A Saudi Arabia Telecom's Surveillance Pitch : it will never happen here

Discussion in 'General Discussion' started by VisuTrac, May 13, 2013.

  1. VisuTrac

    VisuTrac Your mother wears military boots Site Supporter+++

    May 13, 2013

    Moxie Marlinspike >> Blog >> A Saudi Arabia Telecom's Surveillance Pitch
    Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they’re working on in that country. Having published two reasonably popular MITM tools, it’s not uncommon for me to get emails requesting that I help people with their interception projects. I typically don’t respond, but this one (an email titled “Solution for monitoring encrypted data on telecom”) caught my eye.

    I was interested to know more about what they were up to, so I wrote back and asked. After a week of correspondence, I learned that they are organizing a program to intercept mobile application data, with specific interest in monitoring:
    • Mobile Twitter
    • Viber
    • Line
    • WhatsApp
    I was told that the project is being managed by Yasser D. Alruhaily, Executive Manager of the Network & Information Security Department at Mobily. The project’s requirements come from “the regulator” (which I assume means the government of Saudi Arabia). The requirements are the ability to both monitor and block mobile data communication, and apparently they already have blocking setup. Here’s a sample snippet from one email:
    From: Yasser Alruhaily <…….. .. .@mobily.com.sa>
    Date: Thursday, May 2, 2013 1:04 PM
    Subject: Re: As discussed last day .further discussion
    we are working in defining a way to deal with all such requirements from regulator and it is not only for Whatsapp, it is for whatsapp, line, viber, twitter etc..
    So, what we need your support in is the following:
    • is there any technical way that allow for interception these traffic?
    • Is there any company or vendor could help us on this regard?
    • is there any telecom company they implement any solution or workaround?
    One of the design documents that they volunteered specifically called out compelling a CA in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception. A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities.
    Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over 5 billion in revenue, so I’m sure that they’ll eventually figure something out.
    What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter – I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low.
    In The Name Of Terror

    When they eventually asked me for a price quote, and I indicated that I wasn’t interested in the job for privacy reasons, they responded with this:
    I know that already and I have same thoughts like you freedom and respecting privacy, actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause that’s why I took this and I seek your help. If you are not interested than maybe you are on indirectly helping those who curb the freedom with their brutal activities.
    So privacy is cool, but the Saudi government just wants to monitor people’s tweets because… terrorism. The terror of the re-tweet.
    But the real zinger is that, by not helping, I might also be a terrorist. Or an indirect terrorist, or something.
    While this email is obviously absurd, it’s the same general logic that we will be confronted with over and over again: choose your team. Which would you prefer? Bombs or exploits. Terrorism or security. Us or them. As transparent as this logic might be, sometimes it doesn’t take much when confirming to oneself that the profitable choice is also the right choice.
    If I absolutely have to frame my choices as an either-or, I’ll choose power vs. people.
    Culture Over Time

    I know that, even though I never signed a confidentiality agreement, and even though I simply asked questions without signaling that I wanted to participate, it’s still somewhat rude of me to publish details of correspondence with someone else.
    I’m being rude by publishing this correspondence with Mobily, not only because it’s substantially more rude of them to be engaged in massive-scale eavesdropping of private communication, but because I think it’s part of a narrative that we need to consider. What Mobily is up to is what’s currently happening everywhere, and we can’t ignore that.
    Over the past year there has been an ongoing debate in the security community about exploit sales. For the most part, the conversation has focused on legality and whether exploit sales should be regulated.
    I think the more interesting question is about culture: what do we in the hacker community value and prioritize, and what is the type of behavior that we want to encourage?
    Let’s take stock. One could make the case that the cultural origins of exploit sales are longstanding. Since at least the 90’s, there has been an underlying narrative within the hacker community of not “blowing up” or “killing” bugs. A tension against that discipline began with the transition from a “hacker community” to a “security industry,” and the unease created by that tension peaked in the early 2000’s, manifested most clearly by the infamous AntiSec movement.
    Fundamentally, AntiSec tried to reposition the “White Hat” vs “Black Hat” debate by suggesting that there are no “White Hats,” only “Green Hats” – the color of money.
    As someone who also regretted what money had done to the hacker community, I was largely sympathetic with AntiSec. If I’m really honest with myself, though, my interest in the preservation of 0day was also because there was something fun about an insecure internet at the time, particularly since that insecurity predominately tended to be leveraged by a class of people that I generally liked against a class of people that I generally disliked.
    In short, there was something about not publishing 0day that signaled affiliation with the “hacker community” rather than the “security industry.”
    The Situation Today

    In many ways, it’s possible that we’re still largely operating based on those original dynamics. Somewhere between then and now, however, there was an inflection point. It’s hard to say exactly when it happened, but these days, the insecurity of the internet is now more predominantly leveraged by people that I dislike against people that I like. More often than not, that’s by governments against people.
    Simultaneously, the tension between “0day” vs “publish” has largely transformed into “sell secretly” vs “publish.” In a sense, the AntiSec narrative has undergone a full inversion: this time, there are no “Black Hats” anymore, only “Green Hats” – the color of money.
    There are still outliers, such as Anonymous (to the extent that it’s possible to be sympathetic with an unguided missile), but what’s most significant about their contribution is that they’re not using 0day at all.
    Forgetting the question of legality, I hope that we can collectively look at this changing dynamic and perhaps re-evaluate what we culturally reward. I’d much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations. I think the contextual shift we’ve seen over the past few years requires that we think critically about what’s still cool and what’s not.
    Maybe this is an unpopular opinion and the bulk of the community is totally fine with how things have gone (after all, it is profitable). There are even explicitly patriotic hackers who suggest that their exploit sales are necessary for the good of the nation, seeing themselves as protagonists in a global struggle for the defense of freedom, but having nothing to do with these ugly situations in Saudi Arabia. Once exploits are sold to US defense contractors, however, it’s very possible they could end up delivered directly to the Saudis (eg, eg, eg), where it would take some even more substantial handwaving to think that they’ll serve in some liberatory way.
    For me at least, these changes have likely influenced what I choose to publish rather than hold, and have probably caused me to spend more time attempting to develop solutions for secure communication than the type of work I was doing before.
    It’s Happening

    Really, it’s no shock that Saudi Arabia is working on this, but it is interesting to get fairly direct evidence that it’s happening. More to the point, if you’re in Saudi Arabia (or really anywhere), it might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements), because now we know for sure that they’re watching.
    For the rest of us, I hope we can talk about what we can do to stop those who are determined to make this a reality, as well as the ways that we’re already inadvertently a part of that reality’s making.
  2. Mindgrinder

    Mindgrinder Karma Pirate Ninja Jedi Bipolar WINNING M.L.F.

  3. BTPost

    BTPost Old Fart Snow Monkey Moderator

    This is all political BS from the NWO.... and those who want to control something, that IS uncontrollable.... it is a simple FACT that as long as the US controls the Root DNS Servers, thru ICANN, We control the Internet.... and these other Bit Players, are just "WannaBees" with "Delusions of Grandeur"
    If we choose to lock out some Two Bit Player, for not playing nice, we can do that in the matter of minutes. Not only cut them off from DNS, but cut off their Countries links to the World Network.
  4. Mindgrinder

    Mindgrinder Karma Pirate Ninja Jedi Bipolar WINNING M.L.F.

    Kinda got your own delusions of grandeur happening there old timer.
    U think China/Russia need ICANN?
    U think the US controls ICANN? Rly? You don't even control your own military anymore...
    U think Root DNS is a kill switch? Wake up Obama.
    U think you own all the fiber in the world?

    *shakes his head*
  5. BTPost

    BTPost Old Fart Snow Monkey Moderator

    Ok SmartGuy, tell us ALL what would happen if ICANN decided to teach the Chinese a lesson, and filter ALL Chinese based IP Addresses from the Root DNS Servers..... Come on... Show us how they get around that.... and make the Internet, outside their country Work... come on expound your Brilliance.....

    Just how many seconds, do you think it would take the Chinese to be in the UN Security Council, screaming about the Massive Cyber-Attack on their Country, and the Massive slowdown it would cause on their Internet traffic, to the rest of the world.....
  6. Mindgrinder

    Mindgrinder Karma Pirate Ninja Jedi Bipolar WINNING M.L.F.

    Pick one outside your country?
    Host their own backup outside China and route through it?
    WTFHax the root zone file and "undo" your "filter"?
    Let me say it one more time...
    Your arrogance in thinking you have super powers and control everything is what is turning the world against you. Sadly, you're living proof that it's not just your government...but also your infected culture.
    U.S. Debt - How Much China Owns
    Crash overnight.

  7. BTPost

    BTPost Old Fart Snow Monkey Moderator

    The Chinese have no call on MY Debt, as I have NO DEBT, and haven't had any DEBT for the last three DECADES..... Have you ever TRIED to Hack into a Root Server? it ain't as easy as you believe.... You are way outside your depth here sonny.... How long do you think it would take the Chinese to setup a Hosted DNS Server, with the REQUIRED Bandwidth, outside their IP Ranges, that can handle ALL the Internet DNS Traffic, from their WHOLE IP Range? Now, How long to delist that Server, from the Root DNS Servers, once it starts asking for Information? Duh....
  8. Mindgrinder

    Mindgrinder Karma Pirate Ninja Jedi Bipolar WINNING M.L.F.

    While you personally have no debt (good on ya btw), I assure you that your country has the greatest debt in all the world. Many people in Cyprus had no debt and some savings....it didn't stop the banks from just TAKING what they felt owned. Anyway...

    Of course I've never tried to hack a root server. How long do I think it would take the Chinese to set up their own? I'd be surprised if it's not already done..and in multiple allied countries that owe them money. How much of your infrastructure have they already hacked into? How many trade "secrets" and patented ideas have they snatched from your slack sec with no retaliation? For the love of God man...US Trade Dept can't even keep The Pirate Bay offline for a day let alone a country with billions of people who have to proxy/spoof just to get a Newspaper from outside The Great Firewall.

    Outside my depth eh?
    Not really feeling it....(haven't hit near that speed since Jan though :( )
    Bandwidth isn't a problem anymore...
    I think you are just behind the times and have major hubris.

  9. Quigley_Sharps

    Quigley_Sharps The Badministrator Administrator Founding Member

    Do I win a PRIZE!!!!!:lol:
  10. BTPost

    BTPost Old Fart Snow Monkey Moderator

    Yep, There is ALWAYS someone with a Bigger Pipe.... I am content with my SAT Based IP Links, here in the bush, and our T3, that feeds our Servers in Seattle, that have been in existence, for a couple of DECADES... I don't keep my Assets in a Bank.... Only enough for my immediate Needs.... So even if some .GOV decides to rob all the Accounts to pay for some fool thing, I will not have lost but maybe .001% of my assets. I'm sure there are a LOT of things that surprise you, MG....
  11. Mindgrinder

    Mindgrinder Karma Pirate Ninja Jedi Bipolar WINNING M.L.F.

    Every day bud.
  12. Mindgrinder

    Mindgrinder Karma Pirate Ninja Jedi Bipolar WINNING M.L.F.

    You already won the prize when your politicians showed some real guts and marched on Bilderberg in 2011.
    Bilderberg 2011: The opposition steps up | World news | guardian.co.uk
    You won another prize when your people elected a Pirate Party Mayor in Eichberg in 2012.

    Carry on downloading all that American "intellectual property" treasure.
