Transcription performed by Leah Hervoly www.leahtranscribes.com
[START OF RECORDING]
JACK: Hey, it’s Jack, host of the show. I’ve been making this show about cyber-crime for a few years now. I’ve interviewed attackers, defenders, black hats, white hats, law enforcement, even nation state actors. But there’s one type of person who always refuses to be interviewed for the show, and that’s people who find vulnerabilities and sell those exploits to governments or companies that will use it to attack people with.
This is the grey market for exploits. It’s completely legal since it’s often governments who buy the exploit, but it’s just very secretive. Maybe there’s NDAs behind each deal where the people who bought it want the exploit to remain as unknown as possible. On top of that, they don’t want anyone to know they just acquired it, because if someone buys an exploit for say, $100,000, it’s like buying a weapon. Someone can use that to access a victim’s device without them knowing. But that expensive weapon can instantly become worthless if it becomes known to the vendor and they create a patch for it. In fact, that’s where the name zero-day comes from, that vendors have known about the exploit for zero days. In this episode, we get a peek into the secret world of zero-day brokers. So come on, let’s check it out.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: So, first of all, who are you and what do you do?
NICOLE: I am Nicole Perlroth and I am a cyber-security and digital espionage reporter at The New York Times.
JACK: Wow, that sounds exciting. So, as you are a cyber-security reporter and digital espionage reporter, have you ever been a – or target of an attack because you were investigating something?
NICOLE: Yes. So, I have been a target and a victim, although I don’t know to what extent. So, I talk about how my first real experience with journalists being a legitimate target for nation state spies was within a year of joining the Times, the Chinese military – we actually still don’t know if it was the military or a contractor – hacked The New York Times. I was tipped off to it, [MUSIC] and to the Times’ eternal credit, they let me in bed with our security team and Mandiant, which wasn’t owned by FireEye yet, and the FBI, and for several months we watched the guy we called the Beijing Summer Intern roll into our systems at 10:30 in the morning Beijing time and roll out at 4:30 or 5:00 PM Beijing time in search of our sources.
They weren’t after me; they were actually after the sources for a colleague of mine, David Barboza’s stories about some of the corruption going on in China’s ruling families. Funny enough, his sources for those stories were just public documents. There was no real anonymous source, but nevertheless, they were crawling around our systems. One of the fears we had was that it might be a kind of destructive attack; they might try to shut down our printing. I had a big event like the election that year, so we really didn’t know what they were doing at first, and then slowly it became clear they were after our sources. So, that was my first front row seat to the lengths that nation states would go to try to get access to journalist sources.
JACK: Whoever got into The New York Times was in the network during the 2012 US presidential election, which you can probably imagine how much of a huge embarrassment it would be if the news room got taken down on the night of the election results. But whoever got in wasn’t there to sabotage the Times. This was an espionage attack. Malware was installed on a computer in The New York Times network which gave an attacker access to the network. From there, the attackers gained access to fifty-three computers belonging to New York Times employees. But the focus seemed to be looking through the reporters’ computers who covered China. This attack originated from a university in China, and the malware used seemed to be something that Chinese hackers use frequently. Once the Times found that this attacker was in the network, they were able to lock them out and clean the systems that were infected.
NICOLE: It was funny, actually; it was only later after we published that one of my colleagues said oh, by the way, I want – I meant to tell you that [00:05:00] I showed up at work one day and my entire computer was gone and all these wires were just sitting on my desk and there was just a note that said ‘Took your computer. It’s not going to return.’ It turned out, his computer had been used for – to stage some of the attacks on other accounts in the Times.
JACK: So, what’s a big news agency do when they discover that some unauthorized person is in their network connecting from China for at least four months? Because sometimes when a company admits that they were hacked, there’s some big public shaming that follows. It’s embarrassing to admit such things. Their stock could take a big tumble and executives could lose their jobs.
NICOLE: Well, it was so interesting because they didn’t want me talking about it, so I couldn’t actually talk about what I was doing beyond my immediate editor and his editor. There were only maybe three or four people in the news room who knew what I was working on for several months. But I never mentioned it in story meetings and that kinda thing because we were really keeping it quiet until we felt confident that we had eradicated them from our systems. [MUSIC] We had these last minute discussions at The New York Times and I remember some of the editors gut-checking and just asking wait, should we publish this story? What will The Wall Street Journal and The Washington Post say? I said, they’re not gonna say anything because there’s a very good chance that they were hacked, too. So, we came out. We decided to publish this story, and it changed everything. It was a time when so many companies had been infiltrated by Chinese hackers and their intellectual property had been stolen, and no one wanted to talk about it.
Everyone feared that it would put a scarlet letter on their brand or lower their stock price or lead to class action lawsuits. So, we were one of the first companies after Google’s hack in 2009, 2010 that came out and announced that we had been hacked by China and talked about what the hack looked like and who was behind it and what they were after. I remember within twenty-four hours, The Wall Street Journal and The Washington Post and a lot of journalists raised their hands on Twitter and said we were also hacked, we were also hacked. It was almost like you weren’t cool unless you had been hacked by China. It really helped shift the conversation I think away from victim-blaming to this is a gigantic problem. News rooms are facing it and American companies and Western companies all over the world are facing this, and it’s been going on for a really long time. We need to start talking about deterrents and penalties and defense.
JACK: The Times published an article titled Hackers in China Attacked the Times for the Last Four Months. Other news agencies started speaking up and admitted they were hacked by China, too. China saw people were blaming them and gave a public response to all these accusations.
HOST: [BACKGROUND TALK IN CHINESE] According to some investigative results which showed no proof and had groundless evidence and baseless conclusion, China had participated in online attacks. That is a totally irresponsible conclusion. China’s also a victim of online attacks. China’s laws clearly ban online attacks.
JACK: Well, it’s true that in 2012 when this happened, there was an agreement between the US and China that neither country would hack into companies in the other nation. So, this was against the rules laid down in the agreement, but it was clear from all these companies that were coming forward that China wasn’t respecting that agreement.
NICOLE: Since that happened, I’ve been a complete paranoid tinfoil hat person when it comes to protecting my sources.
JACK: This was a good lesson for her to learn because a few years later, Nicole became the target of online attacks.
NICOLE: [MUSIC] It was other stuff, then it was getting a security alert from our internal security team saying hey, someone on the dark web is advertising good money to anyone who can get them access to your phone and your e-mail account. This was a few years ago, but most people knew I was working on this book in this trade, and I don’t know whether it was related to the book or it was related to one particular story, or maybe I just pissed someone off on Twitter, but it’s never a good feeling to know that someone on the dark web is offering money to people to hack your phone or your computer. I would say that was probably one of the scariest things I went through.
JACK: Yikes, that is scary. But let’s talk about her book. Earlier this year, Nicole published a [00:10:00] book called This Is How They Tell Me the World Ends. I read it cover to cover and I thought I was tuned into this world, but even I was picking up my jaw off the floor sometimes. Nicole really did some top-notch investigations into the zero-day market. She wanted to find out who’s out there developing exploits and who they’re selling them to. So, we’re gonna use the term zero-day a lot in this episode, and I want you to understand what it is so you’re not lost. A zero-day exploit is basically a vulnerability in software that the makers of that software don’t know exists yet. It’s called zero-day because the vendor has been aware of it for zero days, which means the vendor is completely unaware of it, so it goes unfixed for some time. A zero-day is a working exploit that nobody knows about except the person who found it and whoever they give it to. Now, for Nicole to research this story, she traveled all over the world meeting with zero-day developers and brokers.
NICOLE: Okay, so, I went down to Argentina because I kept hearing over and over again that some of the best zero-day exploit developers were in the Southern Hemisphere, that they were in Argentina. So, I had met an Argentine hacker by the name of Cesar Cerrudo. He had approached me because he was really focused on smart cities and the vulnerabilities of smart cities. He had done this proof-of-concept hack of traffic lights where he had actually been able to hack into the traffic light system in DC and I believe Manhattan, too. So, I had worked with him on putting a story together, and I had the opportunity to talk to him a little bit about this Argentine exploit development scene that I kept hearing about. He said you should really come down and come to Ekoparty [MUSIC] which is a big hacking conference every year in Buenos Aires. So, that year I pitched my editors on doing a story about the conference and I went down. I stayed in Palermo which is a really nice, hip neighborhood in Buenos Aires. I stayed in this boutique hotel.
I was hanging out with these hackers and noticing that there were clearly people from front companies there who were interested in buying their zero-day exploits. I had talked to some of the godfathers of the Argentine hacking scene who really made clear that Argentina had become what they called the India of exploit development. That is, people outsource a lot of their software engineering to India and in their minds, Argentina had become this big outsourcing hub for exploit development. This is where governments and front companies and brokers came to purchase zero-day exploits that they could use for their stockpiles of offensive cyber-espionage tools. So, one night I went out, and I had always been really careful to bring basically pen and paper to these conferences. Ever since that Chinese hack, I realized that the biggest thing that I needed to protect was my sources and my conversations with sources, so I have been very old school about using pen and paper, about bringing [MUSIC] burner laptops and devices to these conferences. If I have to, I’ll use Signal, the encrypted messaging app, but usually with my most sensitive conversations – like, I have one source that we just meet up once a month on the same day at the same place and we don’t bring our devices and we don’t ever – about those meetings; we just show up with pen and paper and I take notes. That is how I protect those conversations.
But in this case I had brought a burner laptop down with me. I never opened it because it was so clunky and useless, and I just write quicker sometimes with pen and paper. I put it in the safe in my hotel room, and that night I had gone out by myself. I came home and the door to my hotel room was open, the safe was open, there was still the cash I had taken out from the Cueva sitting on a table, so no one had stolen anything. When I first saw the door open I thought oh, maybe they’re doing late turndown service or something, but the door to the safe was open with my laptop in it and my laptop was in a different position. I don’t know what happened, you know? Someone clearly opened the safe, they moved it around, they didn’t take any money, but they also left my door open. So, I never knew whether they actually did something or put something on the laptop or looked at the laptop and saw that there was nothing there, or whether they just left it open to scare me or send a message. But regardless, I just took it, put it in the plastic garbage bag that was sitting in the bathroom, brought it back down to the lobby, and threw it in the trash can.
JACK: You just threw the whole thing away.
NICOLE: [00:15:00] Yeah, I just threw the whole thing away. I mean, I never used it. It was this old PC and I had covered enough attacks to know that when someone goes to the extra trouble of planting something in your laptop, often they do it in places that can be very hard to wipe. I was down there by myself and I just was like you know what? I’m just gonna throw it away.
JACK: Okay, so as I was saying earlier, I cannot seem to find exploit developers to agree to an interview. Neither buyers or sellers are willing to talk. Now, I’m not talking about bug hunters who are looking for bugs to submit to companies for a bug bounty reward. I’ve interviewed them. Nor am I talking about the ethical hackers who just want to help make the world more secure by telling companies they’re vulnerable for free, and I have no problem finding people who find bugs to compete in a contest to win cash prizes for their bugs. The most elusive people who I can’t get on the show are people who look for vulnerabilities and then sell them to the highest bidder. Nicole has had that same experience many times, but she’s more determined to get responses and is willing to travel the world to talk to some of these people. Guess what? For this book, she did interview quite a few of these kind of people. But they’re really hard to find. Even though she was in Argentina at Ekoparty, she still had a hard time finding them.
NICOLE: One thing I did notice was there were a lot of young hackers there. I’m talking young like fifteen, fifteen-year-olds. When I would approach them and I would say I’m here, I’m trying to learn more about the exploit market, and they would just kind of scatter. I remember asking Federico Kirschbaum who is a friend and runs the conference and I got to know him very well when I was there, I said I really want to talk to someone who’s selling exploits to governments or brokers. We were standing in the middle of this square at the conference and he said just throw a stone; you’ll hit all – throw a stone in any direction and you’ll hit one. [MUSIC] But they didn’t want to talk to me. It was just a weird scene. It was just people with the skills demoing how they could hack cars or the latest app or enterprise applications on stage. Then after these people would demo what they did on stage, I would see them kind of swarmed by these people who clearly were representatives from governments.
I’ve been called out on this for saying some of them were Middle Eastern but I mean, some of them spoke Arabic. I kept running into them at the conference and I didn’t know where they had come from. They studiously avoided me but sometimes we’d end up in the same conversation, that kind of thing. I asked Fede, like why are they – if they’re interested in buying exploits, why are they going up to the people who just demoed their best exploit on stage? He said oh, they’re not interested in that; they want to know what they’re working on next or what their side hustle is, or what’s the thing they’re not going to demo on stage? Because they know it would make so much more money on the underground grey market for zero-day exploits. So, that made sense. I ultimately ended up sitting down with Ivan Arce who is one of the older godfathers of the scene. One thing that Ivan told me was the next generation has these other opportunities. [MUSIC] They don’t need to just work in the penetration testing business when they can make so much money selling a single zero-day exploit to a government or to a government broker.
They can do it tax-free, they don’t have to worry about Argentina’s inflation problems, they don’t have to – this isn’t taxable income, and it has this fun James Bond element to it. So, there is this entirely new generation of Argentina exploit developers who are not using this for penetration testing. But I found that they can make a lot of money and live pretty large in Buenos Aires by selling these capabilities under the table to governments or front companies or brokers. So, that is sort of how I told the story of the Argentina hacking scene, but none of those young Argentine exploit developers who sell them would talk to me. They really did studiously avoid me until maybe the very last day of the conference. Then later when the book came out, it was funny because some of them said oh, I thought – I would have told you more but I could have sworn you were a CIA agent or a fed.
JACK: So, let’s back up for a second; how did we get [00:20:00] here where our current world consists of people making exploits in secret and selling them to secret entities all under the table? Well, it wasn’t always like that. I think to understand how we got here, we should rewind to when Microsoft was still a young company.
NICOLE: [MUSIC] Microsoft was really, in particular, trying to play catch-up with Netscape on the internet. They really missed the boat on the internet. They dominated the PC market but they just didn’t see the internet coming. So, they were racing to catch up and they were just putting out this crap, these web servers and software that was just riddled with holes because they were more focused on speed and getting this stuff to market and catching up to Netscape than they were with security. So, hackers would find these holes and they told me in those days, there was no 1-800 number to call up Microsoft and say hey, I just used your web server to break into NASA. Those channels didn’t exist yet. Often when they would flag these problems for the companies, they would get ignored or they would get a sternly-worded letter back from the general council. So, they started just dumping these things on forums like Bugtraq which was sort of like an early version of Reddit. You would just dump what you found on Bugtraq and it was in part for the street cred and part to shame these vendors like Microsoft and some microsystems into fixing these holes.
It also gave – a lot of people on those forums were IT administrators, so it kind of gave them a heads-up to these flaws and they could help develop workarounds for their employers and customers. So, there was just – the relationship was very broken. It was only when Microsoft had these very public failures, when these giant worms like Nimda exploited Microsoft problems to essentially impact some of Microsoft’s biggest customers in government and Ford and others that Bill Gates really started to take security seriously. Since then, he wrote this famous memo. I think it was in 2002 called The Open Trustworthy Computing Memo where he said security will be critical to the internet and to software going forward, and we’re going to re-prioritize our organizational structure to make security a real priority. People laughed it off as a joke or a PR stunt, but slowly it became true. Microsoft really started putting channels in place to allow hackers to contact them with flaws.
I heard that they actually had a pretty interesting database where they would track these hackers’ personality quirks and flaws so they knew who to handle with kid gloves, who, if they brought you anything, you needed to stop what you were doing and take it very seriously, and who was just sort of trolling them. Then later, after Google was hacked by China and saw that security was going to be a huge challenge for these companies because now they didn’t have to just worry about fraud; they had to worry about military level criminals and hackers, they had to worry about nation states breaking into their systems. They started improving their security and offering bug bounties to [MUSIC] hackers who brought this code to them.
JACK: Okay, so, at that point we started to see that vulnerabilities were worth money. Microsoft was paying for bugs to get vulnerabilities fixed, but at the same time, nation states around the world were also trying to develop their own bugs and software to collect intelligence from foreign adversaries. So, it became a sort of arms race between governments and Microsoft. No matter what Microsoft offered for bug bounties, the governments were willing to pay a little bit more to get access to zero-day exploits within Microsoft tools. This creates a problem for software companies who want to make secure software.
NICOLE: They were never going to pay the rates that governments and brokers were going to be offering for these tools, right? Like, the going rate for a zero-day exploit that gets you into an iPhone’s IOS software remotely is $2.5 million, although I found one broker in researching the book called Crowdfense that now offers even more than that; they offered $3 million for that same capability, so we’re getting out-priced these days by other countries. But Apple was never going to be able to match that, and Apple was one of the last companies, major companies, in Silicon Valley to start offering a bug bounty for these tools. They offer a pretty good [00:25:00] price, but they’re never going to match government prices, nor would they really want to because they don’t want to incentivize their own security engineers from essentially leaving the company and making more money on the outside. There’s a very careful calculus at play.
JACK: Those are the options here; either you can be ethical and sell your bugs to software makers or you can shop around on the grey market where they’ll potentially buy vulnerabilities for much more. But still, you might be wondering what governments would even be interested in buying exploits? Well, I think to answer that, we should go back even further in time, before the internet was even here, back to the Ronald Reagan era. It was there where Nicole found an interesting story where all this started.
NICOLE: I was really worried. I had a lot of anxiety about doing this book because I wanted to have a character represent one slice of the industry, but the slice of the industry I really worried about was the US government because all of these programs are classified. Who was going to talk to me about the development of America’s offensive cyber-exploitation programs? I was really worried about this. One day I was at work and I was sitting at my cubicle desk and I was sort of ruing about this out loud, like god, who am I gonna get from the NSA to talk about this? John Markoff, who’s my predecessor at The New York Times, covered cyber-security for twenty-something years, said oh, you should just talk to the godfather of cyber-war.
[MUSIC] I was like, what? He’s like oh yeah, Jim Gosler. I think that’s his name. He was like, I’ll send you an e-mail with his name. So, he sends me this e-mail with this guy’s name. I’d never heard of him. I start asking around; no one in the InfoSec Twitter world had ever heard of him. But I start asking every time I had the opportunity to interview a US leader of one of these intelligence agencies over the last seven years. I would make a point to ask them who do you think – if you had to name one person who’s the godfather of American cyber-war, who would you say? They all without fail said oh, James Gosler. So, one day I called James Gosler and he had spent the bulk of his career at Sandia National Labs which is one of the nuclear labs that develops the components and evaluates the components that make its – make their way into our nuclear arsenal.
But he had also spent a large chunk of his career at the NSA and the CIA. So, he’s a terrific guy. I say this in the book; he looks like Santa Claus. When I told him that, he laughed and said some people would probably describe me more as Satan, but okay. He lives in Nevada out in the desert these days, outside Las Vegas, and he was retired by the time I got in touch with him. He was really careful to not tell me anything classified. But one thing he could point to was this operation called Project Gunman.
JACK: The French intelligence service told the US government that they found Russian bugs listening to their communications. They warned the US that we should assume the Russians are spying on us, too.
NICOLE: We started to suspect that someone had planted a bug inside the US embassy in Moscow or something worse than a bug. We started to suspect that the Soviets were essentially capturing all of our communications and even our unspoken communications. We were worried that there might be a mole at the embassy.
JACK: [MUSIC] This investigation was kicked off by the NSA and was code-named the Gunman Project. It started in 1983 but was signed and approved by President Ronald Reagan in 1984.
NICOLE: We looked around at our inventory and at that point, we were actually building a new embassy in Moscow which had become a total disaster because they were finding bugs in the concrete of the construction and it was clear that basically the entire new embassy was becoming a Soviet listening device and it was gonna be years before we were going to be confident that we could move in without just being surveiled 24/7. So, we knew we had to find the bug in the machinery inside the existing embassy. So, Reagan essentially approved this project. You get all of the embassy’s equipment, everything with a plug, back to Fort Meade from Moscow, to do it in a way that the Soviets would not have the ability to intercept the machinery en route back to Fort Meade and remove their bugs, and that we would x-ray and evaluate every last piece of equipment at the embassy at Fort Meade in search of the bug. [00:30:00] They gave it six months, and I think it took a hundred days just to get all that machinery back to Fort Meade without giving the Soviets any opportunity to intercept it as it was making its way back.
Then they tapped I think something like two dozen of the NSA’s best analysts to work out in this trailer in the parking lot at Fort Meade and basically search this gear for any evidence of a bug, and they were sure that it was going to be in the crypto-gear. But they went through all the crypto-gear and they put it through x-rays and they couldn’t find a bug. They went through the teleprinters and everything that had been bugged at the French embassy and they couldn’t find the bug. Then finally, they did an x-ray of a typewriter that – they had discovered sort of an extra coil sitting on the back and they ran it through the x-ray machine. Lo and behold, what they found in that coil was the most sophisticated exploit that we had ever seen. [MUSIC] It was a tiny magnetometer that recorded the slightest disturbance in the Earth’s magnetic field. Then next to it was a device that would catalogue and record each disturbance from each typewritten stroke, and then send it to a radio – via radio to a listening unit that was buried in the embassy’s chimney and relay it to the Soviets. The Soviets could turn it off when they’re – when they knew there were inspectors in the area.
By the time we found that bug and did a full inventory of all the typewriters at the embassy, we learned that the Soviets had been in Americans’ typewriters at embassies and consulates all over Russia for something like seven or eight years and had been capturing all of our communications in unencrypted form that way. So, what Jim Gosler told me was you need to go back and learn as much as you can about Project Gunman, because that was really our a-ha moment. Before that, we were just living in La-La Land. After that, we realized that if we did not catch up to the Soviets in terms of our own exploitation, if we weren’t trying to find a way to capture every last communication from every new technology that hit the market, we would probably lose the Cold War and worse, we would never catch up to the Soviets in terms of espionage capabilities. So, that is what kickstarted this off. What I learned from more general conversations with Jim Gosler and then others and then the Snowden documents, it was very clear that any time any new technology came on the market, the NSA was finding ways inside, ways to implant itself inside.
JACK: So, yeah, that was it. After the Gunman Project in 1984, it was clear to the US that the Soviets would go to great lengths to embed themselves in communication devices. So, the US government had to figure out ways to embed themselves in devices, too. At first, the US government wanted to figure out a way just to make a backdoor into US-made devices, but the tech community would always quickly point out how backdoors are vulnerable. So, the US government had to figure out how to find exploits in software and communication channels to break into them to collect their intelligence. Of course, it’s not just the US and Russia who go to great lengths to spy on other countries. There are many other countries in the world who either have or want this capability. But you might think doesn’t the NSA have their own research and development lab to create their own exploits? Well, yeah, they do. But things are changing over time.
NICOLE: Well, I think for a long time, the NSA didn’t play in the zero-day market. They had the best cryptographers and hackers and operations people in-house, so they didn’t have to play in this market. So, when I talked to one of the original zero-day brokers, what he said was the NSA didn’t really play in this market for a long time. The biggest business that these private exploit developers and brokers had was with other agencies who were trying to play the NSA’s game but didn’t have the same talent pool in-house. So, agencies like the CIA and some I had never heard of – like, the Missile Defense Agency I learned played in this market. I had never heard of the Missile Defense Agency until someone who sells zero-day exploits told me that they sold to the Missile Defense Agency.
I guess it makes sense because if you want to somehow perhaps interfere with North Korea’s missile launching tests, then you want to get into the missile systems. Or if you want to find out what the schedule is [00:35:00] for North Korea’s missile launches, you’d want to hack into the systems that contain details about the dates they plan these tests. So, it makes sense that they would be participating in this market. But for a long time, the NSA did not because they had a lot of these capabilities in-house. But then later, thanks to Snowden, we know that there was a line item added to their black budget, and it wasn’t very big; it was something like $25.1 million to buy these capabilities in 2013. We know that they have purchased these vulnerabilities from the outside.
JACK: We know the NSA was buying exploits from outside contractors, and they would do this very covertly, so there’s not much information about who they’re buying from or what they’re buying. After all, if we knew what they were buying, the software company would just patch it and would instantly make that million-dollar vulnerability worthless. But Nicole was able to talk with some former NSA employees to learn more.
NICOLE: [MUSIC] Yeah, so, some of the people I talked to were basically among the top hackers within Tailored Access Operations, the NSA’s hacking unit. Some of them, when I talked to their former colleagues, were described as the guy you’d go to for the impossible. When you cannot get into that terrorist’s cell phone, what do you do? You would go to one of these guys and they would find a way around it whether it was hacking their cleaning lady or their spouse or finding something in their house to plant a bug in, that kinda thing.
JACK: Okay, so there’s this group of people who were at the NSA who were one of the best that the NSA had for hacking into target computers. They saw this shift in the wind that the NSA was paying huge amounts for exploits while their pay was just government office salaries. On top of that, there was a lot of bureaucracy. They loved the mission but got frustrated with all the red tape that they constantly had to go through. It was slowing them down and frustrating them.
NICOLE: They left together and they started Vulnerability Research Labs. The goal was to develop really reliable click-and-shoot espionage tools for their former employer and for these other agencies, and then eventually Five Eyes. What they could do on the outside that they couldn’t do on the inside was really interesting. They were all American but being on the outside, they could buy zero-days from hackers in other countries. Then they would use their fuzz farms and their skills to essentially turns these into very slick, seamless click-and-shoot tools for their former employer and these other agencies.
One of the things they said was when they were in the agency, one of the biggest problems was when it came time to deploy a zero-day exploit that was sitting in their stockpile, oftentimes it didn’t work. It just didn’t work with that particular system or it crashed systems on the other end which is a big problem when you’re running these operations, because you don’t want to tip off the target. Obviously if your computer suddenly crashes for no reason, then you become suspicious if you’re a high-value, paranoid target. So, they really worked on the reliability and click-and-shoot elements of these tools and would turn over – develop this reputation for developing some of the easiest to use, most reliable tools that some of these agencies use.
JACK: Interesting stuff. Some of the best hackers within the NSA turned into independent contractors so they could work faster and make more money, but were on the outside? This is one of those things that someone like Microsoft is afraid of, too. If they pay too much for bugs, then some of their internal bug hunters might decide to quit but keep doing the same thing; just make more money on the outside. But I wonder what does it look like in the NSA when you’re trying to break into a foreign adversary? How do you know what top-secret tools you can use? Is there a list of what exploits the NSA has in their arsenal? Or is there a book of something to flip through to find what’s the right exploit for the job?
NICOLE: I have a hard time visualizing it, too. The only thing that I was really told was that basically they have a catalogue that – when they want to get into a certain system, they can check in and see what they have in their catalogue. But I don’t know if that catalogue is on a hard disc, I don’t know if it’s run by a certain secret software that no one else uses. I don’t know what it actually looks like exactly.
JACK: Yeah, and then the team at VRL, do they have to demonstrate it? Do they come in for training and [00:40:00] say alright, here’s how to use these things? There’s a whole…
NICOLE: Those are all great questions. I know they did do trainings, but one of the things that he told me was once they sold it, what they didn’t get to do is what they got to do at the agency which was they got to actually push the button and use it and see what it turned over on the other side. That is what you don’t get to do once you leave these agencies, is you don’t get to be involved in the actual mission. What they said was we just got these things working and then we threw it over the fence, and we didn’t really know how they got used. We used to work at that agency, so we had a good idea of how these were used, but as someone put it to me under Trump, they didn’t know if the use cases were changing or there was more leeway being given in terms of how these capabilities would get used or who they would get used against. It started to change their own moral calculus a little bit.
JACK: Yeah. Yeah, and that is an interesting question. I don’t know if we can – I don’t know where else to go with this interview because it’s just so great so far and wherever you go, it’s – I do love exploring all these ideas that come up.
NICOLE: Mm-hm. Don’t you feel weird even talking about it in the open on a microphone? This is – for whatever reason, this is Fight Club. No one talks about this.
JACK: [MUSIC] It does feel weird because it’s a really weird situation. Software companies like Microsoft take their security very seriously, but their own government is trying to find flaws in Microsoft products in order to collect intelligence from foreign adversaries, so it’s almost like the US government is enemies with Microsoft, especially since Microsoft has to do damage control of stuff that the NSA has known about for years.
NICOLE: We discovered Flame, which we believe was maybe the precursor to Stuxnet, that was either US-Israeli or just US or just Israeli that was being used to spy on Iranian systems. That utilized – that exploited the Microsoft software update mechanism which is the – such a point of trust between Microsoft and its customers. If you can’t trust that the prompt you’re getting that you need to update your software is coming from Microsoft and not the NSA or Unit 8200 in Israel or whoever, then that is a real problem for the company. When Flame was discovered and when it was discovered that it was exploiting the Microsoft software update mechanism, people inside Microsoft lost their heads. They could not believe that their own government potentially was exploiting their software and this communication channel, this trusted communication channel with customers to hack Iranian systems, that they would basically throw Microsoft under the bus in the name of espionage and battlefield preparations.
They were already reeling from that, and then the Snowden leaks didn’t improve the situation. At first, when The Guardian and others dropped those documents, the Prism slides, it looked like the NSA had some secret backdoor in Microsoft systems. Later we would learn that was not the case. But in terms of perception, it was a huge PR nightmare for the company and hugely destructive for the relationship between Microsoft and government and the fact that Microsoft couldn’t even come out and say wait a minute, no, we do not give the government real-time access to our servers, but we do comply with lawful requests. But we can’t tell you how many we get a year. They started fighting those battles in court. But over and over again when the NSA was hacked by Shadowbrokers; we don’t know who Shadowbrokers are, but we know that they dumped an exploit online that contained a zero-day in Microsoft’s code that the NSA had held onto for more than five years.
When I dug into that exploit and I interviewed people at the agency, they knew that that code – they likened it to fishing with dynamite. They knew that that code that they were using, which by the way was netting some of the best counterintelligence they got, they told me, would have been extremely dangerous in the hands of anyone else. Lo and behold, after it was hacked and dumped online by the Shadowbrokers, it was picked up by North Korea and it was picked up by Russia. It was used in a NotPetya attack which cost FedEx $400 million and decimated vaccine production lines at Merck and [00:45:00] set a – turned off the radiation monitoring systems at the Chernobyl nuclear site and took out the production lines in Tasmania, the Cadbury Egg chocolate factory. It was clear that by holding onto that code for that long, we were leaving Americans at risk if that ever got out, and it got out.
JACK: The other thing the US government is known to do sometimes is to go to software companies and try to get these companies to just give them secret access to their products.
NICOLE: What happened was I was part of a team at The New York Times with ProPublica and The Guardian that got access to the Snowden documents. It was clear that the NSA knew that there was a – that the NSA could break through this essentially weak random number generator and were pushing the international standard bodies that set encryption standards to use this weak random number generator that the agency could break. [MUSIC] So, I wrote about that, and then Joe Menn at Reuters did a subsequent story where he found out that actually, it appeared that the NSA might have actually been paying RSA to bake these weak number generators into some of their security products. So, still unclear what exactly happened there. But it looked like once again the US government was pushing this vulnerable system into commercial products because it enabled them to conduct espionage. Once again, it’s just another example of the trade-off that the US was willing to make in the name of national security but would have left Americans more vulnerable.
JACK: Like I was saying, it’s not just the US government that’s doing this. There’s governments all over the world now using computers and exploits to break into communication channels to collect intelligence. Some countries like China use these exploits to spy on their own people. North Korea uses these cyber-capabilities to make money by robbing banks and launching ransomware on the world. It seems like the cards are stacked against us when it comes to securing our lives. It’s very asymmetrical because if you become the target of a government cyber-attack, they pretty much have endless resources to get what they want, and you simply won’t be able to defend yourself effectively. Of course, when a government becomes so secretive, it becomes much less transparent. We know less and less about what they’re doing in cyber-space which means we have to trust them more and more. But look at some of our political leaders; they didn’t grow up with computers and they don’t understand the nuances of what goes on in the wires. So, I’m not confident that tech-illiterate leaders can lead effectively in the digital age.
We need people who understand this even at a basic level so they can make good decisions for our future. For the last few decades, countries around the world have been watching the US to see how they should act when conducting digital espionage. When you have the US doing things like developing exploits and sabotaging nuclear enrichment facilities only to deny that they had any involvement with it, that’s what other countries will see and follow and do, too. Nations around the world now are acting like there’s no consequence for hacking into foreign nations or companies or people. They’ll develop or buy exploits to use and keep them extremely secret. I don’t know, when the world is connected in the way it is now, it just seems like we’re all headed towards a major catastrophic digital disaster. That kind of thing freaks me out sometimes. So, I think I’ll sign off here and go make another backup of my digital life and store it in a Faraday cage and bury it underground somewhere.
(OUTRO): [OUTRO MUSIC] A big thank you to Nicole Perlroth for coming on the show and telling us about this. Look, her book is top-notch and amazing, and when you’re done with it, you’ll find yourself staring out the window contemplating the meaning of life. It’s thought-provoking and gives you an incredible peek into the esoteric world of zero-day brokers that no one has exposed before like the way she has. The book is called This Is How They Tell Me the World Ends. I’ll have an affiliate link to both Amazon and Audible in the show notes. If you’re new to Audible, you can get the book for free through my link. This show is made by me, the lone survivor, Jack Rhysider. Sound design was done by the synth known as Andrew Meriwether. Editing help this episode by the railroad veteran Damienne and our theme music is by the brotherhood of steel recruit, Breakmaster Cylinder. Even though – alright, I can’t think of a joke, so let’s try this; okay Google, [BEEP] tell me a joke.
GOOGLE: [00:50:00] Your privacy…
JACK: What? This is Darknet Diaries.
[OUTRO MUSIC ENDS]
[END OF RECORDING]