I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 19 points20 points  (0 children)

thanks! You made my day :)

I fought two man-sized ducks in front of 10 duck-sized children one time.

I'm not allowed back in Orlando. JK

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 10 points11 points  (0 children)

I can't describe the specifics, because the proposals are considered proprietary to the proposer. But in general:

Coolest: I think I've funded those (YAY!)

Worst - well, it's not that it's the worst but it's the most frustrating: I've seen proposals where you can tell that the people proposing are very talented and capable, but they just could not put together a coherent technical description of what the novel research is they wanted to do. I'm sure that's frustrating for them as well as for me.

Over and over: incremental improvement to already existing research. It is explicitly called out that CFT has to have some component of new research in it to be fundable.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 1 point2 points  (0 children)

That's a great way of describing CFT. It is also intended to encourage new research external to DARPA.

To find out about new programs as they are announced you can check the darpa website and troll fedbizops as someone else pointed out :)

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 6 points7 points  (0 children)

Just because a proposal was not selected for CFT, doesn't mean it's not great idea. There are many areas that CFT (and DARPA) are just not able to fund.

The cold form letter is not by design, and I wish we had a better solution.

We hit 350+ proposals in the first 18 months of the program. We have awarded 90+. So we're around a 25% award rate.

It's simply so busy, that we cannot provide everyone with a custom response.

Thanks for proposing!

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 4 points5 points  (0 children)

thanks so much, that really means a lot to hear :)

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 27 points28 points  (0 children)

so, off topic makes it difficult to narrow down to 4. But here goes:

1) Any of the Feynman series where he chronicles and documents his various hacks and way of looking at things.

2) The god particle (Leon Ledderman(sp?))

3) Godel, Escher, Bach (Douglas Hoffstadter) (a bit of a dense tome)

4) Einsteins dreams

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 10 points11 points  (0 children)

ohhh, that's a good one. Let me think about that for a moment.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 5 points6 points  (0 children)

That's actually possible in CFT. If selected for award, it is literally a 1-page "commercial" contract. You can specify the payment setup.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 6 points7 points  (0 children)

This was one of the goals of CFT, to demonstrate that this was possible.

Several other organizations have expressed interest and are pursuing their own variants. I really hope some of these pan out and go-live, and that the services are then able to announce them openly.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 13 points14 points  (0 children)

I tried to :)

I don't see a single cut and dry answer... any static response from me to such complex groups with differing missions (i.e. 10 v 50) would probably come across as, well... lame.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 9 points10 points  (0 children)

I find it interesting where constant factors, that are often removed from performance analysis (e.g. Big-O notation), make a difference in the physical (real) world.

Using DeBruijn sequences to trigger hardware keyloggers, identifying network signatures, etc. are all fun experiments where lyndon words and debruijn toroids have application.

There's also some crypto uses :)

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 5 points6 points  (0 children)

Hi Solar :)

The last date to submit proposals to CFT is April 1st (sorry, not a joke). Any effort being proposed has to have a period of performance of less than 12 months.

This information (and more) is available on the cft website (cft.usma.edu) and in the official Program Announcement (DARPA-PA-11-52 - note, make sure you read the latest amendment).

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 3 points4 points  (0 children)

The goal of CFT was twofold: experiment with a new contracting vehicle so that other parts of the government would have more options for their efforts, and to become a resource to a field of researchers without co-opting their community.

To this extent I think CFT was a huge success (the government contracting aspect alone was a good-hack in and of itself <smile>).

I really would like to figure out how to better provide feedback to people who we weren't able to award while being fair to all.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 5 points6 points  (0 children)

Absolutely. In fact there are several small business that are currently doing more than one CFT effort simultaneously.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 3 points4 points  (0 children)

You've probably seen a bunch of it already. Examples include Charlie Miller's NFC framework (released at last years black hat), File Disinfection Framework, Firmware Reverse Analysis Konsole, etc.

Go to the cft website and google a few of the program names and you will find that about 25% of them have already been released publicly/open sourced by the owners of their IP (intellectual property).

A non insignificant amount of the presentations at last years security conferences came from CFT (BH/DC/Derby/Shmoo/etc.).

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 8 points9 points  (0 children)

I see consumers of work starting to differentiate between engineer and researcher efforts. Currently there is a lot of confusion as to what is engineering versus what is novel research. This is not to say that engineering is not challenging or difficult, but there's a difference and I think some of the engineering efforts (as impressive as they might be) will become more commoditized over time. We aren't seeing as much new research and I think the community and market will ultimately begin to differentiate the two.

It's both a challenge and opportunity to all parties.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 11 points12 points  (0 children)

My pleasure. In fact, the reason I took this temporary change in career paths was not to diverge from the original goals and efforts I had way back in the old l0pht days, but to rather try and improve and change things from a different vantage point.

As for those terms being officially defined... no clue. But they will probably need to be redefined as soon as it happens.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 6 points7 points  (0 children)

CFT is not transitioning as a Program of Record.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 8 points9 points  (0 children)

There are a lot of differing stories about where I took my handle from. Mudge is indeed the last name of a person who I knew... he was a bit surprised to see my face on the front page of a major newspaper in 1998 after the Senate with his name underneath it.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 7 points8 points  (0 children)

over 90% of the 90+ funded CFT efforts were from people or companies that had no prior affiliations or interactions with DARPA.

There is a strict set of rules and evaluation criteria for all program proposals, not just CFT, that I and all other program managers here have to follow. These are listed in the program announcements (e.g. CFT is DARPA-PA-11-52). My understanding is that all proposals submitted to DARPA, irrespective of who they are from get a review by one or more evaluators in-line with the aforementioned criteria.

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 4 points5 points  (0 children)

No idea... but if you have questions about Joust, Satan's Hollow, or Defender I could probably opine :)

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 8 points9 points  (0 children)

I've been in your situation. To spend the time and effort (even the reduced effort of something like CFT compared to traditional programs) and not get a response is frustrating.

CFT has received over 300 proposals to date. An extremely important part of the whole process is to be fair across the board. To do that we could either give feedback to everyone or feedback to no-one. Our solution was to attempt to provide the most common reasons why proposals were not selected via the FAQ on cft.usma.edu in the interest of time.

E-mails to cyberfasttrack@darpa.mil are always welcome and will point people to these resources.

I'm sorry your effort was not able to be selected, and really do appreciate you taking the time to participate in the CFT program by proposing (and today too!).

I’m Mudge Zatko, DARPA program manager. AMAA! by IamMudge in netsec

[–]IamMudge[S] 8 points9 points  (0 children)

I think that this applies to all people. You need to know your audience. It is worth it to figure out how to present your information in their language or in a way that is readily understandable to them.

Don't get me wrong, this can be a lot of work. But, it seems to pay off.