Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Senators Propose Bug Bounties For Hacking Homeland Security (cnn.com)

Posted by EditorDavid on from the homeland-insecurity dept.

An anonymous reader quotes CNN: U.S. senators want people to hack the Department of Homeland Security. On Thursday, Senators Maggie Hassan, a Democrat and Republican Rob Portman introduced the Hack DHS Act to establish a federal bug bounty program in the DHS... It would be modeled off the Department of Defense efforts, including Hack the Pentagon, the first program of its kind in the federal government. Launched a year ago, Hack the Pentagon paved the way for more recent bug bounty events including Hack the Army and Hack the Air Force...

The Hack the DHS Act establishes a framework for bug bounties, including establishing "mission-critical" systems that aren't allowed to be hacked, and making sure researchers who find bugs in DHS don't get prosecuted under the Computer Fraud and Abuse Act. "It's better to find vulnerabilities through someone you have engaged with and vetted," said Jeff Greene, the director of government affairs and policy at security firm Symantec. "In an era of constrained budgets, it's a cost-effective way of identifying vulnerabilities"... If passed, it would be among the first non-military bug bounty programs in the public sector.

31 of 66 comments (clear)

  1. Let me think about this... by Frosty+Piss · · Score: 1

    Hmmm. Yes... Nope, not biting. No way. Not a chance.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Let me think about this... by dcollins117 · · Score: 1

      C'mon. You know you want to. This sounds like fun.

    2. Re: Let me think about this... by TheMeuge · · Score: 2

      Come on. This way the warrants write themselves... And come straight with a confession. It'll be Christmas day for the DHS and the FBI. Maximum arrests... minimum effort.

  2. The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 5, Interesting

    The Computer Fraud and Abuse Act of 1986 imposes very harsh penalties for hacking and has been used as a hammer to crush individuals who've managed to draw the attention of the authorities. The US Government has used this law repeatedly over the years to destroy the lives of promising young Americans with prodigious computer skills who were relatively harmless if somewhat misguided. For example, the case of Aaron Schwartz comes easily to mind. Fast forward thirty years and now that cyber security is a thing they want our help? Talk about ingratitude.

    1. Re:The US Government Wants Help from Hackers? by Anonymous Coward · · Score: 1

      Ah yes, you conveniently that aside from his legal issues, he was known to be depressed and suicidal...

      Remember the case of Martin Gottesfield http://www.huffingtonpost.com/entry/martin-gottesfeld-indictment-hunger-strike_us_580a5671e4b02444efa32523
      There must be many other hidden cases of unnasociated researches treatened by their own goverments.

      Remember Phil Zimmerman with PGP? His life was threatened by his own goverment.

      Also despite not being targeted because something he did but because of what he was: Alan Tourin was a war hero and his own goverment drove him to suicide and yes, most unassociated researches do have special psychological traits, and prosecutors are always abusing anything to get more win numbers in their resumes, remember that for them everyone is acceptable colateral damage and a step closer to their political aspirations.

    2. Re: The US Government Wants Help from Hackers? by Kabukiwookie · · Score: 1, Insightful

      If I have to make a guess from your grammar, would that three letter agency be the FSB?

      --
      The mountains of madness have many little plateaus of sanity - Terry Pratchett.
    3. Re:The US Government Wants Help from Hackers? by Dutch+Gun · · Score: 2

      The act you mentioned was passed into law a generation ago, and this new legislation is specifically designed to protect white hats from misguided prosecution under this law. You realize one law can supersede another, right? We always bitch about incompetent government IT, and then when someone in gov tries to rectify it with some legislation that, at least as described, sounds like a good idea, we just bitch about that as well?

      This is becoming standard practice in the private tech/software industry, and a lot of major bugs are found and closed in our modern infrastructure thanks to these sorts of bounties. I suspect security researchers and white hats will react favorably to this proposed policy change. The details of the legislation will be important, of course, but if it's as straightforward as its described, it seems like this can do nothing but improve our national IT infrastructure.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    4. Re:The US Government Wants Help from Hackers? by zephvark · · Score: 1

      Alan... Tourin? ...keep up your study of English as a second language. You'll get there.

  3. Oh, by the way... by bistromath007 · · Score: 5, Insightful

    If you get any credible proof you've succeeded, you're still going to Gitmo for the rest of your life.

    1. Re:Oh, by the way... by AHuxley · · Score: 2

      Re 'If you get any credible proof you've succeeded"
      A nice conversation will be had. That only a small part of the federal network was ever open to the "contest" and that the skilled person got too far in.
      A one time offer will be made to work with the government.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Oh, by the way... by quenda · · Score: 1

      "Let a hundred flowers bloom!", said senators Hassan and Portman.

  4. It's a trap! by 93+Escort+Wagon · · Score: 2

    Sure, some mysterious government organization starts a hacking contest. Then, if you win, Samaritan has you killed.

    Nice try!

    --
    #DeleteChrome
  5. Crickets by Dracos · · Score: 1

    This program, if implemented (snowball's chance in hell), will be answered by no one of merit. The government has been making enemies of these people it now needs for decades. This really seems like a desperate attempt to detour around several of the government's long standing and self-defeating policies.

    1. Re:Crickets by OrangeTide · · Score: 1

      Time and money heals all wounds. There is a whole generation out there that are barely aware of the past abuses of power the government has committed against hackers because most of the bad stuff happened before they were even born. Your view on the matter may only apply to old grognard hackers and sociopolitical hackers. Young, skilled and looking for cash will be the demographic of future hackers.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Crickets by minstrelmike · · Score: 1

      Actually, I know quite a few mathematicians who refuse to work for NSA just because of its policies, irregardless of the President's policies. And now that you'd be helping Comrade President Trump implement his policies (whatever they are--imo a policy is something that stands solid for at least a year or two), I suspect the number of refuseniks just grew larger.

    3. Re:Crickets by OrangeTide · · Score: 1

      That might be some observer bias on your part.

      --
      “Common sense is not so common.” — Voltaire
    4. Re:Crickets by minstrelmike · · Score: 1

      That's not observer bias. Bias is saying lots and lots or most people or everybody. Go down to your local math/comp sci department and ask what the opinions are about working for NSA. I suspect the majority of folks will have no opinion and there will be two significant minorites that love/hate the NSA. You are correct tho, that is all based purely on my observations.

    5. Re:Crickets by OrangeTide · · Score: 1

      I know quite a few

      Allegory and observer bias. I don't know if you're right or not, but you shouldn't feel satisfied if you are later shown to be right because you really have no basis to feel so certain.

      --
      “Common sense is not so common.” — Voltaire
  6. Going to Gitmo? by Picodon · · Score: 5, Funny

    If you get any credible proof you've succeeded, you're still going to Gitmo for the rest of your life.

    Of course not! When you succeed hacking the DHS:
      - If you didn’t get caught, you sell your data to Russia as usual for a rather large reward.
      - If you did get caught, you explain that this was for the bug hunt and submit your findings to the DHS for a much smaller reward.

    1. Re:Going to Gitmo? by DontBeAMoran · · Score: 1

      When you succeed hacking the DHS:
      - Sell your modified data to Russia for a large reward.
      - Submit your findings to the DHS for a smaller reward and tell them Russia somehow got their hands on a non-working, modified copy of your findings.

      --
      #DeleteFacebook
  7. LOL. It will be like most "bug bounty" programs... by SeaFox · · Score: 1

    How much are they going to pay for exploits?
    Now how much more are those exploits worth on the market to the right enemy states?

    Also, you're assuming the researchers have a dollar amount to begin with. With the mission of a Holy War driving you, helping your home team will outweigh a bunch of greenbacks.

  8. What do you mean this isn't one of theirs? by hyades1 · · Score: 1

    Your Honour, I swear the only reason I went to that URL 290 times last week is because my buddy said the best way to get all up in the NSA's business is through one of their fake porn sites.

    Honest.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  9. I have an insightful comment by PPH · · Score: 2

    But I have to fly in the next few days. And the TSA isn't noted for their sense of humor.

    So I'm just going to refrain until I get back home.

    --
    Have gnu, will travel.
  10. Eh... by XSportSeeker · · Score: 1

    Not that I think companies implementing bug bounties is a bad idea, but for government departments, I wouldn't be too sure...
    Problems aplenty. For hackers, it's hard to overcome years of being looked down upon, plus the risks of being prossecuted.
    And then, for stuff on this level there are always chances of other governments doubling the offer.
    CIA is plenty ok with keeping the bugs and exploits they find for themselves, why wouldn't others also do it? Not sure how much of a cross section there is between hardcore patriots and hackers.

    In any case, given the situation, perhaps it's the only reasonable way to go. Hiring based on competence doesn't seem to be much of a thing for this administration.

  11. "mission-critical" systems by K.+S.+Kyosuke · · Score: 1

    "mission-critical" systems [that] aren't allowed to be hacked

    OK, since the purpose is finding bugs, I guess "mission-critical" is a code word for "these can stay broken". ;)

    --
    Ezekiel 23:20
  12. Re:A way to gather new previously unexposed hacks? by Notabadguy · · Score: 1

    Now that NSA's tool-belt is spilled how do we get a new one? A contest!

    Wouldn't it be great if our government would work with us to secure our assets rather than working against us for their own nefarious undisclosed reasons?

    You assume that the government agencies work together. They do not - which is laughably, transparently obvious. This program started with good intentions - all the way back in 2004 - but so much has happened with different agencies with their own agendas that no one trusts anyone.

  13. Been in a similar situation by houghi · · Score: 3, Interesting

    Years ago I saw some child porn, so as a good citizen I reported it, When nothing was done after a week, I informed the newspapers. The next day the child porn was gone. Me was happy.

    Then came at my work (where I had done it all) the COO to me and asked me if he was allowed to give my details to the police, due to an investigation about child porn. So I explained him what has happened and I also showed the emails I had send. As I had done the right thing, I allowed to give my details.

    I was then ordered by the police to go to them and they where after me for.
    1) Obstruction of the law, because I informed the press about an ongoing investigation. "Oh, you send an email? Our mailserver is down at the moment, Sorry."
    2) Spreading of childporn. "Oh, so you just did a reply on a message on Usenet where the URL was in saying that you would be reporting it? Ok, not that bad as it was already known, we guess."
    3) Falsification of information "Yes, we understand that you gave fake information to a free email address."

    So not only where they clueless, if I would have had a different COO, I could have been fired as they told that it was about child porn.

    Since then I have not seen anything even remotely illegal on the Interwebs and I am sure that I never will.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Been in a similar situation by houghi · · Score: 1

      Indeed lucky that the COO and the rest of the board where very understanding. I even spoke to the CEO and he said at that time if anything came from it, they would pay for the lawyer.

      --
      Don't fight for your country, if your country does not fight for you.
  14. Old Soviet era joke refurbished by Opportunist · · Score: 1

    Pre-1990: Pravda runs a contest for the best political joke. First prize: All-expenses paid trip to Sibiria.
    Post-2001: Homeland security runs a contest for the best hack: First prize. All-expenses paid trip to Cuba.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. It's a trap! by RubberDogBone · · Score: 1

    It's just a fucking trap. You do all the work to find the vulnerabilities and weaknesses, document them, submit them, get ignored, get ignored, get ignored, and then suddenly a bunch of FBI goons show up and arrest you for hacking and act like YOU are the criminal for trying to find and warn them about their own problems.

    Oh sign me up! /s

    --
    Sig for hire.
  16. In Soviet Russia ... by PPH · · Score: 1

    ... bug turns in you!

    --
    Have gnu, will travel.