Repressive governments are employing hackers to spy on citizens. Some, like Moxie Marlinspike, refuse to heed the call

Wanted: Cyber spy for hire. Must be willing to crack existing products to allow repressive governments to snoop on their citizens and/or prevent them from communicating with each other. Salary commensurate with experience; moral flexibility a must.

While this want ad doesn’t actually exist, ones very much like it do — though it’s unlikely you’ll find them posted on Monster.com. There’s a thriving gray market of companies working for governments that seek to insinuate themselves into social networks like Twitter and Facebook, the better to identify and silence “terrorists” (insert your own definition here).

Today’s example comes to us via a blog post by hacker/security wonk Moxie Marlinspike. Yes, he has a name like an animated supervillain, but he also sports an impressive resume. As an independent security researcher, Marlinspike (whose birth name is probably Matthew Rosenfeld) has developed tools for enhancing privacy on Google and Android handsets. He’s also created tools for launching man-in-the-middle attacks — allowing hackers to secretly intercept otherwise secure communications between a user and, say, a bank or other secure network, then use that information for nefarious purposes.

You’re either with us or against us

That’s probably why he was contacted by Mobily, a $5 billion telecom based in Saudi Arabia. Mobily wanted him to develop a way to bypass SSL certificates in a handful of apps, including Twitter, Viber, Line, and WhatsApp.
When he asked why the Saudis would want to do that, he received the standard answer: to fight the spread of “terrorism.” He writes:

So privacy is cool, but the Saudi government just wants to monitor people’s tweets because… terrorism. The terror of the retweet. But the real zinger is that, by not helping, I might also be a terrorist. Or an indirect terrorist, or something. While this email is obviously absurd, it’s the same general logic that we will be confronted with over and over again: choose your team. Which would you prefer? Bombs or exploits. Terrorism or security. Us or them.

Instead of signing on and cashing a big check, however, Marlinspike declined the offer and decided to publicize the email string. He writes:

I’m being rude by publishing this correspondence with Mobily, not only because it’s substantially more rude of them to be engaged in massive-scale eavesdropping of private communication, but because I think it’s part of a narrative that we need to consider. What Mobily is up to is what’s currently happening everywhere, and we can’t ignore that. Over the past year there has been an ongoing debate in the security community about exploit sales. For the most part, the conversation has focused on legality and whether exploit sales should be regulated. I think the more interesting question is about culture: what do we in the hacker community value and prioritize, and what is the type of behavior that we want to encourage?

It’s a variation on the old joke: What do hackers do when they graduate from high school and discover that food and housing cost money? They become security consultants.

That’s essentially what happened to Marlinspike, though he walked away from a desk job at Twitter after they bought his security startup, Whisper Systems.

Black hats give way to green hats

As a longtime hacker, Marlinspike has noticed a dangerous shift in the attitude of those who like to expose the Internet’s vulnerabilities.
They used to do it for “lulz”; now they do it for money. They don’t uncover zero-day exploits to publicly demonstrate weaknesses in technology in an effort to goad companies or governments to do a better job securing their stuff; they do it on the sly to help repressive governments exert control over their citizens. More Moxie:

It’s hard to say exactly when it happened, but these days, the insecurity of the Internet is now more predominantly leveraged by people that I dislike against people that I like. More often than not, that’s by governments against people. Simultaneously, the tension between “0day” vs “publish” has largely transformed into “sell secretly” vs “publish.” In a sense, the AntiSec narrative has undergone a full inversion: This time, there are no “black hats” anymore, only “green hats” — the color of money.

Of course, the worst offenders here aren’t individual hackers who are bribed into working for The Man. They’re multi-billion-dollar tech companies supplying the equipment that makes repressive policies possible. Like Cisco, which is being sued for allegedly helping China to construct the Great Firewall. Or Nokia Siemens, which helped the government of Iran to locate and prosecute dissidents. Or Intel, whose security subsidiaries sold network filtering tech to governments in the Middle East and North Africa. Or AT&T, for that matter, when it allowed NSA spooks to install network surveillance equipment in one of its San Francisco data centers. It’s a long list, and I’m sure we only know about a fraction of what’s really going on. Thanks to ethical hackers like Marlinspike, we now know just a skosh more.

Do tech companies have a moral obligation to avoid doing business with repressive regimes? Post your thoughts below or email me: cringe@infoworld.com.

This article, “Now hiring hackers; leave your lulz and your ethics at the door,” was originally published at InfoWorld.com.