The FBI's WikiLeaks Mole

Sunday 11 August 2013

When he met Julian Assange for the first time, Sigurdur Thordarson admired the WikiLeaks founder’s attitude and quickly signed up to the cause. But little more than a year later, Thordarson was working as an informant spying on WikiLeaks for the US government — embroiling himself as a teenager in one of the most complicated international events in recent history.

In a series of interviews with Slate, Thordarson has detailed the full story behind how, in an extraordinary sequence of events, he went from accompanying Assange to court hearings in London to secretly passing troves of data on WikiLeaks staff and affiliated activists to the FBI. The 20-year-old Icelandic citizen’s account is partly corroborated by authorities in Iceland, who have confirmed that he was at the center of a diplomatic row in 2011 when a handful of FBI agents flew in to the country to meet with him — but were subsequently asked to leave after a government minister suspected they were trying to “frame” Assange.

Thordarson, who first outed himself as an informant in a Wired story in June, provided me with access to a pseudonymous email account that he says was created for him by the FBI. He also produced documents and travel records for trips to Denmark and the United States that he says were organized and paid for by the bureau.

The FBI declined to comment on Thordarson’s role as an informant or the content of the emails its agents are alleged to have sent him. In a statement, it said that it was “not able to discuss investigative tools and techniques, nor comment on ongoing investigations.” But emails sent by alleged FBI agents to Thordarson, which left a digital trail leading back to computers located within the United States, appear to shine a light on the extent of the bureau’s efforts to aggressively investigate WikiLeaks following the whistle-blower website’s publication of classified US military and State Department files in 2010.

Late last month, Army intelligence analyst Bradley Manning was convicted on counts of espionage, theft, and computer fraud for passing the group the secrets. During the Manning trial, military prosecutors portrayed Assange as an “information anarchist,” and now it seems increasingly possible that the US government may next go after the 42-year-old Australian for his role in obtaining and publishing the documents. For the past 14 months, Assange has been living in Ecuador’s London Embassy after being granted political asylum by the country over fears that, if he is sent to Sweden to face sexual offense allegations, he will be detained and subsequently extradited to the United States.

Meanwhile, for more than two years, prosecutors have been quietly conducting a sweeping investigation into WikiLeaks that remains active today. The FBI’s files in the Manning case number more than 42,000 pages, according to statements made during the soldier’s pretrial hearings, and that stack of proverbial paper likely continues to grow. Thordarson’s story offers a unique insight into the politically-charged probe: Information he has provided appears to show that there was internal tension within the FBI over a controversial attempt to infiltrate and gather intelligence on the whistle-blower group. Thordarson gave the FBI a large amount of data on WikiLeaks, including private chat message logs, photographs, and contact details of volunteers, activists, and journalists affiliated with the organization. Thordarson alleges that the bureau even asked him to covertly record conversations with Assange in a bid to tie him to a criminal hacking conspiracy. The feds pulled back only after becoming concerned that the Australian was close to discovering the spy effort.


It was 2010 when the saga began in Reykjavik, Iceland. Thordarson, then just 17, says that before his first encounter with Assange, he knew little about the man beyond a few YouTube videos he’d watched about WikiLeaks. But he went to hear Assange speak at a conference hosted by an Icelandic university, and the teenager was impressed. After the event, a journalist Thordarson knew introduced him to Assange, and the pair struck up a relationship that led to Thordarson doing some volunteer work for the organization. Before long, he was on the edges of WikiLeaks’ small, tight-knit inner circle.

At that time, the group was sitting on the explosive files it had received from Manning that included a video showing a US helicopter attack that resulted in the deaths of 12 civilians, among them two employees of the Reuters news agency.

Thordarson, a blond-haired stocky figure with a baby face, was present while WikiLeaks staff and volunteers in Reykjavik were preparing the video for publication. When it was published by WikiLeaks in April 2010, under the name Collateral Murder, it catapulted the organization into the international spotlight and provoked an angry response from government officials in Washington.

The then-teenager, known as “Siggi” to his friends, was around at the height of that backlash. He was given administrative privileges to moderate an Internet chat room run by WikiLeaks. And when Assange relocated from Iceland to England, Thordarson came to visit. He even accompanied the WikiLeaks founder to court appearances in London as he fought extradition to Sweden over allegations of sexual assault.

Thordarson looked up to Assange, viewing him as a friend. The WikiLeaks chief, he says, treated him well — helping him find a lawyer in 2010, not long after the pair had met, when he says he was wrongly accused by Icelandic police of breaking into a business premises. But signs that Thordarson had a proclivity for brushes with the law did not appear to trigger alarm bells early on at WikiLeaks — though perhaps they should have, because he was certainly not any ordinary volunteer. Unlike many drawn to WikiLeaks, Thordarson does not seem to have been principally motivated by a passion for the cause of transparency or by the desire to expose government wrongdoing. Instead, he was on the hunt for excitement and got a thrill out of being close to people publishing secret government documents.

As a child, Thordarson led a fairly normal middle-class life in Reykjavik, enjoying social studies and chemistry at school. His father worked as a sales manager at a painting firm, and his mother ran a hair salon. But as he entered his teenage years, he says, he began to feel that he could not connect with others in his peer group. He went to college to study computer science and psychology — but claims he was suspended after hacking into a college computer system.

By mid-2011, Thordarson’s thirst for adventure, combined with his interest in hacking, would irreversibly complicate his relationship with WikiLeaks. In June of that year, the Anonymous-linked hacker group LulzSec brought down the website of the CIA. Thordarson says that he and other WikiLeaks staff were amused by the incident, and he decided to reach out to the hackers to establish contact. Thordarson claims that, using the aliases “Q” and “Penguin X,” he set up a line of communication between WikiLeaks and LulzSec. During the series of exchanges that followed, Thordarson says he “suggested” that his group wanted assistance to find evidence of anti-WikiLeaks sentiment within the Icelandic government’s Ministry of Finance, which had thwarted an attempt by DataCell, a company that processes WikiLeaks donations, to purchase a large new data center in Reykjavik. (In early 2011, DataCell’s founder questioned whether the Icelandic government had deliberately prevented the deal because it was “afraid of letting WikiLeaks here into the country.”)

“That was basically the first assignment WikiLeaks gave to LulzSec,” Thordarson alleges, “to breach the Icelandic government infrastructure.”

Lady Liberty

Wednesday 1 May 2013

The Statue of Liberty is getting a facelift, though the changes aren’t only cosmetic. An upgraded "state of the art" security system will help keep Lady Liberty safe when it reopens soon. But what does the system entail, and could it involve a controversial new face-recognition technology that can detect visitors’ ethnicity from a distance? I tried to find out — and a New York surveillance company tried to stop me.

Face recognition was first implemented at the Statue of Liberty in 2002 as part of an attempt to spot suspected terrorists whose mug shots were stored on a federal database. At the time, the initiative was lambasted by the American Civil Liberties Union, which said it was so ineffective that “Osama Bin Laden himself” could easily dodge it.

But the technology has advanced since then: Late last year, trade magazine Police Product Insight reported that a trial of the latest face-recognition software was being planned at the Statue of Liberty for the end of 2012 to “help law enforcement and intelligence agencies spot suspicious activity.” New York surveillance camera contractor Total Recall Corp. was quoted as having told the magazine that it was set to trial software called FaceVACS, made by German firm Cognitec, at the famed tourist attraction. FaceVACS, Cognitec boasts in marketing materials, can guess ethnicity based on a person’s skin color, flag suspects on watch lists, estimate the age of a person, detect gender, “track” faces in real time, and help identify suspects if they have tried to evade detection by putting on glasses, growing a beard, or changing their hairstyle. Some versions of face-recognition software used today remain ineffective, as investigators found in the aftermath of the Boston bombings. But Cognitec claims its latest technology has a far higher accuracy rating — and is certainly more advanced than the earlier versions of face-recognition software, like the kind used at the Statue of Liberty back in 2002. (It is not clear whether the face-recognition technology remained in use at the statue after 2002.)

Liberty Island took such a severe battering during Sandy that it has stayed closed to the public ever since — thwarting the prospect of a pilot of the new software. But the statue, which attracts more than 3 million visitors annually according to estimates, is finally due to open again on July 4. In March, Statue of Liberty superintendent Dave Luchsinger told me that plans were underway to install an upgraded surveillance system in time for the reopening. “We are moving forward with the proposal that Total Recall has come up with,” he said, adding that “[new] systems are going in, and I know they are state of the art.”

When it came to my questions about face recognition, though, things started to get murky. Was that particular project back on track? “We do work with Cognitec, but right now because of what happened with Sandy it put a lot of different pilots that we are doing on hold,” Peter Millius, Total Recall’s director of business development, said in a phone call. “It’s still months away, and the facial recognition right now is not going to be part of this phase.” Then, he put me on hold and came back a few minutes later with a different position — insisting that the face-recognition project had in fact been “vetoed” by the Park Police and adding that I was “not authorized” to write about it.

That was weird, but it soon got weirder. About an hour after I spoke with Total Recall, an email from Cognitec landed in my inbox. It was from the company’s marketing manager, Elke Oberg, who had just one day earlier told me in a phone interview that “yes, they are going to try out our technology there” in response to questions about a face-recognition pilot at the statue. Now, Oberg had sent a letter ordering me to “refrain from publishing any information about the use of face recognition at the Statue of Liberty.” It said that I had “false information,” that the project had been “cancelled,” and that if I wrote about it, there would be “legal action.” Total Recall then separately sent me an almost identical letter — warning me not to write “any information about Total Recall and the Statue of Liberty or the use of face recognition at the Statue of Liberty.” Both companies declined further requests for comment, and Millius at Total Recall even threatened to take legal action against me personally if I continued to “harass” him with additional questions. (You can read the full correspondence here.)

Linda Friar, a National Park Service spokeswoman, confirmed that the procurement process for security screening equipment is ongoing, but she refused to comment on whether the camera surveillance system inside the statue was being upgraded on the grounds that it was “sensitive information.” So will there be a trial of new face-recognition software — or did the Park Police “cancel” or “veto” this? It would probably be easier to squeeze blood from a stone than to obtain answers to those questions. “I’m not going to show my hand as far as what security technologies we have,” Greg Norman, Park Police captain at Liberty Island, said in a brief phone interview.

The great irony here, of course, is that this is a story about a statue that stands to represent freedom and democracy in the modern world. Yet at the heart of it are corporations issuing crude threats in an attempt to stifle legitimate journalism — and by extension dictate what citizens can and cannot know about the potential use of contentious surveillance tools used to monitor them as they visit that very statue. Whether Cognitec's ethnicity-detecting face recognition software will eventually be implemented at Lady Liberty remains to be seen. What is certain, however, is that the attempt to silence reporting on the mere prospect of it is part of an alarming wider trend to curtail discussion about new security technologies that are (re)shaping society.

This article first appeared at Slate.

The Barrett Brown Saga

Friday 22 March 2013

Until the moment the FBI burst through his door, it had been much like any other day for Barrett Brown.

The 31-year-old writer and activist, closely affiliated to the Anonymous hacking collective, had been joking around late at night in an internet webcam chat room with a few friends. But the conversation abruptly halted when Brown's video feed blacked out. Amid a flurry of commotion and cries of "get down," a troupe of armed agents surged into his apartment in Dallas, Texas, and handcuffed him face down on the floor.

Since that evening, on 12 September last year, Brown has been in a Texas jail awaiting a looming trial that could land him several decades behind bars. He stands accused of committing 17 offences in total, including aiding and abetting aggravated identity theft, making internet threats, and retaliation against a federal law enforcement officer. But it is no ordinary, open and shut case. It is a bizarre saga that involves a web of secrets, scandals, covert informants and some of the most widely publicised computer hacking conspiracies in recent history.

US authorities have made it clear in indictments lodged against Brown that they view him as a menace to society — an anti-government anarchist agitating for violent revolution. But supporters claim he is being subjected to heavy-handed prosecution, comparing his plight to that of Matthew Keys, the Reuters social media editor accused last week of conspiring with Anonymous, and Aaron Swartz, the prominent internet freedom activist who committed suicide in January while facing a host of controversial hacking charges. In reality, neither side is the full story.

Brown, just short of 6 feet tall, skinny with sandy brown hair, grew up in an affluent part of Dallas County, the son of a wealthy Texas real estate developer. He is a somewhat eccentric character — a college dropout firebrand with a history of drug addiction and a penchant for ranting, red wine and cigarettes.

Before he crossed paths with the FBI, Brown was a prolific writer who had contributed to publications including Vanity Fair, the Guardian, the Huffington Post and satirical news site the Onion. He had a short stint in politics as the director of communications for an atheist group called Enlighten the Vote, and he co-authored a well-received book mocking creationism, Flock of Dodos, which the Harvard law professor Alan Dershowitz compared to works by celebrated authors Thomas Paine and Mark Twain.

"I really just wanted to write humour and was absolutely on track to doing so until a couple events and thoughts in 2009," Brown told me in August last year, shortly before his arrest. What changed his trajectory was that he immersed himself in what he would sometimes jokingly term "this computer shit" — a strange and chaotic world of online activism.

There were a number of factors involved, each of them closely connected. It began when Brown hatched the idea for an internet thinktank he named Project PM, in 2009, dedicated to investigating private government contractors working in the secretive fields of cybersecurity, intelligence and surveillance. Then, in 2010, WikiLeaks published thousands of classified US government documents. And at around the same time Anonymous exploded onto the world stage, attacking the Church of Scientology and defending WikiLeaks by declaring cyberwar on payment processors like Paypal and Visa, which had blocked the whistleblower website's funding sources after pressure from US politicians.

Brown saw a conflation of interests between Project PM, WikiLeaks and Anonymous. He believed WikiLeaks was doing a "tremendous service to humanity" by releasing classified government information, and he was inspired by Anonymous, which he viewed as "unprecedented" because of the way it brought people on the internet together as a force for political change.

Before long, Brown had directly affiliated himself with Anonymous, and by early 2011 he was working alongside some of its most skilled hackers as a sort of de facto press officer. He had no hacking ability, but instead put his flair for writing and rhetoric to use. He would send out missives to his media contacts and do televised interviews in which he would rail against murky government cybersecurity initiatives that he said Anonymous would expose.

Some within the diffuse community of Anonymous took an instant dislike to Brown, accusing him of being a paranoid egomaniac who was seeking fame and hogging the limelight. But he rarely gave his critics a second glance because, as far as he was concerned, he had more pertinent issues to deal with — on one occasion embroiling himself in a surreal public spat with a Mexican drug cartel over a kidnapped activist.

"We have hit upon things here that really do matter — that haven't been given due consideration," he would bark in his distinctive, rapid-fire baritone southern drawl. "The battlefield is the information flow."

Brown's interviews, some aired as "exclusives" on major US TV news networks like NBC, grabbed attention. He viewed himself as engaged in what he would refer to as "information operations," almost like a military propaganda campaign. Hackers would sometimes obtain data and then pass it on to him. He would spend days and nights hunkered down in his small uptown Dallas apartment poring through troves of hacked documents, writing blog posts about US government intelligence contractors and their "misplaced power" while working to garner wider media coverage.

When servers belonging to the American security thinktank Stratfor were infiltrated by the hackers in December 2011, for instance, Brown alerted reporters across the world. He told the Times that millions of stolen emails, later published by WikiLeaks, could prove to be "the smoking gun for a number of crimes of extraordinary importance". It was mostly hyperbole, of course, but he was a skilled operator. He knew how to get headlines, especially headlines that would rile his adversaries.

By becoming a public advocate for hackers implicated in major computer crimes, however, Brown was in extremely shaky legal territory. He had developed a close relationship with an Anonymous splinter group called AntiSec — a volatile, militant outfit that had evolved out of LulzSec, another Anonymous offshoot which took credit for a series of prominent attacks on government websites and multinational corporations over a 50-day rampage in the summer of 2011.

AntiSec became highly active toward the end of 2011, hacking Stratfor and then later a Virginia-based law firm involved in defending a US marine who had played a key role in a massacre of civilians during the Iraq war. The group dumped thousands of Stratfor customers' credit card numbers online and posted a large trove of emails obtained from the law firm, collaterally exposing personal details about victims of sexual assault in the process.

It appeared that the hackers were becoming increasingly callous and equally careless, veering from the "vigilantes for good" image they liked to project of themselves.

Brown said that the credit card leak was a "public relations blunder" that had caused internal conflict between the hackers. One party had been "blindsided" by the data dump, according to Brown, and one of the team quit the group and "went dark" because of it.

"I wasn't informed of the leak or the nature of the leak," he told me at the time. "I do defend them for it and I will take responsibility for defending them. But if I had my way it would have been done differently. I have no... they don't need me, basically, so they don't ask my opinion."

But by then it was too late: Brown's relationship with AntiSec had pinned a law enforcement target on his back. A few months after the hack on Stratfor, he was raided for the first time by the FBI. He was not arrested, but some of his property, including his laptop computer, was confiscated as evidence.

On the same day, 6 March 2012, an explosive Fox News story outed a core member of both AntiSec and LulzSec as an FBI informant. "Sabu," real name Hector Monsegur, 29, had been "turned" nine months earlier by the authorities after being traced to his New York apartment.

In order to escape jail, Monsegur, a notorious loudmouth elite hacker who was considered a ringleader of the groups, had been covertly cooperating with the FBI to help build cases against, and track down, his former partners. It was an extraordinary development that shook the hacking community and made front page news internationally.

Prosecutors, likely assisted at least in part by evidence gleaned by Monsegur, have since accused Brown of aiding and abetting the transfer of the credit card numbers obtained from Stratfor's servers in a case of aggravated identity theft. The hackers used the credit cards to fraudulently donate hundreds of thousands of dollars to charities including the Red Cross and Save the Children.

Brown, who denies all of the charges against him, is also accused of a separate fraud-related offence that carries up to 15 years imprisonment for copying and pasting a hyperlink in a chat room to a file that allegedly included within it some 5,000 Stratfor credit card details. This has caused an outcry among some activists, with secret-spilling website Cryptome — which published the same link Brown is accused of sharing — posting a statement likening the charge to "official chilling of free speech online" and criticising "over-reaching indictments."

The spiralling debacle eventually took its toll on Brown. The FBI seizure of his property and the revelation about Monsegur, whom he angrily branded a "degenerate pussy traitor," seemed pivotal.

When I spoke to him earlier in 2011 he had appeared optimistic — as if he felt he was riding the crest of an unstoppable wave. He would talk enthusiastically about "spiritual change" taking place due to revolutions sweeping the Arab world, and explain how young Anonymous hackers he knew had assisted activists in the Middle East by providing them with tools to counter government surveillance and tracking. But by spring 2012, his mindset seemed to alter, his mood darker and at times almost anguished.

"We're losing hope in the idea of trying to convince the American people to pay attention to something that matters," he lamented in April, speaking on the phone from Dallas. "To some extent we are all the enemy, all of us have failed."

Brown was frustrated that mainstream media outlets were not covering stories he felt deserved attention. He would complain that reporters would often approach him and ask about the personalities of some of the more prominent hackers, like Monsegur, but ignore the deeper issues about governments and private contractors contained in documents that had been hacked.

Complicating matters further, as a recovering heroin addict, Brown was taking Suboxone, a prescription drug used to treat opiate withdrawal. This was having an impact on his health, perhaps amplified by the cyclone of drama engulfing him. One day in August, he told me he had broken down in tears. "All of it gets to be too much," he wrote in an email.

Three weeks later, Brown would be in jail. He had posted online a series of videos in which he appeared to issue threats directed at a named FBI agent, whom he accused of harassing his mother, and demanded that his previously seized property be returned. In the videos he looked frazzled, pale and on edge. He concluded with a lengthy tirade, saying he feared drug cartel "assassin squads" were out to get him and warning government officials not to come near his apartment.

"I will shoot all of them and kill them if they come," he said, looking blankly straight into the camera. "It was pretty obvious I was going to be dead before I was forty or so — so I wouldn't mind going out with two FBI sidearms like a fucking Egyptian Pharaoh."

Within hours of the video appearing, agents charged through his door and pinned him to the floor. For the FBI, it was clearly the final straw. Brown had moved from publishing long blog screeds blasting shady security firms to making violent threats. Hyperbole or not, a line had been crossed. His time was up.

When the moment finally came, Brown can't have been too surprised. He suspected that one day he was going to end up carted off to a dingy jail cell, he just didn't know exactly when or in what circumstances. He had accepted his fate fairly soon after becoming involved with Anonymous.

"I'll probably be charged or indicted," he told me during one interview in early 2012. "I just hope that a trial will bring more media attention to the issues that brought me here in the first place."

Brown is due to face two separate trials, the first of which is scheduled to begin on 3 September.

Last I heard from him he was doing all right.

"How's everything?" he wrote in a short message. "I seem to be in prison."


This article first appeared in the Guardian.

Mass Interception

Thursday 21 February 2013

Every day, billions of emails and phone calls flow through communications networks in countries across the world. Now, one American company has built technology capable of spying on them all — and business is booming.

Verint, a leading manufacturer of surveillance technologies, is headquartered in Melville, New York, in a small cluster of nondescript buildings that also includes the office of a multinational cosmetics supplier and some electronics companies.

Among Verint’s products are unremarkable security cameras and systems that enable call center managers to monitor their workers. But it also sells some of the world’s most sophisticated eavesdropping equipment, creating a line of spy tools designed to help governments and intelligence agencies snoop on communications across an entire country.

Verint sells what it calls “monitoring centers” that “enable the interception, monitoring, and analysis of target and mass communications over virtually any network.” These systems are designed to be integrated within a country’s communications infrastructure and, according to Verint’s website, are currently used in more than 75 nations.

The technology Verint designs doesn’t just target specific criminal groups or terrorists. It can be tailored to intercept the phone calls and emails of millions of everyday citizens and store them on vast databases for later analysis.

Verint boasts in its marketing materials that its “Vantage” monitoring center enables “nationwide mass interception” and “efficiently collects, analyzes, and exposes threats from billions of communications.” And if that’s not enough to satisfy spy agencies’ thirst for intelligence, Verint has more to offer. The company says it can also help governments automatically identify people from the sound of their voice using speech identification software, intercept the cellular and satellite mobile phone communications of “mass populations over a wide area” using a covert portable device, and provide data-mining tools to build detailed profiles about criminals and other “negative influencers” in real time.

The National Security Agency in the United States has reportedly purchased Verint snooping equipment, as have authorities in Mexico. However, the use of such technology in the US is a legally contentious issue. Mass monitoring of solely domestic calls and emails would be prohibited under the Fourth Amendment, which protects against unwarranted searches and seizures. But a controversial clause in a 2008 amendment to the Foreign Intelligence and Surveillance Act means mining communications as they pass between the United States and countries of interest like Pakistan and Yemen can be deemed technically permissible.

(Other countries have few regulations in this area, if any at all. Libyan dictator Muammar Gaddafi was able to get his hands on French mass surveillance gear in 2006, which was subsequently used domestically to indiscriminately track dissidents and other regime opponents.)

With revenues of more than an estimated $840 million in 2012 according to public accounts, Verint has at least 16 offices in countries including Japan, China, Russia, Israel, Australia, Canada, Germany, France, the United Kingdom, and the Philippines.

The company’s accounts reveal that its communications intelligence solutions have generated a significant proportion of revenue and have been selling better than ever in recent years. Between 2006 and 2011, for instance, Verint’s annual communications intelligence sales rocketed by almost 70 percent from $108 million to $182 million. And 2012 looks to be another good year, with a projected increase of about 13 percent looking likely based on the figures published for the first three quarters. Most of the company’s communications surveillance sales in 2012 were made in the Americas (53 percent). EMEA (Europe, the Middle East, and Africa) comprises approximately 27 percent of its sales, and APAC (Asia-Pacific region) a further 20 percent.

I contacted Verint to seek more information about its advanced eavesdropping tools. In particular, I wanted to know whether it follows the U.S. government’s "Know Your Customer" guidelines, which are designed to help businesses avoid selling goods to countries or customers where they might have an “inappropriate end-use.” But Verint declined to answer a series of detailed questions for this story and turned down an interview request. A public relations representative acting on behalf of the company told me that “due to the sensitive nature of these solutions, they [Verint] tend not to seek deeper coverage of this area of the business.”

Governments across the world are using Verint’s technology to sift through masses of intercepted communications — that much is certain. The rest, at least for now, remains a tight-lipped secret.

Cyberwar's Secret Trade

Wednesday 16 January 2013

Behind computer screens from France to Fort Worth, Texas, elite hackers hunt for security vulnerabilities worth thousands of dollars on a secretive unregulated marketplace.

Using sophisticated techniques to detect weaknesses in widely used programs like Google Chrome, Java, and Flash, they spend hours crafting “zero-day exploits” — complex codes custom-made to target a software flaw that has not been publicly disclosed, so they can bypass anti-virus or firewall detection to help infiltrate a computer system.

Like most technologies, the exploits have a dual use. They can be used as part of research efforts to help strengthen computers against intrusion. But they can also be weaponized and deployed aggressively for everything from government spying and corporate espionage to flat-out fraud. Now, as cyberwar escalates across the globe, there are fears that the burgeoning trade in finding and selling exploits is spiralling out of control — spurring calls for new laws to rein in the murky trade.

Some legitimate companies operate in a legal gray zone within the zero-day market, selling exploits to governments and law enforcement agencies in countries across the world. Authorities can use them covertly in surveillance operations or as part of cybersecurity or espionage missions. But because sales are unregulated, there are concerns that some gray market companies are supplying to rogue foreign regimes that may use exploits as part of malicious targeted attacks against other countries or opponents. There is also an anarchic black market that exists on invite-only Web forums, where exploits are sold to a variety of actors — often for criminal purposes.

The importance of zero-day exploits, particularly to governments, has become increasingly apparent in recent years. Undisclosed vulnerabilities in Windows played a crucial role in how Iranian computers were infiltrated for surveillance and sabotage when the country’s nuclear program was attacked by the Stuxnet virus (an assault reportedly launched by the United States and Israel). Last year, at least eight zero days in programs like Flash and Internet Explorer were discovered and linked to a Chinese hacker group dubbed the “Elderwood gang,” which targeted more than 1,000 computers belonging to corporations and human rights groups as part of a shady intelligence-gathering effort allegedly sponsored by China.

The most lucrative zero days can be worth hundreds of thousands of dollars in both the black and gray markets. Documents released by Anonymous in 2011 revealed Atlanta-based security firm Endgame Systems offering to sell 25 exploits for $2.5 million. Emails published alongside the documents showed the firm was trying to keep “a very low profile” due to “feedback we've received from our government clients.” (In keeping with that policy, Endgame didn’t respond to questions for this story.)

But not everyone working in the business of selling software exploits is trying to fly under the radar — and some have decided to blow the whistle on what they see as dangerous and irresponsible behaviour within their secretive profession.

Adriel Desautels, for one, has chosen to speak out. The 36-year-old “exploit broker” from Boston runs a company called Netragard, which buys and sells zero days to organizations in the public and private sectors. (He won’t name names, citing confidentiality agreements.) The lowest-priced exploit that Desautels says he has sold commanded $16,000; the highest, more than $250,000.

Unlike other companies and sole traders operating in the zero-day trade, Desautels has adopted a policy to sell his exploits only domestically within the United States, rigorously vetting all those he deals with. If he didn’t have this principle, he says, he could sell to anyone he wanted — even Iran or China — because the field is unregulated. And that’s exactly why he is concerned.

“As technology advances, the effect that zero-day exploits will have is going to become more physical and more real,” he says. “The software becomes a weapon. And if you don’t have controls and regulations around weapons, you’re really open to introducing chaos and problems.”

Desautels says he knows of “greedy and irresponsible” people who “will sell to anybody,” to the extent that some exploits might be sold by the same hacker or broker to two separate governments not on friendly terms. This can feasibly lead to these countries unwittingly targeting each other’s computer networks with the same exploit, purchased from the same seller. “If I take a gun and ship it overseas to some guy in the Middle East and he uses it to go after American troops — it’s the same concept,” he says.

The position Desautels has taken casts him as something of an outsider within his trade. France’s Vupen, one of the foremost gray-market zero-day sellers, takes a starkly different approach. Vupen develops and sells exploits to law enforcement and intelligence agencies across the world to help them intercept communications and conduct “offensive cyber security missions,” using what it describes as “extremely sophisticated codes” that “bypass all modern security protections and exploit mitigation technologies.”

Vupen’s latest financial accounts show it reported revenue of about $1.2 million in 2011, an overwhelming majority of which (86 percent) was generated from exports outside France. Vupen says it will sell exploits to a list of more than 60 countries that are members or partners of NATO, provided these countries are not subject to any export sanctions. (This means Iran, North Korea, and Zimbabwe are blacklisted — but the likes of Kazakhstan, Bahrain, Morocco, and Russia are, in theory at least, prospective customers, as they are not subject to any sanctions at this time.)

“As a European company, we exclusively work with our allies and partners to help them protect their democracies and citizens against threats and criminals,” says Chaouki Bekrar, Vupen’s CEO, in an email. He adds that even if a given country is not on a sanctions list, it doesn’t mean Vupen will automatically work with it, though he declines to name specific countries or continents where his firm does or does not have customers.

Vupen’s policy of selling to a broad range of countries has attracted much controversy, sparking furious debate around zero-day sales, ethics, and the law. Chris Soghoian of the ACLU — a prominent privacy and security researcher who regularly spars with Vupen CEO Bekrar on Twitter — has accused Vupen of being “modern-day merchants of death” selling “the bullets for cyberwar.”

“Just as the engines on an airplane enable the military to deliver a bomb that kills people, so too can a zero day be used to deliver a cyberweapon that causes physical harm or loss of life,” Soghoian says in an email. He is astounded that governments are “sitting on flaws” by purchasing zero-day exploits and keeping them secret. This ultimately entails “exposing their own citizens to espionage,” he says, because it means that the government knows about software vulnerabilities but is not telling the public about them.

Some claim, however, that the zero-day issue is being overblown and politicized. “You don’t need a zero day to compromise the workstation of an executive, let alone an activist,” says Wim Remes, a security expert who manages information security for Ernst & Young.

Others argue that the U.S. government in particular needs to purchase exploits to keep pace with what adversaries like China and Iran are doing. “If we’re going to have a military to defend ourselves, why would you disarm our military?” says Robert Graham at the Atlanta-based firm Errata Security. “If the government can’t buy exploits on the open market, they will just develop them themselves.” He also fears that regulation of zero-day sales could lead to a crackdown on legitimate coding work. “Plus, digital arms don’t exist — it’s an analogy. They don’t kill people. Bad things really don’t happen with them.”


So are zero days really a danger? The overwhelming majority of compromises of computer systems happen because users failed to update software and patch vulnerabilities that are already known about. However, there are a handful of cases in which undisclosed vulnerabilities — that is, zero days — have been used to target organizations or individuals.

It was a zero day, for instance, that was recently used by malicious hackers to compromise Microsoft’s Hotmail and steal emails and details of the victims' contacts. Last year, it was reported that a zero day was used to target a flaw in Internet Explorer and hijack Gmail accounts. Noted “offensive security” companies such as Italy’s Hacking Team and the England-based Gamma Group are among those to make use of zero-day exploits to help law enforcement agencies install advanced spyware on target computers — and both of these companies have been accused of supplying their technologies to countries with an authoritarian bent. Tracking and communications interception can have serious real-world consequences for dissidents in places like Iran, Syria, or the United Arab Emirates. In the wrong hands, it seems clear, zero days could do damage.

This potential has been recognized in Europe, where Dutch politician Marietje Schaake has been crusading for groundbreaking new laws to curb the trade in what she calls “digital weapons.” Speaking on the phone from Strasbourg, France, Schaake tells me she’s concerned about security exploits, particularly where they are being sold with the intent to help enable access to computers or mobile devices not authorized by the owner. She adds that she is considering pressing for the European Commission, the EU’s executive body, to bring in a whole new regulatory framework that would encompass the trade in zero days, perhaps by looking at incentives for companies or hackers to report vulnerabilities that they find.

Such a move would likely be welcomed by the handful of organizations already working to encourage hackers and security researchers to responsibly disclose vulnerabilities they find instead of selling them on the black or gray markets. The Zero Day Initiative, based in Austin, Texas, has a team of about 2,700 researchers globally who submit vulnerabilities that are then passed on to software developers so they can be fixed. ZDI, operated by Hewlett-Packard, runs competitions in which hackers can compete for a pot of more than $100,000 in prize funds if they expose flaws. “We believe our program is focused on the greater good,” says Brian Gorenc, a senior security researcher who works with the ZDI.

Yet for some hackers, disclosing vulnerabilities directly to developers lacks appeal because greater profits can usually be made elsewhere. When I ask Vupen’s Bekrar what he thinks of responsible disclosure programs, he is critical of “lame” rewards on offer and predicts that for this reason an increasing number of skilled hackers in the future will “keep their research private to sell it to governments.” It may also be the case that, no matter what the financial incentive, for some it will always be more of a thrill to shun the “responsible.” So even if regulators internationally were to somehow curb exploit sales, it’s likely it would only have a tangible impact on legitimate companies like Vupen, Endgame, Netragard, and others. There would remain a burgeoning black market, in which vulnerabilities are sold off to the highest bidder. This market exists in an anarchic pocket of the Internet, a sort of Wild West, where legality is rarely of paramount importance — as former Washington Post reporter Brian Krebs recently found out for himself.

Krebs, who regularly publishes scoops about zero days on his popular blog, has on several occasions been besieged by hackers after writing about vulnerabilities circulating on the black market. Krebs says his website came under attack last year after he exposed a zero day that was being sold on an exclusive, invite-only Web forum. “They don’t like the attention,” he says. The hackers were able to find Krebs’ home IP address. Then, they began targeting his Internet connection and taunting him. Krebs was eventually forced to change his router and has since signed up for a service that helps protect his online identity. But he says he still receives malware by email “all the time.”

It’s difficult to imagine how the aggressive black market that Krebs encountered could ever be efficiently curtailed by laws. That is why the best way for vulnerabilities to be fully eliminated — or at least drastically reduced — would perhaps be to place a greater burden on the software developers to raise standards. If only developers would invest more in protecting user security by designing better, safer software and by swiftly patching security flaws, the zero-day marketplace would likely be hit by a crushing recession.

At present, however, that remains an unlikely prospect. And unfortunately it seems there’s not a great deal you can do about it, other than to be aware of the risk.

“Most organizations are one zero day away from compromise,” Krebs says. “If it’s a widely used piece of software, you’ve just got to assume these days that it’s got vulnerabilities that the software vendors don’t know about — but the bad guys do.”

This article first appeared at Slate.