I understand Nadim's points; there's a lot of subjective, biased "popular 
judgement".

While from a security standpoint "better safe than sorry" is a good 
statement, from a rights and fairness perspective it's a very bad one.

So further conversation is needed.

Following the DarkMatter removal, I would love to bring to Mozilla's attention 
the removal of a list of companies whose main business is something else, 
but for which there is "public credible evidence" that they also do some kind of 
offensive security that goes "against people's safety" (as defined by Mozilla's 
principles).

I've analysed the intermediate CA list in which DarkMatter appears, here: 
https://ccadb-public.secure.force.com/mozilla/PublicAllIntermediateCerts

In this list it is possible to find the following companies operating against 
"people's safety", and there is "credible evidence" that they are doing so:


* Saudi Telecom Company

This company is publicly known to ask to surveil and intercept people, as per 
the "credible evidence" at:
https://moxie.org/blog/saudi-surveillance/
https://citizenlab.ca/2014/06/backdoor-hacking-teams-tradecraft-android-implant/


* German Rohde & Schwarz

This company produces, installs and supports surveillance systems for 
intelligence agencies in regimes such as Turkmenistan:
https://www.rferl.org/a/german-tech-firm-s-turkmen-ties-trigger-surveillance-concerns/29759911.html

They sell solutions to intelligence agencies such as IMSI catchers and massive 
internet surveillance tools:
https://www.rohde-schwarz.com/en/solutions/aerospace-defense-security/overview/aerospace-defense-overview_229832.html


* US "Computer Sciences Corporation"

CSC is a US intelligence and defense contractor that does CNE (Computer 
Network Exploitation), as the WikiLeaks ICWatch shows. 
Read the profile of a former employee of CSC, doing CNE like Snowden was doing:

https://icwatch.wikileaks.org/docs/rLynnette-Jackson932c7871cb1e83f3%3Fsp=0ComputerSciencesCorporationCyberSecurityAnalystSystemsEngineerRemoteSystemAdministrator2008-09-01icwatch_indeed

Additionally, on their Wikipedia page they acknowledge working for US intel:

https://en.wikipedia.org/wiki/Computer_Sciences_Corporation

CSC provided services to the United States Department of Defense,[23] law 
enforcement and intelligence agencies (FBI,[24] CIA, Homeland Security[23]), 
aeronautics and aerospace agencies (NASA). In 2012, U.S. federal contracts 
accounted for 36% of CSC total revenue.[25]


* Australia's Attorney-General's Department

The Australian Attorney-General's Department is a government agency that 
wants to permit the Australian Security Intelligence Organisation (ASIO) to 
hack IT systems belonging to non-involved, non-targeted parties.

It operates against people's safety, and there is credible evidence of its 
behaviour in supporting ASIO to hack people, so they are very likely to abuse 
their intermediate CA:
http://www.h-online.com/security/news/item/Australian-secret-services-to-get-licence-to-hack-1784139.html


* US "National Geospatial-Intelligence Agency" https://www.nga.mil

The NGA is a US military intelligence agency, equivalent to the NSA, but operating 
on space GEOINT and SIGINT, serving US intelligence and defense agencies.

NGA is the space partner of the NSA:

https://www.nsa.gov/news-features/press-room/Article/1635467/joint-document-highlights-nga-and-nsa-collaboration/

I think that no one would object to shutting down an NSA-operated intermediate CA; I 
am wondering if Mozilla would consider this removal.


That said, given the approach that has been followed with DarkMatter regarding the 
"credible evidence" and "people's safety" principles, I would strongly argue that 
Mozilla should take action against the subjects documented above.

I will open a thread on this newsgroup for each of those companies to understand 
what the due process is and how it will compare to this one.

Fabio Pietrosanti (naif)

On Friday, 22 March 2019 at 17:49:17 UTC+1, Nadim Kobeissi wrote:
> What a strange situation.
> 
> On the one hand, denying DarkMatter's CA bid because of these press
> articles would set the precedent of refusing to accept the engagement and
> apparent good faith of a member of the industry, based only on hearsay and
> with no evidence.
> 
> On the other hand, deciding to move forward with a good-faith, transparent
> and evidence-based approach actually risks creating a long-term undermining
> of public confidence in the CA inclusion process.
> 
> It really seems to me that both decisions would cause damage to the CA
> inclusion process. The former would make it seem discriminatory (and to
> some even somewhat xenophobic, although I don't necessarily agree with
> that) while the latter would cast a serious cloud of uncertainty above the
> safety of the CA root store in general that I have no idea how anyone could
> or will eventually dispel.
> 
> As a third party observer I genuinely don't know what could be considered a
> good move by Mozilla at this point. I want Mozilla to both offer good faith
> and a transparent process to anyone who promises to respect its mission,
> but I also want it to maintain the credibility and trust that it has built
> for its CA store. For it to seem impossible for Mozilla to do both at the
> same time seems deeply unfortunate and a seriously problematic setting for
> the future of this process overall.
> 
> I really wish that solid evidence of the claims being made against
> DarkMatter is published (if it exists). That would be a great way for
> Mozilla to make a unilaterally defensible position.
> 
> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
> Sent from Galaxy
> 
> On Fri, Mar 22, 2019, 4:19 PM Benjamin Gabriel <
> benjamin.gabr...@darkmatter.ae> wrote:
> 
> >
> >
> > Benjamin Gabriel | General Counsel & SVP Legal
> > Tel: +971 2 417 1417 | Mob: +971 55 260 7410
> > benjamin.gabr...@darkmatter.ae
> >
> > The information transmitted, including attachments, is intended only for
> > the person(s) or entity to which it is addressed and may contain
> > confidential and/or privileged material. Any review, retransmission,
> > dissemination or other use of, or taking of any action in reliance upon
> > this information by persons or entities other than the intended recipient
> > is prohibited. If you received this in error, please contact the sender and
> > destroy any copies of this information.
> >
> > On 2/24/19 11:08 AM, Nex wrote:
> >
> > > The New York Times just published another investigative report that
> > mentions
> > > DarkMatter at length, with additional testimonies going on the
> > > record:
> >
> > Dear Nex,
> >
> > The New York Times article that you reference does not add anything new to
> > the misleading allegations previously published in the Reuters article.  It
> > simply repeats ad nauseam a false, and categorically denied, narrative
> > about DarkMatter, under the guise of an investigative reporting on the
> > alleged surveillance practices of governmental authorities of foreign
> > countries.
> >
> > DarkMatter is strictly a commercial company which exists to provide
> > cyber-security and digital transformation services to our customers in the
> > United Arab Emirates, and the larger GCC and MENA regions.
> >
> > We have already noted that these misleading allegations about DarkMatter
> > were originally planted by defamatory and false sources - in two (2)
> > articles published on the internet - and are now repeatedly recycled by
> > irresponsible journalists looking for a sensationalist angle on
> > socio-political regional issues.  And we have consistently, and
> > categorically, denied and refuted all of the allegations about DarkMatter,
> > including on this forum. [1][2]
> >
> > The fact that New York Times has chosen to recycle these refuted false
> > narratives about DarkMatter, without reaching out to inquire on the real
> > DarkMatter story, is unfortunate.  At times like this - it is important to
> > note that not all news reporting is based on factual or true events, and is
> > sometimes based on undisclosed bias or in some instances on outright
> > fraudulent reporting.[3][4][5][6][7][8]
> >
> > We continue to push for responsible journalism that is based on truth and
> > verifiable facts.
> >
> > Regards,
> > Benjamin Gabriel
> > General Counsel, DarkMatter Group
> >
> > [1]
> > https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/QAj8vTobCAAJ
> > [2]
> > https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/VZf8xR-hAgAJ
> > [3] https://theintercept.com/2016/02/02/a-note-to-readers/
> > [4]
> > https://www.nytimes.com/2016/02/03/business/media/the-intercept-says-reporter-falsified-quotations.html
> > [5]
> > https://www.theguardian.com/media/2016/feb/02/the-intercept-fires-reporter-juan-thompson
> > [6]
> > https://www.nytimes.com/2013/05/05/public-editor/repairing-the-credibility-cracks-after-jayson-blair.html
> > [7]
> > https://www.nytimes.com/2003/05/11/us/correcting-the-record-times-reporter-who-resigned-leaves-long-trail-of-deception.html
> > [8] https://en.wikipedia.org/wiki/The_New_York_Times_controversies

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
