Recently I took an interest in being in 35Q, or especially 15C in the US Military. Trouble is, nothing is without a catch, and selling my soul for the easy way doesn’t seem right anymore.
civilian life, I’m far into student loan debt, and don’t have current training on how to make the world safer. As a hacker for the US military, I’d know how to hack an enemy target, but depending on how they treat classified information, they’d
Funny how I have Air Force memorabilia, not Army stuff. And half of what they said doesn’t pass muster. “You can pick” isn’t quite guaranteed, even if they’ve tried to streamline that process.
What we agree on
Obviously, what you’d find from breaking into the Kremlin is classified after a fashion. The exact way you did it is, as well. But if I can be a civilian and continue making things that break in, and making things that make it hard to break in, continuing the craft and sharing it with other people (think GNU’s four freedoms), why sign away my right to ever do that again?
0. To use software as you please
1. To change the software
2. To distribute the source unmodified
3. To distribute your changes

0. To hack my own devices & systems
1. To secure my own devices & systems
2. To distribute my hacking tools
3. To distribute my patches
Where we differ
In hacking, exposing a vulnerability on its own is reckless. Ethical hacking is patching it in as many places as you can before exposing that it existed. A company (or a military) sitting on a vulnerability is reckless, yours OR a competitor’s.
The US military has offensive reasons for keeping the exploits it knows secret, and for not patching civilian systems (domestic, allied, or enemy). However, it’s good defense to patch everyone; the question is, does the US Military care about the offensive advantage they lose by patching international civilian equipment?
Trouble is, you can’t find out their policy before being in the service, and if they change it on you in service, tough luck.
If I demolish bridges, and can’t tell people how to build a bridge that can’t be bombed, what’s the point of learning it?
If I pick locks, and can’t make lock picking harder, what’s the point of a bloody lock? Make it harder for the bad AND the good people. Kerckhoffs. No golden key, no Clipper chip.
Is their job to perfect the art of lock breaking and locksmithing, to be ahead of everyone else and to keep civilians with the best locks, or is their end to be the largest burglar the world has ever known?
What the terrain might look like
I’m left with the following possibilities:
- Option 1. The US military sits on every exploit, patching it for .mil but leaving civilians insecure, leading to terrorist attacks on the internet. They do that purely for tactical advantage.
- Option 2. The military keeps their latest patch secret, so they can do their offensive job correctly, but patches old vulnerabilities as the enemies of the US will find out sooner or later.
- Option 3. The US Military behaves correctly, patches civilian systems, while hacking the targets they need before they update. It’s like the rules of war; it’s something we value above winning.
- Option 4. (Current Choice) In the civilian world, I don’t mess around with this and never sign an NDA that puts me in this position.
What the rules could be
Theoretically, the military could have in code somewhere that:
- For working as a contractor (selling clearance), you say “this is my recommendation”, without giving the classified “how”, or the exact way the military patches. I’m okay with this so long as it’s bulletproof that I can build what I want with what I know.
- For being in the military, you talk with your superior and try to appeal to reason. Good luck. In that case, I’d gain permission to patch a civilian system on a case by case basis and REALLY piss people off in other departments who were being lazy.
- Somewhere in writing you can see that code and know it won’t change. Again, good luck. The Army doesn’t have an EULA; they make you sign something just before seeing the damn thing. You’d be shuttled to a desk job if you said no.
My Moral Code (patching, at least)
Winning doesn’t matter if bad OR “good” people can get into civilian systems, foreign or domestic. The arms race in the digital world will keep happening, whether or not we can say something exists. Sitting on a vulnerability instead of patching it is morally wrong.
Hacking helps you achieve your goals. Sure. I understand that the military gets a free pass on that, like killing people. For a company, I can sign a contract and be allowed to hack them. I will not sign a contract that prevents me from making the vulnerabilities people sit on useless. A lazy offense is not a good defense.
Free college, a steady job, and training are not worth more than a moral code. Being a slave to the United States’ people’s interests above my international friends, or above lesser countries, or above chances for democracy to arise in our enemies’ camps, is against what is right for me. You know what my motives are: make hacking harder for ANYONE, IRRESPECTIVE of what entity they are.
If your way of securing America, Britain, Microsoft, or Google is by way of not securing the rest of the world, you’re party to something I don’t know, some logic above Kerckhoffs and (n-1) of the security personnel I know*. You’ll spend much more time fixing DOD stuff up from the vulnerable civilian spec than just letting civilians maintain that for you. Be lazy, sure, don’t make work for yourself, but move into the future, because I’m sure your enemies will invest in finding more footholds, as will we. I, personally, will be finding footholds to get rid of them.
“Security is more than Kerckhoffs’s principle.” Sure, you can sit on vulns; it makes hacking vulnerable things easier, but you’re not learning. They will eventually patch it on their own. Yes, you are patching it for them, but keeping them safe benefits your security.
It’s bad if ANYBODY’S nukes, stock exchange, or diplomats get hacked, it leads to worse things.
You hack to know if anyone’s off their top, or about to make a wrong move. Sure.
I can’t help you with crazy rulers. I can help you with keeping ANYONE from making that wrong security move that endangers anyone, friend or foe.
That includes a little bit of defending citizens from their crazy surveillance states too.