The pilot program will launch in April and the department will provide more details on requirements for participation and other ground rules in the coming weeks.
I do think this is an interesting effort, and I've met Chris Lynch in his DDS capacity. It's terribly interesting to see a Senior Executive government employee with Silicon Valley cred, who wears hoodies/jeans/sneakers to meet Admirals and Generals, who are (in terms of rank equivalency) his peers. Literally the first time I've seen someone knuckle-bump an Admiral rather than shake his hand after a meeting.
I think there is some value in this culture-clash/disruption, but I also know of some government-employed very skillful hackers who resent the assumption that non-government hackers are by-default more skillful than them.
I'm going for firmware and processor errata if they let me in on this. Their failure will be so expensive that I'll finally have the numbers to justify either semi-custom work from Intel/AMD for legacy or a multi-core, secure RISC-V. :)
"Testagons" is even better, a jewel. Testa (= Head) + Gone
This is a word that wants to be discovered. Practical example: "Hi, we call from the medicus mundi hospital, some of your damned testagons are bombing us again". Pure gold for journalists.
They've always used external pens, but through contracts. This seems to be more like an "open" bug bounty program which just requires prior vetting for obvious reasons.
Soon nearly every pentagon employee will be social-engineered and compromised. People will begin to believe that every single system they access is a MITM or phishing attempt.
Probably better than the alternative, since they'd at least be thinking about security as something more than an abstract "thing." If that. Then they just need to take that fear and find a way to funnel it into proper security education without that fear becoming crippling.
The spirit of this is great, since tech companies have been welcoming hackers for years via bounty programs. However, from the article -- The contest is only for "vetted hackers" -- that is a little sketchy. Just doesn't seem like the same folks who hack systems for a living would be open to months-long scrutiny of DoD. Also, I wonder how many of those willing would actually "pass"?
Furthermore, "hackers will target a predetermined system that's not part of its critical operations" -- that's great, but what's the point? Why would somebody smart, ambitious, clever, and extremely good at what they do, would work on hacking a system that isn't even critical to the nation's operations?
"Last summer, the Office of Personnel Management revealed that the private information of more than 20 million U.S. government workers and others had been stolen in a massive security breach." -- Personally, if you recruit top of the line security experts to help you with problems like these, I would hope the first thing they work on would be problems like this.
Good intentions, definitely, but curious to see what the community here has to say.
23 comments
[ 3.2 ms ] story [ 72.1 ms ] threadWhat do you all think are some decent choices for details and rules?
Edit: From the press release:
The pilot program will launch in April and the department will provide more details on requirements for participation and other ground rules in the coming weeks.
http://www.defense.gov/News/News-Releases/News-Release-View/...
I do think this is an interesting effort, and I've met Chris Lynch in his DDS capacity. It's terribly interesting to see a Senior Executive government employee with Silicon Valley cred, who wears hoodies/jeans/sneakers to meet Admirals and Generals, who are (in terms of rank equivalency) his peers. Literally the first time I've seen someone knuckle-bump an Admiral rather than shake his hand after a meeting.
I think there is some value in this culture-clash/disruption, but I also know of some government-employed very skillful hackers who resent the assumption that non-government hackers are by-default more skillful than them.
This is a word that wants to be discovered. Practical example: "Hi, we call from the medicus mundi hospital, some of your damned testagons are bombing us again". Pure gold for journalists.
Furthermore, "hackers will target a predetermined system that's not part of its critical operations" -- that's great, but what's the point? Why would somebody smart, ambitious, clever, and extremely good at what they do, would work on hacking a system that isn't even critical to the nation's operations?
"Last summer, the Office of Personnel Management revealed that the private information of more than 20 million U.S. government workers and others had been stolen in a massive security breach." -- Personally, if you recruit top of the line security experts to help you with problems like these, I would hope the first thing they work on would be problems like this.
Good intentions, definitely, but curious to see what the community here has to say.