Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)

At a Google-run competition in Vancouver last month, the search giant’s famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged website to bypass Chrome’s security protections and completely hijack a target computer. But while those two hacks defeated the company’s defenses, it was only a third one that actually managed to get under Google’s skin.

A team of hackers from French security firm Vupen were playing by different rules. They declined to enter Google’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference. And while Google paid a $60,000 award to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used, Vupen’s chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques—certainly not for $60,000 in chump change.

“We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.

In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost & Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques. Those intrusion methods include attacks on software such as Microsoft Word, Adobe Reader, Google’s Android, Apple’s iOS operating systems and many more—Vupen bragged at HP’s hacking competition that it had exploits ready for every major browser. And sources familiar with the company’s business say that a single technique from its catalog often costs far more than its six-figure subscription fee.

Even at those prices, Vupen doesn’t sell its exploits exclusively. Instead, it hawks each trick to multiple government agencies, a business model that often plays its customers against one another as they try to keep up in an espionage arms race.

Bekrar claims that Vupen carefully screens its clients, selling only to NATO governments and “NATO partners.” He says Vupen has further “internal processes” to filter out nondemocratic nations and requires buyers to sign contracts that they won’t reveal or resell their exploits. But even so, he admits that the company’s digital attack methods could still fall into the wrong hands. “We do the best we can to ensure it won’t go outside that agency,” Bekrar says. “But if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.”

That arms-trade comparison is one Vupen’s critics are eager to echo. Chris Soghoian, a privacy activist and fellow at the Open Society Foundations, calls Vupen a “modern-day merchant of death,” selling “the bullets for cyberwar.” After one of its exploits is sold, Soghoian says, “it disappears down a black hole, and they have no idea how it’s being used, with or without a warrant, or whether it’s violating human rights.” The problem was starkly illustrated last year when surveillance gear from Blue Coat Systems of Sunnyvale, Calif. was sold to a United Arab Emirates firm but eventually ended up tracking political dissidents in Syria. “Vupen doesn’t know how their exploits are used, and they probably don’t want to know. As long as the check clears.”

Vupen is hardly alone in the exploit-selling game, but other firms that buy and sell hacking techniques, including Netragard, Endgame and larger contractors like Northrop Grumman and Raytheon, are far more tight-lipped than Bekrar’s small firm in Montpellier, France. Bekrar describes his company as “transparent.” Soghoian calls it “shameless.”

“Vupen is the Snooki of this industry,” says Soghoian. “They seek out publicity, and they don’t even realize that they lack all class. They’re the Jersey Shore of the exploit trade.”

Even so, Bekrar won’t share revenue numbers, though he insists the firm is profitable. One person who will share those sales numbers is a South African hacker who goes by the name “the Grugq” and lives in Bangkok. For just over a year the Grugq has been supplementing his salary as a security researcher by acting as a broker for high-end exploits, connecting his hacker friends with buyers among his government contacts. He says he takes a 15% commission on sales and is on track to earn more than $1 million from the deals this year. “I refuse to deal with anything below mid-five-figures these days,” he says. In December of last year alone he earned $250,000 from his government buyers. “The end-of-year budget burnout was awesome.”

But the Grugq assesses Bekrar’s startup, which generates all its own exploits, as significantly more lucrative. “He’s pretty f—ing smart,” says the Grugq. “He holds all the cards. He can tell his clients to buy at the price he’s offering, or someone else will.”

Despite his talk about “transparency,” Bekrar won’t say much about his personal history or career prior to founding Vupen—not even his age. But Vupen is his third try at a startup focused on digging up software-security bugs. His previous companies, K-Otik and FrSIRT, made their bug findings public. Even after founding Vupen (whose name stands for “vulnerability research” and “penetration testing”) in 2008, Bekrar and his researchers initially worked with some software vendors to patch their flaws. But after taking $1.5 million in venture capital from 360 Capital Partners and Gant & Partners, Bekrar found that the firm could earn far more by keeping its findings under wraps and selling them at a premium.

Lately Bekrar goes so far as publicly taunting the companies whose products he hacks. In May 2011 Vupen released a video showing that it could penetrate a machine running Chrome but offered no further information to Google. When Google responded that Vupen’s exploit targeted the Flash plug-in that runs in the browser rather than Chrome itself, Bekrar accused the company on Twitter of downplaying its vulnerabilities and called it “pathetic.” Google security staffers responded by scolding Bekrar for disregarding users’ privacy and called him an “ethically challenged opportunist.”

Bekrar shrugs off the insults. “We don’t work as hard as we do to help multibillion-dollar software companies make their code secure,” he says. “If we wanted to volunteer, we’d help the homeless.”

(Source: forbes.com)


Farewell, My Lovely

By E. B. White
From the New Yorker for May 16, 1936

I see by the new Sears Roebuck catalogue that it is still possible to buy an axle for a 1909 Model T Ford, but I am not deceived. The great days have faded, and the end is in sight. Only one page in the current catalogue is devoted to parts and accessories for the Model T; yet everyone remembers springtimes when the Ford gadget section was larger than men’s clothing, almost as large as household furnishings. The last Model T was built in 1927, and the car is fading from what scholars call the American scene - which is an understatement, because to a few million people who grew up with it, the old Ford practically was the American scene. It was the miracle that God had wrought. And it was patently the sort of thing that could only happen once. Mechanically uncanny, it was like nothing that had ever come to the world before. Flourishing industries rose and fell with it. As a vehicle, it was hard working, commonplace, heroic; and it often seemed to transmit those qualities to the person who rode in it. My own generation identifies it with Youth, with its gaudy, irretrievable excitements; before it fades into the mist, I would like to pay it the tribute of the sigh that is not a sob, and set down random entries in a shape somewhat less cumbersome than a Sears Roebuck catalogue.

The Model T was distinguished from all other makes of cars by the fact that its transmission was of a type known as planetary - which was half metaphysics, half sheer fiction. Engineers accepted the word ‘planetary’ in its epicyclic sense, but I was always conscious that it also meant ‘wandering’, ‘erratic’. Because of the peculiar nature of this planetary element, there was always, in Model T, a certain dull rapport between engine and wheels, and even when the car was in a state known as neutral, it trembled with a deep imperative and tended to inch forward. There was never a moment when the bands were not faintly egging the machine on. In this respect it was like a horse, rolling the bit on its tongue, and country people brought to it the same technique they used with draft animals.

Its most remarkable quality was its rate of acceleration. In its palmy days the Model T could take off faster than anything on the road. The reason was simple. To get under way, you simply hooked the third finger of the right hand around a lever on the steering column, pulled down hard, and shoved your left foot forcibly against the low-speed pedal. These were simple, positive motions; the car responded by lunging forward with a roar. After a few seconds of this turmoil, you took your toe off the pedal, eased up a mite on the throttle, and the car, possessed of only two forward speeds, catapulted directly into high with a series of ugly jerks and was off on its glorious errand. The abruptness of this departure was never equaled in other cars of the period. The human leg was (and still is) incapable of letting in the clutch with anything like the forthright abandon that used to send Model T on its way. Letting in a clutch is a negative, hesitant motion, depending on delicate nervous control; pushing down the Ford pedal was a simple, country motion - an expansive act, which came as natural as kicking an old door to make it budge.

The driver of the old Model T was a man enthroned. The car, with top up, stood seven feet high. The driver sat on top of the gas tank, brooding it with his own body. When he wanted gasoline, he alighted, together with everything else in the front seat; the seat was pulled off, the metal cap unscrewed, and a wooden stick thrust down to sound the liquid in the well. There was always a couple of these sounding sticks kicking around in the ratty sub-cushion regions of a flivver. Refueling was more of a social function then, because the driver had to unbend, whether he wanted to or not. Directly in front of the driver was the windshield - high, uncompromisingly erect. Nobody talked about air resistance, and the four cylinders pushed the car through the atmosphere with a simple disregard of physical law.

There was this about a Model T; the purchaser never regarded his purchase as a complete, finished product. When you bought a Ford, you figured you had a start - a vibrant, spirited framework to which could be screwed an almost limitless assortment of decorative and functional hardware. Driving away from the agency, hugging the new wheel between your knees, you were already full of creative worry. A Ford was born naked as a baby, and a flourishing industry grew up out of correcting its rare deficiencies and combating its fascinating diseases. Those were the great days of lily-painting. I have been looking at some old Sears Roebuck catalogues, and they bring everything back so clear.

First you bought a Ruby Safety Reflector for the rear, so that your posterior would glow in another car’s brilliance. Then you invested thirty-nine cents in some radiator Moto Wings, a popular ornament which gave the Pegasus touch to the machine and did something godlike to the owner. For nine cents you bought a fan-belt guide to keep the belt from slipping off the pulley. You bought a radiator compound to stop leaks. This was as much a part of everybody’s equipment as aspirin tablets are of a medicine cabinet. You bought special oil to stop chattering, a clamp-on dash light, a patching outfit, a tool box which you bolted on the running board, a sun visor, a steering-column brace to keep the column rigid, and a set of emergency containers for gas, oil and water - three thin, disc-like cans which reposed in a case on the running board during long, important journeys - red for gas, gray for water, green for oil. It was only a beginning. After the car was about a year old, steps were taken to check the alarming disintegration. (Model T was full of tumors, but they were benign.) A set of anti-rattlers (ninety-eight cents) was a popular panacea. You hooked them on to the gas and spark rods, to the brake pull rod, and to the steering-rod connections. Hood silencers, of black rubber, were applied to the fluttering hood. Shock absorbers and snubbers gave ‘complete relaxation’. Some people bought rubber pedal pads, to fit over the standard metal pedals. (I didn’t like these, I remember.) Persons of a suspicious or pugnacious turn of mind bought a rear-view mirror; but most Model T owners weren’t worried by what was coming from behind because they would soon enough see it out in front. They rode in a state of cheerful catalepsy. 
Quite a large mutinous clique among Ford owners went over to a foot accelerator (you could buy one and screw it to the floor board), but there was a certain madness in these people, because the Model T, just as she stood, had a choice of three foot pedals to push, and there were plenty of moments when both feet were occupied in the routine performance of duty and when the only way to speed up the engine was with the hand throttle.

Gadget bred gadget. Owners not only bought ready-made gadgets, they invented gadgets to meet special needs. I myself drove my car directly from the agency to the blacksmith’s, and had the smith affix two enormous iron brackets to the port running board to support an army trunk.

People who owned closed models builded along different lines: they bought ball grip handles for opening doors, window anti-rattlers, and de-luxe flower vases of the cut-glass anti-splash type. People with delicate sensibilities garnished their car with a device called the Donna Lee Automobile Disseminator - a porous vase guaranteed, according to Sears, to fill the car with ‘a faint clean odor of lavender’. The gap between open cars and closed cars was not as great then as it is now: for $11.95, Sears Roebuck converted your touring car into a sedan and you went forth renewed. One agreeable quality of the old Fords was that they had no bumpers, and their fenders softened and wilted with the years and permitted the driver to squeeze in and out of tight places.

Tires were 30 x 3 1/2, cost about twelve dollars, and punctured readily. Everybody carried a Jiffy patching set, with a nutmeg grater to roughen the tube before the goo was spread on. Everybody was capable of putting on a patch, expected to have to, and did have to.

During my association with Model T’s, self-starters were not a prevalent accessory. They were expensive and under suspicion. Your car came equipped with a serviceable crank, and the first thing you learned was how to Get Results. It was a special trick, and until you learned it (usually from another Ford owner, but sometimes by a period of appalling experimentation) you might as well have been winding up an awning. The trick was to leave the ignition switch off, proceed to the animal’s head, pull the choke (which was a little wire protruding through the radiator) and give the crank two or three nonchalant upward lifts. Then, whistling as though thinking about something else, you would saunter back to the driver’s cabin, turn the ignition on, return to the crank, and this time, catching it on the downstroke, give it a quick spin with plenty of That. If this procedure was followed, the engine almost always responded - first with a few scattered explosions, then with a tumultuous gunfire, which you checked by racing around to the driver’s seat and retarding the throttle. Often, if the emergency brake hadn’t been pulled all the way back, the car advanced on you the instant the first explosion occurred and you would hold it back by leaning your weight against it. I can still feel my old Ford nuzzling me at the curb, as though looking for an apple in my pocket. In zero weather, ordinary cranking became an impossibility, except for giants. The oil thickened, and it became necessary to jack up the rear wheels, which for some planetary reason, eased the throw.

The lore and legend that governed the Ford were boundless. Owners had their own theories about everything; they discussed mutual problems in that wise, infinitely resourceful way old women discuss rheumatism. Exact knowledge was pretty scarce, and often proved less effective than superstition. Dropping a camphor ball into the gas tank was a popular expedient; it seemed to have a tonic effect both on man and machine. There wasn’t much to base exact knowledge on. The Ford driver flew blind. He didn’t know the temperature of his engine, the speed of his car, the amount of his fuel, or the pressure of his oil (the old Ford lubricated itself by what was amiably described as the ‘splash system’). A speedometer cost money and was an extra, like a windshield-wiper. The dashboard of the early models was bare save for an ignition key; later models, grown effete, boasted an ammeter which pulsated alarmingly with the throbbing of the car. Under the dash was a box of coils, with vibrators which you adjusted, or thought you adjusted. Whatever the driver learned of his motor, he learned not through instruments but through sudden developments. I remember that the timer was one of the vital organs about which there was ample doctrine. When everything else had been checked, you had a look at the timer. It was an extravagantly odd little device, simple in construction, mysterious in function. It contained a roller, held by a spring, and there were four contact points on the inside of the case against which, many people believed, the roller rolled. I have had a timer apart on a sick Ford many times. But I never really knew what I was up to, I was just showing off before God. There were almost as many schools of thought as there were timers. Some people, when things went wrong, just clenched their teeth and gave the timer a smart crack with a wrench. Other people opened it up and blew on it. 
There was a school that held that the timer needed large amounts of oil; they fixed it by frequent baptism. And there was a school that was positive it was meant to run dry as a bone; these people were continually taking it off and wiping it. I remember once spitting into a timer; not in anger, but in a spirit of research. You see, the Model T driver moved in the realm of metaphysics. He believed his car could be hexed.

One reason the Ford anatomy was never reduced to an exact science was that, having ‘fixed’ it, the owner couldn’t honestly claim that the treatment had brought about the cure. There were too many authenticated cases of Fords fixing themselves - restored naturally to health after a short rest. Farmers soon discovered this, and it fitted nicely with their draft-horse philosophy: ‘Let ’er cool off and she’ll snap into it again.’

A Ford owner had Number One Bearing constantly in mind. This bearing, being at the front end of the motor, was the one that always burned out, because the oil didn’t reach it when the car was climbing hills. (That’s what I was always told, anyway.) The oil used to recede and leave Number One dry as a clam flat; you had to watch that bearing like a hawk. It was like a weak heart - you could hear it start knocking, and that was when you stopped to let her cool off. Try as you would to keep the oil supply right, in the end Number One always went out. ‘Number One Bearing burned out on me and I had to have her replaced,’ you would say, wisely; and your companions always had a lot to tell about how to protect and pamper Number One to keep her alive.

Sprinkled not too liberally among the millions of amateur witch doctors who drove Fords and applied their own abominable cures were the heaven sent mechanics who could really make the car talk. These professionals turned up in undreamed-of spots. One time, on the banks of the Columbia River in Washington, I heard the rear end go out of my Model T when I was trying to whip it up a steep incline onto the deck of a ferry. Something snapped; the car slid backwards into the mud. It seemed to me like the end of the trail. But the captain of the ferry, observing the withered remnant, spoke up.

‘What’s got her?’ he asked.

‘I guess it’s the rear end,’ I replied listlessly. The captain leaned over the rail and stared. Then I saw that there was a hunger in his eyes that set him off from other men.

‘Tell you what,’ he said casually, trying to cover up his eagerness, ‘let’s pull the son of a bitch up onto the boat, and I’ll help you fix her while we’re going back and forth on the river.’

We did just this. All that day I plied between the towns of Pasco and Kennewick, while the skipper (who had once worked in a Ford garage) directed the amazing work of resetting the bones of my car.

Springtime in the heyday of the Model T was a delirious season. Owning a car was still a major excitement, roads were still wonderful and bad. The Fords were obviously conceived in madness: any car which was capable of going from forward into reverse without any perceptible mechanical hiatus was bound to be a mighty challenging thing to the human imagination. Boys used to veer them off the highway into a level pasture and run wild with them, as though they were cutting up with a girl. Most everybody used the reverse pedal quite as much as the regular foot brake - it distributed the wear over the bands and wore them all down evenly. That was the big trick, to wear all the bands down evenly, so that the final chattering would be total and the whole unit scream for renewal.

The days were golden, the nights were dim and strange. I still recall with trembling those loud, nocturnal crises when you drew up to a signpost and raced the engine so the lights would be bright enough to read destinations by. I have never been really planetary since. I suppose it’s time to say goodbye. Farewell, my lovely!

(Source: wesjones.com)

Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray’s case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the “wet streets cause rain” stories. Paper’s full of them. In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.

Michael Crichton (via ashponders)

I was listening to All Tech Considered one day, when I had an epiphany that the rest of the news was probably as bad as the technology coverage. That’s when I switched to the classical station.

(via ashponders)

In Q1 of last year Groupon had net income of $8.5 million on $44.2 million in revenue, for a profit margin of nearly 20%. For the remainder of the year they had $669 million in revenue, but had a net loss of $398 million.

Groupon Is Effectively Insolvent

Sounds like quite a mining operation to me.

Science in action

An astronomy student carefully monitors progress of an observation in the Parkes Radiotelescope control room. Observing is an exhausting business. You need to keep a careful eye on all the equipment while it’s doing those 50-minute integrations!
