LAS VEGAS—Signal creator Moxie Marlinspike offered a two-part lesson at Black Hat 2024: Software may be today's magic, but you need to know who you're waving your wand at.
And like other developers of early encryption applications, Marlinspike made the mistake of thinking his users were other wizards.
“What we were going to do was create really powerful tools for ourselves and teach everyone to be like us,” he told Black Hat founder Jeff Moss in an onstage chat Thursday morning. “And that won’t work.”
Marlinspike brought up Pretty Good Privacy (PGP), a set of encryption tools that first shipped in 1991. PGP was many people's first experience with encrypted messages, and their last for years afterward, once they had been scared off by its mystifying user experience.
“We’re going to teach people how to use a PGP key server,” he recalled with a laugh. “We’ll just hang out over dinner and sign the keys or whatever.”
Sadly, people were unwilling to: "We were just wrong."
Marlinspike called this behavior a kind of software snobbery — “a set of cultural norms that they, including me, were reluctant to undermine because it would mean undermining our identities.”
He said he had to unlearn that mindset, which he also saw in pre-Napster file-sharing tools, to understand that non-technical users wouldn't do things like his own hardware hack of wiring a physical switch into a phone so he could turn off its microphone.
“I had given myself some brain damage,” he said. “A lot of people in that world who were very familiar with these things were living an equally crazy life.”
The lesson there, Marlinspike said, is that developers should manage complexity rather than leave it as an exercise for their users. “The intuition was to take the complexity and push it to the user,” he said. “You take on the complexity instead of making the user deal with it.”
Marlinspike didn't compare Signal (where he served as CEO until stepping down in January 2022) to PGP, but that open-source app shows how a developer can cleanly package end-to-end encryption so that it feels like any other messaging app.
(If you haven't used Signal, it's a bit like Meta's WhatsApp, except this app doesn't start out by scanning your phone's contact list.)
Earlier in his conversation with Moss, Marlinspike looked beyond the universe of encryption software to discuss the “inherently expensive” craft of software development.
“I envy writers, filmmakers, musicians, people who can create something and make it happen,” he said. “Software doesn’t work like that. Software never ends.”
Marlinspike added that he is optimistic about AI’s potential to make software development cheaper.
And in a somewhat meandering solo talk that preceded his conversation with Moss, Marlinspike took an even more philosophical view of his profession, comparing software development to magic as depicted in the Harry Potter book series.
"In the world of Harry Potter, all they need is knowledge of spells and a wand," he said. Writing software might be like that, with the wand replaced by a laptop, but the increasingly complex world of commercial development has eroded that, encouraging coders to see software as a bunch of black boxes.
"I feel like this spell has waned somewhat over time," Marlinspike mused. But security researchers like those in the audience have the power to bring some of that magic back, because security requires opening those black boxes to reveal their inner workings.
“Security is the process of looking through abstractions to understand how things work,” he said. “You’re all the ones who have been sitting in the library, learning spells.”