Government Security

NSA Bought Exploit Service From VUPEN

Posted by Soulskill
from the they-get-by-with-a-little-help-from-vupen dept.
New submitter Reverand Dave writes "The U.S. government – particularly the National Security Agency – is often regarded as having advanced offensive cybersecurity capabilities. But that doesn't mean that they're above bringing in a little outside help when it's needed. A newly public contract shows that the NSA last year bought a subscription to the zero-day service sold by French security firm VUPEN. The contract, made public through a Freedom of Information Act request by MuckRock, an open government project that publishes a variety of such documents, shows that the NSA bought VUPEN's services on Sept. 14, 2012. The NSA contract is for a one-year subscription to the company's 'binary analysis and exploits service.'"
  • by CajunArson (465943) on Tuesday September 17, 2013 @03:53PM (#44876917) Journal

    It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions than the cyber criminals.

    • by goombah99 (560566) on Tuesday September 17, 2013 @04:07PM (#44877051)

      It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions than the cyber criminals.

      Rubbish. I'd be more concerned if they didn't closely monitor all zero-day hacks. This is a SECURITY firm, not a backroom Russian exploits dealer; they sell this advanced knowledge because people want to protect themselves and know what is coming. The weather service is not about weather warfare, it's about advanced knowledge of what's coming. Insert car analogy here if that's insufficiently obvious.

      • by khasim (1285) <brandioch.conner@gmail.com> on Tuesday September 17, 2013 @04:16PM (#44877159)

        This is a SECURITY firm, not a backroom Russian exploits dealer, ...

        Bullshit.

        From TFA:

        VUPEN is one of a handful of companies that sell software exploits and vulnerability details.

        Just because they're French instead of Russian does not change the fact that they're selling exploits.

        • Just because they're French instead of Russian does not change the fact that they're selling exploits.

          The French exploits are being served with champagne and escargots, though.

      • Realistically, one could enter conjecture to the aspect that this is the reasoning behind why there was significant backlash against white hat folks for finding vulnerabilities, approaching the vendor and when vendor failed to respond with either a projected fix date or at least acknowledgment, the finder ended up going public with it. Vendor was probably awaiting an answer from the goberment on what to do and how to conduct the "NSA's" business.
      • by fuzzyfuzzyfungus (1223518) on Tuesday September 17, 2013 @04:42PM (#44877395) Journal
        VUPEN is to a backroom Russian exploits dealer what a 'defense contractor' is to a 'gunrunner' or 'arms trafficker'. Same business; but the prices are higher and they pinkie swear that they would never, ever, sell to anybody who is wicked, though they aren't overly forthcoming about who they will sell to.
      • by dissy (172727)

        This is a SECURITY firm, not a backroom Russian exploits dealer; they sell this advanced knowledge because people want to protect themselves and know what is coming. The weather service is not about weather warfare, it's about advanced knowledge of what's coming. Insert car analogy here if that's insufficiently obvious.

        The difference is that (unfortunately) I can't enter my credit card number and have the weather service send a network of compromised lightning storm clouds and tornadoes to kill the guy that pissed me off on IRC.

    • Re: (Score:1, Flamebait)

      It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions than the cyber criminals.

      Hey. Stop being all logical and shit. We need to be yelling at them for being net.deities who spend a billion trillion dollars on backdoors in all the things... then yelling at them for spending a billion trillion dollars on superfluous things like NOCs that look like the Enterprise bridge... and now we have to yell at them for being cost-effective by using exploits published by others.

      Get with the program: Everything the NSA does is bad! They can do no right. Even if they right now figured out a cure for can

    • by Virtucon (127420) on Tuesday September 17, 2013 @04:19PM (#44877187)

      VUPEN sells access to their vulnerabilities on a sliding scale, and it's well known that governments buy services from them. That's not news, but for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems. It would seem to me money well spent if they did and at least closed up these holes or made VUPEN's job harder, making it tougher for these data stealing, scum sucking government agencies breaking into everything and anything.

      • by bill_mcgonigle (4333) * on Tuesday September 17, 2013 @04:52PM (#44877499) Homepage Journal

        for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems

        it's almost as if they've been persuaded not to, eh?

        • Or...there has been NO financial penalty for having any of these vulnerabilities, therefore, paying someone to find out how they are finding the vulnerabilities is just giving one of the CEO's Ferraris away.

      • by mTor (18585)

        That's not news, but for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems.

        Well, that's pretty obvious isn't it? They won't sell it to them because they'd quickly patch up exploits and make them useless. I'm pretty sure that all of their customers (government agencies, police etc) also have a clause in their contract that they can't even give a hint to ISVs about vulnerabilities t

        • by Virtucon (127420)

          Well so paying VUPEN is like paying a drug dealer then but the first taste isn't free. Why don't we just have a Drone take them out?

      • The NSA doesn't really "break into" servers; they will intercept your traffic and store the data in hidden facilities normally located in hubs/data centers that make the backbone work. They can decrypt https traffic easily, so everything you're doing can be seen by them. Who cares? Are you scared? I bet you torrent files and use ABP; you're the thief!
    • Re: (Score:3, Insightful) by Error27 (100234)

      This isn't the only way or even the main way that the NSA exploits systems.

      Things we know:
      1) The NSA collects SSL keys.
      2) The NSA can generate fake SSL keys.
      3) The NSA has performed MiTM attacks against Google and Microsoft.
      4) We know where many of the places are that they splice into the undersea cables.
      5) US embassies often have Echelon hardware for tracking satellite communication.
      6) The GCHQ stores three days of internet traffic (not metadata but everything).
      7) The NSA collects metadata from everything.

    • It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions than the cyber criminals.

      Oh [cisco.com] really? [theguardian.com] I don't see "everyone else" spending millions to deliberately subvert encryption standards [techcrunch.com], either.

      And since the CAs have been co-opted, SSL is laughable. Try Steve Gibson's cert "fingerprint" service [grc.com] and see for yourself. I tried it, and he gets a different cert for www.google.co.nz than I do. Is it the NSA? Who knows, but someone is up in my business >:-(

    • by AdamThor (995520)

      Eh, so the US subscribes to the 0-day list, maybe they just want to know if anyone is getting close to their magical backdoors?

      • by gottabeme (590848)

        If they knew it was a planted NSA backdoor, would they tell the NSA if someone found it? Or would they sell it to everyone else for a higher price first?

        I wonder if one of the big news outlets could subscribe through a front...then some interesting data might be "leaked"...

  • by Dunbal (464142) * on Tuesday September 17, 2013 @03:53PM (#44876921)
    Trust your government. That's what they meant by "trusted computing".
  • The NSA needs to know when the back doors it has built are uncovered. So it probably subscribes to a number of software security services that look for such stuff.

    • by segmond (34052)

      Or perhaps they want to know what other exploits are out there so they can further secure their own systems against those attacks.

      • by markhb (11721)
        Not to mention, they have a reasonable need to know which exploits (whether the NSA knew about them or not, and regardless of who created them) are being made public.
    • by Nyder (754090)

      The NSA needs to know when the back doors it has built are uncovered. So it probably subscribes to a number of software security services that look for such stuff.

      No, that is not what is happening. The NSA, because it doesn't have backdoors everywhere, has to buy 0-day exploits to gain access to systems.

      While NSA might be able to get some companies to put back doors in their software, they can't get most. So they have to use exploits to break into systems.

      This is actually common sense, we just have some proof of it now.

      • Ah, but what if the NSA is just spending a few million(?) to make you think that?
      • by PPH (736903)

        The NSA, because it doesn't have backdoors everywhere, have to buy 0 day exploits

        VUPEN sells exploit implementations? I thought they did security/vulnerability research and sold maintenance services, patches and related stuff.

        If you want to buy the actual exploit, you have to go onto the blacknet, warez boards or whatever you kids are calling them these days. It's a separate market and no software security firm would risk their reputation by letting it be known that they sold exploits to the other side as well. Who would trust them to report the presence of their own exploit product on

      • by gottabeme (590848)

        The fact that NSA subscribes to VUPEN doesn't prove in any way, shape, or form that they do or do not have any backdoors in anything.

        The NSA (mostly) isn't stupid. They have the money to cover all their bases, so they do.

  • This is similar to being surprised that the NSA monitors money changing hands across the border. Not news. Obvious. Not a scandal.
  • Of course they buy exploits. Why wouldn't they? I would be somewhat surprised if they didn't leverage every available tool..
    • by nurb432 (527695)

      I would be disappointed if they didn't take advantage of every resource available. A "not invented here" mentality in a high stakes game gets you killed.

  • Does that make them "freedom exploits"?
  • If you are in a business you want to see what your competition are doing, especially if its just a matter of subscribing...

  • by dweller_below (136040) on Tuesday September 17, 2013 @05:15PM (#44877739)

    We finally found the NSA mentioned in the same sentence as an actual, tangible, external threat. And now we see that instead of attacking them, they are giving them money?!? How can they get confused on this? You ATTACK enemies. You HELP friends.

    The Exploit marketplace (here symbolized by VUPEN) is possibly the greatest threat to the existence of the internet. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is a great driving force reconfiguring the Internet for Attack, instead of Defense.

    VUPEN is a worthy opponent. The NSA should hack them front, back and center. They should never pat them on the head and give them money.

    It looks like the Exploit Marketplace was dreamed up, founded and sustained by the NSA. The leaked Black Budget showed that the NSA devotes huge resources to purchasing exploit. We have also learned that the NSA's budget included vast resources to create exploit:

    "The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs." (From last week's New York Times and Guardian articles)

    So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace. The NSA is no longer debating the Equities issue (https://www.schneier.com/blog/archives/2008/05/dualuse_technol_1.html). They have only token interest in defending the Internet.

    If we could just get the NSA out of the exploit market, the whole thing would probably collapse like 2008's Housing bubble.

    • by X.25 (255792)

      VUPEN is a worthy opponent. The NSA should hack them front, back and center. They should never pat them on the head and give them money.

      So, what you are saying is - NSA should do what US government considers 'act of war' (when done to their networks), to a company based in a friendly/allied country?

      I am sure no one will have a problem with that.

  • Good (Score:4, Interesting)

    by the eric conspiracy (20178) on Tuesday September 17, 2013 @05:19PM (#44877787)

    I paid a visit to Northern Va a few weeks ago. The place was crawling with construction projects and high end malls.

    That I am paying for.

    Using Vupen actually sounds like a fairly efficient use of taxpayer money.

  • That way they cut out the middleman and get right to the motherlode of personal information taken from people without their consent.
