Published time: September 17, 2013 21:53
The latest revelation regarding the National Security Agency doesn’t come courtesy of Edward Snowden. A Freedom of Information Act request has confirmed the NSA contracted a French company that makes its money by hacking into computers.
It’s no secret that the United States government relies on an
arsenal of tactics to gather intelligence and wage operations
against its adversaries, but a FOIA request filed by Muckrock’s
Heather Akers-Healy has confirmed that the list of Uncle Sam’s
business partners includes Vupen, a France-based security company
that specializes in selling secret codes used to crack into
Muckrock published on Monday a copy of a contract between the NSA
and Vupen in which the US government is shown to have ordered a
one-year subscription to the firm’s “binary analysis and exploits
service” last September.
That service, according to the Vupen website, is sold only to
government entities, law enforcement agencies and computer
response teams in select countries, and provides clients with
access to so-called zero-day exploits: newly discovered security
vulnerabilities that the products’ manufacturers have yet to
discover and, therefore, have had zero days to patch.
“Major software vendors such as Microsoft and Adobe usually
take 6 to 9 months to release a security patch for a critical
vulnerability affecting their products, and this long delay
between the discovery of a vulnerability and the release of a
patch creates a window of exposure during which criminals
can rediscover a previously reported but unpatched vulnerability,
and target any organization running the vulnerable software,”
Vupen says elsewhere on its website.
Last year, Vupen researchers successfully cracked Google’s Chrome
browser, but declined to show developers how they did so — even
for an impressive cash bounty.
“We wouldn’t share this with Google for even $1
million,” Vupen CEO Chaouki Bekrar told Forbes’ Andy
Greenberg of the Chrome hack in 2012. “We don’t want to give
them any knowledge that can help them in fixing this exploit or
other similar exploits. We want to keep this for our
And while the NSA and other clients may benefit from being privy to
these vulnerabilities, knowing how to exploit security holes in
adversarial systems is a crucial component of any government’s
Last month, the Washington Post published excerpts from the
previously secretive “black budget,” a closely guarded ledger,
provided by NSA leaker Edward Snowden, listing the funding
requests made by America’s intelligence community. According to that
document, a substantial goal of the US in fiscal year 2013 was to
use a portion of $52.6 billion in secretive funding toward
improving offensive cyber-operations.
The portion of the contract obtained by Muckrock where the cost
of the subscription is listed has been redacted, but a Vupen
hacker who spoke to Greenberg last year said deals in the
five figures weren’t uncommon.
“People seem surprised to discover that major government
agencies are acquiring Vupen’s vulnerability intelligence,”
Bekrar wrote in an email to Information Week’s Matthew Schwartz
after the NSA contract with his signature was published.
“There is no news here, governments need to leverage the most
detailed and advanced vulnerability research to protect their
infrastructures and citizens against adversaries.”
Critics of Vupen and its competitors see government-waged
cyber-operations in a different light, however. Christopher
Soghoian of the American Civil Liberties Union’s Speech, Privacy
and Technology Project has spoken outright against companies that
sell exploits and has equated the computer code being sold for
big money with a new sort of underground arms trade fueling an
international, online battle. To Greenberg last year, Soghoian
described Vupen as a “modern-day merchant of death”
selling “the bullets for cyberwar,” and upon publishing of
the NSA contract called the company a “cyber weapon