U.S. Gov't Sponsors InfoSec Defense Training
Anomolous Cow Herd writes: "CNN is reporting that the U.S. government is awarding scholarships to a select few computer science students to study information security, with the caveat that they must agree to work for a government agency for at least two years afterwards. This is in response to the general state of paranoia that has ensued since 9/11, with 'cybersecurity' as a high priority. Considering that a vast majority of government agencies run on Windows NT and derivatives, it's no wonder that they consider the eventual graduating class of 180 'doesn't have a chance.'"
I'd rather see people get scholarships for IT security than for the ability to run fast with an oblong ball.
You can request free computer security training information (mostly on CD) from DISA.
http://iase.disa.mil/eta/index.html
On what basis do you make that statement? The most brilliant people almost always look for intellectual challenges and you are much more likely to find those challenges in an academic setting (because that's the point of them). Certainly some very intelligent people burn out and drop out of school but they generally do not live up to their potential intellectually, despite the fact that they may well have a much more satisfying life.
In reality, most of the really brilliant people in this world are professors in universities (note that the reverse is not necessarily true however).
While the VERY FIRST PARAGRAPH of the article reads:
Ya know what? Other than putting some additional paranoia in the public (and management) mind, infosec has little to do with terrorism. Sure, the politicians like to run around screaming "digital pearl harbor". But the general state of most organizations' infosec stance has been in shambles well before 9/11. And those vulnerabilities mean that these organizations are much more likely to be attacked by a random attack-of-opportunity than a coordinated terrorist activity.
And that includes the US Government. It might go especially for the US Government, where "security" is usually dealt with using a Cold War mentality. One that has little to do with the current state of information security. Instead, government agencies tend to rely heavily on prosecution (which kicks in well after the damage has been done). Change to this mindset is hampered by limited budgets which make hiring experts (or retaining anyone with the appropriate skillset) difficult. A couple years ago, the FBI even complained to Congress that they could not attract experts in the field due to their uncompetitive pay.
So to wrap it all up. Government computer systems tend to make surprisingly easy targets. This program is part of the awakening and catch-up the government is undergoing on this issue. It has very little to do with terrorism and 9/11. And even the very article referred to states that.
Just thought I'd point out that the NSA has been running similar programs for a while. I actually looked into them when I was in college, but then I realized I was looking at Big Brother and asking for a part in the book 1984... on the wrong side.
On a lighter note, after hearing that Intel is trying to claim the word 'inside' as its own, I decided to do a little investigating as to exactly what is inside. Take a look.
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
that usually, many of the most brilliant people aren't that interested in school
Certainly, some intelligent people don't get formally trained. A lot more do.
There is much less correlation between brilliance in academic success and commercial success - a lot of bright people have relatively ordinary jobs. It depends on what they want out of life.
So I don't think that this would deter all the prospective applicants for such a scheme, even though I would value my freedom more than that. Then again, I didn't really have any financial problems through Uni.
If it gives people an opportunity that they might not otherwise get, 2 years of work isn't a bad deal.
My 2c worth
Michael
There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
The difference is that all of the Linux/BSD exploits are out in the open, and a large percentage come from people looking at the source code and going "oops!".
Whilst I know the "many-eyes" theory isn't as good as many people think, I'm sure that the average line of code in an open source app gets more eye time than the average line of code in a proprietary, closed source one, so we find a higher percentage of our security problems. Now, just what percentage of security issues do you think that Microsoft et al actually openly admit to? I don't think there have been more than a couple of occasions where Microsoft has said, without someone sticking the proverbial gun in their back, hey - security issue, we fess up, come and get the fix. Do you believe they don't find many more? Sure they do, they either just ignore them or quietly fix them and slip it in a service pack.
Quite clearly you can't compare the numbers just by taking them at face value. Filter out all those with "theoretical exploits" for a start. Next, take out all the duplicates - a patch released by RedHat may be for an identical issue to one released by SuSE and Mandrake - how many times did you count it? One? Three? Or do you just look at one distro? Which one? The one with the most patches - maybe they're really good at looking for problems and putting out fixes, on the other hand maybe they really screwed up the original release. The one with the least patches? Probably not paying attention.
Now a more interesting exercise would be to have a couple of groups of security experts sit down for a few months with the complete source of a recent Linux system and that of WinXP and tot up the number of security issues they can come up with. How about an independent study: draw up a set of rules, have MS put up 50% of the money and one (or more) Linux companies put up the other 50.
Stealing a rhinoceros should not be attempted lightly.
Actually, a large portion of security holes in MS software are fixed before there is an exploit. The problem is the few that aren't get lots of press, and people don't install the patches, and MS still gets the blame. The CodeRed worm is a perfect example. There was a patch available months before CodeRed was even heard of, but people didn't install it, and now everyone points to CodeRed as the perfect example of MS vulnerability.
I'm not saying MS is perfect by any stretch, but check out how many security fixes they offer and compare it to the amount of tools for exploiting them. You'll find most holes are fixed before there is an exploit for them available.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
/start tangent
Yes, I do believe some terrorists use this so-called "interweb" to communicate. I do not believe we are going to be having cyber terrorists hacking into the Pentagon. If they hack into it via the web, well, shame on them for even putting in any sort of outside access.
If a cyber terrorist hacks into our missile control system and has it launch missiles at ourselves, we deserve it, because if there is any way for a terrorist to log onto the missile launch programs from their terrorist hideout we should be bombed for our stupidity.
/end tangent
-- Goto Blasto.Net for GOOD, FREE E-Mail, with many names to choose! Really! GO!
I work for the government, and in these times when the economy is still on shaky ground, the job security alone was enough to get me to take the position.
The fact is that IT positions in the government actually pay quite well. Considering the area I live in, my starting salary was quite competitive with what the private sector was willing to pay. Not to mention the famous government benefits packages.
The U.S. government does indeed have a lot of NT servers. The Powers That Be (TM) understand the vulnerability, and apparently are willing to pay handsomely to fix it. In a time of a job market that's uncertain at best, I can think of worse situations than a free education and a 2-yr. job guarantee.
"Ask not what your country can do for you." --John F. Kennedy
The program only accepts U.S.-born applicants; more information on the Iowa State fellowships is available, as is information on the program as a whole. Most of the core training at Iowa State is in Computer Engineering classes: CprE530 (protocols), CprE531 (security), CprE532 (warfare/hacking), CprE533 (crypto) and CprE534 (ethics). If you take a look at the ISU fellowship specs, I think you'll agree that this is a decent way of paying for school and serving your country at the same time. I agree with the previous post that this is basically ROTC for geeks. ;-)
Also, all classified systems run only on Trusted operating systems and software, which meet criteria for a specific level in the Orange Book from the NSA. According to this, the latest version of Windows that was certified is NT 4.0 with SP 6a and the C2 update, in Nov 1999.