[FoRK] /. Moxie Marlinspike Answers Your Questions

Eugen Leitl eugen at leitl.org
Tue Dec 20 05:16:33 PST 2011


Moxie Marlinspike Answers Your Questions

Posted by samzenpus on Monday December 19, @12:40PM

from the here's-the-scoop dept.

A few weeks ago you asked security guru Moxie Marlinspike about all manner of
security issues, being searched at the border, and how to come up with a good
online name. He's graciously answered a number of your inquiries which you
will find below.

Who writes your paychecks?


From your Web site it looks like you've worn a number of hats. How do you
mainly earn your living by penetration testing, developing software as a
contractor, or what? Or do you have a day job? (I won't ask where). Do you
have any advice for software engineers seeking an independent career?

I was the CTO at WhisperSystems, which was just acquired by Twitter. In the
past, I've done both contract and full-time software engineering work, and
I've worked on boats and as a delivery captain. I've also spent a
considerable amount of time being broke and living without money.

I don't think I have any particularly sage advice for software engineers
looking to go independent, so I'll answer a different question: on a somewhat
regular basis now, I receive inquiries from young people coming out of
high-school or college, asking me what they should do to get started in their
software or security career. My most common response is "don't do it." Or at
least, not right now.

I think the biggest thing young people fail to realize is the interminable
nature of a career. As a young person in the global north, your whole life is
generally marked by periods with definite beginnings and endings: elementary
school is 5 years, middle school is 3 years, high-school is 4 years. It's
significant because when you're in high-school and hating the indignity of it
all, there is at least a definite endpoint that you can look forward to. But
if you're coming out of that, you might not fully comprehend that when you
start a career, you're expected to do that... for the rest of your *life*!
Don't be too anxious to jump into that, because it's not as different from
what's come before as you might think.

A friend of mine recently quipped "most people working in software discovered
technology before they discovered themselves." There are so many people in
the industry working on projects without a real personal narrative as to
*why* they're doing them, other than the intrinsic feeling that solving
technical problems is fulfilling. There is a whole entrepreneurial scene in
the Bay Area right now; I can understand the draw of building things, but the
level of self-seriousness that people bring to something like a "customer
loyalty" startup baffles me. Honestly, it's simply not true that this stuff
is "changing the world," so don't be too concerned about missing out if you
don't jump in as quickly as you can.

Please, don't spend your late teens or early twenties in front of your
computer at a startup. If you're a young person, I think the very best thing
you could do is get together with a group of friends and commit to a one year
experiment in which the substantial part of your life will be focused on
discovery and not be dedicated to wage work -- however that looks for you.
Get an instrument, learn three chords, and go on tour; find a derelict boat
and cross an ocean; hitchhike to Alaska; build a fleet of dirigibles;
construct a UAV that will engage with the emerging local police UAVs;
whatever -- but make it count.

security and society


In addition to being a very sharp security researcher, you seem to have a
strong interest in issues of social and political control. What emerging
security trends do you see as being most important or helpful for
authoritarians (at home and abroad)? What security trends are most important
for anti-establishment movements?

I'll mention a few things I think about:

1) A lot has been said by people like Clay Shirky about the horizontalizing
effect of the internet. And while it's true that platforms have emerged on
the internet which make horizontal coordination and communication possible,
what's often glossed over is that the infrastructure of the internet itself
is actually extremely hierarchical. I know this seems obvious, but it's not
something that comes up in the dialog about this stuff very often. It's worth
remembering that this is how things are currently structured, and that the
dreams of the Clay Shirkies of the world can never be fully realized as long
as that's true; especially since those in control of the infrastructure seem
to be taking increasing notice of that fact.

2) It's also just more of what we've been seeing for years: the economics of
"information capitalism" have created a world where data is for the most part
unsellable, driving businesses towards surveillance and profiling of their
users for targeted advertising as the only means of obtaining revenue.
Perhaps this isn't so bad in itself, but it puts us in a dangerous position,
because it means the data is there for the (very efficient) taking. This
becomes a magnet for governments and attackers.

3) Security vulnerabilities have become more difficult to find and exploit.
Rather than making things "secure," however, it's shifted the balance of who
has access to these vulnerabilities. There are still plenty of dumb sqli bugs
out there, but more and more it's shaping up to mean that those with the most
money and resources will have access to the exploits, while everyone else
will be vulnerable to them. Which is not the way I'd like to see it.

Hardware for the traveling hacker?


I'd be interested to know more about the hardware and/or platform you use on
a daily/regular basis to do your work/research. I would assume that with your
'itinerant' lifestyle you have had to make choices and compromises in this
area. IIRC, you "temporarily bought" ;) a laptop to edit Hold Fast, but that
isn't something you do on a regular basis is it? Are there any
suggestions/tips/tricks about hardware or methods that you'd care to share
for the traveling hacker with the above in mind?

As an aside - Thanks for all the good work and entertaining tales! :) Been
using that Capt's license much lately?

I secretly hate technology, so I actually have a mostly boring setup. I just
run Linux on a laptop, which I replace about every eight years. I'm pretty
stubborn about making a laptop last; the one I have now has cooling problems,
so every time I do a long compile I have to find an ice pack to put under it.
In some small way, it probably makes me feel like my computer is
accomplishing something really difficult.

Every once in a while I'll need to do something creative if my setup isn't
cutting it. So yeah, it's true that I edited Hold Fast on a nice machine with
a 14 day return policy. =)

These days I can't travel internationally without CBP wanting to search (or
failing that, confiscate) my electronics on my return to the US. So I just
don't travel with them if I'm leaving the country.

As for the captain's license, I still get out every now and then, but rarely
make deliveries. There's an anarchist yacht club convergence happening in
Guatemala at the end of February.



I really like the idea behind WhisperCore. The problem, as I see it, is that
it's only available for two devices, and the Android source is updated
regularly, making it difficult to keep WhisperCore up to date with the latest
version of Android. Also, there are a wide variety of existing ROMs, each
sporting its own array of features, but WhisperCore is the only one focusing
on full-device encryption and a quality firewall interface. Given that
security is becoming more critical on mobile devices, I would love to see
WhisperCore's functionality integrated into every ROM. Have you given any
consideration to integrating the WhisperCore project into an existing
community such as CyanogenMod, or opening the source to build a community
around WhisperCore? It would definitely help with making it available on more

WhisperSystems was acquired by Twitter recently, so the answer to this
question has changed a little for us. In general, though, we never saw
WhisperCore as something that could be a pervasive aftermarket solution. We
made it available on the Nexus devices with an aftermarket installer because
we wanted to give something free to the security community and those devices
make it easier with unlocked bootloaders. However, the bulk of our
distribution efforts were spent trying to get the software through OEM
channels, so that it would just appear on new devices.

CyanogenMod has done an excellent job of supporting a wide range of devices,
but as you note, they are only able to do this because it's an open source
project with enough volunteers to deal with all of the proprietary
integration, build, and test issues. They only get access to the source after
Google does public drops (that is to say, long after the rest of the industry
does), and the device vagaries are endless. WhisperCore was a commercial
product focused on the enterprise security market, and that market isn't
particularly interested in reflashing ROMs onto their employees' phones. We
were simply making it available in that form so that individuals could
benefit from our work, but it wasn't our main focus. The other integration
problem with CyanogenMod is that they are not a security-focused community,
and have actually done a number of things to reduce the security of the
platform (which is a shame, since the bar was low to begin with). So the
interests of our user bases are fairly distinct, and actually in conflict on
some important points.

WhisperCore - why not OSS?


Are there business or technical reasons you do not want to open the source
code for WhisperCore or any of the sub-projects like WhisperMonitor?

Same reason most enterprise software vendors' products aren't OSS, harder to
sell software that way. =)

CarrierIQ nnet

Does Whisper Monitor stop CarrierIQ as well?

Haven't tested it, but it should. That said, it doesn't come with
WhisperCore, so it seems unlikely that you'd encounter it on a device with

Thoughts on TLS-SRP as a partial solution?  WaffleMonster

Most secure sites we normally depend on require you to establish an account.
Rather than sending our passwords in the "clear" over SSL as everyone is
foolishly doing today couldn't part of this problem be solved using trust
previously established between you and the site in the form of mutually
authenticated credentials?

The best case example would be an online banking site first requiring you to
physically come into the office with proper ID. There would no longer be any
need for this bank to need to trust or use any third party.

TLS-SRP RFCs have already been written, SSL stacks used by all popular
browsers already patched with support... obviously this does not fully
eliminate the need for trusted third parties.

I think these types of approaches are interesting for things like SSH, IMAPS,
and SMTPS. The way that webapps tend to be architected and deployed, however,
makes this tricky.

of trust versus online consensus


PGP provides a model for partial trust in a public key based on the trust
placed in signers of that key. I think a similar model would work much better
for SSL certificates than either the current forest of fully trusted root CAs
or projects like Convergence because it would allow long term trust in
entities instead of merely the ephemeral keys used for SSL connections while
also providing offline security and the ability to separate the keys used for
privacy and identification.

If I wanted to validate the hypothetically secure https://slashdot.org/ I
would be happy seeing an SSL certificate signed by Geeknet's PGP key
(assuming they cared enough to be in the strong set), but even happier if it
was also signed by a couple certificate authorities and some other folks in
the strong set. I would assign partial trust to each of the certificate
authorities' root certificates and use PGP to measure the partial trust of
other signatures and set a threshold for the security of any SSL site,
perhaps requiring "full trust" for automatic acceptance of an SSL
certificate, a warning for marginal trust, and a bigger warning for anything

One of the primary advantages is separation of privacy and identification;
the private key for identifying an entity would only be used to sign SSL
certificates, reducing the likelihood of an attacker compromising an identity
certificate. Notaries, as in Convergence, would simply be entities who sign a
large number of SSL certificates after verifying the owner's identity through
the existing trust network. The advantage for notaries is that they would not
need to keep their private keys online and would only serve signatures. SSL
sites could also just include the signatures in the initial SSL/TLS exchange,
shifting bandwidth costs to the entities that benefit from the signatures.
Site owners could also pre-distribute new SSL keys to certificate authorities
and notaries to obtain signatures similar to the way that the existing PKI
works, without relying on projects like Convergence to correctly identify a
legitimate key change through heuristics.

The biggest advantage is a much more robust framework for trusting the
privacy and identity of web sites. The likelihood of obtaining fraudulent SSL
certificates signed by enough entities to achieve full trust is much lower
than the likelihood of compromising a single fully trusted root CA or
tricking a Convergence-style network into trusting a fraudulent SSL
certificate by DNS poisoning or other methods.

Do you think this is a workable and, if so, good idea?

The MonkeySphere project is working on something quite similar to your
proposal. Personally, I always have trouble with suggestions for bringing the
"web of trust" to some new context, because I never found it workable in the
context it was invented for. I use PGP more consistently for email than
almost anyone else I know, and the truth is that I almost never find a new
key with signatures that are meaningful to me.

While there are organizations and individuals I trust, there aren't thousands
of them, and probably not even hundreds of them. I think that trust agility
is essential to any solution moving forward, but as I see it trust agility
requires two things:

1) The trust relationship has to be initiated by the client.

2) A trust decision can be easily revised at any time.

I don't believe that using WoT style signatures meets these requirements, at
least in their most obvious form. In the WoT model, if I look up a
certificate, I don't have any influence over who's chosen to sign it. I'm
given the signatures I'm given, and that's that. If I decide to make it work
by trusting some entity that has made it a habit to sign a bunch of
certificates, untrusting them becomes difficult, because maybe the entity I'd
really like to trust hasn't signed as many. And if it's a matter of manually
evaluating the signatures I'm given for any site I visit, that sounds pretty
unpalatable to me.

All that said, this idea is not incompatible with Convergence. Just build a
MonkeySphere notary backend, and it'll plug right in alongside any other
notary strategies you'd like to simultaneously query from your client. I
anticipate that it would give you a lot of "stand aside" votes for the
foreseeable future, however.

Is everyone just re-inventing _parts_ of the WoT?


It seemed to me that what Perspectives notaries do, as expressed in
OpenPGP-speak, is act as sophisticated Robot CA. (Is this wrong?) Is a
Convergence notary "merely" a more sophisticated Robot CA, or does it provide
information which couldn't be represented in a Web of Trust?

Well, I dunno, on some level I think all knowledge can be expressed as simile
through any particular domain of knowledge. It's important to remember that a
Convergence notary isn't bound to any particular validation technique,
meaning that not all notaries will use network perspective. I prefer to think
of notaries as SSL Certificate Authorities with an inverted trust
relationship. They're pretty similar, but rather than the server initiating
the trust relationship, it's the client. It's a subtle but powerful change.

bootstrapping -- notary trust

Onymous Coward

Do you see the matter of how users come to trust the notaries themselves as a
concern? What methods do you see for assuring users that a list of notaries
is in fact recommended by a given party? I see notaries distributed with the
Convergence plug-in (is the distribution signed?), but doubtlessly that's not
meant as a steady-state solution as it does not promote trust agility.

Have you considered notary list configuration based on "subscriptions" à la
AdBlock lists. For example, if the EFF periodically published a signed "EFF
Trusted Notaries" list, as one of a number of organizations doing so?

And how much is a working web of trust required for this? Do you feel there
is one?

Right now installing Convergence is a leap of faith, as is true for most
software. I'm being intentionally inflammatory by making a point of not
distributing it over SSL, because if you're installing it, you don't have it
to validate your SSL connection yet. Once you have it, however, all updates
are signed.

I don't actually see pre-distributed lists of trusted notaries as anathema to
trust agility, however. It's nice for a user to be able to select who they
trust, but it's also essential that browser vendors can revise those defaults
as well. Right now that's not the case, and it means that a browser vendor's
entire user base suffers.

I would like to imagine that one day browsers will ship with Convergence
support built in, and that it will come with a list of default notaries that
the browser has curated. If one of those notaries starts acting in bad faith,
the browser can remove them. If you as a user would like to make different
trust decisions, you can do that as well.

Notary subscription lists are a good idea. You can kind of do this with the
HA Notary bundles right now, but it'd be better to break them out into a
meta-bundle. In any case, the bundle auto-update logic is in there, so it
wouldn't be too difficult (git pull requests gladly accepted!).

Switch from Perspectives?


I'm already using the Perspectives extension (and not sure what benefit I'm
getting from that)... Why should I switch from Perspectives to Convergence?

Convergence is obviously inspired by Perspectives, but slightly more
generalized (not tied to network perspective), and designed to address what I
felt were shortcomings in the Perspectives protocol. The biggest differences
are browser integration, notary lag, and privacy.

Perspectives doesn't work for any of the CSS/JS/Image content on a page load,
only the initial GET. It will suffer from notary lag since it requires
notaries to regularly poll target sites. And you'll leak your entire browsing
history to notaries.

Choice of name?


Completely unrelated to your work, but the name "Moxie Marlinspike" sounds
wonderful. It's obvious why you chose "Marlinspike", after all as a sailor
it's an object that you may have found useful (and it's not that uncommon to
have a last name that is a tool or a trade). But the first name you chose -
why did you choose it? Looking around for references to Moxie the most
prominent one is for one of the earliest carbonated beverages sold in the
world, which doesn't sound too probable as an origin.

Apparently the etymology of the word "moxie" is thought to originate with the
soda, although there is some indication that it might have been a word from a
native American language that meant "dark water." I actually know another
person named Moxie in the Bay Area, and someone got us a six pack of Moxie
Cola to split once. I couldn't even finish one!

I'd estimate that in roughly 1/3rd of the cases where I introduce myself to
someone, they ask whether Moxie is my "real name." There are a few
interesting things about this to me. First, apparently we're all so used to a
limited pantheon of possible names that anything outside of it must be "not
real." And second, that when people say "real," it seems that what they
actually mean is "legal."

What's interesting to me about the corpus of "real sounding" names is that
they're mostly drawn from the bible. The name my parents put on my birth
certificate is "Matthew." For as long as I can remember, however, people have
called me Moxie Marlinspike. There's obviously a story there, but it's
actually not that interesting. In the end, it's just what stuck. I don't
switch back to Matthew, however, because it's a biblical name. I'm not that
inspired by the stories from the bible, so it feels counter-intuitive for me
to literally identify with them. So while many people find my name "strange,"
what's more bemusing to me is that many of those same people *also* don't
find the stories of the bible to be the major inspiration of their lives, and
yet continue to be walking endorsements for them with every handshake.

The notion of "realness as legality" is interesting to me because it seems
like it should be possible for reality to extend beyond whatever is defined
by law, yet this seems to be the litmus in most people's minds. If I have a
name which literally everyone in my life since childhood has known me by, it
seems to me that this should be the definition of "reality," not whether the
government (who, by contrast, has a pretty cold and distant relationship with
me as far as acquaintances go) agrees. 
