really have the LINUX using 14 yr old hackers working with Government secrets like this? Can you really trust illegal hackers like this?
Greetings, for free software!
that usually, many of the most brilliant people aren't that interested in school.
I'd rather see people get scholarships for IT security than for the ability to run fast with an oblong ball.
Granted, the US government runs mainly under Windows systems, but if these students are getting good educations in computer security and are supposedly going to be an influential voice in what the government buys as far as new equipment and such, do you think this will help Linux to be used more in government? I think if this were to happen, it would, consequently, generate great PR among other companies that are concerned with keeping their information secure.
could NT
would NT
should NT
even in severely depressed times in the tech industry security guys can get sh*t loads more money in the private sector.
You can request free computer security training information (mostly on CD) from DISA.
http://iase.disa.mil/eta/index.html
Old news.
http://www.wired.com/news/politics/0,1283,46567,00.html
Yeah, because if they were running some UNIX flavor, their systems would be more secure ah? Just subscribe to some security mailing lists and try to filter out Windows*/UNIX vulnerabilities/exploits.
Quite amazingly you will realise that most of them are UNIX (vast majority Linux, then some HPUX/Solaris/IRIX).
Not a flamebait, but all these creeps that try to bash Microsoft at the first chance really disgust me.
Kisses.
two years and one month after the first class graduates a new consulting firm will be organized because these programmers will realize that they can make 100 times as much by getting hired as outside consultants doing the same job. I don't think that in two years the government is going to get their money's worth. Are they trying to make lifetime employees of the state? It won't work. On the plus side there will be a few happy students with scholarships.
Business News and Resources: www.usasource.net
Couldn't tell whether this was supposed to be an April Fool's joke or not...
SpamNet - a spam blocker that really works
Hi!
My name is Osama Ben Logan and I would like to apply for a scholarship and two years employment managing computer security in a sensitive government facility.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
While the VERY FIRST PARAGRAPH of the article reads:
Ya know what? Other than putting some additional paranoia in the public (and management) mind, infosec has little to do with terrorism. Sure, the politicians like to run around screaming "digital pearl harbor". But the general state of most organizations' infosec stance has been in shambles well before 9/11. And those vulnerabilities mean that these organizations are much more likely to be attacked by a random attack-of-opportunity than a coordinated terrorist activity.
And that includes the US Government. It might go especially for the US Government where "security" is usually dealt with a Cold War mentality. One that has little to do with the current state of information security. Instead, government agencies tend to rely heavily on prosecution (which kicks in well after the damage has been done). Change to this mindset is hampered by limited budgets which make hiring experts (or retaining anyone with the appropriate skillset) difficult. A couple years ago, the FBI even complained to Congress that they could not attract experts in the field due to their uncompetitive pay.
So to wrap it all up. Government computer systems tend to make surprisingly easy targets. This program is part of the awakening and catch-up the government is undergoing on this issue. It has very little to do with terrorism and 9/11. And even the very article referred to states that.
Just thought I'd point out that the NSA has been running similar programs for a while. I actually looked into them when I was in college, but then I realized I was looking at Big Brother and asking for a part in the book 1984... on the wrong side.
On a lighter note, after hearing that Intel is trying to claim the word 'inside' as its own, I decided to do a little investigating as to exactly what is inside. Take a look.
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
God slashdot is slow, shacknews had a story on this yesterday morning...
With security, a hole is a hole is a hole.
You can't take back security breaches after the fact.
The best (and unfixed) MS exploits are now played close.
If a bright graduate says 'be different, pick something less popular' who will heed this advice?
Like Enron, you can add window dressing to fool the masses, and have well paid experts saying safe as houses, but even Cartman knows the real substance of brown stuff.
Here is the link, for example, to the CIA College Intern Page.
so basically, sounds like non news item.
Maybe these are the guys who bugged a student press office at Quaker Campus a while back? Although I mention this with something of a tongue-in-cheek spirit, to be serious, that incident does seem to be more of a local job using Radio Shack parts.
"It is a greater offense to steal men's labor, than their clothes"
/start tangent
Yes, I do believe some terrorists use this so called "interweb" to communicate. I do not believe we are going to be having cyber terrorists hacking into the Pentagon. If they hack into it via the web, well, shame on them for even putting any sort of outside access.
If a cyber terrorist hacks into our missile control system and has it launch missiles at ourselves, we deserve it, because if there is any way for a terrorist to log onto the missile launch programs from their terrorist hideout we should be bombed for our stupidity.
/end tangent
-- Goto Blasto.Net for GOOD, FREE E-Mail, with many names to choose! Really! GO!
I work for the government, and in these times when the economy is still on shaky ground, the job security alone was enough to get me to take the position.
The fact is that IT positions in the government actually pay quite well. Considering the area I live in, my starting salary was quite competitive with what the private sector was willing to pay. Not to mention the famous government benefits packages.
The U.S. government does indeed have a lot of NT servers. The Powers That Be (TM) understand the vulnerability, and apparently are willing to pay handsomely to fix it. In a time of a job market that's uncertain at best, I can think of worse situations than a free education and a 2-yr. job guarantee.
"Ask not what your country can do for you." --John F. Kennedy
It's:
Four years without a remote hole in the default install!
Which is rather awesome for anyone just trying to mess around with BSD or get into the UNIX-variant world. You can just shove in a boot disk, set up your system, install with the default config, and you have an up and secure system. Just add some ip forwarding and whatnot and you already have a personal gateway/firewall for your household.
I completely agree. Call it selling out, but I think working for the SS, FBI, or CIA would be a kickass job. Sure you'd have to "straighten up," but there's job security, and you'd be ~in the know~.
Think about all the gov't secrets you'd have access to!
First time I got to meet the president, I'd go into work wearing this shirt.
Looking for Book Reviews? Check out Literary Escapism.
In other news, Jraxis confesses! He was Wipo all along!!!!1
"Machine code? Huh? Direct memory access? Programs can't do any of that!"
Java is the blue pill
Choose the red pill
Yeah, but the problem with a government job is that the rate of advancement is kinda slow and you'll never get to be head of the company through competence or technical ability.
When I was in college, I found that the overall grade for a course was usually about 50% exams and 50% coursework. The coursework usually involved applying some basic elements of the class that were usually identifiable from the syllabus or the first day's class outline lecture.
The exams were usually well over 80% based on the course lectures, which tended to be an overview of the reading. The better professors threw in some easy nuggets that were never discussed in class, only in the readings. The weaker ones lectured basically the books plus some fill-in material, but the fill in was just glue to give the course some coherency.
I found that I could ace most classes if I wrote an A paper and scored an A on the exam. The work it took to do this involved light reading of research material and great class notes. The actual assigned reading I generally just skimmed to make sure there was no great deviation from the lectures. I seldom if ever actually "read" it, except for literature assignments. Just going to class, writing notes and doing the paper was all it took.
I discussed this with a friend who is a history professor and he said that in undergrad land it's pretty difficult to have significant test material on assigned readings without 2/3s of the class getting Ds or Fs -- even if he announces on day 1 that 50% of the exams will be taken exclusively from readings not lectured in class. He thinks it's legit to do this, but he's gotten flak from department people who say it's beyond the scope of the average undergrad to assimilate meaning from academic readings.
I would assume that serious classes at high-end academic places like Harvard would have lectures that didn't cover the readings AND readings not included in the lectures, making it impossible (without notes from somebody who WAS there) to get more than C if you skipped lectures.
At other schools (mine was a big 10 university), skipping lectures was suicide but skipping the reading was not.
We should not ask whether UNIX is or is not more or less secure than Windows NT, we should ask whether a specific derivative of UNIX can be made more secure than Windows NT can be made.
You are all mainly talking about application level security.
How many exploits are there on Windows NT - for IIS, for LANServer, for other NT services, for hacking the registry?
How many exploits are there for Linux - for Sendmail, for BIND, for telnet and even for SSH?
You mentioned OpenBSD, so let's take some look at OpenBSD. Its DEFAULT install is secure.
What about adding third-party software? What happens, when you've got Sendmail installed, and someone manages to hack uid 0 by exploiting some vulnerability in the Sendmail daemon?
All of these exploits are application level vulnerabilities.
The real problem with operating systems is that they highly depend on application level security. Even OpenBSD is NOT really a secure Operating System - it's just a really secure software distribution.
OSes themselves may not be vulnerable - but their highly privileged applications make them vulnerable.
However, for some derivatives of Unix and specific setups of Unices, this is no longer true, while for Windows NT/2000/XP it is still true - and that is why some Unices actually are more secure than NT, because their OS Kernels offer really strong security below the application level (user space).
Did you ever take a look at Trusted Solaris, at AIX/CMW, or at Argus' Pitbull for Solaris or AIX?
Sure, if some application is vulnerable to being exploited, it will still be vulnerable when running on one of these OSes - but it doesn't matter that much, because these Operating Systems are locked up from inside the OS kernel.
On 'normal' Unices, you simply attack some process, which has root privileges, and all system security is gone because of root's omnipotent superuser privileges.
On the OSes mentioned above, you do not run any process with root-like privileges, because you simply don't need to - instead, you've got a large set of privileges to allow some very specific privileged operations (like using a restricted port or changing the root directory), so what do you want to attack in order to get access to the Operating system itself?
On an Argus-enhanced Solaris box, for example, Sendmail would be running in its own compartment and with the PV_ASN_PORT privilege in its effective privilege set.
If someone would successfully attack Sendmail, he/she would...
a) ...be locked down into sendmail's compartment
b) ...probably lose all of sendmail's privileges when exec()'ing another binary, because the other binary does not have these privileges in its proxy privilege set
c) ...not be able to access configuration files, because they are probably protected by an integrity label
d) ...not be able to read secret information, because MAC's sensitivity label would not allow it
e) ...not be able to gain any further privileges, even if he/she could exploit highly privileged binaries, because these privileges are not in the session's limiting privilege set
Provided that these Trusted Operating Systems are correctly configured, the only way to hack into one of them is to attack the OS kernel itself.
So, how many exploits can you find for the Pitbull-enhanced AIX kernel?
More information:
Trusted Solaris
Argus Systems
kind regards from Austria,
octogen
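A toy model of the containment the post above describes for a compromised Sendmail (items a to e), as an added example that is not part of the original post and is not Argus' or Sun's code. The set arithmetic on exec, the `innate` field, the numeric labels, and every name except PV_ASN_PORT are simplifying assumptions made for illustration.

```python
from dataclasses import dataclass

# Toy model only: the rules below are simplifying assumptions, not the real
# PitBull / Trusted Solaris semantics. PV_ASN_PORT is the privilege named in
# the post; PV_CONSTRUCTED_ADMIN and all object names are constructed.

@dataclass(frozen=True)
class Binary:
    name: str
    proxy: frozenset = frozenset()   # privileges it may inherit across exec()
    innate: frozenset = frozenset()  # privileges it brings itself (hypothetical field)

@dataclass(frozen=True)
class Obj:
    name: str
    compartment: str
    sensitivity: int = 0  # MAC level a reader must hold
    integrity: int = 0    # integrity level a writer must hold

@dataclass(frozen=True)
class Process:
    name: str
    compartment: str
    effective: frozenset
    limiting: frozenset   # session-wide ceiling on privileges
    clearance: int = 0
    integrity: int = 0

def exec_binary(proc, binary):
    """Inherited privileges survive only if listed in the binary's proxy set;
    privileges the binary brings itself are capped by the limiting set."""
    inherited = proc.effective & binary.proxy
    gained = binary.innate & proc.limiting
    return Process(binary.name, proc.compartment, inherited | gained,
                   proc.limiting, proc.clearance, proc.integrity)

def can_read(proc, obj):
    return proc.compartment == obj.compartment and proc.clearance >= obj.sensitivity

def can_write(proc, obj):
    return proc.compartment == obj.compartment and proc.integrity >= obj.integrity

def compromised_sendmail():
    """What an attacker controlling the sendmail process can do, items a) to e)."""
    port = frozenset({"PV_ASN_PORT"})
    sendmail = Process("sendmail", "mail", effective=port, limiting=port)
    shell = Binary("sh")  # empty proxy set: nothing is inherited
    admin = Binary("admin-tool", innate=frozenset({"PV_CONSTRUCTED_ADMIN"}))
    return {
        "own_spool_readable": can_read(sendmail, Obj("mail-spool", "mail")),
        "a_read_other_compartment": can_read(sendmail, Obj("web-data", "web")),
        "b_privileges_after_exec_sh": exec_binary(sendmail, shell).effective,
        "c_write_config": can_write(sendmail, Obj("sendmail.cf", "mail", integrity=2)),
        "d_read_secret": can_read(sendmail, Obj("secret-report", "mail", sensitivity=3)),
        "e_privileges_after_exec_admin": exec_binary(sendmail, admin).effective,
    }

if __name__ == "__main__":
    for key, value in compromised_sendmail().items():
        print(key, "->", value if isinstance(value, bool) else sorted(value))
```
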
The CERIAS program at Purdue University is one of the recipients of this NSF grant. Other recipients include: CMU, and the Naval Post Graduate School. But this isn't necessarily a slam dunk, you still have to be admitted to the program at the school you apply to.
A free education is nothing to sneeze at. Talk to a current grad student who is either teaching a class or picking up his prof's dry cleaning to pay the bills and they will tell you how they wish they could find a funding source like this.
The institutions that received this grant do cutting-edge research in security that will influence the field for years to come. Heck, I'd do it just to go and study w/Spaf.
it's not going to stop until you wise up, no it's not going to stop. so just give up.
Another myth, at least when it applies to government IT jobs.
If I were so motivated to take advantage of it (and I will eventually), there's a government internship program that will pay for most of my MS (as opposed to M$ of course) after 3 years, and would double my salary to a more-than-comfortable level.
The opportunities in the government are there, though sometimes you have to dig for them.
"Ask not what your country can do for you." --John F. Kennedy
Considering the fact that the DOD is a monster bureaucracy with more security holes than Swiss cheese, the task of pinning down info sec is monumental. The manpower required to really get the job done would be 10 fold the proposed graduating class. As a former member of an Air Force communications squadron, I cringe when thinking about the lack of sophistication involved in managing their networks. NT is embraced as the desktop OS of choice but so is it amongst a majority of large corporations. The difference is the backend, also NT based coupled with Novell, or so it was 5 years ago. Network outages were commonplace, I remember one time email and internet access being down the entire day! I wasn't behind the scenes to give actual specifics, but I was close enough to say it was a two-bit operation. Take into account that this sort of operation is found in every squadron (20 or so) on each base and we at the communication squadron were supposed to be the experts. Now take this scenario and apply it to the rest of the bases throughout the world and don't forget to factor in the Army, Navy, Marines, and you end up with a nightmare of a situation.
You can't realistically expect the government to be able to attract top of the line talent in IT security with their traditional job structure.
You know: come in from 9 to 5, have a GS rating with plodding single digit percentage raises each year, put up with a few petty bureaucrats, slug it out for several decades and finally retire well off.
The people they're after are young and don't care about retirement plans, but do care they get paid what they're worth on the open market and don't want supervisors having a cow if they come in 8:05 am.
I think any plan, like this one, that helps to get those talented people into government service is just what the government desperately needs.
It reminds me of people going to medical school on military scholarships and serving a while after their schooling is finished.
"Provided by the management for your protection."
The program only accepts U.S. born applicants; more information on the Iowa State fellowships is available as is information on the program as a whole. Most of the core training at Iowa State is in Computer Engineering classes: CprE530(protocols), CprE531(security), CprE532(warfare/hacking), CprE533(crypto) and CprE534(ethics). If you take a look at the ISU fellowship specs, I think you'll agree that this is a decent way of paying for school and serving your country at the same time. I agree with the previous post that this is basically ROTC for geeks. ;-)
We had the security emphasis full paid scholarship last spring BEFORE 9/11 happened. It's been available for about a year now, however after 9/11 happened the emphasis to get people interested in it increased. It's a brand new program nationwide and at Mississippi State, so I know that it's not entirely the 9/11 'experience' that started the program, since we began school in August and they announced the program in the spring... However 9/11 has definitely fueled the program, funneled more money into it, and increased interest. They give you a ton of money to be in the program, thousands of dollars, however you are required to do so much internship time with the gov't and then you have to go into a gov't security position WHEREVER THEY WANT TO PUT YOU when you graduate. I considered it at first, but I'm not sure it would have been the best route for me personally to take.
At least the gov't is trying to get some better sysadmins into their workforce. Not to insult any gov't sysadmins out there, but it's obvious that they want more people checking each other's work so that there are fewer holes, hopefully/theoretically.
[Something witty and intelligent should have appeared here.]
{Traicovn}
I'm a grad student in CprE/Security at Iowa State, one of the schools administering this program; I was too far along in my studies to apply. Some notes:
1. This started before 9/11. This is not in response to terrorist threats, but rather a real understanding that critical infrastructure is at risk.
2. There are both 2-year fellowships for grad students and scholarships for undergraduates. They cover full tuition, room, board, books and fees, plus a stipend.
3. It works a lot like a ROTC scholarship: we give you two years of support, you owe us two years of work after you graduate. Which in security isn't a bad tradeoff; guaranteed job plus very resume-boosting experience. Yeah, you can make more money elsewhere, but it's a good job.
If you want more information about actually applying, you can look at the program webpage here, or the ISU Information Assurance Program site here.
"This message is composed of 100% recycled electrons."
"This is in response to the general state of paranoia that has ensued since 9/11, with 'cybersecurity' as a high priority."
Yeah, there seems to be no end to the proposals the government has come up with since 9/11. The only problem is, none of them would have stopped the 9/11 terrorists. It's a bit like shutting the barn door after your car has been stolen from the garage.
Don't discount the athletic ability of the CyberCorps!
At the University of Tulsa, we made it to the finals for Intramural Flag Football. However, I don't believe TU's real football team could handle writing an Intrusion Detection System for a Signalling System Seven telecom network. Check us out!
Yes I know this is likely a research facility.
Is this something like the search for Intelligent life in the Universe?
"It is a greater offense to steal men's labor, than their clothes"
This is so horribly inaccurate. Bill Clinton was trying to gather support for Government funded training schools for IT security that mandated Government service afterwards while he was still in office. I never could find substantiate information on it and I assumed it simply got lost at some point.
I don't really see a big correlation to that tragic event and this program, at all. What, is learning how to properly firewall a system going to suddenly make INS and customs capable of keeping known terrorists out of our country? I don't think so. Not *everything* that happens in this country is related to that, you know.
http://about.me/paultenny
Look at the pic in the CNN article -- they look like my grandma and grandpa! Not exactly our typical college students, huh? =P
There's 10 types of people in this world, those who understand binary and those who don't.
Aren't all the REALLY critical systems (defense, air traffic, etc) already air-gapped from public networks like the Internet?
There's 10 types of people in this world, those who understand binary and those who don't.
It is, however worth noting that according to the scholarship program website, the proposal deadline for this scholarship was December 19, 2001. Way to fuck with me on 01Apr, Slashfags.
The fact is that IT positions in the government actually pay quite well.
Perhaps on the low end for unskilled workers, but that's it. I make $90K/year writing Web applications. I got this job last August, well after the dotcom shakeout - I was making significantly more before then. While I was looking for work last year, I checked the government pay scales.
I didn't bother to send them my resume.