The Washington Post has recently reported on the exploits of Luigi Auriemma, 32, and Donato Ferrante, 28, two Italian hackers that work from the island of Malta, searching for flaws in computer codes that they can sell to countries that want to break into the computer systems of foreign adversaries. The Post is relying upon information disclosed by The New York Times. While hacktivism is condemned, cyberpiracy is the favored choice of nations, especially the US.
Governments will pay hundreds of thousands of dollars to learn about these vulnerabilities and exploit them. Hacktivism has been defeated by cyberpiracy.
Until a few years ago, the market for coding flaws was limited to companies like Microsoft and Apple, which just wanted to find them and fix them. But ten years ago, the Mozilla Foundation was already paying a bounty for the detection of bugs festering in its Firefox browser. Since then Google, Facebook and PayPal have begun offering compensation to hackers as an incentive to share what they’ve found. It’s essentially bribery in reverse.
Last month, Microsoft set the going rate at $150,000. But Apple bought a threatened zero-day exploit of its iOS operating system for $500,000.
The merchandising of flaws is described as “zero days.” Companies pay up because they know they have “zero days” to mount a defense ahead of the hackers, once the flaw comes to light. In cyberwarfare, governmental buyers seek “zero-day exploits,” in which they can utilize the flaws before the victim knows they exist. An attack can extend for almost a year before the weaknesses are noted.
Foreign governments have been inspired by the success of a joint effort of the United States and Israel three summers ago to conduct an offensive against Iran’s nuclear enrichment program by means of a computer worm known as “Stuxnet.”
The United States is one of the buyers of programming flaws, as confirmed by Edward J. Snowden, the former NSA consultant who leaked classified documents. Snowden’s intentions were, to all accounts, altruistic.
The biggest buyers, besides the US, are Israel, Britain, Russia, India, and Brazil. The Center for Strategic and International Studies in Washington says intelligence services in the Asian Pacific and Middle East are also part of the action. North Korea is also in the market.
Brokers set up deals between sellers and buyers for a 15 percent cut of the sale price. Hackers can barter for a deal that affords them royalties for every month the flaws are not unearthed.
A broker does not need to be subtle. Emails with subject lines like “Need code execution exploit urgent” read like Nigerian 409 scams in which the sons of deposed leaders desperately need to transfer funds to overseas accounts with the help of the recipient.
The hackers in Malta utilize a company called ReVuln, which specializes in finding back doors to industrial control systems that regulate water treatment facilities, oil and gas pipelines and power plants.
An enterprise entitled Vupen allows customers to browse its catalog of exploits for an annual subscription of $100,000, not including the purchase price for every exploitation.
Of course governments assert that they are exploiting the pregnabilities of their adversaries in order to preserve and protect their national security. But there may be some justification for this pretext, as the world becomes progressively insecure.
But hacktivism can encompass high-minded, albeit larcenous, purposes in the uncovering and unveiling of secrets, of which cyberpirates are bereft.
Snowden, 28, Bradley Manning, 25, are described as “hacktivists” that work to find flaws in the systems used by the Pentagon and elsewhere as a form of civil disobedience. Their avowed intent is to make information free to everyone. Now Snowden is on the run for turning over documents to The Washington Post and UK’s The Guardian that were related to top-secret U.S. surveillance programs. A look at more idealistic hacktivists is found in a Time Magazine article entitled “The Geeks Who Leak” (June 24, 2013).
Hacktivists are akin to war protestors in the Vietnam era that believed that living in peace and not war was man’s natural state. Hacktivists are technophiles that regard transparency and personal privacy as the foundations of a free society. Secrecy and surveillance therefore constitute despotism. Snowden denounces surveillance as “turnkey tyranny.” Thus hacktivism can be carried out in the name of human rights and information ethics.
The late Aaron Schwartz went even further than the others. He was a renowned hacker and co-founder of Reddit, an organization dedicated to public release of private documents in the belief that following unjust laws was injustice. Faced with charges of downloading academic papers from MIT and the digital library JSTOP, he took his life at 26.
Bradley Manning, the intelligence analyst who released hundreds of thousands of documents to Wikileaks, wrote to a hacker friend three years earlier that without information the public is unable to make informed decisions. By definition, all information belonged in the public domain.
More than 4.4 million Americans hold top secret security clearances in the military and intelligence communities.
The terms hacktivism and hacktivist were coined in 1996 by a member of the Cult of the Dead Cow known as “Omega.” Cult of the Dead Cow, also known as cDc or cDc Communications, is a computer hacking group founded in 1984 in Lubbock, Texas.
Hacktivists are defined by their adoption of lexical warfare. “Lexical” is generally a referent to the use of language, in this case computer language. It can mean, by extension, anyone who communicates via some form of language. Hacktivism combines programming skills with critical thinking.
Some definitions of hacktivism include acts cyberterrorism. Others regard it as technological assaults carried on to effect social or political change. Freenet, for example, metamorphoses political thought into code.
More radical approaches encompass cybercrime, which adopts malicious or destructive methods of undermining the security of the Internet—all purportedly to advance a technical, economic, or political platform.
The Pentagon has formally recognized cyberspace as a “new domain in warfare,” according to William J. Lynn, US Deputy Secretary of Defense. The Economist has similarly described cyberspace as “the fifth domain of warfare.”
Businesses like those established by Auriemma and Ferrante signal the replacement of arms dealers with cyberweapons’ salesmen. As with the older forms of the arms race, the US is trying to keep pace with its adversaries, although Iran has replaced the USSR as the principal malefactor.
While the US government prosecutes hacktivists, it rewards cyberpirates. As in days of yore, the US has gone over to the side of capitalism against ideology. And the hacktivists have lost the war.
By: Tom Ukinski