Hackers have been dubbed "modern day merchants of death" by Google
Yves Eudes

PARIS – In 140 characters of hacker jargon, French security company Vupen tweeted on Oct. 30, 2012 that they had discovered a security flaw in Windows 8 and that they were selling it to the highest bidder.

Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8

— VUPEN Security (@VUPEN) October 30, 2012

Microsoft had just launched its new operating system for computers, phones and tablets. Thanks to this “vulnerability” (also called a “zero-day exploit”), Vupen – or another team of hackers – could create malware to hijack any Windows 8 device remotely.

The firm, based in Montpellier, France, is famous in the field of software hacking. In March 2011, during the Pwn2Own hacker challenge held at the CanSecWest security conference in Vancouver, Canada, Vupen won by using a weakness in Apple’s Safari browser to hijack a MacBook.

At the time, Vupen’s co-founder, Chaouki Bekrar, had told Zdnet: "The victim visits a web page, he gets owned. No other interaction is needed."

Vupen did it again at the 2012 Pwn2Own challenge when it successfully hacked Google Chrome and Microsoft's Internet Explorer 9. Google had offered a $60,000 reward for Chrome-specific exploits in exchange for full details of the zero-day exploits used, but Chaouki Bekrar created controversy by refusing Google’s offer. He said he would withhold the details of the exploit in order to sell them to his better-paying customers. Google replied by calling him “an ethically challenged opportunist.”

@cbekrar Some things are done solely for the purpose of making the Internet safer—despite the spin from ethically challenged opportunists.

— Justin Schuh (@justinschuh) August 10, 2011

Who are these high-paying customers? When hackers find a flaw (and an exploit for it), they are supposed to inform the software vendor or a security company, which will verify the exploit and find a way to patch the flaw. For a long time, software vendors enjoyed these services for free, but in the 2000s, U.S. hackers launched a movement to get paid. Since then, many software, Internet and telecommunication companies have been publishing the going rate they are willing to pay for security vulnerabilities: from $100 to $20,000 depending on complexity or originality.

But some companies have chosen a more lucrative market. They deal in “offensive security” – a euphemism for spying and data theft. Instead of working with software vendors, these firms sell their exploits to the highest bidders, which are usually official organizations: police, army, secret services. These organizations use the exploits to track criminals and to monitor companies, foreign governments or their own citizens.

Some countries also use these tools to sabotage servers. This is what happened in Iran in 2010 when a uranium enrichment plant was attacked by the Stuxnet malware, presumably created by the U.S. and Israel. Because of this risk, countries need to be constantly aware of newly detected flaws in software and networks – and for this they turn to the private sector.

In the U.S., weapon manufacturers such as Raytheon and Northrop Grumman have opened “offensive computer security” departments. Several American companies have specialized in this field as well. The most famous is Immunity, based in Miami Beach, which organizes every year a security conference called “Infiltrate.” Immunity sells software packages with various infiltration methods, including fake websites that mimic Amazon, LinkedIn or Hotmail to trap the user.

Shady middlemen

There are new actors on this highly lucrative market – exploit brokers. They buy zero-day exploits from independent hackers and resell them to the highest bidder. The two best-known brokers are Netragard, from Massachusetts, and The Grugq, a South African living in Bangkok, Thailand, who claims to make hundreds of thousands of dollars a year.

European firms are very active on this market. Gamma Group, an Anglo-German company, sells software called FinFisher, which can remotely activate a smartphone's microphone to spy on conversations. The British government has announced that it would limit the sale of FinFisher, but that it wouldn't ban it. There is also an Italian firm called Hacking Team. But the most famous European company is Vupen.

On its official website, Vupen claims that it doesn’t sell its products to just anyone. The firm says it respects the embargoes enforced by the EU, the UN and the U.S., and only deals with “trusted” States, members of NATO, Anzus (in the Pacific region) and Asean (in the Asian region), as well as special “partner States” – meaning it still has plenty of countries to work with.

Despite these precautions, Vupen and other offensive security companies are making many enemies. In the U.S., the libertarian hackers, privacy rights organizations, security companies and Internet giants like Google have launched campaigns in which offensive security firms are compared to weapons smugglers, “modern-day merchants of death.”

These activists and organizations say that offensive security systems always end up – one way or another – in the hands of authoritarian regimes, which use them extensively.

Canadian researcher Morgan Marquis-Boire, who works for Google, says he found spyware made by Hacking Team on the laptop of a regime opponent in Dubai, and also on a pro-democracy website in Morocco. He believes the two countries are exploiting a vulnerability discovered by Vupen. Marquis-Boire also says that the FinFisher spyware was sold to the Egyptian police, and also turned up in Bahrain, Kuwait, Turkmenistan, Ethiopia and Brunei.

The libertarian groups believe these companies are a threat to civil liberties – even when they are in the hands of western countries – and that democratic nations shouldn't use such tools.

U.S. activist Christopher Soghoian, of the American Civil Liberties Union (ACLU), accused his own government of being the best client of these zero-day salesmen: "Google and Microsoft can't outbid the U.S. government – they will never win a bidding war with the army, navy or NSA.”

He also says that Western countries are playing a dangerous game and warned of a risk of “blowback,” saying that weaponized zero-day exploits sold by Vupen to a foreign government could be sold over and over again, without any control – to be later used against the Western countries that bought them in the first place.

Eric Filiol, a former French secret services agent and cryptography expert, doesn't agree. He says that Vupen is “one of France's technological jewels.” He believes that “Chaouki Bekrar is a true CEO and a patriot, working for his country.” Yes, he knows Vupen sells its exploits to foreign countries, “but that’s a good thing, it brings in foreign currencies.”
