Slashdot Mirror


Meet the Hackers Who Get Rich Selling Spies Zero-Day Exploits

Sparrowvsrevolution writes "Forbes profiles Vupen, a French security firm that openly sells secret software exploits to spies and government agencies. Its customers pay a $100,000 annual fee simply for the privilege of paying extra fees for the exploits that Vupen's hackers develop, which the company says can penetrate every major browser, as well as other targets like iOS, Android, Adobe Reader and Microsoft Word. Those individual fees often cost much more than that six-figure subscription, and Vupen sells them non-exclusively to play its customers off each other in an espionage arms race. The company's CEO, Chaouki Bekrar, says Vupen only sells to NATO governments and 'NATO partners' but he admits 'if you sell weapons to someone, there's no way to ensure that they won't sell to another agency.'"

7 of 158 comments

  1. Re:Kind of shady? by Sir_Sri · · Score: 3, Informative

    Espionage agencies are lawfully chartered. The activities they undertake in other countries are usually illegal in those countries, but so what, you do it to us, we do it to you, when you catch one of ours, we catch one of yours, trade, and back to business.

    In the case of the French bombing a ship in New Zealand that was illegal, even though New Zealand would be a "NATO Partner" in the parlance of TFA. Two of the agents were caught, and charged.

    Of course had they got back to France (like the rest of the team) likely nothing would have happened to them, although with a more valuable ally like the UK that may not hold true. Countries act in their own interests, and if they're smart they are under no illusion about having any friends.

    The reason people still remember the Rainbow Warrior incident is because it was a major scandal in France, and might not even have been legal in France. Depends on the agreements they had with New Zealand.

  2. Re:Kind of shady? by meerling · · Score: 4, Informative

    The military has very strict rules, and you are only required to follow lawful orders. In fact, if you are given an unlawful order, you are, by military law, required to refuse to follow it and report it to the appropriate military authority. Nobody is protected by "I was just following orders" for performing an unlawful action.
    At least with regards to the US Military. I don't know about other countries.

  3. Re:The true faith of an armorer by forand · · Score: 3, Informative

    For anyone wondering where this is from, it is from the play Major Barbara by George Bernard Shaw. You can find the full script on Gutenberg.

  4. Re:$100,000 is not rich. by Khashishi · · Score: 3, Informative

    That's just the membership fee. How much is the actual product?

  5. There are companies in the U.S. doing this! by Anonymous Coward · · Score: 3, Informative

    Check out this company: Siege Technologies (http://www.siegetechnologies.com/). I had never heard of them before and have no idea how big they are. But they openly advertise that they have a "Vulnerability Discovery Incentive Plan" in their benefit package (http://www.siegetechnologies.com/careers).

    They claim to do work for private companies and the U.S. government. They advertise a "Five year contract awarded to provide DoD with training material on Offensive/Defensive Windows Kernel Security and Development" and are advertising for jobs looking for Reverse Engineers.

  6. Re:Kind of shady? by tnk1 · · Score: 4, Informative

    Summary executions by officers for anything are of extremely doubtful legality today, at least in the US. If an officer simply executed you for some cause and expected that to hold, he would face a guaranteed court-martial. If he tried to pretend that he merely apprehended you and you "escaped", there would still be an investigation at the very least. Unless the whole unit was on the side of the officer, it is unlikely that an officer would get away with it.

    As far as "friendly fire" incidents... those are always possible, but the shooter could still get found out.

    In short, if you turned the officer in for an offense that they might get execution, or life, or 20 years for, you may want to watch your back. Otherwise, no one is going to shoot you unless they are also unbalanced. In which case, you're pretty fucked anyway.

    That said, while it is actually required to refuse an unlawful order, you will still likely have to prove that at court-martial. So, you might well simply obey the officer ordering you to do something technically illegal, but petty. But, if he wants you to start shooting people, I'd suggest taking the court-martial.

  7. Re:Damn... by Anonymous Coward · · Score: 3, Informative

    Ugh.
    securityfocus.com

    select vendor microsoft
    framework .net

    whatever version you use

    there's about a dozen vulnerabilities in version 4.0 alone, including this one overrunning an array

    http://www.securityfocus.com/bid/48212/discuss

    Shithead fanboy. Understand the tools you use. Marketing theory is not implementation reality.

    Yes, they've been found. Yes, they're open. And your question reveals absolutely horrific ignorance and shows that you've drunk the Kool-Aid instead of doing some research.

    Next time you choose a platform, ask yourself what the possible vulnerabilities are, and then do a Google search for them. Had you done this, you'd realize that Java is one of the exploit platforms of choice, second only to Flash -- and has been for years.