Pentagon Seeks a New Generation of Hackers
Hugh Pickens writes "Forbes reports on a new military-funded program aimed at leveraging an untapped resource: the population of geeky high school and college students in the US. The Cyber Challenge will create three new national competitions for high school and college students intended to foster a young generation of cybersecurity researchers. 'The contests will test skills applicable to both government and private industry: attacking and defending digital targets, stealing data, and tracing how others have stolen it. [...] The Department of Defense's Cyber Crime Center will expand its Digital Forensics Challenge, a program it has run since 2006, to include high school and college participants, tasking them with problems like tracing digital intrusions and reconstructing incomplete data sources. In the most controversial move, the SANS Institute, an independent organization, plans to organize the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data. Talented entrants may be recruited for cyber training camps planned for summer 2010, nonprofit camps run by the military and funded in part by private companies, or internships at agencies including the National Security Agency, the Department of Energy or Carnegie Mellon's Computer Emergency Response Team.'"
Where do I submit my resume?
Will they accept foreign applicants?? Because restricting this program to US citizens is madness, considering all the hacks done overseas.
"My Daddy ate my eyes."
I'm looking forward to DC3 this summer. I don't believe they accept foreign applicants. I don't believe that it is madness either; why train or let someone participate in something they may not even be able to stay here and participate in?
True: she looks like a bull-dyke and is married to an Ethiopian woman (Thedanka). They are both ministers in a Unitarian Church in Florida. Read it on Wikipedia. Care to discuss?
=Smidge=
Your comments are a sine wave of quality, my friend ... unfortunately it has a very very low trough.
And the winner does not pass "Go", does not collect $200, and goes straight to jail.
Authority questions you. Return the favor.
Angelina Jolie has a legitimate excuse to stop posturing as an actress and can pursue her true destiny...
Motorcycles, Robots, Space Gossip and More!
When they work for you, they're "freedom fighters".
When they work for the other guys, they're "terrorists".
It must have been something you assimilated. . . .
... a young generation of cybersecurity researchers ... attacking and defending digital targets, stealing data ...
Isn't it funny that whenever there is talk about security it generally means the opposite?
they seem to have thousands of enthusiastic youngsters who are already hard at work in this very field
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Why does the government just hire people who already have extensive experience? It takes many years of constant dedication to become a great programmer and they want someone right out of school or college? LOL!!! I would like to know what retard of a leader made that decision. Actually I don't care.
I have been looking for formal academic training in computing security for quite some time. The best I've found is "boot camps" for CISSP and seminar courses taught by a local college on how to use tools like Metasploit, Wireshark and C&A.
I went all the way through a MS CS looking for any opportunity to study computing security and drew nothing but shrugs from my professors when I inquired about seriously studying the subject.
If they really want to produce cybersecurity experts, forget the competitions - you have to make training available. Forget all of the hand waving talk about academics not "having the right mindset". I have found that the kind of people who say such things just don't want to share their knowledge.
DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
When you consider that only a lily-white goody twoshoes can pass the lifestyle polygraph it's no wonder they can't find enough people. They figure if you've ever tried to access any system without the Proper Authority, ever, you're a bad risk. So if you've ever held down two buttons at once on a vending machine to see what happens, you need not apply.
That makes about as much sense as refusing to recruit people into the army because they were in a fight, once.
There is no shortage of people with black hat skills. The problem is that the government does not want all but a handful of those few who are willing to work a job where a routine fuckup can be prosecuted as a felony.
Finally, all those years of watching "War Games" might pay off.
"Don't Panic"
I would think the very culture of the DoD would be adversarial towards the very people they are trying to recruit.
What's the hook? What I mean is: why would some high schooler join this program vs the alternatives? -which by the way....are way more fun. Would you really want to hack for some PHB who has TPS Cover Sheets to fill out? I can't imagine a less rewarding situation
This seems like wishful thinking to me. How many "hacker recruiting" programs have we seen/heard about now? I can count 3 or 4 off the top of my head. Methinks they are not having much success finding good hackers.
Can someone explain to me why this is controversial? SANS is one of the leading security organizations in the world...
Quite an ingenious move.
While the initiative may seem to foster and legalize what previously have been considered acts of malevolence, it also helps the government to identify and build a register of possible future trouble makers with skills.
This will get them both a great recruitment program, but it will also give them a great monitoring tool.
I'm not pro nor con, just saying. Nice Database of profiles. Do you bite?
To work on these systems you'd need to hold a security clearance. It is not prima facie absurd to say that some restrictions could be lifted for Secret-classified networks, but you'd never get them to do Top Secret and Top Secret/SCI because of how incredibly sensitive the data is on those networks.
Your post is hilarious! I mean no offense by this reply so please don't get mad....
The idea that there is "hacking training" or even college is hilarious! Hacking, by definition, means you do things that were not designed to be done. IOW, you hacked them to make them work together. It could be computers...or it could be stereo speakers. They only differ in form.
Things like this can not be taught by books or professors. They are learned by experience and tinkering. There are no shortcuts to becoming a hacker. Only time, an inquisitive nature, and quite a bit of OCD can make you one. You'll probably need some Jolt cola too....but that's a topic for another post. The very idea that hacking can be taught is laughable. That's like teaching someone to 'be successful' or to 'live healthy' or some other cockamamie abstract concept.
Simply put: you are looking in the wrong place for your training and education.
Yeah - they had this back when I was in high school.
Only, instead of a prize; I got an F in my programming class, threats of expulsion, and had to promise never to use one of the "school's" computers again.
Will they accept homosexuals?
Or is "deviant sexual behavior" only acceptable when done as part of an "enhanced interrogation"?
SANS.org offers a whole lot of courses regarding InfoSec. Start with SANS 401 unless you feel you really need the intro 301. Sadly, they get pretty pricey if you don't have a company reimbursing you.
It's pointless to "study" computer security. By the time you're through, you get told "forget everything, it's outdated".
There's nothing specific to computer security here. In nearly every field, by the time you graduate what you've learned is outdated. The methods have changed, the accepted views and interpretations have changed, the tools have changed. Education isn't about learning the specifics of particular topics, it's about learning how to intelligently and rationally deal with a specific topic.
A computer security course of study could contain examples, such as browser exploits and conficker, but the focus should be on the more abstract concepts. Ideally, if you understand computer security, you will be able to deal with whatever the current craze is.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
If you're better, make yourself a COO/CEO type, and Fire HR. Then award yourself a bonus.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Thank you. Finally someone with some caution.
"Hey, we'll interrogate Terrorists."
"But we aren't getting any hits sir."
"Okay. Let's hold a contest to find some."
The very idea that you could create any kind of meaningful "hacking curriculum" is laughable. Books and Professors? Are you really serious with your reply? Are they really the best source of hacking info? No...no they are not. They never have been. Sure, they can teach you the basics and get you in the game but in reality, that's where their capability ends. Last I checked, professors had nothing to do with 2600, Phrack, LoD, Code Red, Sasser, or any other hacking effort in the last 25+ years. Have you ever seen some of the pure genius that has come from true hackers? Some of it makes you step back in awe of how they "figured that out". Go back and read some of the ezines from the late 80's and 90's. They are quite dated by now but they covered topics that NO BOOK or class could ever touch.
I mean, think about it....many hackers know more about the equipment than the people who actually designed and built it. And you think books are going to teach them to hack it? C'mon....
Methinks you are confusing "security professional" with "hacker". Sometimes they overlap, but not always. I know plenty of INFOSEC guys who don't know a damn thing about hacking. If you were to put them into a room with a real hacker, you would quickly see the hacker run circles around the pro. Now, why would that be?
Riddle me this: IF what you say is true, then why aren't we swimming in hackers all around us? Why is the govt having such a hard time finding qualified applicants? Why aren't there more uber hackers "out there"? After all, if I want to be 1337, all I have to do is go to the right classes and have an active interest. So what is stopping millions of wannabe kids from doing just that?
Got it. Thanks for the clarification. You are right that we have to define what we mean when we say "hacker". I used the old school definition so thanks for pointing out the difference. It is helpful to the discussion.
Probably paranoid of me but this looks like a way for the gov't to track people in this country who have this skillset. Face it, these types of skills could potentially be turned to very negative pursuits. This type of contest/internship/whatever, is a great way to get a lot of unknowns within the skillset on the radar.
And so continues the cycle of Slashdot stories of "$ARMED_FORCE is starting a new elite CyberSecurityDefenderProtectUsFromBadGuysSuperForce" and:
1. Former IT folks in the $ARMED_FORCE ranting on Slashdot about how $ARMED_FORCE did nearly everything in their power to make competent IT people leave.
2. $ARMED_FORCE continuing to disqualify those who are over 30 or who have a pasty-faced complexion unbecoming to G.I. Joe.
3. $ARMED_FORCE not wanting to stop using Windows for anything secure.
4. More Chinese hackers putting stupid stuff on $ARMED_FORCE's IIS servers.
Thanks for posting in a much more graceful manner than I have on this thread. I was not as clear in my responses to this guy so thanks for laying it out much more clearly.
And if you're the best, you simply give yourself a pension and numerous titles/awards/etc..
"Why shouldn't I work for the N.S.A.? That's a tough one, but I'll take a shot. Say I'm working at N.S.A. Somebody puts a code on my desk, something nobody else can break. Maybe I take a shot at it and maybe I break it. And I'm real happy with myself, 'cause I did my job well. But maybe that code was the location of some rebel army in North Africa or the Middle East. Once they have that location, they bomb the village where the rebels were hiding and fifteen hundred people I never met, never had no problem with, get killed. Now the politicians are sayin', "Oh, send in the Marines to secure the area" 'cause they don't give a shit. It won't be their kid over there, gettin' shot. Just like it wasn't them when their number got called, 'cause they were pullin' a tour in the National Guard. It'll be some kid from Southie takin' shrapnel in the ass. And he comes back to find that the plant he used to work at got exported to the country he just got back from. And the guy who put the shrapnel in his ass got his old job, 'cause he'll work for fifteen cents a day and no bathroom breaks. Meanwhile, he realizes the only reason he was over there in the first place was so we could install a government that would sell us oil at a good price. And, of course, the oil companies used the skirmish over there to scare up domestic oil prices. A cute little ancillary benefit for them, but it ain't helping my buddy at two-fifty a gallon. And they're takin' their sweet time bringin' the oil back, of course, and maybe even took the liberty of hiring an alcoholic skipper who likes to drink martinis and fuckin' play slalom with the icebergs, and it ain't too long 'til he hits one, spills the oil and kills all the sea life in the North Atlantic. So now my buddy's out of work and he can't afford to drive, so he's got to walk to the fuckin' job interviews, which sucks 'cause the shrapnel in his ass is givin' him chronic hemorrhoids. 
And meanwhile he's starvin', 'cause every time he tries to get a bite to eat, the only blue plate special they're servin' is North Atlantic scrod with Quaker State. So what did I think? I'm holdin' out for somethin' better. I figure fuck it, while I'm at it why not just shoot my buddy, take his job, give it to his sworn enemy, hike up gas prices, bomb a village, club a baby seal, hit the hash pipe and join the National Guard? I could be elected president."
Try Iowa State University's program. It is one of the charter schools under a 1994 act signed by former President Clinton to do research and training in this area. The school has an excellent program (I actually attended it) with some good research going on, as well as very good formal courses. It's not just CISSP stuff or competitions, although the school does very well in competitions as well and hosts some of its own (an ISU undergraduate team also just won a major hardware hacking competition, beating out many prestigious schools). Personally, I'm very glad I attended ISU and studied in their security program, because it has made me a much better developer.
Beware of bugs in the above code; I have only proved it correct, not tried it.
They are coming to get you
And then the Government makes you disappear when you know too much?
I'll pass.
why would some high schooler join this program vs the alternatives?
Good question. I would expect a DoD (read: NSA) backed program would give you access to compute resources beyond the imaginings of a kid-in-a-basement, like encryption cracking compute nodes with 1000 cores, direct connection to internet peers, etc. Not to mention a paycheck. Also, a badge: while you might like to work off the grid, there's something to be said for having a get-out-of-jail free card too.
Also, the DoD could point you at targets, and challenges, that you might not otherwise be able to get into. I wonder if every basement dwelling hacker is able to bust into the Chinese Military defense network, but I suspect that the NSA could get you past the first hurdles and into the tier 3 or 4. Just a guess.
It was a few years ago, but the DoD was advertising that they'd pay for your CS degree if you obligated yourself to working for them for 4 years after school. That read to me like it was a guaranteed job after school, and if they didn't take you it was on their option and you still got a free degree. How many college graduates have the guarantee of a job after college anymore? And then a resume that would have 4 years of DoD infosec on it, and probably clearance to boot? If I was 25 or younger, I would have seriously considered it.
--
$tar -xvf
Provide me with an adequate quantity of hot, willing females of breeding age and I'll get right to work producing it.
Have gnu, will travel.
The problem with training hackers is that you can't train someone to be obsessed about computer security. They would be better off sifting through medical records looking for kids who were diagnosed with ADD (Probably misdiagnosed) and recruiting them to just play with computers. The best hackers I have known don't know as much about systems or networking as the best programmers I know. The skill that the hackers have is persistence, they will keep trying and trying until they have gotten something worthwhile. The hackers also tend to keep up to date with the latest security flaws and have / make the tools to take advantage of them.
On the other hand, if you are a programmer AND you have a knack for security, you are already gainfully employed and the military can't compare with your compensation package.
So to recap, the government is trying to recruit stupid kids. The smart ones are already focusing on what they care about / have a passion for, and they probably have no intention of working for the Gov't unless they have a parent they respect who works for the NSA.
Sometimes they overlook your unapproved mindset if you help them break into normal people's computers instead.
Also, on the topic of how they're being treated: How many of these contest "winners" do you think get to claim any money without giving their name, address, parents' names, and social security number to the sponsors (for "tax purposes")? For that matter, I wonder how much hair and related DNA is lying around in those keyboards after the contest. And all that is before they perhaps cast a wide net by suggesting that any participant who's not a total fool apply for work with them (consensual open-ended background checks).
If you read through the hacker ethic, you will find that it's completely incompatible with the values enforced by any military institution.
This question/assumption is exactly why this initiative is doomed to fail. Institutions don't get 'hacking' (cracking).
Hacking isn't about computers. Hacking is about a thought process. If you don't have it, you probably never will. Learning to 'think like a hacker' is about saying 'hmmm' when something unexpected happens and letting your mind explore a thousand options instead of shrugging and moving on. The true, scary-smart hacker types do exist, but the average profile is someone without a CS degree (likely no degree at all), very little evening social life (or none that you'd recognize), and they are tickled by finding a goofy little exploit with a piece of technology just because the engineers that created the system never intended it... and they ignore the fact it took them 2 weeks of mercilessly poking at the system to find it. They aren't high-power career types, they don't often look the part. (The few I know are terribly non-stereotypical nerds. One's kind of a gun-nut in fact, one used to work at a car-stereo shop during daylight hours, one's married with 2 children.) Music ranges from Bob Dylan to bubblegum rock to hard-core trance.
The 'not quite ripe' profile is the kid who likes to figure out what his Christmas presents are before he gets them without opening them, and later the puzzle of trying to read bank statements he gets in the mail through the security envelope without any evidence it's been opened... (hint, try different frequencies of light) but doesn't know the first thing about computers.
Put another way, the best 'hacker type' I've seen in fiction recently is Gregory House MD., a man driven by 'the puzzle' above all else. Find a guy like that, sit him with a stack of about 5 O'Reilly books, and *that* is a hacker.
Let's join, and destroy them from the inside!
Cheers,
osama/bin/rootkid
Any sufficiently advanced intelligence is indistinguishable from stupidity.
"the DoO"
Freudian slip about the Department of Offense?
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.