Marlinspike: Saudi mobe network tried to recruit me to sniff citizens' privates

Gov plans to probe tweets, chat, claims crypto guru

Claims that a Saudi mobile network is attempting to spy on citizens emerged after the telco apparently tried to recruit top cryptographer Moxie Marlinspike - who promptly went public.

The cryptography expert and former hacker, who left Twitter's security team in January, said he had been asked to help Mobily in its state-backed project to monitor encrypted chat sent by Twitter, Viber, WhatsApp and other third-party smartphone natter apps.

Just two months ago, the Saudi telecommunications regulator was reported to have warned that encrypted messaging services including Skype, Viber and WhatsApp could be blocked if they did not provide the government the means to monitor the apps. Saudi papers at the time said the affected firms had been given one month to respond.

Marlinspike has published emails exchanged between himself and someone who appears to be a high-ranking executive at the mobile telco, who apparently tried to hire the noted software engineer. The network is investigating the claims, we're told. A spokesman told the WSJ that Marlinspike's "account of of his contacts with Mobily 'is not 100% accurate'."

Mobily, one of two telecom operators in Saudi Arabia, is believed to be under pressure from a regulator within the kingdom to wiretap the aforementioned apps. Its bosses, it is claimed, sought technical knowhow from Marlinspike, who created a tool that intercepted secure web traffic to highlight shortcomings in HTTPS and SSL.

But the expert would have been a rather poor recruitment target: he co-founded Whisper Systems, a company which provided free encrypted cellphone comms technology to dissidents in Egypt during the time of the Arab Spring uprising. And he devised the Convergence SSL system to strengthen the bedrock of cryptography HTTPS web browsing is built on.

Whisper was bought by Twitter in 2011, and Marlinspike worked on the social network's software security team after the acquisition. All of this makes Marlinspike a highly unlikely recruit for a state-sponsored surveillance project.

Nonetheless, according to the engineer and keen sailor, Mobily sent him an email titled Solution for monitoring encrypted data on telecom that outlined its requirements for the dragnet lawful interception project. Despite the telco's apparent lack of communications security skills, with the funds available at its disposal, it will eventually come up with a mobile snooping system that works, Marlinspike lamented on his blog. He claimed:

One of the design documents that they volunteered specifically called out compelling a CA [Certificate Authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception. A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities.

Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over 5 billion in revenue, so I’m sure that they’ll eventually figure something out.

What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter – I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low.

The discussion between the Mobily employee and Marlinspike progressed until, we're told, the SSL expert was asked for a price quote - at which point he declined stating he wasn't interested in the job for privacy reasons.

Undaunted, according to the published emails, the Mobily pitchman responded that the project was needed in order to spy on the local jihadis, going so far to suggest that Marlinspike was "indirectly helping those who curb the freedom with their brutal activities" by not getting involved with the wiretap project.

Marlinspike has little doubt that other telecom providers in multiple countries are running surveillance projects similar to the one described above, hence his decision to publish the messages.

"I’m being rude by publishing this correspondence with Mobily, not only because it’s substantially more rude of them to be engaged in massive-scale eavesdropping of private communication, but because I think it’s part of a narrative that we need to consider," he said. "What Mobily is up to is what’s happening everywhere, and we can’t ignore that."

In his blog post Marlinspike went on to talk about changes in hacking culture, increased commercialism, governments and defence contractors splashing cash all over exploit marketplaces to becoming the biggest consumers of attack code, and private citizens becoming a principal target. ®

Broader topics

Narrower topics

Other stories you might like

  • Musk repeats threat to end $46.5bn Twitter deal – with lawyers, not just tweets
    Right as Texas AG sticks his oar in

    Elon Musk is prepared to terminate his takeover of Twitter, reiterating his claim that the social media biz is covering up the number of spam and fake bot accounts on the site, lawyers representing the Tesla CEO said on Monday.

    Musk offered to acquire Twitter for $54.20 per share in an all-cash deal worth over $44 billion in April. Twitter's board members resisted his attempt to take the company private but eventually accepted the deal. Musk then sold $8.4 billion worth of his Tesla shares, secured another $7.14 billion from investors to try and collect the $21 billion he promised to front himself. Tesla's stock price has been falling since this saga began while Twitter shares gained and then tailed downward.

    Morgan Stanley, Bank of America, Barclays, and others promised to loan the remaining $25.5 billion from via debt financing. The takeover appeared imminent as rumors swirled over how Musk wanted to make Twitter profitable and take it public again in a future IPO. But the tech billionaire got cold feet and started backing away from the deal last month, claiming it couldn't go forward unless Twitter proved fake accounts make up less than five per cent of all users – a stat Twitter claimed and Musk believes is higher.

    Continue reading
  • Twitter shareholders to vote on Elon Musk's acquisition
    Mogul's team sprayed with 'firehose' of data as unending saga continues

    Twitter has reportedly thrown its $44 billion buyout by Elon Musk to a shareholder vote, which could take place around late July or early August.

    Execs told employees of the plans on Wednesday, according to outlets including CNBC and the Financial Times.

    The move follows reiterations by Musk's camp that he is prepared to walk away from the deal if the social media network fails to provide accurate information on the number of fake accounts.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022