In Cyberwar, Software Flaws Are A Hot Commodity

Feb 12, 2013
Originally published on February 12, 2013 8:50 am

There have been security flaws in software as long as there has been software, but they have become even more critically important in the context of cyberweapons development.

In the past, security researchers who stumbled on a software flaw would typically report the flaw to the manufacturer of the software, so it could be fixed. That changed, however, when cyberweapon designers started looking at these flaws as vulnerabilities that could serve as a back door into a computer network. Most prized of all were "zero day vulnerabilities" — flaws whose existence was previously unknown.

Richard Bejtlich was a cyber specialist for the U.S. Air Force in the 1990s, a time when the U.S. military was going on the offense in the cyberwar. He remembers the day he realized how important a software vulnerability can be to a cyberweapons designer.

"Myself and a couple other guys, we found a zero day vulnerability in Cisco routing equipment," Bejtlich recalls. "And we looked at it, and we said, 'Did we really find this? Can we really get into these Cisco routers?' "

They could, and so Bejtlich and his colleagues reported it to Cisco. The company thanked him and said it would be fixed. Days later, he was talking to some friends who worked on the offensive side of the unit, and they had quite a different reaction to the bug having been reported to Cisco.

"They said, 'You did what? Why didn't you tell us? We could have used this to get into all these various hard targets,' " he says.

To Bejtlich, a software flaw was simply a mistake to be corrected. To a cyberweapons designer, however, it was a potential back door into the computer network he wanted to attack.

"We actually had a standing order after that," Bejtlich says, "that said, if you find something, you don't tell the vendor, you tell the offensive side, and they'll decide what to do about it."

Potential Dangers

A potential loser here, at least in the short run, is the consumer who may be stuck with a flawed piece of software because the government doesn't want anyone to know about the flaw, seeing it as something that could be exploited for the deployment of a cyberweapon.

ACLU technologist Christopher Soghoian, who is something of a privacy activist, says this is something people should know about.

"I don't think your average small business, medium-sized business or Fortune 500 company realizes what's going on here," Soghoian says. "I don't think they realize that their government knows about flaws that could be fixed, and is sitting on them and exploiting them against other people rather than having them fixed."

A good example would be the Stuxnet worm, used by the U.S. and Israel to attack computers controlling nuclear operations in Iran. The designers of Stuxnet took advantage of a software bug in the Microsoft Windows operating system, without alerting Microsoft to the flaw.

The demand for software vulnerabilities has grown to such an extent that the researchers who discover them no longer need to settle for a software vendor sending them a thank-you note, or even a small cash reward. In the context of escalating interest in cyberwar, there is now a growing global demand for the software vulnerabilities — the back doors — that allow an attacker to get inside his enemy's computer network.

"For every researcher who's doing the right thing [by alerting the vendor] and getting the modest gift," Soghoian says, "there are plenty of researchers who are selling these things for what they deem to be the true market value.

"And the true market value is whatever governments and their middlemen are willing to pay."

'It's Just Business'

Former Airman Bejtlich, now the chief security officer at Mandiant, a cybersecurity firm, is not in the business of selling vulnerabilities to the highest bidder, but he knows other cyber people who are.

"There seems to have been an explosion of interest in the last maybe two years," Bejtlich says, "where the hot thing to do is to found a company with five of your buddies who are all really good at finding vulnerabilities and just start making money."

Given that this interest is spurred by the development of secret cyberweapons research, the vulnerability market by necessity operates mostly in the shadows. When the vulnerability traders make a public appearance, it's usually at a conference where hackers and other cyber researchers gather to discuss their latest work.

A vulnerability seller named Donato Ferrante showed up recently at the "Suits and Spooks" conference in Arlington, Va. In an interview with NPR, Ferrante said he advertises his vulnerabilities through an email list. His clients see what vulnerabilities he has found in which products, but Donato gives only the barest of information about the flaws.

"If the customer wants [to] use the vulnerability, the customer needs to buy the vulnerability," Ferrante said. "This is just a sort of portfolio; then the customer needs to buy the details."

Ferrante's company, ReVuln, is the seller. For them, "it's business," he says.

An Unregulated Market

In the U.S., the National Security Agency and other branches of the U.S. military, law enforcement and intelligence agencies are among the biggest buyers of vulnerabilities. But there are other buyers, including any party with an interest in being able to penetrate an adversary's computer network.

Besides the U.S., other governments are also developing cyberweapons. Some private companies may have an interest in penetrating a rival company's network. For that matter, criminal organizations might be interested in purchasing vulnerabilities, or even groups plotting a cyberterrorist attack.

Not surprisingly, vulnerability sellers don't want to say much about their business. Asked where he is based, Ferrante simply says, "Europe," though in a subsequent email he clarifies that he operates out of Malta. He is not eager to describe the world in which he works.

"I don't see bad guys or good guys," Ferrante says. "It's just business."

After all, Ferrante says, ReVuln is only selling information. "The way the information is used is up to the customer; it's not up to us."

There is no regulation of the vulnerability market in the U.S. There is a law prohibiting the export of software that provides penetration capabilities that would enable the users to attack, deny, disrupt or otherwise impair the use of computer infrastructure or networks. But there is no mandatory reporting of vulnerability sales.

If the sellers are not aware of the use to which their vulnerabilities will be put, they may not be prosecutable.

"I am shocked that this has not been regulated," Bejtlich says. "It would be so easy for a legislator to say, 'We're going to do arms control. We're going to keep this out of the hands of the bad guys. You're going to need a license to have these tools.'

"Who's going to stand up and say, 'No, you have to have cyberweapons!' I mean, if you wanted to look for an easy way to have legislators appear to be doing something, this would be it," he says.

The vulnerability trade is just one of many examples indicating that developments in cyberwarfare, and the development of cyberweaponry, are proceeding so quickly that the thinking about how to manage this new domain of warfare is not keeping pace.

Copyright 2013 NPR. To see more, visit http://www.npr.org/.