The market for software that helps hackers penetrate computer systems

IT IS a type of software sometimes described as "absolute power" or "God". Small wonder its sales are growing. Packets of computer code, known as "exploits", allow hackers to infiltrate or even control computers running software in which a design flaw, called a "vulnerability", has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to "selling a gun to a criminal".

Just a dozen years ago the buying and selling of illicit exploits was so rare that India's Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country's computer systems, worries Colonel John Adams, head of the Marine Corps' Intelligence Integration Division in Quantico, Virginia.

Exploits themselves are generally legal. Several legitimate businesses sell them. A Massachusetts firm called Netragard last year sold more than 50 exploits to businesses and government agencies in America for prices ranging from $20,000 to more than $250,000. Adriel Desautels, Netragard's founder, describes some of the exploits sold as "weaponised". The firm buys a lot from three dozen independent hackers who, like clients, are carefully screened to make sure they are not selling code to anyone else, and especially not to a criminal group or unfriendly government.

More than half of exploits sold are now bought from bona fide firms rather than from freelance hackers, says Roy Lindelauf, a researcher at the Netherlands Defence Academy. He declines to say if Dutch army or intelligence agencies buy exploits, noting that his government is still figuring out "what we're allowed to do offensively".

Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as "digital weapons" by despotic regimes. For example, they could be used to monitor traffic on a dissident's smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

Exploits are a form of knowledge, expressed in computer code. Attempting to stop people from generating and spreading knowledge is futile, says Dave Aitel, a former computer scientist at America's National Security Agency (NSA) who went on to found Immunity, a computer-security firm in Florida. He says that legal systems would not even agree on which code is good and which is bad. Many legal experts say code should be protected by free-speech laws; it is, after all, language expressed as strings of zeros and ones.

Moreover, tracking down exploits is hard. Hackers keep them secret so that the intended victim doesn't identify and fix the vulnerability, thereby rendering the exploit worthless. As a French exploit developer puts it, those liable to be rapidly detected are about as useful as a "disposable gun" that can be fired just once. Secrecy surrounding the design, sale and use of exploits makes protecting computer networks from them akin to finding "unknown unknowns", says Kenneth Geers, a cyber-security specialist at America's Naval Criminal Investigative Service.

Several governments want firms to develop exploits. In 2010 a computer worm called Stuxnet was revealed to have attacked Iran's nuclear kit. It used four main exploits to get in; at least one appears to have been bought rather than developed in-house by the government that launched the attack (presumably America or Israel), says David Lindahl, an IT expert at the Swedish Defence Research Agency, a government body in Stockholm. An unprecedented weapon, Stuxnet remained undetected for years by quietly erasing its tracks after planting sabotage charges at exactly the right place in Iran's uranium-enrichment centrifuges, Mr Lindahl says.

Photo: Code scrutiny under way at the cyber-security arm of the Idaho National Laboratory.

Nearly all well-financed intelligence agencies buy exploits, says Eric Filiol, a lieutenant-colonel in computer intelligence for France's army until 2009. Computer experts who years ago would reveal software vulnerabilities for mere prestige have realised that they were treating "diamonds as pebbles", says Mr Filiol, now head of the Operational Cryptography and Computer Virology Lab in Laval. His lab is partly financed by France's defence ministry to provide it with exploits. The price of exploits has risen more than fivefold since 2004, Mr Filiol says, referring to a confidential document. They vary greatly, depending on three main factors: how hard the exploit is to develop; the number of computers to which it provides access; and the value of those computers. An exploit that can stealthily provide administrator privileges to a distant computer running Windows XP, a no-longer-fashionable operating system, costs only about $40,000. An exploit for Internet Explorer, a popular browser, can cost as much as $500,000 (see chart).

Chart: Underground-market minimum price, in $'000 (scale 0 to 500), for exploits that provide hackers with control over, in the order listed on the chart: Internet Explorer (up to $500,000), Windows 8, Windows 7, iPhone 5, Chrome, Android, Windows Vista, iPhone 3GS, Windows XP. Source: Operational Cryptography and Computer Virology Lab.

Software firms also buy exploits to identify and repair vulnerabilities in their products before others take advantage of them. A small Vancouver firm called Tarsnap, for example, has paid 30 people who pointed out flaws in its encryption software for online PC backups. To develop better defences for its clients' computer systems, HP, an American giant, has spent more than $7m since 2005 buying hundreds of "zero days", as undiscovered exploits are also known in hacker slang. (Once discovered, an exploit's days are numbered, literally: it becomes a "one day", then a "two day", and so on until the vulnerability it exploits is patched.)

Such "bug bounty" schemes, however, will struggle to compete with buyers who want to exploit rather than seal vulnerabilities. Tarsnap's biggest payout was just $500. Last year Google offered Vupen, a French firm, $60,000 for an exploit that burrowed into its Chrome browser. Vupen's boss, Chaouki Bekrar, balked, noting that he could get more elsewhere.

Other reputable customers, such as Western intelligence agencies, often pay higher prices. Mr Lindelauf reckons that America's spies spend the most on exploits. Vupen and other exploit vendors decline to name their clients. However, brisk sales are partly driven by demand from defence contractors that see cyberspace as a "new battle domain", says Matt Georgy, head of technology at Endgame, a Maryland firm that sells most of its best exploits for between $100,000 and $200,000. He laments a rise in sales by unscrupulous vendors to dangerous groups. On March 12th the head of the Pentagon's Cyber Command, General Keith Alexander, warned the Senate Armed Services Committee that state-sponsored groups are stepping up efforts to steal and destroy data using cyber-tools purchased in illicit online markets.

As an American military-intelligence official points out, governments that buy exploits are "building the black market", thereby bankrolling dangerous R&D. For this reason, governments appear increasingly keen to develop exploits in-house. Paulo Shakarian, a cyberwar expert at West Point, an American military academy, says China appears to be moving in this direction. Developing exploits in-house reduces the risk that a double-dealing vendor will resell code meant to be exclusive. Even so, the trade isn't likely to fade away. When developers work out a trick that gives them control over the targeted software, they like to yell out a celebratory "who's your daddy?", notes Pierre Roberge, boss of Arc4dia, a Quebec firm that sells exploits to spy agencies. Exploit trading will continue as long as people pay big money for the opportunity to utter the same joke, this time at the expense of a victim who has been hacked.


Sunset for Suntech

The troubling bankruptcy in a troubled business

WILL the bankruptcy of Suntech, a big Chinese solar-panel maker, spark a round of consolidation in the global solar industry? The early signs are dim. Under a charming and tech-savvy founder, Shi Zhengrong, Suntech was a pioneer. It was the first Chinese solar firm to go public, in 2005. Buoyed by official credit and subsidies, it briefly became the world's largest solar-panel manufacturer by volume. Now Suntech has become a dirty word among sun-worshippers. On March 15th it missed a payment on $541m-worth of convertible bonds. On March 18th local banks holding the firm's debt lost patience and sued it. Shortly afterwards a local court declared it bankrupt and ordered debt restructuring to begin.

Photo: Suntech Power Holdings headquarters in Wuxi, China. Several Chinese solar firms are losing money.

Suntech stumbled because it ran ahead of the pack. Jenny Chase of Bloomberg New Energy Finance (BNEF), a research firm, argues that solar technology is advancing so quickly that it creates a "last-mover advantage". She calculates that new photovoltaic (PV) manufacturing plants become obsolete within five years. Another advantage for upstarts is that they can exploit the collapse in global silicon prices, the most important raw material for solar panels. Older firms like Suntech had no choice but to pay $400 or more per kg in 2008. Many signed long-term fixed-price contracts. When prices recently touched just $16 per kg, they were as sore as a sunburnt neck.

Solar kit keeps getting cheaper and more efficient. So Suntech's younger Chinese rivals, such as Jinko and Hareon, report much lower costs. They also appear to be less heavily indebted. In theory, as firms with unprofitable and outdated assets go under, leaner ones should flourish. But such consolidation has yet to happen.

The global solar-panel glut is now vast. Manufacturers have at least 60GW of crystalline-silicon cell and module capacity, but demand this year is expected to be just 37GW. BNEF forecasts that, even with robust demand in China and Japan, global PV demand will reach only 52GW in 2015. On the heels of the Suntech bankruptcy, Robert Bosch, a German auto-parts giant, announced that it would pull out of the solar-manufacturing business. Despite having sunk over $2.5 billion into this sector, the firm said it saw no path to profits. Outside China, more bankruptcies and exits are likely.

A shake-out in China is also overdue. Debt-to-equity ratios at Chinese solar firms are nearly 80%, in contrast with typical levels closer to 50% at global and Taiwanese rivals. Nearly all of the hundreds of Chinese solar firms are losing money. Alas, no clean-up is on the horizon, if recent news is a guide. Just before Suntech declared bankruptcy, Zhou Weiping, a former manager at Guolian Development Group, a state-owned enterprise, was appointed as its president. That suggests that the local government of Wuxi, where Suntech is based, will not allow it to go under. China's reluctance to let the walking dead expire could hurt the solar industry for years. Sunlight may kill vampires, but not zombies.

Around the block

How Iranian companies manage to keep trading with foreigners

"IT'S all about the documents," says Sajad, a manager of an Iranian shipping firm. "Iran is in the printing business now." He is referring to the lengths to which Iranian companies go to circumvent sanctions. In this case, the documents are faked to make Iranian oil look as if it came from Iraq. Iraq exports a lot of oil through Iran by lorry. Iranians who handle Iraqi documents can easily copy and reuse them.

The past 15 months have been grim for Iranian businesses which trade with the outside world. America has tightened sanctions against Iran's financial system; the European Union has put an embargo on its oil; and international traders are wary of dealing with the country. But Iranian businesses are used to fighting for survival. The Islamic Republic has faced sanctions of one sort or another since its creation in 1979. Parts for Iran's ageing civilian airliners trickle in from the black market. A host of sanctioned products, from industrial chemicals to anti-aircraft missiles, come from China. Almost any good can be found in Iran, at a price.

Amir, a manager in a mining business, says he regularly meets British and German suppliers in Turkey, to obtain the most advanced equipment to tap Iran's mineral wealth. "Foreign firms are terrified of doing something illegal, but in the end they are businessmen," he says. "The Europeans send our cargoes to Dubai, documented as the final destination. From there we are in charge." Amir uses Gulf middlemen to change the documents, for a fee of 3-5%, before the goods are shipped to Bandar Abbas, Iran's largest port. Because few international banks deal with sanctioned Iranian institutions, Iranian importers have to find roundabout ways of paying suppliers. Amir uses a network of Iranian go-betweens who own companies in South Africa and Malaysia to pay his suppliers' Western banks. He says 30% of his revenues are spent on avoiding sanctions, not counting the time involved.

The sanctions have hit Iran's oil industry the hardest. Iran's government depends on oil for more than half of its revenue, but exports have fallen and grown more volatile. The country's total production is a quarter less than the 3.6m barrels per day it pumped in 2011. One way of keeping sales going is to dress up Iranian oil as Iraqi. Another trick is to move Iranian oil onto foreign tankers on the open sea. Once crews have switched off their ships' tracking beacons, this is all but undetectable. The oil is sold at a discount. Fujairah, in the United Arab Emirates (UAE), is a big market for Iranian oil. Business is down, says Sajad, but European firms still trade with Iran, using Swiss subsidiaries which broker deals with the Iranians and collect the crude using tankers under the flag of a third country.

The sanctions have been a fillip for the few institutions still handling Iranian money. One foreign bank charges 5% on cash moving in or out of Iran, says an Iranian shipping source. Normal business rates are a fraction of a percent, but Iranian firms have little choice. Sometimes the fear of sanctions is more effective than the sanctions themselves. A customer in the UAE owed $1.3m to Sajad's shipping firm but would only send it in costly small instalments. Sajad flew to the Gulf to pick up the balance in cash. "I was nervous about what I would say to customs from either country if they checked my suitcase," he says. "I decided I would tell the truth. I am not a criminal." But no one did.
The Economist Newspaper Limited 2013