Vanity Fair has a great piece about zero day exploits, the black market for selling them (to mostly governments, including repressive regimes), how they’re used to spy, and how the whole thing came to be. The story, which is quite long, is built around a particular piece of sophisticated spyware discovered by a couple of researchers, and Apple’s “engineering feat” that patched against the exploits in just ten days.
[Update: Added link to article – Editor]
The piece clocks in at more than 6,500 words, or roughly 6,000 more words than most people will read in today’s age of tl;dr. But boy, it’s a good read, and I encourage everyone to buckle down and gobble it up. Above and beyond the interesting info about security, this excellent piece of journalism helps highlight the need for end-to-end encryption and for companies like Apple to champion it.
Here are some snippets to whet your appetite:
By 2010 a true black market for zero days was emerging beyond the usual black market. The turning point came when a French company named Vupen began to offer bounties for zero days, reportedly as much as $250,000. Vupen insisted its aim was keeping software safe, though many doubted that its intentions were so noble. Companies such as Hewlett-Packard and Microsoft responded with bounties of their own. Though far less than what Vupen and others were paying, these bounties offered white-hat hackers a way to make money while keeping their ethics intact. In addition, as former hackers, they might also end up with lucrative consulting contracts.
Apple managed to issue a “patch” to fix the three zero-day exploits just 10 days after the call, an engineering feat that surprised many of those involved. An Apple spokesman declined comment, but a Silicon Valley security consultant who works closely with the company says, “Apple had never seen anything like this—ever. This was an incredibly sophisticated nation-state attack, kind of breathtaking in its scope. This took a herculean effort on their part to patch it so fast. It was Katy-bar-the-door over there.”
“What these cyber-arms dealers have done is democratize digital surveillance,” says the A.C.L.U.’s Chris Soghoian. “The surveillance tools once only used by big governments are now available to anyone with a couple hundred grand to spend.” In fact, they may be coming to your iPhone sometime soon.
Go read it.