Anonymous' rant about them is essentially correct; it is just an unofficial wing of the government that shelters yesterday's generals and other big figures from government institutions. If it weren't for the ol'govt'boys network and for all the nepotism and favoritism, there would be a large opportunity for small startups to undercut these large, wasteful, stupid and taxpayer moneysucking behemoths.
That concern is exactly why the U.S. Small Business Administration exists. The federal government actively works to award ~23% of prime federal contracts to small businesses each year. Moreover, that quota contains specific goals for awarding contracts to Women-Owned Small Businesses (WOSB), Service-Disabled Veteran-Owned (SDVO) small businesses, other "small disadvantaged businesses," and businesses in "Historically Underutilized Business Zones" (HUBZones).
If you actually try to "undercut these large, wasteful, stupid and taxpayer moneysucking behemoths," you'll have federal policy at your back.
Furthermore, "[f]or all procurement actions expected to exceed the $150,000 simplified acquisition threshold, prime contractors are required to make a 'best effort' attempt to make use of small disadvantaged businesses, SDVOs, and WOSBs as subcontractors if the opportunity exists under the contract. For procurement actions expected to exceed $650,000 ($1.5 million for construction), the winning contractor is required to provide the agency contracting officer with a written plan that establishes a small business subcontracting goal. The plan details how the winning contractor will make use of small business in each subcontract category and provide for timely payments."
My dad has a small software company that sells statistical analysis software. He told me that he often gets buyers from minority owned businesses that exist solely to exploit that regulation. Say BigCorp wants to score a sweet government contract, and they need to use my dad's software. The CEO of BigCorp talks to his buddy at IAmAMinorityCorp and says "We want the Neyer-D Optimal Test Suite from Neyer Software." IAmAMinorityCorp buys the software, then resells it to BigCorp for 2x what they paid, pocketing the difference.
The system is heavily broken. Anyone who thinks otherwise needs to get their head out of the sand or their hands out of my wallet, preferably both.
However, the system also does some very good work by forcing more work into smaller companies. I have had the pleasure of working for two companies doing business with the government: one did research through the SBIR program, and the other simply won contracts as a small business.
On the good side, both of these companies did very good work and didn't do the "IP shuffle" as you described above. In fact, I'd say the biggest impediment to us getting stuff done was either the government moving slowly, or some other company we were forced to work with slowing us down. In fact, the kiss of productivity death for any project was getting involved in a project with one of the bigger consulting companies (BAH, Accenture, etc).
On the other side, the titles of "woman owned" and "minority owned" are completely taken advantage of at all times. Both companies I worked for were "woman owned", which in practice meant that the wives of the bosses owned the company (or at least some of it), but really didn't take part in anything other than showing up for Christmas parties. I am not aware, however, of any real advantage the "woman owned" and "minority owned" titles got us.
In theory, the government would stop giving projects to companies that never produced anything. I personally never saw that happen.
If a company is really on the up and up, the SBIR program could be a great opportunity. However, it's way too easy to game the system.
Phase I requirements are typically (but not always) that you have to produce a report that you did feasibility research on the problem. Sometimes a working prototype is the Phase I deliverable. Usually Phase II is where the working prototype is and Phase III is a delivered working system (though for larger projects, Phase III is just the prototype or improvements to Phase II's prototype).
Typical payouts for the phases:
Phase I - 75-100K
Phase II - 750K
Phase III - 2 mil
Most of these projects are challenging enough that for 75K, you're not going to be able to deliver much more than a report. Once you factor in overhead, that's about 4-6 man-months.
I agree with you wholeheartedly, though, that it is greatly taken advantage of -- on a very large scale, and the relationship between companies and granting Program Managers is a big, big deal.
There are definitely companies that play the "we'll do nearly anything" open-ended engineering game and pay themselves using Phase I's.
I have seen some legitimately great work come out of NSF SBIRs, which are similar, but quite a different game in many ways from military SBIRs.
I worked for a company writing military SBIRs for 10 months. Worst job of my life, probably. It was also mind-blowing how OK most people at all levels of that chain were with all of this.
EDIT: formatting, minor content
In a Phase II, the deliverable is normally a prototype. But since it is by definition research, it's expected that some of these projects come against problems that are not reasonably solvable. Therefore, you can fail on your deliverable and have that be completely ok.
After $17 million-ish in projects, we produced nothing but a bunch of 'research'. And trust me, there were a few of us developers that really tried to do something useful. Management had no interest in what was produced other than more proposals to get more money. Your bonus/promotion was totally tied to how many proposals you wrote (and this was a software company). Your bonus/promotion had zero to do with how much or how well you wrote code.
From years of experience in Iraq in particular, I believe I am in the minority of small businesses that do not abuse certifying programs like 8(a) for profit in the world of defense contracting.
Very impressive program.
What about the billions of no-bid contracts awarded to the likes of Halliburton? The kind of companies you would be competing with have a revolving door to the freaking White House!
Good point, it exists and it is a good thing. I see a lot of bids from companies specifically tagged as being those entities. Sometimes they get the contract sometimes they don't.
> winning contractor is required to provide the agency contracting officer with a written plan that establishes a small business subcontracting goal.
So they have to find a way to recruit all their college buddies, cousins and friends. Yes on paper it all looks legit, no doubt, it is the loopholes and what goes around the paper trail that makes the difference.
For example, for contract jobs there are written requirements, then there are the real requirements. If you don't know the real requirements (which you find out by knowing so-and-so from back-in-the-day ...) you won't get the contract. When it comes time to pick the bid, surprise! They made a "best effort", but alas, this other bidder "just happened to guess exactly what we need". Well, that other bidder might turn out to be a neighbor who needed a favor returned, and so on.
Are there any defense contractors this doesn't apply to?
> If it weren't for the ol'govt'boys network and for all the nepotism and favoritism, there would be a large opportunity for small startups to undercut these large, wasteful, stupid and taxpayer moneysucking behemoths.
I think the reason is more that the big companies understand the byzantine government processes and have things like CMMI/ISO certifications and certified-secure locations than pure corruption
> I think the reason is more that the big companies understand the byzantine government processes and have things like CMMI/ISO certifications and certified-secure locations than pure corruption
True. You need someone full-time basically to navigate all those ATOs, ISO, certification, security requirements, etc. So someone who worked on the 'other' side or with the 'other' side is needed. But then you are just 30% in. You need to know people to get the other 70%. Don't you think it is funny that most of these CEOs are ex-generals and ex-heads of the CIA, NSA and other large departments, and then they turn around and sell their service to their old buddies, and when their old buddies retire they find similar positions to sell stuff to their buddies? Interesting correlation, isn't it. Well, what it is, is a huge conflict of interest and an environment ready for rampant corruption and nepotism.
Anonymous may become catalyst, if nothing else.
But as far as I can tell you just saw a couple of script kiddies run automated scans against whoever & whatever, happen to see a flaw at BAH, get in, dump a SQL database and then brag about how awesome they are. Big fucking deal?
Disclosing password hashes isn't going to bring down shit. It's like the hacker equivalent of the special olympics.
"A large-scale study of web password habits" http://portal.acm.org/citation.cfm?id=1242572.1242661
Hi. This happens all the time. There is evidence of far more significant data breaches nearly every day in the press - Byzantine Hades, RSA, Aurora, Night Dragon, the list goes on and on. Probably the best argument for why this specific SQL database with web app passwords hasn't been compromised in the past is that it's of very questionable value.
The people holding up convenience stores aren't revolutionaries. And that's true even if you try to spin a yarn where removing the funds from a tax paying business might lead to an eventual budget shortfall.
I figure finding out the moment your email account is compromised is worth investing in, especially in these most recent days of hackers running wild.
Enclosed is the invoice for our audit of your security systems [...]
4 hours of man power: $40.00
Network auditing: $35.00
Web-app auditing: $35.00
Network infiltration*: $0.00
Password and SQL dumping**: $200.00
Decryption of data***: $0.00
Media and press****: $0.00
Total bill: $310.00
The app is definitely over-engineered with 613 tables and few users. I bet Booz Allen charged millions of dollars for building that garbage.
Voting the actual raw data-dumps up emphasizes the other meaning of 'hacker' and almost looks like cheerleading.
The front-page is big enough that I can handle there being one post for the original raw-data, and a subsequent post for the Ars analysis.
Your other point about "cheerleading" is well taken, It is easy to get caught up in the David vs. Goliath sentiment.
Having the information quickly is advantageous to both sides.
Seriously though, unsalted MD5? Again? Like they say in the release, Anonymous can't be any more explicit. Their slogan is "expect us." That should be a clue.
Oh, and it's probably not good to encourage this kind of thing either.
What I disagree with is the "giving them a job" bit. I don't think that rewarding these kinds of people with employment is right - part of working in computer security is having a certain code of ethics. Whereas I'd much prefer that this kind of stuff be made public, giving them a job is similar to rewarding a thief with a job as a cop.
People are free to disagree, of course :P
It does seem clear, though, that we all have a lot to learn about protecting information...
These aren't kids.
Who says they haven't been offered some?
Somewhat akin to having a day job installing security systems, and by night, breaking into houses secured by your competitors.
Releasing the emails was just one outcome. The other was that any dangerous knowledge (or digital weaponry) lying around there were ready for the taking.
I don't know if it's because I'm inside the industry, if software is inherently easier to create and duplicate, or if the damage is somewhat smaller, but I really can't see any software as a weapon.
A tool used in war? Sure. But a weapon? Hardly.
Malware that specifically targeted (inadequately protected) control systems for critical infrastructure (think power/water/transport) would not be unlike an EMP bomb in my opinion.
A weapon is just a type of tool used with intent to harm.
And yes, software can fit into the dictionary description of "weapon", but the scales are completely different.
Throwing it into the same regulatory basket as firearms just seems misleading and asking for trouble.
But maybe you are right, software can be a weapon, and I'm just afraid of the implications of classifying it as such.
While that is correct, it can be extended to pretty much everything. In the end, weapons don't kill people, people kill people.
And while this will probably get me labeled as a conspiracy theorist, I still think that a lot about Stuxnet was way too fishy, and it was way too conveniently timed for all the security fascists that are raving about "Cyber War".
Rifles and bombs don't kill people by themselves either, but are a damn good indication of intent and their simple presence facilitates dangerous situations.
The line gets a little blurry around things like guns and knives, but I think it still holds. For example, an AK-47 is a weapon, while a bird shotgun can be used as a weapon.
Password hashes are not MD5 but mostly BASE64(sha1(password)); some other hashes may be mixed in. Happy cracking.
echo -n PASSWORD123 | openssl dgst -sha1 -binary | base64