Nmap Development mailing list archives

R&D Grant Opportunities for Nmap


From: Fyodor <fyodor () insecure org>
Date: Thu, 11 Feb 2010 21:26:16 -0800

Hi Folks.  This email isn't announcing anything, but I wanted to bring
up the topic of research and development grants for the Nmap Project.
So far the only grants we've received (or applied for) are through the
Google Summer of Code project.  As everyone here has probably noticed,
that program has been a huge win for the Nmap project!  Features like
the Nmap Scripting Engine, Zenmap, the 2nd generation OS detection
system, and Ncat were all started by SoC students!  I think there is
room for the Project to benefit from further grants if we find any
which are appropriate.

Obviously we would only accept grants which help the Nmap project as
well as the grantor.  For example, we wouldn't take money to develop
features which we can't freely distribute to the wider Nmap community,
or which wouldn't be useful to the community.

But if a grant from a government, company, or organization can
facilitate work that benefits the Nmap project, we should go for it!
Obviously the U.S. government is a big source of such grants, and they
often go toward much less efficient R&D than is performed by the Nmap
project.  One traditional source for technology grants is DARPA, and I
noticed that Mudge (Peiter Zatko) has been recently appointed as a
program manager "in charge of funding research designed to help give
the U.S. government tools needed to protect against cyberattacks"[1].
According to that article:

  "One of his main goals will be to fund researchers at hacker spaces,
   start-ups, and boutiques who are most likely to develop
   technologies that can leapfrog what comes out of large
   corporations.... He's also hoping that giving a big push to
   research and development will do more to advance the progress of
   cybersecurity than public policy decisions have been able to do
   over the past few decades."

I can think of several ways that the Nmap project can help secure
national infrastructure and the private sector:

o Nmap has already proven that it can quickly respond to emerging
  threats.  I think it was the first free scanner (other than the very
  limited R&D proof of concept) to remotely detect the Conficker
  worm.  And we continued throughout last year (and this year) to
  release new scripts for new severe vulnerabilities.

o In this economy, many organizations can't afford expensive
  commercial solutions.  But governments and anyone else with a stake
  in proper and efficient functioning of the Internet want them to be
  secure.  Since anyone from individuals to large corporations can use
  Nmap for free, cost is not a barrier for them.  And with threats
  such as Conficker, we even provided specific command-line arguments
  so it didn't require much technical chops either.

o The Nmap project does some great research in areas like network
  topology visualization, the most effective techniques for OS
  detection, the relative frequency in which certain services are made
  available on the Internet, the most effective host discovery probes,
  etc.  This sort of work helps us make Nmap more efficient, but it
  can also be useful for other purposes.

When Nmap helps organizations secure their networks, it makes the
whole Internet safer from attacks.  After all, those first insecure
victims often become the launching pad and even weapon for the next
wave of attacks.

Unfortunately I don't know much about research grants (especially
U.S. government ones).  So it is no surprise that the project has never
applied for any.  But it has been suggested that we:

o Keep an eye on SBIR ("Small Business Innovation Research") grant
  solicitations. See http://www.sbir.gov/.  Apparently this money is
  set aside for _only_ small organizations, so we don't have to
  compete with giant enterprises who can, uh, "lobby" their way in.

o Keep an eye on Broad Agency Announcements (BAA's) which DARPA and
  other agencies use to announce research grants.  You may be able to
  find all of these at http://www.grants.gov.

Just think of how much Nmap could benefit from even a small grant?
Given how much great NSE script writing work we see from volunteers
who have to work around their day job, imagine how much could be
accomplished if we had one or two people working full time on NSE!  Or
imagine how much more data we could collect if our empirical scanning
research was sponsored by the U.S. government?!  I think that would
add a lot of credibility to the effort and hopefully result in fewer
complaints to our ISPs.

But I doubt I can keep on top of all these grant opportunities myself,
so I hope the Nmap community will help!  If you find any grants which
you think the Nmap project is well suited for, please let me know.
This applies to government (any government) or NGO grants.  Then we can
evaluate the opportunity and potentially apply.

Also, if you have any comments or suggestions on grants in general,
let me know.  As I mentioned, I have no experience in this area.

Cheers,
Fyodor

[1] http://news.cnet.com/8301-27080_3-10450552-245.html
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/