Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Senators Propose Bug Bounties For Hacking Homeland Security (cnn.com)

Posted by EditorDavid on from the homeland-insecurity dept.

An anonymous reader quotes CNN: U.S. senators want people to hack the Department of Homeland Security. On Thursday, Senators Maggie Hassan, a Democrat and Republican Rob Portman introduced the Hack DHS Act to establish a federal bug bounty program in the DHS... It would be modeled off the Department of Defense efforts, including Hack the Pentagon, the first program of its kind in the federal government. Launched a year ago, Hack the Pentagon paved the way for more recent bug bounty events including Hack the Army and Hack the Air Force...

The Hack the DHS Act establishes a framework for bug bounties, including establishing "mission-critical" systems that aren't allowed to be hacked, and making sure researchers who find bugs in DHS don't get prosecuted under the Computer Fraud and Abuse Act. "It's better to find vulnerabilities through someone you have engaged with and vetted," said Jeff Greene, the director of government affairs and policy at security firm Symantec. "In an era of constrained budgets, it's a cost-effective way of identifying vulnerabilities"... If passed, it would be among the first non-military bug bounty programs in the public sector.

66 comments

  1. Let me think about this... by Frosty+Piss · · Score: 1

    Hmmm. Yes... Nope, not biting. No way. Not a chance.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Let me think about this... by dcollins117 · · Score: 1

      C'mon. You know you want to. This sounds like fun.

    2. Re:Let me think about this... by Anonymous Coward · · Score: 0, Flamebait

      Not a chance you have the skill to do it, you mean. You are all talk.

    3. Re: Let me think about this... by Anonymous Coward · · Score: 0

      Come on man! All the cool kids are doing it. Didn't you know? This guy...

    4. Re: Let me think about this... by TheMeuge · · Score: 2

      Come on. This way the warrants write themselves... And come straight with a confession. It'll be Christmas day for the DHS and the FBI. Maximum arrests... minimum effort.

    5. Re: Let me think about this... by Anonymous Coward · · Score: 0

      The bounty may be free room and board at the local federal pen.

  2. The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 5, Interesting

    The Computer Fraud and Abuse Act of 1986 imposes very harsh penalties for hacking and has been used as a hammer to crush individuals who've managed to draw the attention of the authorities. The US Government has used this law repeatedly over the years to destroy the lives of promising young Americans with prodigious computer skills who were relatively harmless if somewhat misguided. For example, the case of Aaron Schwartz comes easily to mind. Fast forward thirty years and now that cyber security is a thing they want our help? Talk about ingratitude.

    1. Re:The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 0

      For example, the case of Aaron Schwartz comes easily to mind.

      Ah yes, you conveniently that aside from his legal issues, he was known to be depressed and suicidal...

    2. Re:The US Government Wants Help from Hackers? by __aadota8673 · · Score: 0, Troll

      I very important security work at a 3 letter government agency that shall remain nameless. You are incorrect thinking the Act was used to destroy the lives of promising young Americans. Promising as future criminals - maybe, but as people that would do society good? I think not. Educate yourself.

    3. Re:The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 0

      Whoosh

    4. Re:The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 1

      Ah yes, you conveniently that aside from his legal issues, he was known to be depressed and suicidal...

      Remember the case of Martin Gottesfield http://www.huffingtonpost.com/entry/martin-gottesfeld-indictment-hunger-strike_us_580a5671e4b02444efa32523
      There must be many other hidden cases of unnasociated researches treatened by their own goverments.

      Remember Phil Zimmerman with PGP? His life was threatened by his own goverment.

      Also despite not being targeted because something he did but because of what he was: Alan Tourin was a war hero and his own goverment drove him to suicide and yes, most unassociated researches do have special psychological traits, and prosecutors are always abusing anything to get more win numbers in their resumes, remember that for them everyone is acceptable colateral damage and a step closer to their political aspirations.

    5. Re: The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 0

      A true cyber war may be coming and now they want help, but all the guys worth a damn are in prison, have priors, or their statute of limitations hasn't run out yet on what they may or may not have done. I say we just let the DHS rot. It's just a tax funded pyramid scheme but with guns and drones, no rules to follow, and free to label anyone or situation as a threat they see fit. People got scared after 911 (or 119 if your anyone but in the U.S.) and the government took complete advantage of all the media-hyped fear and patriotism going around. Anytime they need money all they got to do is mention "we have a suspicion" or "for the troops." The U.S. has too many intelligence agencies (seriously; well over 10, maybe 12-13) and not enough intelligence for checks and balances. It's not that hard to work for them either. You can actually major in Homeland in a lot of colleges, even though I don't think it's a requirement to get in. It's MUCH MUCH harder to get into the FBI, yet they have more transparency for what they do for some reason. I think republicans just wanted their own institution for nation-wide version of a Roosevelt wet-dream, but got a lot of rednecks with race/religion issues instead. There's to much going on to go around with warrants, kicking people's doors in, so they're trying to beef up their tech game. We already have this thing called the N$A for that. It started with GWB and should of ended with him.

    6. Re: The US Government Wants Help from Hackers? by Kabukiwookie · · Score: 1, Insightful

      If I have to make a guess from your grammar, would that three letter agency be the FSB?

      --
      The mountains of madness have many little plateaus of sanity - Terry Pratchett.
    7. Re: The US Government Wants Help from Hackers? by Zero__Kelvin · · Score: 0

      Yes. You very important. You very douchebag too.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re: The US Government Wants Help from Hackers? by __aadota8673 · · Score: 0

      Perfect. The slashdot retard who likes to call everyone else stupid. You too will figure it out one day moron. Until then, please do continue making a clown of yourself assfuck.

    9. Re:The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 0

      " You are incorrect thinking the Act was used to destroy the lives of promising young Americans."

      You, sir, are a lying sack of shit.

    10. Re: The US Government Wants Help from Hackers? by Zero__Kelvin · · Score: 0

      Trust me ... Everyone is calling you a douchebag right now. I'm just the one who does it to your face.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re: The US Government Wants Help from Hackers? by Zero__Kelvin · · Score: 0

      Hi creimer!!!!!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    12. Re:The US Government Wants Help from Hackers? by Dutch+Gun · · Score: 2

      The act you mentioned was passed into law a generation ago, and this new legislation is specifically designed to protect white hats from misguided prosecution under this law. You realize one law can supersede another, right? We always bitch about incompetent government IT, and then when someone in gov tries to rectify it with some legislation that, at least as described, sounds like a good idea, we just bitch about that as well?

      This is becoming standard practice in the private tech/software industry, and a lot of major bugs are found and closed in our modern infrastructure thanks to these sorts of bounties. I suspect security researchers and white hats will react favorably to this proposed policy change. The details of the legislation will be important, of course, but if it's as straightforward as its described, it seems like this can do nothing but improve our national IT infrastructure.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    13. Re:The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 0

      Still seems like a really big honeypot, remember that politicians do not have ethics, morals and most of them despise their own electors, they will do anything that could benefit them the most and with the current spirit of the goverment which is: Privatize everything and give harsher sentences for small offenses.

      Nobody sane would approach a cave with dead bodies lying in the entrance just because it has a giant pink luminous board with hearts saying: "Apply for jobs here", is just too obvious.

      Why dont they contract some research companies? (there are tons of those) or invest in academic researchers? (most colleges protect their researchers).

    14. Re: The US Government Wants Help from Hackers? by __aadota8673 · · Score: 0

      I love it when people do it to my face. I can't afford to pay for mouth-dick, so whenever I can get it for free, I usually thank the person by refactoring their balls. Now, did you like the cottage cheese in my mouth while you were doing it to my face or do you prefer ice cubes? If you want ice cubes, you are going to have to buy me a new refrigiretor. I live in Silicone Valley and make quite a bit of money for a pc support Sr Workstation Intern, but buying a refrigidairtor is outside of my budget. Oh crap, the script is done running. I gotta run. I mean walk up a small incline. Running is bad for the nees.

    15. Re: The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 0

      Oh trust ME. The douche is always you, and you're never a part of "everyone." You are a part of the slashdot clown club though - you and the cream are both in that.

      The only time you're right on slashdot is when you give up early and don't figure out when you're wrong. I have a feeling you'll figure it out this time though.

    16. Re: The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 0

      thank you for playing "conspiracy theory nut or just stupid?" you lose.

      -troll account makes fun of a fat stupid loser
      -It's a russian spy spreading propaganda to change american public opinion!

    17. Re:The US Government Wants Help from Hackers? by zephvark · · Score: 1

      Alan... Tourin? ...keep up your study of English as a second language. You'll get there.

  3. Oh, by the way... by bistromath007 · · Score: 5, Insightful

    If you get any credible proof you've succeeded, you're still going to Gitmo for the rest of your life.

    1. Re:Oh, by the way... by Anonymous Coward · · Score: 0

      Don't be silly.

      Gitmo doesn't exist and neither do you.

    2. Re:Oh, by the way... by Anonymous Coward · · Score: 0

      Or Worse. You get recruited to work for a TLA.

    3. Re:Oh, by the way... by AHuxley · · Score: 2

      Re 'If you get any credible proof you've succeeded"
      A nice conversation will be had. That only a small part of the federal network was ever open to the "contest" and that the skilled person got too far in.
      A one time offer will be made to work with the government.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Oh, by the way... by quenda · · Score: 1

      "Let a hundred flowers bloom!", said senators Hassan and Portman.

  4. It's a trap! by 93+Escort+Wagon · · Score: 2

    Sure, some mysterious government organization starts a hacking contest. Then, if you win, Samaritan has you killed.

    Nice try!

    --
    #DeleteChrome
    1. Re:It's a trap! by Anonymous Coward · · Score: 0

      Sure, some mysterious government organization starts a hacking contest. Then, if you win, Samaritan has you killed.

      Nice try!

      lack of respect for the

      What I find appalling is the lack of respect towards Computer Scientists, programmers and developers, who, together with physicists and mathematicians, form the cream of the cream of the human race's intelligence. We can't be lured so easily.

  5. As a followup question: by Anonymous Coward · · Score: 0

    Is anyone higher functioning enough to successfully hack and disclose these vulnerabilities currently feeling sympathetic enough toward the US Government, and especially the DoHS to actually sign up for these bug bounties?

    Because just on my anecdotal evidence, pretty much every hacker I have spoken with (because really, who is stupid enough to meet anymore?) has been pretty anti-establishment, at least until they have a wife and kids and go full corporate. And the ones in the latter category seem unwilling to take on this job since that would risk too much attention on them, whether from Homeland Security finding them 'too efficient' at finding vulnerabilities in their software, or from foreign agencies with moles in Homeland Security taking these applications and reviews/financial disclosures from successful bug bounty efforts leading them to attempt to turn these hackers into assets to provide undisclosed exploits to the foreign parties, whether for financial benefit, or simply to avoid detrimental actions against their families by foreign agents.

    Having said that, I wish them the best in this endeavor, because it seems like they will need it.

  6. Crickets by Dracos · · Score: 1

    This program, if implemented (snowball's chance in hell), will be answered by no one of merit. The government has been making enemies of these people it now needs for decades. This really seems like a desperate attempt to detour around several of the government's long standing and self-defeating policies.

    1. Re:Crickets by OrangeTide · · Score: 1

      Time and money heals all wounds. There is a whole generation out there that are barely aware of the past abuses of power the government has committed against hackers because most of the bad stuff happened before they were even born. Your view on the matter may only apply to old grognard hackers and sociopolitical hackers. Young, skilled and looking for cash will be the demographic of future hackers.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Crickets by minstrelmike · · Score: 1

      Actually, I know quite a few mathematicians who refuse to work for NSA just because of its policies, irregardless of the President's policies. And now that you'd be helping Comrade President Trump implement his policies (whatever they are--imo a policy is something that stands solid for at least a year or two), I suspect the number of refuseniks just grew larger.

    3. Re:Crickets by OrangeTide · · Score: 1

      That might be some observer bias on your part.

      --
      “Common sense is not so common.” — Voltaire
    4. Re:Crickets by minstrelmike · · Score: 1

      That's not observer bias. Bias is saying lots and lots or most people or everybody. Go down to your local math/comp sci department and ask what the opinions are about working for NSA. I suspect the majority of folks will have no opinion and there will be two significant minorites that love/hate the NSA. You are correct tho, that is all based purely on my observations.

    5. Re:Crickets by OrangeTide · · Score: 1

      I know quite a few

      Allegory and observer bias. I don't know if you're right or not, but you shouldn't feel satisfied if you are later shown to be right because you really have no basis to feel so certain.

      --
      “Common sense is not so common.” — Voltaire
  7. Going to Gitmo? by Picodon · · Score: 5, Funny

    If you get any credible proof you've succeeded, you're still going to Gitmo for the rest of your life.

    Of course not! When you succeed hacking the DHS:
      - If you didn’t get caught, you sell your data to Russia as usual for a rather large reward.
      - If you did get caught, you explain that this was for the bug hunt and submit your findings to the DHS for a much smaller reward.

    1. Re:Going to Gitmo? by DontBeAMoran · · Score: 1

      When you succeed hacking the DHS:
      - Sell your modified data to Russia for a large reward.
      - Submit your findings to the DHS for a smaller reward and tell them Russia somehow got their hands on a non-working, modified copy of your findings.

      --
      #DeleteFacebook
  8. LOL. It will be like most "bug bounty" programs... by SeaFox · · Score: 1

    How much are they going to pay for exploits?
    Now how much more are those exploits worth on the market to the right enemy states?

    Also, you're assuming the researchers have a dollar amount to begin with. With the mission of a Holy War driving you, helping your home team will outweigh a bunch of greenbacks.

  9. What do you mean this isn't one of theirs? by hyades1 · · Score: 1

    Your Honour, I swear the only reason I went to that URL 290 times last week is because my buddy said the best way to get all up in the NSA's business is through one of their fake porn sites.

    Honest.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  10. I have an insightful comment by PPH · · Score: 2

    But I have to fly in the next few days. And the TSA isn't noted for their sense of humor.

    So I'm just going to refrain until I get back home.

    --
    Have gnu, will travel.
    1. Re:I have an insightful comment by Anonymous Coward · · Score: 0

      It might actually be a good idea to keep an eye on paranoid schizophrenics.

    2. Re:I have an insightful comment by Anonymous Coward · · Score: 0

      That's ok, the TSA will just ask you for your comment when they see you. Ask them to post it for you so we can see it as soon as possible!

  11. Airline miles by Anonymous Coward · · Score: 0

    The United Airlines experience is you should not participate in bug bounties where they can devalue the award.

  12. Re:LOL. It will be like most "bug bounty" programs by Anonymous Coward · · Score: 0

    How much are they going to pay for exploits?

    Free housing, food, healthcare and clothing for the rest of your life.

  13. Eh... by XSportSeeker · · Score: 1

    Not that I think companies implementing bug bounties is a bad idea, but for government departments, I wouldn't be too sure...
    Problems aplenty. For hackers, it's hard to overcome years of being looked down upon, plus the risks of being prossecuted.
    And then, for stuff on this level there are always chances of other governments doubling the offer.
    CIA is plenty ok with keeping the bugs and exploits they find for themselves, why wouldn't others also do it? Not sure how much of a cross section there is between hardcore patriots and hackers.

    In any case, given the situation, perhaps it's the only reasonable way to go. Hiring based on competence doesn't seem to be much of a thing for this administration.

  14. "mission-critical" systems by K.+S.+Kyosuke · · Score: 1

    "mission-critical" systems [that] aren't allowed to be hacked

    OK, since the purpose is finding bugs, I guess "mission-critical" is a code word for "these can stay broken". ;)

    --
    Ezekiel 23:20
  15. A way to gather new previously unexposed hacks? by Anonymous Coward · · Score: 0

    Now that NSA's tool-belt is spilled how do we get a new one? A contest!

    Wouldn't it be great if our government would work with us to secure our assets rather than working against us for their own nefarious undisclosed reasons?

    1. Re:A way to gather new previously unexposed hacks? by Notabadguy · · Score: 1

      Now that NSA's tool-belt is spilled how do we get a new one? A contest!

      Wouldn't it be great if our government would work with us to secure our assets rather than working against us for their own nefarious undisclosed reasons?

      You assume that the government agencies work together. They do not - which is laughably, transparently obvious. This program started with good intentions - all the way back in 2004 - but so much has happened with different agencies with their own agendas that no one trusts anyone.

  16. Been in a similar situation by houghi · · Score: 3, Interesting

    Years ago I saw some child porn, so as a good citizen I reported it, When nothing was done after a week, I informed the newspapers. The next day the child porn was gone. Me was happy.

    Then came at my work (where I had done it all) the COO to me and asked me if he was allowed to give my details to the police, due to an investigation about child porn. So I explained him what has happened and I also showed the emails I had send. As I had done the right thing, I allowed to give my details.

    I was then ordered by the police to go to them and they where after me for.
    1) Obstruction of the law, because I informed the press about an ongoing investigation. "Oh, you send an email? Our mailserver is down at the moment, Sorry."
    2) Spreading of childporn. "Oh, so you just did a reply on a message on Usenet where the URL was in saying that you would be reporting it? Ok, not that bad as it was already known, we guess."
    3) Falsification of information "Yes, we understand that you gave fake information to a free email address."

    So not only where they clueless, if I would have had a different COO, I could have been fired as they told that it was about child porn.

    Since then I have not seen anything even remotely illegal on the Interwebs and I am sure that I never will.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Been in a similar situation by Anonymous Coward · · Score: 0

      You were very lucky to escape that incident with both your freedom and your job intact. It's much much better for Americans who come across something like that these days to just keep it to themselves and say nothing. Remember, the police are not your friends. They're out to make arrests and score prosecutions for anything they can get and the US has plenty of felonies on the books to ensnare you with. It's like Cardinal Richelieu said, "Give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." As an individual you have absolutely zero interest in helping the police solve crimes. Even just by speaking with them you expose yourself to the danger of prosecution. The black people here in the United States already understand the perils of police contact all too well and it's a lesson that many whites are now learning too. The moral of the story is don't talk to the police.

    2. Re:Been in a similar situation by houghi · · Score: 1

      Indeed lucky that the COO and the rest of the board where very understanding. I even spoke to the CEO and he said at that time if anything came from it, they would pay for the lawyer.

      --
      Don't fight for your country, if your country does not fight for you.
  17. Old Soviet era joke refurbished by Opportunist · · Score: 1

    Pre-1990: Pravda runs a contest for the best political joke. First prize: All-expenses paid trip to Sibiria.
    Post-2001: Homeland security runs a contest for the best hack: First prize. All-expenses paid trip to Cuba.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. "Engaged with and vetted"? by Anonymous Coward · · Score: 0

    "It's better to find vulnerabilities through someone you have engaged with and vetted," said Jeff Greene

    It sounds to me like they want people to identify themselves by signing up first. No thanks.

  19. It's a trap! by RubberDogBone · · Score: 1

    It's just a fucking trap. You do all the work to find the vulnerabilities and weaknesses, document them, submit them, get ignored, get ignored, get ignored, and then suddenly a bunch of FBI goons show up and arrest you for hacking and act like YOU are the criminal for trying to find and warn them about their own problems.

    Oh sign me up! /s

    --
    Sig for hire.
  20. It's a trap by Anonymous Coward · · Score: 0

    n/t

  21. go fuck yourselves govt by Anonymous Coward · · Score: 0

    before i ever help any govt agency in usa they have to end all the ms telemetry and prove it 100% to the world

    till then get bent

  22. In Soviet Russia ... by PPH · · Score: 1

    ... bug turns in you!

    --
    Have gnu, will travel.
  23. change your grade by Anonymous Coward · · Score: 0

    A Problem discovered is a problem half solved, a problem not solved can destroyed ones future and can render ones happiness and life useless and makes the society and your parents to be disappointed in you. If you have an issues that is hack related either school grades, email, password, social media,credit fixing, examination questions hack, spy on your spouse and crashing of database. You can reach us via PRAWNCRACKER82@GMAIL.COM