US Navy Solicits Zero Days
msm1267 writes: The US Navy posted an RFP, which has since been removed from FedBizOpps.gov, soliciting contractors to share vulnerability intelligence and develop zero-day exploits for most of the leading commercial IT software vendors. The Navy said it was looking for vulnerabilities, exploit reports and operational exploit binaries for commercial software, including but not limited to Microsoft, Adobe, [Oracle] Java, EMC, Novell, IBM, Android, Apple, Cisco IOS, Linksys WRT and Linux, among others. The RFP seemed to indicate that the Navy was not only looking for offensive capabilities, but also wanted to use the exploits to test internal defenses. The request, however, does require the contractor to develop exploits for future-released CVEs. "Binaries must support configurable, custom, and/or government owned/provided payloads and suppress known network signatures from proof of concept code that may be found in the wild," the RFP said.
Ask the NSA (Score:4, Interesting)
So much for post-9/11 interagency cooperation. While one agency is inserting weaknesses, another is having to buy them on the open market. Though the Navy approach is probably cheaper.
Re: (Score:2)
Ask China.
Re: (Score:2)
The Navy is always fighting the last war. In 1939 they had too many battleships. Now they have too many aircraft carriers and too many SSBNs. This wastes massive resources. A good thing they are paying at least a little attention to newer threats.
Re: (Score:3)
The US has ten carriers. China, Russia and France have one each.
Re: (Score:1)
We have 2 new ones under construction in the UK, and we only realised after we started building them that we don't actually have any planes to put on them yet [theguardian.com] while we wait for our FGR4 replacements and our F-35s from you guys.
Re: (Score:2)
The USA has obligations in both the Pacific and Atlantic (and arguably the Indian) oceans.
Aircraft carriers don't yet have teleportation technology, so it takes a while to move them from one side of the world to the other.
So, we need enough in each ocean to handle any conceivable problem. Plus extras to deal with required time in port (while a CVN can stay at sea for very long periods, its non-nuclear escorts require rather more time in port) and yards (even CVNs require time in shipyards every few years
Re: (Score:2)
Two things:
1) the US wasn't involved in a war in 1939.
2) the US had exactly the number of battleships as allowed by the Naval Treaties of the time. And the US had exactly the number of aircraft carriers as allowed by the same Naval Treaties. Note that having fewer BBs then would not have affected the number of CVs in any way, since both were limited by treaty.
Oh, and in spite of the US having "too many battleships", it l
Re: (Score:2)
For example, they invented Tor.
Re: (Score:2)
So much for post-9/11 interagency cooperation. While one agency is inserting weaknesses...
Did you think the Congress was going to tell the NSA to stop doing unconstitutional things and then the US Government, as a whole, would just stop violating the Constitution? As long as there's free money being printed (or kept off books through arms and drug sales), the activities will always just hop to a different group, and the Congress can keep playing Whack-A-Mole until a supermajority is compromised.
Then we get
This has been happening since day one (Score:2)
How many years did it officially take the hackers to stumble across the existence of the embedded NSA backdoor inside MS Windows?
Way before the news of that 'discovery' was told to the world, a friend of mine found it, but was told to 'shut up or else' by his then boss.
Apparently they (and many other people) already knew about it for quite a while, but none of them bothered to tell the world about it.
That's Not How You Do It (Score:2)
2. Have companies submit reports to you as part of the process.
3. Charge companies for the security rating and reviewing their reports.
4. Profit AND build a repository of zero-days.
This is how you do it now (Score:2, Funny)
I would have made $x but you changed the rules, pay up!!
Why.... (Score:2, Interesting)
does every agency and division of the military need to do this? Seems like the classic not-invented-here syndrome and a colossal waste of taxpayer money.
Re: (Score:2)
The Soviets are our adversary. Our enemy is the Navy. -- Curtis LeMay, General, USAF
Navy did signals intelligence first (Score:2)
The navy has been doing signals intelligence for a hundred years or so. Ships do two interesting things - they communicate with their allied forces via radio using giant antennae, and they loiter close to enemy territory, and therefore enemy communications. It's only natural that they would point their large antennae at the enemy, and they've been doing so since just after radio was invented.
The navy also legitimately brings large numbers of personnel into foreign ports on a regular basis. It's only n
Security and 1984 (Score:4, Insightful)
The ever-present security camera? That's bad, but it's still out in public. It's on the street, maybe in the stores. They're not in your home, not yet. Rubber-stamp warrants? That's worse: it allows targeted invasions of privacy. But at least it requires the resources of a human with a paycheck and his own sense of morals. But breaking into computer systems? They're in our pockets, in our homes, and have access to every bit of our modern lives. From shopping lists to love letters to medicine prescriptions, they contain whole lives. Snippets from every trip you've taken are encoded there.
And a program doesn't have a sense of right and wrong. It will never refuse to spy on ethical grounds. It won't bring things up to the attention of oversight committees. It won't make anonymous calls to the ethics line. It won't refuse to work, leak information, or demand orders in writing. A program will quietly do as it's told, wherever it can. Above all prying surveillance, I believe ubiquitous IT access by the government needs to be contained.
"share"? (Score:2)
Navy? (Score:2)
Re: (Score:1)
No, this is just SOP with the armed services. Some time ago, the Air Force put together a cyber command structure so now the Navy wants one. Bailiwick and all that.
Navy has long done this. They hang out near foreig (Score:2)
The navy has been doing signals intelligence for a very long time. Ships communicate with their allied forces via radio using giant antennae, and they loiter close to enemy territory, and therefore enemy communications. It's only natural that they would point their large antennae at the enemy, and they've been doing so since just after radio was invented.
The navy also legitimately brings large numbers of personnel into foreign ports on a regular basis. It's only natural to give some of those sailors
One wonders if/how Microsoft, Apple, Oracle, etc. (Score:2)
...respond to government requests for zero-days, whether official or unofficial.
Re: (Score:1)
If they want to keep their business going internationally, they'd better not give them anything without a fight. Especially now considering that Snowden's leaks made a lot of people, both inside and outside the US, wary of US made software / hardware.
Actually, I wonder why they would want to post such a thing to begin with? The best thing for them (the US) would be to give lip service to reforms while moving and re-securing their espionage activities out of the public eye. By posting this request to the web
and yet real security research is all but outlawed (Score:2)
Find a zero day and report it to someone who might fix it, that is criminal. Find a zero day and report it to the na
Liberty/security (Score:1)
So now that the government is making life a little less secure, does that mean we also get back some liberty?
Wow ... (Score:1)
So when the US Navy and other government agencies are publicly looking to develop exploits ... I think they've pretty much said "go ahead and hack us".
"Because we're the Navy and therefore allowed" suggests you now have a giant target on you.
So I sincerely hope the black hats of the world take up the challenge. You can't piss and moan when other entities do it, and not all of your stuff will be properly hardened.
Time to make popcorn, and settle in and wait for someone to decide to burn the Navy's computers
Novell? (Score:1)
Are they also soliciting attack vectors for SCO, VMS, BeOS & CP/M?