
The Black Market Code Industry

By: Adam L. Penenberg | Mon Jun 23, 2008 at 4:35 PM
Inside the shadowy underworld where rogue employees sell holes in their companies' software. The buyers: security firms, mobsters, and -- surprise -- the U.S. government.

Fear of a black hat

Photo Illustration by Olugbenro Ogunsemore




The governmental role in this digital free-for-all is more secretive. Although the idea of the Bush administration wheedling its way into corporate networks conjures images of high-tech spying, the United States, according to a source with ties to the government, is less interested in using black-market code for espionage than for stockpiling munitions in the event of cyberwar. "These things are powerful," seconds Charlie Miller, a security researcher and former National Security Agency employee, who hacked a MacBook Air in less than two minutes at a competition earlier this year. "And compared with the price of a jet fighter, they're very cheap."

The purchases are a bulwark against the belief -- widely held in government, computer-security, and intelligence circles -- that the Chinese are treating American corporations as giant R&D labs, taking advantage of security holes to sneak into corporate databases and copy trade secrets and other fruits of technological innovation. Of course, the Russians are also quite sophisticated, so much so that one prolific seller told me that as an American citizen he's concerned: "It's like there's this global fight, and the competitors' skill levels are increasing. Russians have had hack schools for years; the Chinese started [one] recently. The capability gap for the [U.S.] is starting to be unmanageable."

According to the consultant who snared Marester, his quarry's skills appear quite sophisticated. His wares, if they performed as advertised, could help a hacker take down machines running that particular software anywhere in the world. His real name is Steve Rigano; he's a self-employed network consultant from Grenoble, France, who works full time at HP, where he is listed in the switchboard and maintains an hp.com email address. He told me that he saw nothing wrong with offering tools and techniques that targeted the company providing his paycheck.

A self-taught hacker, Rigano says he discovered the vulnerabilities and coded the exploits on his own time, which he says is none of HP's business. "I have the right to sell what I want," he says. He told me he attracted mostly Chinese and Russian buyers, but claimed he never found takers for the HP or SAP "vulns" and exploits. He said he stopped selling black-market code in January but didn't explain why.

An HP spokeswoman admitted the company has a rogue employee in France and said it was investigating along with the FBI. When I told Rigano this, he became incensed. "This is real bullshit," he said, and threatened to sue anyone who claimed he was the target of any investigation.

He may be right: It's possible the company has been investigating another Gallic code crasher whose online nickname is t0t0, and who in May 2007 posted offers for SAP 0days that were traceable through HP's network. By connecting his various aliases with email addresses he has used over the years, I was able to track t0t0 to Paris's Institut Supérieur d'Electronique, France's premier high-tech college, where it appears he's an instructor. T0t0 didn't respond to repeated interview requests.

In keeping with the adage there's no honor among hackers, Rigano called t0t0 a thief. Bragging he once worked with the Russian arm of Phrack, a notorious hacker group, Rigano sabotaged rivals' PCs and intercepted emails -- felonies in most places -- that show t0t0 stealing exploit code to sell on the black market. (Even worse, he thought t0t0 might not be French at all, but Belgian.) "Fucking guy," he said.

From Issue 127 | July 2008
