This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Kindle Notes & Highlights
32%
Pegasus could even do what NSO called “room tap”: gather sounds and snapshots in and around the room using the phone’s microphone and video camera. It could deny targets access to certain websites and applications, grab screenshots off their phones, and record their every search and browsing activity. One of the biggest selling points was that the spyware was “battery conscious.” One of the few tells that you may have spyware on your device is a constantly draining battery. All that spying and siphoning can be a battery hog. But Pegasus came with a nifty trick. It could sense when it was ...
33%
“The walls have ears,” Niinisto joked, neglecting to mention that the Finns were investing in their own ears, too.
33%
What NSO, Hacking Team, and other cyberarms dealers had done almost overnight was democratize the surveillance capabilities once reserved for the United States, its closest allies in Five Eyes, Israel, and its most sophisticated adversaries in China and Russia. Now any country with a million dollars could buy its way into this market, many with little to no regard for due process, a free press, or human rights.
33%
It’s not easy, but I am doing this because I believe this is the most difficult way for anyone to express their patriotism to their country.”
33%
Years later, I would learn that it was worse than that. Evenden’s colleagues at CyberPoint had not only installed spyware on Mansoor’s devices but hacked his wife’s devices too. They even had a code name for Mansoor, Egret—his wife was Purple Egret. And they had implanted themselves inside Mansoor’s baby monitor, watching and listening as his child slept. And, yes, I confirmed, they had listened to our call too.
34%
NSO executives told me that if you rounded up every Pegasus target in the world, you would only fill a small auditorium. But in Mexico NSO targets were coming out of the woodwork, many of them outspoken critics of then Mexican president Enrique Peña Nieto, or journalists who had reported stories critical of him.
35%
Recalling his words now, Marquis-Boire could only smile: “History sure has a way of coming to bite you in the ass.”
35%
security was only as good as the weakest link.
35%
As investigators sifted through their chats, they found one blaring red flag. Each had clicked on a link attached to the same menacing three-word message: “Go Kill Yourself.”
36%
Legion Yankee was among the murkiest—and most prolific—of the more than two dozen Chinese hacking groups that NSA hackers tracked, as they raided intellectual property, military secrets, and
36%
correspondence from American government agencies, think tanks, universities, and now the country’s most vibrant technology companies.
36%
was Putin’s playbook through and through. The Kremlin had successfully outsourced cyberattacks to Russian cybercriminals for years. It was a strategy that was easily imported to China, where the state’s embrace of liberties and free markets had its limits. Those with any notable hacking skills weren’t so much recruited to the state’s hacking apparatus as they were conscripted.
36%
“We didn’t think militaries were allowed to hack civilians in peacetime,” said Grosse. “We didn’t think that could be true because you assume the backlash would be so severe. Now, that’s the new international norm.”
36%
Most laypeople assume hackers are after short-term payoffs: money, credit card information, or bribe-worthy medical information. But the most sophisticated attackers want the source code, the hieroglyphics created and admired by the engineering class. Source code is the raw matter for software and hardware. It is what tells your devices and apps how to behave, when to turn on, when to sleep, who to let in, who to keep out. Source code manipulation is the long game.
36%
Code is often the most valuable asset technology companies have—their crown jewels—and yet when China’s contracted hackers started popping up across thirty-four Silicon Valley companies in late 2009, nobody had ever thought to secure it. Customer and credit card data merited fierce protection, but the vast majority of tech companies had left their source code repositories wide open.
36%
Google’s Aurora attack elevated a fundamental question: Can any computer system be made totally secure?
36%
Such rationalization was common in Silicon Valley, where tech leaders and founders have come to think of themselves as prophets, if not deities, delivering free speech and the tools of self-expression to the masses and thereby changing the world.
37%
In Brin’s mind, what the Chinese had done attacking Google was essentially the same thing China had done to Yahoo. The only difference was that they hadn’t bothered to ask Google for access to its users’ information. The hack reeked of the totalitarianism of Brin’s Soviet upbringing, and he took it as a personal affront.
37%
This would put the ball in Beijing’s court. China would have to do its own filtering to and from Hong Kong. Google would no longer do their dirty work. They knew that China would respond in kind. Most likely, the Communist Party would kick Google out of the market entirely. No American company had ever publicly called out Beijing for a cyberattack, even as Chinese hackers were pillaging American intellectual property in what Keith Alexander, the NSA director at the time, later called “the greatest transfer of wealth in history.”
37%
Three years after Google’s attack, James Comey, then head of the FBI, put it this way: “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.”
38%
Officials called up Google executives directly. Schmidt would later joke, referring to Hong Kong’s lack of censorship: “We told the Chinese, ‘You said it’s “One country, two systems.” We like the other system.’ They didn’t appreciate that either.”
38%
A “new information curtain is descending across much of the world,” Secretary Clinton told an audience, before sounding the clearest warning shot yet on Chinese cyberattacks: “In an interconnected world, an attack on one nation’s networks can be an attack on all.”
38%
Some called China’s move “the Great Cannon,” and it was a shot across the bow to anyone who thought Beijing might eventually tolerate anything less than total internet control.
38%
By the time its checklist was complete, years later, Google’s mission would include one radical addition: neuter the world’s stockpiles of zero-day exploits and cyberweapons in the process.
38%
Google weaponized its greatest resource: data—mountains of it—to search its code for errors.
39%
Some scoffed at its Chrome awards, noting that the same exploit could earn three times that much in the government market. Why should hackers tell Google about defects in its systems, when they could make far more by staying quiet?
39%
cyberarms market’s global headquarters: Washington, D.C.
39%
In any market, there is a fool.
39%
There are no copyright laws for zero-days, no patents on exploits.
39%
The Pentagon had paid Computer Sciences Corporation—the same megacontractor that now owns VRL—$613 million to secure its systems. CSC, in turn, subcontracted the actual coding to a Massachusetts outfit called NetCracker Technology, which farmed it out to programmers in Moscow. Why? Greed. The Russians were willing to work for a third of the cost that U.S. programmers had quoted. As a result, the Pentagon’s security software was basically a Russian Trojan horse, inviting in the very adversary the Pentagon had paid hundreds of millions of dollars to keep out.
40%
Microsoft wasn’t going to pay top dollar, it needed to create the conditions under which fixing a bug was more attractive than weaponizing it and selling it to governments.
41%
By 2016 the company had even managed to sign on the most unlikely player of all: the Pentagon.
41%
Getting picked up by the FBI seemed like the only logical end to hacking the Pentagon. It didn’t seem to matter that the Pentagon was actually inviting them to hack its systems.
41%
convinced it was just another way for the government to track them. That seemed overly paranoid, but I had to admit they had a point.
41%
But by then the government knew it had to do something. The previous year, the U.S. Office of Personnel Management—the very agency that stores the most sensitive data for millions of federal employees and contractors, including detailed personal, financial, and medical histories, Social Security numbers, even fingerprints—revealed that it had been hacked by Chinese hackers on a scale the government had never seen before. The Chinese had been inside OPM’s systems for more than a year by the time they were discovered in 2015.
41%
With his urging, the Pentagon had expanded its bounty program from a tiny set of unclassified websites to far more sensitive systems like the F-15’s Trusted Aircraft Information Program Download Station (TADS), the system that collects data from video cameras and sensors in flight.
41%
In the vast bureaucracy that was the Department of Defense, one agency was now paying hackers to patch its holes, while others were paying them far more to keep the world’s holes wide open.
41%
Without the companies’ knowledge or cooperation, the Snowden revelations that fall showed that the NSA, and its British counterpart, GCHQ, were sucking up companies’ data from the internet’s undersea fiber-optic cables and switches.
42%
It did not matter if Silicon Valley’s lawyers pushed back on the government’s secret orders for data; as the doodle made clear, the NSA was getting everything anyway.
42%
Downey and hundreds of other Google engineers had just dedicated the previous three years to keeping China from hacking its customers, only to find out they’d been had by their own government.
43%
At the closed-door meeting, Obama made the case for a balanced approach to privacy and national security. Cook listened intently, and when it came time to speak, he shared what he’d heard from Apple’s customers abroad. There was now a deep suspicion of America’s technology companies, he told the president. America had lost its halo on civil liberties, and it might be decades before it ever earned it back. Leaving anything open to surveillance was, in his mind, a civil liberties nightmare, not to mention bad business. People had a basic right to privacy, and if American companies couldn’t ...
44%
Journalists and hackers did the math: the FBI had just publicly copped to paying hackers $1.3 million for a way to bypass Apple’s security. And the FBI claimed it did not know what the underlying flaw was and had no plans to help Apple fix it. It was the first time in history that the government had openly copped to paying private hackers top dollar to turn over vulnerabilities in widely used technology.
44%
The prices for zero-days were only going up. And so were the stakes. Nobody would talk about it. Or consider what it meant for our defense. There were no norms—none that anyone could articulate, anyway. And in that void we were establishing our own norms, ones I knew we would not want to live by when eventually—inevitably—our adversaries turned them back on us.
45%
It was the first of many times I would hear those three little words—atado con alambre—over the next week. It was Argentine slang for “held together with wire” and encompassed the MacGyver-like nature of so many here who managed to get ahead with so little. It was Argentina’s hacker mantra.
46%
Hackers weren’t hobbyists anymore. They weren’t playing a game. In short order, they had become the world’s new nuclear scientists—only nuclear deterrence theory did not so neatly apply. Cyberweapons didn’t require fissile material. The barrier to entry was so much lower; the potential for escalation so much swifter. Our own stockpile of cyber exploits and cyberweapons hardly deterred our adversaries from trying to acquire their own. What Iran, North Korea, and others could not develop on their own, they could now just buy off the market. The Gaucho might not sell them a way in, but there were ...
47%
“You need to dispose of your view, Nicole,” Arce told me. “In Argentina, who is good? Who is bad? The last time I checked, the country that bombed another country into oblivion wasn’t China or Iran.”
47%
While Tehran could never hope to match America in conventional weapons or military spending, Olympic Games had shown Tehran that cyberweapons had just as much potential to exact destruction.
47%
Stuxnet had hit what Iran valued most—its nuclear program—and Iran soon learned it could use cyber means to hit the United States where it would hurt most: American access to cheap oil, the economy, and our own sense of safety and military superiority.
48%
They were making off with trillions of dollars’ worth of U.S. intellectual property, nuclear propulsion blueprints, and weaponry, costing the United States as many as a million jobs a year.
48%
This is what the new era of asymmetrical cyberwarfare looked like. The United States could strike a country’s critical infrastructure with cyberattacks, but when foreigners retaliated, U.S. businesses would be left holding the bag.