Darknet Diaries - 98: Zero Day Brokers
Episode Date: August 3, 2021

Zero day brokers are people who make or sell malware that's sold to people who will use that malware to exploit people. It's a strange and mysterious world that not many people know a lot... about. Nicole Perlroth, who is a cybersecurity reporter for the NY Times, dove in head first which resulted in her writing a whole book on it.

Affiliate link for book: This is How They Tell Me The World Ends (https://www.amazon.com/gp/product/1635576059/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1635576059&linkCode=as2&tag=tunn01-20&linkId=0aa8c966d98b49a7927bfc29aac76bbe)
Audiobook deal: Try Audible Premium Plus and Get Up to Two Free Audiobooks (https://www.amazon.com/Audible-Free-Trial-Digital-Membership/dp/B00NB86OYE/?ref_=assoc_tag_ph_1485906643682&_encoding=UTF8&camp=1789&creative=9325&linkCode=pf4&tag=tunn01-20&linkId=31042b955d5e6d639488dc084711d033)

Sponsors
Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.
Support for this show comes from Privacy.com. Privacy allows you to create anonymous debit cards instantly to use for online shopping. Visit privacy.com/darknet to get a special offer.

Sources
Nicole's Book: This is How They Tell Me the World Ends
https://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html
Transcript
Hey, it's Jack, host of the show. I've been making this show about cybercrime for a few years now.
I've interviewed attackers, defenders, black hats, white hats, law enforcement, even nation-state actors.
But there's one type of person who always refuses to be interviewed for the show.
And that's people who find vulnerabilities and sell those exploits to governments or companies that will use it to attack people with.
This is the gray market for exploits.
It's completely legal since it's often governments who buy the exploit,
but it's just very secretive.
Maybe there's NDAs behind each deal,
where the people who bought it want the exploit to remain as unknown as possible.
And on top of that, they don't want anyone to know they just acquired it.
Because if someone buys an exploit for, say, $100,000,
it's like buying a weapon. Someone can use that to access a victim's device without them knowing.
But that expensive weapon can instantly become worthless if it becomes known to the vendor,
and they create a patch for it. In fact, that's where the name Zero Day comes from,
that vendors have known about the exploit for zero days. In this episode, we get a peek into the secret world of zero day brokers. So come on,
let's check it out. These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites.
And continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy. Take control of your data
and keep your private life private by signing up for Delete Me. Now at a special discount for
Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet
at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and
enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code Darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information
Security world-class in security training. You can learn things like penetration testing,
securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and
find links to their webcasts to get some world-class training. That's blackhillsinfosec.com.
So first of all, who are you and what do you do?
I am Nicole Perlroth, and I am a cybersecurity and digital espionage reporter at The New York Times.
Wow, that sounds exciting.
So as you are a cybersecurity reporter and digital espionage reporter, have you ever been a victim or target of an attack because you are investigating something?
Yes. So I have been a target and a victim, although I don't know to what extent.
So I talk about how my first real experience with journalists being a legitimate target for nation state spies
was within a year of joining the Times, the Chinese military, we actually still don't
know if it was the military or a contractor, hacked the New York Times.
And I was tipped off to it.
And to the Times' eternal credit, they let me embed with our security team and Mandiant,
which wasn't owned by FireEye yet, and the FBI.
And for several months, we watched the guy we called the Beijing summer intern
roll into our systems at 10:30 in the morning Beijing time
and roll out at 4:30 or 5 p.m. Beijing time in search of our sources. They weren't after me.
They were actually after the sources for a colleague of mine, David Barboza's stories about
some of the corruption going on in China's ruling families. And funny enough, his sources for those
stories were just public documents. There was no real anonymous source.
But nevertheless, they were crawling around our systems.
And one of the fears we had was that it might be a kind of destructive attack.
They might try to shut down our printing ahead of a big event like the election that year.
So we really didn't know what they were doing at first.
And then slowly it became clear they were after our sources. So that was my first front row seat to the lengths that nation states would go to try to get access to journalist sources.
Whoever got into the New York Times was in the network during the 2012 U.S. presidential election, which you can probably imagine how much of a huge embarrassment
it would be if the newsroom got taken down on the night of the election results. But whoever got in
wasn't there to sabotage the Times. This was an espionage attack. Malware was installed on a
computer in the New York Times network, which gave an attacker access to the network. And from there,
the attackers gained access to 53 computers belonging to New York Times employees. But the focus seemed to be looking
through the reporters' computers who covered China. And this attack originated from a university in
China, and the malware used seemed to be something that Chinese hackers use frequently. Once the
Times found
that this attacker was in the network, they were able to lock them out and clean the systems that
were infected.
It was funny, actually. It was only later after we published that one of my
colleagues said, oh, by the way, I meant to tell you that I showed up at work one day and my entire
computer was gone and all these wires were just sitting on my desk. And there was
just a note that said, took your computer. You know, it's not going to return. And it turned
out his computer had been used to stage some of the attacks on other accounts in the Times.
So what does a big news agency do when they
discover that some unauthorized person is in their network connecting from China
for at least four months? Because sometimes when a company admits that they were hacked,
there's some big public shaming that follows. It's embarrassing to admit such things.
Their stock could take a big tumble and executives could lose their jobs.
Well, it was so interesting because they didn't want me talking about it.
So I couldn't actually talk about what I was doing beyond my immediate editor and his editor.
There were only maybe three or four people in the newsroom who knew what I was working on for several months.
But I never mentioned it in
story meetings and that kind of thing because we were really keeping it quiet until we felt
confident that we had eradicated them from our systems. We had these last minute discussions
at the New York Times. And I remember some of the editors gut checking and just asking, wait, should we publish this story?
What will the Wall Street Journal and the Washington Post say?
And I said, they're not going to say anything because there's a very good chance that they were hacked too.
And so we came out, we decided to publish this story and it changed everything. It was a time when so many companies had been infiltrated by Chinese hackers
and their intellectual property had been stolen and no one wanted to talk about it.
Everyone feared that it would put a scarlet letter on their brand
or lower their stock price or lead to class action lawsuits.
So we were one of the first companies after Google's hack in 2009, 2010, that on Twitter and said, we were also hacked.
We were also hacked. It was almost like you weren't cool unless you had been hacked by China.
So it really helped shift the conversation, I think, away from victim blaming to this is a gigantic problem and newsrooms are facing it and American companies and Western companies all over the world
are facing this, and it's been going on for a really long time, and we need to start talking
about deterrence and penalties and defense. So the Times published an article titled
Hackers in China Attacked the Times for the Last Four Months. Other news agencies started speaking
up and admitted they were hacked by China too.
China saw people were blaming them
and gave a public response to all these accusations.
According to some investigative results,
which showed no proof and had groundless evidence
and baseless conclusion,
China had participated in online attacks.
That is a totally irresponsible conclusion. China is also a victim of online
attacks. China's laws clearly ban online attacks. Well, it's true that in 2012, when this happened,
there was an agreement between the US and China that neither country would hack into companies
in the other nation. So this was against the rules laid down
in the agreement. But it was clear from all these companies that were coming forward that China
wasn't respecting that agreement.
And since that happened, I've been a complete paranoid tinfoil hat person when it comes to protecting my sources.
And this was a good lesson for her to learn because a few years later, Nicole became the target of online attacks.
It was other stuff.
Then it was getting a security alert from our internal security team saying, hey, someone on the dark web is advertising good money to anyone who can get them access to your phone and your email account.
And this was a few years ago,
but most people knew I was working on this book in this trade.
And I don't know whether it was related to the book
or it was related to one particular story
or maybe I just pissed someone off on Twitter.
But it's never a good feeling to know that someone on the dark web
is offering money to people to hack your phone or your computer. So I would say that was probably one of the scariest things I went through.
Yikes, that is scary. But let's talk about her book. Earlier this year,
Nicole published a book called This Is How They Tell Me The World Ends. I read it cover to cover,
and I thought I was tuned into this world, but even I was picking up my jaw off the floor sometimes. Nicole really did some top-notch
investigations into the zero-day market. She wanted to find out who's out there developing
exploits and who they're selling them to. So we're going to use the term zero-day a lot in this
episode, and I want you to understand what it is so you're not lost. A zero-day exploit is basically
a vulnerability in software that the makers of that software don't know exists yet.
It's called zero-day because the vendor has been aware of it for zero days, which means the vendor
is completely unaware of it, so it goes unfixed for some time. So a zero-day is a working exploit
that nobody knows about except the person who found it and whoever they give it to. Now for
Nicole to research this story,
she traveled all over the world,
meeting with zero-day developers and brokers.
Okay, so I went down to Argentina
because I kept hearing over and over again
that some of the best zero-day exploit developers
were in the Southern Hemisphere,
that they were in Argentina.
So I had met an Argentine hacker
by the name of Cesar Cerrudo. He had approached me because he was really focused on smart cities and the vulnerabilities of smart cities. And he had done this proof of concept hack of traffic lights, where he'd actually been able to hack into the traffic light system in DC and I believe Manhattan too.
And so I had worked with him on putting a story together. And I had the opportunity to talk to
him a little bit about this Argentine exploit development scene that I'd kept hearing about.
And he said, you should really come down and come to Echo Party, which is a big
hacking conference every year in Buenos Aires.
So that year, I pitched my editors on doing a story about the conference and I went down
and I stayed in Palermo, which is a really nice kind of hip neighborhood in Buenos Aires.
I stayed in this boutique hotel.
I was hanging out with these hackers and noticing that there were clearly people
from front companies there
who were interested in buying their zero-day exploits.
And, you know, I talked to some of the sort of godfathers
of the Argentine hacking scene
who really made clear that Argentina had become
what they called the India of exploit development.
That is, people outsource a lot of their software engineering to India.
And in their minds, Argentina had become this big outsourcing hub for exploit development.
This is where governments and front companies and brokers came to purchase zero-day exploits that they could use for their stockpiles of offensive
cyber espionage tools. So one night I went out and I'd always been really careful to
bring basically pen and paper to these conferences. Ever since that Chinese hack, I realized that
the biggest thing that I needed to protect was my sources and my conversations with sources.
So I have been very old school about using pen and paper, about bringing burner laptops and devices to these conferences.
If I have to, I'll use Signal, the encrypted messaging app. But usually with my most sensitive conversations,
I have one source that we just meet up once a month on the same day at the same place and we
don't bring our devices and we don't ever email about those meetings. We just show up with pen
and paper and I take notes. And that is how I protect those conversations. But in this case,
I had brought a burner laptop down with me.
I never opened it
because it was so clunky and useless
and I just write quicker sometimes with pen and paper.
And I'd put it in the safe in my hotel room.
And that night I'd gone out by myself
and I came home
and the door to my hotel room was open.
The safe was open.
There was still the cash I'd taken out from the Cueva sitting on a table.
So no one had stolen anything.
And when I first saw the door open, I thought, oh, maybe, you know, they're doing late turndown service or something.
But the door to the safe was open with my laptop in it and my laptop was in a different position.
And so I don't know what happened. Someone clearly opened the safe.
They moved it around. They didn't take any money, but they also left my door open. So I never knew
whether they actually did something or put something on the laptop or looked at the laptop
and saw that there was nothing there or whether they just left it open to scare me or
send a message. But regardless, I just took it, put it in the plastic garbage bag that was sitting
in the bathroom, brought it back down to the lobby and threw it in the trash can.
This whole thing away.
Yeah, I just threw the whole thing away. I mean, I never used it. It was like this old PC and I had covered enough
attacks to know that when someone goes to the extra trouble of planting something in your laptop
often they do it in places that can be very hard to wipe. And I was sort of down there by myself
and I just was like, you know what, I'm just going to throw it away.
Okay. So as I was saying earlier, I cannot seem to find exploit developers to agree to an interview.
Neither buyers or sellers are willing to talk.
Now, I'm not talking about bug hunters
who are looking for bugs to submit to companies for a bug bounty reward.
I've interviewed them.
Nor am I talking about the ethical hackers
who just want to help make the world more secure
by telling companies they're vulnerable for free.
And I have no problem finding people who find bugs to compete in a contest to win cash prizes for their bugs. The most elusive people who
I can't get on the show are people who look for vulnerabilities and then sell them to the highest
bidder. Nicole has had that same experience many times, but she's more determined to get responses
and is willing to travel the world to talk to some of these people. And guess what? For this book, she did interview quite a few of these kind of people,
but they're really hard to find. Even though she was in Argentina at Echo Party, she still had a hard time finding them.
One thing I did notice was there were a lot of young, young hackers there. You know, I'm talking young, like 15, you know, 15 year olds.
And when I would approach them, and I would say, you know, I'm here, I'm trying to learn more about
the exploit market. And they would just kind of scatter.
And I remember asking Federico Kirschbaum, who is a friend and runs the conference,
and I got to know him very well while I was there.
I said, I really want to talk to someone who's selling exploits to governments or brokers.
And we were standing in the middle of the square at the conference.
And he said, just throw a stone.
You'll hit all of it.
You throw a stone in any direction and you'll hit one.
But they didn't want to talk to me.
So it was just a weird scene. I mean, it was just people with the skills, you know, demoing how they could hack cars or, you know, the latest app or enterprise applications on stage.
And then after these people would demo what they did on stage,
I would see them kind of swarmed by these people
who clearly were representatives from governments.
And I've been called out on this
for saying some of them were Middle Eastern,
but I mean, some of them spoke Arabic.
I kept running into them at the conference and I didn't know where they had come from.
And they studiously avoided me.
But, you know, sometimes we'd end up in the same conversation, that kind of thing.
And I asked Fede, like, why are they, you know, if they're interested in buying exploits, why are they going up to the people who just demoed their best exploit on stage?
And he said, oh, they're not interested in that.
They want to know what they're working on next or what their side hustle is or what's the thing they're not going to demo on stage
because they know it would make so much more money on the underground gray market for zero-day exploits.
So that made sense. And I ultimately ended up
sitting down with Iván Arce, who is one of the older godfathers of this scene.
One thing that Iván told me was, the next generation has these other opportunities.
They don't need to just work in the penetration testing business when they can make so much money selling a single zero-day exploit to a government or to a government broker.
You know, they can do it tax-free. They don't have to worry about Argentina's inflation problems.
They don't have to, you know, this isn't like taxable income. And it has this fun James Bond element to it.
So there is this entirely new generation
of Argentina exploit developers
who are not using this for penetration testing,
but have found that they can make a lot of money
and live pretty large in Buenos Aires
by selling these capabilities under the table
to governments or front companies or brokers.
So that is sort of how I told the story of the Argentina hacking scene.
But none of those young Argentine exploit developers who sell them would talk to me.
They really did studiously avoid me until maybe the very last day of the conference.
And then later when the book came out, it was funny because some of them said, oh, I thought I would have told you more, but I could have sworn you were a CIA agent or a Fed.
We're going to pause for a quick break.
We'll be right back.
Stay with us.
This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure
and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk and what to remediate
is critical for protecting you and your users from account takeover, session hijacking,
and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals'
ability to profit from stolen data. With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third-party breaches, successful phishes,
or infostealer infections.
Get your free Darknet exposure report
at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
So let's back up for a second.
How did we get here, where our current world consists of people making exploits in secret
and selling them to secret entities all under the table?
Well, it wasn't always like that.
And I think to understand how we got here, we should rewind to when Microsoft was still a young company.
Microsoft was really, in particular, trying to play catch up with Netscape on the internet.
You know, they really missed the boat on the internet.
They dominated the PC market, but they just didn't see the internet coming.
And so they were racing to catch up and they were just putting out this crap.
These web servers and software that was just riddled with holes because they were more focused on speed and just getting this stuff to market and catching up to Netscape than they were with security.
And so hackers would find these holes.
And they told me, you know, in those days, there was no 1-800 number to call up Microsoft and say, hey, just used your web server to break into NASA.
Those channels didn't exist yet.
And often when they would flag these problems for the companies,
they would get ignored or they would get a sternly worded letter
back from the general counsel.
So they started just dumping these things on forums like Bugtraq,
which was sort of like an early version of Reddit.
And you would just dump what you found on Bugtraq.
And it was, you know, in part for the street cred,
in part to shame these vendors like Microsoft and Sun Microsystems
into fixing these holes.
It also gave like a lot of people on those forums were IT administrators.
So it kind of gave them a heads up to these flaws
and they could help develop workarounds
for their employers and customers.
So the relationship was very broken,
and it was only when Microsoft just had
these very public
failures when these giant
worms like Nimda,
you know, exploited Microsoft problems
to essentially, you know,
impact some of Microsoft's biggest customers
in government and Ford and others,
that Bill Gates really started to take security seriously.
And since then, you know, he wrote this famous memo,
I think it was in 2002, called the Open Trustworthy Computing Memo, where he said, security will be critical to the internet and to software going forward. And we're going to reprioritize our organizational structure to make security a real priority.
And people laughed it off as a joke or a PR stunt.
But slowly, it became true. Microsoft really started putting channels in place to allow
hackers to contact them with flaws. I heard that they actually had a pretty interesting
database where they would track these hackers' personality quirks and flaws. So they knew who
to sort of handle with kid gloves, who, you know, if they brought you anything, you needed to
stop what you were doing and take it very seriously, and who was just sort of trolling them.
And, you know, then later, after Google, you know, was hacked by China and saw that security was going to be a huge challenge for these
companies because now they didn't have to just worry about fraud. They had to worry about low
level criminals and hackers. They had to worry about nation states breaking into their systems.
They started improving their security and offering bug bounties to hackers who brought this code to them.
Okay, so at that point, we started to see that vulnerabilities were worth money.
Microsoft was paying for bugs to get vulnerabilities fixed.
But at the same time, nation states around the world were also trying to develop their own bugs in software to collect intelligence from foreign adversaries.
So it became a sort of arms race between governments and Microsoft.
No matter what Microsoft offered for bug bounties,
the governments were willing to pay a little bit more to get access to zero-day exploits within Microsoft tools.
This creates a problem for software companies who want to make secure software.
They were never going to pay the rates that governments and brokers were going to be offering
for these tools, right?
Like the going rate for a zero-day exploit that gets you into an iPhone's iOS software
remotely is $2.5 million, although I found one broker in researching the book called
Crowdfense that now offers even more than that. They offer
$3 million for that same capability. So we're getting outpriced these days by other countries.
But Apple was never going to be able to match that. And Apple was one of the last
companies, major companies in Silicon Valley to start offering a bug bounty for these tools.
And they offer a pretty good price,
but they're never going to match government prices,
nor would they really want to
because they don't want to incentivize
their own security engineers
from essentially leaving the company
and making more money on the outside.
So there's a very careful calculus at play.
So those are the options here. Either you can be ethical
and sell your bugs to software makers, or you can shop around on the gray market. Well, they'll
potentially buy vulnerabilities for much more. But still, you might be wondering why governments
would even be interested in buying exploits. Well, I think to answer that, we should go back
even further in time before the internet was even here, back to the Ronald Reagan era.
It was there where Nicole found an interesting story where all this started.
I was really worried. I had a lot of anxiety about doing this book because I wanted to have a character represent one slice of the industry. But the slice of the industry I really worried about was the US government, because all of these programs are classified. And who was going to talk to me about the development
of America's offensive cyber exploitation programs. And so I was really worried about this.
And one day I was at work, and I was sitting at my cubicle desk and I was sort of
ruing about this out loud.
I was like, God, who am I going to get from the NSA to talk about this?
And John Markoff, who's my predecessor at the New York Times,
covered cybersecurity for 20 something years,
said, oh, you should just talk to the godfather of cyber war.
I was like, what?
He's like, oh yeah, Jim Gosler. I think that's his name.
And he's like, I'll send you an email with his name. So he sends me this email, this guy's name.
I'd never heard of him. And I start asking around. No one in the sort of infosec Twitter world had
ever heard of him. But I start asking every time I had the opportunity to interview a U.S. leader of one of these intelligence agencies
over the last seven years, I would make a point to ask them, who do you think, if you had to name
one person who's the godfather of American cyber war, who would you say? And they all without fail
said, oh, James Gosler. So one day I Gosler and he had spent the bulk of his
career at Sandia National Labs, which is one of the nuclear labs that develops the components
and evaluates the components that make their way into our nuclear arsenal. But he had also spent
a large chunk of his career at the NSA and the CIA.
And so he's a terrific guy.
I say this in the book, he looks like Santa Claus.
And when I told him that, he laughed and said, you know, some people would probably describe me more as Satan, but okay.
And he lives in Nevada, out in the desert these days, outside Las Vegas.
And he was retired by the time I got in touch with him.
And he was really careful to not tell me anything classified.
But one thing he could point to was this operation called Project Gunman.
The French intelligence service told the U.S. government that they found Russian bugs listening to their communications.
And they warned the U.S. that we should assume the Russians are spying on us, too.
We started to suspect that someone had planted a bug inside the U.S. embassy in Moscow or something worse than a bug.
We started to suspect that the Soviets were essentially capturing all of our communications and even our unspoken communications.
And we were worried that there might be a mole at the embassy.
This investigation was kicked off by the NSA and was codenamed the Gunman Project.
It started in 1983, but was signed and approved by President Ronald Reagan in 1984.
We, you know, looked around at our inventory.
And at that point, we were actually building a new embassy in Moscow, which had become a total
disaster because they were finding bugs in the concrete of the construction. And it was clear
that basically the entire new embassy was becoming a Soviet listening device. And it
was going to be years before we were going to be confident that we could move in without just
being surveilled 24-7. So we knew we had to find the bug in the machinery inside the existing
embassy. And so Reagan essentially approved this project. You get all of the embassy's equipment, everything with a plug, back to Fort Meade from Moscow to do it in a way that the Soviets would not have the ability to intercept the equipment at the embassy at Fort Meade in search of the bug.
And they gave it six months.
And I think it took 100 days just to get all that machinery back to Fort Meade without giving the Soviets any opportunity to sort of intercept it as it was making its way back. And then they tapped, I think something like two dozen of
the NSA's best analysts to work out in this trailer in the parking lot at Fort Meade and
basically search this gear for any evidence of a bug. And they were sure that it was going to
be in the crypto gear. But they went through all the crypto gear and they put it through x-rays and
they couldn't find a bug. And they went through the teleprinters and everything that had been bugged at the French FSC, and they couldn't find the bug. And then finally, they did an x-ray of a typewriter, and they discovered sort of an extra coil sitting on the back when they ran it through the x-ray machine.
And lo and behold, what they found in that coil was the most sophisticated exploit that we had ever seen.
It was a tiny magnetometer that recorded the slightest disturbance in the Earth's magnetic
field. And then next to it was a device that would sort of catalog and record each disturbance from each typewritten stroke and then send it via radio to a listening unit that was buried in the embassy's chimney and relay it to the Soviets, who could turn it off when they knew there were inspectors in the area.
And by the time we found that bug and did a full inventory of all the typewriters at the embassy, we learned that the Soviets had been in Americans' typewriters at embassies and consulates all over Russia for something like seven or eight years.
And had been capturing all of our communications
in unencrypted form that way.
And so what Jim Gosler told me was,
you need to go back and learn as much as you can
about Project Gunman
because that was really our aha moment.
Before that, we were just living in la-la land.
After that, we realized that if we did not
catch up to the Soviets in terms of our own exploitation,
if we weren't trying to find a way to capture every last communication from every new technology
that hit the market, we would probably lose the Cold War. And worse, you know, we would never
catch up to the Soviets in terms of espionage capabilities. So that is what kickstarted this off.
And, you know, what I learned from more general conversations with Jim Gosler and then others and then the Snowden documents,
it was very clear that anytime any new technology came on the market, you know, the NSA was finding ways inside, ways to implant itself inside.
So yeah, that was it. After the Gunman project in 1984, it was clear to the U.S. that the Soviets
would go to great lengths to embed themselves in communication devices. So the U.S. government had
to figure out ways to embed themselves in devices too. And at first, the U.S. government wanted to
figure out a way just to make a backdoor into U.S.-made devices. But the tech community would always quickly point out how backdoors
are vulnerable. So the U.S. government had to figure out how to find exploits and software
and communication channels to break into them to collect their intelligence. And of course,
it's not just the U.S. and Russia who go to great lengths to spy on other countries.
There are many other countries in the world who either have or want this capability.
But you might think,
doesn't the NSA have their own research
and development lab to create their own exploits?
Well, yeah, they do.
But things are changing over time.
Well, I think for a long time,
the NSA didn't play in the zero-day market.
They had the best cryptographers and hackers
and operations people in-house.
So they didn't have to play in this market.
And so when I talked to one of the original zero-day brokers, what he said was,
the NSA didn't really play in this market for a long time.
The biggest business that these private exploit developers and brokers had was with other agencies who were trying to play the NSA's game,
but didn't have the same talent pool in-house. So agencies like the CIA and some I had never
heard of, like the Missile Defense Agency, I learned played in this market. I had never heard
of the Missile Defense Agency until someone who sells zero-day exploits told me that they sold to the Missile Defense Agency.
And I guess it makes sense because if you want to somehow perhaps interfere with North Korea's missile launching tests, then you want to get into the missile systems. Or if you want to find out what the schedule is
for North Korea's missile launches,
you'd want to hack into the systems that contain details
about the dates they plan these tests.
So it makes sense that they would be participating in this market.
But for a long time, the NSA did not
because they had a lot of these capabilities in-house.
But then later, thanks to Snowden,
we know that there was a line item added to their black budget and it wasn't very big.
It was something like $25.1 million to buy these capabilities in 2013. So we know that they have purchased these vulnerabilities from the outside.
So we know the NSA was buying exploits from outside contractors, and they would do this
very covertly. So there's not much information about who they're buying from or what they're
buying. After all, if we knew what they were buying, the software company would just patch it
and would instantly make that million-dollar vulnerability worthless.
But Nicole was able to talk with some former NSA employees to learn more.
Yeah, so some of the people I talked to were basically among the top hackers within tailored access operations, the NSA's hacking unit.
Some of them, when I talked to their former colleagues, were described
as the guy you'd go to for the impossible. When you could not get into that terrorist's cell phone,
what do you do? And you would go to one of these guys and they would find a way around it,
whether it was hacking their cleaning lady or their spouse or
finding something in their house to plant a bug in, you know, that kind of thing.
Okay, so there's this group of people who were at the NSA who are one of the best that the NSA had
for hacking into target computers. They saw this shift in the wind that the NSA was paying huge
amounts for exploits, while their pay was just
government office salaries. On top of that, there was a lot of bureaucracy. They loved the mission,
but got frustrated with all the red tape that they constantly had to go through.
It was slowing them down and frustrating them. And they left together and they started Vulnerability Research Labs. And the goal was to develop really reliable
click and shoot espionage tools for their former employer and for these other agencies,
and then eventually Five Eyes. And what they could do on the outside that they couldn't do on the inside was really interesting.
You know, they were all American. But being on the outside, they could buy zero days from hackers in other countries. And then they would use their fuzz farms and their skills to essentially
turn these into very slick, seamless click-and-shoot tools for their former employer
and these other agencies.
And one of the things they said was,
when they were in the agency,
one of the biggest problems was
when it came time to deploy a zero-day exploit
that was sitting in their stockpile,
oftentimes it didn't work.
It just didn't work with that particular system
or it crashed systems on the other end, which is a big problem when you're running these operations because you don't want
to tip off the target. And, you know, obviously if your computer suddenly crashes for no reason,
then you become suspicious if you're a high value paranoid target. So they really worked on sort of
the reliability and click and shoot elements of these tools and would turn over,
you know, develop this reputation for developing some of the easiest to use,
most reliable tools that some of these agencies use.
Interesting stuff. Some of the best hackers within the NSA turned into independent contractors
so they could work faster and make more money, but were on the outside. And
this is one of those things that someone like Microsoft is afraid of too. If they pay too much
for bugs, then some of their internal bug hunters might decide to quit but keep doing the same thing,
just making more money on the outside. But I wonder, what does it look like in the NSA when you're
trying to break into a foreign adversary? How do you know what top secret tools you can use?
Like, is there a list of what exploits
the NSA has in their arsenal?
Or is there a book of something to flip through
to find what's the right exploit for the job?
I have a hard time visualizing it too.
The only thing that I was really told was
that basically they have a catalog,
you know, that when they want to get into a certain system, they can
check in and see what they have in their catalog. But I don't know if that catalog is on a hard
disk. I don't know if it's, you know, run by a certain secret software that no one else uses.
I don't know. I don't know what it actually looks like.
And then the team at VRL, do they have to demonstrate it? Do they come in for training and say, all right, here's how to use these things?
Those are all great questions. I know they did do trainings. But one of the things that they told me was, you know, once they sold it, what they didn't get to do is what they got to do at the agency, which was they got to actually push the button and use it and see what it turned over on the other side. That is what you don't get to do
once you leave these agencies is you don't get to be involved in the actual mission.
So what they said was, we just got these things working and then we threw it over the fence and
then we didn't really know how they got used. I mean, we used to work at that agency,
so we had a good idea of how these were used.
But as someone put it to me under Trump,
they didn't know if the use cases were changing
or there was more leeway being given
in terms of how these capabilities would get used
or who they would get used against.
And so it started to change their own moral calculus a little bit.
Yeah. Yeah. And that, that is an interesting question.
I don't know if we can, I don't know where else to go with this interview,
because it's just so great so far and wherever you go,
I do love exploring all these ideas that come up.
And don't you feel weird even talking about it in the open on a microphone?
I mean, this is like, for whatever reason, this is Fight Club.
You know, no one talks about this.
It does feel weird because it's a really weird situation.
Software companies like Microsoft take their security very seriously.
But their own government is trying to find flaws in Microsoft products
in order to collect intelligence from foreign adversaries. So it's almost like the U.S.
government is enemies with Microsoft, especially since Microsoft has to do damage control of stuff
that the NSA has known about for years. We discovered Flame, which we believe was maybe
a precursor to Stuxnet, but was either US-Israeli or just US or just Israeli
that was being used to spy on Iranian systems.
And that utilized, that exploited
the Microsoft software update mechanism,
which is such a point of trust
between Microsoft and its customers.
If you can't trust that the prompt you're getting,
that you need to update your software is coming from Microsoft and not the NSA or
unit 8200 in Israel or whoever, then that is a real problem for the company.
So when Flame was discovered and when it was discovered that it was exploiting the Microsoft software update mechanism, people inside Microsoft lost their heads.
channel with customers to hack Iranian systems, that they would basically throw Microsoft under
the bus in the name of espionage and battlefield preparation. So they were already reeling from
that. And then, you know, the Snowden leaks didn't improve the situation. You know, at first,
when the Guardian and others dropped those documents, the PRISM slides, you know, it looked like the NSA had some secret backdoor in Microsoft systems.
Later, we would learn that was not the case.
and hugely destructive for the relationship between Microsoft and government
and the fact that Microsoft can even come out
and say, wait a minute, no,
we do not give the government, you know,
real-time access to our servers,
but we do comply with lawful requests,
but we can't tell you how many we get a year.
You know, they started fighting those battles in court.
But, you know, over and over again, like when the NSA was hacked by the Shadow Brokers,
we don't know who the Shadow Brokers are, but we know that they dumped an exploit online that contained
a zero-day in Microsoft's code that the NSA had held onto for more than five years.
And when I dug into that exploit and I interviewed people at the agency,
they knew that that code, you know, they likened it to fishing with dynamite.
They knew that that code that they were using, which by the way, was netting some of the best
counterintelligence they got, they told me, would have been extremely dangerous in the hands of anyone else. And lo
and behold, after it was hacked and dumped online by the Shadow Brokers, it was picked up by North
Korea and it was picked up by Russia. And it was used in the NotPetya attack, which cost FedEx,
you know, $400 million and decimated vaccine production lines at Merck and turned off the radiation monitoring systems
at the Chernobyl nuclear site
and took out the production lines in Tasmania
at a Cadbury chocolate factory.
So it was clear that by holding on to that code for that long,
we were leaving Americans at risk if that ever got out and it got out.
The other thing the U.S. government is known to do sometimes is to go to software companies and try to get these companies to just give them like secret access to their products.
What happened was I was part of a team at The New York Times with ProPublica and The Guardian that got access to the Snowden documents.
And it was clear that the NSA knew that it could break through this essentially weak random number generator.
And were pushing the sort of international standards bodies that set encryption standards to use this weak random
number generator that the agency could break. And so I wrote about that. And then Joe Menn at
Reuters did a subsequent story where he found out that actually, it appeared that the NSA might have
actually been paying RSA to bake these weak number generators into some of their security products.
And so still unclear what exactly happened there.
But, you know, it looked like once again, the U.S. government was sort of pushing this vulnerable system into commercial products because it enabled them to conduct espionage.
And, you know, once again, it's just another example of sort of the trade-off
that the U.S. was willing to make in the name of national security,
but would have left Americans more vulnerable.
And like I was saying, it's not just the U.S. government that's doing this.
There's governments all over the world now using computers and exploits
to break into communication channels to collect intelligence.
And some countries, like China, use these exploits to spy on their own people.
And North Korea uses these cyber capabilities to make money
by robbing banks and launching ransomware on the world.
It seems like the cards are stacked against us when it comes to securing our lives.
It's very asymmetrical, because if you become the target of a government cyber attack,
they pretty much have endless resources to get what they want,
and you simply won't be able to defend yourself effectively.
And of course, when a government becomes so secretive, it becomes much less transparent.
We know less and less about what they're doing in cyberspace,
which means we have to trust them more and more.
But look at some of our political leaders.
They didn't grow up with computers, and they don't understand the nuances of what goes on in the wires.
And so I'm not confident that tech-illiterate leaders can lead effectively in the digital age.
We need people who understand this, even at a basic level, so they can make good decisions for our future.
And for the last few decades, countries around the world have been watching the U.S.
to see how they should act when conducting digital espionage.
And when you have the U.S. doing things like developing exploits and sabotaging nuclear enrichment facilities only to deny that they had any involvement with it, that's what other countries will see and follow and do too.
Nations around the world now are acting like there's no consequence for hacking into foreign nations or companies or people.
They'll develop or buy exploits to use and keep them extremely secret.
And I don't know, when the world is connected in the way it is now,
it just seems like we're all headed towards a major catastrophic digital disaster.
And that kind of thing freaks me out sometimes.
So I think I'll sign off here and go make another backup of my digital life and store it in a Faraday cage and bury it underground somewhere.
A big thank you to Nicole Perlroth for coming on the show and telling us about this.
Look, her book is top-notch and amazing, and when you're done with it, you'll find yourself staring out the window,
contemplating the meaning of life.
It's thought-provoking and gives you an incredible peek into the esoteric world of zero-day brokers
that no one has exposed before, like the way she has.
The book is called This Is How They Tell Me The World Ends.
I'll have an affiliate link to both Amazon and Audible
in the show notes, and if you're new to Audible,
you can get the book for free through my link. This show is made by me, the lone survivor, Jack Rhysider. Sound design was
done by the synth known as Andrew Merriweather. Editing help this episode by the railroad
veteran Damien. And our theme music is by the Brotherhood of Steel Recruit, Breakmaster Cylinder.
And even though, all right, I can't think of a joke. So let's try this. Okay, Google. Tell me a joke.
Your privacy.
What?
This is Darknet Diaries.