Slashdot Mirror


Defense Expert: Hire Hackers and Wage War

Phoghat writes "A top defense and cybersecurity expert says the U.S. should stop trying to take aim at expert hackers and start doing a better job of recruiting them. 'Let's just say that in some places you find guys with body piercings and nonregulation haircuts,' says U.S. Naval Postgraduate School professor John Arquilla. 'But most of these sorts of guys can't be vetted in the traditional way. We need a new institutional culture that allows us to reach out to them.'"

39 of 157 comments

  1. I got first post :P by Anonymous Coward · · Score: 4, Insightful

    I am guessing that culture doesn't want to be vetted, by any means, traditional or non-traditional.

  2. Distrust and lie paved way to these hacks by Anonymous Coward · · Score: 4, Insightful

    Most of these hackers inherently distrust the government, that's why they are hacking them. So what is the benefit in hiring them?

    1. Re:Distrust and lie paved way to these hacks by SuricouRaven · · Score: 4, Insightful

      Principles can be overridden with money. Doesn't even need much. The benefit is that some of those hackers are very highly skilled, and they are used to not playing by the rules - which is good, because the enemies of the US won't be playing by the rules either.

      That's the idea, anyway. I think in practice any good hacker (As opposed to a conventionally, formally trained engineer) is going to be driven half-crazy by the highly conformist military culture, and those that can stick with it are going to need constant micromanaging to keep them on their assigned mission ('You want me to disassemble yet another possible Chinese worm? BORING!') rather than using the available resources to do what they think is best ('Ohh, I'll write a virus that installs HTTPSeverywhere and blocks RST packets! That'll totally screw with China's filtering!').

    2. Re:Distrust and lie paved way to these hacks by axlr8or · · Score: 4, Informative

      No, principles can be overridden with ego. Real hackers are about the science. Hackers that are out to damage things are about their egos. That's actually what makes hiring them fruitless. Once they get bored with the 'I work ops for the FBI' or whatever, they'll move on to, 'I'm a double agent' so and so forth etc... That's why instead of building things they find it much easier and gets them more attention to break things. No, they aren't good bets.

  3. Re:If this is about cyberwar, by jimmydevice · · Score: 2

    Isn't that what the man wants?

  4. That's how they killed it. by rmdingler · · Score: 3, Interesting

    Government sanctioned hacking will lead to enemy government retaliation, and then they'll take the internet as we know it to save us from those damn terrorists.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:That's how they killed it. by jafiwam · · Score: 5, Insightful

      It's sorta funny to read this type of bleating in a Slashdot article that appears on the same day as one that says the Chinese government has backdoors in 80% of Telecoms to sniff information.

      Look, ya dumb sheep.

      They are already waging war against us, enemy and "friendly" states already use their government resources to steal intellectual property and wage industrial espionage against the United States. You obviously don't actually run any internet-facing services or you would see this shit in your logs.

      The fact that our government doesn't do it aggressively too is the odd part. It's time to man up and fight back or your children (assuming you manage to breed) will be speaking Chinese and working for Russian mobsters for a daily loaf of bread.

    2. Re:That's how they killed it. by BurstElement · · Score: 2

      Haha... you really need to take a good look and consider who are the sheep and who is the shepherd!
      Do you honestly believe that the US Govt. doesn't have backdoors / access to backdoors in 99% of US telecoms tech?

    3. Re:That's how they killed it. by hoggoth · · Score: 3, Informative

      > The fact that our government doesn't do it aggressively too is the odd part

      How do you know our government isn't already doing the same?
      Look at Stuxnet... we have the capability.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
  5. Easy by santax · · Score: 4, Funny

    Buy Blizzard. Threaten to close WoW account of said hacker. Et voila, you've got yourself a hacker that you can count upon! (Give them a free flying mount once in a while and you keep them happy too!)

  6. This is nonsense. by Anonymous Coward · · Score: 4, Interesting

    Some of the most talented technical people I know are also the most clean-cut and athletic. Some of the worst, show-offs who know the talk but little else, fall into your usual hacker stereotype with their appearance. I think the former is more realistic, and the latter is more romantic fantasy— brought on by people who idealize Gibson. In other words, why bother? The first group is more likely to give you a well-rounded individual who actually knows her material. The second group is a total crapshoot.

    1. Re:This is nonsense. by Anonymous Coward · · Score: 2, Insightful

      I know a few nerds who are also fitness geeks but you're highly delusional if you think that most hackers fall into that category. Most of us are not fit, unhealthy, and are weird looking.

  7. hackers by clarkkent09 · · Score: 2, Funny

    Most of those guys are clueless about the outside world so they may be hard to motivate. Maybe sex will work. Hire some hookers.

    --
    Negative moral value of force outweighs the positive value of good intentions.
  8. It takes one to know one by cheros · · Score: 4, Insightful

    The problem is that vetting the ethics of a hacker needs someone who has insight in the cultural framework as much as the technical capabilities of the person under review, and that is MILES beyond your average HR setup.

    I know from my own experience that the best reviewer for tech is someone who is either a former hacker him/herself, or has a personality that borders on Aspergers. You cannot understand technical people if you do not have the required mental tools, and especially the brighter hackers do not exactly conform to the standard employee model.

    So, use one to know one, and forget about your average corporate HR droid doing anywhere near a sensible assessment. Oh, and forget about standard management techniques either - not only does it take one to know one, it certainly takes one to manage them.

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    1. Re:It takes one to know one by hoggoth · · Score: 2

      > forget about your average corporate HR droid
      So what you are saying is these aren't the droids we're looking for?

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    2. Re:It takes one to know one by cheros · · Score: 2

      Actually, that's how I got hold of the first security admin for a company I had just helped set up. After an internal move (prior to official launch) I inherited a desk that was obviously HR. It had a stack of CVs in, all with "no" across the top. 4 CVs in I see the perfect candidate, so I got him in. He stayed there for 3 years or so..

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  9. stereotypes by Anonymous Coward · · Score: 3, Insightful

    While we're at it, could we please also *not* assume that l33t hackers come only in one visual package (piercings, ink, etc.)?

  10. Let's See... by Phrogman · · Score: 3, Insightful

    Take highly competent tech people who are generally speaking somewhat anti-authoritarian, give them the tools to do nasty things to the nation's enemies via hacking, malware programming etc, and expect them to keep their mouths shut about it.
    A lot of people don't trust the government - and often with very good reason - why would they want to hack for it?
    How long until the complete log files of everything they and everyone they associate with are sent to Wikileaks?
    Find technical people who are not anti-authoritarian and get them to do your hacking - just hire them for ability and knowledge rather than the traditional military virtues that most military organizations look for. In fact, hire them as civilian contractors and then keep them away from the rest of the military :P

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
  11. Re:I got first post :P by oztiks · · Score: 3, Insightful

    Want to reach the hacking culture? It's like hiring tribes people to help log the Amazon rainforest. Corporations should learn from the mistakes made in those scenarios before even thinking of strategies such as this.

    The irony here is although the Govt started the Internet as an official project, it has always rested on the shoulders of academics and the talent of the hacking community, corporations come further down the list.

  12. never going to work, ridiculous principle. by nimbius · · Score: 4, Insightful

    you have to realize that many of the "cyber hackers" the government is eyeballing are the very same people that love nothing more than to leak classified data and hack into defense secrets solely because they view your establishment as the problem.

    speaking as one of the aforementioned non-regulation pierced guys, i can say that each time i hear a blowhard suit at the anything-department wax prophetic upon anything prefixed with "cyber," i roll my eyes, turn up the hardcore techno, and go back to writing that python interface for the communications receiver I bought on craigslist a few months back.

    no one cares about the next war you're trying to sell america except the mouthbreathing walmartians in the sticks. the people you're trying to "reach out to" explicitly do not respond because they aren't stupid enough to nod when told "be all you can be." as knowledge is power they understand enough about your institution to avoid it at all costs. all it's done in the past 40 years is act as an engine of misery, destruction and sorrow across the globe.

    --
    Good people go to bed earlier.
    1. Re:never going to work, ridiculous principle. by roman_mir · · Score: 2

      Be all you can be - kill some people.

      That is the message. If that's not 'evil', then what is?

  13. Re:If this is about cyberwar, by ranton · · Score: 4, Insightful

    > I say it's awfully childish. Do we really want the Internet to be an unstable place?

    It is far more childish to think that if we just play nice, everyone else will follow suit. The Internet will not be made secure by covering our eyes, crossing our fingers, and praying. It will only be more secure by making sure that those interested in its security have bigger "guns" than those interested in its instability.

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
  14. No age rules, no boot camp, no medical disqualifie by Joe_Dragon · · Score: 2

    No age rules, no boot camp, no / limited medical disqualifies.

    Why should someone who, say, may be in a wheelchair not be able to do work like this just because of having to go to boot camp? Or the same thing about age rules, so you have long-time pros come in that may be too old to pass boot camp.

    Also there are smart IT people who don't have the mental mindset to handle a boot camp as well.

  15. Re:If this is about cyberwar, by Anonymous Coward · · Score: 2, Insightful

    Or by actually investing in secure technologies and practices. In real life, it's better to make sure those interested in security are well-armed because there's not much that can withstand a bazooka, but, online, it's very difficult to compromise communications encrypted with 4096-bit RSA.

    tl;dr offense is easier in the real world than it is online.

  16. Re:If this is about cyberwar, by amiga3D · · Score: 3, Interesting

    Internet Security is a fantasy. Allowing anyone and everyone access to the network makes it almost impossible. I can't believe that servers with secure information would ever, under any circumstances be connected to something so untamed. For starters all my secure computers would never run a disk based operating system. The entire OS would reside in ROM and when it was time for an upgrade I'd burn a new chip. Expensive? Not as expensive as having 1.5 billion dollars worth of research hacked. I don't think network security is nearly paranoid enough.

  17. Wait by Provocateur · · Score: 4, Funny

    > We need a new institutional culture that allows us to reach out to them.'

    Cue MONTAGE featuring Cameron Diaz as cute "brutal" platoon sergeant yelling orders at misfits!

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  18. Re:If this is about cyberwar, by Tastecicles · · Score: 2

    An organic system is inherently unstable - this is why the global network is so resilient against targeted attacks (such as wide-scale DNS poisoning, root name server outage...). The system will route around the dark spot. Whether or not it's "what the man wants" is irrelevant. If "The Man" wants the Internet to go dark permanently, all "The Man" has to do is cause a global, total and simultaneous blackout of every node, domain and name server, webserver - anything with a CPU and internet connection.

    No biggy.

    --
    Operation Guillotine is in effect.
  19. Re:If this is about cyberwar, by tenco · · Score: 4, Interesting

    If you hand out bigger "guns" and the internet becomes a warzone, everyone loses. The only way to keep it civilized is by handing out better "armor", making "guns" as ineffectual as possible. Since the military isn't interested in armor only and i don't trust them to use "guns" in a reasonable way (if there actually is one) i don't know why i should put me under their command.

  20. Re:If this is about cyberwar, by sl4shd0rk · · Score: 3, Interesting

    > Do we really want the Internet to be an unstable place?

    What makes you think it's stable now? Although I think "Cyberwarfare" is more media drama than actual warfare, networks could be doing a lot more to make them more secure. We don't because, users. Users don't want inconvenience. Users don't want two passwords (one email, one login). Users want their desktop on their mobile device. Users want access to confidential data on the same PC their kids play on. Don't get me wrong, without users there's no need for a network but things have gotten way out of hand with security.

    I think it's a good sign that some places in the tech industry are starting to realize they could be doing better. Maybe they will finally get around to listening to real experts instead of paid-for marketing shills.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  21. Re:No age rules, no boot camp, no medical disquali by SuricouRaven · · Score: 2

    You expect inclusiveness from the US military? Up until quite recently, their policy was to kick out anyone they determined to be gay. Their policy on women is still to confine them to desk jobs, far away from combat. Perhaps it would be better to strip the DoD from all responsibility for internet security and assign such tasks exclusively to a new agency, answerable directly to congress. They'd work with the military and intelligence services, but not be part of them. No boot camp, no ranks, and a staff of tech-experts and intelligence experts rather than generals who got up the ranks by being good at killing stuff.

  22. Re:I got first post :P by AliasMarlowe · · Score: 3, Insightful

    > Want to reach the hacking culture? It's like hiring tribes people to help log the Amazon rainforest. Corporations should learn from the mistakes made in those scenarios before even thinking of strategies such as this.

    What the corporate MBAs would immediately deduce is that the tribespeople had been improperly incentivized, and should have been offered different shiny stuff. Numerous case studies would then be performed to find the optimum lowest-cost shiny stuff to offer to induce tribespeople to wreck their environment. Devastation of the rainforest would not be abated, while corporate profits and MBA bonuses would increase grotesquely for a few quarters.

    Similar dysfunctional thinking would be applied to recruiting hackers.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  23. Re:No age rules, no boot camp, no medical disquali by Skapare · · Score: 2

    Just don't hire them as members of the military in the usual sense.

    --
    now we need to go OSS in diesel cars
  24. There's NO opportunity by Jeremiah+Cornelius · · Score: 2

    Like the opportunity to destroy AmeriCIA from within!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  25. Re:If this is about cyberwar, by Jeremiah+Cornelius · · Score: 2

    What do you mean "We", white man?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  26. Re:If this is about cyberwar, by TubeSteak · · Score: 2

    > The entire OS would reside in ROM and when it was time for an upgrade I'd burn a new chip. Expensive? Not as expensive as having 1.5 billion dollars worth of research hacked. I don't think network security is nearly paranoid enough.

    What makes you think you're going to write an OS without a single security flaw that could be exploited?
    Burning it to ROM is just ensuring the exploit lingers in the wild longer than it should.

    --
    [Fuck Beta]
    o0t!
  27. Re:I got first post :P by Anonymous Coward · · Score: 2

    From what I see, if the US government has to reach to the hacking culture, they need to "atone" for Operation Sun Devil. Right now, at best, they can get contractors because of this. Unlike China where their citizens will happily go to a computer room and start doing their work.

    The pogrom against Steve Jackson Games and other sites forever made any person with non-trivial skillz not interested in any way to work for the US, just for fear that they will be labeled a "terrorist" should something happen, and burned at the stake.

    The US government needs to view blackhats and whitehats as the same as soldiers, and give them the same respect. No, a guy doing fake VoIP calls in order to get a network topology so he can scout it with nmap is not as awe-inspiring as a Navy SEAL who racks up body counts. But the guy at the keyboard is as important if not more to an operation.

  28. I don't trust people who are not open by bodhisattva · · Score: 2

    Did anyone see "Catch Me If You Can"? True story. The FBI hired a master counterfeiter and con-man. Trust? Both the CIA and the FBI have vetted guys and moved them to high posts while they were working for the KGB. With a hacker you know what you're getting. They have to decide whether they want to protect their country from enemies, foreign and domestic. Don't expect them to jump on board with massive personal intrusion, expect them to go after bad guys. They have to accept that they are going to be watched, tapped, bugged, whatever, as part of the job.

    By the way, polygraph tests are a joke. Aldrich Ames had to take a polygraph test. His KGB handlers told him not to worry, get a good night's sleep and be friendly with the testers. He passed of course. Anyone can beat it and with some mild drugs they might as well be giving the test to a corpse. Read "Telling Lies" and "Lie Spotting" and you'll be able to do a better job.

  29. Re:No age rules, no boot camp, no medical disquali by i286NiNJA · · Score: 2

    You can sign up for SPAWAR as a civilian... many SPAWAR employees end up becoming navy reserve officers and show up in uniform once a month so they can get extra money.

    They're actively recruiting at hacking events.

  30. Re:Again with the military by Johann+Lau · · Score: 3, Insightful

    More like thugs with piles of corpses in their basement, that are overshadowed only by their needy desire for approval and respect, gang up on anybody looking at them the wrong way, while robbing those they claim to protect blind. Which is exactly the opposite of what you claim it is, defending something of value. It's destroying value, and for pitiful reasons.

    Bill Hicks said it best, why even bother typing when I could quote that:

    The world is like a ride in an amusement park, and when you choose to go on it you think it's real, 'cause that's how powerful our minds are. The ride goes up and down, and round and round. It has thrills and chills, and it's very brightly coloured, and it's very loud. And it's fun, for a while.

    Some people have been on the ride for a long time, and they begin to question: "Is this real, or is this just a ride?". Other people have remembered, and they come back to us, and they say: "Hey, don't worry, don't be afraid, ever, because: This is just a ride". And we kill those people.

    "Shut him up! We have a lot invested in this ride. Shut him up! Look at my furrows of worry; Look at my bank account; and my family. This just has to be real."

    It's just a ride. But we always kill those good people who try to tell us that - you ever noticed that? - and let the demons run amok. But it doesn't matter, because... it's just a ride, and we can change it any time we want.

    It's only a choice, no effort, no work, no job, no savings of money; a choice, right now, between fear and love. The eyes of fear want you to put bigger locks on your doors, buy guns, close yourself off. The eyes of love, instead, see all of us as one.

    Here's what we can do to change the world, right now, to a better ride. Take all that money we spend on weapons and defence each year and instead spend it feeding, clothing and educating the poor of the world - which it would many times over, not one human being excluded - and we can explore space together, both inner and outer, forever, and in peace.

    Bill Fucking Hicks.

    And if you think a comedian doesn't count, try just about any great mind... they more or less all agree. They either didn't write about it, or they said something to the effect of the above. Anything lower than that is just mediocre BS. People lie to themselves, so they lie to you ("you" as in "the people"), and you drag that cart all the way up the hill... in it? Banal bullshit. Trinkets and lies. Coffins are being flushed down the toilet, while show tunes play.

    War is a way of shattering to pieces, or pouring into the stratosphere, or sinking in the depths of the sea, materials which might otherwise be used to make the masses too comfortable, and hence, in the long run, too intelligent.

    George Orwell.

    Could it be for the same reason that a jewelry store outspends a hot dog stand on defense?

    Deadstick.