Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Navy Solicits Zero Days

Posted by samzenpus on from the how-would-you-break-this? dept.

msm1267 writes: The US Navy posted a RFP, which has since removed from FedBizOpps.gov, soliciting contractors to share vulnerability intelligence and develop zero day exploits for most of the leading commercial IT software vendors. The Navy said it was looking for vulnerabilities, exploit reports and operational exploit binaries for commercial software, including but not limited to Microsoft, Adobe, [Oracle] Java, EMC, Novell, IBM, Android, Apple, Cisco IOS, Linksys WRT and Linux, among others. The RFP seemed to indicate that the Navy was not only looking for offensive capabilities, but also wanted use the exploits to test internal defenses.The request, however, does require the contractor to develop exploits for future released CVEs. "Binaries must support configurable, custom, and/or government owned/provided payloads and suppress known network signatures from proof of concept code that may be found in the wild," the RFP said.

24 of 59 comments (clear)

  1. Ask the NSA by quenda · · Score: 3, Interesting

    So much for post-911 interagency cooperation. While one agency is inserting weaknesses, another is having to buy then on the open market. Though the Navy approach is probably cheaper.

    1. Re:Ask the NSA by CaptainDork · · Score: 1

      Ask China.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:Ask the NSA by quenda · · Score: 1

      The Navy is always fighting the last war. In 1939 they had too many battleships. Now they have too many aircraft carriers and too many SSBNs. This wastes massive resources. A good thing they are paying at least a little attention to newer threats.

    3. Re:Ask the NSA by quenda · · Score: 2

      The US has ten carriers. China, Russia and France have one each.

    4. Re:Ask the NSA by aaaaaaargh! · · Score: 1

      For example, they invented Tor.

    5. Re:Ask the NSA by DanJ_UK · · Score: 1

      That's almost as hilarious as the 50 or so the UK has had in its time.

      We have 2 new ones under construction in the UK and we only realised after we started building them that we don't actually have any planes to put on the them yet while we wait for our FGR4 replacements and our F-35s from you guys.

      --
      - Dan
    6. Re:Ask the NSA by CrimsonAvenger · · Score: 1

      The USA has obligations in both the Pacific and Atlantic (and arguably the Indian) oceans.

      Aircraft carriers don't yet have teleportation technology, so it takes a while to move them from one side of the world to the other.

      So, we need enough in each ocean to handle any conceivable problem. Plus extras to deal with required time in port (while a CVN can stay at sea for very long periods, its non-nuclear escorts require rather more time in port) and yards (even CVNs require time in shipyards every few years, which takes them out of service for weeks to months at a time (to years at a time in some cases)).

      Plus there's the thing we learned in ww2 - when you get into a fight, bring enough stuff to guarantee a win. In war there are no Good Sportsmanship consolation prizes....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    7. Re:Ask the NSA by CrimsonAvenger · · Score: 1

      The Navy is always fighting the last war. In 1939 they had too many battleships.

      Two things:

      1) the US wasn't involved in a war in 1939.

      2) the US had exactly the number of battleships as allowed by the Naval Treaties of the time. And the US had exactly the number of aircraft carriers as allowed by the same Naval Treaties. Note that having fewer BBs then would not have affected the number of CVs in any way, since both were limited by treaty.

      Oh, and in spite of the US having "too many battleships", it looks like they managed to win that war just fine.

      And an aside - did you know that the US was the only major naval power to not lose a single battleship/battlecruiser at sea during WW2? And yes, we used BBs in the Pacific (including most of the ones sunk at Pearl Harbor - Arizona and Oklahoma were the only ones not returned to service).

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    8. Re:Ask the NSA by bill_mcgonigle · · Score: 1

      So much for post-911 interagency cooperation. While one agency is inserting weaknesses...

      Did you think the Congress was going to tell the NSA to stop doing unconstitutional things and then the US Government, as a whole, would just stop violating the Constitution? As long as there's free money being printed (or kept off books through arms and drug sales), the activities will always just hop to a different group, and the Congress can keep playing Whack-A-Mole until a supermajority is compromised.

      Then we get to see the Prisoner's Dilemma play out with big guns.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. That's Not How You Do It by Greyfox · · Score: 1

    1. Get government to create a security rating (required for government contracts) that requires software audit reports.
    2. Have companies submit reports to you as part of the process.
    3. Charge companies for the security rating and reviewing their reports.
    4. Profit AND build a repository of zero-days.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  3. Why.... by Luthair · · Score: 1, Interesting

    does every agency and division of the military need to do this? Seems like the classic not invented here syndrome and a colossal waste of tax payer money.

    1. Re:Why.... by ShanghaiBill · · Score: 1

      does every agency and division of the military need to do this? Seems like the classic not invented here syndrome and a colossal waste of tax payer money.

      The Soviets are our adversary. Our enemy is the navy. -- Curtis LeMay, General, USAF

  4. Security and 1984 by Iamthecheese · · Score: 4, Insightful

    Little is more Orwellian among our government's many exploits than its attempts to break into our computer systems.

    The ever-present security camera? That's bad, but it's still out in public. It's on the street, maybe in the stores. They're not in your home, not yet. Rubber stamp warrants? That's worse: It allows targeted invasions of privacy. But at least it requires a the resources of a human with a paycheck and his own sense of morals. But breaking into computer systems? They're in our pockets, in our homes, and have access to every bit of our modern lives. From shopping lists to love letters to medicine prescriptions they contain whole lives. Snippets from every trip you've taken are encoded there.

    And a program doesn't have a sense of right and wrong. It will never refuse to spy on ethical grounds. It won't bring things up to the attention of oversight committees. It won't make anonymous calls to the ethics line. It won't refuse to work, leak information, or demand orders in writing. A program will quietly do as its told, wherever it can. Above all prying surveillance I believe ubiquitous IT access by the government needs to be contained.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
  5. "share"? by turkeydance · · Score: 1

    no. not that.

  6. Navy? by codepigeon · · Score: 1

    My first thought was why in the world would the navy want these capabilities, but then I remembered reading a story here that discussed the use of windows NT to run a ship. I suppose the navy is looking for the ability to take out opponent ships control computers?

    1. Re:Navy? by Anonymous Coward · · Score: 1

      No, this is just SOP with the armed services. Some time ago, the Air Force put together a cyber command structure so now the Navy wants one. Bailiwick and all that.

  7. This has been happening since day one by Taco+Cowboy · · Score: 2

    How many years it officially took the hackers to stumble across the existence of the embedded NSA backdoor inside MS Windows??

    Way before the news of that 'discovery' was told to the world, a friend of mine found it, but was told to 'shut up or else' by his then boss

    Apparently they (and many other people) already knew about it for quite a while, but none of them bother to tell the world about it

    --
    Muchas Gracias, Señor Edward Snowden !
  8. One wonders if/how Microsoft, Apple, Oracle, etc. by Burz · · Score: 1

    ...respond to government requests for zero-days, whether official or unofficial.

  9. and yet real secuirty research is all but outlawed by onproton · · Score: 1
    I am finding it harder and harder to accept that the people in charge of these types of programs aren't aware of just how glaringly hypocritical they are. I can't help but be reminded of the quote:

    We grow up in a controlled society, where we are told that when one person kills another person, that is murder, but when the government kills a hundred thousand, that is patriotism.
    - Howard Zinn

    Find a zero day and report it to someone who might fix it, that is criminal. Find a zero day and report it to the navy, you've done a service for your country. There is a unfortunate disconnect when the things the government does in the name of keeping us safe, end up making us all decidedly less safe in the end.

  10. This is how you do it now by Anonymous Coward · · Score: 2, Funny

    You cant disadvantage foreign companies/intelligence agencies by creating new rules, without them suing you under the new proposed trade treaties.

    I would have made $x but you changed the rules, pay up!!

  11. Re:One wonders if/how Microsoft, Apple, Oracle, et by Anonymous Coward · · Score: 1

    If they want to keep their business going internationally, they'd better not give them anything without a fight. Especially now considering that Snowden's leaks made a lot of people, both inside and outside the US, wary of US made software / hardware.

    Actually, I wonder why they would want to post such a thing to begin with? The best thing for them (the US) would be to give lip service to reforms while moving and re-securing their espionage activities out of the public eye. By posting this request to the web, they are effectively giving everyone inside and outside the US more proof that the US is not their friend / ally / etc. when it comes to technology, and that anyone and everyone, regardless of where they are, should avoid US technology products and services AT ALL COSTS. "US technology is ABSOLUTELY NOT TRUSTWORTHY AT ALL, it is ALL co-opted by us for our own purposes, and WE WILL USE IT TO OUR ADVANTAGE, we don't care if you know about it or not." That is what the US is saying with this post, and it will come back to bite them when other countries come in to capitalize on the untrustworthiness of the US and seek to replace them.

    The sad thing is as a result, the US will utterly destroy it's technology sector and any influence over international technology development and manufacturing it had. It's my opinion, but I foresee future layoffs and more unemployment for US technology workers, as the bad behavior of the US government causes increasing international mandates for any serious development effort to occur completely outside of the US and it's jurisdiction as a security measure.

  12. Navy did signals intelligence first by raymorris · · Score: 1

    The navy has been doing signals intelligence for a hundred years or so. Ships do two interesting things - they communicate with their allied forces via radio using giant antennae, and they loiter close to enemy territory, and therefore enemy communications. It's only natural that they would point their large antennae at the enemy, and they've been doing so since just after radio was invented.

    The navy also legitimately brings large numbers of personnel into foreign ports on a regular basis. It's only natural to give some of those sailors varying degrees of training in keeping your eyes and ears open while on foreign soil. Thus, the Office of Naval Intelligence has long been a significant part of our foreign intelligence capability.

  13. Navy has long done this. They hang out near foreig by raymorris · · Score: 1

    The navy has been doing signals intelligence for a very long time. Ships communicate with their allied forces via radio using giant antennae, and they loiter close to enemy territory, and therefore enemy communications. It's only natural that they would point their large antennae at the enemy, and they've been doing so since just after radio was invented.

    The navy also legitimately brings large numbers of personnel into foreign ports on a regular basis. It's only natural to give some of those sailors varying degrees of training in keeping your eyes and ears open while on foreign soil. Thus, the Office of Naval Intelligence has long been a significant part of our foreign intelligence capability.

  14. Novell? by forty-2 · · Score: 1

    Are they also soliciting attack vectors for SCO, VMS, BeOS & CP/M?

    --
    never drink kool-aid from a big vat