Slashdot Mirror


Ask Hacker and Security Gadfly Moxie Marlinspike

As a security researcher, Moxie Marlinspike has played a big role in explaining what can go wrong in using Certificate Authorities to authenticate SSL traffic, an issue that's been top of mind this year thanks to compromised and faked certificates. On that front, he's lately come up with a system designed to circumvent CAs entirely, which means bypassing compromised (or invidious) authorities, rather than trying to patch the CA system. Another line of research, but not the only one, is mobile security and privacy; his Whisper Monitor Android firewall, released earlier this year, gives Android users notifications (and fine-grained permissions) when apps — including location-tracking or malware apps — want to make outbound connections. Possibly related: Moxie can also speak first-hand about what new border-search policies mean for travelers, having had his laptop and phones seized on returning to the U.S. from a trip. (And by the way, he's also an accomplished sailor and film-maker.) Moxie's agreed to answer your questions. Ask as many questions as you'd like, but please, be kind of rewind^wask don't ask unrelated questions in the same post.

4 of 70 comments

  1. WhisperCore by dark_requiem · Score: 5, Insightful

    I really like the idea behind WhisperCore. The problem, as I see it, is that it's only available for two devices, and the Android source is updated regularly, making it difficult to keep WhisperCore up to date with the latest version of Android. Also, there are a wide variety of existing ROMs, each sporting its own array of features, but WhisperCore is the only one focusing on full-device encryption and a quality firewall interface. Given that security is becoming more critical on mobile devices, I would love to see WhisperCore's functionality integrated into every ROM. Have you given any consideration to integrating the WhisperCore project into an existing community such as CyanogenMod, or opening the source to build a community around WhisperCore? It would definitely help with making it available on more devices.

  2. CarrierIQ by nnet · Score: 5, Interesting

    Does Whisper Monitor stop CarrierIQ as well?

  3. Wildcard rules by PacoBell · Score: 5, Interesting

    Moxie, please oh please add the ability to use wildcards for a range of IPs and subdomains. The tedium of creating rules ad nauseam for certain CDNs outweighs the utility of the firewall itself. This is a major usability issue. Please look into it. Thanks.

  4. Who writes your paychecks? by SirGarlon · Score: 5, Interesting

    From your Web site it looks like you've worn a number of hats. How do you mainly earn your living -- by penetration testing, developing software as a contractor, or what? Or do you have a day job? (I won't ask where). Do you have any advice for software engineers seeking an independent career?

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.