NSA contracted with notorious French spy-tech company VUPEN

Michael from Muckrock sez, ""Documents requested by MuckRock from the National Security Agency show it had a contract with the French security researcher VUPEN whose founder and CEO Chaouki Bekrar puckishly touts himself as the 'Darth Vader of Cybersecurity.' While the NSA redacted the price of the subscription, VUPEN is apparently hoping the year-long contract is a sign of things to come: It recently tweeted it was setting up shop in Maryland."

VUPEN are also the war criminals who flog zero-day exploits to repressive governments with terrible human-rights records to help them spy on dissidents.

Naturally, it was a no-bid contract.

NSA's contract with VUPEN, 'Darth Vader of Cybersecurity' (Thanks, Michael!)

Notable Replies

  1. Looks like they flogged their zero-day exploits to one more repressive government.

  2. I agree selling exploits makes you scum -- as does contracting with someone who sells them -- but that's one big step short of "war criminal", which I think has something to do with conduct in a war.

  3. We will need potent systems of disclosure to recover from the tremendous damage done to the US and the Internet by the NSA. Many of the actions of the NSA have rendered our existing systems of disclosure impotent. Both whistle-blowing and it's near kin vulnerability disclosure have been severely damaged.

    Once, a security researcher could publish information on a vulnerability with relative impunity. Now, every publication comes with a substantial risk of jail. The NSA has worked hard to create and sustain vulnerability on the internet. They consider exploit to be their fundamental right and duty. I have no proof that the NSA tampering has extended to pushing for the prosecution of Independent security researchers. But, the current attitudes toward vulnerability publication are dang convenient for the NSA. Just as the current attitudes toward whistle blowing have supported their unbridled excess.

    So, it is dang strange to see the NSA supporting the VULPEN group. They should be natural enemies. I would expect the NSA to do all in their power to destroy VULPEN. The revelation that the NSA provides material support for VULPEN indicates that the NSA approves of the widespread creation and hoarding of exploit. Could it be that the NSA's real objective is to destroy the internet? Could it be that they don't care who does it, as long as the Internet is destroyed?

  4. Hello,

    Regardless of what you think about VUPEN and companies like them, I am unsure of why anyone is surprised VUPEN sold a subscription to a US federal government agency. It is not hard to believe they would have contracts with similar agencies in other NATO countries, and possibly some of the ASEAN and OAS nations as well. After all, I don't think their typical client is the Boy Scouts.

    Regards,

    Aryeh Goretsky

  5. For what its worth, lots of us in the security community were never really all that enthusiastic about the cult of full disclosure to begin with. As they say, there's no honor amongst thieves. Not that all who found/disclosed software vulnerabilities were bad actors but there certainly have been plenty all along.

    Associating vulnerability disclosure with whistle blowing is nonsense. Software vulnerabilities are not automatic signs of wrong doing or illegal/unethical actions on the parts of those who create and publish software.

Continue the discussion bbs.boingboing.net

11 more replies

Participants