Kindle Notes & Highlights
Read between October 30 - November 5, 2022
By the time the Shadow Brokers started dribbling out the NSA’s cyberweapons, I had been closely tracking the agency’s offensive program for four years—ever since I’d caught a privileged glimpse of it in documents leaked by former NSA contractor Edward J. Snowden.
On June 27, 2017, Russia fired the NSA’s cyberweapons into Ukraine in what became the most destructive and costly cyberattack in world history.
The hack that circled the world would cost Merck and FedEx, alone, $1 billion. By the time I visited Kyiv in 2019, the tally of damages from that single Russian attack exceeded $10 billion, and estimates were still climbing. Shipping and railway systems had still not regained full capacity. All over Ukraine, people were still trying to find packages that had been lost when the shipment tracking systems went down. They were still owed pension checks that had been held up in the attack. The records of who was owed what had been obliterated.
Security researchers had given the attack an unfortunate name: NotPetya.
“We are now living in a totally different era,” he told me. “There is now only Life before NotPetya and Life after NotPetya.”
What had saved Ukraine is precisely what made the United States the most vulnerable nation on earth. Ukraine wasn’t fully automated. In the race to plug everything into the internet, the country was far behind.
And with the next election steadily approaching, Putin and Trump met once more, this time in Osaka in June 2019, where they chuckled together like old college buddies. When a reporter asked Trump if he would warn Russia not to meddle in 2020, Trump sneered and waved his finger jovially at his friend: “Don’t meddle in the election, President.”
The documents were littered with references to NSA backdoors in nearly every piece of commercial hardware and software on the market. The agency appeared to have acquired a vast library of invisible backdoors into almost every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating system.
Stuxnet—as the computer worm came to be called—had been discovered in bits and pieces in 2010 as it slithered its way through computers around the globe, using an unheard-of number of zero-day exploits, seven to be precise. Some were clearly designed to infect hard-to-reach—even offline—computers. One Microsoft zero-day allowed the worm to invisibly spread from an infected USB flash drive onto a computer undetected. Others allowed it to crawl across the network from there, climbing ever higher up the digital chain of command in search of its final destination: Iran’s Natanz nuclear plant,
And so, in 2003, iDefense became the first shop to publicly open its doors to hackers and start paying bounties for zero-day bugs.
Hackers, McManus explained, aren’t in it for money. At least, not in the beginning. They are in it for the rush, the one that comes with accessing information never meant to be seen. Some do it for power, knowledge, free speech, anarchy, human rights, “the lulz,” privacy, piracy, the puzzle, belonging, connection, or chemistry, but most do it out of pure curiosity.
The New Hacker’s Dictionary, which offers definitions for just about every bit of hacker jargon you can think of, defines hacker as “one who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.”
“Trustworthy Computing is more important than any other part of our work,” Gates wrote in his now infamous memo. “Computing is already an important part of many people’s lives. Within 10 years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if [chief information officers], consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.”
“The most likely way for the world to be destroyed,” it read, “most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.”
In February 2016 I flew to St. Louis to see Charlie in person. (He had to postpone our meeting twice because he was too busy appearing on CSI: Cyber.) We’d first met years earlier at a rooftop hacker party in Vegas, and he was just how I’d remembered him: tall, skinny, with sharp features and serious eyes, his mouth dripping with sarcasm. That first night we met in Vegas, he was dressed in an all-white hip-hop tracksuit. It was hard envisioning him as a math PhD.
From Redmond to Silicon Valley, technology executives at Microsoft, Adobe, Google, Oracle, and Cisco combed through Charlie’s paper with a mix of alarm and agitation. He had only confirmed what executives had long suspected: their own government was perfectly willing to throw them, and their customers, under the bus in the name of national security.
The enemy is a very good teacher. —THE DALAI LAMA
Instead, he credits his colleagues and bosses in the intel world and a host of New Age management gurus. Gosler frequently cites Malcolm Gladwell—“The Outlier is fantastic!” he told me, more than once. Gordon Moore and Andy Grove, two former chief executives of Intel, were his heroes. Grove’s book Only the Paranoid Survive is his bible. But his all-time favorite is Price Pritchett, the organizational management guru. For years, anytime intelligence officials visited Gosler’s office at CIA headquarters in Langley, they were greeted with the following Pritchett quote on the wall: Organizations
“You could still find vulnerabilities, sure, but your ability to guarantee no other vulnerabilities existed was becoming impossible.” He paused for emphasis. “That’s important, Nicole. You could no longer make the statement that any of these microcontrolled systems were vulnerability-free.”
The possibilities were endless. An attacker could gain “unauthorized access to classified data by exploiting a pre-programmed weakness due to careless design or implementation” or plant “a ‘trap door’ in the computer application or in the programming and operating systems supporting the application.”
the blame game that followed, the 9/11 Commission and other lawmakers—many of whom had voted to slash intelligence budgets over the previous decade—would all agree: intelligence had been at fault. The intelligence community needed more resources, more legal authorities, more data, more machines, and more people to ensure that nothing like 9/11 ever happened again. The Patriot Act was signed, and later the Foreign Intelligence Surveillance Act was amended to expand the government’s ability to conduct electronic surveillance without court orders. Annual intelligence budgets surged to $75 billion
Even as American officials were publicly accusing China of embedding trapdoors in Huawei’s products, my Times colleague David Sanger and I learned from leaked classified documents that the NSA had pried its way into Huawei’s headquarters in Shenzhen, years ago, stolen its source code, and planted its own backdoors in the company’s routers, switches, and smartphones.
“The most likely way for the world to be destroyed, most experts agree, is by accident. That’s where we came in; we’re computer professionals. We cause accidents.”
Once the worm was on that first Natanz computer, a second Microsoft Windows zero-day exploit kicked in—though technically, this second exploit wasn’t a zero-day at all. It had been detailed in the obscure Polish hacking magazine Hakin9, which TAO and Unit 8200 hackers apparently kept close tabs on, but nobody at Microsoft or in Iran had bothered to read.
Inside the confines of his lab, Langner’s team infected computers with Stuxnet to see what the worm would do. “And then some very funny things happened,” he recalled. “Stuxnet behaved like a lab rat that didn’t like our cheese. Sniffed but didn’t want to eat.”
The mastery of the code suggested that this was not the work of some cybercriminal thug. This was the work of a well-resourced nation-state. And it had been designed, Langner concluded, to “drive the maintenance engineers crazy.”
“The biggest number of targets for such an attack are not in the Middle East,” Langner said. “They are in Europe, Japan, and the United States. We will have to face the consequences, and we better prepare right now.”
In 2013 the NSA added a new $25.1 million line item to its classified black budget. That was how much it planned to start spending each year to procure “software vulnerabilities from private malware vendors.” By one estimate, that would enable the agency to purchase as many as 625 zero-days a year, in addition to the vulnerabilities the agency was developing in-house.
A man got to have a code. —OMAR LITTLE, THE WIRE
The closest the United States has ever gotten to controlling the export of hacking tools and surveillance technology is the Wassenaar Arrangement. Named for the Dutch town where the arrangement was originally signed in 1996, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was designed to replace the previous set of Cold War norms used by Western states to keep weapons and military technology from making their way to Russia, China, and their communist satellites. Wassenaar’s goal was to control the sale of conventional weapons systems and
But what really pissed off Aitel’s superiors is what he did after he left the Fort. He co-authored a book with several well-known hackers called The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. It became a bible for aspiring hackers. In it, Aitel detailed specific exploits and attack methodologies that his former bosses felt went too far in disclosing NSA spycraft. At Fort Meade, they put up a dartboard with Aitel’s face on it and encouraged his successors to aim right between his eyes.
In 2002, Aitel started his security company, Immunity, from his apartment in Harlem and began consulting with the big financial services companies. But soon he developed an automated exploitation tool called Canvas that allowed his customers to test genuine threats—some known, some zero-day exploits Aitel developed himself—on their systems to mimic the techniques of advanced nation-states and cybercriminals.
“You would see people picked up by the same make and model of Renault that we knew belonged to the secret police, and you’d never see them again,” Eren told me. “People would scream their names, their relatives’ names, and their telephone numbers out the back of the car, so at least their families would know their fates. I came of age in this era.”
The vast majority of sellers, Desautels told me, were in the United States, Europe, and Romania. He had a guy in Romania who could hack just about anything, and never tell anyone about it.
The leaked emails also made clear just how little serious thought was given to the potential abuse of Hacking Team’s products. In one email in which Vincenzetti seemed to predict the future, he joked, “Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! ☺.”
You can’t stop the gears of capitalism. But you can always be a pain in the ass. —JARETT KOBAK, I HATE THE INTERNET
Google’s engineers in Zurich—or “Zooglers,” as they called themselves—referred to their offices as the “real Mountain View” for its Alpine backdrop.
“We had never thought we could be hacked by the Chinese military,” Adkins said. “That seemed so outside the realm of what companies could be expected to handle.” “We didn’t think militaries were allowed to hack civilians in peacetime,” said Grosse. “We didn’t think that could be true because you assume the backlash would be so severe. Now, that’s the new international norm.”
Many a tech CEO had come to think of himself as the rightful heir to Steve Jobs, whose megalomania was excused as a byproduct of his ability to deliver. But Jobs was in a class of his own, and when other tech CEOs followed suit, they often invoked the same language of enlightenment to justify their own relentless expansion into the world’s fastest-growing, albeit authoritarian, internet market.
After authorities revoked Vupen’s global export license, Bekrar packed up and moved his Montpellier offices to the cyberarms market’s global headquarters: Washington, D.C. He took a page from the disgraced military contractor Blackwater and rebranded Vupen as Zerodium. He set up a slick new website and, in an unprecedented move, started advertising the prices he was paying for zero-day exploits, in exchange for hackers’ silence.
“The first rule of [the] 0-days biz is to never discuss prices publicly,” Bekrar wrote in messages to reporters. “So guess what: We’re going to publish our acquisition price list.” He offered to pay $80,000 for exploits that could defeat Google’s Chrome browser, $100,000 for Android exploits. The top prize, $500,000, was reserved for the iPhone. As the number of Zerodium customers went up, so did Bekrar’s payouts. In 2015 Zerodium tweeted out a $1 million offer for the gold mine: a remote jailbreak of the iPhone, which entailed a chain of zero-day exploits that would enable his government
But Google had one big edge on the Zerodiums of the world. Brokers required omertà. Google’s bounty hunters were free to discuss their work openly and avoid the shadier side of the business.
The NSA-GCHQ code name for these attacks was Muscular. On one level, it was helpful in explaining that the companies were not willing accomplices. “It provided us a key to finally understand what was going on,” Brad Smith, Microsoft’s president, told Wired magazine. “We had been reading about the NSA reportedly having a massive amount of data. We felt that we and others in the industry had been providing a small amount of data. It was hard to reconcile, and this was a very logical explanation.”
“Bypassing that system is illegal for a good reason,” Hearn wrote. “Nobody at GCHQ or the NSA will ever stand before a judge and answer for this industrial-scale subversion of the judicial process.” In the absence of that, he added, “We therefore do what internet engineers have always done—build more secure software.”
There was another benefit to publicizing Project Zero’s work. They were sending a message to skeptical customers and governments—especially those that had come to see Google as complicit in NSA surveillance—that Google took their security seriously. The exposure also helped lure the world’s top exploit developers to defense.
The release of atom power has changed everything except our way of thinking … the solution to this problem lies in the heart of mankind. If only I had known, I should have become a watchmaker. —ALBERT EINSTEIN
Years later, Daniel still winced at just how close American officials had come that night to retaliating. “It was a critical lesson that in cyber, the first assessment is almost always wrong.”
Top of mind for Panetta and everyone else paying attention that year was Iran. “Like nuclear weapons, eventually they’ll get there,” Jim Lewis, a former government official and cybersecurity expert, told me in early 2014.
“The attack went off in a big way, and yet we got no support from fellow movie studios, no support from the mayor of Los Angeles, no support from then attorney general Kamala Harris,” Michael Lynton, Sony’s former CEO and chairman, told me later. Five years after the event, he was still embittered, and it wasn’t hard to see why. “I realized Hollywood is a ‘community’ in name only. Nobody lent a helping hand. But in a funny way, I really don’t blame them, because from a distance, no one really understood how damaging or difficult the situation was.”
Almost immediately, the Chinese cyber theft that had ravaged American businesses over the previous decade plummeted. Security firms reported a 90 percent dropoff in Chinese industrial cyberattacks. For eighteen months, the world’s first cyberarms-control agreement appeared to stick. As ballet dancer Misty Copeland performed for the Chinese delegation and singer Ne-Yo belted out “Because of You” that evening in September, the Chinese leader smiled and clapped. Xi appeared genuine. But then came Trump, who turned the table over with tariffs and the trade war. If it weren’t for that, some