Ask Hacker and Security Gadfly Moxie Marlinspike
As a security researcher, Moxie Marlinspike has played a big role in explaining what can go wrong in using Certificate Authorities to authenticate SSL traffic, an issue that's been top of mind this year thanks to compromised and faked certificates. On that front, he's lately come up with a system designed to circumvent CAs entirely, which means bypassing compromised (or invidious) authorities, rather than trying to patch the CA system.
Another line of research, but not the only one, is mobile security and privacy; his Whisper Monitor Android firewall, released earlier this year, gives Android users notifications (and fine-grained permissions) when apps — including location-tracking or malware apps — want to make outbound connections. Possibly related: Moxie can also speak first-hand about what new border-search policies mean for travelers, having had his laptop and phones seized on returning to the U.S. from a trip. (And by the way, he's also an accomplished sailor and film-maker.) Moxie's agreed to answer your questions. Ask as many questions as you'd like, but please, be kind of rewind^wask don't ask unrelated questions in the same post.
Re: (Score:2)
Re: (Score:2)
Probably the same way every maker of guns, or claw hammers, or rope, lock jimmys, or any other physical item does: It's a tool which has no moral standing. It's your fault if you are a douchebag, pedo or sociopath, not the tool's.
So what are the legitimate uses of this tool then? I have no interest in searching for information myself on something created by anyone with such a stupid name.
Incidentally, "tools" such as landmines, thumbscrews, mustard gas or H-bombs have only one real use. Not all tools are neutral.
Re:What is up with the name? (Score:4, Informative)
From this interview [therevolut...itised.com]:
Heather Brooke: Maybe if you could just tell me what you do. Have you created this name as well?
Moxie Marlinspike: No that’s my name. It’s my really real name.
H: Were you born with it?
M: I wasn’t born with it but it is a real name.
H: So you changed your born name to this one.
M: For all intents and purposes this is my real name.
I don't think he wants anyone to know his birth name.
Re: (Score:3)
True names can be dangerous
http://en.wikipedia.org/wiki/True_Names [wikipedia.org]
Is dissent, like the gadfly, easy to swat? (Score:3)
And also, how do you feel about hemlock?
WhisperCore (Score:5, Insightful)
Re:WhisperCore - why not OSS? (Score:2)
Are there business or technical reasons you do not want to open the source code for WhisperCore or any of the sub-projects like WhisperMonitor?
Re: (Score:2)
CarrierIQ (Score:5, Interesting)
Whisper Monitor (Score:3)
Wildcard rules (Score:5, Interesting)
Why is it that prominent security researchers (Score:3)
Re: (Score:2)
Because Bob and Alice are the people sending encrypted data to each other and trying to keep Carman from listening in. Walter? Who is that?
Re: (Score:3)
Re: (Score:1)
Re: (Score:1)
Do you seriously expect a community evaluated primarily on merit not to mod you troll?
What have *you* accomplished?
They have handles. There's a reason they have handles. The handles tend to persist, assuming nobody screws up. Their credibility is based wholly upon their claimed past and present actions.
The guy is an accomplished sailor. Sailors tend to use marlinspikes.
Even if it wasn't a crap question I think /you're/ the one projecting phallic thoughts...
Keep feeling special, cupcake.
Re: (Score:1)
Who writes your paychecks? (Score:5, Interesting)
Re: (Score:1)
At least he sells the WPA Cracker service, but from the stories section of the site, regarding the years of hitchhiking, train hopping, squatting and sailing on a shoestring budget, it could be guessed that he might not be overly concerned about a regular paycheck.
Thoughts on TLS-SRP as a partial solution? (Score:3)
Most secure sites we normally depend on require you to establish an account. Rather than sending our passwords in the "clear" over SSL as everyone is foolishly doing today couldn't part of this problem be solved using trust previously established between you and the site in the form of mutually authenticated credentials?
The best case example would be an online banking site first requiring you to physically come into the office with proper ID. There would no longer be any need for this bank to need to trust or use any third party.
TLS-SRP RFCs have already been written, SSL stacks used by all popular browsers already patched with support... obviously this does not fully eliminate the need for trusted third parties.
Using UPS (Score:2)
For traveling in and out of the USA is using UPS or some other shipping a good idea for moving your laptop to your destination?
Hope for the Future (Score:2, Interesting)
As a security researcher myself - albeit an unknown one - I find myself constantly looking around at the state of security in our always-online world. To say the least, striving for a goal of security where nothing is ever actually secure is disheartening, something akin to a donkey chasing an inedible plastic carrot.
While the cat and mouse games between genuine rob-your-grandmother criminals and (hopefully) 'honorable' types continue today, is there really any hope that this situation won't eventually j
Web of trust versus online consensus (Score:5, Interesting)
If I wanted to validate the hypothetically secure https://slashdot.org/ [slashdot.org] I would be happy seeing an SSL certificate signed by Geeknet's PGP key (assuming they cared enough to be in the strong set), but even happier if it was also signed by a couple certificate authorities and some other folks in the strong set. I would assign partial trust to each of the certificate authorities' root certificates and use PGP to measure the partial trust of other signatures and set a threshold for the security of any SSL site, perhaps requiring "full trust" for automatic acceptance of an SSL certificate, a warning for marginal trust, and a bigger warning for anything less.
One of the primary advantages is separation of privacy and identification; the private key for identifying an entity would only be used to sign SSL certificates, reducing the likelihood of an attacker compromising an identity certificate. Notaries, as in Convergence, would simply be entities who sign a large number of SSL certificates after verifying the owner's identity through the existing trust network. The advantage for notaries is that they would not need to keep their private keys online and would only serve signatures. SSL sites could also just include the signatures in the initial SSL/TLS exchange, shifting bandwidth costs to the entities that benefit from the signatures. Site owners could also pre-distribute new SSL keys to certificate authorities and notaries to obtain signatures similar to the way that the existing PKI works, without relying on projects like Convergence to correctly identify a legitimate key change through heuristics.
The biggest advantage is a much more robust framework for trusting the privacy and identity of web sites. The likelihood of obtaining fraudulent SSL certificates signed by enough entities to achieve full trust is much lower than the likelihood of compromising a single fully trusted root CA or tricking a Convergence-style network into trusting a fraudulent SSL certificate by DNS poisoning or other methods.
Do you think this is a workable and, if so, good idea?
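The threshold scheme the post sketches (partial trust per signer, PGP-style aggregation, accept / warn / warn-strongly) as an added worked example; this is not the poster's code, and the signer names, the trust database and the GnuPG-like thresholds (one full or three marginal signers) are constructed assumptions.

```python
from dataclasses import dataclass

# Owner-trust levels the user assigns to signing keys, PGP-style.
FULL, MARGINAL, UNKNOWN = "full", "marginal", "unknown"

# Thresholds borrowed from GnuPG's defaults (an assumption here): one fully
# trusted signer, or three marginally trusted ones, make a key fully valid.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3

@dataclass
class Signer:
    trust: str             # FULL / MARGINAL / UNKNOWN
    revoked: bool = False  # set True once the signer is known compromised

# Constructed sample trust database: two root CAs get only partial trust,
# the site operator's own strong-set key is fully trusted, a notary is
# marginal, and an unvetted key contributes nothing.
SIGNERS = {
    "CA-A": Signer(MARGINAL),
    "CA-B": Signer(MARGINAL),
    "Geeknet-PGP": Signer(FULL),
    "Notary-X": Signer(MARGINAL),
    "Random-Key": Signer(UNKNOWN),
}

def cert_validity(signatures, signers=SIGNERS):
    """Combine the signatures on one SSL certificate into 'full', 'marginal'
    or 'none', counting each distinct signer once and skipping revoked or
    unknown signers."""
    full = marginal = 0
    for name in set(signatures):
        s = signers.get(name)
        if s is None or s.revoked:
            continue
        if s.trust == FULL:
            full += 1
        elif s.trust == MARGINAL:
            marginal += 1
    if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return "full"
    if full or marginal:
        return "marginal"
    return "none"

def browser_action(signatures, signers=SIGNERS):
    """Map validity to the UI behaviour the post describes."""
    return {"full": "accept", "marginal": "warn",
            "none": "warn-strongly"}[cert_validity(signatures, signers)]
```

A certificate carrying only one compromised root CA's signature never rises above "warn", and marking that CA revoked drops it to "warn-strongly" while a legitimately multi-signed certificate merely loses one marginal vote.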
Re: (Score:2)
Or to put it another way: why not Monkeysphere? (Score:3)
There is a project called Monkeysphere [monkeysphere.info] which has been working on doing this and much more with PGP for a while. They support SSL certificates in the browser (with some difficulty) and SSH host key authentication, and generally aim to bridge the PGP web of trust with other tools to decentralize the work of certification authorities.
How does Convergence compare with Monkeysphere? Why didn't you collaborate with the Monkeysphere project instead of starting your own?
Re: (Score:2)
WhisperMonitor primitives (Score:2)
It seems to currently work on Nexus and nothing else. Are you going to give community guidance as to how to sandbox the OS or calls, so that others can watch the cockroaches? I don't even mind rooting the phone, if I can find ways to get a mirror of application outbound system calls documented. Sure would be nice......
And to think... (Score:2)
... it was only yesterday I posted about this: http://slashdot.org/comments.pl?sid=2538008&cid=38142128 [slashdot.org]
Moxie, I got to attend your Keynote at OWASP Con, great stuff!
security and society (Score:3)
In addition to being a very sharp security researcher, you seem to have a strong interest in issues of social and political control.
What emerging security trends do you see as being most important or helpful for authoritarians (at home and abroad)?
What security trends are most important for anti-establishment movements?
Hold Fast (Score:1)
Hold Fast inspired me to learn more about sailing and eventually join a crew and earn my sea legs (see http://www.instructables.com/id/How-to-Get-a-Free-Yacht/). I'm also involved in seasteading (http://seasteading.org) and Ephemerisle (http://ephemerisle.org). I'd love to hear your thoughts on security, survival and life on the open sea. Would you consider joining us at the next Ephemerisle on the Sacramento River in June 2012? If you don't have one of your own, you'd be most welcome to stay on our boa
Is everyone just re-inventing _parts_ of the WoT? (Score:2)
It seemed to me that what Perspectives notaries do, as expressed in OpenPGP-speak, is act as a sophisticated Robot CA. (Is this wrong?) Is a Convergence notary "merely" a more sophisticated Robot CA, or does it provide information which couldn't be represented in a Web of Trust?
Sovereign Keys (Score:2)
What do you think of the EFF Sovereign Keys proposal?
https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure [eff.org]
bootstrapping -- notary trust (Score:2)
Do you see the matter of how users come to trust the notaries themselves as a concern? What methods do you see for assuring users that a list of notaries is in fact recommended by a given party? I see notaries distributed with the Convergence plug-in (is the distribution signed?), but doubtlessly that's not meant as a steady-state solution as it does not promote trust agility.
Have you considered notary list configuration based on "subscriptions" à la AdBlock lists? For example, if the EFF periodic
Hardware for the traveling hacker (Score:2)
Hi Moxie -
I'd be interested to know more about the hardware and/or platform you use on a daily/regular basis to do your work/research. I would assume that with your 'itinerant' lifestyle you have had to make choices and compromises in this area. IIRC, you "temporarily bought" ;) a laptop to edit Hold Fast, but that isn't something you do on a regular basis - is it? Are there any suggestions/tips/tricks about hardware or methods that you'd care to share for the traveling hacker with the above in mind?
As an a
miscellaneous topical ideas (Score:2)
I don't expect this list to make it as one of the high-rated questions; I'm just offering it as food for thought and on the off chance that Mr. Marlinspike would find interest in addressing any of its ideas.
Automatic Vetting of Notaries
What if the software monitored performance of notaries over time (checking concordance, availability, misbehavior of whatever sort, etc.) and internally rated the notaries, even disabling (and perhaps reporting) badly behaving ones?
Redundancy
What about a configuration option
how bad is it? (Score:2)
How insecure would you say the current CA model is? Looking at the fundamentals (logical OR of 600 CAs v. bell curve of their performance) I feel like it's "well and truly fucked".
How relatively secure would you say the Convergence system (as a concept) is? (Or if you want to address the actual implementation's relative security, please do.)
Choice of name (Score:2)
Completely unrelated to your work, but the name "Moxie Marlinspike" sounds wonderful. It's obvious why you chose "Marlinspike", after all as a sailor it's an object that you may have found useful (and it's not that uncommon to have a last name that is a tool or a trade). But the first name you chose - why did you choose it? Looking around for references to Moxie the most prominent one is for one of the earliest carbonated beverages sold in the world, which doesn't sound too probable as an origin.
Switch from Perspectives? (Score:2)
Hello Moxie,
I'm already using the Perspectives extension (and not sure what benefit I'm getting from that)... Why should I switch from Perspectives to Convergence?