DHS Seeks "Ethical Hackers" To Protect Federal Net Infrastructure
Death Metal sends this excerpt from an AP report:
"General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could 'think like the bad guy.' Applicants, it said, must understand hackers' tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems. In the Pentagon's budget request submitted last week, Defense Secretary Robert Gates said the Pentagon will increase the number of cyberexperts it can train each year from 80 to 250 by 2011. With warnings that the US is ill-prepared for a cyberattack, the White House conducted a 60-day study of how the government can better manage and use technology (PDF) to protect everything from the electrical grid and stock markets to tax data, airline flight systems, and nuclear launch codes. ... Nadia Short, vice president at General Dynamics Advanced Information Systems, said the job posting for ethical hackers fills a critical need for the government."
How do you prove you're good enough?
There is a secret NSA computer somewhere for potential job applicants to leave their C.V. on.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
Why are those even remotely accessible?
While I see a need for networking (at least in some cases), they should be on their own completely dedicated line.
---- Booth was a patriot ----
Let me get this straight, they're training tens (hundreds?) of thousands of various kinds of soldiers each year, and they're aiming to train only 250 "cyberexperts" a year by 2011? And this after all the "reports" about Russia and China bullying the entire world, including the US, with their DoS and other kinds of attacks? I see, if you can't see it explode, then it can't hurt you, right?
weinersmith
If you are old school, hacking IS ethical, and any damage/profit beyond learning is against the "code".
Amazing how powerful the media is in twisting definitions, public perception and alienating an entire culture.
---- Booth was a patriot ----
Has anyone considered this is just another version of the common ploy police use to round up criminals with outstanding warrants? They entice these people using false pretenses, then arrest them when they show up.
I'm not saying this is the case here, but what better way to build up a database of hackers (i.e., possible terrorists)?
Your question is your answer.
You'll find, even in the happiest secure network, there can be a security hole.
Think of this. It shouldn't happen, but I know it has. You have two network jacks on your wall. One is green. One is red. Unclassified machines can be plugged into the green one. Classified machines can be plugged into the red one. A user who's annoyed that he can't be on both with the same machine, yet has two network interfaces on his PC, plugs into both.
Now, your nice secure network has a compromise. If that unclassified machine, on the unclassified network, becomes compromised, they have a nice portal into the classified network.
Just because your network doesn't have any connections to the outside world, doesn't mean you shouldn't treat it as if it has a public IP on the Internet.
What's happened more times than is funny is, some user decides he needs a wireless connection to his laptop, so he can put his laptop on another desk without an extra wire going to it. Since he's just a user, and picked up the AP at a retail store, he may not have set up security. "I'm 10 stories up in a secure building, I have nothing to worry about." Yup, nothing to worry about, until someone sits in the next building with a high gain antenna, and stumbles on the fact that there's an open AP begging for them to come in. Stores have been bitten by this. Schools have been bitten by this. Even banks have. Plenty of companies have had the same problem.
I found a school once that did this. I found their printers very quickly. I installed the drivers for the printer, and printed a simple note. "Your network has an unencrypted access point on it. It is allowing anyone to access your network. Please call your network security administrator to correct this."
I found a casino in Las Vegas did the same thing several years ago. I couldn't get in from outside, but from a legitimately purchased hotel room, I found I had access to every display board in the casino. I logged enough traffic to see how it worked. When I got home, I got a hold of the network security admin for the casino. I sent him the logs, the floor I was on, and exactly what I did. He thanked me for finding the mistake and not taking advantage of it. He said it was fixed within hours of my report. I'm sure it was an oversight when someone else did the install, and no one had ever looked at it as an outside hacker inside the building. Who would bother to hack the casino network from a room in the hotel in Las Vegas? Oh ya, and DefCon was 3 months away. :) The only reason I was looking was, they didn't provide internet access in the rooms, and I was hoping to pick up an AP in the lobby or somewhere that was available for guests. Unfortunately, they didn't have one that I could reach the Internet with. No email for 3 days. :)
Always be a good guy. Never be a bad guy. If you find a problem, report it with details. Trust me, the guy who would have gotten fired over it would prefer to know about the problem first so he can fix it.
Serious? Seriousness is well above my pay grade.
Us civilians are stuck. We're well qualified for the jobs, but we'll never be considered if we apply for the jobs.
Your analysis is false. As someone who does not hold a clearance you have a slight handicap because it means that if they hire you, you won't be able to start on the "meat" of the work for a few months while your clearance is processed. But if your skills are good, then they will hire you and put you on a desk in an unclassified area to get yourself up to speed on as much of the program as is unclassified. I know a lot of people who have done exactly that. You do not have to be ex-military to get a clearance.
When information is power, privacy is freedom.
I've held security clearance in the past (it lapses if you don't renew it periodically, and I didn't), and I know a few people who got jobs that required a higher level of clearance than I had. Although the job adverts will say you require clearance, this usually means that any offer will be conditional on the clearance being granted. You can still apply without it and if they think you are qualified then they may offer you the job. The offer will say 'pending security clearance' or similar on it, and you will then have to undergo a background check (exactly how detailed this is depends on the level required, but it can usually be done in a couple of months). It is quite rare for someone to fail - most people who might tend not to apply. If you do need to go through the process, then don't lie. They don't care if you're gay or smoked pot, but they do care if you have secrets that someone can blackmail you about.
I am TheRaven on Soylent News