Slashdot Mirror


DoD Announces New Bug Bounty Program Called Hack the Pentagon (npr.org)

Quince alPillan writes: Announcing what it calls "the first cyber bug bounty program in the history of the federal government," the Department of Defense says it's inviting vetted hackers to test the security of its web pages and networks. Vetted hackers will need to pass a background check and will be attacking a predetermined system that is not a part of critical operations. This program is being put together by the Digital Defense Service, launched last fall.

32 of 62 comments

  1. Call Dade for the job by Lisandro · · Score: 1

    HACK THE PLANET!

  2. lol... morons by Anonymous Coward · · Score: 1

    'vetted' participants only testing things that don't matter = security theater. Meanwhile the unvetted Chinese and Russian hackers are hacking their critical operations.

    1. Re:lol... morons by sumdumass · · Score: 1

      Not really. It will likely give them a fingerprint or signature of sorts that they can later use to identify you if you hack something they don't like.

      Sounds way too sketchy to me.

    2. Re:lol... morons by Actually,+I+do+RTFA · · Score: 1

      Things that don't matter could be a mirror of things that do matter (or a mirror with all the data modified). It's reasonable to test on an almost identical system that doesn't accidentally trigger the order to launch ICBMs getting sent to real places.

      The 'vetted' part is probably to prevent someone from discovering a bug in play, and putting it in practice. But, yeah, depending on how they "vet" someone....

      --
      Your ad here. Ask me how!

  3. nope by Anonymous Coward · · Score: 1

    it's a trap

  4. Not to point out the obvious but by nehumanuscrede · · Score: 2

    The financial payoff is likely to be several orders of magnitude higher if you figure out how to hack ANY Department of Defense network and sell it on the black market vs working for the USG and pointing out the same flaws.

    If the USG is serious about such a program, they might want to take this into consideration.

    1. Re:Not to point out the obvious but by Etherwalk · · Score: 1

      The financial payoff is likely to be several orders of magnitude higher if you figure out how to hack ANY Department of Defense network and sell it on the black market vs working for the USG and pointing out the same flaws.

      If the USG is serious about such a program, they might want to take this into consideration.

      So is the risk.

      That's how investment decisions work. Risk v. Reward. For example, if you bluff your way into the New York Fed and steal the gold in the basement, you're gonna be pretty rich. But good luck explaining that one away when they catch you.

      Plus, you know, treason.

    2. Re:Not to point out the obvious but by arth1 · · Score: 2

      Plus, you know, treason.

      Well, if you're not a citizen, you can't be charged with treason, can you?

    3. Re:Not to point out the obvious but by mrchaotica · · Score: 1

      Well, if you're not a citizen, you can't be charged with treason, can you?

      IANAL, but I think in that case it might be espionage instead.

      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    4. Re:Not to point out the obvious but by arth1 · · Score: 1

      Military men and women in SysAdmin positions wearing stripes on their sleeves earn considerably less than your average civilian in the same position.

      Getting paid less than a private sector sysadmin these days is a feat in itself.

    5. Re:Not to point out the obvious but by aliquis · · Score: 1

      Also, will they be honoring "previous work" entries if one provides evidence for having already breached their systems by the same method previously? ;D

  5. Re:Eeeh by penguinoid · · Score: 1

    I hear they have a fun water sport. I think it's like water-skiing except with a surf board or something; they call it waterboarding.

    --
    Don't waste your vote! Vote for whoever you want; unless you live in a swing state it won't matter anyways.

  6. Not just DoD... by TexasDiaz · · Score: 1

    North Korea just announced a Bug Bounty program called, "Hack the Pentagon" too. Except, they're encouraging the hacking of critical systems. "Tell us first, get big reward!" is the slogan for the program. Oh, if I were only an Onion contributor...

  7. In other news... by puddingebola · · Score: 1

    In other news, the Chinese government projects a massive surge in revenue from "foreign sources." Economists are unclear on the details, but speculate it could lead to increased spending in the second quarter of 2016.

  8. Re:Wait by arth1 · · Score: 2

    Are they going to clarify why a background check is required for people to test the security of their systems?

    I can think of two reasons:

    1: They have shown that a core interest is to protect what they're doing from the view of law-abiding citizens, so it makes sense to test it against law-abiding citizens.

    2: Republicans would cry foul if they paid out prize money to anyone with a criminal history. All punishment must be based on revenge because the bible says so, disproportionate because it gets their rocks off, eternal, so they can continue to feel superior, and rehabilitation is ungodly commie speak.

  9. Re:Wait by ShanghaiBill · · Score: 1

    Are they going to clarify why a background check is required for people to test the security of their systems?

    Because fewer and less qualified hackers will make it much easier to pass the test and declare their systems secure.

    If you ever worked for the government, you would understand exactly how this situation arose. There is a committee (there is always a committee). Some members liked the idea of the bounty, and others opposed it. So instead of making a clear decision, they compromised, and passed a resolution to offer the bounty, but with so many restrictions and exclusions that it was essentially meaningless. That way, everyone can take credit if there are no breaches in the future, and everyone can disavow responsibility if there is an intrusion.

  10. Don't ask what your country can do for you... by mongothesecond · · Score: 2

    The article says, "According to DDS Director Chris Lynch, 'Bringing in the best talent, technology and processes from the private sector...'" Because the best are just waiting to volunteer to work without clear compensation.

  11. I mean, yea... by dciman · · Score: 1

    What could possibly go wrong? :)

  12. First prize by Anonymous Coward · · Score: 1

    First prize for the "hack the Pentagon" bug bounty program is a one-way trip and indefinite accommodations at a tropical island not of your choosing. Stay in a sprawling complex overlooking a beautiful "bay," in one of the most up-and-coming tourist destinations in the world, Cuba.

  13. To quote Admiral Akbar: by overshoot · · Score: 1

    I don't really need to spell it out, do I?

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."

    1. Re:To quote Admiral Akbar: by Krishnoid · · Score: 1

      Maybe you should edit the announcement into the formal list.

  14. The only way to win by tgibson · · Score: 1

    is not to play.

  15. government out of touch with reality as usual by illestov · · Score: 1

    "the Department of Defense says it's inviting vetted hackers to test the security of its web pages and networks. Vetted hackers will need to pass a background check"

    That's like cops inviting vetted thieves to try and break into a house, after passing a background check. Yeah.... that will work! LULZ

    1. Re:government out of touch with reality as usual by will_die · · Score: 1

      Closer to them asking locksmiths to pick a lock.
      There is a large legal industry of hackers, so getting a large number of skilled people who can pass a background check and are vetted is expensive but possible.

  16. Pentagon doesn't say $$$ by JesseEnjaian · · Score: 1

    None of the articles I Googled showed numbers. I'm skeptical the public side of the government can compete with the private business sector. Facebook split $900k over 210 people (or a whopping $4,300k per person) for their bug bounty program, and I can't believe that many people put that much effort into cracking top-notch security at Facebook for that little. In contrast, "black market" (I'm pretty sure vulnerability disclosure isn't illegal, yet) prices for an iOS RCE are $1m+, and I bet our government would pay more for it. http://www.tripwire.com/state-...

  17. Re:Wait by istartedi · · Score: 1

    It's pretty obvious why they should require background checks. Simply knowing what the DoD wants you to hack is information that's valuable to spies. Also, I guarantee you there are some Chinese and Russian hackers who would pass background checks. That's the whole point of inserting your agents into a foreign country.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?

  18. Free Background Check by bezenek · · Score: 1

    For those wanting to add "passed DoD background check" to their resume, this might be an opportunity to do it for free (as in no up-front monetary cost).

    --
    Omne ignotum pro magnifico.

  19. D O Duh by fyngyrz · · Score: 1

    What's really amusing here is just how absurd the "must pass background check" hurdle is. It's an isolated system. There is zero risk. The DOD would benefit from any reveal of a vulnerability within this system from anyone. And of course there are many accomplished hackers out there who could contribute and would likely do so for the bounty, assuming it isn't trivial, but couldn't pass a background check under any circumstances. This approach is a poster child for "cutting off your nose to spite your face."

      "Oh, you've hacked corporation X? Getoudaheah, you background-check-failing lowlife"

    Sure. That will help them out a lot. Oh, the pitfalls of not having an actual profit motive...

    --
    I've fallen off your lawn, and I can't get up.

    1. Re:D O Duh by flopsquad · · Score: 1

      How could any 1337 hacker pass this up?
      - We'll tell you what to attack and when.
      - You'll be attacking fake targets.
      - We pick who gets to take part.
      - Please submit all your personal details and fingerprints so the FBI can sniff you a bit.
      - If they didn't already have an entry for you, the FBI, CIA, NSA, and DIA will be updating your profile with:

      <subversive>
      • <type>computer hacker</type>

      </subversive>

      --
      Nothing posted to /. has ever been legal advice, including this.

  20. Re:Eeeh by vel-ex-tech · · Score: 1

    Exactly what I was thinking. It's not entrapment merely because law enforcement asks you to do something. We see the FBI use this all the time to catch "terrorists." Regular pigs will sell drugs to make arrests. Are they giving any guarantee that being arrested under the Computer Fraud and Abuse Act isn't the real prize? Is that a guarantee that law enforcement can even credibly make?

  21. DoD Announces they are utterly clueless by WaffleMonster · · Score: 1

    Screw vetting and permission. If you want results, publicly announce a target and dispense with the terms and conditions bullshit. Otherwise you're just wasting everyone's time.

  22. Re:moms of the NILE conference you fool by Maritz · · Score: 1

    Now you're talking gibberish to yourself. Well done.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.