Hackers get rich as spy agencies pay for bugs they find in software
Business is booming for geeks as countries and intelligence agencies pay handsomely for flaws they discover in software that can be exploited
On the tiny Mediterranean island of Malta, two Italian hackers have been searching for bugs - not the island's many beetle varieties, but secret flaws in computer code that governments pay hundreds of thousands of dollars to learn about and exploit.
The hackers, Luigi Auriemma, 32, and Donato Ferrante, 28, sell technical details of such vulnerabilities to countries that want to break into the computer systems of foreign adversaries. The two will not reveal the clients of their company, ReVuln, but big buyers of services like theirs include the US National Security Agency, which seeks the flaws for America's growing arsenal of cyberweapons, and US adversaries like the Iranian Revolutionary Guard.
All over the world, from South Africa to South Korea, business is booming in what hackers call "zero days", the coding flaws in software like Microsoft's Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.
Just a few years ago, hackers like Auriemma and Ferrante would have sold the knowledge of coding flaws to companies like Microsoft and Apple, which would fix them. Last month, Microsoft sharply increased the amount it was willing to pay to a maximum of US$150,000.
Increasingly, however, the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran's nuclear programme with a worm that became known as Stuxnet.
The flaws get their name from the fact that, once they are discovered, the user of the computer system has "zero days" to fix them before hackers can take advantage of the vulnerability. A "zero-day exploit" occurs when hackers or governments strike by using the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, that there is a previously undiscovered way to break into a house without sounding an alarm.
"Governments are starting to say, 'In order to best protect my country, I need to find vulnerabilities in other countries'," former White House cybersecurity co-ordinator Howard Schmidt said. "The problem is we all fundamentally become less secure."
Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free, in exchange for a T-shirt or perhaps for an honourable mention on a company's website. Even today, so-called patriotic hackers in China regularly hand over the information to the government.
Now, the market for information on vulnerabilities has turned into a gold rush. Disclosures by Edward Snowden, the former NSA consultant who revealed US spying, made it clear the US is among the buyers of programming flaws. But it is hardly alone.
Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Asia-Pacific countries, including Malaysia and Singapore, are buying, too, according to the Centre for Strategic and International Studies in Washington.
To link sellers and buyers, dozens of well-connected brokers now market information on the flaws in exchange for a 15 per cent cut. Some hackers get a deal collecting royalty fees for every month their flaw lies undiscovered, according to several people involved in the market.
Many technology companies have started "bug bounty" programmes in which they pay hackers to tell them about bugs in their systems rather than have the hackers keep the flaws to themselves - or worse, sell them on the black market. Nearly a decade ago the Mozilla Foundation started one of the first bounty programmes to pay for bugs in its Firefox browser. Since then, Google, Facebook and PayPal have all followed suit. In recent months, bounties have soared.