Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Pentagon Seeks a New Generation of Hackers

ScuttleMonkey posted more than 5 years ago | from the just-give-them-places-to-play dept.

Security 134

Hugh Pickens writes "Forbes reports on a new military-funded program aimed at leveraging an untapped resource: the population of geeky high school and college students in the US. The Cyber Challenge will create three new national competitions for high school and college students intended to foster a young generation of cybersecurity researchers. 'The contests will test skills applicable to both government and private industry: attacking and defending digital targets, stealing data, and tracing how others have stolen it. [...] The Department of Defense's Cyber Crime Center will expand its Digital Forensics Challenge, a program it has run since 2006, to include high school and college participants, tasking them with problems like tracing digital intrusions and reconstructing incomplete data sources. In the most controversial move, the SANS Institute, an independent organization, plans to organize the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data. Talented entrants may be recruited for cyber training camps planned for summer 2010, nonprofit camps run by the military and funded in part by private companies, or internships at agencies including the National Security Agency, the Department of Energy or Carnegie Mellon's Computer Emergency Response Team.'"

cancel ×

134 comments

Sorry! There are no comments related to the filter you selected.

Awesome! (0)

Anonymous Coward | more than 5 years ago | (#28057603)

Where do I submit my resume?

Re:Awesome! (4, Funny)

snowraver1 (1052510) | more than 5 years ago | (#28057929)

If you are asking, you don't qualify.

Re:Awesome! (5, Funny)

mikeee (137160) | more than 5 years ago | (#28058231)

>If you are asking, you don't qualify.

Exactly. In fact, if you're any damn good, just break into the HR system, insert yourself, and tell the front desk you forgot your badge when you show up for work the tomorrow morning.

This now concludes your interview.

Re:Any Damn Good (1)

TaoPhoenix (980487) | more than 5 years ago | (#28058551)

If you're better, make yourself a COO/CEO type, and Fire HR. Then award yourself a bonus.

Re:Any Damn Good (2, Funny)

sexconker (1179573) | more than 5 years ago | (#28059021)

And if you're the best, you simply give yourself a pension and numerous titles/awards/etc..

FIST SPORT (1)

ringbarer (545020) | more than 5 years ago | (#28057611)

Didn't corporate interest ensure that anyone with the hacking mindset be treated as an enemy of the state?

Foreigners?? (3, Insightful)

rodrigoandrade (713371) | more than 5 years ago | (#28057647)

Will they accept foreign applicants?? Because restricting this program to US citizens is madness, considering all the hacks done overseas.

Re:Foreigners?? (3, Insightful)

TinBromide (921574) | more than 5 years ago | (#28057695)

They're probably looking for people who can get a security clearance. It may be harder to do if you're a Chinese foreign national. They're not looking for hacks, but hackers.

Re:Foreigners?? (1, Interesting)

cayenne8 (626475) | more than 5 years ago | (#28057815)

I wonder if they'd consider someone who hasn't really gathered the hacking skills yet, but, would be VERY interested in learning how. Especially, if said person had or was capable of getting a clearance, and had an extensive computer background with skills other than cracking into systems and security in general?

Re:Foreigners?? (1)

Niris (1443675) | more than 5 years ago | (#28057937)

That's something I was wondering too. Am a computer science major and have spent a couple years working in IT, know a couple programming languages decently, but have no clue where to start for this sort of stuff.

sans.org (2, Informative)

Frigga's Ring (1044024) | more than 5 years ago | (#28058355)

SANS.org offers a whole lot of courses regarding InfoSec. Start with SANS 401 unless you feel you really need the into 301. Sadly, they get pretty pricey if you don't have a company reimbursing you.

Re:Foreigners?? (4, Insightful)

Opportunist (166417) | more than 5 years ago | (#28058153)

Probably not. There are quite a few talented people out there who spent already years to get into "it". Why bother training someone for 2-4 years if you can get someone who already has the skill?

Part of being a hacker is being able to find the resources. So if you want to learn, just do it.

Re:Foreigners?? (1)

conspirator57 (1123519) | more than 5 years ago | (#28059791)

Probably. If you already knew how to hack, that'd imply you had already done some hacking. What were you hacking and was it illegal for you to hack? Can they trust someone who would break the law to learn the things they want people to come in knowing? Classic chicken-egg that way, so yes, I'd imagine you'd be welcome. Of course, if you've not got the temperament for hacking, how good of a hacker will you make? Will you just end up being another gov hack? (Noting personal, these are all meta-speculative quasi-rhetorical questions about the mindset of the gov and the possible repercussions of such putative mindsets.)

Re:Foreigners?? (2, Informative)

Jeian (409916) | more than 5 years ago | (#28057803)

Literally any governmental or military job that involves dealing with classified information, requires you to be a US citizen. I imagine this would be no different.

Re:Foreigners?? (1)

morgan_greywolf (835522) | more than 5 years ago | (#28057991)

Literally any governmental or military job that involves dealing with classified information, requires you to be a US citizen. I imagine this would be no different.

Or even merely ITAR-restricted data.

They can't legally accept foreigners (2, Informative)

MikeRT (947531) | more than 5 years ago | (#28058097)

To work on these systems you'd need to hold a security clearance. It is not prima facie absurd to say that some restrictions could be lifted for Secret-classified networks, but you'd never get them to do Top Secret and Top Secret/SCI because of how incredibly sensitive the data is on those networks.

Gays?? (2, Interesting)

mcmonkey (96054) | more than 5 years ago | (#28058301)

Will they accept homosexuals?

Or is "deviant sexual behavior" only acceptable when done as part of an "enhanced interrogation"?

Re:Gays?? (0)

Anonymous Coward | more than 5 years ago | (#28058719)

Will they accept heterosexuals?

Re:Foreigners?? (1)

Simulant (528590) | more than 5 years ago | (#28059255)

Hell, most of the time they won't even except US citizens unless they already have a clearance. It's a very closed system.

I spend a few years doing IT/Security for the DOD.

The worst job ever, for what it's worth. So bad that I now happily work for 50% less pay, elsewhere.

In other news, it was announced that the US Army will be upgrading from XP to Vista because "It's easier to upgrade to Windows 7 from Vista than it is from XP." (not an exact quote) This is the type of mentality you have to deal with in DOD IT.

http://www.theinquirer.net/inquirer/news/1137451/us-army-finally-moves-vista [theinquirer.net]

Re:Foreigners?? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28059545)

Madness? THIS...IS...AMERICA!!
Sorry, had to do it /* crawls back into geek cave */

Hackers or crackers? (0)

Anonymous Coward | more than 5 years ago | (#28057653)

"My Daddy ate my eyes."

Re:Hackers or crackers? (1)

sexconker (1179573) | more than 5 years ago | (#28059057)

Jeepers, creepers.
Where'd you get those peepers.

Looking forward to it. (0)

Anonymous Coward | more than 5 years ago | (#28057679)

I'm looking forward to DC3 this summer. I don't believe they accept foreign applicants. I don't believe that it is madness either, why train or let someone participate in something they may not even be able to stay here and participate in.

Stephen King's daughter is a lesbian (-1, Offtopic)

Smidge207 (1278042) | more than 5 years ago | (#28057691)

True: she looks like a bull-dyke and is married to an Ethiopian woman (Thedanka). They are both ministers in a Unitarian Church in Florida. Read it on Wikipedia. Care to discuss?

=Smidge=

Re:Stephen King's daughter is a lesbian (0)

Anonymous Coward | more than 5 years ago | (#28057755)

True: she looks like a bull-dyke and is married to an Ethiopian woman (Thedanka). They are both ministers in a Unitarian Church in Florida. Read it on Wikipedia. Care to discuss?

=Smidge=

Your comments are a sine wave of quality, my friend ... unfortunately it has a very very low trough.

The fine print (1)

d474 (695126) | more than 5 years ago | (#28057773)

...which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data.

And the winner does not pass "Go", does not collect $200, and goes straight to jail.

Re:Do Not Pass Go (2, Funny)

TaoPhoenix (980487) | more than 5 years ago | (#28058641)

Thank you. Finally someone with some caution.

"Hey, we'll interrogate Terrorists."
"But we aren't getting any hits sir."
"Okay. Let's hold a contest to find some."

Finally.... (4, Funny)

BJ_Covert_Action (1499847) | more than 5 years ago | (#28057777)

Angelina Jolie has a legitimate excuse to stop posturing as an actress and can pursue her true destiny... [imdb.com]

Re:Finally.... (1)

morgan_greywolf (835522) | more than 5 years ago | (#28057975)

Sorry, dude, I hate to be the one break the news to you, but Angelina Jolie? She doesn't know anything about hacking. Neither did her character in that movie.

OTOH, she did do her own stunts for the Tomb Raider movies. Athletic and sexy....yum.

Re:Finally.... (3, Insightful)

bencoder (1197139) | more than 5 years ago | (#28058675)

but her laptop's got a 28.8bps modem AND it runs on RISC architecture! She must be a hacker!

Re:Finally.... (1, Funny)

Anonymous Coward | more than 5 years ago | (#28058679)

"Me, alright? I did it. She knows shit about computers. She... she's just my girlfriend."

"Are you crazy? What are you doing?"

"I'm trying to help you."

"Dade."

"What?"

"Thanks for your help."

And remember folks. (4, Insightful)

fahrbot-bot (874524) | more than 5 years ago | (#28057829)

which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data.

When they work for you, they're "freedom fighters".
When they work for the other guys, they're "terrorists".

Re:And remember folks. (2, Interesting)

Yvan256 (722131) | more than 5 years ago | (#28058055)

And good luck denying cyber-attacks against other countries with a publicly announced program like that.

Re:And remember folks. (2, Interesting)

megamerican (1073936) | more than 5 years ago | (#28058119)

which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data.

When they work for you, they're "freedom fighters".

When they work for the other guys, they're "terrorists".

You could also say that When they SAY they work for the other guys, they're "terrorists."

This news isn't very surprising considering that the The National Research Council [blacklistednews.com] is pushing for the offensive use of âoecyberattackâ against enemies foreign and domestic.

It isn't very hard to imagine that they may commit attacks on our own infrastructure in order to get more power and money. Our government has a proven track record of using false flag attacks (see Operation Ajax or the Northwoods documents) or exaggerating attacks on us (Gulf of Tonkin). This is even more plausible considering there would probably be no loss of life.

I'm not saying this is happening but given knowledge of previous examples it would be best to be skeptical of the governments claims.

Re:And remember folks. (1)

Ukab the Great (87152) | more than 5 years ago | (#28058759)

"If the people raise a great howl against my barbarity and cruelty, I will answer that war is war, and not popularity seeking"--William Tecumseh Sherman

Cybersecurity (3, Insightful)

oneirophrenos (1500619) | more than 5 years ago | (#28057835)

... a young generation of cybersecurity researchers ... attacking and defending digital targets, stealing data ...

Isn't it funny that whenever there is talk about security it generally means the opposite?

Re:Cybersecurity (2)

HomelessInLaJolla (1026842) | more than 5 years ago | (#28057941)

It is somewhat humorous. The government and large corporations have been paying nothing but lip service to security for years, in the interest of advancing various personal agendas and profit driven ventures. For them to now be taking military funds and directing it at security development is somewhat pointless now.

The only logical answer is that it is yet another boondoggle, just a way for various people in key positions to advance personal agendas and promote themselves and their particular private consulting service. More fat pigs feeding at the taxpayer funded feeding trough that runs between Washington DC and Wall Street.

Take a good hard look at the state of information security today. All of that information which all of those various organizations gather about you, and store on file, is all available with little more than a hardware hack.

Re:Cybersecurity (0)

Anonymous Coward | more than 5 years ago | (#28059913)

All of that information which all of those various organizations gather about you, and store on file, is all available with little more than a hardware hack.

[citation needed]

Seriously, someone mod this conspiracy theorist down.

Re:Cybersecurity (2, Informative)

morgan_greywolf (835522) | more than 5 years ago | (#28058057)

Isn't it funny that whenever there is talk about security it generally means the opposite?

Well, it makes sense. In order to defend a secure system/network, you must first know multiple ways to break into that secure system/network. Posers doing "IT security" jobs that don't know what they're doing are for sure going to drop the ball and get pwned.

Re:Cybersecurity (1)

ThrowAwaySociety (1351793) | more than 5 years ago | (#28058909)

... a young generation of cybersecurity researchers ... attacking and defending digital targets, stealing data ...

Isn't it funny that whenever there is talk about security it generally means the opposite?

Military thinking 101: The best defense is a good offense.

Re:Cybersecurity (0)

Anonymous Coward | more than 5 years ago | (#28059075)

What the government doesn't realise is that they are promoting black hat hacking by doing this. Now that I've read about this I am going to learn all I can about hacking, but if I don't make the team I am gonna use my skills against the pentagon. It's fighting fire with fire.

outsource it to china and russia (4, Funny)

circletimessquare (444983) | more than 5 years ago | (#28057885)

they seem to have thousands of enthusiastic youngsters who are already hard at work in this very field

Another stupid desicion by The Government (0)

Anonymous Coward | more than 5 years ago | (#28057967)

Why does the government just hire people who already have extensive experience? It take many years of constant dedication to become a great programmer and they want someone right out of school or college? LOL!!! I would like to know what retard of a leader made that decision. Actually I don't care.

I have to say I'm a little frustrated.... (5, Insightful)

netruner (588721) | more than 5 years ago | (#28058007)

I have been looking for formal academic training in computing security for quite some time. The best I've found is "boot camps" for CISSP and seminar courses taught by a local college on how to use tools like Metasploit, Wireshark and C&A.

I went all the way through a MS CS looking for any opportunity to study computing security and drew nothing but shrugs from my professors when I inquired about seriously studying the subject.

If they really want to produce cybersecurity experts, forget the competitions - you have to make training available. Forget all of the hand waving talk about academics not "having the right mindset". I have found that the kind of people who say such things just don't want to share their knowledge.

Re:I have to say I'm a little frustrated.... (3, Informative)

NES HQ (1558029) | more than 5 years ago | (#28058163)

Not sure how long ago you tried to do this, but there are a number of colleges (Bachelors and post-grad) that offer solid Infosec programs now (disclaimer, there are just as many that offer crappy Infosec programs). In-depth training and certification is available for most major/widely-deployed Infosec products, such as Snort (http://www.sourcefire.com/services/education). Also, there are professional training organizations (e.g. SANS) that offer excellent [mostly] vendor-neutral Infosec training. Infosec as an actual field is fairly young, so it's not surprising that there isn't an Infosec program at every college in the country, but there are numerous high-quality training options available.

This is hilarious! (2, Insightful)

tacokill (531275) | more than 5 years ago | (#28058179)

Your post is hilarious! I mean no offense by this reply so please don't get mad....

The idea that there is "hacking training" or even college is hilarious! Hacking, by definition, means you do things that were not designed to be done. IOW, you hacked them to make them work together. It could be computers...or it could be stereo speakers. They only differ in form.

Things like this can not be taught by books or professors. They are learned by experience and tinkering. There are no shortcuts to becoming a hacker. Only time, an inquisitive nature, and quite a bit of OCD can make you one. You'll probably need some Jolt cola too....but that's a topic for another post. The very idea that hacking can be taught is laughable. That's like teaching someone to 'be successful' or to 'live healthy' or some other cockamamie abstract concept.

Simply put: you are looking in the wrong place for your training and education.

Re:This is hilarious! (1, Informative)

Anonymous Coward | more than 5 years ago | (#28058265)

It could be computers...or it could be stereo speakers.

You're a moron. No offense. We're not talking about the bullshit hacking that lifehackers do. The kind of hacking we're talking about is specifically breaking computer security. This involves exploits, buffer overflows, timing attacks, DNS poisoning, spoofing, shell code, etc, etc... All those things can most certainly be taught though mastering these topics, or any topic, requires practice and experience. There's nothing abstract about that.

Re:This is hilarious! (0)

Anonymous Coward | more than 5 years ago | (#28058427)

Wrong.

Re:This is hilarious! (3, Informative)

Propaganda13 (312548) | more than 5 years ago | (#28058341)

Things like this can be taught by books or professors.

You start off with ground work on information security, networking, and penetration testing. You learn how things are being protected, how known flaws were exploited in the past, and what traces were left behind.

It's the same steps as being a programmer. The great ones love it, understand it, and spend their free time doing it. The average ones just tread where the great ones have gone before.

Agree to disagree (4, Insightful)

tacokill (531275) | more than 5 years ago | (#28058745)

The very idea that you could create any kind of meaningful "hacking curriculum" is laughable. Books and Professors? Are you really serious with your reply? Are they really the best source of hacking info? No...no they are not. They never have been. Sure, they can teach you the basics and get you in the game but in reality, that's where their capability ends. Last I checked, professors had nothing to do with 2600, Phrack, LoD, Code Red, Sasser, or any other hacking effort in the last 25+ years. Have you ever seen some of the pure genius that has come from true hackers? Some of it makes you step back in awe of how they "figured that out". Go back and read some of the ezines from the late 80's and 90's. They are quite dated by now but they covered topics that NO BOOK or class could ever touch.

I mean, think about it....many hackers know more about the equipment than the people who actually designed and built it. And you think books are going to teach them to hack it? C'mon....

Methinks you are confusing "security professional" with "hacker". Sometimes they overlap, but not always. I know plenty of INFOSEC guys who don't know a damn thing about hacking. If you were to put them into a room with a real hacker, you would quickly see the hacker run circles around the pro. Now, why would that be?

Riddle me this: IF what you say is true, then why aren't we swimming in hackers all around us? Why is the govt having such a hard time finding qualified applicants? Why aren't there more uber hackers "out there"? After all, if I want to be 1337, all I have to do is go to the right classes and have an active interest. So what is stopping millions of wannabe kids from doing just that?

Re:Agree to disagree (3, Interesting)

Vancorps (746090) | more than 5 years ago | (#28059843)

Sounds like someone is in love with mythical hackers that don't truly exist or are an extreme rarity.

The idea that the coding and all the underlying skills necessary to "hack" into any system is not teachable is what is laughable. You clearly weren't involved in 2600 if you think there weren't any professors involved. It's mostly academia where all of these people came from. They learned the computing skills in school and took the material above and beyond to try different tasks with the same tools.

My 2600 chapter was full of people from varying backgrounds and professions with a common interest in learning how to do things that others didn't know how to do.

If you know an infosec guy that doesn't know about hacking techniques then I pray for anyone that hires them as they will not be affective at all in their job. How are you supposed to guard against something you know nothing about? The term hacker existed before security researcher because hacker became stigmatized for the few like Kevin Mitnick who caused a lot of havoc and exposed a lot of utter stupidity.

The government is having a hard time finding hackers because most hackers are performing tasks which the government has deemed illegal. This does not a good relationship make. Combine this with the secret nature of a lot of hackers work and they simply don't want to be around authority unless they have just started out. Competitions like this are a way to attempt to change that image but unfortunately with the state of laws nothing will change especially with hackers that try to do the right thing by informing private parties of security vulnerabilities ending up in jail.

Millions of wannabe kids have other interests than computers. The people with the necessary OCD to take it to a level of interest is a very small number of people who tend to be withdrawn from the mainstream making them hard to find and more importantly volunteer to have your background checked.

I was part of Infragard in college until 9/11 happened it was mostly free to all who wanted to learn about infosec from a private infrastructure security standpoint and it was very eye opening. That is until the FBI did a background check after 9/11 and apparently I failed as they asked me not to come back until I had a job in the field even though I had contributed heavily with designing secure networks.

There are tons of books that "hackers" read to learn what they know and the rest is left up to creativity. Make no mistake, the vast majority of skills can and often are taught. My college degree back in 2004 had a network security major along with network engineer and both required a certain amount of programming so you understand what you're trying to manage. Many of those classes were very enlightening even though the real world was dramatically different it still gave me the tools to understand what was happening in real time.

Re:This is hilarious! (1)

netruner (588721) | more than 5 years ago | (#28058481)

I tried to choose my words carefully - "Hacking" in the current popularly accepted definition (as opposed to its original definition, which you referenced in your post) is not computing security, but one way to attempt to breach security. I have found several items to fall under the umbrella of computing security such as Configuration Management, confidentiality policy, forensics, disaster recovery, cost/benefit analysis of security measures, virus handling - and these are just the ones off the top of my head.

Hackers are only one of your concerns - hurricanes, power outages, disgruntled employees, that stupid screensaver trojan that the secretary keeps installing, short funding and that guy with admin level access who's a bit short on cash right now due to his crank habit are more of a threat.

Yes, all of the necessary skills can be taught academically. The notion that you can only learn these skills by trial and error is fed by the fact that due to the small number of quality institutions teaching the skills, most folks learn them by trial and error.

with you.... (1)

tacokill (531275) | more than 5 years ago | (#28058789)

Got it. Thanks for the clarification. You are right that we have to define what we mean when we say "hacker". I used the old school definition so thanks for pointing out the difference. It is helpful to the discussion.

Re:This is hilarious! (1)

Vancorps (746090) | more than 5 years ago | (#28059947)

While you do have a point, if a hacker understands those other concepts then he will be a lot more affective as he will understand where the vulnerability points lay. I'm particularly referring to backup and restore strategies and forensics but the rest are also good to know as they provide you with additional attack vectors to consider.

Holistic approaches are the most affective if you don't want to get caught. I would argue that security researcher and white hat hacker are considered the same.

I wish the term hacker hadn't been muddied by intent as in my mind at least it is a curiosity inherent to us all that drives people to learn and approach the same situations differently than expected. I've seen a lot of mechanics that have the same mindset as hackers when it comes to fixing or modifying cars or bikes. In most fields there is a lot of room for creativity which allows you to think and act outside the box. Sometimes it results in a modification that is not street legal and sometimes you violate the Computer Fraud and Abuse Act.

Fortunately for me, I'm paid to do a lot of this work for my company so I can have some fun and not break any laws which feels pretty good.

Re:This is hilarious! (2, Interesting)

cayenne8 (626475) | more than 5 years ago | (#28058927)

"The idea that there is "hacking training" or even college is hilarious! Hacking, by definition, means you do things that were not designed to be done. IOW, you hacked them to make them work together. It could be computers...or it could be stereo speakers. They only differ in form. "

To a large extent I agree with you, but, some courses to give you some of the real basics, history of exploits, tools currently used on both sides, and all, would go a long way in giving you a head start over someone that had to search, research and find out everything till they got to the stage of trying new things.

I'd think formal teaching of many things and basics could shortcut some of the early grind work,and get you on the productive path a bit quicker, no? At least unless you are one of the super elite that borders on genius and can learn everything VERy quickly, etc.

Re:I have to say I'm a little frustrated.... (2, Interesting)

zifr (1467429) | more than 5 years ago | (#28058199)

Look for schools that teach Information Assurance or Digital Forensics. It's normally a CS track.

Re:I have to say I'm a little frustrated.... (4, Interesting)

Opportunist (166417) | more than 5 years ago | (#28058203)

It's pointless to "study" computer security. By the time you're through, you get told "forget everything, it's outdated".

You're looking at a field here that reinvents itself every other month. What you knew 2 years ago is outdated and very near worthless today. 2 years ago, the big craze in security were bogus browser plugins and runtime packers. Nobody does it anymore, all security tools can easily identify and depack them. The thing now is the transition to true P2P updatable malware with digital signatures. Once this is achived, conficker will look like a toy.

Personally, I give it 3-6 months.

So it's not a matter of mindset. It's a matter of being outdated by the time you learned it.

Re:I have to say I'm a little frustrated.... (1)

Aragorn DeLunar (311860) | more than 5 years ago | (#28058411)

Don't completely discount formal education. Technologies come and go, but principles last forever. There is nothing new under the sun. All of this has happened before, and all of this will happen again.

Re:I have to say I'm a little frustrated.... (1)

Opportunist (166417) | more than 5 years ago | (#28059919)

The principles are already taught. It's called computer science.

What would you want to teach on top of that? "Principle" security holes like memory leaks? Anyone who knows at least a bit of assembler (again, should be part of a good formal CS education) can be shown how to exploit mem leaks in a few hours. That warrants a lecture maybe, but no course and certainly not a separate field of study.

So what should be taught in a computer security course?

Re:I have to say I'm a little frustrated.... (2, Interesting)

Aragorn DeLunar (311860) | more than 5 years ago | (#28060145)

So what should be taught in a computer security course?

You're assuming that we're only talking about breaking computer security. How about:
-Security models, such as the reference monitor concept and access control methods.
-Formal methods for verification.
-The history of computer security development, so you don't reinvent the wheel (happens all the time).
-Risk assessment and mitigation.
-Legal and policy frameworks.
-Methodologies for reverse engineering and disassembly.
-Proper implementation of cryptology (hint: anyone who writes their own crypto module is either an idiot or a genius).
-Managing and training end users.
-Secure lifecycle management.

As you stated, all of these elements build on the more general CS fundamentals, but we can't assume that they will be automatically inferred by students. This is where education should introduce us to ideas that we may not encounter or generate on our own. There is more to computer security than just blocking ports and running signature-based detection software.

You're describing education (2, Interesting)

chihowa (366380) | more than 5 years ago | (#28058441)

It's pointless to "study" computer security. By the time you're through, you get told "forget everything, it's outdated".

There's nothing specific to computer security here. In nearly every field, by the time you graduate what you've learned is outdated. The methods have changed, the accepted views and interpretations have changed, the tools have changed. Education isn't about learning the specifics of particular topics, it's about learning how to intelligently and rationally deal with a specific topic.

A computer security course of study could contain examples, such as browser exploits and conficker, but the focus should be on the more abstract concepts. Ideally, if you understand computer security, you will be able to deal with whatever the current craze is.

Re:You're describing education (2, Insightful)

Opportunist (166417) | more than 5 years ago | (#28058543)

So, essentially, you say people should learn computer theory, programming (and the pitfalls like memory leaks and bogus data input), assembler language and processor architecture, logic and various tools associated with it?

Gee, I wonder why there's no branch of study for that...

Re:You're describing education (1)

chihowa (366380) | more than 5 years ago | (#28058651)

I'm not a computer programmer, so I don't know what specifically would make a "computer security" path of study different from a "computer science" (or whatever) degree. The OP complained about "...hav[ing] been looking for formal academic training in computing security for quite some time," so I would assume he decided a regularly offered course of study didn't meet his requirements.

Seriously, is there a point to your post or are you just being argumentative? From your attitude toward education, it appears "you weren't burdened with an overabundance of schooling" yourself.

Re:You're describing education (2, Interesting)

Opportunist (166417) | more than 5 years ago | (#28059837)

Basically I have a degree in CS. Science, that is, not security. Security came on top of it. Or next to it, depending on how you want to look at it.

I don't know if it would make sense to "teach" IT-Sec in a normal, classroom-style way. A lot of it is tinker and toy, try and error. There's very little in the sense of true and tried, established ways. Mostly becaues as soon as it's true and tried, it's no longer a security concern. It's known, it's established, it's fixed, it's no longer a security issue. Of course there are perpetual security problems like social engineering and users (and their "human" shortcomings), but you'd probably be learning more from a psychology or (don't laugh) marketing course (seriously, it's all about "motivating" people to do what you want). On a technical side, most of what you need to know can be taken from computer science classes. You need some understanding of protocols and computer architecture, you probably should know a bit assembler, the rest is mostly coming up with ideas.

And reading the papers others publish. Reading. Reading more. Reading a lot more. Understanding them (which in turn requires little more than what's taught in CS classes). Repeating their steps. Gaining more insight. Building on top of it. Sometimes you get an idea, you look at it from an angle that the original writer didn't have in mind, you come up with something new, you publish it as well, you build a reputation.

Which leads to another aspect, being able to get into contact with others who do the same. Being in a company that deals with IT security can help but can just as well be a huge burden (because, for obvious reasons, a lot of people won't want to talk with you anymore if it gets out). Mostly it depends on what path you want to take.

From my point of view, half of that can't be taught in a standard classroom environment, the other half doesn't really need it. What makes IT security so interesting and so hard to teach at the same time is that it's mostly a matter of inspiration and ideas, not so much of standard approaches to a problem. If there was a standard approach, it would have been eliminated ages ago.

Re:You're describing education (0)

Anonymous Coward | more than 5 years ago | (#28059907)

>Gee, I wonder why there's no branch of study for that...

Because its illegal. (eg. (c), (r), TM, DMCA, DRM, RIAA, WTO, UN, etc)

thanks man (1)

tacokill (531275) | more than 5 years ago | (#28058991)

Thanks for posting in a much more graceful manner than I have on this thread. I was not as clear in my responses to this guy so thanks for laying it out much more clearly.

Re:I have to say I'm a little frustrated.... (0)

Anonymous Coward | more than 5 years ago | (#28058373)

Come study in Israel, where finding hacks and shortcuts is the MO of choice.

Pay particular attention to Eli Biham and Adi Shamir.

http://cryptome.org/gsm-crack.htm
http://redtape.msnbc.com/2007/08/researchers-say.html

and home to many infosec companies.
Aladdin Algorithmic Research Algosec Allot APProtect Beyond-Security Breach Security Bsafe Check-Point CheckMarx CipherActive Cognisafe
CommTouch Continuity Correlation ControlGuard Cyber-Ark DataMills Discretix Equivio Eurekify ForeScout Guardium Imperva Ingrid Networks Intaglio Intellinx Lambda DSS Payoneer Persay
PineApp Praxell PromiSec Radware Reflex Security Safend Sci-Tel Secured Dimensiones SecureOL SentryCom Skybox Sm@rtchip Snapshield SofaWare Tufin Software Varonis V-Secure WonderNet

Re:I have to say I'm a little frustrated.... (0)

Anonymous Coward | more than 5 years ago | (#28058397)

I guess I don't know what you are expecting people to be able to teach you.

If you have a Masters degree in computer science, and don't understand what it requires to be a security expert, or even where to start, what have you really learned?

Learn C and Assembly Language inside out. Spend night after night writing low-level code. Learn how security mechanisms work in the operating system. Expect to spend a decade doing this.

Re:I have to say I'm a little frustrated.... (1)

divisionbyzero (300681) | more than 5 years ago | (#28058423)

It looks like you are looking for a shortcut. In any case, if you are seriously going to do hacking you have to be extremely inquisitive and have lots of patience. A CS degree might give you general knowledge that will help you plan a strategy but specific knowledge of how a system works only comes from playing with it. Also going to college gives you a chance to play with hardware and software that you might not have otherwise been able to and that's the real value.

Re:I have to say I'm a little frustrated.... (2, Insightful)

querist (97166) | more than 5 years ago | (#28058703)

I can understand your frustration, but I hope I can offer some encouragement, too.

Yes, there is a significant difference between the academic and practical sides of things, and they each have their place. I may be biased here, but I feel that the best position is to have one foot firmly in each realm. I work full-time in infosec and I am a part-time university professor (with a Ph.D. in infosec), so I bridge that gap, bringing my practical real-world experience to my students and bringing the benefits of the academic world to my full-time employer.

There are universities with faculty who have practical experience and are willing to share that experience and understanding with anyone they feel they can trust. It's a judgement call, and people make mistakes on both ends. Sometimes, a well-intentioned and capable individual is passed by because the one with the knowlege is not sure if the individual can be trusted, and other times someone with malicious intent is trained.

The information is out there. You can find it from people who know and who are willing to teach or you can find it on your own through experimentation.

Do not give up. You will find the knowlege you seek if you persist.

Re:I have to say I'm a little frustrated.... (0)

Anonymous Coward | more than 5 years ago | (#28058731)

Want to become a good hacker? Learn assembly language for different platforms like the back of your hand. Learn assembly for the latest processors. If you do this correctly you should be able to make the machine function in any way that is possible, to include but not limited to permanently destroying hardware.

Posting anon so I don't lose the mods I have done.

Try Iowa State University (1)

Crazy Taco (1083423) | more than 5 years ago | (#28059347)

I have been looking for formal academic training in computing security for quite some time.

Try Iowa State University's program [iastate.edu] . It is one of the charter schools under a 1994 act signed by former President Clinton to do research and training in this area. The school has an excellent program (I actually attended it) with some good research going on, as well as very good formal courses. It's not just CISSP stuff or competitions, although the school does very well in competitions as well and hosts some of its own (and ISU undergraduate team also just won a major hardware hacking competition, beating out many prestigious schools). Personally, I'm very glad I attended ISU and studied in their security program, because it has made me a much better developer.

A recruiting aid for unclearable personnel (3, Insightful)

bzzfzz (1542813) | more than 5 years ago | (#28058033)

When you consider that only a lily-white goody twoshoes can pass the lifestyle polygraph it's no wonder they can't find enough people. They figure if you've ever tried to access any system without the Proper Authority, ever, you're a bad risk. So if you've ever held down two buttons at once on a vending machine to see what happens, you need not apply.

That makes about as much sense as refusing to recruit people into the army because they were in a fight, once.

There is no shortage of people with black hat skills. The problem is that the government does not want all but a handful of those few who are willing to work a job where a routine fuckup can be prosecuted as a felony.

Re:A recruiting aid for unclearable personnel (1)

fahrbot-bot (874524) | more than 5 years ago | (#28058117)

So if you've ever held down two buttons at once on a vending machine to see what happens, you need not apply.

Um, so what happens? I am feeling a bit peckish...

Re:A recruiting aid for unclearable personnel (1)

bzzfzz (1542813) | more than 5 years ago | (#28058165)

So if you've ever held down two buttons at once on a vending machine to see what happens, you need not apply.

Um, so what happens? I am feeling a bit peckish...

The same thing that happens if you try to ssh to whitehouse.gov. Which is to say, nothing, if the system under test was properly designed and constructed.

Re:A recruiting aid for unclearable personnel (3, Interesting)

Opportunist (166417) | more than 5 years ago | (#28058235)

They don't want black hats. They're unreliable. Above skill comes the problem that they will deal with sensitive data which must not fall into the wrong hands. Their worst fear is to make the fox guard the chicken pen.

I hear you, though. It's an old joke in the biz, there's good people, there's clean people and there's available people. You may pick two of the list.

Re:A recruiting aid for unclearable personnel (3, Informative)

Aragorn DeLunar (311860) | more than 5 years ago | (#28058531)

The purpose of the polygraph isn't to find out if you are lily-white. It is largely to determine if you can be blackmailed. If you are truthful about your "indiscretions", you can't be blackmailed. On the other hand, someone who is willing to lie on a polygraph clearly has some shame issues that could be exploited by a hostile agent. Obviously, admitting to a felony or intent to subvert the government isn't going to get you anywhere.

Re:A recruiting aid for unclearable personnel (1)

bzzfzz (1542813) | more than 5 years ago | (#28058781)

While that is the traditional use of the polygraph, IT people recruited for sensitive jobs are also questioned about any dirty tricks they may have pulled for fun or profit. Downloading pr0n on the corporate backbone while waiting for an upgrade to complete is enough to do it. Divorced IT people are effectively unclearable because almost all of them have guessed or otherwise obtained their ex's passwords for email, facebook, etc., and used these for nefarious purposes, minor or otherwise.

Game time (3, Funny)

speciesonly (1194865) | more than 5 years ago | (#28058035)

Finally, all those years of watching "War Games" might pay off.

Culture vs Goals (4, Insightful)

tacokill (531275) | more than 5 years ago | (#28058067)

I would think the very culture of the DoD would be adversarial towards the very people they are trying to recruit.

What's the hook? What I mean is: why would some high schooler join this program vs the alternatives? -which by the way....are way more fun. Would you really want to hack for some PHB who has TPS Cover Sheets to fill out? I can't imagine a less rewarding situation

This seems like wishful thinking to me. How many "hacker recruiting" programs have we seen/heard about now? I can count 3 or 4 off the top of my head. Methinks they are not having much success finding good hackers.

Re:Culture vs Goals (2, Interesting)

Anonymous Coward | more than 5 years ago | (#28058291)

I think you are playing to some stereotypes of the DoD. Although there are some inefficiently run programs in the DoO (obviously), there are also very efficient and fun programs as well. You'll be surprised how smart and young many managers are in divisions such as these and also where they came from.

There are good reasons to get into the field in DoD like steady pay, good benefits, the feeling of serving your country (for what that's worth anymore) and lastly the resources. I doubt many security firms have a thousandth the resources of various DoD departments. Some server farms were build for simulation or something like that, and instead of getting rid of them when the program is over, they just give the rights to the whole farm to other programs. So in the end you get some ridiculous power for really zero cost.

Granted I don't know how well these programs will work. Everyone I know in the field in the black world got there through word of mouth ("so... I know this guy" sort of stuff).

Re:Culture vs Goals (1)

Bucky Bit (764092) | more than 5 years ago | (#28058591)

Without appearing to cynical, but I wish them great luck. The education system is so flawed right now, the kids don't know algebra, basic skills etc,... - they should look out for russian school children or chinese, indian, etc...or wait, until Obama fixes the school system, besides the economy, the health-sy...ups, I digress.

Smart kids need an environment to play in. They need to feel comfortable and cozy. If the DoD expands their kindergartens, it'll be ok, I guess.

Re:Culture vs Goals (0)

Anonymous Coward | more than 5 years ago | (#28058625)

MAYBE that`s what they want you to believe? *puts on tinfoil hat and pants*

access to resources (1)

Johnny Mnemonic (176043) | more than 5 years ago | (#28059773)


why would some high schooler join this program vs the alternatives?

Good question. I would expect a DoD (read: NSA) backed program would give you access to compute resources beyond the imaginings of a kid-in-a-basement, like encryption cracking compute nodes with 1000 cores, direct connection to internet peers, etc. Not to mention a paycheck. Also, a badge: while you might like to work off the grid, there's something to be said for having a get-out-of-jail free card too.

Also, the DoD could point you at targets, and challenges, that you might not otherwise be able to get into. I wonder if every basement dwelling hacker is able to bust into the Chinese Military defense network, but I suspect that the NSA could get you past the first hurdles and into the tier 3 or 4. Just a guess.

It was a few years ago, but the DoD was advertising that they'd pay for your CS degree if you obligated yourself to working for them for 4 years after school. That read to me like it was a guaranteed job after school, and if they didn't take you it was on their option and you still got a free degree. How many college graduates have the guarantee of a job after college anymore? And then a resume that would have 4 years of DoD infosec on it, and probably clearance to boot? If I was 25 or younger, I would have seriously considered it.

Re:Culture vs Goals (2, Informative)

jeff4747 (256583) | more than 5 years ago | (#28060133)

You're forgetting a few details:

First, there's military contractors to work for, which have a more 'pleasant' attitude. On top of that, the DoD folks in this area aren't exactly your normal "grunt".

Second, the level of challenges are going to be extremely high. You're not trying to break in to some web server set up by a marginally-competent IT guy. You're working against (and with) the best on the planet.

Third, you put a few years in at the DoD, and you come out with a security clearance and very attractive resume. If you decide you don't want to keep working for the DoD, you can make a lot more money than if you only did your hacking 'on the side' while writing database apps.

Fourth, no jail time. "Pwn" servers all day, and if they somehow trace it back to you, you don't spend a few years being Bubba's special friend.

Lastly, you're seeing so many "hacker recruiting" programs because there's metric craploads of money being thrown at anything "Cyberwarfare".

What? (1)

NES HQ (1558029) | more than 5 years ago | (#28058069)

In the most controversial move, the SANS Institute, an independent organization, plans to organize the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data.

Can someone explain to me why this is controversial? SANS is one of the leading security organizations in the world...

Re:What? (1)

bradorsomething (527297) | more than 5 years ago | (#28058133)

It's controversial because they're not giving out black badges if you win.

Re:What? (1)

querist (97166) | more than 5 years ago | (#28058589)

I agree. Why is this controversial? Other than the fact that they're opening the doors to "all comers", it sounds very much like the "capture the flag" competition on the last day of the "Hacker Tools and Incident Response" course that I took in San Jose a year or two ago.

SANS organizes similar events at their larger conferences. The difference is that it's open.

I also agree with those who have stated that the DoD culture is not exactly in sync with the culture of those who can do this sort of thing. I was one of a very small number of "academics" (university infosec professors) who attended the DoD cyber crime conference in St. Louis this year and it was pretty clear that the DoD folks are reaching out for help and are not quite sure how to reach out to the academic community. It was an interesting conference, but much of what was presented by the DoD folks as "leading edge" was stuff I encountered years ago while working on my dissertation.

good identifier of both sides (4, Insightful)

Vspirit (200600) | more than 5 years ago | (#28058093)

Quite an ingenious move.

While the initiative may seem to foster and legalize what previously have been considered acts of malevolence, it also helps the government to identify and build a register of possible future trouble makers with skills.

This will get them both a great recruitment program, but it will also give them a a great monitoring tool.

I'm not pro nor con, just saying. Nice Database of profiles. Do you bite?

Re:good identifier of both sides (3, Funny)

Opportunist (166417) | more than 5 years ago | (#28058279)

I'm not pro nor con, just saying. Nice Database of profiles. Do you bite?

Bite? You nuts? I'll hack it, that info is juicy!

Re:good identifier of both sides (1)

DarkMage0707077 (1284674) | more than 5 years ago | (#28058949)

Reading that post made me strangely hungry...

Re:good identifier of both sides (1)

Opportunist (166417) | more than 5 years ago | (#28059951)

Reading it again made my crotch uncomfortably tender...

Nothing new.... (1)

RobDude (1123541) | more than 5 years ago | (#28058295)

Yeah - they had this back when I was in high school.

Only, instead of a prize; I got an F in my programming class, threats of expulsion, and had to promise never to use one of the "school's" computers again.

Tracked for Life (1)

Nickodeemus (1067376) | more than 5 years ago | (#28058935)

Probably paranoid of me but this looks like a way for the gov't to track people in this country who have this skillset. Face it, these types of skills could potentially be turned to very negative pursuits. This type of contest/internship/whatever, is a great way to get a lot of unknowns within the skillset on the radar.

Endless Cycle (2, Insightful)

Ukab the Great (87152) | more than 5 years ago | (#28058983)

And so continues the cycle of Slashdot stories of "$ARMED_FORCE is starting a new elite CyberSecurityDefenderProtectUsFromBadGuysSuperForce" and:

1. Former IT folks in the $ARMED_FORCE ranting on Slashdot about how $ARMED_FORCE did nearly everything in their power to make competent IT people leave.
2. $ARMED_FORCE continuing to disqualify those who are over 30 or who have a pasty-faced a complexion unbecoming to G.I. Joe.
3. $ARMED_FORCE not wanting to stop using Windows for anything secure.
4. More Chinese hackers putting stupid stuff on $ARMED_FORCE's IIS servers.

Obligator Good Will Hunting quote... (2, Insightful)

CarpetShark (865376) | more than 5 years ago | (#28059281)

"Why shouldn't I work for the N.S.A.? That's a tough one, but I'll take a shot. Say I'm working at N.S.A. Somebody puts a code on my desk, something nobody else can break. Maybe I take a shot at it and maybe I break it. And I'm real happy with myself, 'cause I did my job well. But maybe that code was the location of some rebel army in North Africa or the Middle East. Once they have that location, they bomb the village where the rebels were hiding and fifteen hundred people I never met, never had no problem with, get killed. Now the politicians are sayin', "Oh, send in the Marines to secure the area" 'cause they don't give a shit. It won't be their kid over there, gettin' shot. Just like it wasn't them when their number got called, 'cause they were pullin' a tour in the National Guard. It'll be some kid from Southie takin' shrapnel in the ass. And he comes back to find that the plant he used to work at got exported to the country he just got back from. And the guy who put the shrapnel in his ass got his old job, 'cause he'll work for fifteen cents a day and no bathroom breaks. Meanwhile, he realizes the only reason he was over there in the first place was so we could install a government that would sell us oil at a good price. And, of course, the oil companies used the skirmish over there to scare up domestic oil prices. A cute little ancillary benefit for them, but it ain't helping my buddy at two-fifty a gallon. And they're takin' their sweet time bringin' the oil back, of course, and maybe even took the liberty of hiring an alcoholic skipper who likes to drink martinis and fuckin' play slalom with the icebergs, and it ain't too long 'til he hits one, spills the oil and kills all the sea life in the North Atlantic. So now my buddy's out of work and he can't afford to drive, so he's got to walk to the fuckin' job interviews, which sucks 'cause the shrapnel in his ass is givin' him chronic hemorrhoids. And meanwhile he's starvin', 'cause every time he tries to get a bite to eat, the only blue plate special they're servin' is North Atlantic scrod with Quaker State. So what did I think? I'm holdin' out for somethin' better. I figure fuck it, while I'm at it why not just shoot my buddy, take his job, give it to his sworn enemy, hike up gas prices, bomb a village, club a baby seal, hit the hash pipe and join the National Guard? I could be elected president. "

Re:Obligator Good Will Hunting quote... (0)

Anonymous Coward | more than 5 years ago | (#28059667)

cock.

Re:Obligator Good Will Hunting quote... (1)

CarpetShark (865376) | more than 5 years ago | (#28060141)

No, get your own.

Any second now, from a secret bunker.... (0)

Anonymous Coward | more than 5 years ago | (#28059505)

They are coming to get [samgropler.com] you

GHynson (0)

Anonymous Coward | more than 5 years ago | (#28059581)

And then the Government makes you disappear when you know to much?

I'll pass.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>