Dirty Business

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race BY Nicole Perlroth. New York: Bloomsbury. 528 pages. $24.
The cover of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

“I always said when this business got dirty, I’d get out,” Adriel Desautels told me late one summer evening in 2019.

Desautels was a cyberweapon merchant who looked like a milkman. He had an unruly head of curls, frameless glasses, a gap between his front teeth, and a penchant for quoting the astrophysicist Carl Sagan. His original hacker alias, Cyanide, never sat well. He’d eventually change it to the more sensible “Simon Smith.” But in a faceless business, looks meant little. Everyone who was anyone in the game knew Desautels was one of the country’s preeminent zero-day brokers.

When I first started digging into the zero-day trade, Desautels’s name was everywhere. But not in the ignominious sense. He seemed to be the one man with a moral compass in an industry that had none. I wanted to understand the nuts and bolts of the trade, but I also wanted to know how someone with such an interest in truth and transparency could play in a world shrouded in so much darkness. While other zero-day brokers seemed to relish their inscrutable Darth Vader reps, Desautels had stepped into the light. He seemed to understand something about his reputation that newer players on the market did not: it was his true currency. As a result, his clients—three-letter US government agencies, Beltway contractors, and fixers who did not tolerate ostentation, double dealers, or stealth—trusted him.

Like Eren, Evenden, and so many others in this game, he never sought the zero-day market. It found him. He’d discovered a zero-day in Hewlett-Packard software back in 2002, and in what was now a familiar story, HP threatened to sue him for it under computer crime and copyright laws. Instead of rolling over, Desautels fought back, hired a lawyer at the Electronic Frontier Foundation, and together they forced the company to retract its threats, apologize, and set a new precedent for how companies should approach vulnerability research. It never occurred to him that the case would put him on the map. The year was 2002. iDefense’s bug program was still sputtering up. He didn’t even know a market for vulnerabilities existed until he took a call from an unknown number.

“What do you have to sell?” the man asked him. The question was a confounding one.

“I’m not sure what you mean,” he replied. “Like security services?” “No, I’m looking to buy exploits,” the man told him.

To Desautels, the notion of buying an exploit seemed ridiculous. Why would anyone buy one, when they could just download it off BugTraq or Full Disclosure or any other number of hacker mailing lists? But the man persisted. “Just tell me what you’re working on.”

It just so happened that Desautels had been working on a clever zero-day MP3 exploit for fun. If he sent anyone a digital MP3 song file, and they played it, the zero-day would give him full access to their machine. Before he could even finish explaining how the exploit worked, the man interrupted. “I’ll buy it. How much?”

Desautels still couldn’t tell whether he was being serious. “Sixteen thousand!” he replied, as a joke.


One week later, his check arrived in the mail. He stared at it for a good long while and then quickly came to the conclusion Sabien and so many others around the Beltway were coming to: this could be a big business.

At the time, his penetration-testing company, Netragard, was just getting established. The company was more involved, let’s say, than the competition. “Everything else on the market was crap,” he told me. Netragard did the kind of in-depth hacking tests that made sure clients wouldn’t be hacked by people like him. That was the motto: “We Protect You From People Like Us.” Most other pen-testers did a basic scan of a company’s network and handed back a report with a list of things to upgrade and fix. That’s all most businesses wanted anyhow. They simply wanted to check off boxes on a compliance checklist. But in terms of keeping actual hackers out, the tests were useless. Desautels compared competitors’ practices to “testing a bulletproof vest with a squirt gun.” In his book, they were con artists, bilking clients for tens, sometimes hundreds, of thousands of dollars, and failing to keep hackers out. When Netragard performed a penetration test, they actually hacked you. They forged documents, hacked security keypads and work badges. When tried-and-true digital methods didn’t work, they sent hackers up their client’s freight elevators to grab a badge off a secretary’s desk, bribed cleaning ladies, and broke into chief executives’ offices. It was all covered in their contract. They called it their “get out of jail free card” and Netragard soon made a name for itself breaking into Las Vegas casinos, pharma companies, banks, and the big national labs.

He figured he could fund Netragard’s business by selling zero-day exploits on the side and keep the venture capitalists at bay. The next time he got a call from the broker who paid $16,000 for his MP3 zero-day, he doubled his asking price. The next time, he doubled it again to $60,000. He just kept upping the asking price until he met resistance. Soon, he was selling zero-days for more than $90,000 a pop. By then iDefense had emerged with its measly $100 price lists. Desautels didn’t know why anyone would sell to iDefense when they could go through what Desautels calls the “invisible, legitimate black market” and live off a single paycheck for years.

I asked Desautels if he had any qualms about how his exploits were used. He never told me the names of his buyers, only that he sold exclusively to US entities in the “public and private sector”—in other words, three-letter US agencies, defense contractors and occasionally security companies looking to test his zero-days against their own software. September 11 still felt fresh, and he told himself that his exploits were being used for good—to track terrorists and child predators. He started telling friends that if they had a zero-day exploit, he could help them sell it. iDefense and the bug bounty programs paid crap, he told them, compared to the five- and six-figure payments his buyers were offering. Pretty soon he was brokering more exploits than he was developing.

Excerpted from This How They Tell Me the World Ends, by Nicole Perlroth. Copyright © Nicole Perlroth 2020. Published by Bloomsbury USA. Reprinted with permission.