A newly released contract obtained by Freedom of Information Act clearinghouse Muckrock shows the NSA bought software exploits from a French computer security company called Vupen. Vupen is an active player in the market for information about vulnerabilities in software and the tools used to exploit them; its founder, Chaouki Bekrar, boasts on his Twitter profile that he is the "Darth Vader of Cybersecurity."
The private market for unpatched vulnerabilities, also known as "zero-days," freaks out a lot of privacy geeks. It's basically arms dealing for cyberwar: intelligence agencies, law enforcement, and who knows who else can buy the exploits to spy on people without them, or even the company that makes the software, realizing they're using flawed programs. In a profile of Vupen, Forbes' Andy Greenberg wrote: "In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret."
ACLU privacy expert Christopher Soghoian speculated that it's not that Vupen's hackers are better than the NSA's, but that the NSA just wanted to see what all of Vupen's other clients had access to.
Likely reasons for NSA subscription to VUPEN's 0day exploits: know what capabilities other govs can buy, and false flag, deniable cyber ops. — Christopher Soghoian (@csoghoian) September 16, 2013
There are times when US special forces use AK47s, even though they have superior guns available. Same for NSA's VUPEN purchase. Deniability. — Christopher Soghoian (@csoghoian) September 16, 2013