Unit 27
Science and Technology
Zero-day Vulnerabilities: World War on the Net
Aaron Portnoy started his hacking career when he was still in high school, and now he is the co-founder of a company called Exodus Intelligence. His company finds and sells “zero-day vulnerabilities,” meaning undetected bugs, or flaws, in applications or software. The term “zero-day” indicates that the bug is new and fresh, having existed for exactly zero days, so no one has
tried to fix it yet. Vulnerabilities in popular applications and operating systems are worth hundreds of thousands of dollars because the Internet is a war zone. In this war, bugs are weapons, and people like Portnoy are arms dealers. When a researcher at Exodus finds a vulnerability, he or she makes technical documentation that discloses what it does, where it exists, how to root it out, and so on. Most importantly, Exodus provides clients with an exploit, which is the procedure they have to follow to actually initiate the bug and take advantage of it. Exodus’ clients come in two basic types, offensive and defensive. Playing for the defense are security firms and antivirus vendors who are looking for information they can integrate into their products, or who want to keep their clients updated on what threats are out there. On offense are testers who use Exodus’ zero-days to stage simulated attacks on their own or other people’s networks.