HOME

TheInfoList



OR:

Moxie Marlinspike is an American
entrepreneur Entrepreneurship is the creation or extraction of economic value. With this definition, entrepreneurship is viewed as change, generally entailing risk beyond what is normally encountered in starting a business, which may include other values th ...
,
cryptographer Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, and
computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...
researcher. Marlinspike is the creator of
Signal In signal processing, a signal is a function that conveys information about a phenomenon. Any quantity that can vary over space or time can be used as a signal to share messages between observers. The ''IEEE Transactions on Signal Processing'' ...
, co-founder of the
Signal Technology Foundation The Signal Foundation, officially the Signal Technology Foundation, is an American non-profit organization founded in 2018 by Moxie Marlinspike and Brian Acton. Its mission is "to develop open-source privacy technology that protects free expres ...
, and served as the first CEO of Signal Messenger LLC. He is also a co-author of the
Signal Protocol The Signal Protocol (formerly known as the TextSecure Protocol) is a non- federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls and instant messaging conversations. The protocol was developed by Open W ...
encryption used by Signal,
WhatsApp WhatsApp (also called WhatsApp Messenger) is an internationally available freeware, cross-platform, centralized instant messaging (IM) and voice-over-IP (VoIP) service owned by American company Meta Platforms (formerly Facebook). It allows us ...
,
Google Messages Messages (formerly known as Android Messages) is an SMS, RCS, and instant messaging application developed by Google for its Android and WearOS mobile operating systems, while it's also available via the Web. Messages is Google's official univ ...
,
Facebook Messenger Messenger is a proprietary instant messaging app and platform developed by Meta Platforms. Originally developed as Facebook Chat in 2008, the company revamped its messaging service in 2010, released standalone iOS and Android apps in 2011, and ...
, and
Skype Skype () is a proprietary telecommunications application operated by Skype Technologies, a division of Microsoft, best known for VoIP-based videotelephony, videoconferencing and voice calls. It also has instant messaging, file transfer, deb ...
. Marlinspike is a former head of the security team at
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
and the author of a proposed SSL authentication system replacement called
Convergence Convergence may refer to: Arts and media Literature *''Convergence'' (book series), edited by Ruth Nanda Anshen * "Convergence" (comics), two separate story lines published by DC Comics: **A four-part crossover storyline that united the four Wei ...
. He previously maintained a cloud-based
WPA WPA may refer to: Computing *Wi-Fi Protected Access, a wireless encryption standard *Windows Product Activation, in Microsoft software licensing * Wireless Public Alerting (Alert Ready), emergency alerts over LTE in Canada * Windows Performance An ...
cracking service and a targeted anonymity service called GoogleSharing.


Career

Marlinspike began his career working for several technology companies, including enterprise infrastructure software maker BEA Systems Inc. In 2010, Marlinspike was the chief technology officer and co-founder of
Whisper Systems Whisper Systems was an American enterprise mobile security company that was co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson in 2010. The company was acquired by Twitter in November 2011. Some of the company's s ...
, an enterprise mobile security startup company. In May 2010, Whisper Systems launched
TextSecure TextSecure was an encrypted messaging application for Android that was developed from 2010 to 2015. It was a predecessor to Signal and the first application to use the Signal Protocol, which has since been implemented into WhatsApp and other app ...
and
RedPhone Open Whisper Systems (abbreviated OWS) was a software development group that was founded by Moxie Marlinspike in 2013. The group picked up the open source development of TextSecure and RedPhone, and was later responsible for starting the devel ...
. These were applications that provided end-to-end encrypted SMS messaging and voice calling, respectively.
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
acquired the company for an undisclosed amount in late 2011. The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security". During his time as Twitter's head of cybersecurity, the firm made Whisper Systems' apps
open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized sof ...
. Marlinspike left Twitter in early 2013 and founded
Open Whisper Systems Open Whisper Systems (abbreviated OWS) was a software development group that was founded by Moxie Marlinspike in 2013. The group picked up the open source development of TextSecure and RedPhone, and was later responsible for starting the devel ...
as a collaborative open source project for the continued development of TextSecure and RedPhone. At the time, Marlinspike and Trevor Perrin started developing the
Signal Protocol The Signal Protocol (formerly known as the TextSecure Protocol) is a non- federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls and instant messaging conversations. The protocol was developed by Open W ...
, an early version of which was first introduced in the TextSecure app in February 2014. In November 2015, Open Whisper Systems unified the TextSecure and RedPhone applications as
Signal In signal processing, a signal is a function that conveys information about a phenomenon. Any quantity that can vary over space or time can be used as a signal to share messages between observers. The ''IEEE Transactions on Signal Processing'' ...
. Between 2014 and 2016, Marlinspike worked with
WhatsApp WhatsApp (also called WhatsApp Messenger) is an internationally available freeware, cross-platform, centralized instant messaging (IM) and voice-over-IP (VoIP) service owned by American company Meta Platforms (formerly Facebook). It allows us ...
,
Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...
, and
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...
to integrate the Signal Protocol into their messaging services. On February 21, 2018, Marlinspike and
WhatsApp WhatsApp (also called WhatsApp Messenger) is an internationally available freeware, cross-platform, centralized instant messaging (IM) and voice-over-IP (VoIP) service owned by American company Meta Platforms (formerly Facebook). It allows us ...
co-founder
Brian Acton Brian Acton (born 1972/1973) is an American computer programmer and Internet entrepreneur. Acton is the executive chairman of the Signal Technology Foundation, which he co-founded with Moxie Marlinspike in 2018. , Acton also serves as interim C ...
announced the formation of the
Signal Technology Foundation The Signal Foundation, officially the Signal Technology Foundation, is an American non-profit organization founded in 2018 by Moxie Marlinspike and Brian Acton. Its mission is "to develop open-source privacy technology that protects free expres ...
and its subsidiary, Signal Messenger LLC. Marlinspike served as Signal Messenger's first CEO until stepping down on January 10, 2022.


Research


SSL stripping

In a 2009 paper, Marlinspike introduced the concept of SSL stripping, a
man-in-the-middle attack In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
in which a network attacker could prevent a
web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...
from upgrading to an SSL connection in a way that would likely go unnoticed by a user. He also announced the release of a tool, sslstrip, that would automatically perform these types of man-in-the-middle attacks. The
HTTP Strict Transport Security HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other co ...
(HSTS) specification was subsequently developed to combat these attacks.


SSL implementation attacks

Marlinspike has discovered a number of different
vulnerabilities Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, com ...
in popular SSL implementations. Notably, he published a 2002 paper on exploiting
SSL/TLS Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...
implementations that did not correctly verify the X.509 v3 "BasicConstraints" extension in
public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the ...
chains. This allowed anyone with a valid CA-signed certificate for any
domain name A domain name is a string that identifies a realm of administrative autonomy, authority or control within the Internet. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. As ...
to create what appeared to be valid CA-signed certificates for any other domain. The vulnerable SSL/TLS implementations included the
Microsoft CryptoAPI The Microsoft Windows platform specific Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, MS-CAPI or simply CAPI) is an application programming interface included with Microsoft Windows ...
, making
Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical user interface, graphical web browsers developed by Microsoft which was used in the Microsoft Wind ...
and all other Windows software that relied on SSL/TLS connections vulnerable to a man-in-the-middle attack. In 2011, the same vulnerability was discovered to have remained in the SSL/TLS implementation on
Apple Inc. Apple Inc. is an American multinational technology company headquartered in Cupertino, California, United States. Apple is the largest technology company by revenue (totaling in 2021) and, as of June 2022, is the world's biggest company ...
's
iOS iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that powers many of the company's mobile devices, including the iPhone; the term also includes ...
. Also notably, Marlinspike presented a 2009 paper in which he introduced the concept of a null-prefix attack on SSL certificates. He revealed that all major SSL implementations failed to properly verify the Common Name value of a certificate, so that they could be tricked into accepting forged certificates by embedding
null character The null character (also null terminator) is a control character with the value zero. It is present in many character sets, including those defined by the Baudot and ITA2 codes, ISO/IEC 646 (or ASCII), the C0 control code, the Universal Coded Ch ...
s into the CN field.


Solutions to the CA problem

In 2011, Marlinspike presented a talk, "SSL And The Future Of Authenticity", at the
Black Hat Black hat, blackhats, or black-hat refers to: Arts, entertainment, and media * Black hat (computer security), a hacker who violates computer security for little reason beyond maliciousness or for personal gain * Black hat, part of black and white ...
security conference in
Las Vegas Las Vegas (; Spanish for "The Meadows"), often known simply as Vegas, is the 25th-most populous city in the United States, the most populous city in the state of Nevada, and the county seat of Clark County. The city anchors the Las Vegas ...
. He outlined many of the problems with certificate authorities and announced the release of a software project called
Convergence Convergence may refer to: Arts and media Literature *''Convergence'' (book series), edited by Ruth Nanda Anshen * "Convergence" (comics), two separate story lines published by DC Comics: **A four-part crossover storyline that united the four Wei ...
to replace them. In 2012, Marlinspike and Perrin submitted an
Internet Draft An Internet Draft (I-D) is a document published by the Internet Engineering Task Force (IETF) containing preliminary technical specifications, results of networking-related research, or other technical information. Often, Internet Drafts are int ...
for TACK, which is designed to provide SSL
certificate pinning HTTP Public Key Pinning (HPKP) is an obsolete Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using misissued or otherwise fraudulent digital certificates. A server uses it ...
and help solve the CA problem, to the
Internet Engineering Task Force The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
.


Cracking MS-CHAPv2

In 2012, Marlinspike and David Hulton presented research that makes it possible to reduce the security of
MS-CHAPv2 MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, CHAP. The protocol exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MS-CHAPv2 (defined in RFC 2759). MS-CHAPv2 was introduced with pptp3-fix that was in ...
handshakes to a single DES encryption. Hulton built hardware capable of cracking the remaining DES encryption in less than 24 hours, and the two made the hardware available for anyone to use as an Internet service.


Mobily surveillance controversy

In 2013, Marlinspike published emails on his blog that he claimed were from Saudi Arabian telecom service Mobily soliciting his help in surveilling their customers, including intercepting communications running through various applications. Marlinspike refused to help, making the emails public instead. Mobily denied the allegations. "We never communicate with hackers", the company said.


Traveling

Marlinspike says that when flying within the United States he is unable to print his own
boarding pass A boarding pass or boarding card is a document provided by an airline during airport check-in, giving a passenger permission to enter the restricted area of an airport (also known as the airside portion of the airport) and to board the air ...
, is required to have airline ticketing agents make a phone call in order to issue one, and is subjected to secondary screening at TSA security checkpoints. While entering the U.S. on a flight from the Dominican Republic in 2010, Marlinspike was detained by federal agents for nearly five hours, all his electronic devices were confiscated, and at first agents claimed he would only get them back if he provided his passwords so they could decrypt the data. Marlinspike refused to do this, and the devices were eventually returned, though he noted that he could no longer trust them, saying, "They could have modified the hardware or installed new keyboard firmware."


Speaking engagements

*
DEF CON DEF CON (also written as DEFCON, Defcon or DC) is a hacker convention held annually in Las Vegas, Nevada. The first DEF CON took place in June 1993 and today many attendees at DEF CON include computer security professionals, journalists, lawyer ...
17: "More Tricks for Defeating SSL" * DEF CON 18 and
Black Hat Black hat, blackhats, or black-hat refers to: Arts, entertainment, and media * Black hat (computer security), a hacker who violates computer security for little reason beyond maliciousness or for personal gain * Black hat, part of black and white ...
2010: "Changing Threats to Privacy" * DEF CON 19 and Black Hat 2011: "SSL and the Future of Authenticity" * DEF CON 20: "Defeating PPTP VPNs and WPA2 with MS-CHAPv2" *
Webstock Webstock is a web technology conference held in Wellington, New Zealand featuring a range of high-profile speakers covering a variety of web-related topics such as accessibility, usability, ethnographic design and development practices. Webstoc ...
'15: "Making private communication simple" * 36C3: "The ecosystem is moving"


Recognition

* In 2013 and 2014, the
Shuttleworth Foundation The Shuttleworth Foundation was established in January 2001 by South African entrepreneur Mark Shuttleworth as an experiment with the purpose of providing funding for people engaged in social change. While there have been various iterations of th ...
provided Marlinspike with a total of $289,487.18 in funding for Open Whisper Systems. * In 2016, ''
Fortune Fortune may refer to: General * Fortuna or Fortune, the Roman goddess of luck * Luck * Wealth * Fortune, a prediction made in fortune-telling * Fortune, in a fortune cookie Arts and entertainment Film and television * ''The Fortune'' (1931 film) ...
'' magazine named Marlinspike among its
40 under 40 ''Fortune'' magazine's 40 Under 40 is a list of individuals the publication considers to be the most influential young leaders for the year. The list has existed in two phases: First, from 1999 to 2003, the list was presented purely as a numeric ...
for being the founder of Open Whisper Systems and " ncryptingthe communications of more than a billion people worldwide". ''
Wired ''Wired'' (stylized as ''WIRED'') is a monthly American magazine, published in print and online editions, that focuses on how emerging technologies affect culture, the economy, and politics. Owned by Condé Nast, it is headquartered in San Fra ...
'' also named him to its "Next List 2016," as one of "25 Geniuses Who Are Creating the Future of Business." * In 2017, Marlinspike and Perrin were awarded the
Levchin Prize Maksymilian Rafailovych "Max" Levchin ( uk, Максиміліан Рафаїлович Левчин; born July 11, 1975) is a Ukrainian-American software engineer and businessman. In 1998, he co-founded the company that eventually became PayP ...
for Real World Cryptography "for the development and wide deployment of the Signal protocol".


Personal life

Originally from the state of
Georgia Georgia most commonly refers to: * Georgia (country), a country in the Caucasus region of Eurasia * Georgia (U.S. state), a state in the Southeast United States Georgia may also refer to: Places Historical states and entities * Related to the ...
, Marlinspike moved to
San Francisco San Francisco (; Spanish language, Spanish for "Francis of Assisi, Saint Francis"), officially the City and County of San Francisco, is the commercial, financial, and cultural center of Northern California. The city proper is the List of Ca ...
in the late 1990s at age 18. Marlinspike is an
anarchist Anarchism is a political philosophy and movement that is skeptical of all justifications for authority and seeks to abolish the institutions it claims maintain unnecessary coercion and hierarchy, typically including, though not neces ...
and a
sailing Sailing employs the wind—acting on sails, wingsails or kites—to propel a craft on the surface of the ''water'' (sailing ship, sailboat, raft, windsurfer, or kitesurfer), on ''ice'' (iceboat) or on ''land'' (land yacht) over a chosen cour ...
enthusiast. In 2004, he bought a derelict sailboat and, with three friends, refurbished it and sailed around the
Bahamas The Bahamas (), officially the Commonwealth of The Bahamas, is an island country within the Lucayan Archipelago of the West Indies in the Atlantic Ocean, North Atlantic. It takes up 97% of the Lucayan Archipelago's land area and is home to ...
while making a " video zine" about their journey called ''Hold Fast''. Several of Marlinspike's essays and speeches have been published in the Anarchist Library, including "An Anarchist Critique of Democracy" and "The Promise of Defeat."


References


External links

* {{DEFAULTSORT:Marlinspike, Moxie Living people Computer security specialists Cypherpunks American chief technology officers Businesspeople from Georgia (U.S. state) 1980s births