Interviewed: Moxie Marlinspike
During our time at the Security Summit held by ITWeb, we had a chance to sit down with Moxie Marlinspike, even though it was only for the briefest moment (it was the end of the day and everyone wanted to head home). For those of you who do not know who Moxie is, shame on you. He carries out independent research into computer security, with the focus being on defeating SSL. He is also the author of sslstrip, a tool presented at Black Hat in 2009 that showed how HTTPS sites are vulnerable to man-in-the-middle attacks if they start out from an HTTP location.
1) Hi, your name and what you do?
My name is Moxie Marlinspike and I work at the Institute for Destructive Studies.
2) What got you into hacking?
The 90’s hacker scene (in America). In the 1990’s there was a hacker community/culture wherein a lot of the things that are easily accessible today were very closed off. No one understood how the telephone worked, no one knew how the internet worked. Having access to computers and networks was very rare and it bound people together.
3) What are you currently working on?
At the moment I am working on a few different projects. One is a targeted anonymity system for Google, which allows you to use Google services without sacrificing your privacy. It is similar to Scroogle but is a Firefox add-on allowing you to use all services.
4) What got you into working on SSL?
I think SSL is very insane. One is, it is pretty fundamental, making it a very nice target wherein you get a lot for whatever vulnerabilities you find. So many things depend on it and it is so universally used that attacks tend to extrapolate across all fields.
5) Any interesting stories you can share with us?
I am now banned from obtaining an SSL certificate from a number of certificate authorities. For the Google Sharing project I had to get an SSL certificate, and it was like the first time I had to get one. It doesn’t have to be forged or anything, so I go to the bottom of the barrel and go to one of these cheap providers, make an account filling in my details, and then it logs me into someone else’s account. I was like, what? I am not even looking for vulnerabilities, and every time I did it, I would be logged into a new account. So then I went to a few different places, and every time I filled in the information and clicked request certificate it would say request denied, before I even gave the certificate signing request. So I filled out the tech support tickets and let it escalate till I got a call, and talking to the guy, he is like, “Oh, you. You’re banned from obtaining a certificate”. The message is clear to me. If you deal with shady business that sells snake oil and threaten to remove their underline they will move to exclude you from what is currently an essential piece of the web structure.
6) AMD or Intel?
I don’t know, but I guess I have an Intel machine.
7) Any shout outs?
Shout outs to the Institute for Destructive Studies.
