Computer hacking has always been a pursuit driven more by geeky passion than a quest for profits. But it is now becoming a pathway to earning serious money.
A decade ago, a skilled hacker who discovered a software security flaw had two choices: he could tell the company about the problem, or he could publish his findings. The former brought the risk that the company could quietly fix the problem, yielding nothing for the clever hacker who brought it to light. The latter brought praise from his peers, but also possible accusations that he was aiding criminals.
Yet as governments and defence groups focus more on cyber arms, a market has developed for the talents of hackers. Intelligence agencies, defence contractors and criminal gangs are all willing to pay to find out about security flaws – and ways to exploit them.
This market has “been around in a commercial sense for a decade, but in the last three or four years has been much more organised as a standalone business,” says Gunter Ollmann of security firm Damballa.
Now, a potentially lucrative career awaits for skilled researchers – or even teenagers – who can challenge the vulnerabilities of some of the world’s best-known websites.
The world inhabited by the cyber-arms firms is almost entirely out of sight. But a close-up view of one them came after a hacking attack on US security contractor HBGary Federal this year. Tens of thousands of internal documents were published on the web, including presentations from another company, Endgame Systems.
In essence, the documents contained Endgame’s price list. On offer: a year’s supply of 25 previously unknown software vulnerabilities for $2.5m, complete with instructions for exploiting the flaws. Another $2m bought a global list of systems that ran the faulty software. Endgame didn’t respond to a request for comment.
Money is not the sole motivation. Others have political goals. At one extreme is Anonymous, the global hacking collective that attacked HBGary, and WikiLeaks creator Julian Assange. At the other are those who work for the government.
Peiter Zatko, once known as Mudge, was part of a hacking group that emerged in the 1990s called the Cult of the Dead Cow. Once an acquaintance of Mr Assange, Mr Zatko now serves as a programme manager for the Pentagon’s Defense Advanced Research Projects Agency.
In a sign of the new possibilities for hackers, the prankster-turned-official gave a keynote speech at the annual Black Hat security conference in Las Vegas in August.
“I was really frustrated with how the government was handling cyber. I thought, ‘let me jump inside and see how to fix it’,” Mr Zatko told the crowd, whose members grew enthusiastic as he announced a plan for getting Darpa money to small groups of technologists.
“I’m sure Assange has more Facebook ‘Likes’,” conference founder Jeff Moss says. “But there’s no career in being Assange and there are a lot of legal bills. If you’re in college and trying to figure out what to do, Mudge did it.”