Slashdot Mirror
DOD Kicks Up Cybersecurity Efforts
codingOgre writes "The US Army will try to secure an entire computer network against a team led by the NSA. They are cadets at West Point competing against military academies and other schools in a four-day Cyber Defense Exercise this week. I would have to think that this would be a lot of fun! I would like to see what the NSA and friends could throw at my network, although one would think they wouldn't reveal all their cards...like the backdoor into any Windows box :)" In a related story, jkinney3 writes: "The feds are wising up to the needs for a verifiable, secure code base for all of the DOD stuff, according to Government Computing News. A proposed solution 'would create a single executive organization responsible for software integrity and information assurance.' Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate, said 'DOD possesses so many millions of lines of code in countless thousands of packages, that it would take years of effort and millions of dollars just to identify what was developed where.' I'm envisioning a lot of Bugzilla installations."
Is this why all those US bank notes say "IN DOD WE TRUST" on them?
They'll be unplugging the network. NSA probably has a work-around, though.
Username is joshua, and you don't need to enter a password.
Nowhere in the article does it say that the computers have to be on.
If anyone has enough money to be able to afford Macs, it's the government/military. :-)
The NSA will never break into those.
It sounds like a CTF match, except via the government. I somehow doubt they'd publish packet dumps and such of the event, but that'd be even more interesting. Kudos to the nsa/dod for trying to ensure some of our vital infrastructure is secured from attack.
:(){
While we would like to thank you for participating in our security test, we can not further report on this event due to National Security, and we humbly request that all key loggers, camera phones and recording devices remain in the safe hands of our NSA coat-check-girls (for fine tuning).
The dangers of knowledge trigger emotional distress in human beings.
Yessir.
The Army reading list
This will just make it easier for them to get the "secret" US backdoor into all software and have everyone consider it "trusted".
Combine this with the the DMCA and the "Trustworthy Computing" Palladium BIOS and nobody that teh **AA doesn't want running systems will be able to run systems. This is truly a sad day for privacy and security. Our boxen our no longer ours.
Those who would give up freedom for security deserve neither.
-- Paul Revere
I hope this is a path the military will continue to follow. Security is vital when you come to rely heavily on intelligence. Lets just hope the dont stop here and take this as a serious effort.
It would also be interesting to see which OS allows the "red team" to infiltrate the network.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I'm sure we all remember the LAST time some snotty smart punks hacked into a military computer!
"Hello Professor Falken. Would you like to play a game?"
*shudder*
Firewall it with OpenBSD, use pf's packet cleansing option. Ta-Da!
Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail.
Isn't this how most corporate networks are taken down? BTW, I can't access the intranet.
They'll probably just install Norton Internet Security.
What do we have for the runner-ups John?
Where the fun is
Isn't it great that our money isn't going to protecting us from REAL dangers!
You mean like all those weapons of mass destruction that Iraq had?
We get random netbios traffic from the DoD all the time... looks like something is not locked down over there. Either that or they are scanning other government agencies for open windows computers. hmmmm.
Not to beat a dead horse here, but can we stop calling this "hacking"? Cracking, yes.
Thank you for your time.
.
Ahh yes I do love these challenges.
The great thing is although the NSA can probably
get into most things, we can still slow them down.
And there's always self distructing media and files..
Swallowable hard disks!,
logic bombs!!..
Hmmm, I guess he's run out of cheap ways to get attention. Maybe he could quit the AAA or the Subway Sub Club, or something like that.
What I'm listening to now on Pandora...
Compromised information systems are a real danger. Especially in the military where good vs. bad information can mean the difference between bombing an enemy position, or the Chinese embassy.
As the post states, I don't think NSA will reveal all methods.
DOD: could you sec-test our network?
NSA: sure.
NSA: we've found these holes
DOD: fixed
DOD: hey, now even you guys can't get in!
NSA: Doh!
No electrons were harmed sending this message. Wait,
Cyber warfare, a subset of classic information war that goes back as far as ancient Chinese military strategist Sun Tzu, has pushed its way into U.S. military curricula as the Internet has become pervasive.
Sun Tzu say "try asking them for their passwords, maybe offering a bar of chocolate in return."
---
"I did nothing. I did absolutely nothing and it was everything that I thought it could be."
Now that they've got a disgruntled former employee, the CyberSecurity corps of Homeland Security will turn their eyes on all unpatriotic Americans who can get TV time. And the rest of us will drown in emailed PIF viruses.
--
make install -not war
but can you just shupt up?
The US Army will try to secure an entire computer network against a team led by the NSAh a- ha-ha-ha-ha... eeeeeh ... -ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha!!!
Ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-ha-hoho-ha-ha-ha-
Hey, does anyone recall the NSAKey symbol that leaked on a debug version of a DLL in NT 4? (Was that GINA.DLL?) I wonder if it's still in there in later versions...
Those who can, do. Those who can't, consult.
It is good to see the issue of computer security intelligently approached.
It is much better to harness the natural competitiveness and curiosity of your geeks than to suppress it by any means possible and depend on security by obscurity.
"He is no fool who gives what he cannot keep in order to gain what he cannot lose."
...but I'm sure the NSA will try to hijack the EM transmissions at the endpoints. Of course, the military is quite aware of that, but your average computer installation probably wouldn't be safe simply by disconnecting the network...
Kjella
Live today, because you never know what tomorrow brings
A sargent is pacing in front of a line of soldiers at attention, bellowing, "I've never seen such a sloppy outfit! Dictionary passwords on the root filesystem - open NetBIOS ports on the security gateway!!"
try { do() || do_not(); } catch (JediException err) { yoda(err); }
that is based on the simple premise of limiting the impact that any attack can possibly have instead of trying to do the impossible and prevent all attacks. So, how do they do it? Simple really. In fact, its so simple that is even be accidental. Their systems are so diverse, numerous, both antiquated and modern at the same time, that even they don't know what they have. Much of the time, there are several completely separate systems based on different technologies from different decades that can be chosen at will by a commander to do any particular task. And even if the systems are up and using some common basis for attack such as MS Windows, the chances of any given system being available on a network at any point in time are probably less than 50/50 because their networks SUCK. So, the attack would have great difficulty spreading before detection. Once detected, they tend to just shut down all of the links. So, as long as they don't get stupid and standardize, fix and catalog everything, any concentrated attack can only have limited effects.
Hmmm. But it looks like that may be just what they are thinking about doing... :o)
...any chocolate bars.
post a link to the webserver on /. that ought to be a good stress test.
Unfortunately exercises like this show how our conventional approach to warfare (cyber- or human-) is doomed in the world of increasing unconventional war tactics.
With a network or a piece of land, actively defending against a known enemy in a known timeframe is fairly easy. You know the rules for engagement, you can easily account for all the possible outcomes.
Putting processes in place to defend against undeterminable attackers in an indefinite timeframe approaches the impossible. In a network, all it takes for hostile code to infiltrate is one human error (i.e.: a race condition when a firewall ACL changes). Same with terrorism: all it takes is a few people with flight training and box-cutters to do some serious damage. There are no rules of engagement.
Put another way, conventional warfare (again, cyber- or human-) is like a chess tournament. Predictable rules. For the unconventional, imagine someone winning a chess tournament by pulling out a gun and shooting the opposing player.
_______
2B1ASK1
Actually, I don't think it will be much fun at all, simply because I don't think there is any chance either side will reveal any cards. No doubt there will be some already published exploits and/or configuration gaffes that will be used. But I doubt anything new will come out of this.
I would propose the army build a virtual sandbox in which to run applications safely - in the sandbox - external requests go through a mother-may-i query in which a real user - or a centralized database is queried as to the permissabiity of (deleting the file "some file x") etc. Once the application has run for a period of time under scrutiny - the repetitious requests can be quashed, and only new requests for external data raise flags - managing a list of valid external requests should be much more practical than line by line audits for buffer overrun opportunities on a billion lines of code.
my 2c
AIK
Wait. It was only for military? Uh...Nope, wasn't me. Hold on a sec'. Someone's at the door. DD0002111873A627F87DDE13B{}}|{|{00000000[NO CARRIER]
But why is the rum gone?
Who wants to bet that the cadets focus on electronic security and completely neglect the physical aspect?
I'm picturing the NSA splicing into cabling, doing some social engineering, kidnapping a sysadmin, etc.
... I personally find that Windows boxes are the hardest to crack, because every time I'm about to get in, the damn thing crashes and the victim reboots and I lose all my work. And then when I finally manage to get on the system, it crashes again, usually when I'm halfway done stealing his copy of Massive Zoomers and the Ladies Who Love 'Em 4. Arrrghghghghhhh!
It's just not worth it, the patented Windows BlueScreen Security System[tm] is foolproof. I'll take the easier road and stick to hacking OpenBSD boxes.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
"I would like to see what the NSA and friends could throw at my network" One could suppose the poster has skills in security, and is somewhat proud about it. yet ...
"into any Windows box :)"
Here is how you win:
...at the US Army cyber HQ...
NSA phone rings...
NSA-Person: "hello?"
Caller: "This is the deputy secretary for Condoleezza Rice. We are having a problem viewing the 'cyber war game' and are sending someone over right away."
NSA-Person: "umm, that isn't possible sir..."
Caller: "Listen son, This comes right from the top. Do you want to find yourself cleaning the latrines in the chinese resturaunt down the street?"
NSA-Person: "well, umm, no but.."
Caller: "No buts! We are sending our personal network specialist over to fix the problem. You will let him do his work or you will answer to me!" hangs up the phone
US Army Guy: "Well boys, were in..."
~SpermanHerman
I thought Common Criteria was something already is use to address some of these issues.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
What is that any operating system that is NMCI compliant?
The Navy as I understand it is heading for a completely monoculture network. Worse yet that monoculture is brought to you by the folks from Redmond. You can expect a few more ships towed into port.
The requirements specify using Exchange, but otherwise we're free to use whatever operating systems we want
That's nice, but I understand the Linux version of Exchange has been delayed, so you'll have to run Exchange under WINE for the time being.
My money is on using social engineering techniques to determine everything possible before launching an attack.
Even the attack itself would be more successful if it were tripped by an insider doing something stupid (clicking on an Outlook attachment with some local context softcore pr0n hint).
Given the current software environment, it's the people that leak like sieves.
"Provided by the management for your protection."
... all the Army has to do is call in an airstrike on the NSA team: "All systems secure, SIR!!"
A C-130 gunship will halt a DOS attack PDQ.
Does anyone happen to know if social engineering is allowed, or is this just a technical attack?
I would wager than any social engineering would a) be more likely to succeed, and b) be also more likely to occur in the real world. But it's less quantifiable too.
--
$tar -xvf
In related news, the stock prices of Alcoa and Reynold's skyrocketed by over 30 points each as the American public finally came to the realization that the military DOES know how to monitor all networks in real time and IS actively watching the populance using exploits that they DON'T tell anyone else about.
+++ATHZ 99:5:80
This has been going on each year for almost 10 years now. Each of the "official" military academies compete, and the best team wins the NSA Information Assurance Directorate Trophy. In the past Army, Navy, and Air Force have all done quite well, while Coast Guard has not.
Contrary to popular belief, the NSA Red Team isn't allowed to use any of the NSA arsenal of dirty tricks. They are only allowed to use software that is freely available off the internet (NMAP, snort, etc.) running on commodity hardware. They can't do anything that violates Federal Law, (other than the intrusion attempts themselves), but social engineering is ok.
Also, break-ins are not an automatic loss, per se. Nor is prevention of break-in an automatic win. The goal of the Red Team is DoS. For every minute a service remains down, the Red Team scores points. The cadet teams win points based on how quickly they detect and respond to the attacks. All judging is done by an NSA White Team.
I'll see if I can find some more info and post it here.
You are attempting to read sigs. Cancel or Allow?
If I had moderator points, you would be at -1 right now instead of 0.
This is the best way to learn security, by applying the "book learned" concepts to the real world. In fact, this is exactly what we did for the final project in the Computer Security course that I took as part of my MS in Computing program at Marquette.
It also reinforced a very important concept -- people are the weakest link. We got the other group to send us passwords by faking an email in the instructor's name!
You can find out the info at their webpage and get some more detailed information in the publications, especially the ones by Ragsdale and Schepens. http://www.itoc.usma.edu/CDX/wpia.htm I have attended two talks by LTC Dan Ragsdale and had the opportunity to meet with him to discuss the development of similar cyber defense exercises at UMBC CISA http://cisa.umbc.edu/ According to him the exercises use both linux and windows operating systems and teams are required to provide certain services (ftp, dns, etc.) They get points for having these services up and running and lose points for any downtime. New to the exercise this year are: an orange team (naval postgraduate school) allowing social engineering attacks All attacks are carried out over a VPN and as to the nature of the NSA red teams attacks... that is unknown, even to the exercise coordinators. So there could be exploits being tested here without anyone elses knowledge.
Just put link to computer in /. head story and then be ready to test against _real_ DDoS attack :)
I think that the NSA will win this one by falling back on the oldest hacker trick in the book: social engineering
Give one of the system admins a call, saying you're one of their higher ups and you need something done
Of course the NSA are much sneakier bastards than that... so we'll see what they come up with. I'm just hoping the cadets are aware of that very valid tactic.
Casual Games/Downloads
The ex-President of LALUG will then protest against using any of the lessons learned to make any Open Source systems more secure.
They rooted an easy box on the same subnet as mine at the ISP, put the NIC into promisc mode, sniffed my password when I was logged into the ISP box to test my home box remotely, and grabbed my ~/Mail directory via sftp. (sftp on my box is now a booby trap script).
They did this because I was one of two personal references he gave when he applied there. They did this AFTER they hired him. I am pretty certain my phone was tapped too, because after 12 years of getting mexican radio and other noise on my phone line, it started to sound like THX.
...beat the Navy -- what are they thinking, taking on the NSA?
At least they got home field advantage...
Following this guy's example, I am not going to use security on my network because the DOD does.
Lots of comments from participants in the tests already on this thread...
With everyone so keen to talk about it all, I reckon social engineering might be the key to winning this game, rather than pure hacking.
first off, people who join the military aren't the types who spend hours hacking and obsessing over ways to exploit a computer system. If they really want a test, they need to setup a server that will allow real hackers to login without being logged. Then they can hack the target machines without fear of being caught and put on trial. What are the chances there's a hardcore hacker in west point or in the military? I'd say less than .5%. People who hack tend to have a huge distaste for authority and marching in line.
The thing that worries me about any government computer security activity is that many managers who will have the final say have no practical experience beyond MS Word and a bit of COBOL as a undergrad. I once worked in a SCIF where the regs spoke of "zeroing core memory". Magnetic media was not allowed out once inside yet we had an internet connection and dozens of Macs running System 7 file sharing.
"Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
Most of you guys are just guessing here, my company does pen. testing for the DoD and NASA and they are full of holes (big enough to drive a Humvee through). Back in 2001, they had serious BIND issues, SMTP proxy alias issues, blank passwords on POP3, etc etc....now, these are all fixed but think about all of the vuln's that have been created since then. They don't have the internal expertise to secure themselves, most of the internal staff are high school drop-outs who didn't want to be in the infantry. Why do you think they use 3rd party vendors for most of their Info-SEC work. If terrorists even get a slight clue, we are in for a world of pain.....
"...A proposed solution 'would create a single executive organization responsible for software integrity and information assurance.'..."
-Press Conference-
"Ladies and Gentleman: I am proud to anounce our new cyber security czar, Mr. William Gates..."
Laugh! Damn you!
After looking at all the options, to secure 100 9s of uptime and total security, Green team will be going with managed windows hosting from rackspace.
"Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail."
Jason Lotito
"Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail."
So, as you can see, turning the computers off is actually counter productive.
Also, this is pretty cool:
"The rules this year are designed to make the competition simulate more of a 24-hour operation, despite the reality that "Taps" still sounds at 2330 (11:30 p.m.) and cadets are required to be in bed with lights out by then. Overnight, the enemy can prey upon any network vulnerabilities with impunity."
Jason Lotito
Army slob 1: OK, everything locked down?
Army slob2: Services off, filtering on. Nothin's gettin' in here.
NSA hack: [Taps on keyboard. Clicks "Send."]
Army slob 1: Hey, check it out. I just got an email with nude pix of Natalie Portman and HOT GRITS!
Army slob 2: Score!
Army slob 1: [Clicks "Open Email"]
NSA 1: Army 0
blog
I'm wondering if social engineering would include taking one of the students hostage when he leaves the NOC for a pee and threatening his life with a car battery, a set of jumper cables, and some titanium nipple clips.
It seems that if I were a real enemy after real information, it might be a lot easier to take down a camo-clad cyber geek than the 14 levels of electronic protection and pervasive paranoia of social engineering that must be present in these situations...
Or is titanium not that good a conductor?
I have a plan. Using mainly spoons, we'll tunnel our way out of the city...
This really isn't all that new. The U.S. Naval Postgraduate School has been
sending their Infosec students to play Capture the Flag at Defcon for the last couple years as well as
this year's Interz0ne conference. In
fact, there was only one team (Anomaly - and they won ironically) that didn't
have government personnel or contractors on their team.
Also, Immunix, a DARPA funded hardened Linux version has also
been put under fire during CTF for the last couple year. (Their team placed a
solid second both times).
The Feds have learned over the last couple years that they
are behind the ball in terms of normal unclassified security training for their
personnel. These conferences have been really good at given them some real
world training that they normally don't get.
It's nice to see my tax dollars being put to a good use for
a change. Plus it makes the "Spot
the Fed" game MUCH easier.
"Omnis tuus capsa sunt inesse nos"
potential riches to rags, one step removed as my girlfriend tells it.
Long time ago, her dad (very well off lawyer) at Christmas offered all the kids a challenge.
On the spot, he asked all of them who's picture was on the 10 very large bill, whoever guessed right, they got it!
He held it up, his hand over the face, she says they could all see the zeros hanging out and about shit.
NONE of them guessed correct.
Dad puts the bill away back in his pocket.
I guess that was his lesson to the kids on "know your stuff" in the business/economic world.
An associate of mine says the Army has a way to remotely lock and freeze any windows box trying to hack their systems. Then they can take control of the box remotely to determine the owner - any truth to this claim?
Namaste
as the rules of engagement seem to preclude social engineering in this case. It's a fixed timeframe of maybe a few days at most. The defenders are all "teams" at the various military academies, all of whom probably never leave the staging area except to eat or sleep until the game is over. And the attacker is required to use an anonymous location in Maryland as their base of operations. Even if travel outside this BoO is allowed for the attackers, agents would have to hop on planes immediately, engineer their way into the academy and get at the teams, then try to glean some information from them or the surrounding location that they didn't already know.
Social engineering would be more suitable for a more open-ended game that didn't have so many constraints, or one that focused on secret keeping and the like rather than on network defense.
I competed against the West Points team in the ACM computer programming competition. My team sat next to them and I was far from impressed...didn't see any code, but they were clearly missing some HUGE concepts from what I heard from their discussions. And these are supposedly the academics of the US Army.
NSA's got this one in the bag.
"There are no such things as mutual fantasies. Yours bore us and ours offend you."
- Bill Maher
Hey all,
:)
/. would nuke it. I don't know about the academies, but we had old P3/1.4 ghz machines as servers.
I was one of the participants this year in the CDX. I'm not sure how much we are allowed to say in a public forum like this, so I will be fairly vague. I am also only familiar with what my team did; I have no clue on what the service academies did as far as securing their part.
As far as OS's go, we used almost all Windows 2k machines. One ran VMWare in order to accomodate a Red Cell inject (basically, they handed us a virtual machine and made us host it on our network to represent an insider), and one RedHat Linux machine as a firewall.
Quite a bit of the stuff we saw was 'real world,' but there were a lot of artificialities. We did see some social engineering, but it's pretty easy during an exercise to say, "Hmm, should I REALLY run this e-mail attachment?" Social engineering wasn't really necessary to map out our networks. We had to hand in a document to CFHQ outlining our implementation before the exercise; this included a network map. It seemed that Red cell had access to this document as we only saw network traffic aimed at valid IP's going by.
No one was abducted and tortured for information. As it was, I doubt we could've given much usable information. It's hard to memorize 20+ character passwords
Even with insider knowledge, our network was secure. Part of the exercise this year included handing over our AD/DNS machine and our firewall to Red Cell for a few hours, and giving them the passwords to root and all administrator accounts. Even with this, we were able to start up backups and isolate the compromised machines within a minute.
We couldn't use software like Norton Internet Security, etc. Essentially, everything we used was freeware (except for all of the MS products) or built into the OS's themselves, and available to all of the participants.
Posting a link to our webserver on
Red Cell wasn't allowed to launch DOS attacks (Smurf attacks, those sorts) to knock out services. Sometimes they'd inadvertently DOS our services (for instance, someone was sending 5 meg e-mails to everyone in our domain every few seconds for a while and filled up all of our mailboxes, which only had a 50 meg limit. It wasn't our fault that members could no longer receive new e-mail!) and White cell would force Red cell to stop doing that.
Also, AFAIK, CDX has only been going on in its current guise since 2000.
I didn't hear of an Orange Cell. I spent a lot of time monitoring our web server, so I didn't listen to the phone calls, and much of the e-mail that went by was encrypted so I couldn't read it via Ethereal (what a nifty program!). I was told that NPS was completely out this year - they didn't like the artificiality of the exercise and wanted to have a much less structured wargame, and so didn't participate. I could be wrong on that; all I know is that a bunch of people on my team were disappointed that we couldn't Beat Navy again this year.
We saw mainly script type activities directed towards our Web server. It gets suspicious when you receive 9500+ 404's and 403's and 401's on your web server, and only 200 valid page requests.
The only sleep issues that our team had came from the hours and hours of hard work nailing down security flaws, tweaking settings, and rebuilding servers when we tweak the wrong settings (remember - don't turn off the RPC service in W2k!) I can only speak for myself, but when I went home, I knew that my network was secure against any nasties that the Red Cell would throw at it. I don't think that the Red Cell did do much during the night, as they had specified hours that they could hack during (9:30am - 4:30 pm, generally). I never did get the chance to review the Ethereal logs generated overnight, though, so I can't confirm that.
Hope this answered some of your questions about CDX!
The Air Force Academy played a role this year (as defending champs). We used MS Exchange (unwillingly) along with OpenBSD 3.4. It was an interesting exercies, though, I'm a little disapointed at the Red Team's performance. At one point, we were forced to give out remote access to our border router/firewall (as part of the exercise). The the good folks at the Red Team hosed the SSH access we gave them (we had to enable ssh first) and locked themselves out. It was a great exercise...we'll see the final results in a few weeks.
The DOD and Fogarty Brothers Inc.(FBI) have been trashing my computers for years. Windoze was a joke, so was linux. FreeBSD locked down to the max with two firewalls has managed to keep them at bay for the time being. Since leaving the CIA 20 years ago it's been a cat and mouse game to see how quickly they can piss in my well. WahHahHah! I love having enemies in high places!
Does this mean that the NSA "Red Team" will go on to compete in the Defcon Root-Fu competition this year?
Will we end up with virtual reporters on the Alexis Park cable talking about "Red Team" getting beat by "Team Green (0x00FF00)" and "WMD"? (that I would love to see!)
Come to Defcon XII and find out!
I don't really see why not: most of the team members will probably be in attendance already, and according to some of the earlier posts, they are not allowed to use any classified tricks anyway.
If you want more information, take a look at West Point's Cyber Defense Exercise webpage...
http://www.itoc.usma.edu/cdx/
They also have a number of publications here...
http://www.itoc.usma.edu/cdx/publication.htm
~rumint
www.rumint.com
There's been no fatherly welfare I am aware of, his philsophy as related to me was while they were at home they got free room and board but did chores, no maid action or anything like that, hit 18 it was adios, go make something of yourself. Shes a retired stewardess, two years of college before she went flying,college paid for via athletic scholarship, nationally ranked swimmer. Her sisters are married and each runs a small business they started, one of her brothers is an architect, And the other I forget, but just some normal job in IT, but I honestly don't remember what it is. Her dad is a hoot, he was a B-24 pilot in ww2 and still flies his own plane, a cessna 210 I believe. He's just always been a lawyer since he got out of the war, mostly criminal cases, and always thrifty, saved his nickles. cheap but not mean, he DID offer the 10 grand bill if they knew who was on it. (sam chase, BTW) He does goofy stuff all the time, I've heard dozens of these sorts of stories. And, if there was any family welfare, I sure don't see it. We do caretaking now, make an absurdly small salary for hot nasty outdoor labor, and get a three room cabin of around 600 square feet. Not exactly the lap of luxury around here. Combined we make less a day than what most people here make per hour. My new whizzbang surfin machine is a 1996 ibm @ 200 mghz. She owns a 1980 jeep that needs a new cylinder head and rings and a carb, and I have a 1975 van with well over 300 thou on it. If there's tons of cash or platinum cards kickin around here, I'd sure like to go on a spree, like, buy some parts I need and maybe go eat in a restaurant someplace that had actual china plates on a table.
"Elgible Receiver" was a classic cyber wargame that took place a few years ago. The memory still gives nightmares to folks in the Pentagon.
There have only been a handful of public statements on the results of Elgible Receiver, and they indicate that the attacks reached classified systems.
The red team (the attackers from NSA) developed their attacks by cruising the Internet and collecting the most recent attack tools and discussions of attack techniques. They didn't use anything top secret, nor did they need government endorsed back doors. The red team was so successful that very few details have ever been released.
I have no doubt a red team can do as well today as they did back then, even if they start from scratch again. The main advantage the red team might have over a real cyberterrorist is a bit of insider knowledge about the networks under attack.