Meet the Hackers Who Get Rich Selling Spies Zero-Day Exploits

← Back to Stories (view on slashdot.org)

Meet the Hackers Who Get Rich Selling Spies Zero-Day Exploits

Posted by samzenpus on Wednesday March 21, 2012 @08:00AM from the selling-to-the-man dept.

Sparrowvsrevolution writes "Forbes profiles Vupen, a French security firm that openly sells secret software exploits to spies and government agencies. Its customers pay a $100,000 annual fee simply for the privilege of paying extra fees for the exploits that Vupen's hackers develop, which the company says can penetrate every major browser, as well as other targets like iOS, Android, Adobe Reader and Microsoft Word. Those individual fees often cost much more than that six-figure subscription, and Vupen sells them non-exclusively to play its customers off each other in an espionage arms race. The company's CEO, Chaouki Bekrar, says Vupen only sells to NATO governments and 'NATO partners' but he admits 'if you sell weapons to someone, there's no way to ensure that they won't sell to another agency.'"

108 of 158 comments (clear)

Min score:

Reason:

Sort:

Damn... by cayenne8 · 2012-03-21 08:03 · Score: 5, Funny

That's serious money...
The question is...how do "I" get into that??!?
:)
Hacking stuff, and protected by 'NATO' government paying you handsomely for the 'service'.
sweet...

--
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
1. Re:Damn... by lennier · 2012-03-21 08:23 · Score: 4, Insightful
  
  The question is...how do "I" get into that??!?
  1. Write any sufficiently large piece of C++ code
  2. Wait
  3. Get rooted by the black hats
  4. Find out which trivially-detectable-if-you'd-used-a-decent-language error the black hats found in your code and sell it to NATO
  5. Profit!
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
2. Re:Damn... by Anonymous Coward · 2012-03-21 08:28 · Score: 3, Insightful
  
  Because we all know that programs written in interpreted languages never have bugs nor do their VMs or interpreters.
3. Re:Damn... by Anonymous Coward · 2012-03-21 08:30 · Score: 1, Insightful
  
  Whereas you're clearly doing great things with your life.....
4. Re:Damn... by mjwalshe · 2012-03-21 08:36 · Score: 1
  
  Many Security services do now do open recruitment look up the appropriate website - I would imagine in France going to ENA might help.
5. Re:Damn... by Geek70 · 2012-03-21 08:48 · Score: 1
  
  Would you really want to? I would imagine that every single person working there is having every aspect of their life watched by a whole range of governments/agencies. Great place if you have no love of personal privacy!
6. Re:Damn... by Anonymous Coward · 2012-03-21 08:50 · Score: 1
  
  What in God's name are you blathering about?
7. Re:Damn... by morcego · 2012-03-21 09:08 · Score: 3, Insightful
  
  What's next ? My dog ate my boundary checking ?
  Seriously, blaming the language for the coding bug is one of the lamest things I've ever heard. Bugs (exploitable or not) will be found on any sufficiently large piece of code, written in any language. Heck, there were 1 or 2 cases of bugs introduced by the compiler.
  The real problem is that companies need to get the software out "fast". It is cheaper for the company to fix the code after it is released and payed for, and to keep developing out of it own pockets. It is that simple.
  
  --
  morcego
8. Re:Damn... by Anonymous Coward · 2012-03-21 09:12 · Score: 1
  
  Not wasting your time posting on retarded news websites might be a good start
9. Re:Damn... by daktari · 2012-03-21 09:31 · Score: 1
  
  Whereas you're clearly doing great things with your life.....
  Thanks AC. You've restored my "miserably failing" faith in the institution of AC posting by putting a smile right where it belongs: on my face!
  
  --
  A fool sees not the same tree that a wise man sees. -- Willam Blake
10. Re:Damn... by Anonymous Coward · 2012-03-21 09:38 · Score: 1
  
  The one good thing that has come from all the hackers is the number of stupid bugs in major software has dropped precipitously!
  Back in the day (when I actually programmed for living 20 years ago), I was constantly met with the 'but it works' excuse when I ran across crappy bug ridden code. Refactoring was nearly impossible as most of it was defective by design.
11. Re:Damn... by rtb61 · 2012-03-21 09:42 · Score: 1
  
  'Erm' not to put ton fine a point on it but, management username password and an external log in are sufficient to get in on the act. Once in the world of organised crime, the simplest, most direct solutions are often the most effective.
  So obtain access to and extract from, the holder of management user name and password and within the hour gain access to thousands of hours of cracking effort. You want to play you will always end up paying.
  
  --
  Chaos - everything, everywhere, everywhen
12. Re:Damn... by Anonymous Coward · 2012-03-21 12:11 · Score: 1
  
  Im pretty sure all those things u mentioned are written in C++, with the OSes more likely being C.
  -HasHie
13. Re:Damn... by morcego · 2012-03-21 14:34 · Score: 1
  
  It is not a matter of cheap vs expensive. It is "cheapER". It is always comparative. That's free market for you.
  What needs to change is the BUYING process. People would need to stop buying cheaper solutions. Yeah. For my next trick, I'm going to teleport myself to the moon and back.
  
  --
  morcego
14. Re:Damn... by Anonymous Coward · 2012-03-21 16:14 · Score: 3, Informative
  
  Ugh.
  securityfocus.com
  select vendor microsoft
  framework .net
  whatever version you use
  there's about a dozen vulnerabilities in version 4.0 alone, including this one overrunning an array
  http://www.securityfocus.com/bid/48212/discuss
  Shithead fanboy. Understand the tools you use. Marketing theory is not implementation reality.
  Yes, they've been found. Yes, they're open. And your question reveals absolutely horrific ignorance and shows that you've drank the kool-aid instead of doing some research.
  Next time you choose a platform, ask yourself what the possible vulnerabilities are, and then do a google search for them. Had you done this, you'd realize that Java is one of the exploit platforms of choice, second only to flash -- and has been for years.
15. Re:Damn... by lightknight · 2012-03-21 16:57 · Score: 2
  
  True, but it's harder to cut yourself with a pair of safety scissors than it is a machete.
  
  --
  I am John Hurt.
16. Re:Damn... by lightknight · 2012-03-21 16:58 · Score: 2
  
  There is only one way to know whether or not what you are saying is the truth: Did it involve a god function and a lot of gotos?
  
  --
  I am John Hurt.
17. Re:Damn... by lightknight · 2012-03-22 06:14 · Score: 1
  
  And all joking aside, I would add that supposedly they are still useful, even in good code.
  
  --
  I am John Hurt.
18. Re:Damn... by CastrTroy · 2012-03-22 06:59 · Score: 1
  
  If you click on the Exploit Tab, you'll see that it reads.
  
  Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information,
  
  There have been exploits in the past, but they have been fixed. Also, Java and flash are the most common because those are the main languages that run as plugins in your browser. Of course that's where everyone is going to look for these problems. It wouldn't be a big deal to find a similar bug in PHP or Python, because you couldn't get people's browser to execute them.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I'm not scared... by asdbffg · 2012-03-21 08:05 · Score: 5, Funny

Norton keeps me safe.
1. Re:I'm not scared... by Cazekiel · 2012-03-21 08:31 · Score: 1
  
  I keep seeing this, lolloplexing, scrolling down to read more... scrolling up, MORE lol; you gave the gift that keeps on giving.
  
  --
  You want to know how to help your kids? LEAVE THEM THE F*&K ALONE. --George Carlin
2. Re:I'm not scared... by lightknight · 2012-03-21 17:02 · Score: 1
  
  Yes, but the extra 5 minutes it takes to copy a small text file from one location of your SATA-3 SSD to another is a bit of a deal breaker.
  
  --
  I am John Hurt.
The war of the future by baldrad · 2012-03-21 08:05 · Score: 1

I think it will be interesting to see how the governments of the world start to evolve around this new threat.
So basically... by girlintraining · 2012-03-21 08:06 · Score: 5, Funny

Step 1. Paint giant bullseye on the top of your corporate office. Write "Insert bomb here," repeatedlty around the edge.
Step 2. Sell digital goods that can be used by sovereign powers to wage war on each other to both sides.
Step 3. ???
Step 4. Profi--Error: Connection reset by peer

--
#fuckbeta #iamslashdot #dicemustdie
Thieves among thieves by hjf · 2012-03-21 08:07 · Score: 5, Insightful

Oh, they only sell to NATO, right? You know, you can TRY to lie to us, but in the end, lying to the CIA is the same as lying to yourself. They know you sell to Iran, China, and every other regime out there.
You're on a shady enough business not to sell to the best offer.
1. Re:Thieves among thieves by Anonymous Coward · 2012-03-21 08:20 · Score: 2, Insightful
  
  Even if they do only sell to NATO, NATO governments haven't exactly had a stellar history of respecting human rights in the past decade.
2. Re:Thieves among thieves by WalkingBear · 2012-03-21 09:22 · Score: 1
  
  Of course they sell to Iran, China, et al.. And the CIA and MI5 *help* them with the code they write, especially the code they sell to others. Backdoors in the backdoors.
3. Re:Thieves among thieves by elucido · 2012-03-21 09:22 · Score: 2
  
  Even if they do only sell to NATO, NATO governments haven't exactly had a stellar history of respecting human rights in the past decade.
  What government respects human rights?
  If they don't sell their exploit to NATO who should they sell them to? The FBI?
4. Re:Thieves among thieves by Wrath0fb0b · 2012-03-21 12:19 · Score: 2
  
  Even if they do only sell to NATO, NATO governments haven't exactly had a stellar history of respecting human rights in the past decade.
  Compared to who? I'm pretty sure NATO collectively ranks at the very top of human rights respect on this planet.
5. Re:Thieves among thieves by lightknight · 2012-03-21 17:04 · Score: 1
  
  NATO, and out of the back of a white van, to people whose accents place them from various countries on the 'Naughty List.'
  
  --
  I am John Hurt.
6. Re:Thieves among thieves by L4t3r4lu5 · 2012-03-21 21:02 · Score: 3, Insightful
  
  Compared to who? I'm pretty sure NATO collectively ranks at the very top of human rights respect on this planet.
  Well put. Furthermore, Harold Shipman is my choice of Serial Killer of the Year, as he only ended the lives of the elderly and infirm, and in a humane fashion.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
7. Re:Thieves among thieves by Wrath0fb0b · 2012-03-22 04:17 · Score: 1
  
  Well put. Furthermore, Harold Shipman is my choice of Serial Killer of the Year, as he only ended the lives of the elderly and infirm, and in a humane fashion.
  And he is abominable as compared to the billions of people that don't murder anyone at all.
8. Re:Thieves among thieves by CAIMLAS · 2012-03-22 04:24 · Score: 1
  
  Well, compared to... pretty much everyone.
  Every single NATO-organized operation has not only been a significant failure, but human rights violations have been atrocious. This is more true with the smaller operations involving soldiers from non-Western countries in other non-Western countries. Complete... cluster... fuck.
  
  --
  ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
9. Re:Thieves among thieves by elucido · 2012-03-23 02:33 · Score: 1
  
  What government respects human rights?
  If they don't sell their exploit to NATO who should they sell them to? The FBI?
  The FBI is part of NATO - it is an organization owned by the US government - which is part of NATO. The FBI is not an "alternative". North Korea, China, Al quaeda and organized crime are all "alternatives" to NATO though. The only ones to purchase such stuff are criminals and governments with enemies...
  If they are only selling it to NATO governments and the FBI and US government are part of NATO then what is the problem? Isn't that what all the other contractors are doing anyway?
Kind of shady? by K.+S.+Kyosuke · 2012-03-21 08:07 · Score: 5, Insightful

I mean, aren't there laws against doing things like hacking into computers you don't own? Isn't this aiding in a crime? The last time I checked, even government agencies were obliged not to break laws.

--
Ezekiel 23:20
1. Re:Kind of shady? by Desler · 2012-03-21 08:11 · Score: 5, Funny
  
  Your post is so cute. You actually think they care.
2. Re:Kind of shady? by Iniamyen · 2012-03-21 08:16 · Score: 2
  
  The laws only apply if you are hacking into computers you don't own in order to download The Hurt Locker.
3. Re:Kind of shady? by Anonymous Coward · 2012-03-21 08:17 · Score: 1
  
  Spies act outside of legality. You think it was legal for french agents to place bombs inside the rainbow warrior in new zeland ?
  Sure it was! It was a warrior right? That means it was a warship!
  If you don't agree with this, the hippies... Er.... I mean... terrorists win!
4. Re:Kind of shady? by X0563511 · 2012-03-21 08:20 · Score: 1
  
  Silly citizen, gov't agents are above the law.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
5. Re:Kind of shady? by PPH · 2012-03-21 08:20 · Score: 4, Insightful
  
  even government agencies were obliged not to break laws.
  Unless we're at war.
  We're always at war.
  
  --
  Have gnu, will travel.
6. Re:Kind of shady? by Real_Reddox · 2012-03-21 08:22 · Score: 5, Insightful
  
  if a soldier hears his superior yell "fire", he shoots, no questions asked.
  
  As a soldier, I can only note your lack of insight in how the military works.
  
  --
  I spent five minutes stealing cool sigs and all I got was this.
7. Re:Kind of shady? by EvilBudMan · 2012-03-21 08:29 · Score: 1
  
  How do you prove it?
8. Re:Kind of shady? by Anonymous Coward · 2012-03-21 08:31 · Score: 1
  
  Who said anything about hacking into someone else's computer? Discovering exploits is not a crime.
9. Re:Kind of shady? by theonesandtwos · 2012-03-21 08:34 · Score: 1
  
  Just to play devils advocate, they're selling exploits. You need not hack machines that do not belong to you to develop exploits.
  Are they not in some sense selling knowledge? Since when is that illegal? (State secrets and whatnot aside).
  
  I don't agree with it, but I'm just saying.
10. Re:Kind of shady? by Sir_Sri · 2012-03-21 08:37 · Score: 3, Informative
  
  Espionage agencies are lawfully chartered. The activities they undertake in other countries are usually illegal in those countries, but so what, you do it to us, we do it to you, when you catch one of ours, we catch one of yours, trade, and back to business.
  In the case of the french bombing a ship in new zealand that was illegal, even though New Zealand would be a "NATO Partner" in the parlance of TFA. Two of the agents were caught, and charged.
  Of course had they got back to france (like the rest of the team) likely nothing would have happened to them, although with a more valuable ally like the UK that may not hold true. Countries act in their own interests, and if they're smart they are under no illusion about having any friends.
  The reason people still remember the rainbow warrior incident is because it was a major scandal in france, and might not even have been legal in france. Depends on the agreements they had with New Zealand.
11. Re:Kind of shady? by K.+S.+Kyosuke · 2012-03-21 08:38 · Score: 1
  
  That's possible, but I would think it is one thing for a spy agency to do something shady covertly (obviously, that happens), and another thing for private company to openly sell stuff like this, regardless of who is the buyer. That almost feels like Israel admitting that they have nukes.
  
  --
  Ezekiel 23:20
12. Re:Kind of shady? by meerling · 2012-03-21 08:40 · Score: 4, Informative
  
  The military has very strict rules, and you are only required to follow lawful orders. In fact, if you are given an unlawful order, you are, by military law, required to refuse to follow it and report it to the appropriate military authority. Nobody is protected by "I was just following orders" for performing an unlawful action.
  At least with regards to the US Military. I don't know about other countries.
13. Re:Kind of shady? by betterunixthanunix · 2012-03-21 08:42 · Score: 1
  
  It is also a crime to wiretap someone, but the police do it all the time. Judges can grant warrants to allow law enforcement agencies to do otherwise illegal things.
  
  --
  Palm trees and 8
14. Re:Kind of shady? by DroolTwist · 2012-03-21 09:16 · Score: 1
  
  LOL! I noticed that too.
  
  Just do what the rednecks to, and use 'yer' - nobody questions 'yer'.
15. Re:Kind of shady? by NIN1385 · 2012-03-21 09:19 · Score: 1
  
  Mod up please.
  
  This is the problem with the "war or terror". There is no end, the US government will never be able to declare a victory over this enemy. This plays right into their grand scheme of things, they have a free pass to do whatever they want anywhere in the world and the perfect terrorist attack to justify it.
  
  This is why you will never see a real investigation into the events of September 11th, if there were ever any highly publicized cracks in the story of what happened that day it would bring down the entire house of cards.
  
  --
  
  If carrots got you drunk, rabbits would be fucked up. - Comedian Mitch Hedberg R.I.P. 03/30/68-2/24/05
16. Re:Kind of shady? by Opportunist · 2012-03-21 09:20 · Score: 1
  
  Possible, but what protects me from the bullet in the officer's gun?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
17. Re:Kind of shady? by elucido · 2012-03-21 09:23 · Score: 1
  
  I mean, aren't there laws against doing things like hacking into computers you don't own? Isn't this aiding in a crime? The last time I checked, even government agencies were obliged not to break laws.
  Government agencies don't believe in any laws besides the law of might. If they want to do it they do it just as long as they have the force to get away with it.
18. Re:Kind of shady? by elucido · 2012-03-21 09:33 · Score: 1
  
  Espionage agencies are lawfully chartered. The activities they undertake in other countries are usually illegal in those countries, but so what, you do it to us, we do it to you, when you catch one of ours, we catch one of yours, trade, and back to business.
  In the case of the french bombing a ship in new zealand that was illegal, even though New Zealand would be a "NATO Partner" in the parlance of TFA. Two of the agents were caught, and charged.
  Of course had they got back to france (like the rest of the team) likely nothing would have happened to them, although with a more valuable ally like the UK that may not hold true. Countries act in their own interests, and if they're smart they are under no illusion about having any friends.
  The reason people still remember the rainbow warrior incident is because it was a major scandal in france, and might not even have been legal in france. Depends on the agreements they had with New Zealand.
  You're forgetting that spies don't get "traded', officers get traded back and forth and only the officers with official cover. Officers are spy handlers, the spies are the people who if caught get killed.
19. Re:Kind of shady? by Hatta · 2012-03-21 09:45 · Score: 1
  
  In fact, if you are given an unlawful order, you are, by military law, required to refuse to follow it and report it to the appropriate military authority.
  What do you think actually happens when one does that?
  
  --
  Give me Classic Slashdot or give me death!
20. Re:Kind of shady? by HungryMonkey · 2012-03-21 09:47 · Score: 2
  
  I mean, aren't there laws against doing things like hacking into computers you don't own? Isn't this aiding in a crime? The last time I checked, even government agencies were obliged not to break laws.
  You've got it all wrong. I'm sure they hack into their own computers, nothing illegal there. Then they sell the knowledge of these exploits to their customers in order to protect them from these weaknesses. Now, if someone in one of those agencies "goes against policy" and uses these exploits against someone else, how is it their fault?
21. Re:Kind of shady? by Anonymous Coward · 2012-03-21 10:02 · Score: 1
  
  Possible, but what protects me from the bullet in the officer's gun?
  The bullet in your gun.
  I am always amazed at people who claim the military forced them to do whatever they now face war crimes death penalty for. Sheesh! In such a situation, don't succumb to the pressure. Just fire on the commanders, for a man with a weapon cannot really be forced.
  Of course, there is the risk of being killed for mutiny (unless the rest feel the same way). But if it is a death penalty either way, do what is right.It will make a difference.
22. Re:Kind of shady? by Opportunist · 2012-03-21 10:20 · Score: 3, Insightful
  
  If you go by logic, committing the war crime is the logical conclusion.
  Imagine you're ordered to shoot civilians, or having the option to get shot by your superior. What are your options?
  1. Refusing. You're dead.
  2. Shooting your superior. Chances for a trial: Almost certain. Chances for a conviction: Rather high.
  3. Shooting the civilian. Chances for a trial: Almost zero, as long as every witness is an accomplice. Chances for conviction: Close to zero unless a reporter somehow finds out about it.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
23. Re:Kind of shady? by tnk1 · 2012-03-21 10:43 · Score: 4, Informative
  
  Summary executions by officers for anything are of extremely doubtful legality today, at least in the US. If an officer simply executed you for some cause and expected that to hold, he would face a guaranteed court-martial. If he tried to pretend that he merely apprehended you and you "escaped", there would still be an investigation at the very least. Unless the whole unit was on the side of the officer, it is unlikely that an officer would get away with it.
  As far as "friendly fire" incidents... those are always possible, but the shooter could still get found out.
  In short, if you turned the officer in for an offense that they might get execution, or life, or 20 years for, you may want to watch your back. Otherwise, no one is going to shoot you unless they are also unbalanced. In which case, you're pretty fucked anyway.
  That said, while it is actually required to refuse an unlawful order, you will still likely have to prove that at court-martial. So, you might well simply obey the officer ordering you to do something technically illegal, but petty. But, if he wants you to start shooting people, I'd suggest taking the court-martial.
24. Re:Kind of shady? by tnk1 · 2012-03-21 10:51 · Score: 1
  
  If the officer thinks he can get away with it, you will be subjected to non-judicial punishment or he might just send you straight to a court martial. If he tries to punish you non-judicially, you have a right to insist on a court-martial. The fact that the order was unlawful is your defense. If it is proven, the officer will get dinged himself, based on what the order was.
  If he doesn't think he can get away with it, he'll accept your refusal and move on.
25. Re:Kind of shady? by Opportunist · 2012-03-21 13:37 · Score: 1
  
  An officer doesn't have to shoot you to kill you in a war. He can easily put you in a position where the enemy does that unpleasant work for him.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
26. Re:Kind of shady? by lennier · 2012-03-21 14:16 · Score: 1
  
  There are also laws against doing things like shooting an unarmed person in the head, aka assassination, but if a soldier hears his superior yell "fire", he shoots, no questions asked.
  
  And that's precisely why I don't "support the troops" qua troops. Cyber or otherwise. If you aren't allowed to question orders to harm and kill, you're not allowed to be a free and ethical human being. Why are we (why are Republicans of all people!) still glorifying an institution which practices slavery in the 21st century?
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
27. Re:Kind of shady? by Anonymous Coward · 2012-03-21 15:09 · Score: 1
  
  Your post is so cute. You'd rather post snarky cynical comments than a thought-out analysis of legal and possibly ethical implications of said company's business.
28. Re:Kind of shady? by lightknight · 2012-03-21 17:07 · Score: 1
  
  Nonsense. More than 50% of ELF is made up of intelligence agents, trying to stir up some business.
  
  --
  I am John Hurt.
29. Re:Kind of shady? by Noughmad · 2012-03-21 20:50 · Score: 1
  
  even government agencies were obliged not to break laws.
  Unless we're at war.
  We're always at war.
  We've always been at war.
  
  --
  PlusFive Slashdot reader for Android. Can post comments.
30. Re:Kind of shady? by mapkinase · 2012-03-21 21:18 · Score: 2
  
  No, he'd rather post thought-out analysis of legal and possibly ethical implications of said company's business.that happens to take the snarky cynical form that you so wittily grasped
  
  --
  I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
31. Re:Kind of shady? by Alarash · 2012-03-21 22:02 · Score: 1
  
  Pretty sure you can turn this around saying it's for defense purposes, or "research." Isn't "security researcher" the official term for "white hat" ?
32. Re:Kind of shady? by DrBoumBoum · 2012-03-21 23:15 · Score: 1
  
  Care to elaborate?
33. Re:Kind of shady? by Hydian · 2012-03-22 02:31 · Score: 1
  
  You're forgetting that spies don't get "traded', officers get traded back and forth and only the officers with official cover. Officers are spy handlers, the spies are the people who if caught get killed.
  Yup! Just like Anna Chapman! Oh, wait...she got on the cover of Maxim magazine after being sent home instead...
34. Re:Kind of shady? by Real_Reddox · 2012-03-22 04:28 · Score: 1
  
  Well, Lobasomething apparently subscribes to the belief that all soldiers are mindless robots without consciences. It should go without saying that this isn't true. There is such a thing as illegal orders, and it's every soldier's duty to not follow orders he or she believes are illegal.
  
  --
  I spent five minutes stealing cool sigs and all I got was this.
Exploit to exploit by WinstonWolfIT · 2012-03-21 08:10 · Score: 5, Insightful

Wow. That puts huge incentive on planting moles in projects with wide distribution simply for the aim of writing exploitable code.
1. Re:Exploit to exploit by elucido · 2012-03-21 09:25 · Score: 1
  
  Wow. That puts huge incentive on planting moles in projects with wide distribution simply for the aim of writing exploitable code.
  Agencies probably already do that to save money having to pay these guys.
2. Re:Exploit to exploit by Anonymous Coward · 2012-03-21 10:57 · Score: 1
  
  Well of course. Did you think Adobe monetized Acrobat Reader and Flash by selling content creation tools?
3. Re:Exploit to exploit by ihatewinXP · 2012-03-22 04:28 · Score: 2
  
  That is what I have been wondering.
  How many open source projects / commercial products are compromised by 3 letter agency insiders? Yeah we can 'look at the source' for some software but I have no pretenses on most anyone being able to find a backdoor left in by the best of the best that MIT / NSA etc have to offer. And with an unlimited budget to boot...
  I know if I was in charge id just make sure to get my code into Flash installers, Webkit, MS Office, and a few of the most popular linux packages and call it a day. I mean, what computer worth looking at isnt going to have an office suite, a browser, or flash?
  By the looks of Stuxtnet apparently routers are also a good thing to throw backdoors into as well....
  
  --
  ---- The real Slashdot is still here. You just have to browse at -1 to read the comments.
The true faith of an armorer by Animats · 2012-03-21 08:10 · Score: 4, Insightful

"To give arms to all men who offer an honest price for them, without respect of persons or principles: to aristocrat and republican, to Nihilist and Tsar, to Capitalist and Socialist, to Protestant and Catholic, to burglar and policeman, to black man white man and yellow man, to all sorts and conditions, all nationalities, all faiths, all follies, all causes and all crimes." - Undershaft
1. Re:The true faith of an armorer by forand · 2012-03-21 09:14 · Score: 3, Informative
  
  Anyone wondering where this is from it is from the play Major Barbara by George Bernard Shaw. You can find the full script on Gutenberg.
Scope of Work by Statecraftsman · 2012-03-21 08:20 · Score: 1

I wonder if they ever go from providing exploits to "remote controlled product support".
violation of the DMCA? by cjonslashdot · 2012-03-21 08:22 · Score: 1, Redundant

Isn't this a violation of the DMCA?
1. Re:violation of the DMCA? by Desler · 2012-03-21 08:32 · Score: 1
  
  They're a French company...
2. Re:violation of the DMCA? by cjonslashdot · 2012-03-21 08:43 · Score: 2
  
  Still, if the US can extradite Vladimir Zdorovenin and Gary McKinnon (let alone, Julian Assange) for their purported violation of US laws while outside the US, then the US should be able to extradite the execs of this company. Right?
3. Re:violation of the DMCA? by Lunix+Nutcase · 2012-03-21 08:56 · Score: 1
  
  No.
4. Re:violation of the DMCA? by geoffaus · 2012-03-21 09:18 · Score: 1
  
  or if they ever step on US soil this happened to an exec - cant remember who but he wasnt on good terms with the US then on a flight to canada his plane got diverted to NYC and they got him
  
  --
  As an online discussion grows longer, the probability of a reference to Godwin's Law approaches 1
I hope their physical security is top notch by swb · 2012-03-21 08:22 · Score: 2, Insightful

And not just for their offices, but for their homes and the homes, schools and offices of their families, friends and anyone else they might care about.
It strikes me that these are people you don't want to try to play around with and that some might try to influence you to give a better deal to their side than another side, perhaps using things like pictures of your kids walking to school or your wife gardening.
1. Re:I hope their physical security is top notch by Anonymous Coward · 2012-03-21 09:33 · Score: 1
  
  Why is this modded redundant? I am in ITSec yet am valued more for my knowledge about physical security and it's deep implications. Go ahead go take a look at a light primer: Locks, Safes, and Security by Marc Weber Tobias; then come back and say it is redundant.
2. Re:I hope their physical security is top notch by elucido · 2012-03-21 09:37 · Score: 2
  
  Why is this modded redundant? I am in ITSec yet am valued more for my knowledge about physical security and it's deep implications. Go ahead go take a look at a light primer: Locks, Safes, and Security by Marc Weber Tobias; then come back and say it is redundant.
  But if you know about physical security then you know in most workplaces it barely exists. You've got to secure the entire electromagnetic spectrum, worry about biological attacks, chemical attacks, psychological, and social engineering attacks on top of the technical exploits, lock picking, etc.
  These individuals in this company wouldn't be in the business they are in if they didn't have physical security of some sort. They have as little physical security as everyone else has, but perhaps they are aware of the fact that they aren't completely safe.
  But you're right, if they aren't locked down like a fort someone will still their exploits and then sell them to their clients.
From the desk of Zorg by Anonymous Coward · 2012-03-21 08:25 · Score: 1

"'if you sell weapons to someone, there's no way to ensure that they won't sell to another agency.'""
Or worse!
Zorg: I hate warriors, too narrow-minded. I'll tell you what I do like though: a killer, a dyed-in-the-wool killer. Cold blooded, clean, methodical and thorough. Now a real killer, when he picked up the ZF-1, would've immediately asked about the little red button on the bottom of the gun.
[Scene shifts to Aknot, who is staring in confusion at the little red button. He shrugs and pushes it]
Zorg: [Casually smokes a cigarette as the room with the Mangalores blows up] Bring me the priest.
But my orgies! by Cazekiel · 2012-03-21 08:26 · Score: 1

the company says can penetrate every major browser, as well as other targets like iOS, Android, Adobe Reader and Microsoft Word.
NUUU not my slash!fic!! No touching my pr0n!
Oh wait, Microsoft Word required my first-born for payment, so I downloaded OpenOffice. Not on the list, MY PR0N IS SAFE.

--
You want to know how to help your kids? LEAVE THEM THE F*&K ALONE. --George Carlin
1. Re:But my orgies! by colinrichardday · 2012-03-21 09:23 · Score: 2
  
  You have porn on Microsoft Word? Wouldn't LaTeX be safer? Just don't use a petroleum-based editor.
2. Re:But my orgies! by Cazekiel · 2012-03-21 09:38 · Score: 1
  
  LOLZ, oh, I like you. You can stay. :D
  
  --
  You want to know how to help your kids? LEAVE THEM THE F*&K ALONE. --George Carlin
whom are they using these exploits against? by NarcoTraficante · 2012-03-21 08:40 · Score: 1

As long as the government agencies don't use them within their own territories against their own citizens then it's fine.
1. Re:whom are they using these exploits against? by Opportunist · 2012-03-21 09:15 · Score: 1
  
  Oh, so it's allright if I use it?
  Care to share your IP address?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Perspective:Inside Cisco's eavesdropping apparatus by Anonymous Coward · 2012-03-21 08:59 · Score: 1

Perspective: Inside Cisco's eavesdropping apparatus
By Declan McCullagh | April 21, 2003 4:00 AM PDT
- http://news.cnet.com/2010-1071-997528.html?tag=fd_nc_1
"Cisco Systems has created a more efficient and targeted way for police and intelligence agencies to eavesdrop on people whose Internet service provider uses their company's routers.
The company recently published a proposal that describes how it plans to embed "lawful interception" capability into its products. Among the highlights: Eavesdropping "must be undetectable," and multiple police agencies conducting simultaneous wiretaps must not learn of one another. If an Internet provider uses encryption to preserve its customers' privacy and has access to the encryption keys, it must turn over the intercepted communications to police in a descrambled form.
Cisco's decision to begin offering "lawful interception" capability as an option to its customers could turn out to be either good or bad news for privacy.
Because Cisco's routers currently aren't designed to target an individual, it's easy for an Internet service provider (ISP) to comply with a police request today by turning over all the traffic that flows through a router or switch. Cisco's "lawful interception" capability thus might help limit the amount of data that gets scooped up in the process.
On the other hand, the argument that it hinders privacy goes like this: By making wiretapping more efficient, Cisco will permit governments in other countries--where court oversight of police eavesdropping is even more limited than in the United States--snoop on far more communications than they could have otherwise.
Marc Rotenberg, head of the Electronic Privacy Information Center, says: "I don't see why the technical community should hardwire surveillance standards and not also hardwire accountability standards like audit logs and public reporting. The laws that permit 'lawful interception' typically incorporate both components--the (interception) authority and the means of oversight--but the (Cisco) implementation seems to have only the surveillance component. That is no guarantee that the authority will be used in a 'lawful' manner."
U.S. history provides many examples of government and police agencies conducting illegal wiretaps. The FBI unlawfully spied on Eleanor Roosevelt, Martin Luther King Jr., feminists, gay rights leaders and Catholic priests. During its dark days, the bureau used secret files and hidden microphones to blackmail the Kennedy brothers, sway the Supreme Court and influence presidential elections. Cisco's Internet draft may be titled "lawful interception," but there's no guarantee that the capability will always be used legally.
Still, if you don't like Cisco's decision, remember that they're not the ones doing the snooping. Cisco is responding to its customers' requests, and if they don't, other hardware vendors will.
If you're looking for someone to blame, consider Attorney General John Ashcroft, who asked for and received sweeping surveillance powers in the USA Patriot Act, along with your elected representatives in Congress, who gave those powers to him with virtually no debate.
I talked with Fred Baker, a Cisco fellow and former chairman of the Internet Engineering Task Force (IETF), about his work on the "lawful interception" draft.
Q: Why did Cisco decide to build "lawful interception" into its products? What prompted this?
A: Cisco's customers, not just in United States but in many countries, are finding themselves served with subpoenas to mandate lawful intercept functionality. Cisco received requests from its customers for this capability.
When I found out about the project, I asked to be involved because I wanted to ensure that it was done in a manner that was as close to balanced as I could get. From an engineering perspective, the easiest thing is to give everything to law enforcement and let them sort it out. But I wanted to d
Can't Help But Wonder... by Zamphatta · 2012-03-21 09:00 · Score: 1

Might Vupen have been the ones that discovered the exploits used by Duqu & Stuxnet? If they were, then they might know who created Duqu & Stux.
$100,000 is not rich. by elucido · 2012-03-21 09:04 · Score: 1

I admit it's good enough for one security researcher, or maybe 1.5, but it's not rich.
If we are talking about millions of dollars then we are talking rich.
1. Re:$100,000 is not rich. by Opportunist · 2012-03-21 09:13 · Score: 1
  
  100k per customer. Multiply by x, with x being everyone and anyone willing and able to join the cyber arms race.
  Plus, those 100k are the admission ticket, not the ride fee. Actually getting informed about an exploit and how it works costs extra, and then you WISH it was just 100k...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re:$100,000 is not rich. by Khashishi · 2012-03-21 09:17 · Score: 3, Informative
  
  That's just the membership fee. How much is the actual product?
3. Re:$100,000 is not rich. by elucido · 2012-03-21 09:26 · Score: 1
  
  100k per customer. Multiply by x, with x being everyone and anyone willing and able to join the cyber arms race.
  Plus, those 100k are the admission ticket, not the ride fee. Actually getting informed about an exploit and how it works costs extra, and then you WISH it was just 100k...
  If it's profitable to do things this way then this might be the beginning of a new industry.
Yeah but thats where the money is. by elucido · 2012-03-21 09:09 · Score: 1

And not just for their offices, but for their homes and the homes, schools and offices of their families, friends and anyone else they might care about.
It strikes me that these are people you don't want to try to play around with and that some might try to influence you to give a better deal to their side than another side, perhaps using things like pictures of your kids walking to school or your wife gardening.
There is no easy way for hackers to make money. You'll have to sell to the spies or you don't make money at all because the spies are the ones with the money to pay for security researchers.
As far as them trying to influence for a better deal or exclusive deal this much is obvious.
Just a reminder by Opportunist · 2012-03-21 09:11 · Score: 3, Insightful

When you're extorting, don't get greedy. At some point it's cheaper to just get rid of you than to pay you.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Just a reminder by elucido · 2012-03-21 09:28 · Score: 2
  
  When you're extorting, don't get greedy. At some point it's cheaper to just get rid of you than to pay you.
  So who is going to do the getting rid of? Google?
  Also it's not extortion. Bug testing is Googles job not ours. Finally you have all these agencies that want to buy exploits so it's more like weapons trading but thats basically what the defense industry does anyway. I don't see how this would be extortion but selling missiles to a NATO country isn't?
you are only required to follow lawful orders by rabenja · 2012-03-21 09:19 · Score: 4, Insightful

This is true, but "report[ing] it to the appropriate military authority" will nearly always land the reporting person in deep doo doo. I know that from experience. A junior person's word against the CO and the system that is designed to protect the CO.
1. Re:you are only required to follow lawful orders by El+Torico · 2012-03-22 02:01 · Score: 2
  
  Courage comes in many forms, as does cowardice. It sounds as though you did the right thing and got burned by it. Nonetheless, you did what you thought was right, so I commend you for it (whatever that's worth).
  
  --
  In the land of the blind, the one-eyed man is usually crucified.
Re:All Gun Makers Should Be Arrested?! by elucido · 2012-03-21 10:00 · Score: 1

You make plenty of good points. You need to be modded up.
There are companies in the U.S. doing this! by Anonymous Coward · 2012-03-21 10:14 · Score: 3, Informative

Check out this company: Siege Technologies (http://www.siegetechnologies.com/). I had never heard of them before and have no idea how big they are. But they openly advertise that they have a "Vulnerability Discovery Incentive Plan" in their benefit package (http://www.siegetechnologies.com/careers).
They claim to do work for private companies and the U.S. government. They advertise a "Five year contract awarded to provide DoD with training material on Offensive/Defensive Windows Kernel Security and Development" and are advertising for jobs looking for Reverse Engineers.
Scortched... by guygo · 2012-03-21 10:26 · Score: 1

Sounds like a good reason for the existence of Napalm to me. I wonder how their browser exploits would work against that?
Netragard EAP by netragard · 2012-03-21 16:49 · Score: 1

I'm the COO of Netragard, one of the companies mentioned in this article. I recommend reading http://pentest.netragard.com/netragards-eap/, and if there's interest, I'd be happy to go into as much detail as I can about how EAP functions, and what to expect from the program.
Re:hahaha by lightknight · 2012-03-21 17:01 · Score: 1

Nonsense. Steve Ballmer had unilaterally decided that the .Net languages are far too safe (gotta give the Security Services division something to do / the increased revenue should help prop up that stock price...), and has decided that mandating C++ development is the way to go.

--
I am John Hurt.
France, huh? by bryan1945 · 2012-03-21 21:31 · Score: 1

Figures, they're surrendering before it even becomes an issue.

--
Vote monkeys into Congress. They are cheaper and more trustworthy.
Re:MOD PARENT UP!! by netragard · 2012-03-22 03:01 · Score: 1

Thanks for pointing that out. We recently removed the snosoft.com domain from service, and there's still some stale links that we're purging out.