Re: DarkMatter Concerns

2019-07-16 Thread Nadim Kobeissi via dev-security-policy
I think it's interesting how one of the main technical arguments for
denying DarkMatter's root inclusion request -- the misissuance of
certificates with 63-bit identifiers instead of 64-bit identifiers, also
affected Google, Apple and Godaddy, and to a much greater extent:

https://www.thesslstore.com/blog/mass-revocation-millions-of-certificates-revoked-by-apple-google-godaddy/

Google, Apple and GoDaddy didn't face any repercussions due to this,
obviously. Although, to quote from the above article:

"The point, obviously, isn’t to vilify Google – just to, once again, point
out the subjectivity of a lot of these decisions."

I'm sure there's a lot that I'm still missing, but from my perspective I
think it's pretty appalling how Mozilla has sunk low enough for DarkMatter
to have a legitimate claim of bias and unfair practice, and I hope
DarkMatter get the fair treatment they deserve, actually.

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from my phone

On Tue, Jul 16, 2019, 10:38 PM Benjamin Gabriel <
benjamin.gabr...@darkmatter.ae> wrote:

> Message Body (6 of 6)  APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS
>
> 1) Violation of Anti-Trust Laws:
>
> The Module Owner’s discretionary decision, when taken into context with
> the comments of other Mozilla Peers employed by other Browsers and/or
> competing Certificate Authorities, are intended to result in the types of
> unfair competition that are prohibited under the United States Sherman Act,
> the United States Federal Trade Commission Act, the Canadian Competition
> Act, the European Union Anti-Trust Policies, and the United Arab Emirates
> Competition Laws.
>
> a) Notwithstanding the assertions of a decision “made on a collective
> assessment of all the information at hand”, the Module Owner, and Mozilla
> staff, have blatantly ignored, or failed to acknowledge and consider, the
> impact of anti-competitive comments made by Mr. Ryan Sleevi, a Google
> employee, with regard to the Applicants’ Root Inclusion request.
>
> > “I highlight this, because given the inherently global nature of the
> > Internet, there is no technical need to work with local CAs, and, with a
> > well-run root store, all CAs provide an equivalent level of protection and
> > security, which rests in the domain authorization." [1]
>
> The above statement is quite startling in that it is being made by a
> representative of a dominant market power as an argument against the
> inclusion of a new economic participant’s entry into the global CA market
> place. In light of the fact that this representative has tried to justify a
> technical non-compliance to support revocation of the Applicants’ Root
> Inclusion (note that a significantly higher number of users were at risk due
> to the same serial entropy violations of his own employer Google) [2], and
> considering that this representative was a key player in the demonstration
> of dominant Browser market power against a significant CA global business
> [3], the Applicants have a reasonable basis to believe that the distrust
> discussions are more likely to be motivated by economic considerations that
> preserve incumbent parties' market domination and monopolization.
>
> b) Additionally, the Module Owner, and Mozilla staff, have blatantly
> ignored, or failed to acknowledge and consider, the Applicants’ response to
> the Google Representative in their decision-making process. The General
> Counsel of DarkMatter asserted unambiguously in the public discussion as
> follows:
>
> “We are of the view that CA monopolies are inherently bad for the internet
> in that they unfairly exploit market power. The result is a fundamental
> right to Internet security and privacy being deliberately priced out of
> reach for a significant population of the world.  We ask you, what can be
> more of an anti-competitive monopoly than a "well run store" (read
> Google/Mozilla) that does not take into consideration that sovereign
> nations have the fundamental right to provide digital services to their own
> citizens, utilizing their own national root, without being held hostage by
> a provider situated in another nation.” [4]
>
> The above discussions are highly relevant to the decision-making process,
> considering that the Module Owner is aware of the significant economic
> investment the Applicants have made in progressing the Root inclusion
> requests over the past two years.  In fact, the Applicants have received
> further communications from other relevant Browser Stores indicating that
> their respective decision to permit the Applicants to participate in the
> global CA business ecosystem will be based and influenced by the Mozilla
> Module Owner’s highly subjective discretionary decision. The entire global
> internet traffic is controlled by four (4) Browser Root Stores (Mozilla,
> Microsoft, Google and Apple). As Reuters pointed out in its July 4 story,
> three (3) of those Browser Stores will likely adopt and enforce this
> 
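The message above refers to certificates issued with 63 bits of serial-number entropy where 64 are required (the Baseline Requirements call for at least 64 bits of CSPRNG output in the serial; RFC 5280 additionally requires a positive INTEGER of at most 20 octets). The Python below is an added editorial example and is not code from this thread, from any CA, or from any CA software product. The "flawed" generator is an illustrative construction of how a 63-bit serial comes about (draw 64 random bits, then clear the top bit so the DER INTEGER stays positive without a leading 0x00 octet); it is not a claim about how any specific CA's software was written. The sample-based width check is likewise an assumed heuristic for this example, not a root program's tool: it catches the cleared-top-bit class of defect but is a necessary condition only, since a fixed leading 1 bit over 63 random bits would pass it.

```python
import os
import secrets

# Restated requirements: BR 7.1 (>= 64 bits of CSPRNG output) and
# RFC 5280 4.1.2.2 (positive INTEGER, at most 20 octets).
MIN_ENTROPY_BITS = 64
MAX_SERIAL_OCTETS = 20


def sixty_three_bit_serial():
    """Illustrative flawed generator (assumption for this example).

    Draws 64 random bits, then clears bit 63 so the DER INTEGER is positive
    without a leading 0x00 octet. The cleared bit is no longer random, so
    only 63 bits of entropy remain.
    """
    return secrets.randbits(64) & ~(1 << 63)


def compliant_serial(nbytes=16):
    """Draw nbytes of CSPRNG output and clear only the top bit of the field.

    With 16 random octets this keeps 127 bits of entropy, is positive, and
    encodes in 16 octets, inside the 20-octet limit. Zero is rejected because
    a serial number must be strictly positive.
    """
    while True:
        raw = int.from_bytes(os.urandom(nbytes), "big")
        serial = raw & ~(1 << (8 * nbytes - 1))
        if serial > 0:
            return serial


def der_integer_content(n):
    """Minimal two's-complement content octets of a DER INTEGER, n >= 0.

    A leading 0x00 octet is added when the top bit of the first octet is set;
    avoiding that octet is what tempts a generator into clearing the bit.
    """
    if n < 0:
        raise ValueError("serial numbers must be positive")
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def serial_problems(n):
    """Checks that can be made from a single serial number in isolation."""
    problems = []
    if n <= 0:
        problems.append("serial must be a positive integer")
    elif len(der_integer_content(n)) > MAX_SERIAL_OCTETS:
        problems.append("serial exceeds 20 octets")
    return problems


def observed_random_width(serials):
    """Width in bits of the random field, estimated from a sample of serials.

    A generator with k free random bits sets bit k-1 in half of its output,
    so across N serials the highest set bit is k-1 with probability
    1 - 2**-N. Entropy cannot be judged from one certificate, but a few
    hundred serials from one issuer pin the width down with negligible error.
    """
    return max(s.bit_length() for s in serials)


def audit_issuer(serials, minimum=MIN_ENTROPY_BITS):
    """Summarise a sample of one issuer's serials against the requirements.

    observed_width_bits is a necessary condition only: a width below the
    minimum proves the generator cannot supply enough entropy, while a width
    at or above it does not prove that every bit is random.
    """
    width = observed_random_width(serials)
    return {
        "sample_size": len(serials),
        "observed_width_bits": width,
        "meets_64_bit_requirement": width >= minimum,
        "per_serial_problems": sum(len(serial_problems(s)) for s in serials),
    }


if __name__ == "__main__":
    # Constructed samples: 512 serials from each generator.
    weak = [sixty_three_bit_serial() for _ in range(512)]
    good = [compliant_serial() for _ in range(512)]
    print("flawed generator:", audit_issuer(weak))
    print("compliant generator:", audit_issuer(good))
```

In practice the sample would be the serials of an issuer's certificates pulled from Certificate Transparency logs; the same width estimate then shows whether the issuer's generator can even reach 64 bits. Note that the DER encoding step is where the 63-bit shortcut originates: a compliant generator accepts either the leading 0x00 octet or a wider random field rather than sacrificing a bit of entropy.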

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Ryan,

In outlining the two paths that I presented at the end of my previous
email, I made sure to illustrate the choice between them as one that comes
repeatedly -- a conscious choice that every time produces a small,
incremental improvement, often through a tiresome and onerous process.
Indeed I was trying to support slow, grinding iterations towards the better
-- and that's not at all something that sounds to me like sticking out for
only the perfect solution. And indeed I supported the subjective and
deliberative path as often necessary and wise when time is of the essence.
I find it very surprising that you seem to believe that I was arguing for
perfection -- quite the opposite, in fact.

I do still believe that when we fall back to relying on mainstream news
articles, with no obvious fallback in procedure, then it's reasonable for
people like me to chime in and wonder about a potential lack of rigor.
Every potential participant in this thread comes with their own
misconceptions and lack of information, and I'm no exception, but I still
find that my original source of concern holds. My impression at least is
that it's produced a worthwhile and valuable discussion for everyone (in no
small part thanks to your own time and effort). And of course, I don't mean
to admonish anyone here with the points of discussion that I've raised, and
I would certainly like to think that nobody feels admonished by anyone else
so far in this thread.

I am very glad that others are working slowly on the long term effort for
better policy. I think these issues are fundamental to the Internet's
safety and hope that I'll be able to help out more one day in whatever way
I can volunteer.

Thank you,

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from office


On Wed, Jul 10, 2019 at 9:59 PM Ryan Sleevi  wrote:

>
>
> On Wed, Jul 10, 2019 at 3:17 PM Nadim Kobeissi 
> wrote:
>
>> Many times in this discussion, we have all been offered a choice between
>> two paths. The first path would be to examine difficult problems and
>> shortcomings together and attempting to present incremental--often
>> onerous--improvements. The second path would be to just say that someone
>> should trust us based on years of subjective experience. In many, many
>> cases, the latter really is a wise thing to say and a correct thing to say
>> (and I truly mean this); it offers a path through which judicious decisions
>> are often made. Furthermore, it is often a necessary path to take when time
>> is of the essence. But it is seldom the rigorous path to take, seldom the
>> path that serves future engineers and practitioners in the field, and
>> seldom the path that gives institutions the foundation and the standing
>> that they will need in the decades to come.
>>
>
> Hi Nadim,
>
> There's a phrase to capture the essence of what you propose doing. It is
> that the perfect is the enemy of the good. Wikipedia even helpfully
> contains a useful quote in the context of Robert Watson-Watt.
>
> It is important that, while these flaws are recognized and being worked
> on, there is still a duty of care and community responsibility. There's
> clearly a school of thinking, which you appear to be advocating, that the
> best solution when something is less than perfect is to not do it at all,
> since doing nothing is the only 'fair' choice. Perhaps that's not your
> intent, but I want to highlight, you've repeatedly admonished the folks who
> have spent years into understanding and improving the ecosystem that
> they're not doing enough, or that it isn't rigorous enough.
>
> By way of analogy, which is admittedly a poor way to argue, it would be
> akin to someone arguing that out-of-bounds writes should not be fixed,
> because fixing OOB writes is not rigorous, and instead it should be
> rewritten in Rust. While it's certainly true that rewriting in Rust is
> likely to improve things, that's a bit of what we in the industry term a
> "long term" effort. In the mean time, as pragmatic professionals who care
> about security, long-term participants on this list are approaching both
> pragmatic and long-term solutions.
>
> There's not much I can say about the claimed lack of rigor. It appears
> that you were not familiar with long-standing policies or discussions, the
> means of approaching both the short-term risks and the long-term, the
> efforts to ensure consistency and reliability, and the acknowledged
> near-term gaps that necessitate a pragmatic approach. It's a bit like
> arguing that, since you have an OOB Write, the best path to take is to
> either do nothing to fix it, and in fact continue writing more code in
> unsafe languages, or do nothing until you replace it all. Neither, of
> course, are paths of rigor, and neither are paths that serve future
> engineers and practitioners in the field, nor do they give foundation and
> standing to the trust and safety of users.
>
> A different parallel to take would be that ignoring these 

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Ryan,

Thanks very much for this very insightful email. There really is a lot that
I and others don't know about how these decisions are made.

The silver lining here is that we agree on where some of the gaps are in
this process, and that Mozilla, Google and others are working on filling in
these gaps, as you say. I would argue that the existence of so many
conflicts of interests, intricacies and complexities between the multiple
stakeholders in such decisions make it more urgent to fill in these gaps
quickly and completely.

If the existing documentation is insufficient in order to provide a full
set of distinguishers on the intricacies of this process, then it stands to
reason that they should be improved. If a certain terminology is too broad,
it stands to reason that it can be made less broad. If layman's terms are
deployed for non-layman concepts, it stands to reason that this should be
modified and its underlying concept elucidated. If incompetent auditors
cannot be differentiated from competent auditors, it stands to reason that
this can be addressed. If areas exist where conflicts of interests are
likely, it stands to reason that policies can be expanded to avoid these
conflicts of interests from occurring.

So long as we can continue to point to specific problems and shortcomings,
which you do masterfully and to great public service in your email, it will
always stand to reason that we can improve our policies such that the gaps
are filled. And again, it's wonderful that Mozilla, Google etc. are working
on this.

Many times in this discussion, we have all been offered a choice between
two paths. The first path would be to examine difficult problems and
shortcomings together and attempting to present incremental--often
onerous--improvements. The second path would be to just say that someone
should trust us based on years of subjective experience. In many, many
cases, the latter really is a wise thing to say and a correct thing to say
(and I truly mean this); it offers a path through which judicious decisions
are often made. Furthermore, it is often a necessary path to take when time
is of the essence. But it is seldom the rigorous path to take, seldom the
path that serves future engineers and practitioners in the field, and
seldom the path that gives institutions the foundation and the standing
that they will need in the decades to come.

I sincerely appreciate the formidable passion with which you argue for your
positions, and am glad that someone like you holds the responsibility that
you do.

Thank you,

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from office


On Wed, Jul 10, 2019 at 8:42 PM Ryan Sleevi  wrote:

>
>
> On Wed, Jul 10, 2019 at 2:15 PM Nadim Kobeissi via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Indeed I would much rather focus on the rest of the elements in the
>> Mozilla
>> Root Store Policy (
>>
>> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>> )
>> which are less vapidly authoritarian than the single clause you quote, and
>> which focus more on a set of audits, confirmations and procedures that
>> give
>> everyone a fair chance at proving the honesty of their role as a
>> certificate authority. For example, I find policy points 2.2 (Validation
>> Practices), 3.1.1 (Audit Criteria) and 3.1.4 (Public Audit Information) to
>> be much more of a fertile ground for future discussion.
>>
>
> I appreciate that attempt to focus. However, it does again fundamentally
> misunderstand things in ways that are critical in demonstrating why this
> discussion is not productive or fruitful, and your suggestions are quite
> misguided.
>
> For example, judging by your replies, it seems you may not understand
> audits, what they are, or how they work.
>
> During an audit, someone who agrees to a voluntary set of professional
> standards, such as a Chartered Public Accountant, agrees to perform an
> audit using a specific set of Principles and Criteria. The Principles are
> very broad - for example, the three principles are "CA Business Practices
> Disclosure", "Service Integrity", and "CA Environmental Controls". These
> don't tell you very much at all, so then there are individual Criteria.
>
> However, the Criteria are very broad: for example: "The CA maintains
> controls to provide reasonable assurance that its Certification Practice
> Statement (CPS) management processes are effective."
>
> Now, you may not realize, but "reasonable assurance" and "effective" are
> not layman's terms, but refer to specific procedures that vary by country
> and professional standards (e.g. AICPA standards like the AT series or CPA
> Canada standards like CSAE)
>
> Durin

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Ryan,

Thank you very much for pointing out that in the examples listed by Fabio,
none of them actually control the private key. I did not know this and
assumed that the opposite would be the case for at least some of the
entities listed.

I am indeed a new participant and I have an infinitesimal amount of
experience in this specific topic compared to you, who does this for a
living indeed as a guardian for one of the most important entities on the
Internet. But I did make an effort a few months ago, at the outset of this
discussion, to understand how the CA process works, and I do not believe
that citing the clause "Mozilla MAY, at its sole discretion, decide to
disable (partially or fully) or remove a certificate at any time and for
any reason" is a particularly insightful way in which to veer the
discussion back towards policy, except if the intent is to outline that the
policy does technically allow Mozilla to do whatever it wants, policy be
damned.

Indeed I would much rather focus on the rest of the elements in the Mozilla
Root Store Policy (
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)
which are less vapidly authoritarian than the single clause you quote, and
which focus more on a set of audits, confirmations and procedures that give
everyone a fair chance at proving the honesty of their role as a
certificate authority. For example, I find policy points 2.2 (Validation
Practices), 3.1.1 (Audit Criteria) and 3.1.4 (Public Audit Information) to
be much more of a fertile ground for future discussion.

Finally, I don't think anyone here has expressed interest in those "pay to
play" schemes, as you call them. Rather, my argument is that the continued
dismissal of auditing practices and transparent procedures, especially by
substituting them with newspaper reports that offer no evidence, is not a
good path to take for Mozilla. This is especially true when this dismissal
is largely cushioned with such elements as "you didn't see that Mozilla has
a clause that lets it do anything for any reason", "after 30 years of
experience, we decided that trust is subjective" and that it's
"unfortunate" to ask for due process as the main gatekeeper for what is
perhaps the most critical deliberative process for the safety of the world
wide web.

With my sincere appreciation for your continued engagement,

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from office


On Wed, Jul 10, 2019 at 7:33 PM Ryan Sleevi  wrote:

>
>
> On Wed, Jul 10, 2019 at 1:07 PM Nadim Kobeissi via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> I would like to support the statements made by both Fabio and Scott to the
>> extent that if Mozilla is to go forward with this decision, then I fully
>> expect them to review their existing CAs and to revoke onto OneCRL every
>> one of them that has some news report or blog post linking them to
>> nefarious activities without evidence. The examples given by Fabio (Saudi
>> Telecom, Australia's Attorney General Department, etc.) seem to have as
>> much "evidence" (if not more) than DarkMatter out there. Will they also be
>> revoked? And if not, why not? In fact, why didn't Mozilla itself bring
>> this
>> up before Fabio and Scott chimed in?
>>
>
> Hi Nadim,
>
> I realize you're a new participant in this Forum, and thus are not very
> familiar with PKI or how it works. As I responded, Fabio's remarks
> misunderstand both Mozilla Policy and how CAs work and operate, as well as
> audits and controls. I realize this may be confusing for new participants,
> and I hope my drawing attention to your confusion can help you learn more.
>
> Similarly, as a new participant, you probably aren't familiar with how
> root programs work, based on your replies. For example, Mozilla's policy
> has always contained a very explicit provision:
> Mozilla MAY, at its sole discretion, decide to disable (partially or
> fully) or remove a certificate at any time and for any reason.
>
> I realize you may be unhappy with that language, based on your replies,
> but it's important to recognize that Mozilla is tasked with, among other
> things, the safety and security of its users. However, as noted, it may
> remove them for any reason, even those without security requirements.
> Mozilla understandably strives to balance this in its mission, but I think
> it's important to recognize that it's a very clear policy which every CA
> trusted or applying to be trusted must acknowledge and agree with.
>
> It's also unfortunate that you seem to be looking for objective controls
> here. In the 30 years of PKI discussions, one of the key themes in both the
> legal and technical analysis is that trust is, functionally, a subjecti

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
I would like to support the statements made by both Fabio and Scott to the
extent that if Mozilla is to go forward with this decision, then I fully
expect them to review their existing CAs and to revoke onto OneCRL every
one of them that has some news report or blog post linking them to
nefarious activities without evidence. The examples given by Fabio (Saudi
Telecom, Australia's Attorney General Department, etc.) seem to have as
much "evidence" (if not more) than DarkMatter out there. Will they also be
revoked? And if not, why not? In fact, why didn't Mozilla itself bring this
up before Fabio and Scott chimed in?

As I predicted, we are now in a situation where DarkMatter can correctly,
and at length, chide Mozilla for a short-sighted and illegitimate
implementation of a critical process. It doesn't please me to be unable to
find any holes in Scott's email; on the contrary, it worries me. Because we
are now in a position where Mozilla can't defend its decision making
against an entity that may in the end still turn out to be involved in
aggressive surveillance and hacking behavior, despite the current lack of
evidence.

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from office


On Wed, Jul 10, 2019 at 6:43 PM Scott Rea  wrote:

> G’day Folks,
>
> DigitalTrust first learned of the Mozilla decision via Reuters. We believe
> this is emblematic of Mozilla’s approach to our application which appears
> to have been predetermined from the outset.
>
> We believe yesterday’s decision is unfair and demonstrates an anti-UAE
> bias where a 2016 media report referring to a single claimed event that
> aims to falsely implicate DarkMatter (and repeatedly echoed over a span of
> 4 years) has now outranked Mozilla’s established process of demonstrated
> technical compliance. This very same compliance has been met by
> DigitalTrust for three consecutive years with full transparency.
>
> The emerging principle here seems to be that 508 WebTrust audit controls
> are not sufficient to outweigh a single media allegation referring to work
> we as well as DarkMatter simply don’t do. In fact DarkMatter’s work is
> focused on the exact opposite of the false claim as evidenced by the
> continuous work to protect all internet users, for example through on-going
> disclosure of zero day vulnerabilities to the likes of Cisco, Sony, ABB and
> others.
>
> Mozilla’s new process, based on its own admission, is to ignore technical
> compliance and instead base its decisions on some yet to be disclosed
> subjective criterion which is applied selectively.  We think everybody in
> the Trust community should be alarmed by the fact that the new criterion
> for inclusion of a commercial CA now ignores any qualification of the CA or
> its ability to demonstrate compliant operations. We fear that in doing so
> Mozilla is abandoning its foundational principles of supporting safe and
> secure digital interactions for everyone on the internet.  This new process
> change seems conveniently timed to derail DigitalTrust’s application.
>
> By Mozilla’s own admission, DigitalTrust is being held to a new standard
> which seems to be associated with circular logic – a media bias based on a
> single claimed event that aims to falsely implicate DarkMatter is then used
> to inform Mozilla’s opinion, and the media seizes on this outcome to
> substantiate the very same bias it aimed to introduce in the first place.
> Additionally, in targeting DigitalTrust and in particular DarkMatter’s
> founder Faisal Al Bannai, on the pretense that two companies can’t operate
> independently if they have the same owner, we fear another dangerous
> precedent has been set.
>
> What’s at stake here is not only denial of the UAE’s Roots but also
> Mozilla’s denial of the UAE’s existing issuing CAs. This means the nation’s
> entire Public Trust customer base is now denied the same digital
> protections that everyone else enjoys.
>
> We fear that Mozilla’s action to apply this subjective process selectively
> to DigitalTrust effectively amounts to incremental tariffs on the internet
> with Mozilla de-facto promoting anti-competitive behavior in what was once
> a vaunted open Trust community.  Mozilla is now effectively forcing the UAE
> to protect its citizens by relying on another nation or commercial CA –
> despite DigitalTrust meeting all of Mozilla’s previously published criteria
> – thus protecting a select number of operators and excluding or forcing
> newcomers to pay a premium without the added benefit of control.
>
> In conclusion we see only two possible paths going forward.
>
> Under the first path, we demand that Mozilla’s new standard be explicitly
> disclosed and symmetrically applied to every other existing member of the
> Mozilla Trust Program, with immediate effect. This would cover, based on
> the precedent of the DigitalTrust case, any CA deemed to be a risk to the
> Trust community, despite lacking substantive evidence. This would suggest

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Nex,

I doubt that anyone seriously believes that "reporters are lying out of their 
teeth." It is far more likely that the reporters are working within the realm 
of reason and covering things as they see them. So far all the actors in this 
appear to be behaving in ways that make sense given their perspectives on the 
issue, which are wildly different.

I am pointing to the fact that the journalistic reporting on this matter has so 
far operated under a fundamentally different dimension of rigor than the one I 
would assume is necessary for making this sort of decision with regards to the 
Mozilla CA process. For example, Reuters can allow itself to publish an article 
that kicks off with the claim that Mozilla blocked the United Arab Emirates 
government (not DarkMatter!), from becoming an "Internet security guardian" or 
"Internet security gatekeeper", and that Mozilla claimed to have "credible 
evidence" for doing this. In the Reuters world, this isn't egregious because it 
still covers the gist of what's going on and communicates it abstractly to a 
mainstream global audience. It's not "lying" as much as it is lacking in rigor.

Similarly, the Intercept bills itself as an "adversarial journalism" outfit and 
has had a serious anti-surveillance and activist bent from day one. That's not 
at all a bad thing, and their work is important. But it's still the case that 
it doesn't meet the standard of objectivity and evidence that I would 
personally prefer to see mandated in such decisions.  

My contention is that, similarly as I wouldn't base my decision on which 
dentist to go to for a root canal on an article in People magazine, Mozilla 
shouldn't base these decisions on reporting from the New York Times or the 
Intercept. People magazine's profile of a brilliant dentist is likely a fair 
one all things considered, but it's still not how informed decisions should be 
made. Another example: I wouldn't expect the mayor of a village to decide to 
ban video games from being sold based on him reading in the town newspaper that 
they cause violence and addiction. Maybe they do, maybe they don't -- it's just 
that such decisions shouldn't be made based on that kind of source material.

I agree that not all of the sources on the DarkMatter story were anonymous and 
I was incorrect in implying that this was the case. But I still believe that it 
is in everyone's interest to, moving forward, improve our objective procedures 
such that they are applicable, relevant and sufficient, and to place more value 
on evidence. I personally hope that evidence shows up that proves every single 
one of the claims against DarkMatter true, just so that we can actually finally 
know for sure and leave this behind us once and for all!

I want to reiterate that I am not trying to defend DarkMatter here. My interest 
lies in trying to warn about a potential for decay in objective and correct 
procedure, especially when it comes to something this important. My contentions 
are likely to be unpopular with all sides: they don't excuse DarkMatter, they 
criticize a legitimately brilliant vanguard of Internet freedom (Mozilla), etc. 
etc. -- I'm sorry for having to make you all put up with this; I just genuinely 
think it's important to not dismiss these concerns and to keep them in mind for 
next time.

On Wednesday, July 10, 2019 at 9:45:07 AM UTC+2, Nex wrote:
> I think that dismissing as baseless investigations from 9 different
> reporters, on 3 different newspapers (add one more, FP, if you consider
> this [1]) is misleading. Additionally, it is just false to say all the
> articles only relied on anonymous sources (of which they have many, by
> the way), but there are clearly sources on record as well, such as
> Simone Margaritelli and Jonathan Cole for The Intercept, and Lori Stroud
> for Reuters.
> 
> While obviously there is no scientific metric for this, I do think the
> number of sources (anonymous and not) and the variety of reporters and
> of newspapers (with their respective editors and verification processes)
> do qualify the reporting as "credible" and "extensively sourced".
> 
> Additionally, details provided by sources on record directly matched
> attacks documented by technical researchers. For example, Lori Stroud
> talking in detail about the targeting of Donaghy, which was also proven in
> Citizen Lab's "Stealth Falcon" report. Lastly, Reuters reporters make
> repeated mentions of documents they had been able to review supporting
> the claims of their sources. Unless you have good reasons to believe
> reporters are just lying out of their teeth, I don't see how all of this
> can't be considered credible.
> 
> [1]
> https://foreignpolicy.com/2017/12/21/deep-pockets-deep-cover-the-uae-is-paying-ex-cia-officers-to-build-a-spy-empire-in-the-gulf/
> 

Re: DarkMatter Concerns

2019-07-09 Thread Nadim Kobeissi via dev-security-policy
I wanted to supplement my previous email with an observation on how this
decision is already being covered by the same news outlets that are being
cited in the case against DarkMatter.

Reuters wrote this article:
https://www.reuters.com/article/us-usa-cyber-mozilla/mozilla-blocks-uae-bid-to-become-an-internet-security-guardian-after-hacking-reports-idUSKCN1U42CA

The article makes the following claims:

- Mozilla blocked the United Arab Emirates government (not DarkMatter!),
from becoming an "Internet security guardian" or "Internet security
gatekeeper", as a result of the Reuters report on DarkMatter. I have no
idea what that means.
- Mozilla blocked the United Arab Emirates from becoming a "globally
recognized Internet security watchdog". Again, I am not sure what that
means or how that represents DarkMatter's attempts to justify its CA status.
- Mozilla cited the existence of "credible evidence" to Reuters, despite us
establishing in this thread that no evidence whatsoever has been presented
so far and that we're still waiting for it.

This is a sad and frustrating irony. These sources are being cited as
sufficient for a decision to be made with regards to DarkMatter, and then
they proceed to cover *the decision itself* in a way that is sensationalist
and that starts blurring lines from the very first paragraph.

That said, I recognize that this was a difficult decision.

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from office



Re: DarkMatter Concerns

2019-07-09 Thread Nadim Kobeissi via dev-security-policy
Dear Wayne,

I fully respect Mozilla's mission and I fully believe that everyone here is
acting in good faith.

That said, I must, in my capacity as a private individual, decry what I
perceive as a dangerous shortsightedness and lack of intellectual rigor
underlying your decision. I do this as someone with a keen interest in
Internet freedom issues and not as someone who is in any way partisan in
this debate: I don't care for DarkMatter as a company in any way whatsoever
and have no relationship with anyone there.

I sense enough urgency in my concerns to pause my work schedule today and
respond to this email. I will do my best to illustrate why I sense danger
in your decision. Essentially there are three specific points I take issue
with:

-
1: Waving aside demands for objective criteria.
-
You say that "if we rigidly applied our existing criteria, we would deny
most inclusion requests." Far from being an excuse to put more weight (or
in this case, perhaps almost all weight) on subjective decision making,
this should be a rallying cry for Mozilla to investigate why it is that an
objective and democratic decision-making process is failing, and what can
be done to make it work better. Waving aside objective procedures as
"checklists" dismisses a core procedural element of how such critical
decisions should be made in the future and is explicitly undemocratic and
therefore dangerous.

-
2: Calling allegations "credible" and "extensively sourced" with almost no
basis whatsoever.
-
You cite four articles: two are from the Intercept, one is from Reuters and
one is from the New York Times. You claim that the fact that they are years
apart bolsters their credibility; why is this the case? In fact, these
articles all parrot almost exactly the same story, with some minor
additions, updates and modifications. They all almost read like the same
article, despite their temporal distribution. Furthermore, the notion that
the articles are "extensively sourced" is simply incorrect: all of the
articles are based on anonymous sources and none of them provide a shred of
evidence, which is why we are in this debate to begin with (or so I've been
thinking).

It should also be noted that both The Intercept and the New York Times have
published misleading and incorrect information many times in their history.
The Intercept in particular has a very spotty credibility record.

It is also not difficult to theorize how a politically trendy topic
(cyberattacks) against the world's most easy-to-villainize company (an
Arabic offensive cybersecurity company operating within a true monarchic
state) would be appealing to American journalists. This sort of thing isn't
new, and American "digital rights" groups have previously linked malicious
cyberattacks to Middle Eastern countries without providing something that
is even close to the same standard of evidence that they almost always
provide when naming American or European actors.

It is indeed unfortunate that this issue was dealt with in a single
paragraph: I would have expected it to be the brunt of the email given its
importance, and it is impossible to qualify that reporting as "credible"
and "extensively sourced" so summarily.

-
3: Culminating in an argument that simply boils down to "the people's
safety", a trope that is often overused and that leads to undemocratic
behavior.
-

We don't know if DarkMatter is an evil spying empire that doesn't care
about the rights and dignity of private citizens or not. We don't know if
they're setting up shell companies to mislead Mozilla's CA vetting
procedures or not. In fact, it's been months where no new information has
arisen and I would like to repeat that I do not _at all_ discount the
possibility that all of the allegations may turn out to be completely true.

But instead of making an effort towards resolving this uncertainty, or, in
case that's not possible, creating procedures to deal with it, we see it
being wielded in order to increase the subjectivity of the decision making
that gatekeeps some of the most fundamental issues of Internet security and
to legitimize shoddy thinking.

Individually, your apparent decision against DarkMatter doesn't bother me.
It is the decision making process itself however that risks setting a
dangerous precedent that is already taking shape in other parts of the tech
community, where major decisions are predicated on gut feeling and notions
of safety that are almost by design impossible to elucidate, and where
much-needed objectivity, vetting and reasoned behavior is relegated to
one-shot paragraphs that barely come with an apology.

In conclusion: perhaps it is exactly because DarkMatter are so incredibly
easy to demonize that we are so temporarily blind to an infinitely more
dangerous and terrifying lapse of judgement: one that may come from much
closer to home. I don't mind if DarkMatter loses out here, but 

Re: DarkMatter Concerns

2019-06-23 Thread Nadim Kobeissi via dev-security-policy
That article doesn't seem to say anything new about Dark Matter that hasn't
been reported before, doesn't present evidence and doesn't cite sources.
Furthermore, the article appears to allege that Dark Matter "discussed"
potentially targeting The Intercept, not that it "tried to hack several of
their employees". To wit, from the article:

"It is not clear if an attack against The Intercept was ever carried out."

I understand the concerns regarding Dark Matter, but uncertainty shouldn't lead
to this level of low-quality argument. I still hope that stronger evidence
against Dark Matter will come forward so that this can be settled once and for
all.

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from office

> On Jun 21, 2019, at 7:43 PM, coop...@gmail.com wrote:
> 
> This thread hasn't been updated in a while so I'm not sure what the status is
> of Dark Matter being accepted, but I thought this was a relevant update. The
> US-based reporting agency The Intercept recently issued a report claiming
> that Dark Matter has tried to hack several of their employees.
> https://theintercept.com/2019/06/12/darkmatter-uae-hack-intercept/
> 
> I'm sure that Dark Matter will claim this is "fake news" as they have 
> previously, but I'm not inclined to believe that The Intercept would publish 
> a story of this magnitude without fact checking and unless they were 100% 
> sure of it. At this point I feel that there is a preponderance of evidence 
> that Dark Matter are bad faith actors and would significantly diminish the 
> trustworthiness of the CA system if they were to be included.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: DarkMatter Concerns

2019-03-22 Thread Nadim Kobeissi via dev-security-policy
What a strange situation.

On the one hand, denying DarkMatter's CA bid because of these press
articles would set the precedent of refusing to accept the engagement and
apparent good faith of a member of the industry, based only on hearsay and
with no evidence.

On the other hand, deciding to move forward with a good-faith, transparent
and evidence-based approach actually risks creating a long-term undermining
of public confidence in the CA inclusion process.

It really seems to me that both decisions would cause damage to the CA
inclusion process. The former would make it seem discriminatory (and to
some even somewhat xenophobic, although I don't necessarily agree with
that) while the latter would cast a serious cloud of uncertainty above the
safety of the CA root store in general that I have no idea how anyone could
or will eventually dispel.

As a third party observer I genuinely don't know what could be considered a
good move by Mozilla at this point. I want Mozilla to both offer good faith
and a transparent process to anyone who promises to respect its mission,
but I also want it to maintain the credibility and trust that it has built
for its CA store. For it to seem impossible for Mozilla to do both at the
same time seems deeply unfortunate and a seriously problematic setting for
the future of this process overall.

I really wish that solid evidence of the claims being made against
DarkMatter were published (if it exists). That would be a great way for
Mozilla to arrive at a unilaterally defensible position.

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from Galaxy

On Fri, Mar 22, 2019, 4:19 PM Benjamin Gabriel <
benjamin.gabr...@darkmatter.ae> wrote:

> Benjamin Gabriel | General Counsel & SVP Legal
> Tel: +971 2 417 1417 | Mob: +971 55 260 7410
> benjamin.gabr...@darkmatter.ae
>
> On 2/24/19 11:08 AM, Nex wrote:
>
> > The New York Times just published another investigative report that
> > mentions DarkMatter at length, with additional testimonies going on the
> > record:
>
> Dear Nex,
>
> The New York Times article that you reference does not add anything new to
> the misleading allegations previously published in the Reuters article. It
> simply repeats ad nauseam a false, and categorically denied, narrative
> about DarkMatter, under the guise of investigative reporting on the
> alleged surveillance practices of governmental authorities of foreign
> countries.
>
> DarkMatter is strictly a commercial company which exists to provide
> cyber-security and digital transformation services to our customers in the
> United Arab Emirates, and the larger GCC and MENA regions.
>
> We have already noted that these misleading allegations about DarkMatter
> were originally planted by defamatory and false sources - in two (2)
> articles published on the internet - and are now repeatedly recycled by
> irresponsible journalists looking for a sensationalist angle on
> socio-political regional issues.  And we have consistently, and
> categorically, denied and refuted all of the allegations about DarkMatter,
> including on this forum. [1][2]
>
> The fact that the New York Times has chosen to recycle these refuted false
> narratives about DarkMatter, without reaching out to inquire on the real
> DarkMatter story, is unfortunate. At times like this, it is important to
> note that not all news reporting is based on factual or true events, and is
> sometimes based on undisclosed bias or in some instances on outright
> fraudulent reporting. [3][4][5][6][7][8]
>
> We continue to push for responsible journalism that is based on truth and
> verifiable facts.
>
> Regards,
> Benjamin Gabriel
> General Counsel, DarkMatter Group
>
> [1]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/QAj8vTobCAAJ
> [2]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/VZf8xR-hAgAJ
> [3] https://theintercept.com/2016/02/02/a-note-to-readers/
> [4]
> https://www.nytimes.com/2016/02/03/business/media/the-intercept-says-reporter-falsified-quotations.html
> [5]
> https://www.theguardian.com/media/2016/feb/02/the-intercept-fires-reporter-juan-thompson
> [6]
> https://www.nytimes.com/2013/05/05/public-editor/repairing-the-credibility-cracks-after-jayson-blair.html
> [7]
> https://www.nytimes.com/2003/05/11/us/correcting-the-record-times-reporter-who-resigned-leaves-long-trail-of-deception.html
> [8] https://en.wikipedia.org/wiki/The_New_York_Times_controversies

Re: DarkMatter Concerns

2019-03-07 Thread Nadim Kobeissi via dev-security-policy
On Thu, Mar 7, 2019, 4:29 PM Ryan Sleevi wrote:

>
> On Thu, Mar 7, 2019 at 10:18 AM nadim--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> I think we're all choosing to kid ourselves here if we continue to say
>> that the underlying impetus for this discussion isn't primarily
>> sociopolitical. The sooner an end is put to this, the better.
>>
>
> I don't think it's productive nor charitable to suggest that the
> participants are behaving disingenuously, especially when it's been
> repeatedly highlighted that the concerns are not and have not been
> sociopolitical in nature. This seems unnecessarily dismissive of the
> discussion to date, and likely prevents productive discourse.
>

I'm not at all suggesting that any folks are behaving disingenuously. I'm
just saying that it probably would be useful to admit that at this point,
this discussion has become driven by concerns against Dark Matter that are
largely informed from their previous work, journalistic reporting on said
work, the fact that they're based in the UAE, etc.

This isn't an indicator of disingenuous behavior or anything like that.
It's just distracting from progress and that was my point.


>
>> by either Mozilla, the CABForum, or both
>>
>
> I just want to highlight that the CA/Browser Forum has absolutely no
> relevance to this discussion or matter, nor has it ever. The CA/Browser
> Forum is merely a discussion forum for examining common baseline technical
> requirements. It is not, nor has it ever been, an appropriate place to
> discuss the inclusion, exclusion, or trustworthiness of given entities, and
> has zero bearing whatsoever on the security and policy decisions
> application software vendors may produce.
>

Thanks for clarifying this. I'm regardless still wondering if it would be
better to move forward in the way that I'm proposing: presenting a
documented process that lays out a set of empirical, falsifiable,
achievable requirements for DarkMatter to fulfill so that they can be
considered for inclusion. If these requirements are (1) defined fairly and
(2) achieved by DarkMatter verifiably, then great. Otherwise, too bad.

You're the expert, Ryan, and so I ask: isn't this the right way to move
forward? How can we pivot in this direction, so that the discussion becomes
more fair and appropriate for all parties?
