nettime's avid reader on Wed, 15 May 2013 09:30:21 +0200 (CEST)



<nettime> Black hat, white hat, green hat hackers



http://www.thoughtcrime.org/blog/saudi-surveillance/

Last week I [Moxie Marlinspike] was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they’re working on in that country. Having published two reasonably popular MITM tools, it’s not uncommon for me to get emails requesting that I help people with their interception projects. I typically don’t respond, but this one (an email titled “Solution for monitoring encrypted data on telecom”) caught my eye.
I was interested to know more about what they were up to, so I wrote 
back and asked. After a week of correspondence, I learned that they are 
organizing a program to intercept mobile application data, with specific 
interest in monitoring:
    Mobile Twitter
    Viber
    Line
    WhatsApp

I was told that the project is being managed by Yasser D. Alruhaily, Executive Manager of the Network & Information Security Department at Mobily. The project’s requirements come from “the regulator” (which I assume means the government of Saudi Arabia). The requirements are the ability to both monitor and block mobile data communication, and apparently they already have blocking setup. Here’s a sample snippet from one email:
    From: Yasser Alruhaily <…….. .. .@mobily.com.sa>
    Date: Thursday, May 2, 2013 1:04 PM
    Subject: Re: As discussed last day .further discussion

    we are working in defining a way to deal with all such requirements from regulator and it is not only for Whatsapp, it is for whatsapp, line, viber, twitter etc..
    So, what we need your support in is the following:

        is there any technical way that allow for interception these traffic?
        Is there any company or vendor could help us on this regard?
        is there any telecom company they implement any solution or workaround?
One of the design documents that they volunteered specifically called 
out compelling a CA in the jurisdiction of the UAE or Saudi Arabia to 
produce SSL certificates that they could use for interception. A 
considerable portion of the document was also dedicated to a discussion 
of purchasing SSL vulnerabilities or other exploits as possibilities.
Their level of sophistication didn’t strike me as particularly 
impressive, and their existing design document was pretty confused in a 
number of places, but Mobily is a company with over 5 billion in 
revenue, so I’m sure that they’ll eventually figure something out.
What’s depressing is that I could have easily helped them intercept 
basically all of the traffic they were interested in (except for Twitter 
– I helped write that TLS code, and I think we did it well). They later 
told me they’d already gotten a WhatsApp interception prototype working, 
and were surprised by how easy it was. The bar for most of these apps is 
pretty low.
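The compelled-CA idea in Mobily's design document works because a stock TLS client accepts a server certificate from any CA in its trust store, so a certificate minted by a compelled CA for whatsapp.com or viber.com passes ordinary chain validation. What stops it is the client knowing which key it expects, which is the kind of hardening the post credits Twitter's TLS code with. The Go program below is an added editorial example, not code from the post, from Mobily, or from any of the apps named: it builds two constructed test roots that the client trusts, a legitimate server certificate and a "compelled" one for the same hostname, and shows that the rogue certificate passes plain chain validation but fails an SPKI pin check. The hostname, the root names and the HPKP-style pin format are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed root. Constructed test data, not a real CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newLeaf issues a server certificate for host signed by ca. Nothing in X.509
// ties a hostname to one issuer, so any trusted CA can mint one for any host.
func newLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo: the value an app
// ships with its code so it can recognise its own server's key.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainOK is what a stock TLS client checks: a valid chain to any trusted root
// plus a hostname match. A compelled CA in the trust store satisfies this.
func ChainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// PinOK adds the pin: the chain must be valid AND the server key must be the expected one.
func PinOK(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) bool {
	return ChainOK(leaf, roots, host) && SPKIPin(leaf) == pin
}

type Result struct {
	LegitChain, LegitPin, RogueChain, RoguePin bool
}

// Scenario: the client trusts both roots; the second is compelled to issue a
// rogue certificate for host. Only the pin check tells the two apart.
func Scenario(host string) Result {
	goodCA, goodKey := newCA("Legit Root (test)")
	badCA, badKey := newCA("Compelled Root (test)")
	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(badCA)

	legit := newLeaf(host, goodCA, goodKey)
	pin := SPKIPin(legit) // captured when the app was built
	rogue := newLeaf(host, badCA, badKey)

	return Result{
		LegitChain: ChainOK(legit, roots, host), LegitPin: PinOK(legit, roots, host, pin),
		RogueChain: ChainOK(rogue, roots, host), RoguePin: PinOK(rogue, roots, host, pin),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario("api.example.com"))
}
```

Running it prints a Result in which both certificates pass ChainOK and only the legitimate one passes PinOK. The caveat a practitioner will want: pinning the leaf key means a key rotation on the server breaks old clients unless a backup pin is shipped, which is why real deployments pin a set of keys (or an intermediate) rather than a single leaf.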
In The Name Of Terror

When they eventually asked me for a price quote, and I indicated that I wasn’t interested in the job for privacy reasons, they responded with this:
    I know that already and I have same thoughts like you freedom and
    respecting privacy, actually Saudi has a big terrorist problem and they
    are misusing these services for spreading terrorism and contacting and
    spreading their cause that’s why I took this and I seek your help. If
    you are not interested than maybe you are on indirectly helping those
    who curb the freedom with their brutal activities.
So privacy is cool, but the Saudi government just wants to monitor 
people’s tweets because… terrorism. The terror of the re-tweet.
But the real zinger is that, by not helping, I might also be a 
terrorist. Or an indirect terrorist, or something.
While this email is obviously absurd, it’s the same general logic that 
we will be confronted with over and over again: choose your team. Which 
would you prefer? Bombs or exploits. Terrorism or security. Us or them. 
As transparent as this logic might be, sometimes it doesn’t take much 
when confirming to oneself that the profitable choice is also the right 
choice.
If I absolutely have to frame my choices as an either-or, I’ll choose 
power vs. people.
Culture Over Time

I know that, even though I never signed a confidentiality agreement, and even though I simply asked questions without signaling that I wanted to participate, it’s still somewhat rude of me to publish details of correspondence with someone else.
I’m being rude by publishing this correspondence with Mobily, not only 
because it’s substantially more rude of them to be engaged in 
massive-scale eavesdropping of private communication, but because I 
think it’s part of a narrative that we need to consider. What Mobily is 
up to is what’s currently happening everywhere, and we can’t ignore that.
Over the past year there has been an ongoing debate in the security 
community about exploit sales. For the most part, the conversation has 
focused on legality and whether exploit sales should be regulated.
I think the more interesting question is about culture: what do we in 
the hacker community value and prioritize, and what is the type of 
behavior that we want to encourage?
Let’s take stock. One could make the case that the cultural origins of 
exploit sales are longstanding. Since at least the 90’s, there has been 
an underlying narrative within the hacker community of not “blowing up” 
or “killing” bugs. A tension against that discipline began with the 
transition from a “hacker community” to a “security industry,” and the 
unease created by that tension peaked in the early 2000’s, manifested 
most clearly by the infamous AntiSec movement.
Fundamentally, AntiSec tried to reposition the “White Hat” vs “Black 
Hat” debate by suggesting that there are no “White Hats,” only “Green 
Hats” – the color of money.
As someone who also regretted what money had done to the hacker 
community, I was largely sympathetic with AntiSec. If I’m really honest 
with myself, though, my interest in the preservation of 0day was also 
because there was something fun about an insecure internet at the time, 
particularly since that insecurity predominantly tended to be leveraged 
by a class of people that I generally liked against a class of people 
that I generally disliked.
In short, there was something about not publishing 0day that signaled 
affiliation with the “hacker community” rather than the “security industry.”
The Situation Today

In many ways, it’s possible that we’re still largely operating based on those original dynamics. Somewhere between then and now, however, there was an inflection point. It’s hard to say exactly when it happened, but these days, the insecurity of the internet is now more predominantly leveraged by people that I dislike against people that I like. More often than not, that’s by governments against people.
Simultaneously, the tension between “0day” vs “publish” has largely 
transformed into “sell secretly” vs “publish.” In a sense, the AntiSec 
narrative has undergone a full inversion: this time, there are no “Black 
Hats” anymore, only “Green Hats” – the color of money.
There are still outliers, such as Anonymous (to the extent that it’s 
possible to be sympathetic with an unguided missile), but what’s most 
significant about their contribution is that they’re not using 0day at all.
Forgetting the question of legality, I hope that we can collectively 
look at this changing dynamic and perhaps re-evaluate what we culturally 
reward. I’d much rather think about the question of exploit sales in 
terms of who we welcome to our conferences, who we choose to associate 
with, and who we choose to exclude, than in terms of legal regulations. 
I think the contextual shift we’ve seen over the past few years requires 
that we think critically about what’s still cool and what’s not.
Maybe this is an unpopular opinion and the bulk of the community is 
totally fine with how things have gone (after all, it is profitable). 
There are even explicitly patriotic hackers who suggest that their 
exploit sales are necessary for the good of the nation, seeing 
themselves as protagonists in a global struggle for the defense of 
freedom, but having nothing to do with these ugly situations in Saudi 
Arabia. Once exploits are sold to US defense contractors, however, it’s 
very possible they could end up delivered directly to the Saudis (eg, 
eg, eg), where it would take some even more substantial handwaving to 
think that they’ll serve in some liberatory way.
For me at least, these changes have likely influenced what I choose to 
publish rather than hold, and have probably caused me to spend more time 
attempting to develop solutions for secure communication than the type 
of work I was doing before.
It’s Happening

Really, it’s no shock that Saudi Arabia is working on this, but it is interesting to get fairly direct evidence that it’s happening. More to the point, if you’re in Saudi Arabia (or really anywhere), it might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements), because now we know for sure that they’re watching.
For the rest of us, I hope we can talk about what we can do to stop 
those who are determined to make this a reality, as well as the ways 
that we’re already inadvertently a part of that reality’s making.


#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org