Moxie Marlinspike: The Coder Who Created Encrypted Tools That The NSA/FBI Can't Crack
In the past decade, Moxie Marlinspike has squatted on an abandoned island, toured the U.S. by hopping trains, he says, and earned the enmity of government officials for writing software.
Mr. Marlinspike created an encryption program that scrambles messages until they reach the intended reader. It's so simple that Facebook Inc.'s WhatsApp made it a standard feature for many of the app's 800 million users.
The software is effective enough to alarm governments. Earlier this year, shortly after WhatsApp adopted it, British Prime Minister David Cameron called protected-messaging apps a "safe space" for terrorists. The following week, President Barack Obama called them "a problem."
That makes the lanky, dreadlocked and intensely private coder a central figure in an escalating debate about government and commercial surveillance. In a research paper released Tuesday, 15 prominent technologists cited three programs relying on Mr. Marlinspike's code as options for shielding communications.
His encrypted texting and calling app, Signal, has come up in White House meetings, says an attendee. Speaking via video link last year as part of a panel on surveillance, former National Security Agency contractor Edward Snowden, who leaked troves of U.S. spying secrets, urged listeners to use "anything" that Mr. Marlinspike releases.
That endorsement was "a little bit terrifying," Mr. Marlinspike says. But he says he sees an opening, following Mr. Snowden's revelations, to demystify, and simplify, encryption, so more people use it. He finds most privacy software too complicated for most users.
The former teenage hacker studies popular apps like Snapchat and Facebook Messenger, trying to understand their mass appeal. He says he wants to build simple, "frictionless" apps, adopting a Silicon Valley buzzword for "easy to use."
"I really started thinking about, 'How do I be more in touch with reality?' " he says.
Those who know him say he has both the will and the technical chops to popularize complex technology.
A few years ago, Matthew Green, a cryptographer and professor at Johns Hopkins University, unleashed his students on Mr. Marlinspike's code. To Prof. Green's surprise, they didn't find any errors. He compared the experience to working with a home contractor who made "every single corner perfectly squared."
During chats about surveillance and security, Mr. Marlinspike also won over Morgan Marquis-Boire, a researcher who has worked on security for Google Inc. In a fellowship recommendation for Mr. Marlinspike, Mr. Marquis-Boire wrote, "There are very few people who write privacy tools that I trust, and Moxie is one of them."
Mr. Marlinspike says it is more important that users trust his software than trust him. "It's easier to trust that I haven't made mistakes," he says.
Even by the standards of privacy activists, Mr. Marlinspike is unusually secretive about himself. He won't give his age, except to say he is "in his 30s." In an interview, he wouldn't say whether Moxie Marlinspike was his birth name. In a 2011 online interview with the website Slashdot, however, he wrote, "the name my parents put on my birth certificate is 'Matthew.'" Friends and former associates say they know him only as Moxie.
Consumer encryption tools like Mr. Marlinspike's have been around since the early 1990s, but most are so cumbersome that few people use them. A popular email-encryption program, PGP, or Pretty Good Privacy, requires users to swap a series of thousands of random letters and numbers with anyone they wish to contact. Sending a message requires several clicks, a password, and sometimes, copying and pasting.
A young Mr. Marlinspike once thought users would eventually adopt such tools. "That hasn't really worked out," he says now.
Phil Zimmermann, who invented PGP, says he rarely uses it because "it doesn't seem to work well on the current version of Macintosh."
Such headaches have limited the use of encryption to a level law enforcement has mostly learned to live with. Big technology companies like Google, Microsoft Corp. and Yahoo Inc. usually maintain access to customer messages and provide user emails and contact information to authorities when faced with a court order, even if they oppose it. Consumer services like these typically haven't had strong encryption.
Adding easy-to-use encryption that companies can't unscramble to products used by millions changes that calculus. After Apple Inc. tweaked its iPhone software so that the company could no longer unlock phones for police, the director of the Federal Bureau of Investigation accused Apple of aiding criminals. Apple Chief Executive Tim Cook counters that he is defending user privacy.
The incident sparked a continuing war of words between Silicon Valley and Washington.
"Encryption has moved from something that is available to something that is the default," FBI Director James Comey told a congressional panel Wednesday. "This is a world that in some ways is wonderful and in some ways has serious public-safety ramifications."
Technology companies, once cozy with Washington, sound increasingly like Mr. Marlinspike. Apple, Facebook, Google and others are resisting efforts to give the government access to encrypted communications.
Last fall, WhatsApp added Mr. Marlinspike's encryption scheme to text messages between users with Android smartphones, but there is no easy way to verify that the encryption software is actually turned on. The app maker, acquired by Facebook for $22 billion last year, plans to extend encryption to images and iPhone messages, a person familiar with the project said.
Behind the clash lurks this reality: Even if the big tech companies come around, there are others like Mr. Marlinspike who will pick fights with code.
Mr. Marlinspike argues for safe spaces online. His personal Web address is thoughtcrime.org, a reference to George Orwell's "1984."
As a teenager, Mr. Marlinspike says, he was more interested in breaking software than creating it. He turned to protecting data as he grew more concerned about surveillance.
He moved to San Francisco in the late 1990s and worked for several technology companies before the dot-com bust, including business-software maker BEA Systems Inc. Since then, he often has lived on the edge of the Bay Area's tech-wonk scene.
During the mid-2000s, he and three friends refurbished a derelict sailboat and spent summers being blown around the Bahamas, without a backup motor, as depicted in a home movie Mr. Marlinspike posted online.
In 2010, Mr. Marlinspike's company, Whisper Systems, released an encryption app, TextSecure. Twitter Inc. bought Whisper Systems for an undisclosed sum in 2011 primarily so that Mr. Marlinspike could help the then-startup improve its security, two people familiar with the transaction said. He worked to bolster privacy technology for the social-media firm, leaving in 2013.
Around that time, the State Department was looking to use technology to support pro-democracy movements overseas. Mr. Marlinspike's work caught the attention of Ian Schuler, manager of the department's Internet freedom programs. Encrypted messaging was viewed as a way for dissidents to get around repressive regimes.
With help from Mr. Schuler, Radio Free Asia's Open Technology Fund, which is funded by the government and has a relationship with the State Department, granted Mr. Marlinspike more than $1.3 million between 2013 and 2014, according to the fund's website.
Mr. Marlinspike was hardly a conventional Washington player. He and a government official missed meeting one another at a San Francisco burrito joint because the visitor assumed the dreadlocked Mr. Marlinspike couldn't be the person he was there to see, Messrs. Schuler and Marlinspike said.
Mr. Marlinspike now runs a new firm, Open Whisper Systems, from a low-rent workspace in San Francisco's Mission District. He has received other grants but says he isn't interested in venture capital, partly because he would have to promise returns to investors.
His latest app, Signal, promises users secure text messages and voice calls. He acknowledges that it still has some kinks. Calls can drop if a user receives a traditional phone call while on an encrypted call. Mr. Marlinspike won't disclose how many people use the app.
He still has work to do if he wants typical users to adopt encrypted communications.
But its minimalist blue-and-white design looks like something that could have emerged from Facebook.
Mr. Marlinspike says the San Francisco Police Department called last year to ask whether the app was secure enough for its officers to use. A spokesman for the department said it "did look at this vendor."
Internet History Privacy Software
When you surf the web, your computer stores tons of data about where you have been on the internet, what you have been doing and what information you have entered when surfing the web. Over time, this information builds up on your computer. If someone gains access to your computer, something that is common and easy to do, they will have a treasure trove of personal data that could cause you serious problems. Things like credit card information, bank account information, passwords, social security numbers, all are likely to be accessed by these kinds of hackers.
To prevent this, you need to regularly remove this information from your computer so that it does not pile up like a digital fire hazard. Here are some of the top rated privacy software products to help with this.
Webroot Window Washer – (all prices are estimated) – Removes unnecessary files, cleans up internet use, overwrites files to truly delete them, frees up computer space.
Cyber Scrub Privacy Suite – Frees up disk space, cleans up internet history, erases Vista shadow copies, uses 256-bit encryption, protects emails and chats, overwrites deleted files.
Portable Firefox – Free – Keep your browser on a flash drive. Minimizes information stored and shared, doesn't put information on the PC at the same risk, portable for use on multiple computers.
Sometimes just removing information from your PC isn't enough. Oftentimes a computer virus will cause your computer to collect and transmit data surreptitiously. To prevent the most common viruses, use good antivirus software like these.
Norton – Standard anti-virus PC protection from one of the most trusted names in anti-virus.
McAfee – Standard anti-virus PC protection from one of the most trusted names in anti-virus.
AVG – Free – Standard anti-virus protection, although less robust than the paid version, from a trusted name in free anti-virus protection.
Email is one of the most notoriously unprotected forms of communication. Not only is it possible to collect and analyze all plain text emails (that is, emails that you have not taken steps to encrypt), but it is extremely easy for oppressive governments, identity thieves and hackers to get the contents of emails. To prevent intrusion by oppressive governments and unscrupulous identity thieves, use email encryption services.
BitMessage – (Free) – Protect the security of your emails. (No Security Audit As of 8-19-2013)
PGP – (Lifetime) – Protect the security of your emails.
Hushmail – Free – Encrypt your emails as they bounce around the internet, or, if emailing another Hushmail user, completely protect messages from just about all but warrant searches.
Whether it is business data that needs to be protected from competitors, or private communications with your attorney, or just keeping files on your laptop, like banking information, tax information, or other files that you don't want compromised in case your laptop gets lost or stolen, you need to encrypt at least some of your files. Here is some great privacy software for doing that.
Once you accept these facts, it's easy to see that you should use encryption to protect your important data and communications. But surely encrypting something like "yay :)" is overkill, right? The catch here is that encryption is most effective when everyone uses it all the time. Otherwise the encrypted stuff sticks out like a sore thumb, announcing to all the world that this data is special and secret. So even if you have nothing to hide, using encryption as part of your regular routine will help protect you when you really need it, not to mention helping to protect others who really need it.
The problem is, the barrier to entry has traditionally been fairly high. Access to modern encryption used to be restricted to government agencies. This is now changing as more and more people pick up on PGP for email and HTTPS for the web.
Telegram: Messages are heavily encrypted and can self-destruct. Open API and protocol free for everyone. Distributed servers are spread worldwide for security and speed. (For Android/iPhone)
BitMessage – (Free) – Protect the security of your emails. BM-2D8imU27HR8oKxV8EyDKrT3wD6brXU76VX
Send me a "Hello" or "test" message.
KryptoKit: Easy-to-Use, In-Browser Bitcoin and Messaging for the Masses
Bitmsg.me – Free – (Extremely easy to use) Allows you to encrypt your online communications. Send me a "Hello" or "test" message: BM-2DBubtaAq4Mz2DJxKcXwkmW2aWAsuzTmhB
Encryptfree – Free – (Extremely easy to use) Allows you to encrypt your data and your communications.
GnuPG – Free (Requires some skill to use) – Allows you to encrypt your data and your communications.
TrueCrypt – Development of TrueCrypt was discontinued back in 2014, and it has not been maintained since. A number of security flaws have been uncovered, and as a result we are reaching out to people to highlight a list of alternatives.
Silent Phone: Encrypted voice and video calls on mobile devices. Currently available for iOS and Android, it can be used with Wi-Fi, EDGE, 3G or 4G cellular anywhere in the world.
Silent Text: Encrypted text messaging with attachments and "Burn Notice" feature for permanently deleting messages from device registries. Currently available for iOS with Android version under development.
Silent Mail: Encrypted e-mail on Silent Circle's private, secure network through unique silentcircle.com e-mail accounts with up to 1 Gigabyte (GB) of encrypted mailbox space. Compatible with popular e-mail client software.
Silent Eyes: Encrypted video and voice teleconferencing from laptops and business conference systems through Silent Circle's custom HD network. Compatible with Silent Phone. Currently available for Windows.
"there exists no method of verifying the effective security properties of Silent Circle, or to verify if, at all, the application does anything more or less than what it says it does. [...] Silent Circle promises encryption and yet offers no method to verify the security, integrity and reliability of their claims." Monty
Cryptocat: Free open source software that aims to provide an open, accessible Instant Messaging environment that encrypts your conversations and works right in your browser.
Wickr: The app (not open source) sends messages, photos (and soon videos) that will eventually be erased. Wickr allows users to choose how long they want their digital missives to last: as short as one second, and as long as 5 days, 23 hours, 59 minutes and 59 seconds.
Internet Use Itself:
Your IP address says a lot about you, your location, etc. and can be used to identify you personally. It can also be used to track you around the internet to figure out what you are doing, even if you have used other software to prevent your internet history from popping up. Plus, oppressive governments can just ask your ISP where you have been on the internet. If you don't want this to happen, you should turn your web surfing into anonymous browsing with these tools.
DropBox – Free – Cloud based file storage. No need to access files from any particular computer that might be compromised to track you. It is encrypted and you can upload files encrypted yourself for double the pleasure and double the fun of encryption. Paid services offer more storage.
IdentityCloaker – Makes anonymous browsing automatic and easy. Allows you to choose from several countries to base your anonymous browsing so you can watch the BBC from outside of England or watch Hulu from outside of the US.
Cryptohippie – Gives you access to their secure encrypted Virtual Private Network (VPN) to do anonymous browsing, even from public WiFi hotspots, hotels and other public places.
Proxify – Free – Anonymous web proxy. Free, but can be slow and can limit the functionality of some sites.
Tor – Free – Onion router which bounces your web traffic around through different servers to make it very difficult to trace your internet use to your IP address.
FireEye: The leader in next generation threat protection, stopping advanced malware, zero-day, and targeted APT attacks that bypass traditional defenses.
Password Management Privacy Software:
No matter how secure your networks, encryption, anti-virus and computer habits, the weakest point of all security systems is the password. Good password habits go a long way, but with increasing computing power, it is becoming increasingly easy to break simple passwords by brute force. Using password generators helps you keep track of more passwords and make those passwords more complex to prevent brute force attacks.
KeePass – Free – Keeps track of all of your passwords. You only have to remember one password to unlock the secure database where they are stored.
RoboForm – A lot like KeePass except it enters your passwords automatically. This can be very helpful when your strong passwords are long, complicated and easy to misspell.