DARPA Commits To Funding Useful Hacking Projects

Hugh Pickens writes "Fahmida Y. Rashid reports that the Defense Advanced Research Projects Agency will fund new cyber-security proposals under the new Cyber-Fast Track project intended to cut red tape for hackers to apply for funding for projects that would help the Defense Department secure computer networks, says Peiter Zatko, a hacker known as Mudge who was one of the seven L0pht members who testified before a Senate committee in 1998 that they could bring down the Internet in 30 minutes and is now a program manager for the agency's information innovation office. Anything that could help the military will be considered, including bug-hunting exercises, commodity high-end computing and open software tools and projects with the potential to 'reduce attack surface areas, reverse current asymmetries' are of particular interest. Under the Cyber-Fast Track initiative, DARPA will fund between 20 to 100 projects annually. Open to anybody, researchers can pitch DARPA with ideas and have a project approved and funded within 14 days of the application."

Honey Pot?

[WrongSizeGlass]

Could this be a giant honey pot?

Re:Honey Pot?

With public disclosure it could never become such.

If DARPA funds hacker x who posts to a list about a vuln in product y at line z, then everybody can see the problem and look towards solutions.

49 Year Old Militant Feminist Grandmother Here

You're an idiot. DARPA has a history of funding technology and has better things to do than make a gigantic trap to destroy their reputation for the purpose of catching a few historically insignificant basement losers.

Re:49 Year Old Militant Feminist Grandmother Here

.... not sure if just trolled or really stupid ...

Re:49 Year Old Militant Feminist Grandmother Here

DARPA is a US government agency. The US government has proven to be untrustworthy. I would not put it past the US to misuse DARPA "for the good of the country".

Re:49 Year Old Militant Feminist Grandmother Here

[Doc+Ruby]

You mean like the Pentagon did in Iraq?

Re:49 Year Old Militant Feminist Grandmother Here

[somersault]

The US government is comprised of humans. Humans have proven to be untrustworthy.

On the other hand, some humans are also trustworthy. Shit. How can I apply both of these into one absurd gross generalisation?

Re:49 Year Old Militant Feminist Grandmother Here

[AHuxley]

Re a few absurd gross historical generalisation?
A 56k using UFO hunter used a perl script to glide around a set of wide open MS "mil" US networks.
The CIA has In-Q-Tel like fronts to seek any useful project at any price and nobody will know.
DARPA has.... like fronts and nobody will know.
The US has usually found solutions to its language, math, computer, crypto, science ect. issues very quickly, with less press and with lots of cash.
Yet now we are to believe the US suffers from unique bug related, surface area and very real "high-end" computing issues.... all very public and only "You" can help..

Re:49 Year Old Militant Feminist Grandmother Here

[somersault]

Well, they did just lose their "AAA" credit rating..

Re:49 Year Old Militant Feminist Grandmother Here

This is slashdot. EVERYTHING is a fucking government conspiracy. The government is both completely incompetent and at the same time evil geniuses bent on taking away your open source software.

Re:49 Year Old Militant Feminist Grandmother Here

shhh, the slashdot bent towards government conspiracies is actually a plot by the government to discredit the users of slashdot!!

Re:49 Year Old Militant Feminist Grandmother Here

Or maybe that is what they want you to think.

YES

dont trust

Finally

For the cost of a few cruise missiles humanity will be left with something of value from the defense budget.

Hopefully this becomes a superfund for cleaning up vulnerabilities by the best and the brightest. With all the money wasted every year we should not agonize over tiny sums being expedited to people who will catch the bugs and disclose to the public.

The cybercrime gangs are well funded. The bughunters are not.

Prevention is much cheaper and much more friendly towards civil liberties than is having a cyberwar bureaucracy staffed by the sort of reactive code grinders who couldn't make it in cutting edge startups.

Mudge? This might actaully work then.

[sp332]

If you recall,there was a campaign to make Mudge the USA cyber-czar back when Obama created that post. The guy knows what he's doing, and even now that he's in big-government stuff, the community still trusts him.

Re:Mudge? This might actaully work then.

Bating people with skills to make it easier for the government to enforce copy protection laws doesn't endear him. Protecting .mil from attacks is cool and all but that isn't what they are wanting. If it was, it wouldn't be a call to all projects. I find it hard to believe he doesn't realize this. If he doesn't, I hope the clue bus hits him. Soon.

Infinite Military Money

[Doc+Ruby]

The military/intel is totally protected from our debt crisis, no matter how distantly related to protecting us any of its expenses might be. That's why the majority of our debt is owed for past military/intel budgets - so it costs 50% more in interest than what was appropriated on paper. And now that the debt has gotten our credit rating downgraded, it will cost us even more in interest - along with all our borrowing that it's dragged along with it.

So the smart people will turn all their projects into military/intel projects. Which will gradually turn the US into not just a hopeless debtor, but an exclusively warmongering hopeless debtor.

Re:Infinite Military Money

[NotAGoodNickname]

Very true. I know the company I work for loves these programs, there is no risk since it is guaranteed money if you win the contracts. It also diverts engineering resources into supporting these programs.

Re:Infinite Military Money

[tryptogryphic]

This is why the citizens of any democracy should be on guard, demanding answers from their representatives about spending etc. to ensure that such things do not happen. This is indirect war profiteering in it's finest form.

Re:Infinite Military Money

[Doc+Ruby]

Like "why are we invading Iraq when it had nothing to do with the 9/11/2001 attacks"?

Those of us who did ask that question were drowned out by the majority of voters who insisted on re-electing Bush/Cheney instead of impeaching and imprisoning them.

Re:Infinite Military Money

people deserve the government they get. and people are stupid. the only way to change this is for you, joe citizen, to hold public office and work your way to the top. by the time you get there the system will have molded you into someone no better than the sharks running good ol' USA currently. thems the breaks.

Re:Infinite Military Money

[Doc+Ruby]

Well, what's actually more true is that "in a democracy, the people get the government they deserve". Maybe that means we deserve the government we get.

As far as holding public office being the only way to change it, that's clearly not true. Indeed the biggest problem in America's democracy is that our republic, the elected people, are not the ones who make change. They're lackeys to the people who do make the change. And those people are not only the rich. Plenty of not rich (outside their expenses-paid political racket) people fill the ranks of decision makers in the "Social Conservatives" groups that exert such power.

I've actually worked in government, in the NYC City Council (legislature). Change is made by staking out clear and useful positions ahead of the immediate term where the sharks are busy grabbing whatever bleeds. By being persistent, over many years, and playing the social groups to get the access that defines power in politics. And I've also seen some, not many, who get and keep power without being corrupt.

It's pretty broken. But if we just give up and accept the corruption, there's no way out. And we can be much, much worse - look at Argentina, and any of the banana republics we've created in our backyard. Maybe the majority of Americans deserve it - the people who don't even vote, while they see those who do driving us into ditch after ditch. But I deserve better. And I'll do what I can to get it.

Re:Infinite Military Money

They should have attacked every damn country in the area using targeted air strikes to inflict maximum damage as a clear warning of what would happen the next time some jumped up emir, mullah, or mujahideen done attempts to attack US interests. And also refuse to provide any money after the fact to repair any inflicted damage. There isn't a single country in the world that would interfere. Non-state actors operate under the belief that no matter what atrocity they commit the "international" community will tie themselves in knots politically and won't respond to any provocation. It was assumed that the US could not respond militarily to these types of attacks because the UN would never approve. GWB showed the UN and everyone else that when necessary the US does not really give a shit what other countries think when it comes to US military actions. One very good example of this approach to preventing large attacks is Israels military. The Arab countries have not openly tried to attack the state of Israel in force since their 1973 ass kicking because there is no question in thier minds about what Israel would do for retribution. Of course the Arabs changed tactics and try to use the "palestinians" as cannon fodder and human mortars to avoid direct state attacks and avoid being humiliated once more because of their military ineffectiveness.

Re:Infinite Military Money

[Doc+Ruby]

In what area? Iraq? No jumped-up mullah in Iraq or anywhere else except Afghanistan did anything to us on 9/11/2001. GWB showed the UN and the world that even when the US was hideously attacked, all he cared about was invading a country that had nothing to do with it. So his cronies could make $TRILLIONS and grab as much power for as long as they could, while smashing our obligations to protect us. All of which is precisely Binladen and his fellow assholes wanted.

And so you voted for Bush twice, giving us the endless wars, bottomless debts and worthless governments we suffer with now. You Republicans are incapable of learning even the most obvious lessons. Binladen's jihad couldn't have prayed for better partners in the Terror War than you people.

Re:Infinite Military Money

[cavreader]

Damn near every middle-eastern and N Africa country funds and provides political protection for groups committing terrorists acts all over the world. In a comment above someone said that the people in the US are directly responsible for the consequences of thier government policies so why shouldn't that same principle be true for all countries? This isn't just about 9/11. I am against the wars in Iraq, Libya,and Afghanistan and would have preferred to leave Iraq alone and allow them to continue their own self destruction in peace. And using air based attacks in Afghanistan combined with spec ops Taliban hunters would have been more effective and certainly cheaper. Specifically targeting the vast poppy fields would also hit the Afghan leaders where it hurts and encourage them to actually go after those providing the US with resons to attack. The majority of the US oil imports are from Canada, Mexico, Venezuela, and domestic sources. Let the European countries deal wit the middle east since they rely heavily on Arab oil and they are also the ones responsible for creating this mess in the first place with their arbitrary drawing of country borders in the middle-east. And I didn't vote for Bush. I consider both US political entities ignorant and incompetent of doing anything else besides campaigning. Bin Laden and all of his disciples in jihad have only succeeded in creating a growing hatred of Muslims across the world.

Re:Infinite Military Money

Nah. After having paid all those people, they will declare the Dollar worthless by printing a quintillion Dollars, and you can wipe your ass with them. Just like China. ^^

Just make sure

[Fnord666]

Just make sure the funding check clears. It is issued by the US government after all and their credit isn't as good as it once was.

That is all well and good.

[das3cr]

But what is DARPA, or anyone else for that matter, about making sure chips made in china don't have bugs built in?

I /refuse/ to purchase an item that is known to me to have chips made in china because I believe it to be compromised.

How can one be sure that the hardware in the devices made there are not bugged?

Re:That is all well and good.

"I /refuse/ to purchase an item that is known to me to have chips made in china because I believe it to be compromised." ......so how are you even posting this then?
or are you just very willfully ignorant about where electronics come from?

Non Americans

[Yvanhoe]

But can non-Americans apply ? You know, this category of persons that form 85% of Internet.

Social Semantic Desktop for Sensemaking on Threats

[Paul+Fernhout]

http://sourceforge.net/projects/pointrel/

At least I could spin it that way... :-)

And have:
"The need for FOSS intelligence tools for sensemaking etc."
http://groups.google.com/group/openmanufacturing/msg/2846ca1b6bee64e1

Where do I apply? :-)

I have a brilliant idea!

[SendBot]

I'm going to seek a $20k grant to advise police agencies against having their website developed by BJM marketing.

In case you are wondering what the hell I'm talking about: http://www.computerworld.com/s/article/9218961/AntiSec_hackers_dump_data_after_hacking_police_websites

Re:Social Semantic Desktop for Sensemaking on Thre

[Paul+Fernhout]

I see where to apply, a link in one of the articles:
    https://www.fbo.gov/?s=opportunity&mode=form&id=406db188e0e1935a806c143a5603eb48&tab=core&_cview=0

If slashdot allowed longer tittle I woudl have called it: "Social Semantic Desktop for Sensemaking on Threats AND OPPORTUNITIES"

We'll see if they like some variation on:
    http://groups.google.com/group/openmanufacturing/msg/2846ca1b6bee64e1
"Summary: This note is essentially about how civilians could benefit by have access to the sorts of "sensemaking" tools the intelligence community (as well as corporations) aspire to have, in order to design more joyful, secure, and healthy civilian communities (including through creating a more sustainable and resilient open manufacturing infrastructure for such communities). It outlines why the intelligence community should consider funding the creation of such FOSS "dual use" intelligence applications as a way to reduce global tensions through increased local prosperity, health, and with intrinsic mutual security."

Why not insist on free and open source?

[Paul+Fernhout]

From the reuters article: "Addressing a key issue for hackers doing government projects, they will be allowed to keep the commercial intellectual property rights while giving the Defense Department use of the project."

Major problem with entire solicitation design

[Paul+Fernhout]

I skimmed through the solicitation. It has people paid on achieving milestones they set out in advance (and they say ideally for two month or four month working time frames). Essentially, they are insisting on a waterfall development model. That makes difficult any basic research and general creativity in exploring topic areas. I guess someone could get around that a bit by promising a report or something, but that is probably not what they are looking for.

In general it is a rule of thumb in some projects by competent people that those who do not promise delivery dates get done faster. :-)

It's not clear to me how streamlined this is relative to usual government proposals, other than a quicker approval turnaround and shorter project scopes. You still need to do a bunch of paperwork and planning.

For what I want to do, with a social semantic desktop that does some specific things for public sensemaking, where I've worked on related stuff for years, and made some related stuff like that before (for governments), there may be just enough potential for milestone definition for some proposal. I could see some other people might have projects they've long been wanting to do and worked on pieces of that they could try to fit into this too. But for most people, thinking of something new, it would not be easy to plan for those milestones if they were other than work for X hours, and the endeavor could be high risk for the proposer if they don't meet their milestone (they would presumably not get paid?). Anyway, I just skimmed it, so maybe I missed something.

I'd suggest DARPA might have more success if they just asked for resumes from talented people and small groups, said we will fund you to work wherever (home office) for three months on cool free and open source stuff in an area you propose and we find interesting related to security, and if you want more funding after that, we'll decide based on what you deliver in that time period. Call the program "DARPA Cyber-Security Fellows" or something like that.

I'd be curious what other have to say on that.

Re:Major problem with entire solicitation design

Complete project out of curiosity.
Feed "milestones" while working on next project.

You just need a 1 project buffer!

(just a joke please don't let darpa get me)

Re:Major problem with entire solicitation design

[Paul+Fernhout]

It's a joke with lot of truth to it. My undergrad adviser said he used this model sometimes (he's 90 or so now, so probably OK to mention this). He said he would essentially get a grant for work he had already (mostly) done, and then use much of the money to do the next thing. So, you are right, it's an interesting and sometimes successful model.

A much deeper problem is that the people good at looking good may not be the same people good at doing stuff. As someone suggested recently (forget where, maybe on slashdot) that is why so many mediocre films are produced. The best directors and writers may not be the best at convincing others to give them money to make films. This is in part a function of how many lesser skilled wannabees are around and how desirable the area is. The more mature a field is, perhaps the bigger the problem?

I think that was implied in another recent slashdot article that at first glance seemed to be about how the popularity of computer programming was insuring the unemployment of true geeks. Will a true geek, even one with decent social skills, get hired when hiring managers can find a lot of very appealing people who look even more on paper like true geeks than the true geeks, and they can't tell the difference, or at least, can't tell from the information they have to work with? This is also a problem in the "Seven Samurai", how does a farmer know what makes a good Samurai? And there are so many aspects to what makes people effective, even a focus on skills and experiences can be misleading.

A completely different issue is you may be hiring the wrong type of person, or the wrong person may be doing the hiring. For example, this presentation by David Eaves suggests that big open source projects need good facilitators at the core more than they need good coders:
http://www.slideshare.net/david_a_eaves/community-management-presentation/

Still, coding skills in the case of open source may be important for a certain level of respect by the community. In general, we need better software tools for collaboration, as that presentation talks about (and thus the need for a social semantic desktop and good tools on it, including for stuff like Structured Dialogic Design and a variety of other methods for collective sensemaking and analysis and collaboration).
http://www.globalagoras.org/
http://en.wikipedia.org/wiki/Sensemaking
http://collaboration.wikia.com/wiki/Stigmergic_collaboration

The best "manager" I ever had in a commercial setting did not know how to code that well (although he could code enough to understand the problem area and contribute to it), but he was great at managing a team well.

Another option for running a program like this is to not have applications. Just find people doing the work you like and give them money.

Still, ultimately, the best security is going to emerge from a society with things like a "basic income" to live off of so the people who like resolving these issues have the time to do so, without imposing this problematical filtering process on it. That is what is depicted in James P. Hogan's "Voyage From Yesteryear" sci-fi novel. And it is backed up by research, like discussed here:
"RSA Animate - Drive: The surprising truth about what motivates us "
http://www.youtube.com/watch?v=u6XAPnuFjJc

The best motivated work comes from taking money off the table, and people having a sense of purpose, developing a sense of mastery, and having a sense of ownership/influence over what is happening.

This is all why it is so how hard to give money away well, as discussed near the end to the Seven Laws of Money

Hudson says....

[meglon]

Sarge, is this going to be a stand up fight, or just another bug-hunt?

Re:Hudson says....

[gmhowell]

There may be a xenomorph involved.

Re:Social Semantic Desktop for Sensemaking on Thre

[Paul+Fernhout]

I wrote this up last month as a proposal abstract for an IARPA soliciation, but I have not sent it (someone who had been with the CIA and does public intelligence said it would be pointless essentially as the US intelligence community is so broken). Anyway, I though I'd post it here, as I've written it already, and it seems a shame to waste it, and because it is what I'd like to do maybe for this solicitation. Any constructive feedback would be appreciated. Maybe DARPA might be interested in it if not IARPA, given the structural problems in the US intelligence community it seeks to address and which are part of why the US cyber infrastructure is so at risk? Imagine global security researchers having a tool like this to work collectively for mutual benefit to maximize the intrinsic security of our cyber infrastructure. I know some people may say terrible things about any attempt to engage with the US security apparatus (not without some justification), but, beyond being motivated by running out of cash (in part by doing so much free stuff), I do think the issue is that we all need security -- the issue is how we go about getting it. This proposal attempts to shift the US security paradigm in a more intrinsic and mutual direction, which is more sustainable over the long term than a focus on extrinsic (guarded) or unilateral (dominance) security. Maybe others might find the general concept of shifting the security paradigm useful in their own proposals.

====

Title: "Twirlip: Towards a 21st Century Worldwide Public Intelligence Desktop Platform for Collaborative Sensemaking, Analysis, Risk Assessment, and Horizon Scanning"

Company: Kurtz-Fernhout Software
Organizational form: Woman-owned small business (Cynthia F. Kurtz, CEO)

Prepared: July 12, 2011

Amount requested: US$297,000

Responding to: IARPA Incisive Analysis Office Wide Broad Agency Announcement (BAA) Solicitation Number: IARPA-BAA-10-08, especially these aspects:
* Methods for measuring and improving human judgment and human reasoning
* Understanding and managing massive, dynamic data
* Effective analysis of massive, unreliable, and diverse data
* Assessing relevancy of new data
* Analysis of significant societal events
* Estimation and communication of uncertainty and risk

Summary: As a legacy from the 20th century, there are currently broad institutional barriers in the US intelligence community that make it difficult for intelligence analysts to gain 21st century insights into 21st century issues using 21st century technology and 21st century public data sources. To address the need to move beyond those institutional barriers, we propose a proof-of-concept project called "Twirlip" as a free and open source software (GPL) Public Intelligence desktop platform for the general public. It would use Java/JVM desktop technologies and CouchDB as a backend relay server and indexed archive. It would be built around the idea of a social semantic desktop. The public can then use this system to process open source data to crowdsource sensemaking and analysis about global socioeconomic, technical, and geopolitical trends, with a special emphasis on understanding the likely global consequences of Moore's law. The global community can also expand this platform in various ways by adding new freely licensed modules. The US intelligence community can then build on this public software and public content in its own internal sensemaking and analysis. Supporting this system by IARPA may create both a strategic first mover advantage and a public relations advantage for the US intelligence community. Whether the software is of any use to the US intelligence community directly is not as important as whether the community gets new ideas from seeing what the public does with such tools or seeing how such tools are expanded.

Technical/Administrative contact:
Paul D. Fernhout, CTO
Kurtz-Fernhout Software ...
Website: http://www.kurtz-fernhout.com/

Social Media Protocals

[hhawk]

Open Protocols for Social Media would be very helpful..

Think along the lines of Diaspora and Google+ but within a military context, where each command/outfit, etc. needs to own it's own data, various aspects of data needs to shared (nor not shared) based on a firm but flexible set of permissions and you have a fairly ideal way of allowing modern war fighting use social tools; all of those still on secure networks but having a wide range of secure sharing. This could include pushing data out to non secure networks from civilian to governmental (e.g, congress, white house, etc.) and NGOs or pushing data to other secure networks (e.g., CIA, NSA, etc.).

 

Re:Who is scummy enough to work there

You can mark my fucking score down so it's un-readable, but you can't change facts.

I'm submitting this... apk

A return to the "old" to combat the problems of "the new" & why, in combination with filtering DNS servers (vs. malware-in-general in most ALL forms) that use DNSBL's vs. them! I have done so for YEARS now (since 2002 in my older Delphi model, which used "brute force" dedup methods which was FINE on HOSTS files in those days that only MAYBE hit 16k lines - lately, they're a LOT larger than that, so I switched to a Python system my nephew & I co-wrote that processes MILLIONS @ a time & faster dedup algorithms in place is why because of Python's built in routines).

It does the following things:

---

1.) Data gather from reputable sources for HOSTS data (some listed below, not all though), DNSBL's too!

2.) Alphabetize the data

3.) Removes duplicates/normalizes the data

4.) Changes from the larger & slower 127.0.0.1 "loopback adapter address" to the just as compatible & faster 0.0.0.0 "blackhole routing" address instead

5.) Filtering vs. "problematic" sites that MAY 'disturb' some sites IF their adbanner servers are disrupted (YAHOO, AOL, MSN & quite a few others)

6.) Commits back (from a "temp/scratch" file) to the ORIGINAL HOSTS file for use by the system &/or apps (@ RPL 0/Ring 0/kernelmode level, FAR faster & more efficient than Ring 3/RPL 3/Usermode filtering solutions are mind you) by OVERWRITE, assuring CLEAN COPY & a pristine unaltered (by malware) HOSTS file!

---

As well as a recommendation for this, in combination with it (using the excellent CIS Tool as a guide) -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE

My custom HOSTS file currently protects me vs. 1,554,666++ (& growing every 15 minutes) KNOWN bad sites/servers/hosts-domains that are KNOWN to be either maliciously scripted, or serving up malware-in-general, plus spamming/phishing sources as well as botnet C&C servers.

How/Why? Ok, read on:

20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:

1.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).

2.) Adblock blocks ads in only 1-2 browser family, but not all (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).

3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current)).

6.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs. HOSTS file are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY th