The story has begun when one of the most famous US hackers Peiter C. Zatko, also known as Mudge and a member of the hacking group The Cult of the Dead Cow, decided to leave underground to work for private industry and government.
He is considered the “intellectual father” of the concept of buffer overflow, in 1995 he published the work “How to Write Buffer Overflows” explaining the potentiality of exploiting these categories of vulnerabilities.
Several years ago Peiter Zatko started a prolific collaboration with the US government and in particular with Defense Advanced Research Projects Agency (DARPA) supporting the authorities to improve their cyber capabilities. His contribution was crucial for the Department of Defense, his program known as Cyber Fast Track (CTF) has gained in have great success, but like any story, it has an end that is taking place in a few weeks.
According official source the program CFT “funds research to be performed by boutique security companies, individuals, and hacker/maker-spaces, and allow them to keep the commercial Intellectual Property for what they create. The goal is not to have these entities focus on solving DoD problems, but rather to fund research efforts these organizations would have considered on their own but are not pursuing due to complexity/cost/time/etc. Where it is an effort that may help the community at large it is almost by definition within the running lanes of CFT to consider. What’s good for the community is good for DARPA “
The intent was to funds multiple small projects for all technologies related in the area of cyber characterized by high value-added in shorter time frames, limited cost and with the expectation of results demonstrated in less than 12-month period … and there have been many success stories as we will see shortly.
“For the time and money currently invested for one program, the government is striving to engage in dozens of programs,” “The government needs agile cyber projects that are smaller in effort, have a potential for large payoff, and result in a rapid turnaround, creating a greater cost to the adversary to counter.” DARPA explained.
The project deadline is April 1st this is the last day for submission of new proposals, but many security specialists including Zatko, are sure that the soul of the CFT project will reincarnate in new activities equally prolific. Until now CFT program has received around 400 proposals and sustained 101 of them.
During a talk at the CanSecWest conference, Zatko announced:
“CFT is ending because it was an experiment. DARPA isn’t an open organization. We were looking for a new way to work with people,” “The back end is what’s designed to transition so other large organizations can use this. I hope they look for more people who look at this and say, Mudge did it and he got out mostly intact.”
To provide some samples on the activities promoted by the program let’s remind the Convergence system for replacing the CA infrastructure designed by Moxie Marlinspike and the research conducted by popular security expert Charlie Miller on security of NFC (near-field communication) communication protocol.
According to various sources such as Nexgov portal recent and “ongoing projects include investigating forensic evidence on Mac OS X-based machines, and developing software in support of a command and control system for disposable computers that are dropped from a drone into an area of interest”.
In my opinion, the program represents excellence in the research sector, contrary to the guideline of the majority of programs of DARPA that have a long duration, it finances only projects focused on short-term goals, do not forget that today’s technological scenario has the same dynamic with a short timeline, this is a revolutionary approach.
Why think of projects with huge investments that go on for years, when the technology may become obsolete due to the disproportionate length of research activities?
The philosophy behind the approach of Zatko is synthesized in an exceptional way by the following statement of the popular hacker:
“Trying to reduce predictable complexity with more predictable complexity is a bad strategy,”
This is a radical change of thought, exactly what the US government desired for its research, the cyber threat is increasing in complexity and attackers explore everyday new tactics, a continuous evolution that have to be mitigated with a dynamic and adaptive approach.
“We often times forget in security that your adversary has good ideas too. People forget that their are game theoretics involved. If you make a change, they don’t just pack up their ball and go home.”
“When you see that more and more money is being invested and the problem is getting worse, people ask whether we should invest more or none at all,” “Why are we not making progress? There’s a whole bunch of factors involved.”
Apparently, the decision of DARPA to turn off funding for hackers pursuing cyber security research appears a contradiction, the US has one of the most careful governments on the necessity to grow up cyber army and increase cyber capabilities. The hacker’s skills are fundamental to increase the cyber capabilities of the countries, and investments are necessary but they are unless guided in the wrong way, the “Resilient Military Systems and the Advanced Cyber Threat” written by Defense Science Board (DSB) highlighted it
“Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems”
The statement is eloquent, skilled hackers using resources commonly available on the internet are able to create serious damage to American infrastructures, the report also sustains the need to invest a huge quantity of money to improve US cyber capabilities … so why suppress so interesting and cheap cyber security research?
(SecurityAffairs – hacking, Zatko)