Pentagon Contractors Openly Post Job Listings For Offensive Hackers

Posted by Soulskill
from the must-have-eight-years-experience-and-good-references dept.
Sparrowvsrevolution writes "In the wake of confirmation that the U.S. government was involved in the creation of Stuxnet and likely Flame, a look over job listings on defense contractor sites shows just how explicitly the Pentagon and the firms that service it are recruiting offense-oriented hackers. Northrop Grumman, Raytheon, Lockheed Martin, SAIC, and Booz Allen have all posted job ads that require skills like 'exploit development,' have titles like 'Windows Attack Developer,' or ask them to 'plan, execute, and assess an Offensive Cyberspace Operation.'"
  • Who better? (Score:5, Insightful)

    by jameson71 (540713) on Friday June 15, 2012 @03:01PM (#40338679)
    Who would better know how to defend against these attacks than someone who knows how to develop and implement them?
    • Too bad the people who are going to be doing the attacks are hiring up all the possible defenders then.

    • Re:Who better? (Score:5, Insightful)

      by Shagg (99693) on Friday June 15, 2012 @03:15PM (#40338821)

      What makes you think they're being hired for defense?

    • by poetmatt (793785)

      We're only about 10-15 years late. What's the worst that could happen, right? /sarcasm.

    • by ackthpt (218170)

      Who would better know how to defend against these attacks than someone who knows how to develop and implement them?

      How about people with enough sense to write code which sits there, unobtrusively doing nothing, until such time as it is called upon to do its dirty work? These are the people you want, not just someone who knows today's weakness, which may not be there tomorrow.

    • Re:Who better? (Score:4, Insightful)

      by bky1701 (979071) on Friday June 15, 2012 @03:57PM (#40339297) Homepage
      Hackers are like soldiers, though, in that defense and offense are really not that far apart (with the exception of just following good programming standards). Just like you can order the guy keeping watch to go shoot at some people, a 'friendly' hacker can still hack your enemies, in theory.

      The overall problem with "cyber war" is that it seems like the new excuse, now that kiddie porn has kind of fizzled out and piracy is widely accepted, to lock down the internet. The only real answer is to stop having vital systems programmed by idiots connected to the internet. When most bank and government systems are less secure than a site running PHPBB (for example, using unencrypted passwords), there is a serious problem that can't be fixed by plastering it over with censorship and playing war.
      • The only real answer is to stop having vital systems programmed by idiots connected to the internet.

        Disconnect idiots from internet before starting critical system software development -- Check!

    • Well theoretically if there exist offensive and defensive security experts (like this article implies) then the defensive oriented ones would be better at defence.

    • Re:Who better? (Score:5, Insightful)

      by gweihir (88907) on Friday June 15, 2012 @05:26PM (#40340165)

      Who would better know how to defend against these attacks than someone who knows how to develop and implement them?

      Almost anybody. Attackers are highly specialized and do not need to cover the whole or even significant parts of the protection angle. If the attacker gets in, the goal is reached. It does not matter at all if a lot of potential other attack venues were not even touched.

      For this reason, black-hats make terrible security experts for the defender side. The myth that a good attacker is a good defender is patently false in IT security (and likely in other areas as well). What a good defender needs first is to find all possible attack venues. That is complicated and requires understanding the whole system, the organization using it, the cultural environment, etc. The black-hat, on the other side, can experiment and does not really need to understand any of these, except for the tiny fragment where the attack is to be launched. Even there, the black-hat can afford to fail frequently. This is fundamentally different for the defender.

      • by baegucb (18706)

        I was called older than dirt, on irc, back in the 90s. If you've been around long enough, you get to know people. Like on private irc servers. Anything can be cracked. Sheesh, between social engineering, knowledge of unpublished holes in various OS's you find, and a few people with skills, anything can be gotten into.

        Now, get off my lawn. Really, get off.

        • by gweihir (88907)

          The pathetic state of practical IT security does not mean things cannot be secured a whole lot better. And yes, "not possible to break in" is achievable from a technological side, even for an Internet connected system. It will require high effort, a simple service and some special hoops, but it can definitely be done. Of course, it cannot be done by everybody. Social engineering also has its limits, depending on who you attack. For example, you will never get customer data by social engineering from a compe

      • by Xest (935314)

        What rubbish, an attacker similarly needs to understand every possible attack vector to be able to find a point of entry. They don't just magically happen upon an attack vector and then ignore the system, it takes a lot of time and effort to approach just about all different angles. If they carry out more than one attack in their life time, it's unlikely they'll be able to exploit the exact same vector every time so they'll have to cover many different angles to find ways in.

        Unless you're talking about scri

        • by gweihir (88907)

          The problem is that attackers do not need to be complete at all. There is absolutely no need (or typically skills and resources) to look at all possible attack vectors. Attackers will generally look at more than one possible vector, but once they have found one they can exploit with the specific attack techniques they have mastered, they are done. And with the sad state practical IT security is in, finding one vector that works is usually done relatively fast and with relatively limited skills.

          The defender

          • by Xest (935314)

            I think the problem is that you're still conflating low brow script kiddies against extremely talented defenders, it's just not a fair comparison.

            The fact is, to perform a highly skilled attack against a system that is well defended you do need to understand everything the defender does, because the system will be locked down so tight you'll need to be able to consider every possibility, and look so deep into every aspect of a system to find a way in.

            Attacking a well protected system ultimately relies on at

            • by gweihir (88907)

              What I see is that in each sector of competence, the skills are different for attacker and defender. While some black-hats may actually be good defenders, there is no reason to believe they are, besides a general understanding of the area. And no, you do not look at every possible attack vector even on the very top of attacker competence. There you look for a vector that fits your requirements. For example: How important is it that you remain undetected after the fact? For how long? How much time do you hav

              • by Xest (935314)

                "What I see is that in each sector of competence, the skills are different for attacker and defender. While some black-hats may actually be good defenders, there is no reason to believe they are, besides a general understanding of the area. And no, you do not look at every possible attack vector even on the very top of attacker competence. There you look for a vector that fits your requirements. For example: How important is it that you remain undetected after the fact? For how long? How much time do you ha

    • Nobody has produced any verifiable proof that the US built Stuxnet. People use opinions instead of actual facts to make grandiose claims. As more people accept an opinion it magically turns into a fact. The US could be responsible but so could a lot of other countries. After all, it was Russian contractors who plugged in the infected USB at the Iranian facility.

  • by busyqth (2566075) on Friday June 15, 2012 @03:01PM (#40338685)
    For that exquisitely offensive hacker smell...
  • Offensive (Score:3, Insightful)

    by Concerned Onlooker (473481) on Friday June 15, 2012 @03:01PM (#40338689) Homepage Journal

    Aren't all hackers offensive?

    • Aren't all hackers offensive?

      Only to certain senses.

    • Re:Offensive (Score:5, Informative)

      by mcgrew (92797) * on Friday June 15, 2012 @03:33PM (#40339065) Homepage Journal

      What is so offensive about repurposing hardware? What is so offensive about writing quick and dirty single-use code? What is so offensive about pen testing your own network?

      Son, if you think hackers are offensive, you're on the wrong site, and so is the idiot who modded you "insightful." Not knowing there are white, gray, and black hat hackers shows a complete and utter lack of insight.

      • by St.Creed (853824)

        Too bad. Since they're hiring "offensive hackers" and hackers aren't offensive, I guess they won't be able to find anyone then :)

    • In this sense I think they said offensive hacker instead of defence oriented security expert.

  • by ip_freely_2000 (577249) on Friday June 15, 2012 @03:08PM (#40338743)
    the government is hiring people to hack my software with the intention of doing harm. If I was Apple or Google I'd be looking at this closely. Even if you hate Microsoft, this seems pretty ambiguous. I wonder if there's something in the Windows EULA that Microsoft should sue the government for violating.
    • by idontgno (624372) on Friday June 15, 2012 @03:21PM (#40338901) Journal

      ...the government is hiring people to exploit the weaknesses I allow in my software with the intention of doing harm

      FTFY. If Microsoft doesn't want Windows hacked, they only have to fix the damn thing.

      I wonder if there's something in the Windows EULA that Microsoft should sue the government for violating.

      There's this little EULA [wikipedia.org] that says Microsoft can just suck it.

      • Re: (Score:2, Insightful)

        And if the Linux community wants Linux to be used, they only have to make it usable.

        Waiting for more than a decade...

        • Linux has been usable for 90% of what Windows can do for over a decade. And today is used by an awful lot of people for a lot of things.

          Windows is targeted for home and office PC users and it fills that niche quite well. I just willingly paid for a Win7 professional OEM edition that was not forced on me, because I want my home desktop to run Windows. But like hell I'm going to install that thing on the server cluster that needs to stay up around the clock, unhacked for me to make money.

          Linux is already "pretty usab

          • It's the 90% thing that doesn't do it for me. Sure, I consider myself a nerd. I do run a fileserver and a thin mediaplayer client on linux. My main desktop, however, is Win7 and will stay Win7 for a considerable time, because Linux just does not do what I need when it comes to gaming and sound editing/digital music production. That's not the main point, though - the main point is that even my fileserver/media client setup is not something you can sell to your average Joe Blow. There IS a usability issue.
      • what would be the nearest "bird farm" to Redmond?? or maybe the nearest Jam Factory??

    • by tchdab1 (164848)

      I think these guys have all the source code and back doors they need from domestic developers. It's new features that they need to develop. Foggy Bottom/Langley needs to be able to say "I have an app for that!".

    • by mjwalshe (1680392)
      Um, I think you will find that governments reserve the right for their security services to do naughty things
    • Soon Windows Update will distribute these attacks.

  • by Tablizer (95088) on Friday June 15, 2012 @03:10PM (#40338757) Journal

    So then, why don't we have a Department of Offense instead of just a Department of Defense? If the lie, I mean creative labeling works for DOD, why not use it for hacking titles also?

    Also, I wonder if the inadvertent Stuxnet admission had anything to do with the change. Why mention such in job ads anyhow?

  • Don't respond!!! It's a trap!!

    • by ackthpt (218170)

      Don't respond!!! It's a trap!!

      *cough* *wheeze*You were right.. The imperial forces were arrayed against us*cough*

    • by synapse7 (1075571)
      Don't people usually go to jail for using such skills?
      • People go to jail for "unauthorised" use of such skills. There's nothing wrong with using them on systems where you have permission to, such as penetration testing, and I'm willing to bet MS employ a good few people to do just that. And, of course, when you hand your perfectly legal research over to the government or military then it's up to them to use it responsibly. Which, of course, they will.
        • by mjwalshe (1680392)
          Yes, and for British Telecom I broke into a customer's system when we took over a contract and the previous people had left under a cloud and not left the password - that was authorized by my boss, the customer, and checked with a very senior manager.

          Ironically, one of my coworkers I got help from was a reformed phreak and had been done for hacking :-)
      • Good, you're the first one to point out part of this problem.

        A lot of people learn hands on... so where are you supposed to learn this stuff legally? It kinda makes me laugh in the summary "a drying up supply of hackers". Okay, so we have 100 articles calling hackers terrorists, then you're complaining why people stop hacking?

      • Not if they are good at it.

  • the only downside... can't smoke weed at work

    http://www.youtube.com/watch?v=BBMtl79atFs [youtube.com]
    • Re: (Score:3, Insightful)

      by ackthpt (218170)

      the only downside... can't smoke weed at work

      http://www.youtube.com/watch?v=BBMtl79atFs [youtube.com]

      Problem with that stuff is it doesn't make you smarter or more creative, it just makes you think you are.

      • yeah, hackers!!! you hear that? booyah, bitches!!! sup now??
      • by History's Coming To (1059484) on Friday June 15, 2012 @03:41PM (#40339129) Journal
        It can snap you out of an infinite brain loop though. I've lost count of the number of times I've been stuck on a problem, but solved it pretty quickly after having a smoke. Ditto alcohol, adrenalin and caffeine, anything to get your brain out of the rut it's in. I've also had some insights while using the strongest hallucinogen known, dreaming. Agreed, being perpetually stoned isn't going to help in the long run, but many people working on logic based problems will admit to moderate drug use when they hit a mental block.
        • by ackthpt (218170)

          It can snap you out of an infinite brain loop though. I've lost count of the number of times I've been stuck on a problem, but solved it pretty quickly after having a smoke. Ditto alcohol, adrenalin and caffeine, anything to get your brain out of the rut it's in. I've also had some insights while using the strongest hallucinogen known, dreaming. Agreed, being perpetually stoned isn't going to help in the long run, but many people working on logic based problems will admit to moderate drug use when they hit a mental block.

          And here I was just going out for a walk...

      • the only downside... can't smoke weed at work

        http://www.youtube.com/watch?v=BBMtl79atFs [youtube.com]

        Problem with that stuff is it doesn't make you smarter or more creative, it just makes you think you are.

        Sayeth the Prophet -

        They lie about marijuana. Tell you pot-smoking makes you unmotivated. Lie! When you're high, you can do everything you normally do just as well – you just realize that it's not worth the fucking effort. There is a difference.

      • by Phyrexia (55710)

        I think there are studies which refute your assertion.

  • by ackthpt (218170) on Friday June 15, 2012 @03:14PM (#40338811) Homepage Journal

    Best advertising you could ask -- for Linux or Mac.

    • Not really. The spooks want to attack the platform the enemy is using and will have high value in compromising.

      Linux and Mac computers don't manage the SCADA system in Iran's enrichment plants, nor do their military commanders, bureaucrats, and etc. use Linux or Mac computers on a day to day basis.

      Both Linux and Mac OS have had their share of embarrassing exploits.

      • Re: (Score:2, Interesting)

        by ackthpt (218170)

        Not really. The spooks want to attack the platform the enemy is using and will have high value in compromising.

        Linux and Mac computers don't manage the SCADA system in Iran's enrichment plants, nor do their military commanders, bureaucrats, and etc. use Linux or Mac computers on a day to day basis.

        Both Linux and Mac OS have had their share of embarrassing exploits.

        That's the point. If all these developers are going to hack for $$$, without risk of going to the pokey, that's that many less who will be sitting around hacking Mac or Linux. Besides, Stuxnet succeeded because idiotic Iran bought a load of commodity PCs all loaded up with Windows and didn't have a lick of sense to isolate them from the outside world. If they had any competency they'd stay away from commodity garbage and be using dedicated hardware with specifically coded firmware, for the job, not a loa

  • by busyqth (2566075) on Friday June 15, 2012 @03:15PM (#40338823)
    Well I'm glad that they're posting the job listings openly.
    Secretly posted listings don't usually have a great response rate.
    • by Anonymous Coward
      In soviet russia, job finds you!
    • Well I'm glad that they're posting the job listings openly. Secretly posted listings don't usually have a great response rate.

      Yes, but posting it secretly--to your honeypot network--makes it a whole lot easier to ferret out people with actual skill. ;-O

  • Not official (Score:5, Interesting)

    by cpu6502 (1960974) on Friday June 15, 2012 @03:15PM (#40338827)

    Quoting another slashdotter: "This is just a reporter's opinion sourced from conversations with people whose names he won't reveal at times he won't reveal..... he details the exact contents of a meeting that consisted of president Obama, vice president Biden, and CIA director Leon Panetta. For him to have this conversation, it means he has interviewed either the president, the vice president, or Panetta on this. Fat fucking chance. It's probably true, but no it's no way in hell close to "official"."

    • by TubeSteak (669689)

      Quoting another slashdotter: "I know what happened in a lot of meetings I never personally attended. Participants talk, transcripts are shared, etc. I suspect this info came second or third-hand from the people under Panetta."

    • by KhabaLox (1906148)

      Quoting another slashdotter: "This is just a reporter's opinion sourced from conversations with people whose names he won't reveal at times he won't reveal..... he details the exact contents of a meeting that consisted of president Obama, vice president Biden, and CIA director Leon Panetta. For him to have this conversation, it means he has interviewed either the president, the vice president, or Panetta on this. Fat fucking chance. It's probably true, but no it's no way in hell close to "official"."

      You could say the same thing, more or less, about Woodward and Bernstein and Deep Throat. It could be Biden or Panetta instructed an aide to leak the story at (or not) the President's direction.

  • Cool (Score:5, Funny)

    by Offensive Hacker (2663345) on Friday June 15, 2012 @03:19PM (#40338867)
    This is right up my alley.
  • by evilviper (135110) on Friday June 15, 2012 @03:22PM (#40338927) Journal

    Pentagon Contractors Openly Post Job Listings For Offensive Hackers

    People always say that I'm highly offensive...

  • Clearance Interview (Score:3, Interesting)

    by dloolb (159254) on Friday June 15, 2012 @03:23PM (#40338947) Homepage

    I bet the clearance interviews are interesting and probably resemble a job interview. Have fun with the EQIP form!

    • by ackthpt (218170)

      I bet the clearance interviews are interesting and probably resemble a job interview. Have fun with the EQIP form!

      RESUME

      IMA HACKER

      221 C BREAKER ST

      LONDON, OH

      Hai! I hakked vidio gamez, mobile fones, ipadz, and, can crack most browzers easly with some scriptz. Hire me or mi botnet will dsetroy you're company!

      MEMO: Ms. Swanson, hire this one, let's see what she can really do. Starting salary $90,000.

  • by jjohn (2991) on Friday June 15, 2012 @03:33PM (#40339069) Homepage Journal

    I don't need to explain why training terrorists might not be the best idea for our long term interest, right?

    • by rgbrenner (317308)

      I don't need to explain why training terrorists might not be the best idea for our long term interest, right?

      Yes! Why didn't the pentagon think of this? Training hackers is a terrible idea.

      Oh no.. it's worse than that. It looks like they are also training people how to use guns [army.mil], fly airplanes [airforce.com], and use armed ships [navy.mil]

    • And yeah we should stop training our military too. Training them in offense would turn them into terrorists too right?

  • Of course (Score:3, Informative)

    by Sparticus789 (2625955) on Friday June 15, 2012 @03:35PM (#40339091) Journal

    Leave it to the government to use outside contractors which demand a ridiculously high salary for this, when they could just develop more offensive capabilities with the people they already have. There are hundreds of military people who could perform this task with a little training and education, but the Pentagon, in their infinite wisdom, would rather those people sit on mountain tops playing Guitar Hero.

    Even in my short 8 years in the Army, I saw a complete brain dump of technical jobs. The people who replaced me keep getting more incapable, because all the capable ones get out and take contracting jobs. Then the Army can't fulfill their mission, so the contractors hire back the same former military people to fill their previous slots, with 3x the salary and benefits.

  • Now that there is an economic "boom" in offensive hacking in the US (and probably elsewhere, too), what are the core skill sets that one should have? Computer languages, networking, social engineering? Any non-IT skills, like physics, EE, etc.?
    • Now that there is an economic "boom" in offensive hacking in the US (and probably elsewhere, too), what are the core skill sets that one should have? Computer languages, networking, social engineering? Any non-IT skills, like physics, EE, etc.?

      Marksmanship would probably come in quite handy at some point.

      Survival skills as well.

      Though I can't verify the accuracy of it, and at risk of invoking Godwin, I recall hearing about the Nazis 'allowing' Jewish scientists to work on their military rocket programs, only to turn and execute them after project completion...

      If so, history provides a great disincentive to fall prey to such governmental bullshit.

    • by Fnord666 (889225)

      Now that there is an economic "boom" in offensive hacking in the US (and probably elsewhere, too), what are the core skill sets that one should have? Computer languages, networking, social engineering? Any non-IT skills, like physics, EE, etc.?

      Arabic?

    • by gatkinso (15975)

      Embedded developers I would think would be a great starting point: they are comfortable at the kernel level and may already have training on the very control systems being targeted.

  • Recently US senators and members of Congress have been demanding punishment for anyone responsible for the recent media accounts of US involvement in Stuxnet and Flame. Can we assume that there's going to be a thorough investigation of what is in effect confirmation of those media stories? Starting with the HR departments of those giant defense (or offense) contractors and going as far as the evidence leads? Are we holding our breath?

  • I had one gig with a dod contractor, you could not pay me enough to do it again. Ok, I am lying but the rate would be near insanity.

"Why can't we ever attempt to solve a problem in this country without having a 'War' on it?" -- Rich Thomson, talk.politics.misc
