http://www.thoughtcrime.org/blog/saudi-surveillance/
Last week I [Moxie Marlinspike] was contacted by an agent of Mobily, one
of two telecoms operating in Saudi Arabia, about a surveillance project
that they’re working on in that country. Having published two reasonably
popular MITM tools, it’s not uncommon for me to get emails requesting
that I help people with their interception projects. I typically don’t
respond, but this one (an email titled “Solution for monitoring
encrypted data on telecom”) caught my eye.
I was interested to know more about what they were up to, so I wrote
back and asked. After a week of correspondence, I learned that they are
organizing a program to intercept mobile application data, with specific
interest in monitoring:
Mobile Twitter
Viber
Line
WhatsApp
I was told that the project is being managed by Yasser D. Alruhaily,
Executive Manager of the Network & Information Security Department at
Mobily. The project’s requirements come from “the regulator” (which I
assume means the government of Saudi Arabia). The requirements are the
ability to both monitor and block mobile data communication, and
apparently they already have blocking setup. Here’s a sample snippet
from one email:
From: Yasser Alruhaily <…….. .. [email protected]>
Date: Thursday, May 2, 2013 1:04 PM
Subject: Re: As discussed last day .further discussion
we are working in defining a way to deal with all such requirements
from regulator and it is not only for Whatsapp, it is for whatsapp,
line, viber, twitter etc..
So, what we need your support in is the following:
is there any technical way that allow for interception these
traffic?
Is there any company or vendor could help us on this regard?
is there any telecom company they implement any solution or
workaround?
One of the design documents that they volunteered specifically called
out compelling a CA in the jurisdiction of the UAE or Saudi Arabia to
produce SSL certificates that they could use for interception. A
considerable portion of the document was also dedicated to a discussion
of purchasing SSL vulnerabilities or other exploits as possibilities.
Their level of sophistication didn’t strike me as particularly
impressive, and their existing design document was pretty confused in a
number of places, but Mobily is a company with over 5 billion in
revenue, so I’m sure that they’ll eventually figure something out.
What’s depressing is that I could have easily helped them intercept
basically all of the traffic they were interested in (except for Twitter
– I helped write that TLS code, and I think we did it well). They later
told me they’d already gotten a WhatsApp interception prototype working,
and were surprised by how easy it was. The bar for most of these apps is
pretty low.
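The design document's idea of compelling a CA is worth seeing in code, because it shows why the bar is "pretty low" for an app that only asks the system trust store whether a certificate chains to some trusted root. The following is an added example written for this page, not code from the original post, from Twitter, or from any of the apps named above. It assumes a hypothetical host name (api.example.test) and two made-up root CAs; the "compelled" CA is modelled simply as a second root the client already trusts, which is exactly the position a CA in the interceptor's jurisdiction is in. A certificate from that CA passes ordinary chain validation, and only a client that additionally pins the expected public key (SPKI hash) rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical server name; every name below is an assumption of this example.
const host = "api.example.test"

// issue mints a P-256 certificate from tmpl, signed by parent/parentKey,
// or self-signed when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo: what an app ships as its pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// trustStoreAccepts is the stock check: is there a valid chain to ANY trusted root?
func trustStoreAccepts(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// pinnedAccepts keeps the chain check and additionally requires the leaf's key to match
// the pin, so a valid chain from a different (compelled) CA is not enough.
func pinnedAccepts(leaf *x509.Certificate, roots *x509.CertPool, pin string) bool {
	return trustStoreAccepts(leaf, roots) && spkiPin(leaf) == pin
}

// Outcome records both checks against the genuine and the compelled leaf.
type Outcome struct{ GenuineTrusted, CompelledTrusted, GenuinePinned, CompelledPinned bool }

func runScenario() Outcome {
	genuineCA, genuineCAKey := issue(caTemplate("Genuine Root CA", 1), nil, nil)
	genuineLeaf, _ := issue(leafTemplate(2), genuineCA, genuineCAKey)
	// A second root the client also trusts, standing in for a CA compelled to
	// issue a certificate for a host it has no relationship with.
	compelledCA, compelledCAKey := issue(caTemplate("Compelled Root CA", 3), nil, nil)
	compelledLeaf, _ := issue(leafTemplate(4), compelledCA, compelledCAKey)

	roots := x509.NewCertPool()
	roots.AddCert(genuineCA)
	roots.AddCert(compelledCA)
	pin := spkiPin(genuineLeaf) // the pin the app would have been built with

	return Outcome{
		GenuineTrusted:   trustStoreAccepts(genuineLeaf, roots),
		CompelledTrusted: trustStoreAccepts(compelledLeaf, roots),
		GenuinePinned:    pinnedAccepts(genuineLeaf, roots, pin),
		CompelledPinned:  pinnedAccepts(compelledLeaf, roots, pin),
	}
}

func main() {
	o := runScenario()
	fmt.Printf("trust store: genuine=%v compelled=%v\n", o.GenuineTrusted, o.CompelledTrusted)
	fmt.Printf("pinned:      genuine=%v compelled=%v\n", o.GenuinePinned, o.CompelledPinned)
}
```

Running it prints that the trust-store check accepts both leaves while the pinned check accepts only the genuine one. The caveat a practitioner should keep in mind: a pin only moves the problem from "any trusted CA" to "the key the app was built with", so the app needs a sane rotation plan (backup pins or a pinned intermediate) or a routine key change locks out every client; it also does nothing against an interceptor who can modify the app itself, which is why the purchased-exploit route appears alongside the CA route in the design document above.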
In The Name Of Terror
When they eventually asked me for a price quote, and I indicated that I
wasn’t interested in the job for privacy reasons, they responded with this:
I know that already and I have same thoughts like you freedom and
respecting privacy, actually Saudi has a big terrorist problem and they
are misusing these services for spreading terrorism and contacting and
spreading their cause that’s why I took this and I seek your help. If
you are not interested than maybe you are on indirectly helping those
who curb the freedom with their brutal activities.
So privacy is cool, but the Saudi government just wants to monitor
people’s tweets because… terrorism. The terror of the re-tweet.
But the real zinger is that, by not helping, I might also be a
terrorist. Or an indirect terrorist, or something.
While this email is obviously absurd, it’s the same general logic that
we will be confronted with over and over again: choose your team. Which
would you prefer? Bombs or exploits. Terrorism or security. Us or them.
As transparent as this logic might be, sometimes it doesn’t take much
when confirming to oneself that the profitable choice is also the right
choice.
If I absolutely have to frame my choices as an either-or, I’ll choose
power vs. people.
Culture Over Time
I know that, even though I never signed a confidentiality agreement, and
even though I simply asked questions without signaling that I wanted to
participate, it’s still somewhat rude of me to publish details of
correspondence with someone else.
I’m being rude by publishing this correspondence with Mobily, not only
because it’s substantially more rude of them to be engaged in
massive-scale eavesdropping of private communication, but because I
think it’s part of a narrative that we need to consider. What Mobily is
up to is what’s currently happening everywhere, and we can’t ignore that.
Over the past year there has been an ongoing debate in the security
community about exploit sales. For the most part, the conversation has
focused on legality and whether exploit sales should be regulated.
I think the more interesting question is about culture: what do we in
the hacker community value and prioritize, and what is the type of
behavior that we want to encourage?
Let’s take stock. One could make the case that the cultural origins of
exploit sales are longstanding. Since at least the '90s, there has been
an underlying narrative within the hacker community of not “blowing up”
or “killing” bugs. A tension against that discipline began with the
transition from a “hacker community” to a “security industry,” and the
unease created by that tension peaked in the early 2000s, manifested
most clearly by the infamous AntiSec movement.
Fundamentally, AntiSec tried to reposition the “White Hat” vs “Black
Hat” debate by suggesting that there are no “White Hats,” only “Green
Hats” – the color of money.
As someone who also regretted what money had done to the hacker
community, I was largely sympathetic with AntiSec. If I’m really honest
with myself, though, my interest in the preservation of 0day was also
because there was something fun about an insecure internet at the time,
particularly since that insecurity predominantly tended to be leveraged
by a class of people that I generally liked against a class of people
that I generally disliked.
In short, there was something about not publishing 0day that signaled
affiliation with the “hacker community” rather than the “security industry.”
The Situation Today
In many ways, it’s possible that we’re still largely operating based on
those original dynamics. Somewhere between then and now, however, there
was an inflection point. It’s hard to say exactly when it happened, but
these days, the insecurity of the internet is now more predominantly
leveraged by people that I dislike against people that I like. More
often than not, that’s by governments against people.
Simultaneously, the tension between “0day” vs “publish” has largely
transformed into “sell secretly” vs “publish.” In a sense, the AntiSec
narrative has undergone a full inversion: this time, there are no “Black
Hats” anymore, only “Green Hats” – the color of money.
There are still outliers, such as Anonymous (to the extent that it’s
possible to be sympathetic with an unguided missile), but what’s most
significant about their contribution is that they’re not using 0day at all.
Forgetting the question of legality, I hope that we can collectively
look at this changing dynamic and perhaps re-evaluate what we culturally
reward. I’d much rather think about the question of exploit sales in
terms of who we welcome to our conferences, who we choose to associate
with, and who we choose to exclude, than in terms of legal regulations.
I think the contextual shift we’ve seen over the past few years requires
that we think critically about what’s still cool and what’s not.
Maybe this is an unpopular opinion and the bulk of the community is
totally fine with how things have gone (after all, it is profitable).
There are even explicitly patriotic hackers who suggest that their
exploit sales are necessary for the good of the nation, seeing
themselves as protagonists in a global struggle for the defense of
freedom, but having nothing to do with these ugly situations in Saudi
Arabia. Once exploits are sold to US defense contractors, however, it’s
very possible they could end up delivered directly to the Saudis (eg,
eg, eg), where it would take some even more substantial handwaving to
think that they’ll serve in some liberatory way.
For me at least, these changes have likely influenced what I choose to
publish rather than hold, and have probably caused me to spend more time
attempting to develop solutions for secure communication than the type
of work I was doing before.
It’s Happening
Really, it’s no shock that Saudi Arabia is working on this, but it is
interesting to get fairly direct evidence that it’s happening. More to
the point, if you’re in Saudi Arabia (or really anywhere), it might be
prudent to think about avoiding insecure communication tools like
WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate
secure replacements), because now we know for sure that they’re watching.
For the rest of us, I hope we can talk about what we can do to stop
those who are determined to make this a reality, as well as the ways
that we’re already inadvertently a part of that reality’s making.
# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mx.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: [email protected]