Ask Hacker and Security Gadfly Moxie Marlinspike

As a security researcher, Moxie Marlinspike has played a big role in explaining what can go wrong in using Certificate Authorities to authenticate SSL traffic, an issue that's been top of mind this year thanks to compromised and faked certificates. On that front, he's lately come up with a system designed to circumvent CAs entirely, which means bypassing compromised (or invidious) authorities, rather than trying to patch the CA system. Another line of research, but not the only one, is mobile security and privacy; his Whisper Monitor Android firewall, released earlier this year, gives Android users notifications (and fine-grained permissions) when apps — including location-tracking or malware apps — want to make outbound connections. Possibly related: Moxie can also speak first-hand about what new border-search policies mean for travelers, having had his laptop and phones seized on returning to the U.S. from a trip. (And by the way, he's also an accomplished sailor and film-maker.) Moxie's agreed to answer your questions. Ask as many questions as you'd like, but please, be kind of rewind^wask don't ask unrelated questions in the same post.


  1. Is dissent, like the gadfly, easy to swat? by elrous0 · · Score: 2

    And also, how do you feel about hemlock?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  2. WhisperCore by dark_requiem · · Score: 5, Insightful

    I really like the idea behind WhisperCore. The problem, as I see it, is that it's only available for two devices, and the Android source is updated regularly, making it difficult to keep WhisperCore up to date with the latest version of Android. Also, there are a wide variety of existing ROMs, each sporting its own array of features, but WhisperCore is the only one focusing on full-device encryption and a quality firewall interface. Given that security is becoming more critical on mobile devices, I would love to see WhisperCore's functionality integrated into every ROM. Have you given any consideration to integrating the WhisperCore project into an existing community such as CyanogenMod, or opening the source to build a community around WhisperCore? It would definitely help with making it available on more devices.

    1. Re:WhisperCore by Anonymous Coward · · Score: 0

      It confuses me why a security researcher would release software without making the source code freely available for download. Why should we trust that Whispercore isn't backdoored? Has there been any independent code review whatsoever? What about TextSecure and RedPhone? Why can't I get the source code for those?

      WhisperCore and WhisperMonitor are all well and good, but more than 99% of Android users can't even think about installing them because WhisperCore is only available on two phones. Effort would be far better spent adding security/privacy features to CyanogenMod. Oh, make that 100% actually. I've just noticed that you can't even download Whispercore at the moment: http://whispersys.com/whispercore.html "Temporarily Unavailable". I wonder if that means days, weeks, months or years? Whispercore has been "coming soon" to other phones since it was released, with no actual explanation as to when that will be or which phones it will be for.

      Software development skills = Excellent. Project management skills = Terrible.

    2. Re:WhisperCore by cool_arrow · · Score: 1

      Agree. I don't know why people trust this non-source code releasing security researcher. Could be a social experiment to see how many idiots can be duped into installing this particular brand of spyware voluntarily.

  3. Most Important question... by Anonymous Coward · · Score: 0, Offtopic

    Who does your hair?

  4. CarrierIQ by nnet · · Score: 5, Interesting

    Does Whisper Monitor stop CarrierIQ as well?

  5. Whisper Monitor by dark_requiem · · Score: 2

    As a followup to my previous question, have you considered releasing Whisper Monitor as a standalone app for rooted devices, rather than integrating it exclusively with WhisperCore?

  6. Re:What is up with the name? by Rary · · Score: 3, Informative

    From this interview:

    Heather Brooke: Maybe if you could just tell me what you do. Have you created this name as well?

    Moxie Marlinspike: No that’s my name. It’s my really real name.

    H: Were you born with it?

    M: I wasn’t born with it but it is a real name.

    H: So you changed your born name to this one.

    M: For all intents and purposes this is my real name.

    I don't think he wants anyone to know his birth name.

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

  7. Wildcard rules by PacoBell · · Score: 5, Interesting

    Moxie, please oh please add the ability to use wildcards for a range of IPs and subdomains. The tedium of creating rules ad nauseam for certain CDNs outweighs the utility of the firewall itself. This is a major usability issue. Please look into it. Thanks.

    1. Re:Wildcard rules by Anonymous Coward · · Score: 0

      Wildcards, or CIDR notation?

  8. Why is it that prominent security researchers by al0ha · · Score: 2

    Why is it that prominent security researchers have names like Moxie, Trevor and Tavis and not Bob, Alice or Walter?

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:Why is it that prominent security researchers by lister+king+of+smeg · · Score: 2

      because bob and alice are the people sending encrypted data to each other and trying to keep carman from listening in. walter? who is that?

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    2. Re:Why is it that prominent security researchers by al0ha · · Score: 2

      Walter, a warden, may be needed to guard Alice and Bob in some respect, depending on the protocol being discussed.

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    3. Re:Why is it that prominent security researchers by DMUTPeregrine · · Score: 1

      How about Brian (Krebs) and Bruce (Schneier)?

      --
      Not a sentence!
  9. Re:What is up with the name? by Anonymous Coward · · Score: 0

    M: I wasn't born with it but it is a real name.

    H: So you changed your born name to this one.

    M: For all intents and purposes this is my real name.

    I don't think he wants anyone to know his birth name.

    Or maybe he was born first, then named...

  10. Re:What is up with the name? by Anonymous Coward · · Score: 0

    His real name is Marx Marvelous.

  11. Who writes your paychecks? by SirGarlon · · Score: 5, Interesting

    From your Web site it looks like you've worn a number of hats. How do you mainly earn your living -- by penetration testing, developing software as a contractor, or what? Or do you have a day job? (I won't ask where). Do you have any advice for software engineers seeking an independent career?

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    1. Re:Who writes your paychecks? by tusam · · Score: 1

      At least he sells the WPA Cracker service, but from the stories section of the site, regarding the years of hitchhiking, train hopping, squatting and sailing on a shoestring budget, it could be guessed that he might not be overly concerned of a regular paycheck.

  12. Thoughts on TLS-SRP as a partial solution? by WaffleMonster · · Score: 2

    Most secure sites we normally depend on require you to establish an account. Rather than sending our passwords in the "clear" over SSL as everyone is foolishly doing today couldn't part of this problem be solved using trust previously established between you and the site in the form of mutually authenticated credentials?

    The best case example would be an online banking site first requiring you to physically come into the office with proper ID. There would no longer be any need for this bank to need to trust or use any third party.

    TLS-SRP RFCs have already been written, and the SSL stacks used by all popular browsers have already been patched with support... obviously this does not fully eliminate the need for trusted third parties.

  13. Using UPS by koan · · Score: 2

    For traveling in and out of the USA is using UPS or some other shipping a good idea for moving your laptop to your destination?

    --
    "If any question why we died, Tell them because our fathers lied."
  14. Re:Do you seriously believe by Anonymous Coward · · Score: 1

    Do you seriously expect a community evaluated primarily on merit not to mod you troll?

    What have *you* accomplished?

    They have handles. There's a reason they have handles. The handles tend to persist, assuming nobody screws up. Their credibility is based wholly upon their claimed past and present actions.

    The guy is an accomplished sailor. Sailors tend to use marlinspikes.

    Even if it wasn't a crap question I think /you're/ the one projecting phallic thoughts...

    Keep feeling special, cupcake.

  15. Re:What is up with the name? by Zerth · · Score: 2

    True names can be dangerous

    http://en.wikipedia.org/wiki/True_Names

  16. Convergence and adoption by Anonymous Coward · · Score: 0

    I love the idea of Convergence. The big issue is adoption rate. How do you plan on getting "companies that cannot fail" to adopt this instead of the existing CA model?

  17. Hope for the Future by Anonymous Coward · · Score: 2, Interesting

    As a security researcher myself - albeit an unknown one - I find myself constantly looking around at the state of security in our always-online world. To say the least, striving for a goal of security where nothing is ever actually secure is disheartening, something akin to a donkey chasing an inedible plastic carrot.

    While the cat and mouse games between genuine rob-your-grandmother criminals and (hopefully) 'honorable' types continue today, is there really any hope that this situation won't eventually just escalate into a forced-at-birth Orwellian nightmare?

  18. Re:Do you seriously believe by onkelonkel · · Score: 0

    whoosh

    --
    None of them can see the clouds; The polished wings don't care.
  19. Web of trust versus online consensus by DamnStupidElf · · Score: 4, Interesting

    PGP provides a model for partial trust in a public key based on the trust placed in signers of that key. I think a similar model would work much better for SSL certificates than either the current forest of fully trusted root CAs or projects like Convergence because it would allow long term trust in entities instead of merely the ephemeral keys used for SSL connections while also providing offline security and the ability to separate the keys used for privacy and identification.

    If I wanted to validate the hypothetically secure https://slashdot.org/ I would be happy seeing an SSL certificate signed by Geeknet's PGP key (assuming they cared enough to be in the strong set), but even happier if it was also signed by a couple certificate authorities and some other folks in the strong set. I would assign partial trust to each of the certificate authorities' root certificates and use PGP to measure the partial trust of other signatures and set a threshold for the security of any SSL site, perhaps requiring "full trust" for automatic acceptance of an SSL certificate, a warning for marginal trust, and a bigger warning for anything less.

    One of the primary advantages is separation of privacy and identification; the private key for identifying an entity would only be used to sign SSL certificates, reducing the likelihood of an attacker compromising an identity certificate. Notaries, as in Convergence, would simply be entities who sign a large number of SSL certificates after verifying the owner's identity through the existing trust network. The advantage for notaries is that they would not need to keep their private keys online and would only serve signatures. SSL sites could also just include the signatures in the initial SSL/TLS exchange, shifting bandwidth costs to the entities that benefit from the signatures. Site owners could also pre-distribute new SSL keys to certificate authorities and notaries to obtain signatures similar to the way that the existing PKI works, without relying on projects like Convergence to correctly identify a legitimate key change through heuristics.

    The biggest advantage is a much more robust framework for trusting the privacy and identity of web sites. The likelihood of obtaining fraudulent SSL certificates signed by enough entities to achieve full trust is much lower than the likelihood of compromising a single fully trusted root CA or tricking a Convergence-style network into trusting a fraudulent SSL certificate by DNS poisoning or other methods.

    Do you think this is a workable and, if so, good idea?
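The threshold-trust model sketched in this comment (partial trust per signer, a threshold for automatic acceptance, a warning for marginal trust, a bigger warning below that) can be made concrete with a small aggregator. The block below is an added example, not code from the comment author or from any of the projects named on the page; the keyring, trust weights, certificate bytes and attestations are all constructed, and signatures are modelled as already-verified attestations over a certificate fingerprint rather than real PGP signatures. Weights follow PGP's usual defaults (one fully trusted signer, or three marginally trusted ones, reaches full trust) but the thresholds are parameters.

```python
import hashlib
from dataclasses import dataclass

# Integer weights avoid floating-point surprises when summing partial trust.
FULL = 3        # one fully trusted signer is enough on its own
MARGINAL = 1    # three marginally trusted signers add up to FULL (PGP-style defaults)
UNKNOWN = 0     # a signer not in the user's keyring contributes nothing


@dataclass(frozen=True)
class Attestation:
    """A (hypothetical, already signature-verified) statement by an identity key
    that a particular TLS certificate belongs to the site."""
    signer: str        # key id of the signer's long-term identity key
    fingerprint: str   # SHA-256 fingerprint of the TLS certificate that was signed


def fingerprint(cert_der: bytes) -> str:
    """Fingerprint of the ephemeral TLS certificate; identity keys sign this value."""
    return hashlib.sha256(cert_der).hexdigest()


def trust_score(cert_der: bytes, attestations, keyring: dict) -> int:
    """Sum the trust weights of distinct known signers who attested to *this* cert.

    Attestations over a different certificate (e.g. the site's previous key)
    and duplicate attestations from one signer are ignored, so a key rotation
    needs fresh signatures before it regains trust."""
    fp = fingerprint(cert_der)
    counted = set()
    score = 0
    for a in attestations:
        if a.fingerprint != fp or a.signer in counted:
            continue
        counted.add(a.signer)
        score += keyring.get(a.signer, UNKNOWN)
    return score


def decide(score: int, full_threshold: int = FULL) -> str:
    """Map an aggregate score to the three outcomes the comment describes."""
    if score >= full_threshold:
        return "accept"            # full trust: connect silently
    if score > 0:
        return "warn-marginal"     # some trusted signers, but below threshold
    return "warn-untrusted"        # nobody the user trusts vouches for this cert


def evaluate(cert_der: bytes, attestations, keyring: dict) -> str:
    return decide(trust_score(cert_der, attestations, keyring))


if __name__ == "__main__":
    # Constructed sample data: a site identity key the user fully trusts,
    # three CA roots each given only partial trust, and one unknown signer.
    keyring = {"geeknet-identity": FULL, "ca-a": MARGINAL,
               "ca-b": MARGINAL, "ca-c": MARGINAL}
    cert = b"constructed DER bytes for the current slashdot.org cert"
    fp = fingerprint(cert)
    two_cas = [Attestation("ca-a", fp), Attestation("ca-b", fp)]
    print(evaluate(cert, two_cas, keyring))                           # warn-marginal
    print(evaluate(cert, two_cas + [Attestation("ca-c", fp)], keyring))  # accept
    print(evaluate(cert, [Attestation("geeknet-identity", fp)], keyring))  # accept
    print(evaluate(cert, [Attestation("nobody", fp)], keyring))       # warn-untrusted
    # After a key rotation the old attestations no longer apply.
    print(evaluate(b"rotated cert", two_cas, keyring))                # warn-untrusted
```

The point of keeping identity keys separate from the TLS key is visible in `trust_score`: attestations bind an identity to a fingerprint of the ephemeral certificate, so compromising a TLS key does not let an attacker mint attestations, and rotating the TLS key simply requires collecting new ones.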

    1. Re:Web of trust versus online consensus by OneMadMuppet · · Score: 1
    2. Re:Web of trust versus online consensus by Anonymous Coward · · Score: 0

      Check this out for a start: http://web.monkeysphere.info/

  20. WhisperMonitor primitives by postbigbang · · Score: 1

    It seems to currently work on Nexus and nothing else. Are you going to give community guidance as to how to sandbox the OS or calls, so that others can watch the cockroaches? I don't even mind rooting the phone, if I can find ways to get a mirror of application outbound system calls documented. Sure would be nice......

    --
    ---- Teach Peace. It's Cheaper Than War.
  21. And to think... by Seraphim_72 · · Score: 1

    ... it was only yesterday I posted about this: http://slashdot.org/comments.pl?sid=2538008&cid=38142128

    Moxie, I got to attend your Keynote at OWASP Con, great stuff!

    --
    Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
  22. security and society by xappax · · Score: 2

    In addition to being a very sharp security researcher, you seem to have a strong interest in issues of social and political control.
    What emerging security trends do you see as being most important or helpful for authoritarians (at home and abroad)?
    What security trends are most important for anti-establishment movements?

  23. Hold Fast by Anonymous Coward · · Score: 1

    Hold Fast inspired me to learn more about sailing and eventually join a crew and earn my sea legs (see http://www.instructables.com/id/How-to-Get-a-Free-Yacht/). I'm also involved in seasteading (http://seasteading.org) and Ephemerisle (http://ephemerisle.org). I'd love to hear your thoughts on security, survival and life on the open sea. Would you consider joining us at the next Ephemerisle on the Sacramento River in June 2012? If you don't have one of your own, you'd be most welcome to stay on our boat!

  24. GoogleSharing by Anonymous Coward · · Score: 0

    Are you still hacking on GoogleSharing Proxy or would you call it a finished product? Related to this: A year ago you said a chrome version is on its way, so will there be an extension for Google Chrome or even a browser-independent solution anytime soon?

  25. your movie by Anonymous Coward · · Score: 0

    ok, what *really* happened with you and those two chicks on the boat?

  26. Re:What is up with the name? by Anonymous Coward · · Score: 0

    Sheesh. Because his real name isn't really actually real even though he says it's real, it's actually a fake name and his birth name is his real name.

    Humans.

  27. Two Questions: by Anonymous Coward · · Score: 0

    1> Why do you bugdoor the software you release? Why do you need a covert, plausibly deniable way to hack into everything you create?

    2> Why do all your Whisper Systems apps make an encrypted connection back home? I've put them behind a sniffer and they sure are sending a lot of traffic to you when I send an encrypted SMS... it doesn't really need to do that, of course...

    bl^^gr^^whitehats unite!

  28. Or to put it another way: why not Monkeysphere? by anarcat · · Score: 2

    There is a project called Monkeysphere which has been working on doing this and much more with PGP for a while. They support SSL certificates in the browser (with some difficulty) and SSH host key authentication, and generally aim to bridge the PGP web of trust with other tools to decentralize the work of certification authorities.

    How does Convergence compare with Monkeysphere? Why didn't you collaborate with the Monkeysphere project instead of starting your own?

    --
    Semantics is the gravity of abstraction
    1. Re:Or to put it another way: why not Monkeysphere? by DamnStupidElf · · Score: 1

      As usual, smarter people have already implemented my ideas. It's nice that they fixed ssh too.

  29. Is everyone just re-inventing _parts_ of the WoT? by Sloppy · · Score: 1

    It seemed to me that what Perspectives notaries do, as expressed in OpenPGP-speak, is act as sophisticated Robot CA. (Is this wrong?) Is a Convergence notary "merely" a more sophisticated Robot CA, or does it provide information which couldn't be represented in a Web of Trust?

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  30. Squatting San Francisco? by Anonymous Coward · · Score: 0

    I've read some of your stories about living in squatted buildings around San Francisco. Can you tell us a story about your favorite housing situation?

  31. Re:WhisperCore - why not OSS? by nullchar · · Score: 1

    Are there business or technical reasons you do not want to open the source code for WhisperCore or any of the sub-projects like WhisperMonitor?

  32. Sovereign Keys by Lennie · · Score: 1
    --
    New things are always on the horizon
  33. bootstrapping -- notary trust by Onymous+Coward · · Score: 1

    Do you see the matter of how users come to trust the notaries themselves as a concern? What methods do you see for assuring users that a list of notaries is in fact recommended by a given party? I see notaries distributed with the Convergence plug-in (is the distribution signed?), but doubtlessly that's not meant as a steady-state solution as it does not promote trust agility.

    Have you considered notary list configuration based on "subscriptions" à la AdBlock lists? For example, if the EFF periodically published a signed "EFF Trusted Notaries" list, as one of a number of organizations doing so?

    And how much is a working web of trust required for this? Do you feel there is one?

  34. Did you ever get sea-sick? by Anonymous Coward · · Score: 0

    Hi Moxie,

    I'm currently fixing up my first boat, a 30' run-down Roberts, having survived a "let's learn to sail or sink" on a 24 footer.

    Have you done much work on boat hacking? I find it's great for getting my trade-skills up to speed to match my hacking/sys-admin skills.

    Have you got any good yarns from your sailing - any storms and any sea-sickness?

    Fair Winds,

  35. Hardware for the traveling hacker by capnkr · · Score: 1

    Hi Moxie -

    I'd be interested to know more about the hardware and/or platform you use on a daily/regular basis to do your work/research. I would assume that with your 'itinerant' lifestyle you have had to make choices and compromises in this area. IIRC, you "temporarily bought" ;) a laptop to edit Hold Fast, but that isn't something you do on a regular basis - is it? Are there any suggestions/tips/tricks about hardware or methods that you'd care to share for the traveling hacker with the above in mind?

    As an aside - Thanks for all the good work and entertaining tales! :) Been using that Capt's license much lately?

    --
    "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
  36. miscellaneous topical ideas by Onymous+Coward · · Score: 1

    I don't expect this list to make it as one of the high-rated questions; I'm just offering it as food for thought and in the off chance that Mr. Marlinspike would find interest in addressing any of its ideas.

    Automatic Vetting of Notaries
    What if the software monitored performance of notaries over time (checking concordance, availability, misbehavior of whatever sort, etc.) and internally rated the notaries, even disabling (and perhaps reporting) badly behaving ones?

    Redundancy
    What about a configuration option that makes a plug-in fallback to using the existing CA system (perhaps with warning) when insufficient notaries are available?

    Names
    Is Convergence a plug-in or a protocol or a system or any/all of these? If the system and protocol prove viable and a different plug-in is created by others, should they say they use the "Convergence system and protocol"?

    Inherently Distributed
    What about the option for the plug-in to double as a notary itself, vaguely resembling a Bittorrent-like distribution of client/server responsibility? Maybe have plug-ins report their sites pseudonymously to central repositories? (I imagine such pseudonymy would be very fragile.)

    Current CA System Reform — Multiple Signatures
    I'm guessing by your seeming politics that reform may not be considered as workable as wholesale change, but... Do you think allowing multiple signatures on SSL certs would enhance trust agility in any practical way (perhaps by allowing easier delisting of previously too-big-to-fail CAs)?

    Signatures In A Notary-Based Landscape
    What about the idea of allowing signatures from (multiple) notaries to be imported into a site's certificate? Thus the user's software may not need to perform the notary queries (increasing resource consumption and (theoretically) information leakage) if the certificate is already signed by user-trusted notaries. (Could this encourage consolidation into a system virtually the same as the current CA model?) (Could this be used in profiling a user's trust relationship to notaries?)

    Relation To Perspectives
    What is your system's relation to Perspectives? Was their work seminal?

  37. how bad is it? by Onymous+Coward · · Score: 1

    How insecure would you say the current CA model is? Looking at the fundamentals (logical OR of 600 CAs v. bell curve of their performance) I feel like it's "well and truly fucked".

    How relatively secure would you say the Convergence system (as a concept) is? (Or if you want to address the actual implementation's relative security, please do.)

  38. Sailing Advice by Anonymous Coward · · Score: 0

    I've seen your movie, Hold Fast, and am interested in how you learned to sail? Did you guys really just go down there and learn as you go? Do you have any advice for those of us thinking about taking to the sea?

  39. Social Movement by Anonymous Coward · · Score: 0

    Moxie,
    What social movement leader has most inspired you to work as an "off the grid" type of person?

  40. Re:I got one! by The+Master+Control+P · · Score: 1

    Probably the same way every maker of guns, or claw hammers, or rope, lock jimmys, or any other physical item does: It's a tool which has no moral standing. It's your fault if you are a douchebag, pedo or sociopath, not the tool's.

  41. If you're ever sailing in the Keys by Anonymous Coward · · Score: 0

    Give a shout out & I'll stand you the sprit of your choice.

  42. RedPhone and TextSecure? by Anonymous Coward · · Score: 0

    Have you pulled RedPhone and TextSecure from the Android Market? I can't locate them on the via Web or QR. I couldn't find any information on the web, FAQ etc.

  43. Re:What is up with the name? by Anonymous Coward · · Score: 0

    Hackers get mad pussy, huh?

    I think you need to stop watching Hugh Jackman movies.

  44. How do we know you are a whitehat? by Anonymous Coward · · Score: 0

    How do we know you are a whitehat? In particular, how do you make money?

  45. Why not more Maritime Security Studies? by Anonymous Coward · · Score: 0

    1.) Rogue Warrior is supposedly truthful fiction. Why not write a fiction novel?

    2.) Cruise Ships and Big ships tend to rely on Windoz. Why not teach on the BIG ship?

    3.) Ocean sailing is hands on when it comes to rogue waves. Why not write on the 2003 Electrical Blackout caused by BAD GE Display Software causing human perception failure? http://www.wired.com/threatlevel/2008/05/did-hackers-cau/

    4.) Death may come easily. Where have you been 'BLACK SWAN' surprised?

    5.) Bruce Lee JKD: Attack can be a form of defense and Gracie JJ: defense a form of attack. Why is most of your work in 'DIRECT' attack?

    6.) There are single, double and triple agents. Which one(s) do you claim to be? Why?

    7.) Maritime law and NOT U.S. law would govern on the high seas. When can I rent an internet server on a nuclear powered ship named Jules Verne?

    8.) While sailing, how long should you stay awake or 'sleep standing up' while steering boat?

    9.) How would you teach a dolphin to 'program' or perform NEW complex task set. Can you teach it to successfully attack a 'weakened' shark?

  46. Re:I got one! by tehcyder · · Score: 1

    Probably the same way every maker of guns, or claw hammers, or rope, lock jimmys, or any other physical item does: It's a tool which has no moral standing. It's your fault if you are a douchebag, pedo or sociopath, not the tool's.

    So what are the legitimate uses of this tool then? I have no interest in searching for information myself on something created by anyone with such a stupid name.

    Incidentally, "tools" such as landmines, thumbscrews, mustard gas or H-bombs have only one real use. Not all tools are neutral.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  47. Choice of name by Alioth · · Score: 1

    Completely unrelated to your work, but the name "Moxie Marlinspike" sounds wonderful. It's obvious why you chose "Marlinspike", after all as a sailor it's an object that you may have found useful (and it's not that uncommon to have a last name that is a tool or a trade). But the first name you chose - why did you choose it? Looking around for references to Moxie the most prominent one is for one of the earliest carbonated beverages sold in the world, which doesn't sound too probable as an origin.

  48. occupy movement by Anonymous Coward · · Score: 0

    What is your opinion regarding occupy wall street and similar events taking place these days?

  49. Switch from Perspectives? by Burz · · Score: 1

    Hello Moxie,

    I'm already using the Perspectives extension (and not sure what benefit I'm getting from that)... Why should I switch from Perspectives to Convergence?

  50. Self-signed certificates by Anonymous Coward · · Score: 0

    In early November, the Southern Nevada Health District shut down a "Farm-to-table" dinner hosted at a farm, because the farmer didn't have receipts for the vegetables and meat that came from the farm. (Strangely, they didn't question the imported alcohol.)

    Among other things, this story reminds me of all the problems around self-signed certificates.

    There were plenty of people who trusted the farmer, and didn't need health district approval before consuming the content.

    Do you think browsers should choke over self-signed certificates? Should consumers beware?

  51. Has Convergence lost buy-in from its allies? by Anonymous Coward · · Score: 0

    Is Convergence foundering due to a lack of buy-in from trustworthy allies?

    In your BlackHat 2011 talk you announced Convergence as a new way to establish trust on the internet to replace the SSL/Certificate Authority approach that has been shown to be so broken with the recent compromises of CAs like Comodo and Diginotar. Yet potential allies, some of whom admit that SSL has failed to meet its purpose and needs fixing, have not bought in to Convergence. Notably these include Google's Chrome security people and apparently the EFF (who has proposed a different solution instead).

    While the list of Convergence notaries is still growing, there is so far a lack of support from the kind of allies like the EFF who could lend credibility and tip momentum toward widescale adoption of Convergence as a solution to the SSL/CA problem. Is Convergence wilting on the vine?