Researcher refuses to help Saudi telco to spy on people
Posted on 14 May 2013.
You would think that a Saudi Arabian telecom firm interested in monitoring its users' mobile communications would not be asking a well-known pro-privacy researcher such as Moxie Marlinspike for help, but you would be wrong.


Marlinspike - the author of the GoogleSharing proxy service; creator of Convergence, an alternative to the flawed CA trust model; co-founder and CTO of Whisper Systems, which offered its free voice and text encryption software to Egyptian users during the 2011 revolution; author of the MitM tool sslstrip; and finally a former Twitter employee that was involved in writing its TLS code - described the "pitch" in a blog post.

He says that his was contacted by an agent of telecommunication company Mobily and was asked to help with a program for monitoring communication going through Mobile Twitter, Viber, Line, and WhatsApp.

"I was told that the project is being managed by Yasser D. Alruhaily, Executive Manager of the Network and Information Security Department at Mobily. The projectís requirements come from 'the regulator' (which I assume means the government of Saudi Arabia). The requirements are the ability to both monitor and block mobile data communication, and apparently they already have blocking setup," he wrote.

After probing a little, he also discovered that they intend to force a CA in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception, and that they were even looking into acquiring SSL vulnerabilities and exploits for them as alternatives to the original plan.

After having refused the job and having explained he did so for privacy reasons, the agent said they were trying to thwart terrorists, not spy on regular users, but Marlinspike is obviously unconvinced by the explanation.

"Really, itís no shock that Saudi Arabia is working on this, but it is interesting to get fairly direct evidence that itís happening. More to the point, if youíre in Saudi Arabia (or really anywhere), it might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements), because now we know for sure that theyíre watching," he added.

It took only a day for Mobily to react and say that they are investigating Marlinspike's claim, adding that the tale of his communication with the agent "is not 100% accurate."

I advise reading Marlinspike's blog post in its entirety, as it makes some very good points about the change of hacker culture over time, and the need to fight it.









Spotlight

Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics

Posted on 23 October 2014.  |  Targets of the spear phishing emails included staff at the Ministry of Defense in France, in the Vatican Embassy in Iraq, military officials from a number of countries, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //