Where People Go When They Want to Hack You

00:34:39
https://www.youtube.com/watch?v=TLPHmHPaCiQ

Summary

TL;DR: This video delves into the shadowy world of zero day vulnerabilities and their market, which spans from legal bug bounty programs to illicit dark web sales. Zero days are undiscovered security flaws that hackers exploit before software developers can patch them. The video highlights how these vulnerabilities are traded among hackers, governments, and corporations, who often use them for cyber espionage or warfare. High-profile examples like Stuxnet and Operation Triangulation illustrate their power to disrupt systems like nuclear facilities or infiltrate personal devices undetected. Experts discuss the moral complexity and lack of regulation surrounding this marketplace, which pose significant ethical and security challenges. The market is a murky blend of white (legal), gray (government use), and black (criminal activities) sectors, each with its own motivations and consequences. The video suggests that while zero days pose significant risks, they are also leveraged by governments for security benefits. However, the interstitial nature of this market makes it difficult to enforce regulations or ethical practices, creating a persistent and global cybersecurity dilemma.

Takeaways

  • 💻 Zero day vulnerabilities are critical flaws that go undetected before being exploited.
  • 🤖 The zero day market is complex, involving legal, gray, and black transactions.
  • 🔐 High-profile zero day attacks, like Operation Triangulation, demonstrate their global impact.
  • 🌐 Governments frequently participate in the zero day market for cyber defense and espionage.
  • ⚖️ Ethical and legal regulations for zero days are limited, creating challenges.
  • 💰 Zero days are highly valuable, often traded for significant sums of money.
  • 🛡️ Companies use bug bounty programs to legally purchase vulnerabilities.
  • 📱 Zero day exploits can infiltrate anything from phones to nuclear facilities.
  • 🤝 Brokers facilitate transactions between hackers and buyers in secrecy.
  • 🕵️‍♂️ Law enforcement and regulators struggle to curb zero day trades.
  • 🎯 Both criminals and governments can exploit zero day vulnerabilities to achieve their aims.
  • 🛠️ Security measures struggle to keep up with the rapidly evolving zero day market.

Timeline

  • 00:00:00 - 00:05:00

    The video opens by mocking the cinematic portrayal of hacking as simply typing furiously on a keyboard. In reality, breaking into good cybersecurity systems requires access to secret vulnerabilities known as 'zero days'. These secrets are part of a hidden market where the world’s best hackers trade information for huge sums of money, involving a myriad of players including governments and criminal organizations, competing for powerful data.

  • 00:05:00 - 00:10:00

    The video explains security by comparing it to a wall guarding valuable data. Most hacking attempts exploit vulnerabilities or trick people to bypass these defenses. A 'zero day' is a flaw unknown to the creators of software and can be exploited with devastating effect before any fix is available. Discovering these flaws often demands skills superior to those of the original programmers, and a thriving marketplace exists for selling these secrets.

  • 00:10:00 - 00:15:00

    Initially, hackers often disclosed vulnerabilities to companies for free, but were frequently met with threats of legal action. This led to anonymous sharing of zero days among hackers for prestige while punishing companies. Over time, this shifted to a monetized market, where individuals and institutions pay handsomely for zero day exploits, leading to the rise of brokers who manage these high-stakes transactions covertly and efficiently.

  • 00:15:00 - 00:20:00

    The video provides an example of a complex iPhone hack involving a zero day chain named 'Operation Triangulation', illustrating how zero days can lead to complete control over a device without the user's knowledge. The hack's sophistication and expense, with exploits being priced at millions, underscore a market driven predominantly by governments rather than mere financial motivations, highlighting the strategic value of these exploits.

  • 00:20:00 - 00:25:00

    This segment discusses how zero day acquisitions transcend the legal ambiguity between white, gray, and black markets, with different entities exploiting these loopholes for various ends, whether for cybersecurity improvements or cybercrime. The distinction between these market levels blurs as countries' regulations diverge, and international markets allow cross-border exchanges of these potent digital tools.

  • 00:25:00 - 00:34:39

    The video concludes with a reflection on the zero day market's moral complexities and its role as an indispensable component of both criminal and state operations. Though attempts to regulate or eliminate these markets are complicated by secrecy and interdependence between sectors, their persistence is inevitable as long as vulnerabilities exist, continuously shaping cybersecurity landscapes worldwide.

Video Q&A

  • What is a zero day vulnerability?

    A zero day vulnerability is a previously unknown flaw in a system's code, which leaves it open to exploitation before it can be patched.

  • How are zero days used in hacking?

    Hackers use zero day vulnerabilities to exploit systems and gain unauthorized access, often for espionage or cyber warfare.

  • What is the zero day market?

    The zero day market is where hackers, governments, and corporations buy and sell information about zero day vulnerabilities.

  • Why are zero days valuable?

    Zero days are valuable because they offer a way to bypass security measures and exploit systems before they can be patched.

  • How are zero days sold?

    Zero days can be sold on legal bug bounty programs, gray markets involving governments, or black markets for criminal activities.

  • What are some famous zero day exploits?

    Famous zero day exploits include Stuxnet, which targeted Iranian nuclear facilities, and Operation Triangulation, which targeted iPhones.

  • Why is the zero day market controversial?

    It's controversial because it involves trading potentially harmful cyber weapons that can be used for spying and attacks.

  • How do governments use zero days?

    Governments use zero days for national security purposes, including both defensive measures and offensive cyber espionage.

  • What is Operation Triangulation?

    Operation Triangulation is a complex zero day exploit chain aimed at iOS devices, allowing silent infiltration and control.

  • Who regulates the zero day market?

    There are minimal regulations on the zero day market, making it difficult to control or prevent unethical sales.

Subtitles
  • 00:00:00
    [Music]
  • 00:00:01
    how do you hack something we all know
  • 00:00:03
    the answer you sit by the computer and
  • 00:00:06
    Bash the
  • 00:00:07
    keyboard some numbers and symbols fly
  • 00:00:09
    across the screen if the bashing is
  • 00:00:11
    intensive enough success you're in it
  • 00:00:15
    works on the movies and TV shows it
  • 00:00:17
    should work the same in real
  • 00:00:22
    life it doesn't no matter how hard you
  • 00:00:26
    try no matter how many keyboards you
  • 00:00:28
    break you are not going to break
  • 00:00:30
    good cyber security for that you need
  • 00:00:33
    something special a
  • 00:00:36
    secret and to get that secret you have
  • 00:00:39
    to become part of the deepest and
  • 00:00:41
    darkest community on the
  • 00:00:43
    internet forget your dark web
  • 00:00:45
    marketplaces and hacker forums it's
  • 00:00:48
    deeper than that it's a space whose
  • 00:00:51
    entire existence rests on its covertness
  • 00:00:54
    where the world's best hackers trade
  • 00:00:56
    secrets for life-changing sums of money
  • 00:00:59
    where governments megacorporations and
  • 00:01:01
    criminal cartels compete over snippets
  • 00:01:04
    of information that can change the world
  • 00:01:07
    welcome to the zero day
  • 00:01:12
    [Music]
  • 00:01:20
    Market you're standing in front of a
  • 00:01:23
    high and strong
  • 00:01:25
    wall how do you get to the other side
  • 00:01:29
    walls like this are all over the
  • 00:01:30
    Internet they guard the data of
  • 00:01:32
    companies Nations institutions even
  • 00:01:35
    people like you when somebody purchases
  • 00:01:38
    a gadget or an app the wall is included
  • 00:01:40
    in the price people are paying for not
  • 00:01:43
    getting
  • 00:01:44
    hacked but how do you hack things then
  • 00:01:48
    how do you get to the other side of that
  • 00:01:50
    wall smaller walls can be scaled or
  • 00:01:53
    broken through that's what things like
  • 00:01:55
    SQL injections and dos
  • 00:01:58
    do most walls have an even easier access
  • 00:02:01
    just talking your way in that's called
  • 00:02:04
    social
  • 00:02:04
    engineering but for some even the
  • 00:02:07
    strongest brute force or the cleverest
  • 00:02:09
    infiltration is not going to work you
  • 00:02:12
    need a better way in you come closer and
  • 00:02:15
    inspect the bricks maybe one of them is
  • 00:02:18
    cracked or protrudes just enough to give
  • 00:02:21
    you a foothold maybe it can be moved to
  • 00:02:23
    reveal a secret passage Windows 10 and
  • 00:02:26
    Mac OS X some of the most popular
  • 00:02:29
    operational systems out there
  • 00:02:30
    have around 80 million lines of code if
  • 00:02:33
    each line was a brick you could build
  • 00:02:35
    nearly 300 M of wall with them 300 mil
  • 00:02:40
    80 million bricks what's the chance that
  • 00:02:43
    one of them has a flaw in the code a
  • 00:02:47
    flawed brick is a bug a vulnerability
  • 00:02:49
    that can be used and exploited a hole in
  • 00:02:52
    the system you can slip through the
  • 00:02:54
    companies that build walls don't want
  • 00:02:56
    flawed bricks the income of those
  • 00:02:58
    companies depend on shipping a secure
  • 00:03:01
    product they have entire departments
  • 00:03:03
    dedicated to finding flaws in the code
  • 00:03:05
    and pay Hefty sums of money to anyone
  • 00:03:07
    who can reveal a bug and whenever a
  • 00:03:09
    company finds a vulnerability in its
  • 00:03:10
    software it issues a patch a fix that
  • 00:03:13
    replaces the brick and removes the
  • 00:03:16
    vulnerability so the importance of a
  • 00:03:18
    security flaw is measured by how long
  • 00:03:21
    ago it was discovered week old bugs are
  • 00:03:23
    as good as patched two or 3 days old
  • 00:03:26
    ones are probably being exploited by
  • 00:03:28
    every wannabe hack out there and the
  • 00:03:30
    patch is already on the
  • 00:03:32
    way but if a company has no idea a bug
  • 00:03:35
    exists in other words if it had known
  • 00:03:38
    about a bug for zero days it's a whole
  • 00:03:41
    other story a useful zero day is the
  • 00:03:45
    Holy Grail of hacking a secret
  • 00:03:47
    vulnerability that can be exploited to
  • 00:03:49
    breach the security of a device or an
  • 00:03:51
    app or an entire network not only are
  • 00:03:54
    you slipping right through the wall
  • 00:03:57
    nobody even suspects you're doing it
  • 00:04:00
    but good zero days are hard to come by
  • 00:04:03
    to find one you have to be better at
  • 00:04:04
    spotting flaws than every single
  • 00:04:06
    engineer hired by the wall Building
  • 00:04:08
    Company and even then you may spend
  • 00:04:11
    years staring at the code and looking
  • 00:04:13
    for a useful flaw or you can look for
  • 00:04:16
    someone who already did
  • 00:04:18
    that this is Bugtraq a mailing list
  • 00:04:21
    that dates back to the early '90s and
  • 00:04:23
    the place you can find thousands of what
  • 00:04:25
    used to be zero days for a long time
  • 00:04:29
    hackers really had very little interest
  • 00:04:31
    in money and in the beginning when they
  • 00:04:33
    would find zero exploits and when I say
  • 00:04:35
    the beginning I'm talking about um
  • 00:04:37
    mainly the '90s they would go to the
  • 00:04:40
    companies that had written this sloppy
  • 00:04:42
    software like HP Oracle Microsoft Sun
  • 00:04:48
    Microsystems and they would say hey I
  • 00:04:50
    found this bug in your software it's a
  • 00:04:52
    zero day by the way this is Nicole Perlroth
  • 00:04:55
    she's a New York Times journalist who
  • 00:04:56
    spent years investigating the zero day
  • 00:04:58
    Marketplace and a lot of what we know
  • 00:05:00
    about its history comes from her
  • 00:05:02
    reporting to create this story we
  • 00:05:04
    reached out to experts like her who have
  • 00:05:06
    actual hands-on experience finding and
  • 00:05:09
    contacting them is a bit more difficult
  • 00:05:10
    than it looks the only reason we can do
  • 00:05:13
    this is you our viewers and we are
  • 00:05:15
    thankful for every token of appreciation
  • 00:05:18
    you can give be it a like a subscribe or
  • 00:05:21
    a comment a small gesture can go a long
  • 00:05:24
    way so the early hackers would attempt
  • 00:05:26
    to contact the companies and notify them
  • 00:05:29
    about zero in their
  • 00:05:30
    software and the companies instead of
  • 00:05:33
    looking at this as oh thank you for the
  • 00:05:35
    free quality assurance uh often replied
  • 00:05:39
    with a letter from their general counsel
  • 00:05:41
    saying if you poke around our software
  • 00:05:42
    again we'll see to it that you go to
  • 00:05:45
    prison so Bugtraq you create a snappy
  • 00:05:49
    handle you hide behind a proxy you take
  • 00:05:51
    your zero day and mail it to thousands
  • 00:05:53
    of hackers across the world the
  • 00:05:55
    community gets valuable information the
  • 00:05:58
    company gets punished and you you get
  • 00:05:59
    street
  • 00:06:00
    cred sharing and exploring zero days was
  • 00:06:03
    a major part of the early hacker culture
  • 00:06:05
    and a source of Pride for many but as
  • 00:06:08
    the years went by this state of things
  • 00:06:10
    began changing into something
  • 00:06:13
    unrecognizable there is a wall and you
  • 00:06:16
    really really need to get to the other
  • 00:06:18
    side you have money you have connections
  • 00:06:21
    you have resources all you need is a
  • 00:06:24
    hint you go to Bugtraq and look for
  • 00:06:27
    names there is pneumonics Alf one pack
  • 00:06:30
    nisy scores upon scores of handles a lot
  • 00:06:34
    of very skilled people who do a lot of
  • 00:06:36
    work for free but maybe some of them
  • 00:06:38
    would like a bit of
  • 00:06:40
    compensation you choose one an email a
  • 00:06:44
    polite well-measured
  • 00:06:45
    offer and a sum more than they earn in a
  • 00:06:49
    year more than the software company is
  • 00:06:51
    willing to pay for the same bug there
  • 00:06:54
    are very few problems a bottomless
  • 00:06:56
    budget can't solve years pass
  • 00:07:00
    you do the same again and again you
  • 00:07:03
    establish stronger connections
  • 00:07:05
    relationships networks some of the
  • 00:07:07
    people are reliable others not so much
  • 00:07:11
    you keep the reliable ones close the
  • 00:07:13
    Dangerous Ones even closer you are not
  • 00:07:16
    the only one buying and your contacts
  • 00:07:19
    are not the only one selling a market
  • 00:07:21
    begins to form and grow just by sending
  • 00:07:24
    some emails you get zero days that can
  • 00:07:26
    bypass any wall and even if you have a a
  • 00:07:29
    problem finding sellers there might be a
  • 00:07:32
    solution to that middlemen emerge zero day
  • 00:07:35
    brokers companies with shady names and
  • 00:07:38
    even shadier backgrounds willing to help
  • 00:07:40
    you in your struggle they can find
  • 00:07:42
    whoever you need and conduct the
  • 00:07:44
    transaction they will even confirm if
  • 00:07:46
    the merchandise works and vouch for its
  • 00:07:49
    Effectiveness they're very much a
  • 00:07:51
    matchmaking service right government
  • 00:07:53
    right could go and and you know post
  • 00:07:55
    even you know anonymously on on Reddit
  • 00:07:57
    or you know some underground Forum hey I
  • 00:07:59
    want to go buy an exploit right but but
  • 00:08:01
    then you're dealing with some unknown um
  • 00:08:03
    some unknown party you have issues
  • 00:08:05
    around escrow all right you know both
  • 00:08:07
    trust from the buyer side and Trust From
  • 00:08:10
    the seller side and so these exploit
  • 00:08:13
    brokers work as middlemen and
  • 00:08:15
    matchmakers they're holding stuff in
  • 00:08:17
    escrow and then they're confirming the
  • 00:08:18
    vulnerability or holding funds in escrow
  • 00:08:20
    and then confirming the vulnerability
  • 00:08:22
    actually works in many cases before even
  • 00:08:24
    brokering brokering the deal and then of
  • 00:08:27
    course for all those Services they take
  • 00:08:28
    a percentage off
  • 00:08:30
    so you buy a snippet of information from
  • 00:08:32
    a broker or an anonymous hacker online
  • 00:08:35
    you confirm that the vulnerability works
  • 00:08:37
    and you develop an exploit a piece of
  • 00:08:39
    malware that can reliably turn one
  • 00:08:41
    flawed piece of code into a safe Passage
  • 00:08:44
    through the
  • 00:08:45
    wall time to use
  • 00:08:48
    it what you are looking at now is an
  • 00:08:51
    exploit not an actual one but a
  • 00:08:53
    reconstruction a researcher managed to
  • 00:08:55
    piece together after scraping the
  • 00:08:57
    remains of an attack on his phone
  • 00:09:00
    it's designed to infect iPhones through
  • 00:09:02
    an invisible iMessage the user never
  • 00:09:05
    gets the notification not even a blip on
  • 00:09:07
    the screen a snippet of code just slips
  • 00:09:10
    in and stays completely silent it begins
  • 00:09:13
    working through a particular bug a flaw
  • 00:09:16
    that existed in Apple software for
  • 00:09:18
    decades a remnant of a function that has
  • 00:09:20
    long been discontinued a deformed brick
  • 00:09:23
    that once supported a wall but no longer
  • 00:09:26
    does after slipping through the code
  • 00:09:29
    takes over a small part of the phone's
  • 00:09:30
    memory just enough to get some minor
  • 00:09:33
    things done using this memory the
  • 00:09:36
    message finds another larger hole in the
  • 00:09:38
    wall another zero day through which an
  • 00:09:41
    even more malicious code can be brought
  • 00:09:43
    through it's unexploitable from outside
  • 00:09:46
    but once you're in you can use it the
  • 00:09:49
    new code is more potent and it begins a
  • 00:09:51
    war on the phone's native systems a
  • 00:09:54
    short battle rages under the fingers of
  • 00:09:56
    the unsuspecting user until the invading
  • 00:09:58
    code uses yet another vulnerability
  • 00:10:01
    one that allows it to bypass all
  • 00:10:03
    defenses in several seconds the iPhone
  • 00:10:06
    is
  • 00:10:07
    conquered finally one more vulnerability
  • 00:10:10
    is used to gain access and take over the
  • 00:10:13
    Safari browser now the phone is at the
  • 00:10:15
    mercy of the Intruder and will report
  • 00:10:18
    everything the owner does sees or hears
  • 00:10:21
    a string of four zero days an entire
  • 00:10:23
    attack chain tied together by some very
  • 00:10:26
    well-written code giving you
  • 00:10:27
    unrestricted access to any iPhone on the
  • 00:10:30
    planet the researchers called this chain
  • 00:10:32
    Operation Triangulation a weird name for
  • 00:10:35
    an attack that has four prongs not three
  • 00:10:38
    but who are we to judge weird naming
  • 00:10:41
    aside these exploits are incredibly
  • 00:10:43
    potent and incredibly dangerous and to
  • 00:10:46
    get that sort of capability you have to
  • 00:10:48
    pay the
  • 00:10:50
    price just like with almost anything on
  • 00:10:53
    an open market the price is a reflection
  • 00:10:55
    of the
  • 00:10:56
    usefulness one of the very few glimpses
  • 00:10:59
    we get into the cost of attacks like
  • 00:11:00
    Operation Triangulation is a list by
  • 00:11:03
    Zerodium a major broker company that
  • 00:11:05
    actually publishes its
  • 00:11:07
    prices according to Zerodium a zero day
  • 00:11:10
    that allows you to bypass a phone's
  • 00:11:12
    passcode or a pin nowadays is up to
  • 00:11:15
    $100,000 a zero day that allows you to
  • 00:11:18
    access their chat application a web
  • 00:11:20
    browser or an email could cost up to a
  • 00:11:22
    half a million zero days that give you
  • 00:11:25
    access to somebody's phone without any
  • 00:11:27
    interaction on their part can net 2 to
  • 00:11:30
    $2.5
  • 00:11:32
    million so millions of dollars to break
  • 00:11:35
    into a phone and that's not even
  • 00:11:37
    counting the salaries of the small army
  • 00:11:39
    of hackers who wrote the exploit making
  • 00:11:42
    the zero day
  • 00:11:43
    usable these are not the amounts of
  • 00:11:45
    money you pay to keep tabs on your
  • 00:11:46
    cheating fiance the people who use these
  • 00:11:49
    attacks aim a lot higher the biggest
  • 00:11:52
    demographic of buyers um you know on
  • 00:11:54
    open markets is is probably governments
  • 00:11:56
    I mean I I you know they they have they
  • 00:11:59
    have money that cyber criminals you know
  • 00:12:01
    can't touch um you know or can't
  • 00:12:03
    possibly you know can't possibly amass
  • 00:12:05
    even some these larger ransomware gangs
  • 00:12:06
    and the value right that they get out of
  • 00:12:08
    the um you know out of the intelligence
  • 00:12:10
    that they gain with these zero days is
  • 00:12:13
    not measured in dollars and cents either
  • 00:12:15
    some zero days are harmless you know you
  • 00:12:17
    find a mistake in the code and it might
  • 00:12:20
    be in a system which is not widely used
  • 00:12:23
    or if it's even used by some Niche
  • 00:12:26
    audience it's not uh that interesting
  • 00:12:28
    not worth your effort to break into that
  • 00:12:31
    system but the systems that hackers and
  • 00:12:34
    nation states spend a lot of time on
  • 00:12:36
    right now are iPhone software Android
  • 00:12:41
    software software that touches critical
  • 00:12:43
    infrastructure software that touches um
  • 00:12:47
    like I said you know cryptocurrency
  • 00:12:50
    systems uh wallets that could get you a
  • 00:12:52
    lot of cash uh in cryptocurrency we may
  • 00:12:55
    never know the actual cost of Operation
  • 00:12:57
    Triangulation there's only a small
  • 00:12:59
    handful of broker companies that publish
  • 00:13:01
    their prices and countless more that
  • 00:13:03
    don't the actual cost of a zero day let
  • 00:13:06
    alone an exploit can vary a lot a good
  • 00:13:10
    example of that is Operation Zero a
  • 00:13:12
    broker that popped up just a few years
  • 00:13:14
    ago in September 2023 it offered the
  • 00:13:17
    highest price for an exploit that has
  • 00:13:18
    ever been recorded $20 million for an
  • 00:13:21
    attack chain things like Operation
  • 00:13:23
    Triangulation could cost at least as
  • 00:13:26
    much or even more all of that to give
  • 00:13:29
    you access to a phone a small
  • 00:13:31
    device that tracks its users but some
  • 00:13:34
    targets of such attacks are
  • 00:13:36
    bigger zero day bought for a similar
  • 00:13:38
    price might net you an entrance to a
  • 00:13:40
    desktop computer or an industrial
  • 00:13:43
    controller or an entire network that
  • 00:13:45
    maintains infrastructure of a factory a
  • 00:13:47
    military base a
  • 00:13:51
    city Stuxnet one of the most advanced
  • 00:13:54
    examples of malware used a string of
  • 00:13:56
    four zero days to enter an Iranian
  • 00:13:59
    nuclear facility and disable
  • 00:14:01
    it NotPetya the most damaging cyber
  • 00:14:04
    attack ever recorded used one single
  • 00:14:07
    zero day to paralyze an entire country
  • 00:14:09
    for several days causing billions of
  • 00:14:11
    dollars worth of damage to International
  • 00:14:13
    companies that operated
  • 00:14:15
    there the phone of Jamal Khashoggi a
  • 00:14:18
    journalist murdered by the Saudi Arabian
  • 00:14:20
    government in 2018 was monitored and
  • 00:14:23
    tracked by the government after
  • 00:14:24
    infecting his devices through zero days
  • 00:14:29
    so far we've been comparing a zero day
  • 00:14:31
    to a flaw in a wall a brick that reveals
  • 00:14:34
    a hidden entrance this comparison is
  • 00:14:36
    quite harmless maybe a bit too harmless
  • 00:14:40
    a zero day could also be compared to a
  • 00:14:42
    weapon or more correctly a material from
  • 00:14:45
    which a weapon can be made a more
  • 00:14:48
    powerful weapon than almost anything in
  • 00:14:50
    the world with the right set of zero
  • 00:14:53
    days a government can wage cyber war
  • 00:14:55
    against both competing governments and
  • 00:14:57
    its own citizens for a government
  • 00:14:59
    with enough funds to buy such a
  • 00:15:01
    collection and enough skilled Personnel
  • 00:15:03
    to correctly exploit it any security is
  • 00:15:06
    no longer an
  • 00:15:08
    obstacle and most of these zero days
  • 00:15:10
    have at some point been traded on the
  • 00:15:12
    zero day Market they were bought sold
  • 00:15:15
    and
  • 00:15:15
    shared this happens every day right
  • 00:15:18
    there under the noses of law enforcement
  • 00:15:20
    regulators and corporations that can't
  • 00:15:23
    and won't do anything to fight
  • 00:15:25
    it why how is trading zero days even
  • 00:15:29
    legal and why nobody treats it with at
  • 00:15:31
    least a fraction of the seriousness
  • 00:15:33
    people treat the sale of weapons of mass
  • 00:15:36
    destruction well the answer to that is a
  • 00:15:39
    bit
  • 00:15:41
    complicated the zero day Market is a
  • 00:15:43
    sprawling structure with several levels
  • 00:15:46
    and a huge variety of players it seems
  • 00:15:49
    harmless on the surface nowadays unlike
  • 00:15:51
    20 or 30 years ago lots of companies
  • 00:15:54
    offer bug bounty programs they pay for
  • 00:15:57
    any vulnerabilities found in their
  • 00:15:58
    software encouraging hackers to earn
  • 00:16:00
    their income legally and make the
  • 00:16:02
    internet more secure in the process some
  • 00:16:05
    firms and researchers do the same but
  • 00:16:07
    independently they look for bugs on the
  • 00:16:09
    code of popular software and notify the
  • 00:16:11
    vendors sometimes they get paid in any
  • 00:16:14
    case they get exposure the corporate
  • 00:16:17
    version of hacker street cred this is
  • 00:16:20
    how the White Market works the tip of
  • 00:16:22
    the iceberg something most people mean
  • 00:16:25
    when they talk about zero days but there
  • 00:16:28
    is a level below that the part of the
  • 00:16:30
    market where companies don't have catchy
  • 00:16:32
    names and aren't too fond of being
  • 00:16:34
    noticed where researchers don't advertise
  • 00:16:37
    their findings and a lot of them get
  • 00:16:39
    redacted you can go search LinkedIn um
  • 00:16:43
    and find people that are um you know
  • 00:16:45
    hiring contractors right that are hiring
  • 00:16:47
    for vulnerability research um you know
  • 00:16:51
    requiring security clearance that's not
  • 00:16:53
    an anomaly in the US but make no mistake
  • 00:16:55
    about it right all all all governments
  • 00:16:57
    are are either researching these or
  • 00:16:59
    purchasing them and probably some
  • 00:17:02
    combination thereof this is the gray
  • 00:17:04
    Market strictly speaking it's not legal
  • 00:17:07
    but it's not illegal either the
  • 00:17:10
    governments are investing in research
  • 00:17:11
    and hiding what they find from the
  • 00:17:13
    public they pay the hackers for their
  • 00:17:15
    silence and use the zero days for spying
  • 00:17:17
    and cyber warfare it's hard to
  • 00:17:19
    comprehend morally dubious and entirely
  • 00:17:23
    unregulated but there's a level below
  • 00:17:26
    that too finally we the black market which
  • 00:17:29
    is sometimes governments if there are
  • 00:17:31
    international regulations limiting their
  • 00:17:34
    ability to buy du the exploits on the
  • 00:17:37
    gray Market a lot of illegal activity
  • 00:17:39
    goes on on black market and the value is
  • 00:17:43
    much higher than white Market could be
  • 00:17:44
    10 to 100 times as high for exploits as
  • 00:17:47
    on the White Market so you will find a
  • 00:17:50
    lot of international crime networks and
  • 00:17:52
    organizations some rogue governments
  • 00:17:55
    non-state actors of various types
  • 00:17:57
    operating there illicitly
  • 00:17:59
    recently the world witnessed a very
  • 00:18:01
    telling example of exactly that this is
  • 00:18:04
    an app called MOVEit a file transfer
  • 00:18:06
    protocol similar to WeTransfer or OneDrive
  • 00:18:08
    it has a boring interface and a
  • 00:18:11
    moderate market share safe to say you've
  • 00:18:14
    probably never used it unless you worked
  • 00:18:17
    at a major corporation or government
  • 00:18:19
    office before 2023 most of its clients
  • 00:18:22
    were the big shots the likes of Shell
  • 00:18:24
    Sony and the US Department of Energy in
  • 00:18:27
    June 2023 Clop a major ransomware
  • 00:18:31
    gang acquired a zero day vulnerability
  • 00:18:33
    in MOVEit software immediately it was
  • 00:18:36
    used to breach the service and steal the
  • 00:18:38
    data of all its clients and what
  • 00:18:41
    resulted was the largest ransomware
  • 00:18:43
    attack in recent years Clop's list
  • 00:18:45
    includes over 22,000 companies and
  • 00:18:48
    nearly 90 million people more than the
  • 00:18:51
    population of such countries as Germany
  • 00:18:53
    or France Clop began extorting the
  • 00:18:55
    companies threatening to release their
  • 00:18:57
    secrets if they didn't pay ransom we'll
  • 00:19:00
    never know how many companies budged but
  • 00:19:02
    the payouts quite certainly made a lot
  • 00:19:04
    of criminals very very rich all thanks
  • 00:19:07
    to one single zero
  • 00:19:12
    day so it started with nation states and
  • 00:19:15
    their
  • 00:19:16
    contractors and like most of these
  • 00:19:18
    techniques and tools it has now migrated
  • 00:19:21
    to cyber criminals and over the past few
  • 00:19:25
    years we've seen cyber criminals use
  • 00:19:26
    zero day exploits in various
  • 00:19:28
    ransomware attacks um or hacks of
  • 00:19:31
    cryptocurrency exchanges or wallets and
  • 00:19:33
    that kind of thing so that's the black
  • 00:19:36
    part of the zero day Market with it the
  • 00:19:38
    whole thing seems quite neat and
  • 00:19:40
    organized you have the good guys who
  • 00:19:42
    work openly and hunt for zero days to
  • 00:19:45
    expose them and make everyone safer you
  • 00:19:47
    have governments and Shady companies who
  • 00:19:49
    trade zero days to stay on top of the
  • 00:19:51
    cyber warfare game and you have the
  • 00:19:53
    criminal organizations that buy zero
  • 00:19:55
    days to steal data you can read all
  • 00:19:58
    about this on Wikipedia or well
  • 00:20:01
    anywhere but this structure is clear
  • 00:20:03
    only from the surface when you begin
  • 00:20:06
    looking at the market closer the lines
  • 00:20:08
    begin to blur and things get
  • 00:20:14
    worse let's get back to Operation
  • 00:20:16
    Triangulation an exploit that used 4
  • 00:20:19
    zero days to gain access to any
  • 00:20:21
    iPhone this operation was discovered
  • 00:20:24
    after researchers at Kaspersky a Russian
  • 00:20:26
    cyber security company accidentally
  • 00:20:28
    detected its traces on their phones the
  • 00:20:31
    researchers admitted it is the most
  • 00:20:33
    complex and most advanced attack they've
  • 00:20:36
    ever dealt with it has all the telltale
  • 00:20:38
    signs of a state-sponsored hacker army
  • 00:20:41
    and a very powerful one at that at the
  • 00:20:44
    same time the Federal Security Service
  • 00:20:47
    the Russian analog of America's NSA
  • 00:20:49
    announced discovering the same attack
  • 00:20:51
    patterns on thousands of phones of
  • 00:20:53
    Russian government officials the service
  • 00:20:56
    said they managed to identify the
  • 00:20:57
    attacker a American intelligence
  • 00:20:59
    agencies who spied on Russian citizens
  • 00:21:02
    in this unparalleled International
  • 00:21:04
    attack according to the FSB such an
  • 00:21:07
    attack had to be coordinated with Apple
  • 00:21:09
    which would not allow bugs like those to
  • 00:21:11
    remain in their systems without any
  • 00:21:13
    reason but then there is Operation Zero
  • 00:21:17
    the company which offered $20 million
  • 00:21:19
    for the same attack chain hinting that
  • 00:21:21
    the attack is more than possible without
  • 00:21:24
    Apple's input just like with most
  • 00:21:26
    vendors we know very little about
  • 00:21:28
    Operation Zero but one thing we know and
  • 00:21:31
    it's a thing the company is out loud
  • 00:21:32
    and proud about is that it sells its
  • 00:21:35
    exploits only to Russian intelligence
  • 00:21:37
    agencies and companies another thing we
  • 00:21:39
    know is that it was founded by a former
  • 00:21:41
    employee of Kaspersky the same company
  • 00:21:44
    that was later attacked by Operation
  • 00:21:48
    Triangulation for a citizen of the
  • 00:21:50
    United States selling a zero day to
  • 00:21:52
    Zerodium which would pass it on to the
  • 00:21:54
    NSA would be the work on the gray market
  • 00:21:57
    to sell the same bug to Operation Zero
  • 00:22:00
    the citizen would have to enter the
  • 00:22:01
    black market and for a Russian hacker
  • 00:22:05
    who discovered the same zero day the
  • 00:22:07
    situation would be strictly reversed
  • 00:22:09
    contacting Operation Zero would make
  • 00:22:11
    them a millionaire and contacting
  • 00:22:12
    Zerodium would likely land them in jail
  • 00:22:16
    but only a small minority of hackers
  • 00:22:18
    live in the United States or Russia
  • 00:22:20
    every country in the world aims to get
  • 00:22:21
    an edge in cyberspace and each one of
  • 00:22:24
    them sets its own rules in accordance
  • 00:22:26
    with its alignment each one has its own
  • 00:22:28
    white gray and black markets and thanks
  • 00:22:31
    to the world being as interconnected as
  • 00:22:33
    it is absolutely nothing prevents one
  • 00:22:36
    government from reaching out to a black
  • 00:22:37
    market of another governments that are
  • 00:22:40
    not looking for morally dubious uh
  • 00:22:43
    things generally use gray and white
  • 00:22:46
    markets uh to get those types of
  • 00:22:48
    vulnerabilities if they go in the black
  • 00:22:50
    market It's really because they can't
  • 00:22:52
    get to it in any other way and it gets
  • 00:22:56
    pretty complicated
  • 00:23:01
    both Zerodium and Operation Zero are
  • 00:23:03
    pretty straightforward they sell to
  • 00:23:05
    their governments and are transparent
  • 00:23:07
    about it but when it comes to Brokers
  • 00:23:10
    those two are an
  • 00:23:12
    exception most companies that trade in
  • 00:23:14
    zero days work entirely in the shade
  • 00:23:17
    what they sell and who they sell to and
  • 00:23:19
    who works for them is a total secret and
  • 00:23:22
    from what we know they often use that to
  • 00:23:24
    blur the lines between the markets even
  • 00:23:26
    more either on accident or not entirely
  • 00:23:30
    so they may actually um you know sell to
  • 00:23:34
    not sanctioned regimes because that
  • 00:23:35
    would obviously be illegal but they
  • 00:23:37
    probably aren't doing like as much due
  • 00:23:40
    diligence as you might otherwise you
  • 00:23:42
    know want um and they might even in some
  • 00:23:44
    cases um you know through that lack of
  • 00:23:47
    due diligence be working with you know
  • 00:23:49
    some possibly unwittingly with some
  • 00:23:51
    cyber promote but then we have these
  • 00:23:53
    high-profile incidents where groups like
  • 00:23:55
    Hacking Team which was based in Milan
  • 00:23:57
    Italy um um get hacked themselves and we
  • 00:24:01
    say oh they're selling to uh African
  • 00:24:05
    nations that have
  • 00:24:06
    horrific human rights records or to
  • 00:24:10
    Russia which might not have initially
  • 00:24:11
    fit these hackers' uh moral calculus on
  • 00:24:15
    who's a good country who's a Bad Country
  • 00:24:16
    who has free press and who doesn't and
  • 00:24:19
    thanks to all this secrecy and all of
  • 00:24:21
    this blurring imposing any kind of
  • 00:24:23
    regulation on the zero day Market or
  • 00:24:25
    even going after anybody who crosses the
  • 00:24:27
    line becomes nearly impossible a
  • 00:24:30
    Prosecuting somebody who is you know
  • 00:24:33
    themselves Anonymous and who facilitates
  • 00:24:35
    Anonymous purchases is very complicated
  • 00:24:38
    even when you know the parties involved
  • 00:24:41
    and no one likes doing that um because
  • 00:24:43
    they also want to see Brokers as sources
  • 00:24:45
    of information so for them it's better
  • 00:24:47
    to give the broker immunity and get them
  • 00:24:50
    to cough up whatever they know about uh the
  • 00:24:53
    deal than to go after them and make
  • 00:24:56
    additional uh parties with an interest to
  • 00:24:58
    cover everything up even more that's why
  • 00:25:00
    they're not very likely to be
  • 00:25:02
    prosecuted and this is how the zero day
  • 00:25:05
    Market operates with no regulation with
  • 00:25:08
    no prosecution always on the border of
  • 00:25:10
    legality and morality it is sprawling
  • 00:25:13
    and complex and at the same time mostly
  • 00:25:16
    invisible and entirely
  • 00:25:18
    opaque for people who first learn about
  • 00:25:21
    it it's difficult to have any kind of
  • 00:25:23
    positive reaction after all we are
  • 00:25:25
    speaking about the underground sale of
  • 00:25:27
    weapons that can be and sometimes are
  • 00:25:29
    used against every one of us so an urge
  • 00:25:33
    to regulate or straight up ban can be
  • 00:25:35
    overwhelming no matter how difficult or
  • 00:25:37
    impossible that might seem but there can
  • 00:25:40
    be a different perspective on this a
  • 00:25:43
    perspective held by a lot of people who
  • 00:25:45
    used to work in intelligence agencies
  • 00:25:47
    and witness what governments use their
  • 00:25:48
    zero days for yeah this one's a rather
  • 00:25:51
    you know complex one for me um you know
  • 00:25:53
    I don't speak purely from opinion a
  • 00:25:55
    little bit of it's from experience um I
  • 00:25:57
    think it's known at this point uh you
  • 00:25:59
    know that I'm a Former Intelligence
  • 00:26:00
    professional and a former government
  • 00:26:02
    hacker right um and so you know I've
  • 00:26:05
    seen firsthand the value of um you know
  • 00:26:08
    the value of retaining an 0-day um purely
  • 00:26:11
    for uh you know purely for offensive
  • 00:26:13
    purposes of course there's a risk there
  • 00:26:15
    right and that's why the US government
  • 00:26:17
    um you know has the vulnerability
  • 00:26:18
    equities process um where you know very
  • 00:26:21
    smart people um very smart and very
  • 00:26:23
    educated people from across different
  • 00:26:25
    agencies in the government meet about
  • 00:26:27
    zero days that we have knowledge of and
  • 00:26:30
    may have may or may not have weaponized
  • 00:26:31
    may be available for sale what have you
  • 00:26:34
    and discuss the um you know the value of
  • 00:26:37
    using it for intelligence versus the
  • 00:26:40
    value of making our infrastructure safe
  • 00:26:42
    right and and globally infrastructure
  • 00:26:44
    say it it's it's a bit complex for me I
  • 00:26:46
    I I absolutely can't side with the folks
  • 00:26:49
    that say all zero days are equ that's
  • 00:26:53
    that can't be that that can't be the
  • 00:26:56
    case what you're looking looking at now
  • 00:26:58
    is a theoretical exploit of a
  • 00:27:00
    vulnerability in PHP a scripting
  • 00:27:02
    language that forms the backbone of the
  • 00:27:04
    internet both the visible one such as
  • 00:27:07
    the page you are on right now and the
  • 00:27:10
    invisible one the dark web a place
  • 00:27:12
    you've probably heard of websites and
  • 00:27:15
    servers there are based on the same
  • 00:27:16
    principles as regular websites and they
  • 00:27:19
    are susceptible to the same
  • 00:27:21
    vulnerabilities sometime in late 2023
  • 00:27:24
    somebody somewhere discovered a cracked
  • 00:27:27
    brick in the wall that forms a part of
  • 00:27:30
    PHP we don't know who that was and why
  • 00:27:32
    they did it maybe they found the zero
  • 00:27:34
    day themselves maybe they bought it on
  • 00:27:36
    the
  • 00:27:37
    market and then they took that cracked
  • 00:27:39
    brick and turned it into a passage with
  • 00:27:42
    that passage they could have accessed
  • 00:27:44
    any server overtake any website in the
  • 00:27:47
    world but the website they did attack
  • 00:27:49
    looked like this it's the dark web blog
  • 00:27:53
    of LockBit one of the largest criminal
  • 00:27:55
    organizations in the world and several
  • 00:27:58
    years of their existence LockBit
  • 00:28:00
    attacked thousands of people and
  • 00:28:01
    extorted billions after stealing their
  • 00:28:03
    data and demanding Ransom at the height
  • 00:28:06
    of their activity they comprised almost
  • 00:28:08
    half of the entire ransomware Market in
  • 00:28:10
    the world in early 2024 LockBit was
  • 00:28:14
    taken down their whole infrastructure
  • 00:28:17
    spanning dozens of servers and the
  • 00:28:19
    accounts of hundreds of cyber criminals
  • 00:28:21
    was taken over by a combined task force
  • 00:28:23
    of law enforcement from 11 countries
  • 00:28:25
    they hit the gang so hard that it
  • 00:28:28
    practically had to recreate itself anew
  • 00:28:30
    and might never return to the top of the
  • 00:28:32
    food chain and this entire operation was
  • 00:28:36
    most likely conducted thanks to a zero
  • 00:28:39
    day so yes it can be difficult to admit
  • 00:28:43
    but sometimes the governments and law
  • 00:28:45
    enforcement agencies just do their job
  • 00:28:48
    and sometimes that job requires a
  • 00:28:51
    well-placed
  • 00:28:52
    exploit well it could be unethical but
  • 00:28:55
    the problem is it works both ways yes
  • 00:28:58
    could facilitate governments looking to
  • 00:29:00
    spy on opposition members journalists and
  • 00:29:03
    and so forth and there are many
  • 00:29:05
    campaigns constantly attacking
  • 00:29:07
    governments and companies for doing
  • 00:29:09
    exactly that it could also be the reverse it
  • 00:29:12
    could be other governments going after
  • 00:29:14
    the oppressive governments and trying to
  • 00:29:17
    cause them problems uh it could also be
  • 00:29:20
    private initiatives looking for exploits
  • 00:29:22
    to attack these governments such as what
  • 00:29:26
    Anonymous affiliates were doing against
  • 00:29:28
    Russia during the war with Ukraine so if
  • 00:29:30
    you start going after this Market it
  • 00:29:32
    will end up hurting both sides and more
  • 00:29:34
    likely the government will win anyway in
  • 00:29:37
    that scenario because they have more
  • 00:29:39
    money to spend they're not operating at
  • 00:29:42
    a risk when they those markets they will
  • 00:29:45
    use third parties who they'll burn but
  • 00:29:47
    they'll then they'll find somebody else
  • 00:29:50
    so everything is a lot blurrier than it
  • 00:29:52
    might seem the zero day Market is a huge
  • 00:29:54
    Tangled mass of legal and moral
  • 00:29:56
    questions of companies that sell to
  • 00:29:58
    criminals and governments alike of
  • 00:30:01
    agencies that seek exploits and pay
  • 00:30:03
    millions but call it illegal to use the
  • 00:30:05
    same exploits against them of criminals
  • 00:30:08
    attacking governments and governments
  • 00:30:10
    attacking criminals and of hackers who
  • 00:30:13
    are the source of it all people who earn
  • 00:30:15
    their living staring into the
  • 00:30:18
    [Music]
  • 00:30:21
    wall most of the zero day Market is
  • 00:30:23
    completely secret but after all we know
  • 00:30:26
    about it right so somebody is definitely
  • 00:30:29
    breaking the first rule of Fight
  • 00:30:31
    Club sometimes it's former government
  • 00:30:33
    employees who say as much as they can
  • 00:30:36
    without crossing the
  • 00:30:37
    line sometimes it's brokers who want to
  • 00:30:40
    attract attention both from potential
  • 00:30:42
    sellers and buyers and sometimes it's
  • 00:30:45
    hackers themselves who decide to talk
  • 00:30:48
    despite what others tell them as I
  • 00:30:51
    document in the book there are various
  • 00:30:52
    cases where um certain uh Brokers there
  • 00:30:57
    was a very famous One based in uh
  • 00:31:00
    Thailand I don't know where he is now
  • 00:31:02
    the Grugq he's a very well-respected member
  • 00:31:05
    of the hacking
  • 00:31:06
    Community um spoke to a Forbes reporter
  • 00:31:11
    a friend of mine Andy Greenberg at one
  • 00:31:14
    point and thought he was speaking off
  • 00:31:16
    the record basically the Grugq shared a lot
  • 00:31:18
    of information Priceless uh you know
  • 00:31:22
    some rules of the game at one point even
  • 00:31:25
    posed for a photo next to a duffel bag
  • 00:31:27
    with which I don't know whether there
  • 00:31:29
    was actual cash in it but it looked like
  • 00:31:32
    there was Cash in it I don't know if it
  • 00:31:33
    was real or not and from what I
  • 00:31:36
    understand after that appeared he was
  • 00:31:39
    visited by Thai police and basically
  • 00:31:42
    according to friends and colleagues of
  • 00:31:44
    his um lost half his business because
  • 00:31:47
    there were a lot of governments who had
  • 00:31:48
    been buying zero days from him who said
  • 00:31:50
    I don't want to do business with someone
  • 00:31:53
    who's going to pose next to a bag a duffel
  • 00:31:55
    bag of cash in Forbes Magazine that is
  • 00:31:58
    the antithesis of who I want to be
  • 00:32:01
    working with and so that became a very
  • 00:32:04
    um public example to other zero day
  • 00:32:08
    Brokers that they would do well to keep
  • 00:32:11
    their mouth
  • 00:32:13
    shut we tried contacting the Grugq for this
  • 00:32:16
    story and it seems he learned his lesson
  • 00:32:20
    just like almost any zero day seller or
  • 00:32:22
    broker you can find on the internet some
  • 00:32:24
    of them have public profiles some reveal
  • 00:32:26
    some details of their operations some
  • 00:32:29
    even share their names but the
  • 00:32:31
    overwhelming majority have to operate
  • 00:32:34
    through multiple layers of encryption
  • 00:32:36
    and when you get to that point of
  • 00:32:37
    secrecy there's just no way to know who
  • 00:32:40
    you're dealing with and frankly it's
  • 00:32:41
    dangerous for you to do to know and
  • 00:32:43
    that's why it's done particularly in
  • 00:32:45
    that way so the reason why no one wants
  • 00:32:48
    to talk about this is one you know their
  • 00:32:51
    customers
  • 00:32:53
    require um complete
  • 00:32:55
    discretion no one no government
  • 00:32:58
    wants to purchase a zero day from
  • 00:33:01
    someone who's out there mouthing off
  • 00:33:05
    about what they have who they're selling
  • 00:33:08
    it to you know they they need to be able
  • 00:33:11
    to trust these people to keep these
  • 00:33:14
    sales quiet so discretion is is critical
  • 00:33:18
    which is why while we know a lot about
  • 00:33:20
    the zero day Market there's much more we
  • 00:33:22
    don't and probably never will even
  • 00:33:25
    despite the impact it has and will have
  • 00:33:27
    on our lives so there you go the zero
  • 00:33:30
    day Market the digital underworld full
  • 00:33:33
    of elite hackers and horrific Secrets a
  • 00:33:36
    world that sometimes spills into our
  • 00:33:38
    reality causing massive harm but also a
  • 00:33:42
    world that is inseparably intertwined
  • 00:33:44
    with ours with ties That simply can't
  • 00:33:47
    and probably won't be
  • 00:33:49
    broken the walls are built by people and
  • 00:33:53
    as long as that happens some bricks in
  • 00:33:55
    them will be
  • 00:33:56
    flawed and as long as there are flawed
  • 00:33:59
    bricks there will be people who will pay
  • 00:34:01
    money to have them
  • 00:34:02
    found and so the zero day Market will
  • 00:34:06
    persist we hope you enjoyed this short
  • 00:34:09
    dive into another extremely complicated
  • 00:34:11
    topic we're very thankful to Nicole Perlroth
  • 00:34:14
    whose book on zero days served as an
  • 00:34:16
    inspiration for this story don't
  • 00:34:19
    hesitate to give a chance to our other
  • 00:34:20
    explainers we cover all things cyber and
  • 00:34:23
    usually upload one every other week stay
  • 00:34:26
    informed and have a nice stay
Tags
  • zero day
  • cybersecurity
  • hacking
  • marketplace
  • vulnerabilities
  • exploits
  • cyber warfare
  • malware
  • information security
  • dark web