Slashdot Mirror


DoD Announces New Bug Bounty Program Called Hack the Pentagon (npr.org)

Quince alPillan writes: Announcing what it calls "the first cyber bug bounty program in the history of the federal government," the Department of Defense says it's inviting vetted hackers to test the security of its web pages and networks. Vetted hackers will need to pass a background check and will be attacking a predetermined system that is not a part of critical operations. This program is being put together by the Digital Defense Service, launched last fall.

62 comments

  1. FBI iPhones by Anonymous Coward · · Score: 0

    The FBI should follow suit with iPhones instead of litigation.

    1. Re:FBI iPhones by onkelonkel · · Score: 0

      Hack the iPhone. The problem with this is the FBI doesn't care one particle about the data on "the iPhone." They just want to use it as a lever to bend Apple to their will.

      --
      None of them can see the clouds; The polished wings don't care.
    2. Re:FBI iPhones by Anonymous Coward · · Score: 0

      The big problem with your logic is that if Apple has already given them access, then it is the last thing that either Apple or the FBI would want the public to know.

  2. yeah... by Anonymous Coward · · Score: 0

    like, I cannot imagine this going hilariously astray

  3. Call Dade for the job by Lisandro · · Score: 1

    HACK THE PLANET!

  4. MoMs of the mile conference still being delayed by Anonymous Coward · · Score: 0

    MANic wmd on credit psychopaths refuse to share the stage with anyone? truth+mercy=justice.. cease fire.. in the moms we trust

  5. Eeeh by Anonymous Coward · · Score: 0

    Report a bug, get 10 year vacation at Guantanamo Bay?

    1. Re:Eeeh by penguinoid · · Score: 1

      I hear they have a fun watersport, I think it's like water-skiing except with a surf board or something, they call it waterboarding.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    2. Re:Eeeh by vel-ex-tech · · Score: 1

      Exactly what I was thinking. It's not entrapment merely because law enforcement asks you to do something. We see the FBI use this all the time to catch "terrorists." Regular pigs will sell drugs to make arrests. Are they giving any guarantee that being arrested under the Computer Fraud and Abuse Act isn't the real prize? Is that a guarantee that law enforcement can even credibly make?

  6. lol... morons by Anonymous Coward · · Score: 1

    'vetted' participants only testing things that don't matter = security theater. Meanwhile the unvetted Chinese and Russian hackers are hacking their critical operations.

    1. Re:lol... morons by Anonymous Coward · · Score: 0

      Meanwhile the unvetted Chinese and Russian hackers are hacking their critical operations.

      Yeah, like there were only Chinese and Russian hackers. [rollseyes]

    2. Re:lol... morons by sumdumass · · Score: 1

      Not really. It will likely give them a fingerprint or signature of sorts that they can later use to identify you if you hack something they don't like.

      Sounds way too sketchy to me.

    3. Re:lol... morons by Anonymous Coward · · Score: 0

      One of the things our government does that makes me eternally wonder whether it is a conspiracy of malice or merely a conjunction of ignorance and negligence. Then again these days there is really not much difference.

    4. Re:lol... morons by Anonymous Coward · · Score: 0

      Not really. It will likely give them a fingerprint or signature of sorts that they can later use to identify you if you hack something they don't like.

      Sounds way too sketchy to me.

      And we have a winner. Bingo!

      Captcha: bribed

    5. Re:lol... morons by Actually,+I+do+RTFA · · Score: 1

      Things that don't matter could be a mirror of things that do matter (or a mirror with all the data modified). It's reasonable to test on an almost identical system that doesn't accidentally trigger the order to launch ICBMs getting sent to real places.

      The 'vetted' part is probably to prevent someone from discovering a bug in play, and putting it in practice. But, yeah, depending on how they "vet" someone....

      --
      Your ad here. Ask me how!
    6. Re:lol... morons by Anonymous Coward · · Score: 0

      You forget "bored interns", who also get into things in our (DoD) networks (and are already vetted) but are dismissed and the holes left as is because NMCI wants $10M to fix their own shit.

      Woo.

  7. nope by Anonymous Coward · · Score: 1

    it's a trap

  8. Not to point out the obvious but by nehumanuscrede · · Score: 2

    The financial payoff is likely to be several orders of magnitude higher if you figure out how to hack ANY Department of Defense network and sell it on the black market vs working for the USG and pointing out the same flaws.

    If the USG is serious about such a program, they might want to take this into consideration.

    1. Re:Not to point out the obvious but by Etherwalk · · Score: 1

      The financial payoff is likely to be several orders of magnitude higher if you figure out how to hack ANY Department of Defense network and sell it on the black market vs working for the USG and pointing out the same flaws.

      If the USG is serious about such a program, they might want to take this into consideration.

      So is the risk.

      That's how investment decisions work. Risk v. Reward. For example, if you bluff your way into the New York Fed and steal the gold in the basement, you're gonna be pretty rich. But good luck explaining that one away when they catch you.

      Plus, you know, treason.

    2. Re:Not to point out the obvious but by arth1 · · Score: 2

      Plus, you know, treason.

      Well, if you're not a citizen, you can't be charged with treason, can you?

    3. Re:Not to point out the obvious but by Anonymous Coward · · Score: 0

      The financial payoff is likely to be several orders of magnitude higher if you figure out how to hack ANY Department of Defense network and sell it on the black market vs working for the USG and pointing out the same flaws.

      If the USG is serious about such a program, they might want to take this into consideration.

      Military men and women in SysAdmin positions wearing stripes on their sleeves earn considerably less than your average civilian in the same position, and they handle classified data all the time that could be sold for several times their paycheck.

      Somehow that threat hasn't concerned the payroll department of the US Military one fucking bit as we pay them jack shit to do that job and always have.

    4. Re:Not to point out the obvious but by mrchaotica · · Score: 1

      Well, if you're not a citizen, you can't be charged with treason, can you?

      IANAL, but I think in that case it might be espionage instead.

      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    5. Re:Not to point out the obvious but by arth1 · · Score: 1

      Military men and women in SysAdmin positions wearing stripes on their sleeves earn considerably less than your average civilian in the same position

      Getting paid less than a private sector sysadmin these days is a feat in itself.

    6. Re:Not to point out the obvious but by Anonymous Coward · · Score: 0

      At least I can get a trial if I am a citizen. Otherwise it's straight to G-Bay for you.

    7. Re:Not to point out the obvious but by aliquis · · Score: 1

      Also, will they be honoring "previous work" entries if one provides evidence for having already breached their systems by the same method previously? ;D

  9. Not just DoD... by TexasDiaz · · Score: 1

    North Korea just announced a Bug Bounty program called, "Hack the Pentagon" too. Except, they're encouraging the hacking of critical systems. "Tell us first, get big reward!" is the slogan for the program. Oh, if I were only an Onion contributor...

  10. In other news... by puddingebola · · Score: 1

    In other news, the Chinese government projects a massive surge in revenue from "foreign sources." Economists are unclear on the details, but speculate it could lead to increased spending in the second quarter of 2016.

  11. China has a similar program. by Anonymous Coward · · Score: 0

    Not sure if it pays better though.

  12. Re:Wait by arth1 · · Score: 2

    Are they going to clarify why a background check is required for people to test the security of their systems?

    I can think of two reasons:

    1: They have shown that a core interest is to protect what they're doing from the view of law-abiding citizens, so it makes sense to test it against law-abiding citizens.

    2: Republicans would cry foul if they paid out prize money to anyone with a criminal history. All punishment must be based on revenge because the bible says so, disproportionate because it gets their rocks off, eternal, so they can continue to feel superior, and rehabilitation is ungodly commie speak.

  13. moms of the NILE conference you fool by Anonymous Coward · · Score: 0

    river of dreams award nominees.... infinite passion & patience, our real creators of traceable origin? no wonder they fuss?

    1. Re:moms of the NILE conference you fool by Maritz · · Score: 1

      Now you're talking gibberish to yourself. Well done.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  14. Industry opinions by Anonymous Coward · · Score: 0

    For whoever is curious, some industry opinions about their so-called bug bounty. Not that good apparently.

    http://news.softpedia.com/news/us-launches-bug-bounty-program-called-hack-the-pentagon-501261.shtml?utm_content=buffer150bd&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer

  15. Re:Wait by ShanghaiBill · · Score: 1

    Are they going to clarify why a background check is required for people to test the security of their systems?

    Because fewer and less qualified hackers will make it much easier to pass the test and declare their systems secure.

    If you ever worked for the government, you would understand exactly how this situation arose. There is a committee (there is always a committee). Some members liked the idea of the bounty, and others opposed it. So instead of making a clear decision, they compromised, and passed a resolution to offer the bounty, but with so many restrictions and exclusions that it was essentially meaningless. That way, everyone can take credit if there are no breaches in the future, and everyone can disavow responsibility if there is an intrusion.

  16. Don't ask what your country can do for you... by mongothesecond · · Score: 2

    The article says, "According to DDS Director Chris Lynch, "Bringing in the best talent, technology and processes from the private sector..." Because the best are just waiting to volunteer to work without clear compensation.

    1. Re:Don't ask what your country can do for you... by Anonymous Coward · · Score: 0

      Out of touch with reality director Chris Lynch also wrongly assumes that the best tech talent in the private sector is even remotely interested in being on yet another federal government list, where this new one might be titled "A list of people willing and capable of hacking federal government systems" (and without pay or a contract).

      Dear ABC DEF GHI whatever the F alphabet agency into domestic surveillance is reading this, not no but hell no would I ever help you in circumstances like the current ones. Your recent actions (as in the last few decades) have made us LESS secure and on top of it made me FEEL less secure. I know the [insert agency] cannot guarantee my safety, but I am at least happy with them when I feel secure. Right now I don't feel secure from the threat(s) and I don't feel secure in my home. I feel like not only are the borders being invaded by foreigners (good and bad), but also my privacy is being invaded by the very people I thought would protect the borders, too.

      So what can I do for my country today? Well I'm not going to support organizations committing to illegal or immoral activities.
      What can my country do for me today? Quit with the illegal domestic surveillance and I might feel more patriotic; I might even decide to try to help, for free.

  17. I mean, yea... by dciman · · Score: 1

    What could possibly go wrong? :)

  18. Re:Wait by Anonymous Coward · · Score: 0

    Come on, blaming republican narcissism is about one step away from blaming it on the second law of thermodynamics.

  19. First prize by Anonymous Coward · · Score: 1

    First prize for the "hack the Pentagon" bug bounty program is a one way trip and indefinite accommodations at a tropical island not of your choosing. Stay in a sprawling complex overlooking a beautiful "bay," in one of the most up and coming tourist destinations in the world, Cuba.

  20. hack this by Anonymous Coward · · Score: 0

    storing our unsalable crude oil in railroad tanker cars all over the place starting our towns on fire poisoning & suffocating people. whose fault is that?

  21. To quote Admiral Akbar: by overshoot · · Score: 1

    I don't really need to spell it out, do I?

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:To quote Admiral Akbar: by Krishnoid · · Score: 1

      Maybe you should edit the announcement into the formal list.

  22. Let a thousand flowers bloom, and hundred schools. by Anonymous Coward · · Score: 0

    of thought contend," said Mao before the great purge.

    We are having a contest to see who is the best hacker. You'll have to register first to be put on our special watch/no fly/no hire list.

    LOL lapalooza

  23. The only way to win by tgibson · · Score: 1

    is not to play.

  24. government out of touch with reality as usual by illestov · · Score: 1

    "the Department of Defense says it's inviting vetted hackers to test the security of its web pages and networks. Vetted hackers will need to pass a background check"

    that's like cops inviting vetted thieves to try and break into a house, after passing a background check yeah.... that will work! LULZ

    1. Re:government out of touch with reality as usual by will_die · · Score: 1

      Closer to them asking locksmiths to pick a lock.
      There is a large legal industry of hackers, so getting a large amount of skilled people who can pass a background check and are vetted is expensive but possible.

  25. Its a TARP! by Anonymous Coward · · Score: 0

    Why don't they just hire infosys or TCS?

    Or better yet why don't you get Disney to test your servers. They have cheap enough labor now....

  26. Honey Pot by Anonymous Coward · · Score: 0

    To fish out Hackers?

  27. Pentagon doesn't say $$$ by JesseEnjaian · · Score: 1

    None of the articles I Googled showed numbers. I'm skeptical the public side of the government can compete with the private business sector. Facebook split $900k over 210 people (or a whopping $4,300k per person) for their bug bounty program, and I can't believe that many people put that much effort into cracking top-notch security at Facebook for that little. In contrast, "black market" (I'm pretty sure vulnerability disclosure isn't illegal, yet) prices for an iOS RCE are $1m+, and I bet our government would pay more for it. http://www.tripwire.com/state-...

  28. In other news... by Anonymous Coward · · Score: 0

    Chris Hanson is interviewing for baby sitters.

  29. hack the irs! by Anonymous Coward · · Score: 0

    well, hacking the irs worked so well I guess they needed to expand the program

  30. "Come into my parlor..." by Anonymous Coward · · Score: 0

    I think they call this a "Honey Pot."

  31. And afterwards by Anonymous Coward · · Score: 0

    you will be on 51 different lists and files, and you may be arrested and sent to prison.

  32. Re:Wait by istartedi · · Score: 1

    It's pretty obvious why they should require background checks. Simply knowing what the DoD wants you to hack is information that's valuable to spies. Also, I guarantee you there are some Chinese and Russian hackers who would pass background checks. That's the whole point of inserting your agents into a foreign country.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  33. predetermined system? by Anonymous Coward · · Score: 0

    sounds like a huge waste of time

  34. Free Background Check by bezenek · · Score: 1

    For those wanting to add "passed DoD background check" to their resume, this might be an opportunity to do it for free (as in no up-front monetary cost).

    --
    Omne ignotum pro magnifico.
  35. Non-critical systems are pointless by Anonymous Coward · · Score: 0

    How about mirroring the critical systems and their traffic, and arrange a continuous and monitored war game for the recruits of the relevant institutions? The best can then be selected for the oh-so-fashionable-and-futuristic cyber-divisions.

  36. D O Duh by fyngyrz · · Score: 1

    What's really amusing here is just how absurd the "must pass background check" hurdle is. It's an isolated system. There is zero risk. The DOD would benefit from any reveal of a vulnerability within this system from anyone. And of course there are many accomplished hackers out there who could contribute and would likely do so for the bounty, assuming it isn't trivial, but couldn't pass a background check under any circumstances. This approach is a poster child for "cutting off your nose to spite your face."

      "Oh, you've hacked corporation X? Getoudaheah, you background-check-failing lowlife"

    Sure. That will help them out a lot. Oh, the pitfalls of not having an actual profit motive...

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:D O Duh by flopsquad · · Score: 1

      How could any 1337 hacker pass this up?
      - We'll tell you what to attack and when.
      - You'll be attacking fake targets.
      - We pick who gets to take part.
      - Please submit all your personal details and fingerprints so the FBI can sniff you a bit.
      - If they didn't already have an entry for you, the FBI, CIA, NSA, and DIA will be updating your profile with:

      <subversive>
      • <type>computer hacker</type>

      </subversive>

      --
      Nothing posted to /. has ever been legal advice, including this.
  37. Nuts/business as usual by Anonymous Coward · · Score: 0

    First,
    The Pentagon has demonstrated they are not trustworthy to do a background check.
    They are the folks who put the results in the OPM database where it got hacked and published.

    Second,
    If the hacking is only happening on honey pots, then the background check is not required for the hacking.
    Hopefully the honey pot limit is only a first stage to find the easy holes.
    The goal should be to actually secure the Pentagon, but the limit makes a mockery of that goal.
    Long term, every machine should have a /honeypot/getmeifyoucan file which is fair game and comes with a reward.
    Fair game means if you get on the machine and only go there, you get a get out of jail free card and the cash.

    The interesting question is why are they asking for the background check. Maybe:
    1) Their security folks only have one way to do things, even when they don't make sense
    2) They are using the program as a tool to hire hackers for something more useful
    3) They are using the program as a tool to catalog hackers who might be doing bad stuff somewhere else.
    4) Most likely is all of the above.

  38. DoD Announces they are utterly clueless by WaffleMonster · · Score: 1

    Screw vetting and permission. If you want results, publicly announce a target and dispense with terms and conditions bullshit. Otherwise you're just wasting everyone's time.

  39. Why waste the time? by Anonymous Coward · · Score: 0

    All anybody has to do is figure out what email server Hillary is using and the data will be free to collect.