I linked to this yesterday, but overlooked the REALLY GOOD thoughts on the ethics of security.
Moxie Marlinspike gets pitched by a Saudi telecom to help develop systems for spying on the Saudi population, declines and goes public instead.
Choice quote: “[the shifts towards exploits getting bought by companies/governments] have likely influenced what I choose to publish rather than hold, and have probably caused me to spend more time attempting to develop solutions for secure communication than the type of work I was doing before.”
I think I’ve said this before… what we need is good defensive security. I don’t really agree with Marlinspike’s focus on smartphones as a “secure” communications platform — they can’t be, in a world where anyone can alter the firmware on your device remotely! — but at least he’s putting in the effort.
Marlinspike also touches on something really important, if briefly. In a sense, the computer hacking community has finally lost any vestige of innocence: “If I’m really honest with myself, though, my interest in the preservation of 0day was also because there was something fun about an insecure internet at the time, particularly since that insecurity predominantly tended to be leveraged by a class of people that I generally liked against a class of people that I generally disliked.”
Now it’s the other way around.
“So privacy is cool, but the Saudi government just wants to monitor people’s tweets because… terrorism. The terror of the re-tweet.
But the real zinger is that, by not helping, I might also be a terrorist. Or an indirect terrorist, or something.
While this email is obviously absurd, it’s the same general logic that we will be confronted with over and over again: choose your team. Which would you prefer? Bombs or exploits. Terrorism or security. Us or them. As transparent as this logic might be, sometimes it doesn’t take much when confirming to oneself that the profitable choice is also the right choice.
If I absolutely have to frame my choices as an either-or, I’ll choose power vs. people.[…]
Over the past year there has been an ongoing debate in the security community about exploit sales. For the most part, the conversation has focused on legality and whether exploit sales should be regulated.
I think the more interesting question is about culture: what do we in the hacker community value and prioritize, and what is the type of behavior that we want to encourage?[…]
If I’m really honest with myself, though, my interest in the preservation of 0day was also because there was something fun about an insecure internet at the time, particularly since that insecurity predominantly tended to be leveraged by a class of people that I generally liked against a class of people that I generally disliked.[…]
I’d much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations. I think the contextual shift we’ve seen over the past few years requires that we think critically about what’s still cool and what’s not.[…]
For me at least, these changes have likely influenced what I choose to publish rather than hold, and have probably caused me to spend more time attempting to develop solutions for secure communication than the type of work I was doing before.
Really, it’s no shock that Saudi Arabia is working on this, but it is interesting to get fairly direct evidence that it’s happening. More to the point, if you’re in Saudi Arabia (or really anywhere), it might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements), because now we know for sure that they’re watching.
For the rest of us, I hope we can talk about what we can do to stop those who are determined to make this a reality, as well as the ways that we’re already inadvertently a part of that reality’s making.”