In an article over the weekend, the New York Times dove into the underworld of computer hackers and the black market on which they sell their secrets. Two Italian gentlemen named Luigi Auriemma, 32, and Donato Ferrante, 28, are hackers who spend countless hours finding vulnerabilities in software and then selling them to the highest bidder.
Just a few years ago, hackers like Mr. Auriemma and Mr. Ferrante would have sold the knowledge of coding flaws to companies like Microsoft and Apple, which would fix them. Last month, Microsoft sharply increased the amount it was willing to pay for such flaws, raising its top offer to $150,000.
But increasingly the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran’s nuclear enrichment program with a computer worm that became known as “Stuxnet.”
“Governments are starting to say, ‘In order to best protect my country, I need to find vulnerabilities in other countries,’ ” said Howard Schmidt, a former White House cybersecurity coordinator. “The problem is that we all fundamentally become less secure.”
To show just how lucrative this market has become, brokers are now cropping up to match buyers and sellers, for a 15% cut of the profits, of course.
A broker’s approach need not be subtle. “Need code execution exploit urgent,” read the subject line of an e-mail sent from one contractor’s intermediary last year to Billy Rios, a former security engineer at Microsoft and Google who is now a director at Cylance, a security start-up.
“Dear Friend,” the e-mail began. “Do you have any code execution exploit for Windows 7, Mac, for applications like Browser, Office, Adobe, SWF any.”
“If yes,” the e-mail continued, “payment is not an issue.”
While the market for these vulnerabilities is large, with companies like Microsoft, Google, Facebook, and the like paying hefty fees, they all pale in comparison to the dollars spent by the godfather of the game, the American government. Surprisingly, or maybe not so surprisingly, the U.S. government is at the nexus of this secretive, hacker-driven black market. The roles of law enforcer and law breaker are bent in this shady underworld, as the line between legal and illegal is blurred. One of the Italian hackers summed it up quite succinctly.
“Unfortunately,” he said, “dancing with the devil in cyberspace has been pretty common.”