Ask Hacker and Security Gadfly Moxie Marlinspike

Posted by timothy
from the pre-thanksgiving-treat dept.
As a security researcher, Moxie Marlinspike has played a big role in explaining what can go wrong in using Certificate Authorities to authenticate SSL traffic, an issue that's been top of mind this year thanks to compromised and faked certificates. On that front, he's lately come up with a system designed to circumvent CAs entirely, which means bypassing compromised (or invidious) authorities, rather than trying to patch the CA system. Another line of research, but not the only one, is mobile security and privacy; his Whisper Monitor Android firewall, released earlier this year, gives Android users notifications (and fine-grained permissions) when apps — including location-tracking or malware apps — want to make outbound connections. Possibly related: Moxie can also speak first-hand about what new border-search policies mean for travelers, having had his laptop and phones seized on returning to the U.S. from a trip. (And by the way, he's also an accomplished sailor and film-maker.) Moxie's agreed to answer your questions. Ask as many questions as you'd like, but please, be kind of rewind^wask don't ask unrelated questions in the same post.
This discussion has been archived. No new comments can be posted.

  • by elrous0 (869638) * on Wednesday November 23, 2011 @02:21PM (#38150608)

    And also, how do you feel about hemlock?

  • WhisperCore (Score:5, Insightful)

    by dark_requiem (806308) on Wednesday November 23, 2011 @02:22PM (#38150626)
    I really like the idea behind WhisperCore. The problem, as I see it, is that it's only available for two devices, and the Android source is updated regularly, making it difficult to keep WhisperCore up to date with the latest version of Android. Also, there are a wide variety of existing ROMs, each sporting its own array of features, but WhisperCore is the only one focusing on full-device encryption and a quality firewall interface. Given that security is becoming more critical on mobile devices, I would love to see WhisperCore's functionality integrated into every ROM. Have you given any consideration to integrating the WhisperCore project into an existing community such as CyanogenMod, or opening the source to build a community around WhisperCore? It would definitely help with making it available on more devices.
    • Are there business or technical reasons you do not want to open the source code for WhisperCore or any of the sub-projects like WhisperMonitor?

  • CarrierIQ (Score:5, Interesting)

    by nnet (20306) on Wednesday November 23, 2011 @02:23PM (#38150636) Homepage Journal
    Does Whisper Monitor stop CarrierIQ as well?
  • by dark_requiem (806308) on Wednesday November 23, 2011 @02:24PM (#38150648)
    As a followup to my previous question, have you considered releasing Whisper Monitor as a standalone app for rooted devices, rather than integrating it exclusively with WhisperCore?
  • Wildcard rules (Score:5, Interesting)

    by PacoBell (1569041) on Wednesday November 23, 2011 @02:34PM (#38150734)
    Moxie, please oh please add the ability to use wildcards for a range of IPs and subdomains. The tedium of creating rules ad nauseam for certain CDNs outweighs the utility of the firewall itself. This is a major usability issue. Please look into it. Thanks.
  • by al0ha (1262684) on Wednesday November 23, 2011 @02:35PM (#38150740) Journal
    Why is it that prominent security researchers have names like Moxie, Trevor and Tavis and not Bob, Alice or Walter?
  • by SirGarlon (845873) on Wednesday November 23, 2011 @02:58PM (#38150948)
    From your Web site it looks like you've worn a number of hats. How do you mainly earn your living -- by penetration testing, developing software as a contractor, or what? Or do you have a day job? (I won't ask where). Do you have any advice for software engineers seeking an independent career?
    • by tusam (1851540)

      At least he sells the WPA Cracker service, but from the stories section of the site, regarding the years of hitchhiking, train hopping, squatting and sailing on a shoestring budget, it could be guessed that he might not be overly concerned about a regular paycheck.

  • by WaffleMonster (969671) on Wednesday November 23, 2011 @02:59PM (#38150962)

    Most secure sites we normally depend on require you to establish an account. Rather than sending our passwords in the "clear" over SSL as everyone is foolishly doing today couldn't part of this problem be solved using trust previously established between you and the site in the form of mutually authenticated credentials?

    The best case example would be an online banking site first requiring you to physically come into the office with proper ID. There would no longer be any need for this bank to need to trust or use any third party.

    TLS-SRP RFCs have already been written, SSL stacks used by all popular browsers already patched with support... obviously this does not fully eliminate the need for trusted third parties.

  • by koan (80826)

    For traveling in and out of the USA is using UPS or some other shipping a good idea for moving your laptop to your destination?

  • Hope for the Future (Score:2, Interesting)

    by Anonymous Coward

    As a security researcher myself - albeit an unknown one - I find myself constantly looking around at the state of security in our always-online world. To say the least, striving for a goal of security where nothing is ever actually secure is disheartening, something akin to a donkey chasing an inedible plastic carrot.

    While the cat and mouse games between genuine rob-your-grandmother criminals and (hopefully) 'honorable' types continue today, is there really any hope that this situation won't eventually j

  • by DamnStupidElf (649844) <Fingolfin@linuxmail.org> on Wednesday November 23, 2011 @03:29PM (#38151260)
    PGP provides a model for partial trust in a public key based on the trust placed in signers of that key. I think a similar model would work much better for SSL certificates than either the current forest of fully trusted root CAs or projects like Convergence because it would allow long term trust in entities instead of merely the ephemeral keys used for SSL connections while also providing offline security and the ability to separate the keys used for privacy and identification.

    If I wanted to validate the hypothetically secure https://slashdot.org/ [slashdot.org] I would be happy seeing an SSL certificate signed by Geeknet's PGP key (assuming they cared enough to be in the strong set), but even happier if it was also signed by a couple certificate authorities and some other folks in the strong set. I would assign partial trust to each of the certificate authorities' root certificates and use PGP to measure the partial trust of other signatures and set a threshold for the security of any SSL site, perhaps requiring "full trust" for automatic acceptance of an SSL certificate, a warning for marginal trust, and a bigger warning for anything less.

    One of the primary advantages is separation of privacy and identification; the private key for identifying an entity would only be used to sign SSL certificates, reducing the likelihood of an attacker compromising an identity certificate. Notaries, as in Convergence, would simply be entities who sign a large number of SSL certificates after verifying the owner's identity through the existing trust network. The advantage for notaries is that they would not need to keep their private keys online and would only serve signatures. SSL sites could also just include the signatures in the initial SSL/TLS exchange, shifting bandwidth costs to the entities that benefit from the signatures. Site owners could also pre-distribute new SSL keys to certificate authorities and notaries to obtain signatures similar to the way that the existing PKI works, without relying on projects like Convergence to correctly identify a legitimate key change through heuristics.

    The biggest advantage is a much more robust framework for trusting the privacy and identity of web sites. The likelihood of obtaining fraudulent SSL certificates signed by enough entities to achieve full trust is much lower than the likelihood of compromising a single fully trusted root CA or tricking a Convergence-style network into trusting a fraudulent SSL certificate by DNS poisoning or other methods.

    Do you think this is a workable and, if so, good idea?
    • I do. [slashdot.org]
    • There is a project called Monkeysphere [monkeysphere.info] which has been working on doing this and much more with PGP for a while. They support SSL certificates in the browser (with some difficulty) and SSH host keys authentication, and generally aim to bridge the PGP web of trust with other tools to decentralize the work of certification authorities.

      How does Convergence compare with Monkeysphere? Why didn't you collaborate with the Monkeysphere project instead of starting your own?
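
Added example (not part of any comment in this thread): a sketch of the threshold scheme DamnStupidElf proposes above, where a certificate is accepted only when distinct signers add up to full trust. The weights follow GnuPG's default of one full or three marginal signers; the signer names, the trust database and the certificate bytes are constructed, and signature verification is assumed to have happened before scoring.

```python
from fractions import Fraction
from hashlib import sha256

# Assumed weights, modelled on GnuPG's defaults (one fully trusted signer
# or three marginally trusted signers make a key valid).
FULL = Fraction(1)
MARGINAL = Fraction(1, 3)

# Constructed trust database: signer id -> weight the user assigned.
TRUST_DB = {"geeknet-pgp": FULL, "ca-alpha": MARGINAL,
            "ca-beta": MARGINAL, "notary-1": MARGINAL}

def fingerprint(cert: bytes) -> str:
    return sha256(cert).hexdigest()

def score(cert, endorsements, trust_db=TRUST_DB):
    """Sum the weights of distinct, known signers of this exact certificate.

    endorsements is a list of (signer_id, signed_fingerprint) pairs; the
    signatures themselves are assumed to be verified already.
    """
    fp, counted, total = fingerprint(cert), set(), Fraction(0)
    for signer, signed_fp in endorsements:
        if signed_fp != fp:          # endorsement of some other certificate
            continue
        if signer in counted:        # a signer counts once, however often it signs
            continue
        if signer not in trust_db:   # unknown signers carry no weight
            continue
        counted.add(signer)
        total += trust_db[signer]
    return total

def decide(cert, endorsements, trust_db=TRUST_DB):
    s = score(cert, endorsements, trust_db)
    if s >= FULL:
        return "accept"        # automatic acceptance
    if s >= MARGINAL:
        return "warn"          # marginal trust: warn the user
    return "strong-warn"       # anything less: bigger warning

# Constructed sample data (placeholder bytes, not real certificates).
GENUINE = b"constructed certificate for slashdot.org"
FORGED = b"constructed forged certificate for slashdot.org"
GOOD = [(s, fingerprint(GENUINE)) for s in ("ca-alpha", "ca-beta", "notary-1")]
# One compromised CA signs the forgery twice; an unknown key also signs it.
BAD = [("ca-alpha", fingerprint(FORGED))] * 2 + [("mallory", fingerprint(FORGED))]

if __name__ == "__main__":
    print(decide(GENUINE, GOOD), decide(FORGED, BAD), decide(FORGED, GOOD))
```

With these weights a single compromised marginal signer can never push a forged certificate past the warning level, which is the property the comment contrasts with a single fully trusted root CA.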

  • It seems to currently work on Nexus and nothing else. Are you going to give community guidance as to how to sandbox the OS or calls, so that others can watch the cockroaches? I don't even mind rooting the phone, if I can find ways to get a mirror of application outbound system calls documented. Sure would be nice......

  • ... it was only yesterday I posted about this: http://slashdot.org/comments.pl?sid=2538008&cid=38142128 [slashdot.org]

    Moxie, I got to attend your Keynote at OWASP Con, great stuff!

  • by xappax (876447) on Wednesday November 23, 2011 @03:45PM (#38151412)

    In addition to being a very sharp security researcher, you seem to have a strong interest in issues of social and political control.
    What emerging security trends do you see as being most important or helpful for authoritarians (at home and abroad)?
    What security trends are most important for anti-establishment movements?

  • by Anonymous Coward

    Hold Fast inspired me to learn more about sailing and eventually join a crew and earn my sea legs (see http://www.instructables.com/id/How-to-Get-a-Free-Yacht/). I'm also involved in seasteading (http://seasteading.org) and Ephemerisle (http://ephemerisle.org). I'd love to hear your thoughts on security, survival and life on the open sea. Would you consider joining us at the next Ephemerisle on the Sacramento River in June 2012? If you don't have one of your own, you'd be most welcome to stay on our boa

  • It seemed to me that what Perspectives notaries do, as expressed in OpenPGP-speak, is act as sophisticated Robot CA. (Is this wrong?) Is a Convergence notary "merely" a more sophisticated Robot CA, or does it provide information which couldn't be represented in a Web of Trust?

  • Do you see the matter of how users come to trust the notaries themselves as a concern? What methods do you see for assuring users that a list of notaries is in fact recommended by a given party? I see notaries distributed with the Convergence plug-in (is the distribution signed?), but doubtlessly that's not meant as a steady-state solution as it does not promote trust agility.

    Have you considered notary list configuration based on "subscriptions" à la AdBlock lists? For example, if the EFF periodic

  • Hi Moxie -

    I'd be interested to know more about the hardware and/or platform you use on a daily/regular basis to do your work/research. I would assume that with your 'itinerant' lifestyle you have had to make choices and compromises in this area. IIRC, you "temporarily bought" ;) a laptop to edit Hold Fast, but that isn't something you do on a regular basis - is it? Are there any suggestions/tips/tricks about hardware or methods that you'd care to share for the traveling hacker with the above in mind?

    As an a

  • I don't expect this list to make it as one of the high-rated questions; I'm just offering it as food for thought and in the off chance that Mr. Marlinspike would find interest in addressing any of its ideas.

    Automatic Vetting of Notaries
    What if the software monitored performance of notaries over time (checking concordance, availability, misbehavior of whatever sort, etc.) and internally rated the notaries, even disabling (and perhaps reporting) badly behaving ones?

    Redundancy
    What about a configuration option

  • How insecure would you say the current CA model is? Looking at the fundamentals (logical OR of 600 CAs v. bell curve of their performance) I feel like it's "well and truly fucked".

    How relatively secure would you say the Convergence system (as a concept) is? (Or if you want to address the actual implementation's relative security, please do.)

  • Completely unrelated to your work, but the name "Moxie Marlinspike" sounds wonderful. It's obvious why you chose "Marlinspike", after all as a sailor it's an object that you may have found useful (and it's not that uncommon to have a last name that is a tool or a trade). But the first name you chose - why did you choose it? Looking around for references to Moxie the most prominent one is for one of the earliest carbonated beverages sold in the world, which doesn't sound too probable as an origin.

  • Hello Moxie,

    I'm already using the Perspectives extension (and not sure what benefit I'm getting from that)... Why should I switch from Perspectives to Convergence?
