Yeah … yeah … yeah … probably not but it’s interesting to see that our government (or at least the US Marines) may have been way ahead of their time. We often think of governments being way behind as compared to the more agile commercial world but this isn’t always true.
One example is a FedBizOpps.gov posting that @mikko came across yesterday from way back in 2003 (a good number of years after War Games). In this solicitation the US Marines particularly called out the development of some exploit development training. Assuming media reports are true, could these classes have been the initial seeds that laid the foundation for the development of Stuxnet, Duqu, and Flame?
Here’s a sample of some of the content from the solicitation.
U–Exploit Development Training
Solicitation Number: DOI-SNOTE-030502-001
Agency: Department of the Interior
Office: Minerals Management Service
Added: May 2, 2003
The United States Marine Corps Network Operations and Security Command (MCNOSC) has an immediate requirement for Exploit Development training. This requirement is being issued by Gov.Works under the franchise authority of the Department of the Interior on behalf of MCNOSC. MCNOSC requires instruction be conducted on-site June 2-6, 2003 by two senior security consultants with a high level of experience working with Core Impact software. Each consultant must be an expert in the field of exploit development, both in general and in context of the Core Impact Framework. Instructors must be able to explain the concepts behind assembly programming needed to successfully exploit vulnerable programs. The training must include how to integrate exploit vulnerabilities into the Core Impact software. The contractor must provide a working copy of the Core Impact software for each terminal in the classroom. The Government intends to negotiate this commercial services requirement on a sole source basis with the Core Security Technologies in accordance with FAR 6.302-1. This is not a request for competitive proposals. However, interested parties may identify their interest and capabilities or submit proposals. All proposals or quotes must be received within 5 calendar days after the date of publication of this synopsis via email to [email protected] or via facsimile at (703)787-1836. Joyce Grudzinski can be reached at (703) 787-1365.
Source: U–Exploit Development Training
Of course the more rational explanation is that they were developing exploits to run against their own systems in order to better harden them. Other than that … note the mention of Core Impact. It’s hard to believe that they are almost a 10-year old company. And I don’t think Metasploit is that much further behind them.
Today’s post pic is from TVTropes.org. See ya!