NSA Takes On West Point In Security Exercise

Wired is running a story about a recent security exercise in which the NSA attacked networks set up by various US military academies. The Army's network scored the highest, put together using Linux and FreeBSD by cadets at West Point. Quoting: "Even with a solid network design and passable software choices, there was an element of intuitiveness required to defend against the NSA, especially once it became clear the agency was using minor, and perhaps somewhat obvious, attacks to screen for sneakier, more serious ones. 'One of the challenges was when they see a scan, deciding if this is it, or if it's a cover,' says [instructor Eric] Dean. Spotting 'cover' attacks meant thinking like the NSA -- something Dean says the cadets did quite well. 'I was surprised at their creativity.' Legal limitations were a surprising obstacle to a realistic exercise. Ideally, the teams would be allowed to attack other schools' networks while also defending their own. But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network."

More details, anybody?

[neapolitan]

Man, I love reading about stuff like this, but this article has some serious vagueness that really leaves unanswered questions. Perhaps a true security-fluent slashdotter can offer some insight if they are familiar with this particular game:

Why does this require "custom tools" with automatic monitoring? Really, I doubt the students know the details of asymmetric security theory / Ph.D. level mathematics, and were monitoring something like (if I get a port scan from IP x.x.x.x then tell "router guys" to block IP x.x.x.x).

It seems to me that this should be something that essentially should be done automatically, and with a very well-configured system would not cause that much of a problem.

Also, the article was written for somebody who doesn't understand computers to go "whoa." "Kernel-level rootkit"? How the hell did this "unwelcome executable file" get on the box to begin with, and why was it executing in kernelspace? I assume they were required to start with a compromised system, otherwise this is something that major corporations do all day (general traffic monitoring) and is actually kind of not exciting.

I wish that Wired and magazines would write at a technical level and describe accurately what is going on - IMHO more information is always better!

I was in the exercise...

[Anonymous Coward]

I was actually part of the exercise, and I would agree that the article is very vague. The main purpose of the exercise was to help cadets learn best security practices of building a network. There were required services we had to run, such as exchange, a web server, DNS, active directory, and a jabber messaging server. The rootkit they speak of was on the box because the other part of the exercise was trying to secure untrusted computers. They riddled two Windows VMs and one Linux VM with as much stuff as they could, and the told us to secure them. Naturally we missed some things, which allowed the callback to go out.

As for the 'custom tools', I have no idea what they are talking about. We used native Windows logging and a few open source programs to pull logs to a log server, but that was about it for extra programs. I would agree that the article was written for the non-technical person, but those are the kinda of questions they were asking us when the reporter was here.

Curious

[WillRobinson]

Biggest question is, did they allow you to use your own tools, or did they just let you use divining rods.

Sort of ignorant on their part, that they would expect you to keep security on one of the most critical networks in the world and not have proper tools.

Example: image the drive, make it read only, no execute and use tools like rkhunter, and many other programs to see what is running on the system under test.

To me, having a compromised machine on a military network would get it a instant pulled plug, and

Re:Curious

[Pinb4ll]

The tools we used were Nagios for service verification on an external computer (just to make sure we saw what the scorers saw, so we didn't lose points due to their slow network) and one box running Snort through a one way cable. We weren't allowed to let Snort block things, but it let us know who was doing what, allowing us to send up a request to the graders to block the IP. As for checking the untrusted boxes, we were able to run whatever we wanted on them. The root kit that we missed we simply didn't find in the mess of everything else.

Re:

[Pinb4ll]

It all came down to the scenario. Built into the game was a notional 'cost' for different network items, making certain items prohibitively expensive. It mainly came down to the semantics of the rules, but the costs were going to be looked at for next year. The overall effect was eliminating the use of some best practices simply because of cost.

Re:

[krunk7]

I'm also curious why you had to "clean" a known compromised client. In most real world cases, "cleaning" would involve wiping the client clean and re-imaging. If the system had critically important data on it. The drive would be put as a secondary drive in a server with the system partition mounted read only or maybe boot to a recovery dvd and clean only the data with a fine grained comb over a period of time.

Seems they imposed some "bad practices" on the defense team .

Re:I was in the exercise...

[Anonymous Coward]

I was also in the exercise... from the NSA side ;) (I have to post anonymously). I agree that the article IS very lean on details (as it should be), and geared toward a somewhat nontechnical audience. I have a different perspective from what the cadets at the USMA saw, as I experienced it from the opposition side.

The network directive given out to the academies had stipulation they had to follow, and a scenario that reflected real world situations (the cadets were setting up a network that included VMs of computers they HAD to include in their network). The network directive also had costs associated with anything the cadets wanted to do. So if they wanted to park a cadet at a Snort terminal for the duration of the exercise, that had a cost associated with it, as did setting up VLANS, using IPSEC, other IDS sensors, firewalls, host/service monitors, etc. Each academy had to submit their network structure for review and approval prior to STARTEX. The scenario reflects real world situations that would come up in most operations that involve other allied nations.

The NSA was strictly there to attack the networks and document any exploits they succeeded with. I can't go into details as to what our Rules of Engagement were, but suffice to say that we met with success with every school that was actually scored (the two graduate schools that participated were not scored).

The whole goal of the exercise is to prepare the cadets for SECURING a network against information security threats. It is a DEFENSIVELY ORIENTED exercise. The cadets don't do any hacking (and I honestly think that unless a gifted or experienced cadet was at an academy with the skills to do a network penetration, they would not meet with much success).

Re:

[Anonymous Coward]

Actually, I have a friend (and I'm posting anon for his sake) that was a part of the games from the naval side. He is a very sharp person that is near completing his CompSci Masters. We we friends in CompSci undergrad and he joined the Navy and now has a high security clearance. I wish I could've grilled him a little more on what all goes on for these war games but I had something else important going on at the time he was telling me about them. Plus I'm a little used to getting vague descriptions of th

Re:More details, anybody?

[milsoRgen]

but this article has some serious vagueness that really leaves unanswered questions.

Just like every other Wired article ever written.

Re:

[joeboomer628]

Despite what Stephen King says, there are numerous highly intelligent individuals attending the US service academies that can not only read, they can do math also.

Re:

[gad_zuki!]

Wired is written for non-technical people. I dont think its ever pretended to be anything but the 'people magazine' of technology, hence its popularity.

Re:

[gad_zuki!]

Thats pretty subjective, but for me its Make Magazine.

You have to understand

[WillRobinson]

Purchasing Open Source Tools that could automatically thwart these types of attacks is to expensive. They cost at least as much as a toilet seat, and we know from the news, that they have not been purchasing any toilet seats.

Re:

[TubeSteak]

Purchasing Open Source Tools that could automatically thwart these types of attacks is to expensive. They cost at least as much as a toilet seat, and we know from the news, that they have not been purchasing any toilet seats.

Right, Purchasing is another department.
We send all our orders through the Requisitions Dept.
/In triplicate.

Re:

[Stickney]

The cost of free software is, of course, nothing... but the notional costs, built into the exercise through a restrictive budgeting system, of deploying those tools, along with training people to use them, put them outside our notional budget for the exercise.

Re:

[drinkypoo]

The cost of free software is, of course, nothing... but the notional costs, built into the exercise through a restrictive budgeting system, of deploying those tools, along with training people to use them, put them outside our notional budget for the exercise.

So the budget has zero dollars allocated for security now? Because any tool, Open or not, requires training...

Rootkit is payload...

[argent]

Rootkits are payload, normally, something deposited by an attacker using an exploit to get in. THe author of the article doesn't seem to appreciate the difference between the holes used to get into the network and the secondary attacks launched from there. It's not even clear from the article whether the Army ever found out how the rootkit was delivered.

Re:

[ozmanjusri]

It's not even clear from the article whether the Army ever found out how the rootkit was delivered.

TFA says they used Sysinternals RootkitRevealer to find it, which means it was a Windows exploit. The NSA guys probably just waved the rootkit in the general direction of kernel32...

Re:

[RiotingPacifist]

AM i reading a different TFA, i cant find any mention of that and i got the impression they were using a Linux & BSD based system?

Re:

[ozmanjusri]

i cant find any mention of that and i got the impression they were using a Linux & BSD based system?

But the kernel-level rootkit was much more dangerous. This stealthy operating-system hijacker can open unseen "back doors" into even highly protected networks. When they detected the rootkit's "calls home" the cadets launched Sysinternal's security software to find the hijacker, then they manually scoured the workstation to find the unwelcome executable file.

Since the article says the West Point team was running Linux/BSD, and specifically mentions that the cadets were running a "Fedora Core 8 Web server", I'm guessing the Windows system was being run by one of the other teams.

Frankly, I was underwhelmed by the whole story. It was pretty clear the journo doesn't have a clue what was going on. Wired should be able to do better than that.

Re:

[LilGuy]

That is probably part of the requirements the NSA put on the agreement to allow the story to run.

Re:Rootkit is payload...

[Stickney]

"Fedora Core 8 Web server", I'm guessing the Windows system was being run by one of the other teams.

Yes, we ran a Fedora 8 LAMP server, but we were also required to run a Windows domain controller, an exchange server, and a Windows DNS server, along with two XP user workstations. The rest of our network, to including logging, traffic monitoring, and XMPP services, ran on FreeBSD (our choice). You're right though; not many of the reporters grasped much of what was going on.

Mod parent up "informative"

[argent]

Mod parent up "informative" only because there isn't "primary source" as an option. :)

Re:

[EQ]

Actually the rootkits mentioned did not "get int". They were preloaded along with tons of other security messes and misconfigurations on machines that the cadets were then challenged to secure on their network.

The point of that part of the exercise being how good you are at detecting threats from the inside (far more common due to users introducing viruses and trojans from web sites they stupidly vision, hijacked browsers, programs loaded from thumb drives, CDs burned at home, etc.

Re:

[argent]

Interesting, I'll have to read the story more carefully because I didn't catch that...

What's with the fearmongering?

[pikakilla]

But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network

Um, isn't the NSA part of the DoD? So they would not need anything special to take down a network as they are all under the same organization. Or, likewise, they would have consent which would allow them to attack the network. I really do not see the need for such a fear-mongering statement at the end of this summary.

Re:

[gbutler69]

No, the NSA IS NOT part of the DOD. DOD is Department of Defense. There are 3 to 4 branches, depending on how you count: Army, Navy(Marines), Air Force. Yes, technically "The Marines" are part of the Navy.

Re:What's with the fearmongering?

[SoapBox17]

According to wikipedia [wikipedia.org], "The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the United States government, administered under the U.S. Department of Defense. " and "The Department includes the Army, Navy, Air Force, Marine Corps, as well as non-combat agencies such as the National Security Agency and the Defense Intelligence Agency."

Under Secretary of Defense for Intelligence
* Defense Intelligence Agency
* Defense Security Service
* Counterintelligence Field Activity
* National Geospatial-Intelligence Agency
* National Reconnaissance Office
* National Security Agency

Re:

[flydpnkrtn]

According to wikipedia [wikipedia.org]

I know this is a bit citation Nazi-ish, but please don't cite Wikipedia directly. Any random yahoo could have thrown that up 5 minutes ago... hell you could have made that edit 5 minutes ago!

That entire intro paragraph doesn't have one citation other than a passing reference to Title 10 USC

Just sayin'...I'd like to read the part of the USC that sets up the NSA but honestly that's a big law document to parse

Re:

[CrimsonAvenger]

Just sayin'...I'd like to read the part of the USC that sets up the NSA but honestly that's a big law document to parse

No Such Agency? Whatever gave you the idea that enough information about NSA was put into the USC to make a big law document?

Re:

[flydpnkrtn]

Lol well I was just expecting a one-liner in something like "10 USC Section 5 Subsection 4 Paragraph 3" or whatever :P

Re:

[maxume]

The NSA themselves:

http://www.nsa.gov/about/about00003.cfm [nsa.gov]

Point to an executive order:

http://www.archives.gov/federal-register/codification/executive-order/12333.html#1.12 [archives.gov]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[zippthorne]

they dont even have a department

Neither do the Army and Navy. I know what you're getting at, but all of the branches fall under the Department of Defense. And although the Marines are a part of the Navy, they still get a seat on the Joint Chiefs of Staff [wikipedia.org].

Re:

[RockoTDF]

Yes they do, the Departments of the Army, Navy, and Air Force all exist with their respective secretaries under the DoD.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[maxume]

O.k., poor wording, but read that link, there is an executive order directing the Secretary of Defense to utilize the NSA to gather intelligence.

Re:

[sammy baby]

You're making the assumption that one branch of the armed services (say, the Navy) is permitted by regulation to try to infiltrate another one. The NSA's mission is specifically to provide SIGINT and to protect government against foreign SIGINT - including military systems.

Re:

[Anonymous Coward]

The NSA's mission is specifically to provide SIGINT

You mean those PhD mathematicians sit around all day hitting Control-C's?

Re:

[sammy baby]

The NSA's mission is specifically to provide SIGINT

You mean those PhD mathematicians sit around all day hitting Control-C's?

Well, let's be fair. They probably have a bash script that does it pretty efficiently.

Given the supercomputing clusters they no doubt have at their disposal, they could be generating a lot of SIGINT that way.

Re:

[mi]

The real enemy would be attacking/scanning/jamming from many directions — using hired and/or own botnet(s) and other already cracked-into computers belonging to other schools, governments, individuals, corporations, and other organizations.

The participants in the exercise weren't allowed to do that, except, maybe, for NSA and their near-universal root-access...

Re:

[stewbacca]

Um, isn't the NSA part of the DoD?

And now we begin to see why most attacks against the NSA/CSS on slashdot are completely without merit. The NSA is part of the Intelligence Community and not the DoD. The CSS portion of the NSA is staffed by military folks, however, the NSA part is staffed by civil servants.

I see it is easy enough to be confused with the facts that are open to the public; no wonder you guys can't get the more secretive bits right...

speemborkle deregulus

[quonsar]

But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network."

yah, right. 14 year old serbo-croatian kids do that every day.

Re:

[AHuxley]

Yes kids outside the USA have to pass.
http://en.wikipedia.org/wiki/Social_promotion [wikipedia.org]

Sysinternals? Windows?

[FranTaylor]

Isn't that a Windows thing? There is no other mention of Windows in the article.

Re:

[Dreadneck]

Yes, SysInternals was sucked up by the collective...err...Microsoft. From reading the article it is fairly obvious that the only serious security challenge came from a Windows box compromised by a rootkit. It seems the LAMP server they were running (I assume it was LAMP - they mentioned Fedora 8, MySQL and Apache... I assume it also had PHP, Perl and Python) easily handled the SQL injection attacks. I wonder if having a windows box in your network was part of the requirements insisted upon by the NSA whe

Re:

[0racle]

[blockquote] NSA-Key[/blockquote] Oh shut up.

Re:

[0racle]

Oh great, now I look like an idiot.

Re:

[Dreadneck]

Yeah, and you can't make proper use of HTML either. :)

Re:

[Stickney]

As the cadet in charge of security for the Linux/FreeBSD boxes on the network, I can say that yes, it was LAMP on a Fedora 8 box; the NSA gave us 5 Windows virtual machines and 2 running Fedora 6. Because of the rules of the exercise, basically a very restrictive budget, we were able to build a Fedora repo and update the two linux machines to Fedora 8, but not enable firewalls or antivirus on any but a select few. Two of the Windows machines and the non-LAMP Fedora box were meant to simulate user workstatio

Re:

[Dreadneck]

Thanks for the info! Out of curiosity, were the machines with the rootkits compromised prior to the beginning of the exercise or during the course of the exercise? It would be interesting to know just what level of handicap you guys were forced to work with.

Re:

[Stickney]

As mentioned a few other places, we were given several machines (5 Windows, 2 Fedora 6) which we had to put on our network. Based on the budgeting rules, we scrapped one Windows box (a Windows 2000 XMPP server) and replaced it with a FreeBSD box. That server and three "user workstation" machines (1 Fedora, 2 Windows XP) were absolutely riddled with rootkits and other malware. We removed as much as we could find beforehand, but missed one rootkit in one of the Windows machines.

Re:

[AHuxley]

Read up on the "Millenium Challenge '02" war games.
Opposing Force Commander, Gen. Paul van Ripen won.
He was not invited back :-)
Cadets do not learn, they just get to press the "refloat" icon.
http://www.nytimes.com/2008/01/12/washington/12navy.html?ex=1357794000&en=a4dbb42d5ad2a700&ei=5088&partner=rssnyt&emc=rss [nytimes.com]
"The sheer numbers involved overloaded their ability, both mentally and electronically, to handle the attack,.. "

Re:

[Stickney]

Ummm.... cadets = Army or Air Force.

Refloat = Navy.

You mean "midshipmen".

And yes, as a matter of fact, the US Naval Academy participated, and they got destroyed.

Re:

[AHuxley]

You have generation wintendo fresh from the streets and shopping malls of the USA.
They are trained up a bit more on 'windows'.
Why waste years, when they be interacting with a
Tablet PC like gui on the front line?
If they get McCained they can talk about moving
icons around a screen and then the sky lights up.

West Point Club

[Dak RIT]

This isn't really an official extension of West Point, but rather a club at West Point known as SIGSAC.

The club's members every year get a chance to visit the NSA and see some rather interesting stuff, and so has a rather good relationship with the NSA in general.

The club itself operates out of West Point but has a network connection that isn't attached to West Point's network. It has actually participated in contests in the past as well with other schools/groups, so unless something's changed in the pas

Re:West Point Club

[Pinbll]

Although SIGSAC was involved, this was done for the Information Assurance class that is taught by the CS department there. This was the culminating exercise. The course teaches security practices, and gives cadets a look into why it is important to program securely.

Re:

[failedlogic]

I at least have a general understanding of the purpose of West Point. But I'm wondering: if you have a college graduate in a certain field, do they need to go to West Point afterwards or write a "West Point equivalency test"? or does the DoD formally recognize the degree? Its purely out of curiosity for me. I'm a Canadian anyhow so I likely wouldn't qualify for any jobs in the DoD anyways.

Pentagon hacker Gary McKinnon could do it...

[AHuxley]

With MS pw's and a perl script.
http://arstechnica.com/news.ars/post/20060712-7249.html [arstechnica.com]

The Army's network scored the highest

[crack_vial]

Nice job guys! I have seen a lot of air force cyber talk, but not much coming out of the Army. Good work.

ENDEX

[sciop101]

Every agency/party involved in the exercise will publish an ENDEX (End of Exercise) report.

IF Asked AND IF Unclassified, the agency/party MAY provide a copy of the ENDEX.

Contact the Acadamies, NSA, even the Departments of Defense, Army, Air Force, Navy.

ENDEX's have event logs, referee notes, exercise build and teardown plans....

There is no cleaning a rootkit

[symbolset]

When you detect malware installed on your system, wipe and reinstall. Always! There is no "cleaning".

Probably wasn't possible given the parameters of the test, but they tried to clean a rootkit and got the predictable result.

Re:

[dw604]

How hard can it be to secure a system -for real-? They could have done it with the right tools. Spybot S&D has a nice resident malware scanner and system settings change monitor. Combine that with an in and outgoing firewall program and a few other tools (alert with parent process id every time a file is written?) and you should be able to trace every last bit of a trojan.

Re:

[Pinb4ll]

It all comes down to the rules of the exercise: those items weren't allowed to be installed during the actual exercise time, so they had to be removed after the prep was done.

Go Army

[Hasai]

Those West Pointers usually make pretty good officers. Or, at least they do after a few SFCs drag the new looie behind the barracks and beat all the West Point hogwash out of them.
];)

Been There, Done That

[FurtiveGlancer]

I invited NSA to run their red team against a classified intelligence network I ran back in the '90s. That's back when nearly every security tool was of your own creation. I was running SunOS 4.1.3, so at least I had a little help from OS security options.

They had to come on-site to break us and they identified only one finding for which we didn't already have fix planned or in work. We considered that a raging success!

The most embarrasing moment was when they broke the System Security Officer's password with an expanded dictionary attack. I got to kid her about that for months! "How's your password today?" "Strong, dammit!"

Register the Trainees

[Doc Ruby]

So the US government is creating a generation of black hat security experts: pros who define the cutting edge of hostile attacks on infosystems. That's all right and proper as part of the US military, the necessary maintenance of infiltration and coercive force that is required to operate as a last resort of public policy produced under the Constitution, like any military power.

Leaving aside the separate and important issue of Congressional and other oversight to ensure the military crackers operate always under proper law and in the formal national interest, what happens to these people when they leave government service? We'll have created dangerous people whose careers are dedicated to acts that are illegal, and threaten national (and private) security if they are used in attacks outside the proper military context. Sure they're like any other armed soldier, whose many other developed skills are valuable in many contexts not violence. But the fact is that many retired soldiers do find their skills and interests best fit a police or private security career, and even as paramilitary mercenaries - some of which private armies are emerging as serious threats to world stability in its balance of power. Military crackers are different, though: there is little or no role in non-military police, and virtually no legal role in private employ cracking anything.

We are creating an army of high-end crackers who will find themselves leaving the military, and available for hire by the legions of private employers whose use of them to crack systems is mostly illegal, or even acts of war.

We should consider how to track these people and their later activities. Working to secure and to test secure systems with permission of their owners is a valuable asset to keeping us all safe, whether as national service or in private employment. But leaving lots of them floating around loose practically guarantees that at least some of them will find jobs illegally cracking systems without the owners' permission, to do crimes, or perhaps even working for foreign militaries running attacks without coordination with proper US foreign policy, perhaps against our allies, perhaps against us, perhaps even just destabilizing some balance worked out among our enemies.

We are creating many serious potential threats, as part of our programme to reduce and eliminate threats. Part of that programme should be minimizing the increased threat we're creating with them. There's got to be a way to help these people continue their careers with the most freedom, which will overall increase security (and their personal benefit) that doesn't let some few people turn against their training (and likely oaths to "be good").

Which trainees?

[Pinb4ll]

Exactly which trainees do you plan on registering, the students or the red team? I think you are missing the overall point of the exercise. There was no offensive side to the students networks, only setting up the services and try to protect them. The red team - those that the NSA already employs - were the only ones attempting to break in. The academies' jobs were to simply keep them out. I can see your point about keeping track of those who have been part of the NSA, but I would be willing to bet tha

Re:

[not_hylas( )]

At this writing Parent is deemed "Flamebait" - curious, that, I find the concerns quite valid, they do keep tabs on Spy assets. They DO shoot horses, don't they? :-)
Being naive is not an excuse.
For those of you scoring at home (and those of you alone) it's accustom to giving every man/woman an AK-47 to take home in a land of mercenaries.
Loose cannons (canons too), indeed.

The Army's got chops. I'm just glad that after 10 years, or so, they've finally joined the fray.

This is starting to get interesting.

Re:

[johnny cashed]

FUD.

The military has been graduating experts in the "black arts"* since the inception of organized militaries. Guys who know basic hand to hand combat, firearms skills. Advanced soldiers learn even more technical and lethal combat skills. I'm not saying that every soldier is a killing machine, but that is what they train for. Black hat network uber hacker on the "outside" a real threat? As veterans, aren't they already sort of registered? They've got their DNA on file. What more do you want from t

Re:

[Doc Ruby]

Is Binladen's Qaeda "FUD"? As blown out of proportion and abused as their 9/11/2001 (and 1993) attacks have been, we all should surely have learned at least the lesson that creating attackers can blowback when they're left unattended in a world of rich potential enemies.

Just registering "our" crackers' DNA isn't going to do anything to ensure they don't blow back on us. I'm talking about tracking these people's careers, probably combined with a referral program to help them get jobs assisting legitimate emp

Re:

[johnny cashed]

But it seems that your are saying that for "national security" all government crackers (those employed by the government to crack targeted networks) should be kept on a tight leash, even post employment, because they have knowledge and skills which cannot be obtained in the private sector.

Is that what you are saying?

Re:

[Doc Ruby]

Not quite to the degree you probably mean by "tight leash", which implies control and not just registering updated employment info.

And not necessarily all government crackers, perhaps just the ones trained in techniques created by (or for) the government. Though keeping tabs of some degree, even if just an initial registration with their skillset and a risk analysis, would be worthwhile. These stakes are high, these people are extraordinarily (by definition) more risky than the general public, and we alread

Re:

[spinkham]

Honestly, these types of skills get you good jobs at large companies or the ability to work for yourself and earn a comfortable living.
Any skilled hacker who is also good at understanding the needs of business and has good communications skill will not be without good ethical job prospects for the foreseeable future.

Re:

[Doc Ruby]

Yes, I noted that. But crime pays. The economy, already pretty stagnant or bad, is going rapidly down the toilet. Jobs illegally cracking systems will decrease slower, perhaps even rise as their bosses get comparatively more stable and profitable compared to the failing legal economy. But even in good times, there are plenty of bad guys with money to buy "evil henchmen" who can outbid the good guys with ethical jobs.

The point is that we're sending lots of potential threats out there. The programme whose val

Re:

[Hasai]

....We'll have created dangerous people whose careers are dedicated to acts that are illegal, and threaten national (and private) security if they are used in attacks outside the proper military context. ....

Um, you mean like infantry?

....We should consider how to track these people and their later activities. ....

Well, we could just go the cheap and easy route and just kill them when they are no longer of use, like many Third World tin-pots do with their burned-out Intelligence agents.

Or, we could do with them what we do with all the rest of our military and Intelligence veterans; accept their word of honor. I know this "honor" thing may be a hard concept for someone like you to accept into your world-view, but, believe it or not, it actually works.

Re:

[Doc Ruby]

"Someone like me" would have read my post and seen where I noted how these NSA crackers aren't like infantrymen. But for soemone like you, who thinks I should dignify a response like "maybe we should just kill them" when all I suggest is tracking their post-government employment, I'll also point out that we require people to register weapons like infantry are trained to operate, when we allow private ownership of those weapons at all. Since these people's weapons are skills with commodity hardware, all we c

Re:

[Doc Ruby]

I'm not talking about tracking the cadets being trained in nothing but defensive methods. I'm talking about the NSA staff who are being trained to attack the academies' systems. Those NSA trainees are learning a lot more serious stuff, new stuff, that can't be learned in a publicly offered course. Including specific experience cracking the latest military security coming out of the academies.

Re:

[Doc Ruby]

Nuclear scientists are tracked currently. NSA staff and trainees, like Binalden and his Qaeda, are known to blow back on us, and we should have learned by now that we need to take steps to minimize these risks we create.

These NSA staff are being trained to attack secure systems like these academic targets, just as the academies and their cadets are being trained in securing from such attacks.

Your argument is ignorant, stupid and obnoxious. From an Anonymous Coward, to boot. Just sit down and shut up, and yo

Re:

[Doc Ruby]

No, you denied that there was any NSA blowback, and it was trivial to point to lots of it - that we even know of.

And when you denied it, you were such a rude asshole that you deserve a beating - return insults are just countering in a language you should understand.

And now that you are calling black white, and projecting your own defects onto my legitimate arguments, demonstrating all you want to do is bitch, not get at the truth of the risks of these NSA programmes that we're escalating, you're toast. Bitc

Re:

[Doc Ruby]

All I'm talking about is that they use a Federal registry as they change employers. Which should also work to help place them in jobs they like that also help protect us, which is why they were trained that way in the first place.

Government service includes all kinds of compromises in exchange for certain kinds of training. Nuclear physicists are just one precedent for mitigating the risks we create by inventing new destructive techniques and training people who can blow back on us.

There's nothing unethical

Re:

[Doc Ruby]

I didn't say tailing them around the country or invading their privacy. I have further clarified more specifically what I'm talking about, though it's the principle of somehow mitigating the risk we're creating in them rather than any specific implementation that I'm talking about. I said that they should register their employers with a government office that also helps place them in good jobs that also protect Americans. Since I'm repeating myself, I'm done in this thread.

Heaven forbidden

[RealGrouchy]

But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else)...

No, Heaven doesn't have the security clearance to access that information.

- RG>

Academy academics

[identity0]

Anyone here know how good the CS/IT/EE curriculum in the military academies are? And do those members usually end up deployed where their expertise is useful?

I've heard the Air Force is the leading branch for network stuff, so I'm surprised the Army did well.

Re:

[Keebler71]

I've heard the Air Force is the leading branch for network stuff

Let me guess - did an Air Force recruiter tell you that?

Re:

[Anonymous Coward]

I've heard the Air Force is the leading branch for network stuff, so I'm surprised the Army did well.

Heh. In the exercise this year, the Air Force team actually had the worst performance of all. The Coast Guard Academy and the Merchant Marine Academy both put in better performances.

Re:Academy academics

[Daniel Wood]

The truth of the matter is that the Army generally has the least amount of fuckups when it comes to communications. This is because the Army curriculum is VERY methodical and almost reads like a checklist (in fact, we often use checklists and cut-sheets).

I'm not saying the Army is any more intelligent than any other branch. We have some really dumb people. The Army trains so that the dumbest kid on the block can do the job perfectly, every time.

But --

[WillRobinson]

But the commercial tools, with the yearly support, and sending the men all off to be trained, Priceless

Sorry above is a bit of a rant.

hehe, sweet

[religious freak]

The NSA: Granted, they are all powerful and perhaps evil, but at least they on OUR SIDE. I don't like wars or conflict (I think they are outdated methods of resource allocation), but if shit hits the fan, we've got people that can and will defend us.

I think that is good.

Which is it?

[stewbacca]

"Legal limitations were a surprising obstacle to a realistic exercise. ...But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network."

Which is it? Legal limitations or NSA not affected because of 'arsenal of waivers...'? I hate summaries like this with such an overt bias against anything the NSA does. Either they were legally limited, or they had a bunch of waivers...which is it? The sad thing is that this could

Re:Fantastic

[Keebler71]

Are you implying that previous generations do not have intelligence and creativity? Who do you think is teaching these cadets and running the exercise?

Re:Fantastic

[maxume]

Dumbledore?

Re:

[Anonymous Coward]

"kids that go there are the top 2% of the nation. Also, did I also mention that many of the the US best leaders came from West Point"

Oh please, they all say that - the USNA, USAFA, even the USCGA. Not to mention that MIT, Stanford, Carnegie Melon, et al contend that they get the best of the best. I have worked with managers and engineers that graduated from various military academies; other than an inflated sense of patriotism and an intolerance for dissent, these people are no different from any other coll

Re:Fantastic

[earthforce_1]

The USMA academy is some of the best of the best. Meaning, these guys have to be appointed by two state senators to even apply...

Meaning they have to be politically well connected.

Re:

[Keebler71]

I had absolutely zero political connections and I managed to get nominated (twice actually). I think it had more to do with my writing my congressman every year:

- Hi... I'll be seeking a nomination from you in 3 years, here is what I have done to earn it.

- Hi... I'll be seeking a nomination from you in 2 years, here is what I have done to earn it.

- Hi... I'll be seeking a nomination from you in 1 years, here is what I have done to earn it.

- Hi... I'll am seeking a nomination from you and here is what

Re:

[drinkypoo]

I had absolutely zero political connections and I managed to get nominated (twice actually). I think it had more to do with my writing my congressman every year:

...

Also, the whole nomination process is pretty misunderstood. It is just a nomination - you still have to get an appointment (read: accepted).

So what you're saying is that you didn't actually accomplish anything of note? And that your anecdote is spectacularly useless?

Re:

[Keebler71]

no.... you still have to get a nomination - my point was that it isn't as difficult as many perceive. Getting the appointment is the real challenge.

Re:

[BranMan]

But wait, there's more. I seriously considered West Point, and talked to some folks about applying and getting an appointment. I was a finalist for the NMS at the time, so our reps basically told me "Don't worry about it, if I have to borrow a nomination and pay it back for the next ten years, you'll get one." So, they can even horse-trade them like picks at the drafts!

Re:

[Helevius]

You don't know what you're talking about. I am a military academy graduate and I had absolutely zero political ties.

Re:

[LurkerXD]

The USMA academy is some of the best of the best. Meaning, these guys have to be appointed by two state senators to even apply... That is why the kids that go there are the top 2% of the nation.

I don't know...my sister makes me wonder about what the hell our tax dollars are financing...