DOD on the hunt for hacker hires

Hacker turned DARPA program manager Mudge returned to his roots at the Black Hat Briefings to announce a new program to fund small-scale hacker research.

LAS VEGAS — Hacker turned DARPA program manager Mudge returned to his roots at the Black Hat Briefings Aug. 4 to announce a new Defense Department program to fund small-scale hacker research and to make a pitch for ideas to fund.

The Defense Advanced Research Projects Agency's Cyber Fast Track program, officially DARPA RA-11-52, went live Aug. 3 and is expected to fund between 20 and 100 short-term projects a year at “considerably under $1 million,” said Mudge, whose real-world name is Peiter Zatko. The Fast Track is a pet project of Zatko's intended to fight bloat in both security software and government research.

“DARPA intends to cultivate relationships and become a resource” for the hacker community, he said.

Zatko, under his nom-de-hack Mudge, is well-known in the hacker world and at Black Hat, and was a founder of the L0pht hacker research group. He left the commercial world about a year ago for a four-year stint with DARPA as a program manager in the Information Innovation Office.

Over the past decade, security software has become exponentially more complex, Zatko said, averaging about 10 million lines of code, while the average size of malware has remained static at about 125 lines of code. In Las Vegas odds, 10 million to 125 would be considered a sucker bet, he said.

“It's not giving us defense in depth,” Zatko said. “It's increasing the attack surface. Everything is a large target in our modern operating systems.”

Zatko said he wanted to encourage small, flexible research groups with innovative ideas, but he knew from his L0pht experience that government funding is complex and impractical for such organizations.

“Looking at it with my DARPA hat on, I said, 'this is not good,' ” he said.

He developed the Fast Track program to provide small amounts of short-term help to researchers to continue their work while remaining independent.

Ideas being considered for funding include a project to use broad community resources to audit open-source code, and a device called the IED WarVox, a literal war-dialer for cell phones that could be used in war zones to discourage improvised explosive devices.

“Think about it,” Zatko said. “You're making bombs with cell phones and they are ringing all the time. In a couple of weeks we could put this together.”

The Fast Track will have a quick turnaround time, responding to approved requests with contracts within 14 days. Developers would keep commercial intellectual property rights and the government would get government purpose rights.

The website for the program is www.cft.usma.edu.