DoD Announces New Bug Bounty Program Called Hack the Pentagon (npr.org) 62
Quince alPillan writes: Announcing what it calls "the first cyber bug bounty program in the history of the federal government," the Department of Defense says it's inviting vetted hackers to test the security of its web pages and networks. Vetted hackers will need to pass a background check and will be attacking a predetermined system that is not a part of critical operations. This program is being put together by the Digital Defense Service, launched last fall.
Re: (Score:1)
Hack the iPhone. The problem with this is the FBI doesn't care one particle about the data on "the iPhone." They just want to use it as a lever to bend Apple to their will.
D O Duh (Score:2)
What's really amusing here is just how absurd the "must pass background check" hurdle is. It's an isolated system. There is zero risk. The DOD would benefit from any reveal of a vulnerability within this system from anyone. And of course there are many accomplished hackers out there who could contribute and would likely do so for the bounty, assuming it isn't trivial, but couldn't pass a background check under any circumstances. This approach is a poster child for "cutting off your nose to spite your face."
Re: (Score:2)
- We'll tell you what to attack and when.
- You'll be attacking fake targets.
- We pick who gets to take part.
- Please submit all your personal details and fingerprints so the FBI can sniff you a bit.
- If they didn't already have an entry for you, the FBI, CIA, NSA, and DIA will be updating your profile with:
<subversive>
</subversive>
Re: (Score:3)
Are they going to clarify why a background check is required for people to test the security of their systems?
I can think of two reasons:
1: They have shown that a core interest is to protect what they're doing from the view of law-abiding citizens, so it makes sense to test it against law-abiding citizens.
2: Republicans would cry foul if they paid out prize money to anyone with a criminal history. All punishment must be based on revenge because the bible says so, disproportionate because it gets their rocks off, eternal, so they can continue to feel superior, and rehabilitation is ungodly commie speak.
Re: (Score:2)
Are they going to clarify why a background check is required for people to test the security of their systems?
Because fewer and less qualified hackers will make it much easier to pass the test and declare their systems secure.
If you ever worked for the government, you would understand exactly how this situation arose. There is a committee (there is always a committee). Some members liked the idea of the bounty, and others opposed it. So instead of making a clear decision, they compromised, and passed a resolution to offer the bounty, but with so many restrictions and exclusions that it was essentially meaningless.
Re: (Score:2)
It's pretty obvious why they should require background checks. Simply knowing what the DoD wants you to hack is information that's valuable to spies. Also, I guarantee you there are some Chinese and Russian hackers who would pass background checks. That's the whole point of inserting your agents into a foreign country.
Call Dade for the job (Score:2)
HACK THE PLANET!
Re: (Score:2)
I hear they have a fun watersport, I think it's like water-skiing except with a surf board or something, they call it waterboarding.
Re: (Score:1)
Exactly what I was thinking. It's not entrapment merely because law enforcement asks you to do something. We see the FBI use this all the time to catch "terrorists." Regular pigs will sell drugs to make arrests. Are they giving any guarantee that being arrested under the Computer Fraud and Abuse Act isn't the real prize? Is that a guarantee that law enforcement can even credibly make?
lol... morons (Score:1)
'vetted' participants only testing things that don't matter = security theater. Meanwhile the unvetted Chinese and Russian hackers are hacking their critical operations.
Re: (Score:2)
Not really. It will likely give them a fingerprint or signature of sorts that they can later use to identify you if you hack something they don't like.
Sounds way too sketchy to me.
Re: (Score:2)
Things that don't matter could be a mirror of things that do matter (or a mirror with all the data modified). It's reasonable to test on an almost identical system that doesn't accidentally trigger the order to launch ICBMs getting sent to real places.
The 'vetted' part is probably to prevent someone from discovering a bug in play, and putting it in practice. But, yeah, depending on how they "vet" someone....
nope (Score:1)
it's a trap
Not to point out the obvious but (Score:3)
The financial payoff is likely to be several orders of magnitude higher if you figure out how to hack ANY Department of Defense network and sell it on the black market vs working for the USG and pointing out the same flaws.
If the USG is serious about such a program, they might want to take this into consideration.
Re: (Score:1)
The financial payoff is likely to be several orders of magnitude higher if you figure out how to hack ANY Department of Defense network and sell it on the black market vs working for the USG and pointing out the same flaws.
If the USG is serious about such a program, they might want to take this into consideration.
So is the risk.
That's how investment decisions work. Risk v. Reward. For example, if you bluff your way into the New York Fed and steal the gold in the basement, you're gonna be pretty rich. But good luck explaining that one away when they catch you.
Plus, you know, treason.
Re: (Score:3)
Plus, you know, treason.
Well, if you're not a citizen, you can't be charged with treason, can you?
Re: (Score:2)
IANAL, but I think in that case it might be espionage instead.
Re: (Score:2)
Military men and women in SysAdmin positions wearing stripes on their sleeves earn considerably less than your average civilian in the same position.
Getting paid less than a private sector sysadmin these days is a feat in itself.
Re: (Score:1)
Also, will they be honoring "previous work" entries if one provides evidence of having already breached their systems by the same method previously? ;D
Not just DoD... (Score:1)
In other news... (Score:2)
Don't ask what your country can do for you... (Score:2)
I mean, yea... (Score:2)
What could possibly go wrong? :)
First prize (Score:1)
First prize for the "hack the Pentagon" bug bounty program is a one-way trip and indefinite accommodations at a tropical island not of your choosing. Stay in a sprawling complex overlooking a beautiful "bay," in one of the most up-and-coming tourist destinations in the world, Cuba.
To quote Admiral Akbar: (Score:2)
Re: (Score:2)
Maybe you should edit the announcement into the formal list [youtube.com].
The only way to win (Score:2)
is not to play.
government out of touch with reality as usual (Score:1)
That's like cops inviting vetted thieves to try and break into a house, after passing a background check. Yeah.... that will work! LULZ
Re: (Score:2)
There is a large legal industry of hackers, so getting a large amount of skilled people who can pass a background check and are vetted is expensive but possible.
Pentagon doesn't say $$$ (Score:1)
Free Background Check (Score:2)
For those wanting to add "passed DoD background check" to their resume, this might be an opportunity to do it for free (as in no up-front monetary cost).
DoD Announces they are utterly clueless (Score:2)
Screw vetting and permission. If you want results, publicly announce a target and dispense with the terms and conditions bullshit. Otherwise you're just wasting everyone's time.