There’s a scary, and perfectly legal, way that hackers are making money these days. They find holes in popular software like Google Chrome, Firefox and Internet Explorer and sell them to spies in this country and others. They aren’t breaking the law as long as they are only selling to NATO-approved countries. But (by most standards) they aren’t behaving ethically because they don’t disclose the holes to the software makers. They don’t want those holes fixed.
There’s a fascinating story in Forbes today about one of the most visible hacker teams, a French firm called Vupen.
They came to media attention earlier this month when they entered the annual Pwn2Own hackathon contest sponsored by HP’s TippingPoint. Google organised a rival contest, paying out $60,000 to two hackers who found holes in its Chrome browser. Google required the hackers to share their hacking techniques so Google could fix the holes. HP’s Pwn2Own didn’t ask the hackers to tell their secrets.
So Vupen ignored Google’s contest and participated in HP’s, saying, “We wouldn’t share this with Google for even $1 million,” Forbes reports. Instead they sell those exploits to governments to use how they wish — such as spying on citizens.
The practice has led privacy advocates like Chris Soghoian at the Open Society Foundations to call firms like Vupen a “modern-day merchant of death,” selling “the bullets for cyber war.”
If you like horror stories, read more about it on Forbes.