Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Government United States

US Senators Propose Bug Bounties For Hacking Homeland Security (cnn.com) 66

An anonymous reader quotes CNN: U.S. senators want people to hack the Department of Homeland Security. On Thursday, Senators Maggie Hassan, a Democrat and Republican Rob Portman introduced the Hack DHS Act to establish a federal bug bounty program in the DHS... It would be modeled off the Department of Defense efforts, including Hack the Pentagon, the first program of its kind in the federal government. Launched a year ago, Hack the Pentagon paved the way for more recent bug bounty events including Hack the Army and Hack the Air Force...

The Hack the DHS Act establishes a framework for bug bounties, including establishing "mission-critical" systems that aren't allowed to be hacked, and making sure researchers who find bugs in DHS don't get prosecuted under the Computer Fraud and Abuse Act. "It's better to find vulnerabilities through someone you have engaged with and vetted," said Jeff Greene, the director of government affairs and policy at security firm Symantec. "In an era of constrained budgets, it's a cost-effective way of identifying vulnerabilities"... If passed, it would be among the first non-military bug bounty programs in the public sector.

This discussion has been archived. No new comments can be posted.

US Senators Propose Bug Bounties For Hacking Homeland Security

Comments Filter:
  • Hmmm. Yes... Nope, not biting. No way. Not a chance.

  • by Anonymous Coward on Sunday May 28, 2017 @11:40PM (#54503959)

    The Computer Fraud and Abuse Act of 1986 [wikipedia.org] imposes very harsh penalties for hacking and has been used as a hammer to crush individuals who've managed to draw the attention of the authorities. The US Government has used this law repeatedly over the years to destroy the lives of promising young Americans with prodigious computer skills who were relatively harmless if somewhat misguided. For example, the case of Aaron Schwartz comes easily to mind. Fast forward thirty years and now that cyber security is a thing they want our help? Talk about ingratitude.

    • The act you mentioned was passed into law a generation ago, and this new legislation is specifically designed to protect white hats from misguided prosecution under this law. You realize one law can supersede another, right? We always bitch about incompetent government IT, and then when someone in gov tries to rectify it with some legislation that, at least as described, sounds like a good idea, we just bitch about that as well?

      This is becoming standard practice in the private tech/software industry, and

  • Oh, by the way... (Score:5, Insightful)

    by bistromath007 ( 1253428 ) on Sunday May 28, 2017 @11:44PM (#54503967)
    If you get any credible proof you've succeeded, you're still going to Gitmo for the rest of your life.
    • by Picodon ( 4937267 ) on Monday May 29, 2017 @12:40AM (#54504087)

      If you get any credible proof you've succeeded, you're still going to Gitmo for the rest of your life.

      Of course not! When you succeed hacking the DHS:
        - If you didn’t get caught, you sell your data to Russia as usual for a rather large reward.
        - If you did get caught, you explain that this was for the bug hunt and submit your findings to the DHS for a much smaller reward.

      • When you succeed hacking the DHS:
        - Sell your modified data to Russia for a large reward.
        - Submit your findings to the DHS for a smaller reward and tell them Russia somehow got their hands on a non-working, modified copy of your findings.

    • by AHuxley ( 892839 )
      Re 'If you get any credible proof you've succeeded"
      A nice conversation will be had. That only a small part of the federal network was ever open to the "contest" and that the skilled person got too far in.
      A one time offer will be made to work with the government.
    • by quenda ( 644621 )

      "Let a hundred flowers bloom!", said senators Hassan and Portman.

  • by 93 Escort Wagon ( 326346 ) on Sunday May 28, 2017 @11:49PM (#54503975)

    Sure, some mysterious government organization starts a hacking contest. Then, if you win, Samaritan has you killed.

    Nice try!

  • This program, if implemented (snowball's chance in hell), will be answered by no one of merit. The government has been making enemies of these people it now needs for decades. This really seems like a desperate attempt to detour around several of the government's long standing and self-defeating policies.

    • Time and money heals all wounds. There is a whole generation out there that are barely aware of the past abuses of power the government has committed against hackers because most of the bad stuff happened before they were even born. Your view on the matter may only apply to old grognard hackers and sociopolitical hackers. Young, skilled and looking for cash will be the demographic of future hackers.

      • Actually, I know quite a few mathematicians who refuse to work for NSA just because of its policies, irregardless of the President's policies. And now that you'd be helping Comrade President Trump implement his policies (whatever they are--imo a policy is something that stands solid for at least a year or two), I suspect the number of refuseniks just grew larger.
        • That might be some observer bias on your part.

          • That's not observer bias. Bias is saying lots and lots or most people or everybody. Go down to your local math/comp sci department and ask what the opinions are about working for NSA. I suspect the majority of folks will have no opinion and there will be two significant minorites that love/hate the NSA. You are correct tho, that is all based purely on my observations.
            • I know quite a few

              Allegory and observer bias. I don't know if you're right or not, but you shouldn't feel satisfied if you are later shown to be right because you really have no basis to feel so certain.

  • How much are they going to pay for exploits?
    Now how much more are those exploits worth on the market to the right enemy states?

    Also, you're assuming the researchers have a dollar amount to begin with. With the mission of a Holy War driving you, helping your home team will outweigh a bunch of greenbacks.

  • Your Honour, I swear the only reason I went to that URL 290 times last week is because my buddy said the best way to get all up in the NSA's business is through one of their fake porn sites.

    Honest.

  • by PPH ( 736903 ) on Monday May 29, 2017 @02:46AM (#54504291)

    But I have to fly in the next few days. And the TSA isn't noted for their sense of humor.

    So I'm just going to refrain until I get back home.

  • Not that I think companies implementing bug bounties is a bad idea, but for government departments, I wouldn't be too sure...
    Problems aplenty. For hackers, it's hard to overcome years of being looked down upon, plus the risks of being prossecuted.
    And then, for stuff on this level there are always chances of other governments doubling the offer.
    CIA is plenty ok with keeping the bugs and exploits they find for themselves, why wouldn't others also do it? Not sure how much of a cross section there is between ha

  • "mission-critical" systems [that] aren't allowed to be hacked

    OK, since the purpose is finding bugs, I guess "mission-critical" is a code word for "these can stay broken". ;)

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Monday May 29, 2017 @05:45AM (#54504607)
    Comment removed based on user account deletion
  • Pre-1990: Pravda runs a contest for the best political joke. First prize: All-expenses paid trip to Sibiria.
    Post-2001: Homeland security runs a contest for the best hack: First prize. All-expenses paid trip to Cuba.

  • It's just a fucking trap. You do all the work to find the vulnerabilities and weaknesses, document them, submit them, get ignored, get ignored, get ignored, and then suddenly a bunch of FBI goons show up and arrest you for hacking and act like YOU are the criminal for trying to find and warn them about their own problems.

    Oh sign me up! /s

One good suit is worth a thousand resumes.

Working...