The inside story of two crypto-anarchists and their quest to create ungovernable weapons, untouchable black markets, and untraceable money. ... Concerns about the police are justified for Wilson and Taaki, who have dedicated their careers to building some of the most controversial software ever offered to the public. Wilson gained notoriety last year as the creator of the world’s first fully 3D-printable gun, a set of CAD files known as the Liberator that anyone can download and print in the privacy of their home to create a working, lethal firearm. Taaki and his collaborators recently unveiled a prototype for a decentralized online marketplace, known as DarkMarket, that’s designed to be impervious to shutdown by the feds. ... The programming provocation they released a few hours ago is called Dark Wallet, a piece of software designed to allow untraceable, anonymous online payments using the cryptocurrency bitcoin. Taaki and Wilson see in bitcoin’s stateless transactions the potential for a new economy that fulfills the crypto-anarchist dream of truly uncontrollable money. ... “I believe in the hacker ethic. Empower the small guy, privacy and anonymity, mistrust authority, promote decentralized alternatives, freedom of information,” he says. “These are good principles. The individual against power.” ... According to a study published in May by the nonprofit Digital Citizens Alliance, more than 40,000 mostly illegal products are now listed for sale on the obscured corner of the Internet known as the dark web, more than twice as many as before the Silk Road bust. ... Wilson and Taaki intend Dark Wallet to be the most user-friendly method yet to spend bitcoins under the cover of anonymity’s shadow—without switching to a niche alternative coin or trusting any shady middleman.
The DOD of course has a long history of jump-starting innovation. Historically, it has taken the megafunding and top-down control structures of the federal government to do the kind of investing required to create important technology for the military. Digital photography, GPS, the Internet itself—all were nourished by defense contracts before being opened up to the private sector, which then turned them into billion-dollar industries. ... Now the flow has reversed. Defense has been caught in the throes of the same upheaval that has disrupted legacy industries, unseated politicians, and upended global dynamics. In the digital age, innovation more often comes from smaller entrepreneurs than from the hierarchical structures that were the hallmark of 20th-century government and business. ... Defense contracting is notorious for bureaucratic lethargy and technological backwardness. And executives are leery of appearing to be too close to the US government while they seek to expand overseas. Put bluntly, they don’t want to alienate potential customers. ... The Valley is a place where brainpower is its own kind of currency, and Carter, who holds a PhD in theoretical physics from Oxford, made an impression on the locals. ... somehow Carter must instill the seeds of a cultural and logistical overhaul that will make the modern military-industrial complex nimble enough to provide the kind of innovation and support its 21st-century fighting force needs.
It took years for the Internet to reach its first 100 computers. Today, 100 new ones join each second. And running deep within the silicon souls of most of these machines is the work of a technical wizard of remarkable power, a man described as a genius and a bully, a spiritual leader and a benevolent dictator. ... Linus Torvalds — who in person could be mistaken for just another paunchy, middle-aged suburban dad who happens to have a curiously large collection of stuffed penguin dolls — looms over the future of computing much as Bill Gates and the late Steve Jobs loom over its past and present. For Linux, the operating system that Torvalds created and named after himself, has come to dominate the exploding online world, making it more popular overall than rivals from Microsoft and Apple. ... But while Linux is fast, flexible and free, a growing chorus of critics warn that it has security weaknesses that could be fixed but haven’t been. Worse, as Internet security has surged as a subject of international concern, Torvalds has engaged in an occasionally profane standoff with experts on the subject. ... Linux has thrived in part because of Torvalds’s relentless focus on performance and reliability, both of which could suffer if more security features were added. Linux works on almost any chip in the world and is famously stable as it manages the demands of many programs at once, allowing computers to hum along for years at a time without rebooting. ... Yet even among Linux’s many fans there is growing unease about vulnerabilities in the operating system’s most basic, foundational elements — housed in something called “the kernel,” which Torvalds has personally managed since its creation in 1991.
Most gamblers were still asleep, and the gondoliers had yet to pole their way down the ersatz canal in front of the Venetian casino on the Las Vegas Strip. But early on the chilly morning of Feb. 10, just above the casino floor, the offices of the world’s largest gaming company were gripped by chaos. Computers were flatlining, e-mail was down, most phones didn’t work, and several of the technology systems that help run the $14 billion operation had sputtered to a halt. ... Computer engineers at Las Vegas Sands Corp. (LVS) raced to figure out what was happening. Within an hour, they had a diagnosis: Sands was under a withering cyber attack. PCs and servers were shutting down in a cascading IT catastrophe, with many of their hard drives wiped clean. The company’s technical staff had never seen anything like it. ... The people who make the company work, from accountants to marketing managers, were staring at blank screens. “Hundreds of people were calling IT to tell them their computers weren’t working,” says James Pfeiffer, who worked in Sands’ risk-management department in Las Vegas at the time. Most people, he recalls, switched over to their cell phones and personal e-mail accounts to communicate with co-workers. Numerous systems were felled, including those that run the loyalty rewards plans for Sands customers; programs that monitor the performance and payout of slot machines and table games at Sands’ U.S. casinos; and a multimillion-dollar storage system. ... In an effort to save as many machines as they could, IT staffers scrambled across the casino floors of Sands’ Vegas properties—the Venetian and its sister hotel, the Palazzo—ripping network cords out of every functioning computer they could find, including PCs used by pit bosses to track gamblers and kiosks where slots players cash in their tickets. ... This was no Ocean’s Eleven. 
The hackers were not trying to empty a vault of cash, nor were they after customer credit card data, as in recent attacks on Target (TGT), Neiman Marcus, and Home Depot (HD). This was personal. The perpetrators wanted to punish the company, or, more precisely, its chief executive officer and majority owner, the billionaire Sheldon Adelson. Although confirming their conjectures would take some time, executives suspected almost immediately the assault was coming from Iran.
For eight years, Sepúlveda, now 31, says he traveled the continent rigging major political campaigns. With a budget of $600,000, the Peña Nieto job was by far his most complex. He led a team of hackers that stole campaign strategies, manipulated social media to create false waves of enthusiasm and derision, and installed spyware in opposition offices, all to help Peña Nieto, a right-of-center candidate, eke out a victory. ... Sepúlveda’s career began in 2005, and his first jobs were small—mostly defacing campaign websites and breaking into opponents’ donor databases. Within a few years he was assembling teams that spied, stole, and smeared on behalf of presidential campaigns across Latin America. He wasn’t cheap, but his services were extensive. For $12,000 a month, a customer hired a crew that could hack smartphones, spoof and clone Web pages, and send mass e-mails and texts. The premium package, at $20,000 a month, also included a full range of digital interception, attack, decryption, and defense. The jobs were carefully laundered through layers of middlemen and consultants. Sepúlveda says many of the candidates he helped might not even have known about his role; he says he met only a few. ... His teams worked on presidential elections in Nicaragua, Panama, Honduras, El Salvador, Colombia, Mexico, Costa Rica, Guatemala, and Venezuela. ... He’s serving 10 years in prison for charges including use of malicious software, conspiracy to commit crime, violation of personal data, and espionage, related to hacking during Colombia’s 2014 presidential election.
The Blackwater of surveillance, the Hacking Team is among the world’s few dozen private contractors feeding a clandestine, multibillion-dollar industry that arms the world’s law enforcement and intelligence agencies with spyware. Comprised of around 40 engineers and salespeople who peddle its goods to more than 40 nations, the Hacking Team epitomizes what Reporters Without Borders, the international anti-censorship group, dubs the “era of digital mercenaries.” ... The Italian company’s tools — “the hacking suite for governmental interception,” its website claims — are marketed for fighting criminals and terrorists. ... “Privacy is very important,” Vincenzetti says on a recent February morning in Milan, pausing to sip his espresso. “But national security is much more important.” ... Between 2003 and 2004, Vincenzetti and two college friends worked in their dank, underground apartment and coded what would become the Hacking Team’s flagship software. Called the Remote Control System (RCS), it commandeers a target’s devices without detection, allowing a government to deploy malware against known enemies. (The product was later dubbed Da Vinci, then Galileo.) Think of it as a criminal dossier: A tab marked “Targets” calls up a profile photo, which a spy must snap surreptitiously using the camera inside the subject’s hacked device. Beside the picture, a menu of technologies (laptop, phone, tablet, etc.) offers an agent the ability to scroll through the person’s data, including email, Facebook, Skype, online aliases, contacts, favorite websites, and geographical location. Over time, the software enables government spooks to build a deep, sprawling portfolio of intelligence. ... 
A hacktivist known as Phineas Fisher had hijacked the Hacking Team’s official Twitter account and posted an ominous message: “Since we have nothing to hide, we’re publishing all our emails, files, and source code.” Following the message was a link to more than 400 gigabytes of the company’s most sensitive data.
One Thursday in January 2001, Maksym Igor Popov, a 20-year-old Ukrainian man, walked nervously through the doors of the United States embassy in London. While Popov could have been mistaken for an exchange student applying for a visa, in truth he was a hacker, part of an Eastern European gang that had been raiding US companies and carrying out extortion and fraud. A wave of such attacks was portending a new kind of cold war, between the US and organized criminals in the former Soviet bloc, and Popov, baby-faced and pudgy, with glasses and a crew cut, was about to become the conflict’s first defector. ... The once-friendly FBI agents threw Popov in an isolation room, then returned an hour later with a federal prosecutor, a defense attorney, and a take-it-or-leave-it offer: Popov was going to be their informant, working all day, every day, to lure his crime partners into an FBI trap. If he refused, he’d go to prison. ... Popov was shocked. He’d been played for a durak—a fool. He was placed under 24-hour guard at an FBI safe house in Fair Lakes, Virginia, and instructed to talk to his friends in Russian chat rooms while the bureau recorded everything. But Popov had some tricks of his own. He pretended to cooperate while using Russian colloquialisms to warn his associates that he’d been conscripted into a US government sting. ... There seemed no escape from a future of endless jail cells and anonymous American courtrooms. ... Except that in a backwater FBI office in Santa Ana, California, an up-and-coming agent named Ernest “E. J.” Hilbert saw that the government needed Popov more than anyone knew. ... They called the operation Ant City. Now that he was back online, Popov adopted a new identity and began hanging out in underground chat rooms and posting on CarderPlanet, portraying himself as a big-time Ukrainian scammer with an insatiable hunger for stolen credit cards. ... 
One thing Popov had always known about Eastern European hackers: All they really wanted was a job.
The United States Air Force, which runs the G.P.S. Master Control Station, in Colorado, calls G.P.S. “the world’s only global utility.” Wholly owned by the U.S. government, the system is available free to everyone, everywhere; an ISIS terrorist glancing at his phone for a position fix benefits from the Pentagon’s largesse as much as a commuter on I-95. Since the first G.P.S. satellite was launched, in 1978, the system has steadily become the most powerful of its kind. (Other countries have navigation satellite networks, but none are as dependable or as widely available.) There are now around seven G.P.S. receivers on this planet for every ten people. Estimates of the system’s economic value often run into the trillions of dollars. ... The Pentagon’s Defense Advanced Research Projects Agency recently determined that, within thirty seconds of a catastrophic G.P.S. shutdown, a position reading would have a margin of error the size of Washington, D.C. After an hour, it would be Montana-sized. Drivers might miss their freeway exits, but planes would also be grounded, ships would drift off course, commuter-rail systems would be tied up, and millions of freight-train cars with G.P.S. beacons would disappear from the map. ... Fortunately, a worldwide G.P.S. failure is unlikely. A hacker or terrorist would require either a weapon powerful enough to destroy the satellites or a way to infiltrate the heavily fortified Master Control Station. The bigger worry is spoofing, the transmission of a bogus G.P.S. signal that nearby receivers mistake for the real thing.
The group of European black-hat hackers who launched the attack against New York had spent much of the previous decade breaking into American corporate networks — credit-card companies, hospitals, big-box retailers — mostly for profit, and sometimes just because they could. When those attacks became routine, the group moved into more politically inclined hacks, both against and on behalf of various governments, rigging elections and fomenting dissent. In the summer of 2016, the hackers received an anonymous offer of $100 million to perform a cyberattack that would debilitate a major American city. ... to self-identified anarchists with a reflexively nihilistic will to power, the proposition had some appeal. Causing disruption was something that had been on their minds recently, as their conversations veered toward the problems with global capitalism, the rise of technocentrism, bitcoin, and the hubris required to nominate a man like Donald Trump. Their animus got more personal when American authorities arrested a well-respected white-hat hacker who had broken into an insulin pump in order to show the dangers of connecting devices without proper security. The black hats were on the opposite end of the ideological spectrum but had more empathy for their fellow hacker than they did for the American people, who, they felt, deserved a comeuppance ... The plan was to show how much of modern life in a city like New York could be disrupted by purely digital means. The hackers would get paid, but they also hoped their attack would dent America’s complacent faith in order and in the technology and political authority that undergirded it. As a bonus, their services would be in even greater demand.
For the members of Congress, who in 2002 provided almost $4 billion to modernize voting technology through the Help America Vote Act, or HAVA—Congress’s response to Bush v. Gore—this probably wasn’t the result they had in mind. But voting by computer has been a technological answer in search of a problem. Those World War II-era pull-lever voting machines may not have been the most elegant of contraptions, but they were easy to use and didn’t crash. Georgia, which in 2002 set out to be an early national model for the transition to computerized voting, shows the unintended consequences. It spent $54 million in HAVA funding to buy 20,000 touchscreen voting machines from Diebold, standardizing its technology across the state. Today, the machines are past their expected life span of 10 years. (With no federal funding in sight, Georgia doesn’t expect to be able to replace those machines until 2020.) The vote tabulators are certified to run only on Windows 2000, which Microsoft stopped supporting six years ago. To support the older operating system, the state had to hire a contractor to custom-build 100 servers—which, of course, are more vulnerable to hacking because they can no longer get current security updates. ... The voting technology business, after a frenetic decade of mergers, acquisitions, and renamings, is dominated by just a few companies: Election Systems & Software, or ES&S, and Dominion Voting Systems are the largest. Neither has much in common with the giants of computing. Apple, Dell, IBM, and HP have all steered clear of the sector, which generates, according to an analysis by Harvard professor Stephen Ansolabehere, about $300 million in annual revenue. For context, Apple generates about $300 million in revenue every 12 hours.
The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, opmsecurity.org had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers. ... Registering sites in Avengers-themed names is a trademark of a shadowy hacker group believed to have orchestrated some of the most devastating attacks in recent memory. Among them was the infiltration of health insurer Anthem, which resulted in the theft of personal data belonging to nearly 80 million Americans. And though diplomatic sensitivities make US officials reluctant to point fingers, a wealth of evidence ranging from IP addresses to telltale email accounts indicates that these hackers are tied to China, whose military allegedly has a 100,000-strong cyberespionage division. ... To figure out why the hackers had trained their sights on OPM, investigators would have to determine what, if anything, had been stolen from the agency’s network over the preceding year. But first they had to hunt down and eliminate the malware on its network, an archaic monstrosity that consisted of as many as 15,000 individual machines.
There was a time, a few years back, when the most sophisticated cyber-warfare tools were still developed and used exclusively by the world’s most sophisticated cyber-warfare combatants: government spy agencies, such as the ultra-secret National Security Agency and its counterparts in Israel and other developed countries and their arch-rivals in China and Russia. The surveillance and monitoring capabilities that Edward Snowden unveiled to the world in 2013 were shocking and little understood, but an ordinary citizen could at least take comfort in the belief that, if he wasn’t a criminal or a spy, it was unlikely these tools would ever be used against him. ... That was then. ... last August, came the startling confirmation from Apple itself: a genuine remote jailbreak “in the wild,” the one discovered and identified by Marczak and the Lookout researchers. To everyone’s surprise it had been out there operating secretly for years. ... By 2010 a true black market for zero days was emerging beyond the usual black market. ... In this new black market few knew exactly who the buyers were, but it was widely assumed that many were governments looking for clever new ways to spy on their own citizenry.
On average, an American office worker sends and receives roughly 120 emails per day, a number that grows with each passing year. The ubiquity and utility of email has turned it into a fine-grained record of our day-to-day lives, rich with mundane and potentially embarrassing details, stored in a perpetual archive, accessible from anywhere on earth and protected, in some cases, by nothing more than a single password. In the case of Violeta Lagunes, her email login represented a point of vulnerability, a seam where the digital walls protecting her campaign were at the mercy of her human judgment — specifically, whether she could determine if a message from an apparently reputable source was real or fake. ... Not only will a working email password yield years of intraoffice chatter, invoices, credit-card bills and confidential memos; it can often be leveraged into control of other personal accounts — Twitter, Facebook, Amazon — and even access to company servers and internet domains.
America’s War with Russia’s greatest cybercriminal began in the spring of 2009, when special agent James Craig, a rookie in the FBI’s Omaha, Nebraska, field office, began looking into a strange pair of electronic thefts. ... The leading victim in the case was a subsidiary of the payments-processing giant First Data, which lost $450,000 that May. That was quickly followed by a $100,000 theft from a client of the First National Bank of Omaha. What was odd, Craig noticed, was that the thefts seemed to have been executed from the victims’ own IP addresses, using their own logins and passwords. Examining their computers, he saw that they were infected with the same malware: something called the Zeus Trojan horse. ... The ruse is known as a “man in the browser” attack. While you sit at your computer logging into seemingly secure websites, the malware modifies pages before they load, siphoning away your credentials and your account balance. Only when you log in from a different computer do you even realize the money is gone.
The ambition to create the version of the F-35 that I watched on the tarmac at Patuxent River—one that can make short takeoffs and vertical landings—was what got the fighter jet’s development under way in the 1980s. The Defense Advanced Research Projects Agency (Darpa), the Pentagon’s tech arm, began working at the Marine Corps’ behest on an improved version of the Harrier, a crash-prone vertical-landing jet of British design. According to a Pentagon history of the F-35, Darpa quietly sought assistance from a research and development arm of Lockheed Martin known as the Skunk Works. By the early 1990s, the Darpa-Skunk Works collaboration had produced preliminary concepts, and the Marine Corps began pressing Congress for funding. The Air Force and Navy insisted that they, too, needed stealthy, supersonic fighters to replace aging Cold War-era models. Out of this clamoring grew a consensus that the only way to afford thousands of cutting-edge fighters was to build a basic model that could be customized for each service. ... The degree of commonality among the three versions of the F-35—the shared features—turned out to be not the anticipated 70 percent but a mere 25 percent, meaning that hoped-for economies of scale never materialized. A pattern of continual reengineering resulted in billions of dollars in cost overruns and yearslong delays.
It is reasonable for executives to be anxious. Both Gregg Steinhafel and Beth Jacob, Target’s former chief executive and ex-information officer respectively, lost their jobs following the data breach. The average tenure of a CISO at a company is a little more than two years, according to the Ponemon Institute. This is partly due to the fact that these professionals are in such high demand, but also due to job insecurity of those in the role. ... The average cost of a data breach is $4m, according to security researcher Mr Ponemon, or around $158 for each compromised record. In fact, the figure can vary considerably.
A year ago a hacker stole $55 million of a virtual currency known as ether. This is the story of the bold attempt to rewrite that history. ... Rather than moving bitcoin from one user to another, the ethereum blockchain hosts fully functioning computer programs called smart contracts—essentially agreements that enforce themselves by means of code rather than courts. That means they can automate the life cycle of bond payments, say, or ensure that pharmaceutical companies can authenticate the sources of their drugs. Yet smart contracts are also new and mostly untested. Like all software, they are only as reliable as their coding—and Gün was pretty sure he’d found a big problem. ... Gün feared the bug could allow a hacker to make unlimited ATM-like withdrawals from the millions, even if the attacker, who'd have needed to be an investor, had only $10 in his account. ... This staggering amount of money lived inside a program called a decentralized autonomous organization, or DAO. Dreamed up less than a year earlier and governed by a smart contract, the DAO was intended to democratize how ethereum projects are funded. Thousands of dreamers and schemers and developers who populate the cutting edge of computer science, most of them young, had invested in the DAO.
The Cyber-Cassandras said this would happen. For decades they warned that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage to the world. ... Now, in Ukraine, the quintessential cyberwar scenario has come to life. Twice. On separate occasions, invisible saboteurs have turned off the electricity to hundreds of thousands of people. Each blackout lasted a matter of hours, only as long as it took for scrambling engineers to manually switch the power on again. But as proofs of concept, the attacks set a new precedent: In Russia’s shadow, the decades-old nightmare of hackers stopping the gears of modern society has become a reality. ... And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyberassault unlike any the world has ever seen. A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions. ... In a public statement in December, Ukraine’s president, Petro Poroshenko, reported that there had been 6,500 cyberattacks on 36 Ukrainian targets in just the previous two months.
Whether the result of a programmer’s error or hackers working for a nation-state, data leaks are the new norm. So executives are coming to terms with the idea that it might be more economical to nip coding issues in the bud before they lead to bigger—and messier—problems down the road. ... But it’s not that simple. Too many organizations either don’t prioritize security or view it as an impediment to meeting product development and delivery deadlines. ... To Ormandy and the dozen or so ace computer crackers that make up Google’s Project Zero, there are no boundaries to their jurisdiction—anything that touches the Internet is fair game. Policing cyberspace isn’t just good for humanity. It’s good for business too.
They use phones to record video of a vulnerable machine in action, then transmit the footage to an office in St. Petersburg. There, Alex and his assistants analyze the video to determine when the games’ odds will briefly tilt against the house. They then send timing data to a custom app on an agent’s phone; this data causes the phones to vibrate a split second before the agent should press the “Spin” button. By using these cues to beat slots in multiple casinos, a four-person team can earn more than $250,000 a week. ... Determined to find a way to score one last payday before shutting down his enterprise, Alex reached out to Aristocrat Leisure, an Australian slot machine manufacturer whose vulnerable products have been his chief targets. ... ideally, a PRNG should approximate the utter unpredictability of radioactive decay.