Slashdot Mirror
DHS Seeks "Ethical Hackers" To Protect Federal Net Infrastructure
Death Metal sends this excerpt from an AP report:
"General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could 'think like the bad guy.' Applicants, it said, must understand hackers' tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems. In the Pentagon's budget request submitted last week, Defense Secretary Robert Gates said the Pentagon will increase the number of cyberexperts it can train each year from 80 to 250 by 2011. With warnings that the US is ill-prepared for a cyberattack, the White House conducted a 60-day study of how the government can better manage and use technology (PDF) to protect everything from the electrical grid and stock markets to tax data, airline flight systems, and nuclear launch codes. ... Nadia Short, vice president at General Dynamics Advanced Information Systems, said the job posting for ethical hackers fills a critical need for the government."
How do you prove you're good enough?
There is a secret NSA computer somewhere for potentiial job applicants to leave their C.V. on.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
The only black hats who would be interested in this type of work are script kiddies looking for a legal outlet for their elite skills.
But if these kids are the experts, who is going to develop the hacking tools?
Why are those even remotely accessible?
While i see a need for networking ( at least in some cases ) they should be on their own completely dedicated line.
---- Booth was a patriot ----
let me get this straight, they're training tens (hundreds?) of thousands of various kinds of soldiers each year, and they're aiming to train only 250 "cyberexperts" a year by 2011? And this after all the "reports" about russia and china bullying the entire world, including the US, with their DoS and other kinds of attacks? I see, if you can't see it explode, then it can't hurt you, right?
weinersmith
Too bad they don't provide a link of where to apply.
Worse for some of us is the typical stumbling block for us well skilled civilians who haven't worked for the government yet. I just skimmed through the GD listings for "Defense/Military Intelligence Analysis" and "Information Technology". They all require at least TS/SCI
Since I haven't worked for the government, nor for any company who would sponsor security clearance, I can't even apply for these jobs. It's not that would be excluded. Anything in my history is trivial at best. I've held many secrets. I've ensured privileged data has never been released. I've joked with friends about things I've told them. They say "You can't keep a secret", but I've always responded "Those are the secrets I could tell. You'll never know the secrets I can't."
Us civilians are stuck. We're well qualified for the jobs, but we'll never be considered if we apply for the jobs. This is a perfect example. I spent years intercepting, analyzing, and protecting against people doing "bad things". I'm well versed in what the "bad guys" can do, and used their own tools and methods against myself to ensure my defenses were up to par. For example, it's one thing to know my firewalls can block any unwanted traffic. It's another thing to poke a huge glaring hole in the firewall for myself to attack, and then proceed to attack.
I've posed as an inside attacker. I've posed as an outside attacker. I see what each can get away with, and protected against both.
I won't claim that I know everything. No one does. But people come to me asking "What the hell is this?" and I can give them a practical off-the-cuff response, and a detailed response after a good analysis. Most of the time, they match.
Without the clearance, I'd never be allowed to use these skills for a position like that. I know if I ever got my foot in the door, things would be different. Until then, I do my job well for civilian clients
Then again, none of you know me. Maybe I have TS/SCI with EBI and FSP. If I had it, would you know? :) Bragging rights aside, if I were to announce my clearance, that indicates that I may have access to information that someone may want, which could put myself, my family, my friends, and my neighbors at risk. Don't get too anxious, officially my clearance is "none" and my work history is "civilian". :) I'd like to correct that some day, so if any real recruiters read this, feel free to find me. It won't be hard for you. Check the file for "Smythe, JW (alias)"
Serious? Seriousness is well above my pay grade.
If you are old school, hacking IS ethical, and any damage/profit beyond learning is against the "code".
Amazing how powerful the media is in twisting definitions, public perception and alienating an entire culture.
---- Booth was a patriot ----
Someone who really knows how to game Technology needs to be kept very very happy if he or she is not to turn on you.
During the Cold War certain 'Special Forces' were used to entice secrets from many using torture free and very 'personal' interrogation techniques in undisclosed hotel rooms. No amount of technology can stop that unless the hacker has a smart phone implanted to record and transmit everything.
This opens the question of whether there need to be several such persons in separate undisclosed locations, that are tasked with monitoring each of the others.
Her lips were softer than a duck's bill, but her quacks
Has anyone considered this is just another version of the common ploy police use to round up criminals with outstanding warrants? They entice these people using false pretenses, then arrest them when they show up.
I'm not saying this is the case here, but what better way to build up a database of hackers (i.e., possible terrorists)?
So Obama can clear a runway and launch a nuke from his Blackberry.
Clearly written by a technologically illiterate PHB. Any good security person worth his/her salt can think like the bad guy and knows hackers tools. They also know the difference between what the term "hacker" really means and what the knucklehead who wrote this ad thinks it means.
Your question is your answer.
You'll find, even in the happiest secure network, there can be a security hole.
Think of this. It shouldn't happen, but I know it has. You have two networks jacks on your wall. One is green. One is red. Unclassified machines can be plugged into the green one. Classified machines an be plugged into the red one. A user who's annoyed that he can't be on both with the same machine, yet has two network interfaces on his PC plugs into both.
Now, your nice secure network has a compromise. If that unclassified machine, on the unclassified network, becomes compromised, they have a nice portal into the classified network.
Just because your network doesn't have any connections to the outside world, doesn't mean you shouldn't treat it as if it has a public IP on the Internet.
What's happened more times than is funny is, some user decides he needs a wireless connection to his laptop, so he can put his laptop on another desk without an extra wire going to it. Since he's just a user, and picked up the AP at a retail store, he may not have set up security. "I'm 10 stories up in a secure building, I have nothing to worry about." Yup, nothing to worry about, until someone sits in the next building with a high gain antenna, and stumbles on the fact that there's an open AP begging for them to come in. Stores have been bitten by this. Schools have been bitten by this. Even banks have. Plenty of companies have had the same problem.
I found a school once that did this. I found their printers very quickly. I installed the drivers for the printer, and printed a simple note. "Your network has an unencrypted access point on it. It is allowing anyone to access your network. Please call your network security administrator to correct this."
I found a casino in Las Vegas did the same thing several years ago. I couldn't get in from outside, but from a legitimately purchased hotel room, I found I had access to every display board in the casino. I logged enough traffic to see how it worked. When I got home, I got a hold of the network security admin for the casino. I sent him the logs, the floor I was on, and exactly what I did. He thanked me for finding the mistake and not taking advantage of it. He said it was fixed within hours of my report. I'm sure it was an oversight when someone else did the install, and no one had ever looked at it as an outside hacker inside the building. Who would bother hack the casino network from a room in the hotel in Las Vegas. Oh ya, and DefCon was 3 months away. :) The only reason I was looking was, they didn't provide internet access in the rooms, and I was hoping to pick up an AP in the lobby or somewhere that was available for guests. Unfortunately, they didn't have one that I could reach the Internet with. No email for 3 days. :)
Always be a good guy. Never be a bad guy. If you find a problem, report it with details. Trust me, the guy who would have gotten fired over it would prefer to know about the problem first so he can fix it.
Serious? Seriousness is well above my pay grade.
an internal Microsoft job posting for a malware/security research position was done this way.
Hiring manager sends out an email, with an ip address, says there is a chat server listening on a port with a buffer overrun vuln in it. In n days he'll start reading over the resumes left in c:\ on the machine.
My opinions are my own, and do not necessarily represent those of my employer.
And the DHS will look up and shout "Save our Internets!"
And I'll look down and lol "QQ moar n00b."
Is it really that hard to essentially blacklist entire countries?
Do we really need remote access from .ru, .cn, and .ua? (just to name a few)
FedNet...would you like to know more?
Or SeeFee or SuFu or whatever it's called now. Haxx0rz -- Elite hacker Jason St. Phibes and his crew of one rotund recluse, one hot babe genius, and one socially awkward but lovable nerd tackle laptop-wielding Muslims who would threaten our homeland's data and stuff.
They don't want to hire them, they want to catch them.
Anyone stupid enough to show an interest will be repaid by having their background and their "back" proctoscoped by the Feds.
Security clearances aren't classified. They are prerequisites to have access to classified material, but the clearances themselves aren't. So if you had a TS clearance, sure we could know. You'd be free to tell us if you liked. You couldn't tell us about the classified material you saw, of course, but the clearance itself would be no secret at all.
As a practical matter there's no way to keep such a thing a secret due to the nature of the SSBI. More or less what they do is talk to everyone you've ever known, and in various cases talk to people they've known. They tell people the reason too, because they ask questions such as "Do you think this person could be trusted with national secrets?"
I've known more than a few people with security clearances and it was never any kind of secret. It wasn't like they'd walk up and say "Hi my name is Bob, I have a clearance," but if it came up in conversation or you asked they'd be happy to tell you.
Private The Plague reporting for duty, sir!
If you quote this signature there'll be 72 copies of Windows ME waiting for you in Heaven.