Wanted: Cyber spy for hire. Must be willing to crack existing products to allow repressive governments to snoop on their citizens and/or prevent them from communicating with each other. Salary commensurate with experience; moral flexibility a must.
While this want ad doesn't actually exist, ones very much like it do -- though it's unlikely you'll find them posted on Monster.com. There's a thriving gray market of companies working for governments that seek to insinuate themselves into social networks like Twitter and Facebook, the better to identify and silence "terrorists" (insert your own definition here).
[ Cash in on your IT stories! Send your IT tales to offtherecord@infoworld.com. If we publish it, we'll keep you anonymous and send you a $50 American Express gift cheque. | For a humorous take on the tech industry's shenanigans, subscribe to Robert X. Cringely's Notes from the Underground newsletter. | Get the latest insight on the tech news that matters from InfoWorld's Tech Watch blog. ]
Today's example comes to us via blog post by hacker/security wonk Moxie Marlinspike. Yes, he has a name like an animated supervillain, but he also sports an impressive resume. As an independent security researcher, Marlinspike (whose birth name is probably Matthew Rosenfeld) has developed tools for enhancing privacy on Google and Android handsets. He's also created tools for launching man-in-the-middle attacks -- allowing hackers to secretly intercept otherwise secure communications between a user and, say, a bank or other secure network, then use that information for nefarious purposes.
You're either with us or against us
That's probably why he was contacted by Mobily, a $5 billion telecom based in Saudi Arabia. Mobily wanted him to develop a way to bypass SSL certificates in a handful of apps, including Twitter, Viber, Line, and WhatsApp. When he asked why the Saudis would want to do that, he received the standard answer: to fight the spread of "terrorism." He writes:
So privacy is cool, but the Saudi government just wants to monitor people's tweets because... terrorism. The terror of the retweet.
But the real zinger is that, by not helping, I might also be a terrorist. Or an indirect terrorist, or something.
While this email is obviously absurd, it's the same general logic that we will be confronted with over and over again: choose your team. Which would you prefer? Bombs or exploits. Terrorism or security. Us or them.
Instead of signing on and cashing a big check, however, Marlinspike declined the offer and decided to publicize the email string. He writes:
I'm being rude by publishing this correspondence with Mobily, not only because it's substantially more rude of them to be engaged in massive-scale eavesdropping of private communication, but because I think it's part of a narrative that we need to consider. What Mobily is up to is what's currently happening everywhere, and we can't ignore that.
Over the past year there has been an ongoing debate in the security community about exploit sales. For the most part, the conversation has focused on legality and whether exploit sales should be regulated.
I think the more interesting question is about culture: what do we in the hacker community value and prioritize, and what is the type of behavior that we want to encourage?