I think that dismissing as baseless investigations from 9 different reporters, on 3 different newspapers (add one more, FP, if consider this[1]) is misleading. Additionally, it is just false to say all the articles only relied on anonymous sources (of which they have many, by the way), but there are clearly sources on record as well, such as Simone Margaritelli and Jonathan Cole for The Intercept, and Lori Stroud for Reuters.
While obviously there is no scientific metric for this, I do think the number of sources (anonymous and not) and the variety of reporters and of newspapers (with their respective editors and verification processes) do qualify the reporting as "credible" and "extensively sourced". Additionally, details provided by sources on record directly matched attacks documented by technical researchers. For example, Lori Stroud talking details over the targeting of Donaghy, which was also proven in Citizen Lab's "Stealth Falcon" report. Lastly, Reuters reporters make repeated mentions of documents they had been able to review supporting the claims of their sources. Unless you have good reasons to believe reporters are just lying out of their teeth, I don't see how all of this can't be considered credible. [1] https://foreignpolicy.com/2017/12/21/deep-pockets-deep-cover-the-uae-is-paying-ex-cia-officers-to-build-a-spy-empire-in-the-gulf/ On 7/9/19 6:09 PM, Nadim Kobeissi via dev-security-policy wrote: > Dear Wayne, > > I fully respect Mozilla's mission and I fully believe that everyone here is > acting in good faith. > > That said, I must, in my capacity as a private individual, decry what I > perceive as a dangerous shortsightedness and lack of intellectual rigor > underlying your decision. I do this as someone with a keen interest in > Internet freedom issues and not as someone who is in any way partisan in > this debate: I don't care for DarkMatter as a company in any way whatsoever > and have no relationship with anyone there. > > I sense enough urgency in my concerns to pause my work schedule today and > respond to this email. I will do my best to illustrate why I sense danger > in your decision. Essentially there are three specific points I take issue > with: > > ----------------- > 1: Waving aside demands for objective criteria. > ----------------- > You say that "if we rigidly applied our existing criteria, we would deny > most inclusion requests." Far from being an excuse to put more weight (or > in this case, perhaps almost all weight) on subjective decision making, > this should be a rallying cry for Mozilla to investigate why it is that an > objective and democratic decision-making process is failing, and what can > be done to make it work better. Waving aside objective procedures as > "checklists" dismisses a core procedural element of how such critical > decisions should be made in the future and is explicitly undemocratic and > therefore dangerous. > > ----------------- > 2: Calling allegations "credible" and "extensively sourced" with almost no > basis whatsoever. > ----------------- > You cite four articles: two are from the Intercept, one is from Reuters and > one is from the New York Times. You claim that the fact that they are years > apart bolsters their credibility; why is this the case? In fact, these > articles all parrot almost exactly the same story, with some minor > additions, updates and modifications. They all almost read like the same > article, despite their temporal distribution. Furthermore, the notion that > the articles are "extensively sourced" is simply incorrect: all of the > articles are based on anonymous sources and none of them provide a shred of > evidence, which is why we are in this debate to begin with (or so I've been > thinking). > > It should also be noted that both The Intercept and the New York Times have > published misleading and incorrect information many times in their history. > The Intercept in particular has a very spotty credibility record. > > It is also is not difficult to theorize how a politically trendy topic > (cyberattacks) against the world's most easy-to-villainize company (an > Arabic offensive cybersecurity company operating within a true monarchic > state) would be appealing to American journalists. This sort of thing isn't > new, and American "digital rights" groups have previously linked malicious > cyberattacks to Middle Eastern countries without providing something that > is even close to the same standard of evidence that they almost always > provide when naming American or European actors. > > Is is indeed unfortunate that this issue was dealt with in a single > paragraph: I would have expected it to be the brunt of the email given its > importance, and it is impossible to qualify that reporting as "credible" > and "extensively sourced" so summarily. > > ----------------- > 3: Culminating in an argument that simply boils down to "the people's > safety", a trope that is often overused and that leads to undemocratic > behavior. > ----------------- > > We don't know if DarkMatter is an evil spying empire that doesn't care > about the rights and dignity of private citizens or not. We don't know if > they're setting up shell companies to mislead Mozilla's CA vetting > procedures or not. In fact, it's been months where no new information has > arisen and I would like to repeat that I do not _at all_ discount the > possibility that all of the allegations may turn out to be completely true. > > But instead of making effort towards resolving this uncertainty, or, in > case that's not possible, create procedures to deal with it, we see it > being wielded in order to increase the subjectivity of the decision making > that gatekeeps some of the most fundamental issues of Internet security and > to legitimize shoddy thinking. > > Individually, your apparent decision against DarkMatter doesn't bother me. > It is the decision making process itself however that risks setting a > dangerous precedent that is already taking shape in other parts of the tech > community, where major decisions are predicated on gut feeling and notions > of safety that are almost by design impossible to elucidate, and where > much-needed objectivity, vetting and reasoned behavior is relegated to > one-shot paragraphs that barely come with an apology. > > In conclusion: perhaps it is exactly because DarkMatter are so incredibly > easy to demonize that we are so temporarily blind to an infinitely more > dangerous and terrifying lapse of judgement: one that may come from much > closer to home. I don't mind if DarkMatter loses out here, but I urge you > to self-reflect critically on what this decision may constitute in terms of > a future trend. > > Presented with the utmost respect and good faith, > > Yours sincerely, > > Nadim Kobeissi > Symbolic Software • https://symbolic.software > Sent from office > > > On Tue, Jul 9, 2019 at 5:31 PM Wayne Thayer <wtha...@mozilla.com> wrote: > >> I would like to thank everyone for their constructive input on this >> difficult issue. I would also like to thank DarkMatter representatives for >> participating in the open, public discussion. I feel that the discussion >> has now, after more than 4 months, run its course. >> >> The question that I originally presented [1] to this community was about >> distrusting DarkMatter’s current intermediate CA certificates (6 total) >> based on credible evidence of spying activities by the company. While a >> decision to revoke trust in these intermediates would likely result in a >> denial of DarkMatter’s root inclusion request [2], the public discussion >> for that request has not yet begun. A decision not to revoke these >> intermediates does not necessarily mean that the inclusion request will be >> approved. >> >> Some of this discussion has revolved around compliance issues, the most >> prominent one being the serial number entropy violations discovered by >> Corey Bonnell. While these issues would certainly be a consideration when >> evaluating a root inclusion request, they are not sufficient to have >> triggered an investigation aimed at revoking trust in the DarkMatter >> intermediates or QuoVadis roots. Therefore, they are not relevant to the >> question at hand. >> >> Much of the discussion has been about the desire for inclusion and distrust >> decisions to be made based on objective criteria that must be satisfied. >> However, if we rigidly applied our existing criteria, we would deny most >> inclusion requests. As I stated earlier in this thread, every distrust >> decision has a substantial element of subjectivity. One can argue that >> we’re discussing a different kind of subjectivity here, but it still >> amounts to a decision being made based on a collective assessment of all >> the information at hand rather than a checklist. >> >> Some, including DarkMatter representatives [3], have declared the need to >> examine and consider the benefits of having DarkMatter as a trusted CA. >> However, last year we changed our policy to replace the weighing of >> benefits and risks with “based on the risks of such inclusion to typical >> users of our products.” [4] >> >> Perhaps the most controversial element in this discussion has been the >> consideration of “credible evidence”. The first component is the inherent >> uncertainty over what is “credible”, especially in this day and age. While >> it has been pointed out that respected news organizations are not beyond >> reproach [5], having four independent articles [6][7][8][9] from reputable >> sources published years apart does provide some indication that the >> allegations are credible. These articles are also extensively sourced. >> >> If we assume for a second that these allegations are true, then there is >> still a sincere debate over what role they should play in our decision to >> trust DarkMatter as a CA. The argument for considering these allegations is >> akin to the saying “where there’s smoke there’s fire”, while the argument >> against can be described as “innocent until proven guilty”. >> >> DarkMatter has argued [3] that their CA business has always been operated >> independently and as a separate legal entity from their security business. >> Furthermore, DarkMatter states that once a rebranding effort is completed, >> “the DarkMatter CA subsidiary will be completely and wholly separate from >> the DarkMatter Group of companies in their entirety.” However, in the same >> message, DarkMatter states that “Al Bannai is the sole beneficial >> shareholder of the DarkMatter Group.” and leaves us to assume that Mr. Al >> Bannai would remain the sole owner of the CA business. More recently, >> DarkMatter announced that they are transitioning all aspects of the >> business to DigitalTrust and confirmed that Al Bannai controls this entity. >> This ownership structure does not assure me that these companies have the >> ability to operate independently, regardless of their names and legal >> structure. >> >> Mozilla’s principles should be at the heart of this decision. “The Mozilla >> Manifesto [10] states: >> >> Individuals’ security and privacy on the internet are fundamental and must >> not be treated as optional.” >> >> And our Root Store policy states: “We will determine which CA certificates >> are included in Mozilla's root program based on the risks of such inclusion >> to typical users of our products.” >> >> In other words, our foremost responsibility is to protect individuals who >> rely on Mozilla products. I believe this framing strongly supports a >> decision to revoke trust in DarkMatter’s intermediate certificates. While >> there are solid arguments on both sides of this decision, it is reasonable >> to conclude that continuing to place trust in DarkMatter is a significant >> risk to our users. I will be opening a bug requesting the distrust of >> DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also >> recommend denial of the pending inclusion request, and any new requests >> from DigitalTrust. >> >> In the past, we’ve seen CAs attempt to make an end run around adverse trust >> decisions - through an acquisition, a shell company, etc. We will treat any >> such attempt as a violation of this decision and act accordingly. Mozilla >> does welcome DigitalTrust as a “managed” subordinate CA under the oversight >> of an existing trusted CA that retains control of domain validation and the >> private keys. >> >> This discussion has highlighted an opportunity to improve our review of new >> externally-operated subordinate CAs [11]. This issue [12] is part of the >> current policy update discussions. >> >> Wayne >> >> [1] >> >> https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ >> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262 >> [3] >> >> https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/mJ0EV2eoCgAJ >> [4] >> >> https://groups.google.com/d/msg/mozilla.dev.security.policy/58F6FgeGOz8/Zzb-r76wBQAJ >> [5] >> >> https://www.washingtonpost.com/blogs/erik-wemple/wp/2018/11/27/bloomberg-is-still-reporting-on-challenged-story-regarding-china-hardware-hack/ >> [6] >> >> https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/ >> [7] https://www.reuters.com/investigates/special-report/usa-spying-raven/ >> [8] >> >> https://www.nytimes.com/2019/03/21/us/politics/government-hackers-nso-darkmatter.html >> [9] https://theintercept.com/2019/06/12/darkmatter-uae-hack-intercept/ >> [10] https://www.mozilla.org/en-US/about/manifesto/ >> [11] >> >> https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits >> [12] https://github.com/mozilla/pkipolicy/issues/169 >> > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
