Saudi Arabian Telco Asks Pro-Privacy Researcher To Help Them Spy On Citizens, Hilarity & Then Seriousness Ensues
from the perhaps-google-the-person-you're-contacting-first dept
Via Chris Soghoian, we learn that a Saudi Arabian telecom company (one of just two) contacted well-known pro-privacy researcher Moxie Marlinspike recently to see if he might help them intercept communications from a variety of popular communications apps, including Twitter, Viber, Line and WhatsApp. Curious about what they wanted, Marlinspike emailed with them a bit, and then published what he was told -- including the fact that they later told him they very quickly and easily figured out how to intercept WhatsApp communications. Eventually, he told them that he wouldn't work with them, and the guy he was communicating with told him by not helping the Saudi government intercept communications, he was helping the terrorists:I know that already and I have same thoughts like you freedom and respecting privacy, actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause that’s why I took this and I seek your help. If you are not interested than maybe you are on indirectly helping those who curb the freedom with their brutal activities.From there, however, Marlinspike goes on into a very interesting discussion, well worth reading, about changes in the hacker/security community lately and the lucrative business of selling 0day exploits (often to governments) rather than publishing them and getting things fixed.
Exploits will be exploited. Helping anyone to make use of them means that eventually they're going to get exploited by others in ways you might not agree with.Forgetting the question of legality, I hope that we can collectively look at this changing dynamic and perhaps re-evaluate what we culturally reward. I’d much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations. I think the contextual shift we’ve seen over the past few years requires that we think critically about what’s still cool and what’s not.
Maybe this is an unpopular opinion and the bulk of the community is totally fine with how things have gone (after all, it is profitable). There are even explicitly patriotic hackers who suggest that their exploit sales are necessary for the good of the nation, seeing themselves as protagonists in a global struggle for the defense of freedom, but having nothing to do with these ugly situations in Saudi Arabia. Once exploits are sold to US defense contractors, however, it’s very possible they could end up delivered directly to the Saudis (eg, eg, eg), where it would take some even more substantial handwaving to think that they’ll serve in some liberatory way.
Filed Under: hacking, interception, moxie marlinspike, privacy, saudi arabia, selling vulerabilities, spying, surveillance
Companies: mobily