Free pass to hack the Pentagon!

Elixer

Lifer
May 7, 2002
10,371
762
126
https://hackerone.com/hackthepentagon
So, let me get this straight, they want people who "hack" to sign up for this, give them the keys to your life (SS#, taxpayer ID#) and all the other info, then you are "free" to hack them?


Individuals are eligible to participate only upon meeting ALL of the following conditions:

You must have successfully registered as a participant through this security page.
You must have a U.S. taxpayer identification number and a social security number or an employee identification number and the ability to complete required verification forms.
You must be eligible to work within the U.S.; meaning you are a U.S. citizen, a noncitizen national of the U.S., a lawful permanent resident, or an alien authorized to work within the U.S.
You must not reside in a country currently under U.S. trade sanctions.
You must not be on the U.S. Department of the Treasury's Specially Designated Nationals list.
 

lxskllr

No Lifer
Nov 30, 2004
59,405
9,929
126
> In connection with your participation in this program you agree to comply with all applicable federal, state, and local laws

Doesn't this clause invalidate pretty much every hack? By participating, they get a vulnerability fixed, and the participant gets jail.
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
I don't need to hack a website or server to know that you should have a HIPS and several honey pots. With these honey pots your hacker will fall in and you can learn what they are doing and patch that crap right quick. All the while your end point remains fortified.

It seems e-mail attachments are the biggest vector nowadays. Thus they need to think of some way to rectify this. Perhaps a digital signature for attachments that is used with an in house server that issues said digital server for all attachments. If the attachment doesn't match a digital sig. it's tossed.
 

John Connor

> Doesn't this clause invalidate pretty much every hack? By participating, they get a vulnerability fixed, and the participant gets jail.


Common sense to me thinks this must mean something like don't use resources that are otherwise illegal, etc. Like a hacked surfboard modem or a stress tester website. IDK... The Feds are some of the stupidest people there ever were.
 

Elixer

> I don't need to hack a website or server to know that you should have a HIPS and several honey pots. With these honey pots your hacker will fall in and you can learn what they are doing and patch that crap right quick. All the while your end point remains fortified.
>
> It seems e-mail attachments are the biggest vector nowadays. Thus they need to think of some way to rectify this. Perhaps a digital signature for attachments that is used with an in house server that issues said digital server for all attachments. If the attachment doesn't match a digital sig. it's tossed.

I am still trying to figure out, why are the sensitive servers even connected to the internet at all?
Anything that even touches the outside world should be firewalled off, so nothing comes in through that machine.

I also think the number one attack vector, besides stupidity, is they allow people to surf the web on their machines.
They said over 350 cases of ransomware have already infected them this year, and only a few of those were from attachments--which should never be allowed in the first place.
Idiots.
Now, they are going to convert most machines to Windows 10, to get more 'protection'.
 

John Connor

Anti-Executable looks awesome!

I'm confused though. I clicked order and it says a one year maintenance package. Is that updates? And how much after that?

Edit- Their Deep Freeze program looks nice too! I use a netbook for a Teamspeak and FTP server so that could come in handy.

I do use Sandboxie.
 

John Connor

I would imagine perhaps the software uses a hash. That's how firewalls like Comodo operate I think.
 

DigDog

Lifer
Jun 3, 2011
14,451
2,874
126
Guess what most hackers' day job is? A: hacker.
They sign up as security experts, you don't know which ones also work "off hours".
 

balloonshark

Diamond Member
Jun 5, 2008
7,020
3,511
136
> Anti-Executable looks awesome!
>
> I'm confused though. I clicked order and it says a one year maintenance package. Is that updates? And how much after that?
>
> Edit- Their Deep Freeze program looks nice too! I use a netbook for a Teamspeak and FTP server so that could come in handy.
>
> I do use Sandboxie.

I'm not 100% sure but I believe the maintenance package includes support and any program updates for a year. When I saw someone using the program he was using an older version though so I'm not sure what has changed with the program.

I'm sure you're familiar with Wilders Security but they discuss several similar programs in their other anti-malware software forums if you're interested. http://www.wilderssecurity.com/forums/other-anti-malware-software.35/

Since you're interested in Deep Freeze you might also check out the FD-ISR, Returnil and Sandboxing and Virtualization forums while you're there. I've been using Shadow Defender to virtualize my c: drive on demand when I'm surfing riskier sites.
 

balloonshark

> Hmm, so this is a whitelist type of thing.
> So, if the malware is named the same thing as one of the programs on the whitelist, it would run it, would it not?

Yes it uses a whitelist but I'm not sure about the details. It does block a ton of executables among other things like writes to certain areas. There is/was a guy at Wilders named Rmus that threw everything he could find at it and it always stopped malware cold.

I would check out the forum link above though as there are other options that seem to be more popular at Wilders. It's also tough finding a program that works well with your system and the way you use it so it's worth trying them before you purchase.
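
Added example, not part of the thread and not the implementation of Anti-Executable, Comodo or any product named here: a generic comparison of a name-based allowlist with a SHA-256 content allowlist, which is the distinction behind the question quoted above about same-named malware. The file names and bytes are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file's contents in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def allowed_by_name(path, allowed_names):
    """Weak policy: trusts whatever carries an approved file name."""
    return Path(path).name.lower() in allowed_names


def allowed_by_hash(path, allowed_hashes):
    """Content policy: trusts only bytes that were hashed when the list was built."""
    return sha256_file(path) in allowed_hashes


def demo():
    """Build constructed sample files and return (name_verdict, hash_verdict) per file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "approved").mkdir()
        (root / "downloads").mkdir()
        # Constructed stand-ins for executables; the bytes are placeholders.
        trusted = root / "approved" / "editor.exe"
        trusted.write_bytes(b"MZ constructed approved program v1")
        same_name = root / "downloads" / "editor.exe"
        same_name.write_bytes(b"MZ constructed unknown program")
        renamed_copy = root / "downloads" / "tool.exe"
        renamed_copy.write_bytes(trusted.read_bytes())

        names = {"editor.exe"}
        hashes = {sha256_file(trusted)}
        samples = {"trusted": trusted, "same_name": same_name,
                   "renamed_copy": renamed_copy}
        return {label: (allowed_by_name(p, names), allowed_by_hash(p, hashes))
                for label, p in samples.items()}


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(label, "name:", verdicts[0], "hash:", verdicts[1])
```

The same-named file passes the name check but fails the hash check, while a renamed copy of the approved file does the opposite. A hash list has to be rebuilt whenever an approved program is updated, since the new bytes produce a new digest.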
 

John Connor

> I'm not 100% sure but I believe the maintenance package includes support and any program updates for a year. When I saw someone using the program he was using an older version though so I'm not sure what has changed with the program.
>
> I'm sure you're familiar with Wilders Security but they discuss several similar programs in their other anti-malware software forums if you're interested. http://www.wilderssecurity.com/forums/other-anti-malware-software.35/
>
> Since you're interested in Deep Freeze you might also check out the FD-ISR, Returnil and Sandboxing and Virtualization forums while you're there. I've been using Shadow Defender to virtualize my c: drive on demand when I'm surfing riskier sites.


I actually never heard of Wilders. I just found something else called AppGuard on that forum and also this: http://www.infoworld.com/article/3048529/security/spread-honeypots-over-your-defense-plan.html

Edit- VoodooShield looks interesting too.
 

balloonshark

> I actually never heard of Wilders. I just found something else called AppGuard on that forum and also this: http://www.infoworld.com/article/3048529/security/spread-honeypots-over-your-defense-plan.html
>
> Edit- VoodooShield looks interesting too.

I have keys for both that I have never used. When I was looking at AppGuard some were afraid that it might mess with game launchers and DRM so I put it on the back burner. The last thing I wanted was to get banned because of my security program. Plus I was comfortable with Online Armor and Sandboxie. Now that they shut down OA's activation servers I need to rethink my setup again.

Also check out NoVirusThanks EXE Radar Pro. It seems to be popular.

The rabbit hole is deep (and sometimes addictive) if you want to explore alternative security setups.
 

John Connor

NoVirusThanks EXE Radar Pro looks nice too! I like the license.

Yes, the rabbit hole is deep. I never knew there were so many solutions to lock down your PC like this. I like this idea since I don't use an anti-virus on my gaming desktop because I don't want stuff to mess up with mods/hacks I use. LOL Also, I use a netbook as an FTP and Teamspeak server. So locking that down would be nice too.