Kindle Notes & Highlights
Read between September 11 - September 15, 2022
Putin laid down only two rules for Russia’s hackers. First, no hacking inside the motherland. And second, when the Kremlin calls in a favor, you do whatever it asks. Otherwise, hackers had full autonomy. And oh, how Putin loved them.
The crux of Putin’s foreign policy was to undercut the West’s grip on global affairs. With every hack and disinformation campaign, Putin’s digital army sought to tie Russia’s opponents up in their own politics and distract them from Putin’s real agenda: fracturing support for Western democracy and, ultimately, NATO—the North Atlantic Treaty Organization—the only thing holding Putin in check.
The former director of the NSA, Keith Alexander, famously called Chinese cyberespionage the “greatest transfer of wealth in history.” The Chinese were stealing every bit of American intellectual property worth stealing and handing it to their state-owned enterprises to imitate.
Starting in 2016, the U.S. National Security Agency’s own cyber arsenal—the sole reason the United States maintained its offensive advantage in cyberspace—was dribbled out online by a mysterious group whose identity remains unknown to this day. Over a period of nine months a cryptic hacker—or hackers; we still don’t know who the NSA’s torturers are—calling itself the Shadow Brokers started trickling out NSA hacking tools and code for any nation-state, cybercriminal, or terrorist to pick up and use in their own cyber crusades.
The public’s understanding of what was transpiring was—to put it mildly—a mismatch to the gravity of the situation, and to the impact those leaks would soon have on the NSA, on our allies, and on some of America’s biggest corporations and smallest towns and cities.
On June 27, 2017, Russia fired the NSA’s cyberweapons into Ukraine in what became the most destructive and costly cyberattack in world history. That afternoon Ukrainians woke up to black screens everywhere. They could not take money from ATMs, pay for gas at stations, send or receive mail, pay for a train ticket, buy groceries, get paid, or—perhaps most terrifying of all—monitor radiation levels at Chernobyl. And that was just in Ukraine.
The Russians had used the NSA’s stolen code as a rocket to propel its malware around the globe. The hack that circled the world would cost Merck and FedEx, alone, $1 billion.
We could now control our entire lives, economy, and grid via a remote web control. And we had never paused to think that, along the way, we were creating the world’s largest attack surface.
The biggest secret in cyberwar—the one our adversaries now know all too well—is that the same nation that maintains the greatest offensive cyber advantage on earth is also among its most vulnerable.
The documents were littered with NSA claims that the agency's hackers had access to nearly every piece of commercial hardware and software on the market. The agency appeared to have acquired a vast library of ways into every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android, BlackBerry, computer, and operating system.
Finding a zero-day is a little like entering God mode in a video game.
Greenwald was still reeling from a Times decision a decade earlier to delay publication of a 2004 story detailing how the NSA was wiretapping American phone calls without the court-approved warrants ordinarily required for domestic spying. The Times had held the story for a year after the Bush administration argued that it could jeopardize investigations and tip off suspected terrorists.
The same exploits hackers had once happily traded for free, or dumped online to shame vendors into releasing a patch, started taking on higher monetary values as a new group of mystery buyers began creating a market for their finds and giving hackers far more reasons—much more profitable reasons—to quietly sell the holes they found than turn them over to vendors to be sealed shut.
The same bugs that Watters was paying hackers $400 for? These mystery callers were willing to pay iDefense $150,000 for a single bug, so long as iDefense kept the sale quiet and didn’t tip anyone else off.
“The most likely way for the world to be destroyed,” it read, “most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.”
Charlie cut off communications with Google and took his exploit to the New York Times, which wrote about his discovery. And he vowed never to give Google, or anyone else for that matter, another free bug. Google’s Android executives had just started a movement, even if they didn’t know it yet.
The most moral option for any hacker—going straight to the vendor—still generated the worst outcomes. How could that be?
they agreed to fight back, and they gave their campaign a name: No More Free Bugs.
Organizations can’t stop the world from changing. The best they can do is adapt. The smart ones change before they have to. The lucky ones manage to scramble and adjust, when push comes to shove. The rest are losers, and they become history.
The quote perfectly encapsulates Gosler’s take on American intelligence agencies’ belated response to advances in technology and its endless potential for exploitation, espionage, and destruction.
Gunman was different. “A-plus. Technically brilliant,” Gosler would tell me. The Soviets weren’t relying on a well-placed bug or cable tap; they had found a way to embed in the typewriters themselves, pilfering every keystroke before Americans even had a chance to encrypt their messages. In intelligence jargon, this would become known as “hacking the end points,”
“Reflections on Trusting Trust,” and his conclusion was this: unless you wrote the source code yourself, you could never be confident that a computer program wasn’t a Trojan horse.
That year, 2013, the NSA claimed that it planned to “reach full operating capability for SIGINT access to a major Internet Peer-to-Peer voice and text communications system.” The Snowden leaks did not say which system, but Skype was the obvious suspect. It also claimed to have “complete enabling for the two leading encryption chip makers used in Virtual Private Network and Web encryption devices.” In other words, the NSA was making fools of anyone who believed they could thwart spies using off-the-shelf encryption tools like VPNs—
The “kernel” is the nerve center of any computer system. It manages communications between a computer’s hardware and software. In a machine’s pecking order, the kernel is at the very top, allowing anyone with secret access to it to take full control of the device.
“The race to the bare metal.”
With the arrival of Facebook in 2004, it was often hard to see where the NSA’s efforts ended and Facebook’s platform began.
Until then, it was all about breaking an algorithm. It was about math. Suddenly it was about killing people. That’s when things changed. There was no going back.”
Chinese hackers were not just engaged in traditional state espionage; they were pilfering intellectual property from every major company in the Fortune 500, American research laboratories, and think tanks.
Mike McConnell, the former director of national intelligence, would later tell me, “In looking at any computers of consequence—in government, in Congress, at the Department of Defense, aerospace, companies with valuable trade secrets—we’ve not examined one yet that has not been infected,” by China.
Nobody seemed to be asking what all this breaking and entering and digital exploitation might mean for the NSA’s sponsors—American taxpayers—who now relied on NSA-compromised technology not only for communication but for banking, commerce, transportation, and health care. And nobody apparently stopped to ask whether in their zeal to poke a hole and implant themselves in the world’s digital systems, they were rendering America’s critical infrastructure—hospitals, cities, transportation, agriculture, manufacturing, oil and gas, defense; in short, everything that undergirds our modern
it was a wake-up call for every chief information officer in America; they were collateral damage in an escalating global cyberwar.
With Stuxnet under way in June 2009, the Obama administration created a dedicated Cyber Command at the Pentagon for offensive cyberattacks. More hacking—not better defenses—was the Pentagon’s response to the Russian attacks on its own classified networks.
Described internally as “an intelligence command and control” that would enable “industrial-scale exploitation,” Turbine was designed to operate “like the brain.” The Turbine robot was part of a broader “Owning the Net” NSA initiative and if all went well, officials believed it could ultimately supplant humans in operating the NSA’s vast digital spiderweb.
The world had changed in the thirty-odd years since Gunman. It was no longer the case that Americans used one set of typewriters, while our adversaries used another. Thanks to globalization, we now all relied on the same technology. A zero-day exploit in the NSA’s arsenal could not be tailored to affect only a Pakistani intelligence official or an al-Qaeda operative. American citizens, businesses, and critical infrastructure would also be vulnerable if that zero-day were to come into the hands of a foreign power, cybercriminal, or rogue hacker.
no amount of government lobbying can halt globalization when it came to technology.
The NSA’s answer to this problem was a system called Nobody But Us (NOBUS). The premise behind NOBUS was that low-hanging fruit—vulnerabilities that could easily be discovered and abused by American adversaries—should be fixed and turned over to vendors for patching. But more advanced exploitation—the kind of advanced zero-days the agency believed only it had the power, resources, and skills to exploit—would remain in the agency’s stockpile and be used to spy on American enemies or degrade their systems in the case of a cyberwar.
VRL had found a powerful niche, weaponizing zero-days and selling the agencies turnkey hacking tools that worked across a wide range of systems.
VRL made a point of selling its hacking tools only to American agencies. And for most employees, that was all they needed to know.
In their eagerness to pay top dollar for more and better zero-day exploits and spy tools, U.S. spy agencies were helping drive a lucrative and unregulated cyberarms race, one that gradually stopped playing by American rules.
The NSA was expressly forbidden from using these tools on Americans. The governments approaching Immunity, Eren’s new venture, and their competitors were far less constrained. Sure, there were many who planned to use these exploits to spy on foreign adversaries and terrorists, but increasingly they were looking for tools to spy on their own people.
Every former-NSA-hacker-turned-contractor he knew, around the Beltway or overseas, was now getting the equivalent of a purple and black briefing. Everyone was told to talk up the defensive elements of their work to nosy reporters like me, and never, ever, to speak of the offensive work they were doing for their government clients.
had always assumed that the stories I wrote about Hacking Team had helped shed a brighter light on a seedy industry. Occasionally the coverage would be cited by European regulators and human rights lawyers who vowed to investigate, to change export rules, to take a harder look at the cyberweapons trade. But as I sifted through the leaks, I could see that the coverage had had the opposite effect: it had functioned as advertisement,
What NSO, Hacking Team, and other cyberarms dealers had done almost overnight was democratize the surveillance capabilities once reserved for the United States, its closest allies in Five Eyes, Israel, and its most sophisticated adversaries in China and Russia. Now any country with a million dollars could buy its way into this market, many with little to no regard for due process, a free press, or human rights.
In Saudi Arabia, Google was now hosting an app that allowed men to track and control the movements of their female family members. In the States, Google contracted with the Pentagon on a program—code-named Maven—to improve imaging for military drone strikes, prompting dozens of Google employees to quit in protest. Google’s advertising had long been a sore subject for the company, but after the 2016 election, it became clear that the company had profited off advertising on sites that peddled blatant disinformation and conspiracy theories.
Google’s YouTube algorithms were radicalizing American youth, particularly angry young white men. Even YouTube Kids programming came under fire after journalists discovered that videos encouraging children to commit suicide were slipping through Google’s filters.
Google had one big edge on the Zerodiums of the world. Brokers required omertà. Google’s bounty hunters were free to discuss their work openly and avoid the shadier side of the business.
The Pentagon had paid Computer Sciences Corporation—the same megacontractor that now owns VRL—$613 million to secure its systems. CSC, in turn, subcontracted the actual coding to a Massachusetts outfit called NetCracker Technology, which farmed it out to programmers in Moscow. Why? Greed. The Russians were willing to work for a third of the cost that U.S. programmers had quoted. As a result, the Pentagon’s security software was basically a Russian Trojan horse, inviting in the very adversary the Pentagon had paid hundreds of millions of dollars to keep out.
Infecting Microsoft’s updates was the Holy Grail for hackers, and a nightmare for Redmond. In any other hands, Flame could have taken down the global economy, critical infrastructure, hospitals, the grid. The discovery of Flame by Russian researchers at Kaspersky was a disaster for Microsoft. It sent Redmond’s hackers into the war room for weeks. Flame was a beast of a virus—at 20 megabytes, twenty times the size of most malware—and yet it had been hiding in plain sight. Nobody at Microsoft discovered it until four years later.