Nmap Development mailing list archives
R&D Grant Opportunities for Nmap
From: Fyodor <fyodor () insecure org>
Date: Thu, 11 Feb 2010 21:26:16 -0800
Hi Folks. This email isn't announcing anything, but I wanted to bring up the topic of research and development grants for the Nmap Project. So far the only grants we've received (or applied for) are through the Google Summer of Code project. As everyone here has probably noticed, that program has been a huge win for the Nmap project! Features like the Nmap Scripting Engine, Zenmap, the 2nd generation OS detection system, and Ncat were all started by SoC students!

I think there is room for the Project to benefit from further grants if we find any which are appropriate. Obviously we would only accept grants which help the Nmap project as well as the grantor. For example, we wouldn't take money to develop features which we can't freely distribute to the wider Nmap community, or which wouldn't be useful to the community. But if a grant from a government, company, or organization can facilitate work that benefits the Nmap project, we should go for it!

Obviously the U.S. government is a big source of such grants, and they often go toward much less efficient R&D than is performed by the Nmap project. One traditional source for technology grants is DARPA, and I noticed that Mudge (Peiter Zatko) has been recently appointed as a program manager "in charge of funding research designed to help give the U.S. government tools needed to protect against cyberattacks"[1]. According to that article:

"One of his main goals will be to fund researchers at hacker spaces, start-ups, and boutiques who are most likely to develop technologies that can leapfrog what comes out of large corporations.... He's also hoping that giving a big push to research and development will do more to advance the progress of cybersecurity than public policy decisions have been able to do over the past few decades."

I can think of several ways that the Nmap project can help secure national infrastructure and the private sector:

o Nmap has already proven that it can quickly respond to emerging threats. I think it was the first free scanner (other than the very limited R&D proof of concept) to remotely detect the Conficker worm. And we continued throughout last year (and this year) to release new scripts for new severe vulnerabilities.

o In this economy, many organizations can't afford expensive commercial solutions. But governments and anyone else with a stake in proper and efficient functioning of the Internet want them to be secure. Since anyone from individuals to large corporations can use Nmap for free, cost is not a barrier for them. And with threats such as Conficker, we even provided specific command-line arguments so it didn't require much technical chops either.

o The Nmap project does some great research in areas like network topology visualization, the most effective techniques for OS detection, the relative frequency in which certain services are made available on the Internet, the most effective host discovery probes, etc. This sort of work helps us make Nmap more efficient, but it can also be useful for other purposes.

When Nmap helps organizations secure their networks, it makes the whole Internet safer from attacks. After all, those first insecure victims often become the launching pad and even weapon for the next wave of attacks.

Unfortunately I don't know much about research grants (especially U.S. government ones). So it is no surprise that the project has never applied for any. But it has been suggested that we:

o Keep an eye on SBIR ("Small Business Innovation Research") grant solicitations. See http://www.sbir.gov/. Apparently this money is set aside for _only_ small organizations, so we don't have to compete with giant enterprises who can, uh, "lobby" their way in.

o Keep an eye on Broad Agency Announcements (BAA's) which DARPA and other agencies use to announce research grants.

You may be able to find all of these at http://www.grants.gov.

Just think of how much Nmap could benefit from even a small grant? Given how much great NSE script writing work we see from volunteers who have to work around their day job, imagine how much could be accomplished if we had one or two people working full time on NSE! Or imagine how much more data we could collect if our empirical scanning research was sponsored by the U.S. government?! I think that would add a lot of credibility to the effort and hopefully result in fewer complaints to our ISPs.

But I doubt I can keep on top of all these grant opportunities myself, so I hope the Nmap community will help! If you find any grants which you think the Nmap project is well suited for, please let me know. This applies to government (any government) or NGO grants. Then we can evaluate the opportunity and potentially apply.

Also, if you have any comments or suggestions on grants in general, let me know. As I mentioned, I have no experience in this area.

Cheers,
Fyodor

[1] http://news.cnet.com/8301-27080_3-10450552-245.html

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/