Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

DHS Seeks "Ethical Hackers" To Protect Federal Net Infrastructure

Soulskill posted more than 5 years ago | from the loaded-phrases dept.

Government 133

Death Metal sends this excerpt from an AP report: "General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could 'think like the bad guy.' Applicants, it said, must understand hackers' tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems. In the Pentagon's budget request submitted last week, Defense Secretary Robert Gates said the Pentagon will increase the number of cyberexperts it can train each year from 80 to 250 by 2011. With warnings that the US is ill-prepared for a cyberattack, the White House conducted a 60-day study of how the government can better manage and use technology (PDF) to protect everything from the electrical grid and stock markets to tax data, airline flight systems, and nuclear launch codes. ... Nadia Short, vice president at General Dynamics Advanced Information Systems, said the job posting for ethical hackers fills a critical need for the government."

cancel ×

133 comments

From the article :) (5, Funny)

click2005 (921437) | more than 5 years ago | (#27628011)

How do you prove you're good enough?

There is a secret NSA computer somewhere for potentiial job applicants to leave their C.V. on.

Re:From the article :) (3, Funny)

nurb432 (527695) | more than 5 years ago | (#27628185)

If you are good enough, they come to you.

Re:From the article :) (3, Funny)

JWSmythe (446288) | more than 5 years ago | (#27628325)

    Well....

    If you're good enough, they'll never come to you, because they'll never know you exist.

    If you're not quite good enough, you've talked too much, or left a trail somewhere you shouldn't have.

    Category 2 sucks. Category 1 is the happier place to be.

    I fall more into Category 1. I may talk on here, but I don't say enough to show the difference between someone who's full of hot air, and someone who should have a desk in sub-basement 4. You know, the one down the broken stairs, with no lights, behind the door marked "Beware Of The Leopard". At least I get my tan from the warm glow of a half dozen monitors. Too bad they don't let me leave very often.
   

Re:From the article :) (1)

cenc (1310167) | more than 5 years ago | (#27628427)

You have already said too much, and guys in dark glasses will be knocking on your door any moment. They will be escorting you to a different sort of interview at a "special" facility a nice beach.

Re:From the article :) (1)

Hurricane78 (562437) | more than 5 years ago | (#27628585)

Exactly. 20 monitors for one (huge?) person, in a sub-basement, give a very specific satellite signature. And if not, just follow the smell of bawls/sweat/pizza/hotpockets. ^^

Re:From the article :) (1)

nurb432 (527695) | more than 5 years ago | (#27628617)

Nah that means you are too good for them. They want controllable good.

Re:From the article :) (1)

inKubus (199753) | more than 5 years ago | (#27631645)

Yeah, this article was mistagged. No "itsatrap" ;)

Re:From the article :) (1)

Z00L00K (682162) | more than 5 years ago | (#27629773)

If you are good enough they won't come for you because you have hidden your tracks and possibly implicated someone else - hopefully someone that's guilty of something serious anyway.

So this leads to an interesting issue - if someone is pointed out as a hacker is that person really guilty or just a scapegoat?

Re:From the article :) (1)

cosm0naut (1535751) | more than 5 years ago | (#27632051)

Good luck finding me, I'm behind 7 proxies.

Actually (2, Interesting)

bmajik (96670) | more than 5 years ago | (#27628481)

an internal Microsoft job posting for a malware/security research position was done this way.

Hiring manager sends out an email, with an ip address, says there is a chat server listening on a port with a buffer overrun vuln in it. In n days he'll start reading over the resumes left in c:\ on the machine.

Re:Actually (0)

Anonymous Coward | more than 5 years ago | (#27631259)

So, if you have enough access to leave your resume there, what's to stop someone from deleting all the other resumes?

Basically, you'll get the resume of the first person to prevent anyone else from doing precisely that to him/her. Not necessarily the most qualified.

Re:Actually (2, Insightful)

Ihmhi (1206036) | more than 5 years ago | (#27632541)

Wouldn't people just start deleting the competition?

"Hey, only this one guy left a resume... also, he apparently installed SELinux and closed the buffer overrun vulnerability..."

Re:From the article :) (3, Insightful)

spydabyte (1032538) | more than 5 years ago | (#27628505)

If you're good enough, you'll remove the other applicants as well, and be the last man standing.

I personally enjoy International Capture The Flag [ucsb.edu]

Re:From the article :) (1)

JWSmythe (446288) | more than 5 years ago | (#27630731)

    I can do electronic recon and intelligence. I don't do hits. Then again, for the right money, with government protection (like, if it's part of my job, so I won't go to prison forever), it's not very hard to make someone disappear.

    [tappity][tappity] Inserted airline record for ticket booked to BOG (Bogotá, Colombia) on his credit card.

    [tappity][tappity] Inserted boarding pass issued and used.

    [tappity][tappity] Inserted customs & immigration record showing departure from US. Declared departure from US with $1000 cash and personal items.

    [tappity][tappity] Inserted Columbia customs & immigration record showing arrival in Columbia

    [tappity][tappity] Inserted hotel record showing 6 night stay at cheap resort hotel

    No return indicated.

    [tappity][tappity] Los Angeles county coroners office. Cremation order for one "Doe, John". Drug overdose. No identity available. Appearance was of vagrant. Detected heroin in remains.

    Ok, one gone. Who else was on that list again?

Re:From the article :) (0)

Anonymous Coward | more than 5 years ago | (#27628677)

You mean like this one: http://www.nsa.gov/careers/index.shtml [nsa.gov] ?

Re:From the article :) (0)

Anonymous Coward | more than 5 years ago | (#27628797)

Just crack their database and find Kim Bauers cellphone number - if you survive when Jack find's you, you're hired.

A useless gesture (2, Interesting)

BadAnalogyGuy (945258) | more than 5 years ago | (#27628019)

The only black hats who would be interested in this type of work are script kiddies looking for a legal outlet for their elite skills.

But if these kids are the experts, who is going to develop the hacking tools?

airline flight systems, and nuclear launch codes? (4, Informative)

nurb432 (527695) | more than 5 years ago | (#27628043)

Why are those even remotely accessible?

While i see a need for networking ( at least in some cases ) they should be on their own completely dedicated line.

Re:airline flight systems, and nuclear launch code (1)

4D6963 (933028) | more than 5 years ago | (#27628211)

Oh come on, who has never watched YouTube while waiting to be told or not to push the red button?

Re:airline flight systems, and nuclear launch code (3, Funny)

Kugrian (886993) | more than 5 years ago | (#27628281)

So Obama can clear a runway and launch a nuke from his Blackberry.

Re:airline flight systems, and nuclear launch code (4, Interesting)

JWSmythe (446288) | more than 5 years ago | (#27628479)

    Your question is your answer.

    You'll find, even in the happiest secure network, there can be a security hole.

    Think of this. It shouldn't happen, but I know it has. You have two networks jacks on your wall. One is green. One is red. Unclassified machines can be plugged into the green one. Classified machines an be plugged into the red one. A user who's annoyed that he can't be on both with the same machine, yet has two network interfaces on his PC plugs into both.

    Now, your nice secure network has a compromise. If that unclassified machine, on the unclassified network, becomes compromised, they have a nice portal into the classified network.

    Just because your network doesn't have any connections to the outside world, doesn't mean you shouldn't treat it as if it has a public IP on the Internet.

    What's happened more times than is funny is, some user decides he needs a wireless connection to his laptop, so he can put his laptop on another desk without an extra wire going to it. Since he's just a user, and picked up the AP at a retail store, he may not have set up security. "I'm 10 stories up in a secure building, I have nothing to worry about." Yup, nothing to worry about, until someone sits in the next building with a high gain antenna, and stumbles on the fact that there's an open AP begging for them to come in. Stores have been bitten by this. Schools have been bitten by this. Even banks have. Plenty of companies have had the same problem.

    I found a school once that did this. I found their printers very quickly. I installed the drivers for the printer, and printed a simple note. "Your network has an unencrypted access point on it. It is allowing anyone to access your network. Please call your network security administrator to correct this."

    I found a casino in Las Vegas did the same thing several years ago. I couldn't get in from outside, but from a legitimately purchased hotel room, I found I had access to every display board in the casino. I logged enough traffic to see how it worked. When I got home, I got a hold of the network security admin for the casino. I sent him the logs, the floor I was on, and exactly what I did. He thanked me for finding the mistake and not taking advantage of it. He said it was fixed within hours of my report. I'm sure it was an oversight when someone else did the install, and no one had ever looked at it as an outside hacker inside the building. Who would bother hack the casino network from a room in the hotel in Las Vegas. Oh ya, and DefCon was 3 months away. :) The only reason I was looking was, they didn't provide internet access in the rooms, and I was hoping to pick up an AP in the lobby or somewhere that was available for guests. Unfortunately, they didn't have one that I could reach the Internet with. No email for 3 days. :)

    Always be a good guy. Never be a bad guy. If you find a problem, report it with details. Trust me, the guy who would have gotten fired over it would prefer to know about the problem first so he can fix it.

Re:airline flight systems, and nuclear launch code (0)

Anonymous Coward | more than 5 years ago | (#27628843)

Your hypothetical situation made no sense. At all.

Re:airline flight systems, and nuclear launch code (1)

tacarat (696339) | more than 5 years ago | (#27628931)

I think the only real skill the hackers will need to master is being able to get the users, tenured civil servants and their bosses, to stop being security risks. You can't just throw money at this problem thinking that good code will be the end all be all solution. Social engineering is going to remain the #1 way to get stuff done. I say #1 only because practically anybody can do it, no technical skills required at all.

Talking to the right guy (1)

troll8901 (1397145) | more than 5 years ago | (#27629209)

When I got home, I got a hold of the network security admin for the casino. I sent him the logs, the floor I was on, and exactly what I did. He thanked me for finding the mistake and not taking advantage of it.

You are very, very, very lucky that he did not report to his management.

The casino is very lucky to have a smart network administrator like him.

---

Trust me, the guy who would have gotten fired over it would prefer to know about the problem first so he can fix it.

You are still very lucky that he didn't let anyone else know. He probably had Caller ID on his office phone. Also, he was able to retrieve Internet email from you.

My only questions: How did you manage to get through all the receptionists/secretaries, and how did you assess that he's smart and non-idiotic?

Re:Talking to the right guy (1)

JWSmythe (446288) | more than 5 years ago | (#27630837)

    I didn't call. I did a whois on their domain. They were nice enough to have a legitimate address for their NOC. I emailed the NOC saying that there was a security problem with their network and that I would like their security admin to write to me. I received a response in about a day.

    I did a little research on who had written to me, and confirmed that he appeared to actually be network security for them. He had a good background in network security, after I found his resume online.

    I then sent it to him.

    I wouldn't be surprised if it had been brought up with management. I had absolutely nothing to hide, which is why I sent my logs and a full description of what I had done to accomplish it. I'm sure they reviewed their information too, and saw that there was no unusual activity in the period.

    If they had noticed anything weird, I'm sure Vinny and the boys would be at my house within hours to rough me up. Rather, I he said thanks, we had a good chat, over the course of the next couple days, and that was it.

    I guess the important part was, I didn't ask for reimbursement for the information. I didn't threaten to exploit it, or release it. I just gave it to them. If I had one anything else, it would have been a potentially deadly issue.

Re:Talking to the right guy (1)

troll8901 (1397145) | more than 5 years ago | (#27631277)

Thank you for your reply. I'm humbled that you are so willing to help others in your personal and professional time. I'm learning so much from you and everyone else in Slashdot. I hope I can be qualified to pass on the favor one day to other people.

Re:airline flight systems, and nuclear launch code (0)

Anonymous Coward | more than 5 years ago | (#27629345)

A user who's annoyed that he can't be on both with the same machine, yet has two network interfaces on his PC plugs into both.

Except 1) You can't bring your own equipment into a classified environment (yes, the guard at the door and metal detectors prevent you)... 2) Your unclassified government computer cannot be plugged into the classified network (they will detect it being connected and show up at your cubicle).. 3) If you unplug your classified computer they will also notice it and come knocking... 4) the classified network is monitored and since the normal traffic is 100% under IT control, any out of the ordinary activity (port scan, indexing network shares/files, excessive bandwidth usage) is immediately red-flagged... 5) your classified computer usage IS monitored and audited.

But you just go ahead and keep believing that the government treats its classified networks the same are your company treats its internal private network.

Re:airline flight systems, and nuclear launch code (1)

JWSmythe (446288) | more than 5 years ago | (#27630963)

    Actually, I know that.

    A lot of computers come with a second NIC, so it's not inconceivable for a cable to be plugged in.

    I'm sure they do plenty of proper security. But...... Do we all live in a perfect world? No.

    I buy lots of used networking equipment. One piece of equipment in particular was still fully configured for a 3 letter agency. No, not an intelligence agency, a slightly more annoying and less dangerous one. I pulled the config, send it off to a friend that works at the DOD, and wiped it out. I was reselling it, and I always sell equipment with a clean config. He told me "this was a security breach, I have to send it to my superiors." I told him no problem. They can interview me about what I found. I actually expected the knock on my door where they'd interview me for a few hours. It never happened. I held onto the piece for several weeks, rather than just getting it out the door. It wasted floor space, but didn't change my profit, so I didn't care.

    But.... That piece of equipment should have NEVER left the facility as it was. It contained passwords, credentials for various things, labels for what was attached to each interface. Information on their routes, etc, etc, etc. It was very nicely done, except for the fact that I got my hands on it.

    I asked my friend a year later if he had heard anything about it, just after I received another piece of equipment that was previously owned by a Fortune 500 company in the same condition (full config). Actually, it's currently listed in the top 10 companies in the US. Since I don't particularly care about that company, and the information wasn't particularly sensitive, I just wiped it.

    We're only talking about maybe 2% of the equipment that has passed through my hands.

    The moral is.... In a perfect world, things work exactly as expected. Security protocols are followed to the letter. In the real world, mistakes happen more often than you'd like to know.

    I know I'm an ass about protecting my data. I never resell hard drives from my own network. I make very sure configs are wiped on anything taken out of service. If it's sitting in storage, it's a blank slate. It's not laying around with the old config on it. People thought I was nuts for retaining a box of hard drives for several years. I recycled some internally, but once they were too old/slow/small for use they were worthless to me, but entertaining. Have you ever popped the cover off a hard drive just so you could dig grooves in the platters with a screwdriver? :) It makes an awful noise, but it's good for demonstrating to someone who hasn't how a hard drive works. Well, until it's destroyed. :) I like the forged rings inside too. They bounce very nicely off of concrete floors. The platters themselves make good but slightly dangerous frisbees. :)

   

Re:airline flight systems, and nuclear launch code (1)

KevinIsOwn (618900) | more than 5 years ago | (#27631731)

I think the line about the "guard at the door" and "metal detectors" was the first indication that the AC has absolutely no idea what (s)he is talking about.

priorities, priorities... (5, Insightful)

martas (1439879) | more than 5 years ago | (#27628075)

let me get this straight, they're training tens (hundreds?) of thousands of various kinds of soldiers each year, and they're aiming to train only 250 "cyberexperts" a year by 2011? And this after all the "reports" about russia and china bullying the entire world, including the US, with their DoS and other kinds of attacks? I see, if you can't see it explode, then it can't hurt you, right?

Re:priorities, priorities... (1)

uniqueUser (879166) | more than 5 years ago | (#27628649)

they're training tens (hundreds?) of thousands of various kinds of soldiers each year, and they're aiming to train only 250 "cyberexperts" a year by 2011?

250 is plenty! I swear, if one more cyber- anything is created, I will rip off my fucking nose. Regular experts will do just fine thank you.

Re:priorities, priorities... (1)

kaizokuace (1082079) | more than 5 years ago | (#27628889)

250 is all they can afford for these Cyber-Soldiers! The experimental drug based augmentation program costs a fortune on its own, aside from the genetic and cyborg mods.

Re:priorities, priorities... (0)

Anonymous Coward | more than 5 years ago | (#27628949)

One hacker can do more than one soldier.

Re:priorities, priorities... (1)

Jah-Wren Ryel (80510) | more than 5 years ago | (#27629093)

they're aiming to train only 250 "cyberexperts" a year by 2011? And this after all the "reports" about russia and china bullying the entire world,

Those "reports" are their primary means of funding these departments. Apparently the PR/FUD hasn't been working so much, probably because the nation's had bigger things on its collective mind for the last year or two.

Re:priorities, priorities... (1)

martas (1439879) | more than 5 years ago | (#27629161)

well, that's kind of the hidden message - if you only do what will make you more popular in the voter's eyes, you won't do any of the things that need to be done because of somewhat complex reasons, since the voters (aka idiots) can't understand these. in other words, if you can't break something down to the level of "they hate america!" or "you won't be able to afford a 25,000 inch tv if we don't do this", then sorry, it ain't happening.

Re:priorities, priorities... (1)

Arthur Grumbine (1086397) | more than 5 years ago | (#27629581)

and they're aiming to train only 250 "cyberexperts" a year by 2011?

Combined with the fact that they're probably going to get mostly script kiddies, they should seriously consider ramping their target number up to 640.

640Kiddies should be enough for any government.

Re:priorities, priorities... (0)

Anonymous Coward | more than 5 years ago | (#27629867)

Because the bottom 10% of your high school class(the people they hand the guns to and say good luck), is way more people then the top 1% of your class that is capable of learning such advanced topics, if that 1% even wants to go into the military.

Re:priorities, priorities... (1)

Tubal-Cain (1289912) | more than 5 years ago | (#27630207)

...they're training tens (hundreds?) of thousands of various kinds of soldiers each year, and they're aiming to train only 250 "cyberexperts"...

Everybody always points out that you need less *nix admins.

Re:priorities, priorities... (1)

mlts (1038732) | more than 5 years ago | (#27632539)

How about not cyber soldiers, but true IT professionals who know their field?

Security is not all about the technological side. A major part of security is dealing with social engineering. Another major part is dealing security needs of a department or organization. Security and infrastructure needs of a law firm with 5 workstations and a server are totally different from the security of a multi-location corporate environment. Security needs of a TS facility are absolutely different from an unclassified facility.

The "whiz kids" are an important part of this, but you also need security people who can handle not just finding the more exotic bugs, but be able to make sure that a department, enterprise, or organization are up to speed. You need people who can (for example) LART the reprobate who is in receiving and who is browsing pr0n on a workstation with the AV program disabled and IE's security set to "low" so he doesn't get asked to install IE controls that stand between him and his excitement.

Security takes a lot of puzzle pieces, and people with many talents.

Who wants the... (1)

canuck57 (662392) | more than 5 years ago | (#27628081)

Who wants the politics?

Ooops, politics is the issue. Better shutup before they come and get me.

Civilans Need Not Apply. (3, Interesting)

JWSmythe (446288) | more than 5 years ago | (#27628169)

Too bad they don't provide a link of where to apply.

    Worse for some of us is the typical stumbling block for us well skilled civilians who haven't worked for the government yet. I just skimmed through the GD listings for "Defense/Military Intelligence Analysis" and "Information Technology". They all require at least TS/SCI

    Since I haven't worked for the government, nor for any company who would sponsor security clearance, I can't even apply for these jobs. It's not that would be excluded. Anything in my history is trivial at best. I've held many secrets. I've ensured privileged data has never been released. I've joked with friends about things I've told them. They say "You can't keep a secret", but I've always responded "Those are the secrets I could tell. You'll never know the secrets I can't."

    Us civilians are stuck. We're well qualified for the jobs, but we'll never be considered if we apply for the jobs. This is a perfect example. I spent years intercepting, analyzing, and protecting against people doing "bad things". I'm well versed in what the "bad guys" can do, and used their own tools and methods against myself to ensure my defenses were up to par. For example, it's one thing to know my firewalls can block any unwanted traffic. It's another thing to poke a huge glaring hole in the firewall for myself to attack, and then proceed to attack.

    I've posed as an inside attacker. I've posed as an outside attacker. I see what each can get away with, and protected against both.

    I won't claim that I know everything. No one does. But people come to me asking "What the hell is this?" and I can give them a practical off-the-cuff response, and a detailed response after a good analysis. Most of the time, they match.

    Without the clearance, I'd never be allowed to use these skills for a position like that. I know if I ever got my foot in the door, things would be different. Until then, I do my job well for civilian clients

    Then again, none of you know me. Maybe I have TS/SCI with EBI and FSP. If I had it, would you know? :) Bragging rights aside, if I were to announce my clearance, that indicates that I may have access to information that someone may want, which could put myself, my family, my friends, and my neighbors at risk. Don't get too anxious, officially my clearance is "none" and my work history is "civilian". :) I'd like to correct that some day, so if any real recruiters read this, feel free to find me. It won't be hard for you. Check the file for "Smythe, JW (alias)"

Re:Civilans Need Not Apply. (0)

Anonymous Coward | more than 5 years ago | (#27628333)

Clearances are expensive, with a burden on the government and the company to maintain. Application for higher clearance can take months for approval. It is just another component of your qualifications - one that is likely decided early on in your career. Many science and technology fields require depth; consider advanced research in any government regulated area (aerospace,medicine, etc). Also, consider that every individual with access to cleared information is a possible vulnerability.

Re:Civilans Need Not Apply. (0)

Anonymous Coward | more than 5 years ago | (#27628367)

...Apply for the job.

If you are good enough they will get you through the process of the Security Clearances... The process will take a few months to clear, but it will be done.

Re:Civilans Need To Apply. (0)

Anonymous Coward | more than 5 years ago | (#27629023)

when you are done stroking your ego-
NSA - job search - http://www.nsa.gov/careers/jobs_search_apply/index.shtml [nsa.gov]

Re:Civilans Need Not Apply. (2, Interesting)

rts008 (812749) | more than 5 years ago | (#27629063)

Bragging rights aside, if I were to announce my clearance, that indicates that I may have access to information that someone may want, which could put myself, my family, my friends, and my neighbors at risk.

The waters are muddier than that. More often the reasons for something/position being classified carry no such risks. They can, but those are in a minority.

Example:
1976-77 I worked at NASA's Goddard Space Flight Center, in the NTTF** building. I had to hold a Top Secret clearance while working there.
The reason? Some of the parts in my work area were classified.
I was a Logistics Technician, in the Logistics Dept., Yes, basically nothing more than a parts man working behind the parts counter.
The classified equipment?
Some bit of electronics that were encased in gold sheetmetal, called Gold Bricks. They were part of the satellite tracking control system, and kept locked up. I had no access without a dept. supervisor to unlock them for me.

They were not classified due to the technology, they were classified due to their cost. They ranged from several hundred-thousand dollars apiece to several million apiece.

Re:Civilans Need Not Apply. (1)

Sycraft-fu (314770) | more than 5 years ago | (#27629739)

They also get over paranoid about that kind of thing. I was chatting with a guy now working at Cisco who used to work for the CIA. He had Top Secret clearance, which of course made him valuable for Cisco since they could send him on contracting work to classified sites. At any rate he talked about his time at the CIA and how some of the classified documents he read were really stupid. He said that he saw nothing of any substance in the whole thing that he hadn't already heard on CNN. The reason it was classified wasn't the information but the source it had come from or some other reason like that. He said he was amazed the number of documents that he dealt with like that. He'd always assumed, as had I, that if something was classified it was because the information needed to be secret. He discovered that was the case only some times, other times he said he had no idea why.

Over all I think erring on the side of caution is probably how you want to go with this. After all, maybe he was wrong about one of those documents and it would have told an enemy agent something real valuable even though he didn't think so. However people shouldn't assume that just because something is classified that means that it is the amazing secret, or that people who work in classified areas necessarily work with secret items.

Re:Civilans Need Not Apply. (1)

JWSmythe (446288) | more than 5 years ago | (#27631005)

    I knew a lady with a similar situation. She did have security clearance. Why? Because she bolted seats down in fighter aircraft. Well, I'm sure she bolted other parts down too. She had no idea what they did, how the worked, or anything else. She knew to line the bolt holes up, and tighten them down properly. But, she was in a facility with classified stuff, so she needed it.

    But, she got her clearance, and I still apply for a variety of positions and get nothing. Oh well, maybe someday I can bolt seats down in fighters. :)

Re:Civilans Need Not Apply. (4, Informative)

Jah-Wren Ryel (80510) | more than 5 years ago | (#27629133)

Us civilians are stuck. We're well qualified for the jobs, but we'll never be considered if we apply for the jobs.

Your analysis is false. As someone who does not hold a clearance you have a slight handicap because it means that if they hire you, you won't get able to start on the "meat" of the work for a few months while your clearance is processed.. But if your skills are good, then they will hire you and put you on a desk in an unclassified area to get yourself up to speed on as much of the program as is unclassified. I know a lot of people who have done exactly that. You do not have to be ex-military to get a clearance.

Re:Civilans Need Not Apply. (2, Informative)

gmhowell (26755) | more than 5 years ago | (#27631827)

You do not have to be ex-military to get a clearance.

But it sure as hell helps out.

If the GP has a resume that looks as good as he thinks, some hiring manager at some DOD contractor somewhere will find him a security eligible position while waiting for a TS/Q to come in.

Re:Civilans Need Not Apply. (5, Informative)

TheRaven64 (641858) | more than 5 years ago | (#27629151)

I've held security clearance in the past (it lapses if you don't renew it periodically, and I didn't), and I know a few people who got jobs that required a higher level of clearance than I had. Although the job adverts will say you require clearance, this usually means that any offer will be conditional on the clearance being granted. You can still apply without it and if they think you are qualified then they may offer you the job. The offer will say 'pending security clearance' or similar on it, and you will then have to undergo a background check (exactly how detailed this is depends on the level required, but it can usually be done in a couple of months). It is quite rare for someone to fail - most people who might tend not to apply. If you do need to go through the process, then don't lie. They don't care if you're gay or smoked pot, but they do care if you have secrets that someone can blackmail you about.

Re:Civilans Need Not Apply. (1)

gmhowell (26755) | more than 5 years ago | (#27631841)

It is quite rare for someone to fail - most people who might tend not to apply. If you do need to go through the process, then don't lie. They don't care if you're gay or smoked pot, but they do care if you have secrets that someone can blackmail you about.

+1 informative. If you fill out the paperwork, list all of your deep dark secrets. And know what you said. At some point you'll be interviewed, and they will ask about all of that stuff. The stories better line up.

FYI (2, Interesting)

Sycraft-fu (314770) | more than 5 years ago | (#27629225)

Security clearances aren't classified. They are prerequisites to have access to classified material, but the clearances themselves aren't. So if you had a TS clearance, sure we could know. You'd be free to tell us if you liked. You couldn't tell us about the classified material you saw, of course, but the clearance itself would be no secret at all.

As a practical matter there's no way to keep such a thing a secret due to the nature of the SSBI. More or less what they do is talk to everyone you've ever known, and in various cases talk to people they've known. They tell people the reason too, because they ask questions such as "Do you think this person could be trusted with national secrets?"

I've known more than a few people with security clearances and it was never any kind of secret. It wasn't like they'd walk up and say "Hi my name is Bob, I have a clearance," but if it came up in conversation or you asked they'd be happy to tell you.

Re:FYI (1)

fluffy99 (870997) | more than 5 years ago | (#27629605)

No classified, but knowledge of who has clearance is still FOUO (or sometimes called Sensitive But Unclassified, or now called Controlled Unclassified Information). Release of such information to the public is still prohibited. So while technically you are not supposed to advertise having a current clearance, you can put on your resume that your are able to hold a clearance.

Ethical "Hackers".. of course (4, Informative)

nurb432 (527695) | more than 5 years ago | (#27628173)

If you are old school, hacking IS ethical, and any damage/profit beyond learning is against the "code".

Amazing how powerful the media is in twisting definitions, public perception and alienating an entire culture.

Re:Ethical "Hackers".. of course (2, Funny)

Anonymous Coward | more than 5 years ago | (#27628187)

If you to nit-pick, a hacker is a bad golf player.

Amazing how the internet twisted the definition.

Re:Ethical "Hackers".. of course (2, Informative)

nurb432 (527695) | more than 5 years ago | (#27628629)

umm the term hacker predates the commercial internet.

True it doesn't predate people that suck at golf however.

Re:Ethical "Hackers".. of course (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27628239)

Words, definitions and languages change, get over it.

It's been that way for 1000's of years. Long before the "media" took over.

Re:Ethical "Hackers".. of course (1)

nurb432 (527695) | more than 5 years ago | (#27628645)

I can still bitch about it. Now, get off my lawn!

Re:Ethical "Hackers".. of course (2, Interesting)

dontmakemethink (1186169) | more than 5 years ago | (#27628313)

Beat me to it. However the blame for the misnomer lies not in the media. A benign exploit was called a hack, but a hack causing damage was called a crack. That meant those who performed cracks were initially called 'crackers', a term that already had a racial connotation. They couldn't call them 'crackheads' either. Both the media and 'crackers' adopted the next closest related term.

Kinda sad that it's difficult to find a derogatory name for something because all relevant options are already in widespread use...

Re:Ethical "Hackers".. of course (1)

kaizokuace (1082079) | more than 5 years ago | (#27628905)

HACK THE PLANET!

Re:Ethical "Hackers".. of course (0)

Anonymous Coward | more than 5 years ago | (#27631307)

...... Haaaccckkk Thheee Pllaaaannneeettt!!! THEY ARE TRASHING OUR RIGHTS!!! Trashinggg!!

hackers? (1)

prndll (1425091) | more than 5 years ago | (#27628181)

Bill Clinton was supposed to make "hacking" a federal offense.

Keep them Happy (2, Informative)

aoheno (645574) | more than 5 years ago | (#27628189)

Someone who really knows how to game Technology needs to be kept very very happy if he or she is not to turn on you.

During the Cold War certain 'Special Forces' were used to entice secrets from many using torture free and very 'personal' interrogation techniques in undisclosed hotel rooms. No amount of technology can stop that unless the hacker has a smart phone implanted to record and transmit everything.

This opens the question of whether there need to be several such persons in separate undisclosed locations, that are tasked with monitoring each of the others.

Outsource it . . . (1)

PolygamousRanchKid (1290638) | more than 5 years ago | (#27628195)

. . . this would be much too expensive for folks in the US to do . . . outsource it to some place like China or Russia.

Re:Outsource it . . . (1)

British (51765) | more than 5 years ago | (#27628351)

Well, if they outsource it to China they will already have experience.

Ethical Hacking... (0)

Anonymous Coward | more than 5 years ago | (#27628207)

...for Military Intelligence.

It's a trap! (1)

Bastard of Subhumani (827601) | more than 5 years ago | (#27628243)

It's a trap, they just want to know who to watch.

Tin-foil hat time (4, Insightful)

pongo000 (97357) | more than 5 years ago | (#27628251)

Has anyone considered this is just another version of the common ploy police use to round up criminals with outstanding warrants? They entice these people using false pretenses, then arrest them when they show up.

I'm not saying this is the case here, but what better way to build up a database of hackers (i.e., possible terrorists)?

its a trap! (1)

TheGratefulNet (143330) | more than 5 years ago | (#27628345)

who's the good guys? who are the bad ones?

are you sure?

will it be the same tomorrow?

don't trust the gov and DO NOT WORK FOR THEM. you will regret it, either now or later. time has proven that.

"its a trap!"

(sorry)

just get someone who will do it to getout of jail (1)

Joe The Dragon (967727) | more than 5 years ago | (#27628299)

just get someone who will do it to get out of having to go to jail for being a Hacker.

Re:just get someone who will do it to getout of ja (1)

nathan.fulton (1160807) | more than 5 years ago | (#27628771)

"What could possibly go wrong?"

What the... (1)

creimer (824291) | more than 5 years ago | (#27628301)

The government does realize that any hacker will behave like a Wall Street CEO walking out of the Treasury with a wheelbarrow full of money? No... Cool! Sign me up.

Contradiction (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27628315)

Anyone working for the government is inherently unethical, using stolen money for themselves and other people. So it's a contradiction that a government agency would be looking for 'ethical' hackers, they cannot find them no matter how hard they try.

Written by a PHB (3, Interesting)

seeker_1us (1203072) | more than 5 years ago | (#27628335)

Ethical Hacker...

seeking someone who could 'think like the bad guy.' Applicants, it said, must understand hackers' tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems.

Clearly written by a technologically illiterate PHB. Any good security person worth his/her salt can think like the bad guy and knows hackers tools. They also know the difference between what the term "hacker" really means and what the knucklehead who wrote this ad thinks it means.

Re:Written by a PHB (0)

Anonymous Coward | more than 5 years ago | (#27628439)

You're not going to start with the "hacker" versus "cracker" nonsense are you? That battle is over, get over it.

Re:Written by a PHB (0)

Anonymous Coward | more than 5 years ago | (#27628625)

You know--you say that...and there's a lot of truth to it. Many of the 'white hats' I met were incompetent--not all of them, and there's a lot of *great* ones out there. But I think in security--it sometimes takes a certain degree of sociopathic traits underlying your personality to spot some of the nastiest vulnerabilities out there--things people would never even consider a vulnerability, because it would never occur to them that it could be denied/adulterated/done.

You don't actually have to act on the sociopathic thought--but to spot the flaw in the underlying assumption. I guess that's the biggest problem I've continually witnessed with "white hat" training--they never actually teach the people to think maliciously--and as a result, many of them are continually playing a losing game of catchup. They don't come up with new exploits because they've been trained not to be malicious--even when they "think as the adversary" they come up with solutions like the TSA bullshit where they address yesterdays threat instead of the issue being to easily cause terror, chaos and disruption. We have bombs off of aircraft--and everyone funneled in a narrow corded aisle and unarmed by definition--but nobody thinks that this poses a bigger threat because it doesn't seem to occur to them in their misguided focus on "the problem"

You can take some trustworthy army or AF tech, train them in the best tools, give them the top secret NSA exploits and toolkit, access to echelon or whatever--but you can't teach them to independently make the observation that all it would take to tear down a webserver to have all of its traffic routed back to it. They learn, but never seem to innovate...

Re:Written by a PHB (0)

Anonymous Coward | more than 5 years ago | (#27630053)

I believe that what the government is looking for is a cookie cutter shaped hacker something they can order on the spot. When you look at their purchase request orders you see they don't go after the best materials. Usually they go after something offered from a company with a guarantee to wave at the higher ups to approve. Some degree or qualification that can work with this "computer security thing". It shouldn't require thought or experimentation. But something risk free from a catalogue.

Funny... (1)

Hurricane78 (562437) | more than 5 years ago | (#27628473)

...they would be the only people with any ethics in the department. ^^

Quis custodiet ipsos custodes? (3, Funny)

psicop (229507) | more than 5 years ago | (#27628495)

And the DHS will look up and shout "Save our Internets!"

And I'll look down and lol "QQ moar n00b."

Is it really that hard to essentially blacklist entire countries?

Do we really need remote access from .ru, .cn, and .ua? (just to name a few)

FedNet...would you like to know more?

Re:Quis custodiet ipsos custodes? (1)

gmhowell (26755) | more than 5 years ago | (#27631887)

Is it really that hard to essentially blacklist entire countries?

Technically, no. Politically...

Isn't this a little like... (1)

mc1138 (718275) | more than 5 years ago | (#27628531)

Hiring gang members to be part of a vice squad? Don't get me wrong, I'm all for hiring black hats for security jobs, as they can often be the best for the job, the problem is keeping a close watch on the few that would double cross if the rewards were good enough. If I were them I'd try and recruit those that are finding vulnerabilities and reporting them, rather then prosecuting them which too often happens.

Re:Isn't this a little like... (1)

nathan.fulton (1160807) | more than 5 years ago | (#27628833)

How is that problem unique to "black hats?" Spies, double agents, and the like have existed since the beginning of time, and they come from all backgrounds.

It's important to remember that black hats are like gang members in many ways -- and the most important is that the financial motive is often a red herring. I am willing to bet that most black hats worth their salt in the US -- like most gang members -- are in it for the sense of community, the respect, and other non-financial motives. therefore, the most important preventative measure the DHS has to take is to make sure they don't feel like they are being treated like crap. Good luck with that one, DHS.

I see a SciFi Channel series in the offing (2, Funny)

serutan (259622) | more than 5 years ago | (#27628553)

Or SeeFee or SuFu or whatever it's called now. Haxx0rz -- Elite hacker Jason St. Phibes and his crew of one rotund recluse, one hot babe genius, and one socially awkward but lovable nerd tackle laptop-wielding Muslims who would threaten our homeland's data and stuff.

Re:I see a SciFi Channel series in the offing (1)

senorpoco (1396603) | more than 5 years ago | (#27628705)

I'd watch that show, and it's off Broadway musical counterpart.

Re:I see a SciFi Channel series in the offing (1)

nathan.fulton (1160807) | more than 5 years ago | (#27628851)

You mean like Star Gate: Atlantis (except replace muslim with big creepy alien)?

Re:I see a SciFi Channel series in the offing (1)

rts008 (812749) | more than 5 years ago | (#27629129)

That already sounds too much like Chuck [hulu.com] :

...a one-hour, action-comedy series about Chuck Bartowski (Zachary Levi, "Less Than Perfect") -- a computer geek who is catapulted into a new career as the government's most vital secret agent....

[from the link]

easy, use Linux with their own product, SELinux. (0)

Anonymous Coward | more than 5 years ago | (#27628783)

yup

FFS (0, Flamebait)

smoker2 (750216) | more than 5 years ago | (#27628789)

Have a look at the last few stories posted here. The US appears to be a nation of wankers, led by wankers. Discuss.
BTW, if you mod this as troll you are one of the aforesaid wankers.

Hacker Honeypot (2, Insightful)

littlewink (996298) | more than 5 years ago | (#27628791)

They don't want to hire them, they want to catch them.

Anyone stupid enough to show an interest will be repaid by having their background and their "back" proctoscoped by the Feds.

Re:Hacker Honeypot (1)

nathan.fulton (1160807) | more than 5 years ago | (#27628855)

I would agree with you, except that it's the feds... Don't attribute to malice what stupidity can explain.

Universally Global Internet Patriot Act (0)

Anonymous Coward | more than 5 years ago | (#27628891)

Something tells me this is a continuation of the US governments attempt to gain control of the web, the last medium for true free speech.

But I'm crazy, so something is always telling me something :D

"Can you think like the 'bad guy'" is a perfect example of the governments inability to view the world through the eyes of the less fortunate or the oppressed who seem to stand in the way of the empire and wreak the destruction of our bounty.

No ethical hacker... (1, Flamebait)

boyko.at.netqos (1024767) | more than 5 years ago | (#27628929)

No ethical hacker would ever work for the DHS.

Because DHS ethics is... (1)

Requiem18th (742389) | more than 5 years ago | (#27629565)

... an obvious oxymoron.

Re:No ethical hacker... (0)

Anonymous Coward | more than 5 years ago | (#27630043)

I hear Gary McKinnon is looking for a new job...

Re:No ethical hacker... (0)

Anonymous Coward | more than 5 years ago | (#27632411)

correction: no ethical person

Free Advice (1)

PingXao (153057) | more than 5 years ago | (#27629059)

You want to keep your system safe from hackers? Don't put it on the public internet. Problem solved.

But no, they'll waste millions on this. Some people will take advantage and build lucrative "careers" with it. Other snake oil salesmen will get their start in life.

If you are "Ethical"... (0)

Anonymous Coward | more than 5 years ago | (#27629157)

..how could you ever work for and take the side of the US federal government?

What am I missing here?

We're SAVED!!! (1)

FatdogHaiku (978357) | more than 5 years ago | (#27629307)

I can see it now. "Ethical Hackers" working for "Diligent Bureaucrats" under the direction of "Honest Politicians"... Things are gonna be just great!

Ten-Hut! (2, Funny)

ZarathustraDK (1291688) | more than 5 years ago | (#27629863)

Private The Plague reporting for duty, sir!

Linked pdf is not the result of the 60 day study (1)

Helevius (456392) | more than 5 years ago | (#27631607)

Watch for a report from Melissa Hathaway, who is leading the effort. The linked .pdf is from GAO and was published 10 March.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...