US military swoops into DEF CON seeking a few good hackers for debut aviation pwning village For the first time, Vegas's annual DEF CON hacking conference has an "aviation hacking village", and the US military is scouting around there for a few good hackers to find bugs that its own hackers have missed. "We've got some great hackers on our team and we're proud of them," Dr Will Roper, assistant secretary of the Air …
Essentially DEF CON seems to sell out to the highest bidder. In European conferences not even sponsors are well visible. A recruiting event for the military would be absolutely unimaginable, and even if it happened, most people would try their best to sabotage it.
In fact a few years ago during the CCC congress, some artists hired actors to act as recruiters for such organizations. Most people downright rejected those, while some people turned up to the arranged meeting with hidden microphones and cameras. Nobody took the offer.
So it is better in the Euro conferences you refer to to have military/spy agency recruiters in the shadows? Surely you're not naive enough to believe they aren't present! Maybe the "artists" in your example simply didn't fool anyone into believing they were who they portrayed and that's why nobody took the bait. That doesn't mean there weren't real recruiters there also, who aren't going to tell anyone whether their recruiting efforts met with success or not.
Isn't it better if this sort of business is conducted out in the open? Those who aren't interested can more easily stay away if everyone is on the up and up about who they represent. And isn't a laudable goal to try to harden military aircraft against hackers? Hijacking a jet would be a terrorist's dream, hopefully that is as difficult as possible (though I'm still very leery about this idea of giving them an IP connection in flight, that's just asking for it)
as a 5 time attendee (very fortunate my job sent me), clearly you have never been involved in a DefCon - you are are a fricking idiot Chrissie to make a comment like that.
You should attend next year, just to understand. But I'm sure you will be doing your hair or something other really cool thing...
This is exactly what the SCADA vendors will tell you, you can keep running our 1980's kit air-gapped from the world with zero software changes but when top need to change configuration settings you better use a laptop which is used for this one purpose and is wiped after every connection. They would rather you replace the kit with our newer connected model but for gods sake never ever connect this to anything but a private network.
Unfortunately there are a large number of companies flogging interfaces with cellular connections to allow you to remote control valves, switch-gear etc 'securely'. Unfortunately once you get through the 'connectivity kit' there is bugger all security preventing you from performing mischief. The military may be able to station guard with m16s but the security of a sluice-gate on the Norfolk fens is another matter.
Or does this "village" sound like one of those "contests" that companies continue to run where they invite artists and designers to redesign their logos / websites / headquarters with a few-hundred-dollar prize* for the winning entry -- getting hundreds of people to do work for them for free...?
* That's, at best, the prize. Otherwise, the "prize" is EXPOSURE!
https://theoatmeal.com/comics/exposure
More likely the top prize is a job offer. Even if you aren't interested in working for the military, that exposure can't hurt a security professional looking for a job involving say connected cars or SCADA type systems that would have some similarity as far as threat models and exploit methods.
No one is forcing anyone to participate, so if they need to be paid they should start looking for those $1 million iPhone exploits.
Village is more of an open (just walk in and participate) lab. You don't give your name, you don't say who you work for. Unless you want to... The voting system village last year did a world of good for voting systems. There are several villages, these are not contest. However, there were plenty of CTF events that are contest, with very awesome prizes. But it takes top notch skills to win. less than .01% of attendees win. - because there can be only one (team).
I'd love to fix the world but they wont give me the source code.
Seriously though, I am the greatest. You could spend decades "port scanning" for vulnerabilities, or I could spend weeks examining the schematics for "short sighted" holes. EVERY vulnerability and bug boils down to faulty software design, either caused by incompetence, lack of funding, or lack of time before deadlines. That being said, FU Pay me. I dont give a crap about hacking planes, I care about getting paid, getting laid, and not losing my pay or lay to criminals. Show me some commas, plural $,$$$,$$$
If I can solve homeless and fix the economy, you bet your ass I can build unhackable software and cryptography.
You know where to find me, I dont hide.
It occurs to me that they have been allowed to hack the systems of an old plane the US don't use much anymore, and have mostly offloaded to other countries.
Other countries which may or may not (mostly not) get the same fixes (damn those supply chain issues eh).
If they want to be able to hack the planes they sold off to their "allies" years ago, this seems like a good way to get the advantage needed.
If they want to improve the security of the F-35 then the hackers should be hacking that.
However all anyone needs to do to scupper an F-35 is pick a fight in bad weather, make it fly "too fast", make them have to take off and land a few times and use up their tyres (damn those supply chain issues eh.), or hold up a mirror and just shame it into killing itself.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
