Ah Booz|Allen|Hamilton ... or also known in the govt. contracting world as "we put warm bodies in seats and charge you tens of millions for it".
Anonymous rant about them is essentially correct, it is just an unofficial wing of the government that shelters yesterday's generals and other big figures from government institutions. If it weren't for the ol'govt'boys network and for all the nepotism and favoritism, there would be a large opportunity for small startups to undercut these large, wasteful, stupid and taxpayer moneysucking behemoths.
> If it weren't for the ol'govt'boys network and for all the nepotism and favoritism, there would be a large opportunity for small startups to undercut these large, wasteful, stupid and taxpayer moneysucking behemoths.
That concern is exactly why the U.S. Small Business Administration exists. The federal government actively works to award ~23% of prime federal contracts to small businesses each year. Moreover, that quota contains specific goals for awarding contracts to Women-Owned Small Businesses (WOSB), Service-Disabled Veteran-Owned (SDVO) small businesses, other "small disadvantaged businesses," and businesses in "Historically Underutilized Business Zones" (HUBZones).
If you actually try to "undercut these large, wasteful, stupid and taxpayer moneysucking behemoths," you'll have federal policy at your back.
Furthermore, "[f]or all procurement actions expected to exceed the $150,000 simplified acquisition threshold, prime contractors are required to make a 'best effort' attempt to make use of small disadvantaged businesses, SDVOs, and WOSBs as subcontractors if the opportunity exists under the contract. For procurement actions expected to exceed $650,000 ($1.5 million for construction), the winning contractor is required to provide the agency contracting officer with a written plan that establishes a small business subcontracting goal. The plan details how the winning contractor will make use of small business in each subcontract category and provide for timely payments." [0]
> "[f]or all procurement actions expected to exceed the $150,000 simplified acquisition threshold, prime contractors are required to make a 'best effort' attempt to make use of small disadvantaged businesses, SDVOs, and WOSBs as subcontractors if the opportunity exists under the contract"
My dad has a small software company that sells statistical analysis software. He told me that he often gets buyers from minority owned businesses that exist solely to exploit that regulation. Say BigCorp wants to score a sweet government contract, and they need to use my dad's software. The CEO of BigCorp talks to his buddy at IAmAMinorityCorp and says "We want the Neyer-D Optimal Test Suite from Neyer Software." IAmAMinorityCorp buys the software, then resells it to BigCorp for 2x what they paid, pocketing the difference.
The system is heavily broken. Anyone who thinks otherwise needs to get their head out of the sand or their hands out of my wallet, preferably both.
However, the system also does some very good work by forcing more work into smaller companies. I have had the pleasure of working for two companies doing business with the government. One doing research through the SBIR program, and another just winning contracts as a small business.
On the good side, both of these companies did very good work and didn't do the "IP shuffle" as you described above. In fact, I'd say the biggest impediment to us getting stuff done was either the government moving slow, or some other company we were forced to work with slowing us down. In fact, the kiss of productivity death for any project was getting involved in a project with one of the bigger consulting companies (BAH, Accenture, etc).
On the other side, the titles of "woman owned" and "minority owned" are completely taken advantage of at all times. Both companies I worked for were "woman owned", which in practice meant that the wives of the bosses owned the company (or at least some of it), but really didn't take part in anything other than showing up for Christmas parties. I am not aware, however, of any real advantage the "woman owned" and "minority owned" titles got us, though.
In all my experience, the SBIR program was one of the biggest scams around. At the end of project, you only have to produce "proof that you researched" the problem. It's completely ok for you to spend all the money to simply determine that the project is not feasible (i.e. we watched movies all day and did a few google searches during the previews).
In theory, the government would stop giving projects to companies that never produced anything. I personally never saw that happen.
If a company is really on the up and up, the SBIR program could be a great opportunity. However, it's way too easy to game the system.
Phase I requirements are typically (but not always) that you have to produce a report that you did feasibility research on the problem. Sometimes a working prototype is the Phase I deliverable. Usually Phase II is where the working prototype is and Phase III is a delivered working system (though for larger projects, Phase III is just the prototype or improvements to Phase II's prototype).
Typical payouts for the phases:
Phase I - 75-100K
Phase II - 750K
Phase III - 2 mil
Most of these projects are challenging enough that for 75K, you're not going to be able to deliver much more than a report. Once you factor in overhead, that's about 4-6 man-months.
I agree with you wholeheartedly, though, that it is greatly taken advantage of -- on a very large scale, and the relationship between companies and granting Program Managers is a big, big deal.
There are definitely companies that play the "we'll do nearly anything" open-ended engineering game and pay themselves using Phase I's.
I have seen some legitimately great work come out of NSF SBIRs, which are similar, but quite a different game in many ways from military SBIRs.
I worked for a company writing military SBIRs for 10 months. Worst job of my life, probably. It was also mind-blowing how OK with all of this that most people of all levels of that chain were.
In a Phase II, the deliverable is normally a prototype. But since it is by definition research, it's expected that some of these projects come against problems that are not reasonably solvable. Therefore, you can fail on your deliverable and have that be completely ok.
I worked for a Woman/Minority Owned Small Business. Believe me, it was the ol'govt'boys network, just at a smaller scale. We had a lady whose job description basically boiled down to being something pretty for our money/government guy to look at.
After $17 million-ish in projects, we produced nothing but a bunch of 'research'. And trust me, there were a few of us developers that really tried to do something useful. Management had no interest in what was produced other than more proposals to get more money. Your bonus/promotion was totally tied to how many proposals you wrote (and this was a software company). Your bonus/promotion had zero to do with how much or how well you wrote code.
Every single time I've come across a WOSB, SDVO, or HUBZone business, it's essentially been a scam, using some technicality to just barely qualify for the program while the contractor is actually run as the standard good ol' boys club that they usually are.
I own a Service-Disabled Veteran Owned Small Business (SDVOSB) and am also a "minority" Hispanic/East Asian female.
From years of experience in Iraq in particular, I believe I am in the minority of small businesses that do not abuse certifying programs like 8(a) for profit in the world of defense contracting.
Yeah, I worked for a small tech company in Illinois whose owner's Asian wife became the owner for the right contracts and who put the minority receptionist in a suit and introduced him as a... president (I think it was) for different state contracts.
> If you actually try to "undercut these large, wasteful, stupid and taxpayer moneysucking behemoths," you'll have federal policy at your back.
What about the billions of no-bid contracts awarded to the likes of Halliburton? The kind of companies you would be competing with have a revolving door to the freaking White House!
> That concern is exactly why the U.S. Small Business Administration exists.
Good point, it exists and it is a good thing. I see a lot of bids from companies specifically tagged as being those entities. Sometimes they get the contract sometimes they don't.
> winning contractor is required to provide the agency contracting officer with a written plan that establishes a small business subcontracting goal.
So they have to find a way to recruit all their college buddies, cousins and friends. Yes on paper it all looks legit, no doubt, it is the loopholes and what goes around the paper trail that makes the difference.
For example, for contract jobs there are written requirements, then there are the real requirements. If you don't know the real requirements (which you find out by knowing so-and-so from back-in-the-day ...) you won't get the contract. When it comes time to pick the bid, surprise! They made a "best effort" but alas, this other bidder "just happened to guess exactly what we need". Well, that other bidder might turn out to be a neighbor who needed a favor returned and so on.
> "we put warm bodies in seats and charge you tens of millions for it".
Are there any defense contractors this doesn't apply to?
> If it weren't for the ol'govt'boys network and for all the nepotism and favoritism, there would be a large opportunity for small startups to undercut these large, wasteful, stupid and taxpayer moneysucking behemoths.
I think the reason is more that the big companies understand the byzantine government processes and have things like CMMI/ISO certifications and certified-secure locations than pure corruption
No. I have worked with and seen small, lean defense contractors, and those who are smart enough in the govt. (and there are some of those, as hard as it may be to believe) know where to find those companies.
> I think the reason is more that the big companies understand the byzantine government processes and have things like CMMI/ISO certifications and certified-secure locations than pure corruption
True. You need someone full-time basically to navigate all those ATOs, ISO, certification, security requirements, etc. So someone who worked on the 'other' side or with the 'other' side is needed. But then you're only 30% in. You need to know people to get the other 70%. Don't you think it is funny that most of these CEOs are ex-generals and ex-heads of CIA, NSA and other large departments, and then they turn around and sell their services to their old buddies, and when their old buddies retire they find similar positions to sell stuff to their buddies? Interesting correlation, isn't it? Well, what it is, is a huge conflict of interest and an environment ready for rampant corruption and nepotism.
I wonder if we are seeing the beginnings of a new revolutionary movement that transcends borders, yet has the ability to cause drastic change within borders. This has the potential to get very interesting for people like me who think the government has overstepped its bounds in the electronic age.
It could be. These are the consequences of ignoring 20 years of warnings by security experts. #antisec is actually the best thing that could happen to the US govt. They are malevolent just enough to get media coverage but not enough to cause serious damage. They will force reorganization and maybe the firing of some incompetent people.
Seems like a real stretch to me. HBGary-like _targeted intrusions_ with corresponding broad private-information disclosures might have a bit of a claim to that theory.
But as far as I can tell you just saw a couple of script kiddies run automated scans against whoever & whatever, happen to see a flaw at BAH, get in and dump a SQL database and then brag about how awesome they are. Big fucking deal?
Disclosing password hashes isn't going to bring down shit. It's like the hacker equivalent of the special olympics.
I'm not sure why so many people jump to calling members of these groups "script kiddies" -- perhaps because it's in vogue and makes one feel more important than others? It's been shown that a few of the 0days these guys are using are from their own findings. A handful of members of different groups (of Antisec fame and some not) seem to take great interest in cryptography, reverse engineering, etc. As immature as their ways may be, as misguided as their goals may seem to you, they're certainly not script kiddies and they're certainly pretty clever if they've managed to not get caught yet.
Lol, wait what? Which 0-days has it been shown they're using, let alone ones they developed themselves? I think the phrase here is citation needed. If you're using private zero days to break into systems you're almost assuredly not telling anyone about them - and the flip side is probably true as well.
Nope definitely not, there is a wide gulf between the two. It's just if they were using their own zero days then it'd be pretty obvious that I was wrong.
With the password hashes being unsalted MD5 and estimates of password reuse averaging from 12% this is valuable information that could be used to gain access to more sensitive systems. Sure it may be as simple as running an automated scan, but if a script kiddie could do that and get this information it's likely this information may well have been compromised before now, we just haven't heard of it.
> but if a script kiddie could do that and get this information it's likely this information may well have been compromised before now, we just haven't heard of it.
Hi. This happens all the time. There is evidence of far more significant data breaches nearly every day in the press - Byzantine Hades, RSA, Aurora, Night Dragon, the list goes on and on. Probably the best argument for why this specific SQL database with web app passwords hasn't been compromised in the past is that it's of very questionable value.
The people holding up convenience stores aren't revolutionaries. And that's true even if you try to spin a yarn where removing the funds from a tax paying business might lead to an eventual budget shortfall.
Enclosed is the invoice for our audit of your security systems [...]
4 hours of man power: $40.00
Network auditing: $35.00
Web-app auditing: $35.00
Network infiltration*: $0.00
Password and SQL dumping**: $200.00
Decryption of data***: $0.00
Media and press****: $0.00
Total bill: $310.00
$10/hr - clearly they don't know the going rate for security researchers and pen-testers. Or perhaps I should circulate this to the guys I use, to get them down a bit :)
Looks like they grabbed some sort of online course system's DB. I am guessing it isn't as secure as some of their other servers and it has independent authentication. So it isn't their main user/password database, but looks like people using their email address to login.
I'm not sure if I agree. One thing that's nice about HN is that I so often get the story early, otherwise I would use one of the weekly/daily best-of aggregators anyway.
The front-page is big enough that I can handle there being one post for the original raw-data, and a subsequent post for the Ars analysis.
Your other point about "cheerleading" is well taken, It is easy to get caught up in the David vs. Goliath sentiment.
If we're waiting for Ars Technica to do an in-depth article, we'll be as late to the table as everyone else. I like learning about these things as they happen.
Right. Ars has a pretty solid reputation for taking its time to do an in-depth story. I'm happy to have both the quick version now and the Ars version later, and I don't mind both hitting the frontpage if the story is big enough.
I haven't seen this (yet) in any local media, and it's at least given me the opportunity to email all the Booz employees I know and urge them to at least change their passwords.
Having the information quickly is advantageous to both sides.
The thing is that it is also the main source of the "official" antisec statement. I prefer to read their direct humorous prose, it is less likely to leave important information out.
Unsalted MD5 as well. And looking at the list of people apparently in their employ, this could lead to some serious drama.
Seriously though, unsalted MD5? Again? Like they say in the release, anonymous can't be any more explicit. Their slogan is "expect us." That should be a clue.
At this point, I think these guys should be given a job. If they can exploit these vulnerabilities then it's almost certain that our enemies already are exploiting them.
But it's worse to hide and ignore the problem. The other poster hit the nail on the head. This stuff is happening on a much larger scale - it's only because of lulzsec/anonymous that anyone even has a clue how bad the situation really is.
Actually, I don't disagree with you - it's a good thing (for a certain value of "good" - in a perfect world, things would all be secure, and we'd ride unicorns everywhere) that this kind of stuff is exposed.
What I disagree with is the "giving them a job" bit. I don't think that rewarding these kinds of people with employment is right - part of working in computer security is having a certain code of ethics. Whereas I'd much prefer that this kind of stuff be made public, giving them a job is similar to rewarding a thief with a job as a cop.
Due to the anonymous nature of these things, some of these recent attacks could easily be from within the USA's govt, just like the anthrax letters were.
It does seem clear, though, that we all have a lot to learn about protecting information...
I'm not encouraging the act, I'm just saying the companies should respond pro-actively not just pretend the problem(s) don't exist. Doing nothing is the absolute worst option.
Their habits show that they would not be interested in a job at the targets of their hacks, and a good portion of them are likely employed in the infosec industry already.
Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers. And if the drive or CD had an official logo on it, 90% were installed: http://thenextweb.com/industry/2011/06/28/us-govt-plant-usb-...
Remember when Anonymous broke into HBGary and consequently, rootkit.org?
Releasing the emails was just one outcome. The other was that any dangerous knowledge (or digital weaponry) lying around there was ready for the taking.
Every time I see the term "digital weaponry" or a synonym, I think of a bleak future where citizens are jailed for possession of "military grade encryption systems".
I don't know if it's because I'm inside the industry, if software is inherently easier to create and duplicate, or if the damage is somewhat smaller, but I really can't see any software as a weapon.
Malware that specifically targeted (inadequately protected) control systems for critical infrastructure (think power/water/transport) would not be unlike an EMP bomb in my opinion.
A weapon is just a type of tool used with intent to harm.
>A weapon is just a type of tool used with intent to harm.
While that is correct, it can be extended to pretty much everything. In the end, weapons don't kill people, people kill people.
And while this will probably get me labeled as a conspiracy theorist, I still think that a lot about Stuxnet was way too fishy, and it was way too conveniently timed for all the security fascists that are raving about "Cyber War".
I think a more accurate description would be "a type of tool created with the intent to harm". You can use your kitchen knife to stab someone, but it's not its main purpose.
Rifles and bombs don't kill people by themselves either, but are a damn good indication of intent and their simple presence facilitates dangerous situations.
I'd say a weapon is a tool whose only use is harm to other men.
The line gets a little blurry around things like guns and knives, but I think it still holds. For example, an AK-47 is a weapon, while a bird shotgun can be used as a weapon.
While storing a straight SHA1 of a password is obviously a Bad Thing (TM), what does it say about the attackers that they couldn't tell an MD5 from a Base64'd SHA1? It's not exactly rocket surgery.
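Two technical points in this thread are worth pinning down with code: the "unsalted MD5 plus password reuse" comment above (why a dump of deterministic digests is worth something even without the plaintexts), and the last comment's point that a 32-character hex MD5 and a 28-character Base64 SHA-1 are distinguishable by length and alphabet alone. The block below is an added example written for this page; it is not from the thread, from the AntiSec release, or from Booz Allen. The wordlist and the two "site dumps" are constructed inline, the function names are mine, and PBKDF2 is shown as one conventional salted/slow alternative, not as anything the site in question used.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample wordlist; no relation to any real dump.
SAMPLE_WORDLIST = ["password", "Welcome1", "letmein", "summer2011"]

_HEX = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Raw digest size in bytes -> algorithm; shared by both encodings.
_DIGEST_LEN = {16: "md5", 20: "sha1", 32: "sha256"}


def classify_hash(value):
    """Guess (algorithm, encoding) from length and alphabet alone.

    Hex is tested first because hex digits are also valid base64
    characters.  That is safe here: a base64 MD5 is 24 chars ending
    in '==' and a base64 SHA-1 is 28 chars ending in '=', so neither
    can be mistaken for a 32- or 40-char hex digest."""
    value = value.strip()
    if _HEX.match(value):
        return _DIGEST_LEN.get(len(value) // 2, "unknown"), "hex"
    if _B64.match(value):
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:          # binascii.Error subclasses ValueError
            return "unknown", None
        return _DIGEST_LEN.get(len(raw), "unknown"), "base64"
    return "unknown", None


def unsalted_md5_hex(password):
    """The dumped scheme as described: one fixed digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Hash the wordlist once.  Because there is no salt, this single
    table applies to every user in the dump and to any other site that
    stores the same unsalted digest."""
    return {unsalted_md5_hex(w): w for w in wordlist}


def crack_unsalted(dump, table):
    """dump: {user: md5_hex}.  Returns {user: plaintext} for table hits."""
    return {user: table[h] for user, h in dump.items() if h in table}


def find_reuse(dump_a, dump_b):
    """Cross-site reuse without cracking anything: identical unsalted
    digests for the same user mean the same password on both sites."""
    return sorted(u for u, h in dump_a.items() if dump_b.get(u) == h)


PBKDF2_ROUNDS = 100_000


def salted_hash(password, salt=None):
    """Per-user random salt + slow KDF.  The lookup table above no
    longer applies, and two users sharing a password store different
    values, so find_reuse() also stops working."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt/rounds; constant-time compare."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed dumps from two hypothetical sites, both unsalted MD5.
    site_a = {"alice": unsalted_md5_hex("Welcome1"),
              "bob": unsalted_md5_hex("correct horse")}
    site_b = {"alice": unsalted_md5_hex("Welcome1"),
              "bob": unsalted_md5_hex("something else")}
    table = build_lookup_table(SAMPLE_WORDLIST)
    print(crack_unsalted(site_a, table))                 # {'alice': 'Welcome1'}
    print(find_reuse(site_a, site_b))                    # ['alice']
    print(classify_hash("2jmj7l5rSw0yVb/vlWAYkK/YBwk="))  # ('sha1', 'base64')
    print(classify_hash("5f4dcc3b5aa765d61d8327deb882cf99"))  # ('md5', 'hex')
```

The point of `find_reuse` is the one the reuse comment was making: with unsalted digests an attacker does not even need to crack a password to learn that a given user reused it elsewhere, only to see the same digest in two dumps. Unsalted SHA-1 (hex or Base64) has exactly the same problem as unsalted MD5 here; the encoding only changes how you parse the dump.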