Hacking Team, an online company without security

Until a few days ago, the Milanese company Hacking Team (HT) was considered one of the global leaders of the malware market. Its products, the specialised software used to place the computers and smartphones of activists, political militants and journalists under tight surveillance, were in high demand from police forces and secret services all over the world. Then, on the evening of July 5, a devastating computer attack hit its systems.

400 GB of data were stolen from the servers of the company headed by CEO David Vincenzetti and published online via torrents. Among the published material are "crown jewels" such as the source code of RCS (Remote Control System), HT's flagship product and the fruit of ten years of work and R&D investment. But there is more. The list of leaked files includes other highly prized items, the so-called 0days: vulnerabilities in the code of widely used programs, in this case Adobe Flash Player and Microsoft Internet Explorer, which in the right hands become the entry points used to run exploits and take control of a computer.

As the news spread, the web was in turmoil. The company's management stated that it had lost control of its spyware and, in a press release, raised the possibility that anyone could now make use of it. The major global news networks gave the event broad coverage and in-depth analysis. And when, on July 10, Wikileaks made the company's internal email archive, more than a million messages, searchable through a search engine, some embarrassing facts came to light. Such as the illegal export of "offensive security" software to Sudan, a state under an arms embargo because of the systematic human rights violations carried out by its government. Or the business relationships maintained with private firms, despite HT's own policy that its products were available exclusively to state bodies. And, lastly, the murky ties with the Presidency of the Council of Ministers and the Italian secret services, whose help may have been crucial in circumventing the export bans of the Ministry of Economic Development, allowing the Milanese company to keep doing business undisturbed.

But once Pandora's box was opened, other stories surfaced too. Like that of Claudio Agosti. For many people, seeing his name in that database and discovering a past business relationship with HT came as a surprise, because Vecna (the nickname by which everyone knows him online) is a pro-privacy activist, well known in Italy and abroad. A hacker of the highest technical calibre, a cryptography expert and vice-president of Hermes (a research centre that develops technologies to safeguard the privacy and anonymity of web users), Claudio agreed to tell the Italian daily il manifesto about some aspects of his professional life at HT, the reasons that led him to quit, and his view of the effects this leak could have.

When did you start working for HT? Why did you join them? What was your role?

I joined HT in 2005 to work in IT security. I was doing "penetration testing". Simply put, clients asked us to attack their infrastructure in order to locate the vulnerabilities inside their networks. I joined them because I believed I would enjoy that work: I was dealing with the security of systems and users, and I thought it was a way to see how that process worked in a professional setting.

But you were already a pro-privacy activist back then. Didn't you think the profile of the company you were working for was incompatible with your morals? In 2005 HT had been selling trojan and spyware software to the Italian postal police for a year.

It is easy to see things clearly now; it was more difficult when you were an insider. I was not involved in that project, I did not know the clients to whom the malware was sold, and I never worked, not even later, in that field. I knew there was a prototype in research and development... but understanding the implications it would have some years down the line was impossible for me at the time. Moreover, back then I was far more worried about mass surveillance than about targeted surveillance aimed at a single "target".

Moreover, consider that in 2005 the possibility of obtaining exploits was far greater than today: in those years everyone involved in offensive security was convinced that compromising a specific target would be possible with a little work. The HT product lowered the "barrier to entry" for computer attacks. That was its true innovation and, in its way, a revolutionary one. We are talking about a tool that made attacks, which before could only be carried out by technically skilled people, executable by agents following simple procedures. That is an analysis I can make today, with more experience, but at the time it was completely inconceivable to me. Back then I believed the effectiveness of this technology would always be inferior to the capacity of an expert hacker able to perform an attack. I was wrong. Such technologies enter the organizational pyramid of those organizations that are already able to pay for them, and give them new power.

But if you were already aware of these things, why did you not talk about them publicly before?

The answer is simple: because I had nothing to say. I found out what was happening at HT from the reports of Citizen Lab (a Canadian research institute that has for years been exposing the malware industry [A/N]) or from rumours in the IT security community.

When did you leave HT and why?

I joined hoping to do research and development on security issues. I wanted to explore fields of interest to me, and I hoped to do it with a company paying me to do what I would otherwise have done in my free time. Instead I ended up doing some simple operational tasks. The investment in malware was growing, and that was not the kind of research I wanted to start. In the spring of 2006 I started looking for another job, and in June I found an interesting opportunity.

How compromised are those who work in the 0day and security market? How close are they to, and how dependent on, the military, secret services and police world? To what extent can they choose who benefits from their work?

I do not know. I tried to understand that market a couple of years later, but it was a matter of circles you could enter only on one of two conditions: you either had many 0days to sell or a lot of money to buy them. I had neither...

Please define a 0day attack.

We are talking about an attack that exploits software bugs which could easily be patched if the developers were aware of them. Knowing these bugs, and writing software that exploits them in order to gain access to applications, is an advantage: and for this reason there are groups of people who look for them, turn them into stable and repeatable attacks and sell them. Some call them "digital weapons": it sounds like a correct definition to me, considering the use that has been made of them in the last 10 years and the value they have acquired.

A 0day is the core of the attack and, once it has been carried out, one can access the compromised machine. That access is exploited for intelligence, spying and attacks on internal networks. The name 0day comes from their having been known for 0 days, exploiting programming flaws that are not yet publicly known. In HT's case, the 0days were bought and resold as infection vectors: that is, they were integrated into the product so that the field agent could use it without the technical know-how that would otherwise be necessary.

Coming back to your question, I believe, however, that whoever works in this market has no room for manoeuvre. Certainly not, unless he is a double agent who sells the asset, swears to keep it secret and then burns it by making it public and therefore unusable. But that is an eventuality I would tend to rule out because, if we look at the background of the companies operating in this sector, we immediately realize that they are players strongly linked to military and intelligence organizations.

The 400 GB of data leaked from the HT servers completely exposed the company's activity and structure. In a post on Medium you claimed that this form of "radical transparency [...] is essential in this phase of exponential growth of digital power, until we improve our laws". It seems to me that this statement of yours presents both a risk and a contradiction at the same time. On the one hand, radical transparency is also the philosophical bedrock on which the accumulation regime of the big Internet companies rests. On the other hand, it is based precisely on the absence, or the progressive dismantling, of a legal framework meant to safeguard individual and collective privacy. Don't you think that resorting to such strategies could open the way to scenarios potentially more dangerous than those hinted at by the HT affair?

By "radical transparency" I do not mean the concept professed by companies that profit from analysing users' behaviour. With this expression I refer instead to a massive, unedited and uncritical publication of data. A "massive leak", as the Wikileaks cablegate was. And, as I specified in the post you quoted, I do not consider it a sacred idea, nor even a right one in itself.

Yet I do believe we find ourselves in a situation in which the law, and the awareness of users, companies and citizens, are at an extremely underdeveloped stage. And it is for this reason that a leak like the one that hit HT, a real trauma if we consider its consequences, is, on balance, a good thing for everyone.

For 5 years I have been an active developer of GlobaLeaks, a platform built to facilitate confidential communication between sources (also known as whistleblowers) and journalists able to mediate the dissemination of information. What we promote is a better process than radical transparency. And it is for this reason that my post on Medium ends with this sentence: "if you are part of an ambiguous and unregulated business, become a whistleblower before someone totally exposes you".

This is my call to disclose what happens in such environments, in which many people certainly have doubts that are nonetheless often watered down by ideology and money. Without people willing to take on this responsibility, society has no knowledge, nor any incentive to update and improve itself. And in these scenarios, if it is not you, an insider, who acts as a whistleblower... well, you run the risk that someone else will do it in your place, perhaps by resorting to radical transparency. And when that happens there will be no review, no oversight, only great damage to those exposed to public shaming.

In conclusion, radical transparency remains a last resort for me, but when a market like HT's gets exposed to the public, then you are entitled to think that, all in all, it is better that way. The fact that its technology was used to restrict fundamental rights was never a problem for the company's management. Moreover, when the question of placing restrictions on the use of the tool arose, the solution adopted by management was to wheel and deal under the counter with the top institutional echelons.

The only thing that could delegitimize radical transparency is progress in the whistleblowing culture, a capacity among journalists to review complex material (even material that cannot easily be given media coverage), and greater legal protection for those who expose themselves, release secret information and speak out in the public interest.

But who should guarantee this legal protection? The same State that, as emerges unequivocally from the leaks, was helping HT circumvent the export bans issued by the Ministry of Economic Development?

I do not have an answer. Similar tools will always be used by the military and intelligence, even with strong restrictions on their use in conventional investigations. Yet what emerges from the leaks is HT's tireless defence of its own Italian character: a feature presented over and over again to the Italian institutions as a form of guarantee.

A guarantee of what?

A guarantee that the State can exercise greater control over the management of these technologies and the uses made of them. This seems to me an important element to reflect on. To what extent can an espionage or counter-espionage agency carry out its tasks by relying on a foreign resource over which it does not exercise full control? I think every State is considering the issue, and that this dynamic could bring about a nationalization of these technologies. This tells us a couple of things. First, that digital conflicts are only just beginning. Second, that a State truly willing to protect its citizens should never exploit technologies that leave the population vulnerable to 0day attacks. Cameron's statement some months ago, that it was unacceptable for WhatsApp communications to be unreadable by the British services, was going in that direction.