apelcto.txt


  • 8/12/2019 apelcto.txt


    Aaron Portnoy started his hacking career when he was still in high school, at the Massachusetts Academy of Math & Science in Worcester, which not coincidentally was the institution he hacked. He did it as follows: Portnoy had a friend call one of the dorms, posing as tech support. The students were more than happy to give him their passwords. Hiding behind those borrowed accounts and routing his approach through proxies in various foreign countries, Portnoy wormed his way into the school's network through a bug in the system that's technically known as a vulnerability, or even more technically as a zero-day. "I had access to every email, grades, everything," he says. "They had a number of issues with their configurations that allowed me to just kind of spread everywhere."

    Showing what in retrospect seems like considerable restraint, Portnoy tweaked the school's website to say something uncomplimentary about another student. Then he got out. Later the school brought in tech experts to trace the intrusion, but they could never quite track it back to him.

    So naturally Portnoy did it again the next year and got caught. The academy encouraged him to find an alternative venue for his education. It didn't really matter. He graduated from a local high school instead and went on to Northeastern University. It was all excellent preparation for what he does for a living now: researching and selling software vulnerabilities, which since his high school days have become one of the world's newer and more controversial commodities.

    Portnoy, now 28, is the co-founder of a two-year-old company in Austin called Exodus Intelligence. Its mission statement reads, "Our goal is to provide clients with actionable information, capabilities, and context for our exclusive zero-day vulnerabilities." Which means (translated from the quasi-paramilitary parlance that's endemic to the software-security industry) that Exodus Intelligence finds and sells bugs, specifically the kind of bugs that could potentially give a third party access to a computer, the same way Portnoy got access to his high school's network. They're worth a lot of money. Vulnerabilities in popular applications and operating systems have been known to change hands for hundreds of thousands of dollars each.

    They're worth a lot because although you wouldn't know to look at it, the Internet is a war zone. Even as it gets outwardly ever glossier and more social and eager to please, below that surface the Net is becoming a hostile, contested territory where private companies, law enforcement, criminals, the military and various international intelligence agencies are engaged in constant low-level cyberwarfare. This conflict only occasionally becomes visible to the naked eye: in May, for example, when the U.S. indicted five members of the Chinese army for stealing data from American companies, including Westinghouse and Alcoa. That wasn't an anomaly; it's the norm, and it's getting more normal all the time. Retired Army general Keith Alexander, who formerly headed both the NSA and U.S. Cyber Command, has called China's ongoing electronic theft of American intellectual property "the greatest transfer of wealth in history." Two weeks ago several security firms confirmed that a group believed to be backed by [...] started buying up vulnerabilities of all kinds; another company, TippingPoint, launched a similar program in 2005. Both programs were created as alternatives to the increasingly active and chaotic exchange of zero-days on the open market; essentially they acted as safe zero-day disposal facilities, a bit like radioactive-waste repositories. If you found a bug, instead of selling it to the highest bidder, who would do God knows what with it, you could sell it to iDefense or TippingPoint for a reliable price, and they would alert their clients to the problem and work with the software vendor to get the bug patched. iDefense and TippingPoint had something else in common too: they both, in successive years, 2005 and 2006, hired an intern named Aaron Portnoy.

    Portnoy in no way resembles Matthew Broderick in WarGames. He's a confident, affable, articulate guy who makes good eye contact and just happens to be a super-cyberintrusions expert. In 2006, Portnoy dropped out of Northeastern to work at TippingPoint full time, then in 2012 he left to go into the vulnerabilities business on his own. Exodus Intelligence joined a small, elite field that includes Vupen, which is based in the south of France; Revuln in Malta; Netragard in the U.S.; and Telus in Canada. (Netragard wins for best corporate motto: "We protect you from people like us.") Exodus' headquarters are in an office park in Austin, which it shares with accountants and real estate agents. The place is spartan even by tech-startup standards: there's exactly one piece of interior decoration, a pirate flag tacked up on a wall.

    Its nine inhabitants spend their days banging on software looking for ways in: browsers, email clients, instant-messaging clients, Flash, Java, industrial control systems, anything an attacker could use as an entry point. "One thing we try to maintain is a capability in every major backup software out there, because that's one of the juiciest targets," Portnoy says. "If you get on an enterprise network, what is an administrator going to want to protect? Their important information. What do they use to protect that? Backup software."

    When a researcher at Exodus finds a vulnerability, he or she types it up in a professional-looking report along with technical documentation that explains what it does, where it lives, what it gets you, how to spot it, what versions of the software it works on, how one could mitigate it and so on. Most important, Exodus provides you with an exploit, which is the procedure you'd have to follow to actually trigger the bug and take advantage of it. "Every single vulnerability that we give our customers comes with a working exploit," Portnoy says. "If we can't exploit it, we don't even bother telling anyone. It's not worth it." Voilà, one freshly minted zero-day vulnerability.

    (A note on that term, zero-day: it refers to a bug's freshness. Bugs, like fish, don't age well, and zero-day means that the bug has been public for exactly zero days, hence no one has tried to fix it yet. The term is so ubiquitous that it has gone from adjective to noun: Portnoy sells zero-days.)

    Portnoy takes pride in the superior quality and effectiveness of Exodus' exploits. "We try to make them as nasty and invasive as possible," he explains. "We tout