Zero hour – A booming trade in bugs is undermining cyber-security | Books & arts

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

This Is How They Tell Me The World Ends. By Nicole Perlroth. Bloomsbury; 528 pages; $21 and £14.99

IF YOU DISCOVER that a favourite vending-machine dispenses free chocolate when its buttons are pressed just so, what should you do? The virtuous option is to tell the manufacturer, so it can fix it. The temptation is to gorge. More lucrative still might be to sell the trick to others—including those with larger appetites and fewer scruples. But when the weaknesses of a system can be bought and sold, the results can be calamitous, as “This Is How They Tell Me The World Ends” shows.

Nicole Perlroth, a cyber-security correspondent for the New York Times, has produced an engaging and troubling account of “zero-day exploits”. An exploit is a piece of code that takes advantage of a vulnerability in software, typically to gain access or do harm. A zero-day exploit is rarer: it targets a hitherto undiscovered—and therefore undefended—blind spot.

Twenty years ago, exploits for Windows software yielded “pennies on the dollar”, a former hacker recalls. But as software became ubiquitous—running utilities, nuclear plants and warplanes—it grew more alluring. Zero-days became the “blood diamonds of the security trade”, says Ms Perlroth, fetching six or seven figures depending on their target and potency.

Such price signals worked as you would expect. Young men—in this story, there are few women—who once unearthed bugs for fun found a rich seam in governments eager to acquire and stockpile zero-days for use against their rivals. A high-minded hacker could choose to sell the fruits of his labour to defenders rather than attackers, as software companies began offering ever-larger “bug bounties”. Google even matched bounties that hackers donated to charity; one German whizz thus lavished funds on kindergartens in Togo, schools in Ethiopia and solar plants in Tanzania.

The trouble is that spiritual rewards tend to pale beside pecuniary ones. “If we wanted to volunteer, we’d help the homeless,” sneers Chaouki Bekrar, the French founder of Vupen, one of many brokers that bought exploits from hackers and sold them, at spiralling prices, to intelligence…