VANCOUVER–When Peiter Zatko, the security researcher and pioneering hacker known as Mudge, joined the federal government several years ago to help run a DARPA research program, some in the security industry wondered what effect someone with his background could have in an organization as famously change-resistant and slow as the Department of Defense. As it turns out, the Cyber Fast Track program he started has been a huge success, and though the CFT is ending in less than a month, the program may well serve as a model for other agile research programs inside the U.S. government.

Zatko is widely known in the security community as a member of the L0pht hacking collective and was a pioneer in the independent security research community. A few years ago, he surprised many people by going to DARPA to run the CFT program, which awards grants for short-term security research projects. Some of the projects that have relied at least in part on CFT funding include the NFC security research Charlie Miller did last year and Moxie Marlinspike’s Convergence system, which aims to be a replacement for the current CA infrastructure. Now, the CFT program is ending, as of April 1, which is the last day that new proposals will be accepted, but Zatko said that there’s a good chance that the programs and systems he developed to enable CFT will live on in other ways.

“CFT is ending because it was an experiment. DARPA isn’t an open organization. We were looking for a new way to work with people,” Zatko said during a talk at the CanSecWest conference here Wednesday. “The back end is what’s designed to transition so other large organizations can use this. I hope they look for more people who look at this and say, Mudge did it and he got out mostly intact.”

The CFT program was designed to deliver funding quickly for interesting security research proposals. This was a major change from the way most DARPA proposal programs work, which is usually on a long timeline. Zatko said that the CFT program so far has received nearly 400 proposals and handed out grants to 101 of them.

While CFT has helped change the way the government looks at security research specifically and the proposal system in general, Zatko said that he also learned quite a lot during his three years in Washington. One thing he found is that, by looking at the security advisories vendors publish about their own products, he could identify that on average about 28 percent of the vulnerabilities introduced each month come from defensive technologies.

“Trying to reduce predictable complexity with more predictable complexity is a bad strategy,” he said.

He also said that there needs to be a bit of a shift in mindset in the defensive security community in order to adapt to the attackers’ changing tactics.

“We oftentimes forget in security that your adversary has good ideas too. People forget that there are game theoretics involved. If you make a change, they don’t just pack up their ball and go home.”

That fact has become all too obvious in recent years as advanced persistent threats (APT) and other sophisticated attackers have infiltrated some of the most well-defended networks there are. But Zatko said he doesn’t see the threat landscape as just a black-and-white world where you’re either winning or losing. There are a lot of subtleties involved.

“When you see that more and more money is being invested and the problem is getting worse, people ask whether we should invest more or none at all,” he said. “Why are we not making progress? There’s a whole bunch of factors involved.”
