Marlinspike: Saudi mobe network tried to recruit me to sniff citizens' privates

Gov plans to probe tweets, chat, claims crypto guru

5 things you didn’t know about cloud backup

Claims that a Saudi mobile network is attempting to spy on citizens emerged after the telco apparently tried to recruit top cryptographer Moxie Marlinspike - who promptly went public.

The cryptography expert and former hacker, who left Twitter's security team in January, said he had been asked to help Mobily in its state-backed project to monitor encrypted chat sent by Twitter, Viber, WhatsApp and other third-party smartphone natter apps.

Just two months ago, the Saudi telecommunications regulator was reported to have warned that encrypted messaging services including Skype, Viber and WhatsApp could be blocked if they did not provide the government the means to monitor the apps. Saudi papers at the time said the affected firms had been given one month to respond.

Marlinspike has published emails exchanged between himself and someone who appears to be a high-ranking executive at the mobile telco, who apparently tried to hire the noted software engineer. The network is investigating the claims, we're told. A spokesman told the WSJ that Marlinspike's "account of of his contacts with Mobily 'is not 100% accurate'."

Mobily, one of two telecom operators in Saudi Arabia, is believed to be under pressure from a regulator within the kingdom to wiretap the aforementioned apps. Its bosses, it is claimed, sought technical knowhow from Marlinspike, who created a tool that intercepted secure web traffic to highlight shortcomings in HTTPS and SSL.

But the expert would have been a rather poor recruitment target: he co-founded Whisper Systems, a company which provided free encrypted cellphone comms technology to dissidents in Egypt during the time of the Arab Spring uprising. And he devised the Convergence SSL system to strengthen the bedrock of cryptography HTTPS web browsing is built on.

Whisper was bought by Twitter in 2011, and Marlinspike worked on the social network's software security team after the acquisition. All of this makes Marlinspike a highly unlikely recruit for a state-sponsored surveillance project.

Nonetheless, according to the engineer and keen sailor, Mobily sent him an email titled Solution for monitoring encrypted data on telecom that outlined its requirements for the dragnet lawful interception project. Despite the telco's apparent lack of communications security skills, with the funds available at its disposal, it will eventually come up with a mobile snooping system that works, Marlinspike lamented on his blog. He claimed:

One of the design documents that they volunteered specifically called out compelling a CA [Certificate Authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception. A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities.

Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over 5 billion in revenue, so I’m sure that they’ll eventually figure something out.

What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter – I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low.

The discussion between the Mobily employee and Marlinspike progressed until, we're told, the SSL expert was asked for a price quote - at which point he declined stating he wasn't interested in the job for privacy reasons.

Undaunted, according to the published emails, the Mobily pitchman responded that the project was needed in order to spy on the local jihadis, going so far to suggest that Marlinspike was "indirectly helping those who curb the freedom with their brutal activities" by not getting involved with the wiretap project.

Marlinspike has little doubt that other telecom providers in multiple countries are running surveillance projects similar to the one described above, hence his decision to publish the messages.

"I’m being rude by publishing this correspondence with Mobily, not only because it’s substantially more rude of them to be engaged in massive-scale eavesdropping of private communication, but because I think it’s part of a narrative that we need to consider," he said. "What Mobily is up to is what’s happening everywhere, and we can’t ignore that."

In his blog post Marlinspike went on to talk about changes in hacking culture, increased commercialism, governments and defence contractors splashing cash all over exploit marketplaces to becoming the biggest consumers of attack code, and private citizens becoming a principal target. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story


Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.