Teenage Hacker ‘Cosmo the God’ Sentenced by California Court

Cosmo the God in a park near his Long Beach home. Photo: Sandra Garcia/Wired

The 15-year-old UG Nazi hacker known as Cosmo* or Cosmo the God was sentenced in juvenile court on Wednesday in Long Beach, California. According to Cosmo, he pleaded guilty to multiple felonies in exchange for probation, a deal encompassing all the charges brought against him, which included credit card fraud, identity theft, bomb threats, and online impersonation.

Over the course of 2012, Cosmo and his group UG Nazi took part in many of the highest-profile hacking incidents of the year. UG Nazi, which began as a politicized group that opposed SOPA, took down a bevy of websites this year, including those of NASDAQ, CIA.gov, and UFC.com. It redirected 4Chan’s DNS to point to its own Twitter feed. Cosmo pioneered social engineering techniques that allowed him to gain access to user accounts at Amazon, PayPal, and a slew of other companies. He was arrested in June as part of a multistate FBI sting.

Portrait of a Full-Time Bug Hunter — Abdul-Aziz Hariri

Photo: Abdul-Aziz Hariri

It might seem to some that $500 or even $3,000 is a paltry sum to earn for spending days looking for a security hole in software. Even $20,000 for a bug is chump change if you have a genius zero-day on your hands that could sell on the exploit black market for four times that amount.

But, as security researcher Charlie Miller points out, it all depends on where you’re standing. A $1,000 bounty for a researcher in New York won’t go as far as the same amount paid to a researcher in India or even in Indiana. But for some, bug hunting can actually bring in a good wage.

Abdul-Aziz Hariri earned more than enough to live on doing freelance bug hunting, during a period when he couldn’t find a job.

Hariri, a 27-year-old Lebanese-Canadian, began submitting bugs full-time after he emigrated from Lebanon to Canada in January 2010 and couldn’t find work. He did it full-time for a year and a half until he found a corporate job doing malware analysis.

Hariri, who has a computer science degree from the University of Balamand in Lebanon, worked eight to 10 hours a day and submitted about 140 bug reports to HP TippingPoint’s Zero Day Initiative bug bounty program during that period. He says he often worked a few days at a time, finding an average of two to three bugs, then would take a break and rest a couple of days.

“You already know you’re getting like $5,000 [for those bugs], so you can just take a break,” he says. He earned more than $50,000 the first year, raking in about $2,000-$2,500 per bug report, and only stopped in 2011 after he found his current job.

After he hit the $50,000 mark, he qualified for ZDI’s Platinum reward, which earned him a $20,000 bonus, plus a free trip to Las Vegas to attend the Black Hat and DefCon hacker conferences, as well as free enrollment in a training class at Black Hat. Hariri turned down the trip because he had his full-time job by then, so ZDI gave him the money that would have paid for his trip and class instead, which came out to another $8,000 on top of his bonus.

He sold vulnerabilities both to ZDI and to a bounty program run by the security firm iDefense, focusing on bugs in server-side applications rather than client-side bugs. These weren’t the most lucrative category of bugs, but he says he focused on them because they were easier to find and he needed a steady and quick income.

By his own admission, the initial bug reports he submitted to ZDI were “pretty bad.”

“I sent them proof-of-concept without in-depth analysis [of the vulnerability],” he says. His 18th report was so disorganized and incomplete, even he didn’t fully understand the nature of the bug he was reporting.

So Aaron Portnoy, head of the ZDI program at the time, who recently launched an independent bounty-paying company called Exodus Intelligence, sent him back an in-depth and lengthy analysis of the bug.

“He didn’t know what he was doing,” Portnoy says. “So I spent the weekend and reversed all of what his bug was, got it to trigger with one packet, and reversed exactly what it was.” He then sent Hariri his analysis with a note saying, “Here’s what your bug is, here’s how I debugged it, here’s how I reversed it. Try to give us better information next time.”

Hariri says he learned a lot from the analysis and began submitting better reports. When Portnoy and a colleague later offered a bug-hunting class at a conference in Montreal, Hariri signed up for it.

Hariri says his experience freelance bug hunting gave him great training for his current job as a malware analyst.

“It improved my technical skills,” he says. “They gave me a lot of tips on reverse-engineering and how to debug stuff. It has definitely made [my job] a lot easier.”

With Millions Paid in Hacker Bug Bounties, Is the Internet Any Safer?

Security researcher “Pinkie Pie” demonstrated the exploit he developed for attacking Google’s Chrome browser earlier this year. Photo: Kim Zetter/Wired

The night before the end of Google’s Pwnium contest at the CanSecWest security conference this year in Vancouver, a tall teen dressed in khaki shorts, tube socks and sneakers was hunkered down on a hallway bench at the Sheraton hotel hacking away at his laptop.

With a $60,000 cash prize on the line, the teen, who goes by the hacker handle “Pinkie Pie,” was working hard to get his exploit for the Chrome browser stabilized before the close of the competition.

The only other contestant, a Russian university student named Sergey Glazunov, had already made off with one $60,000 prize for a zero-day exploit that attacked 10 different bugs.

Finally, with just hours to go before the end of the three-day competition, Pinkie Pie achieved his goal and dropped his exploit, a beauty of a hack that ripped through six zero-day vulnerabilities in Chrome and slipped out of the browser’s security sandbox.

Google called both hacks “works of art,” and within 24 hours of receiving each submission, had patched all of the bugs that they exploited. Within days, the company had also added new defensive measures to Chrome to ward off future similar attacks.

Google’s Pwnium contest is a new addition to its year-round bug bounty programs, launched in 2010, that are aimed at encouraging independent security researchers to find and report security vulnerabilities in Google’s Chrome browser and web properties, and to get paid for doing so.

Vendor bounty programs like Google’s have been around since 2004, when the Mozilla Foundation launched the first modern pay-for-bugs plan for its Firefox browser. (Netscape tried a bounty program in 1995, but the idea didn’t spread at that time.) In addition to Google and Mozilla, Facebook and PayPal have also launched bug bounty programs, and even the crafts site Etsy got into the game recently with a program that pays not only for new bugs, but also retroactively for previously reported bugs, to thank researchers who contributed to the site’s security before the bounty program began.

The Mozilla Foundation has paid out more than $750,000 since launching its bounty program; Google has paid out more than $1.2 million.

But some of the biggest vendors, who might be expected to have bounty programs, don’t. Microsoft, Adobe and Apple are just three software makers who have been criticized for not paying independent researchers for bugs they have found, even though the companies benefit greatly from the free work done by those who uncover and disclose security vulnerabilities.

Microsoft says its new BlueHat security program, which pays $50,000 and $250,000 to security pros who can devise defensive measures for specific kinds of attacks, is better than paying for bugs.

“I don’t think that filing and rewarding point issues is a long-term strategy to protect customers,” Microsoft security chief Mike Reavey said recently.

All of which raises the question: Eight years down the line, have bug bounty programs made browsers and web services more secure? And is there any way to really test that proposition?

Security Science

There’s no scientific method for determining if software is more secure than it used to be. And there’s no way to know how much a bounty program has improved the security of a particular software program, as opposed to other measures undertaken by software makers. Security isn’t just about patching bugs; it’s also about adding defensive measures — such as browser sandboxes — to mitigate entire classes of bugs. The combination of these two makes software more secure.

But everyone interviewed for this story says the anecdotal evidence strongly supports the conclusion that bounty programs have indeed improved the security of software. And more than this, the programs have yielded other security benefits that go far beyond the individual bugs they’ve helped fix.

In the most obvious sense, bounty programs make software more secure simply by the fact that they reduce the number of security holes hackers can attack.

“There’s a finite number of bugs in these products, so every time you can knock out a bunch of them, you’re in a better place,” says top security researcher Charlie Miller, who’s responsible for finding a number of high-profile vulnerabilities in Apple’s iPhone and other products.

But one of the biggest indications that bounty programs have improved security is the decreasing number of bug reports that come in, according to Google.

“It’s a hard measurement to take, but we’re seeing a fairly sustained drop-off in the number of incoming reports we’re receiving for the Chromium program,” says Chris Evans, information security engineer at Google who leads the company’s Chromium vulnerability rewards program as well as its new Pwnium contest, launched this year.

Google has its own internal fuzzing program to uncover security vulnerabilities, and the rate at which that team is finding bugs has dropped, too, Evans says. Google recently asked some of its best outside bug hunters why bug reports had declined and was told it was just “harder to find” vulnerabilities these days. Harder-to-find bugs for researchers also means harder-to-find bugs for hackers.

Bounty programs also improve security by encouraging researchers to disclose bugs responsibly — that is, passing the information to vendors first, so that they can release a patch to customers before the information is publicly disclosed. And they help mend the fractious relationship that has long existed between researchers and vendors.

In 2009, Miller and fellow security researchers Alex Sotirov and Dino Dai Zovi launched a “No More Free Bugs” campaign to protest freeloading vendors who weren’t willing to pay for the valuable service bug hunters provided and to call attention to the fact that researchers often got punished by vendors for trying to do a good deed.

Farewell to Threat Level Editor Ryan Singel

Photo: Ariel Zambelich/Wired

Ryan Singel, the co-founder and editor of this blog, is leaving us Friday after 10 years writing for Wired.com. He’s moving on to focus on his start-up, Contextly, which among other things powers the nifty “Related Links” box at the bottom of every Wired.com story.

Ryan co-founded Threat Level in 2006 with Kevin Poulsen, the blog’s first editor. Originally known as 27bstroke6, this was Wired’s first news blog, and it continues tackling security, privacy, crime and intellectual property in the online world.

During his tenure as writer, and then editor, Threat Level received a gaggle of awards and recognitions, from Webby Awards to twice being named in Time Magazine’s Top 25 list of blogs.

Contextly, which Ryan founded more than a year ago, is a San Francisco startup providing websites and blogs with tools to help them show off their best content to readers, and increase page views and the number of views per reader. In addition to Wired, the company’s clients include Cult of Mac and Wall St. Cheat Sheet.

“It’s gotten to the point that there’s enough interest and there’s so many fun things we want to build out that, in order to do that, I have to dedicate myself full-time. There’s just not enough hours in the day,” he said.

Singel’s pooch “Little.” Photo: Peter McCollough/Wired

“Ryan is a true hybrid — a journalist who knows the scene, and knows how to code. He’s broken big stories and fought for consumers in sharp columns challenging the telecom industry. And he’s been a smart and tireless pioneer of digital reporting methods,” said Evan Hansen, Wired.com’s editor in chief.

“From his start at Wired, Ryan has embodied fully the promise and potential of online journalism,” said Poulsen, now Wired.com’s news editor. “He brought courage, curiosity, fairness, and a clear-eyed dedication to the truth to the job every day. And as an editor, he brought out the best in his writers.”

One of Ryan’s biggest scoops was in 2006, when he obtained and published documents that were sealed in San Francisco federal court that apparently showed that AT&T was funneling Americans’ electronic communications to the National Security Agency. Even today, those documents remain the focal point of the Electronic Frontier Foundation’s eavesdropping lawsuit against the government.

Ryan, who earned a bachelor’s degree in English from Vassar College in 1995 and a master’s in humanities from the University of Chicago in 1999, is best known among his colleagues for donning newsboy caps and complaining about the casual cruelty of the San Francisco motorists he had dodged on his bike ride to the office.

As one of the few editors who grasps the subject matter as much or more than the writers reporting to him, Ryan will be sorely missed here.

He said Threat Level was founded on the idea that it would be “a tool for journalism” and not a soap box.

“It wasn’t just a tool for mouthing off,” he said. “It values getting things right, quoting people and picking up the phone. I think that’s a big part of the success for the blogs at Wired generally.”