
HOUSE_OVERSIGHT_018335.jpg

Source: HOUSE_OVERSIGHT  •  Size: 0.0 KB  •  OCR Confidence: 85.0%

Extracted Text (OCR)

safe, “unconnected” neighbor.143 The heat transfer had a simple message: Nothing is safe. Why put such effort, worthy of the deepest physics problems, into the challenge of sneaking into a cellphone undetected? Well, for Seaborn and Dullien, the drive was part of a “discover and publish” effort to keep the overall system clean. It is better to hack, discover and patch than to be hacked, and remain undiscovered. But these “good guy” engineers are racing against different, equivalently sophisticated, less-decently inspired teams. The development and sale of zero-day bugs is, after all, a business. Modern versions of Cap’n Crunch whistles crack access to some of the most essential financial, political and security data stores on the planet. As the power and value of hacking targets has increased, so has the price of the exploits. Public “zero day markets” sponsored by companies like Google and Microsoft pay hundreds of thousands of dollars to researchers who discover holes in their systems. “Better to find them ourselves,” the thinking goes. Though that does not always make the embarrassment less acute when holes are spotted. At one of the most carefully watched public hacking competitions in early 2015, for instance, a skinny, smiling South Korean named Jung Hoon Lee took home $225,000 in prize money by pwning a series of some of the most important, common programs on the planet, Apple’s web browser Safari and Google’s Chrome among them. These systems had been constructed at the cost of hundreds of millions of dollars. They’d been assembled under the gaze of some of the best PhD-led computer scientists in the world. Jung Hoon Lee’s exploits ran through their complete defenses in less than a minute.144 As good and fast as someone like Lee might be, he’s nothing compared to what the best hackers do. They don’t work in public or compete in hotel ballrooms. They don’t brag. And they develop ideas that make $225,000 look like a bargain.
These successors to the Warez Dudes work for cybercriminal billionaires, for intelligence agencies, and even (often) just for themselves. They help find and deploy the sorts of really deep system exploits that enable brazen cyber thefts of millions of pieces of personal data or attacks like the Stuxnet virus, which caused thousands of Iranian nuclear centrifuges to vibrate themselves apart. And they do still more: Most of the attacks we've talked about so far occur in installed, running boxes. But the companies that make those boxes oversee a whole, vulnerable process of building and testing and designing and installing them. And it’s here, with billion dollar budgets at work, that some exploit teams make and leave vulnerabilities that they can later, ruthlessly exploit. Every step of that gestation — from sneaking secrets into early code bases to intercepting and rewiring routers as they ship overseas — is now an opportunity for secret control. Or for unanticipated risk, for “emergent

143 In a video: For a description of this exploit see Mordechai Guri, Matan Monitz, Yisroel Mirski, Yuval Elovici, “BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations” (2015) available on arXiv:1503.07919 [cs.CR]
144 Jung Hoon Lee’s exploits: “Chrome, Firefox, Explorer, Safari Were All hacked at Pwn2Own Contest”, PC World via IDG News Service Mar 20, 2015

Document Details

Has Readable Text Yes
Text Length 3,403 characters
Indexed 2026-02-04T16:34:45.947606