[liberationtech] Silent Circle Going Open Source
ali at packetknife.com
Wed Nov 21 11:49:58 PST 2012
Separately I think the most susceptible CALEA component is Silent Mail -
because it's not using a peer-to-peer model by default. So, as of now, I
don't think CALEA can force the software to be poisoned unless SC also
does store-and-fwd of the message. This has always been a point of
confusion between attorneys and actual companies complying in my
experience. I trust other people here know exactingly how this all works.
Either way, I want some verbiage clarification from SC on the topic anyhow.
On Wed, Nov 21, 2012 at 2:45 PM, Ali-Reza Anghaie <ali at packetknife.com> wrote:
> They have a bit about what they can and will turn over at:
> And make mention of CALEA. There is some ambiguity IMO I'm not thrilled
> with so I'm reaching out about that. I know it's not enough for you but I
> still think that given the target audiences using nothing, this is still a
> huge (potential) win if they hit a stride. -Ali
> Key quotes:
> "We retain the following information as part of our normal business
> Authentication information — your user name and hashed password. We hash
> passwords with a twelve-character random salt and 20,000 iterations of
> HMAC-SHA256 via PBKDF2.
> Your contact email address.
> Your Silent Phone number that we issue you
> Server IP Logs for login only. We currently retain these for 7 days, and
> are working to reduce this to 24 hours"
> "We are a law-abiding company, and US law (the Communications Assistance
> for Law Enforcement Act, CALEA) makes it clear that communications service
> providers can deliver products to their customers that use encryption to
> protect their communications without having the ability to decrypt those
> communications. This means no Government-mandated backdoors. Indeed,
> history has shown that backdoors created for law enforcement interception
> are themselves a security liability, and present an irresistible target for
> hackers and state sponsored attackers."
> "We must and will comply with valid legal demands for the very limited
> information we hold. Thus, we want to make it clear that when legally
> compelled to do so, we will turn over the little information we hold,
> described above. Before turning it over, however, we will evaluate the
> request to make sure it complies with the letter and spirit of the law.
> And, consistent with best privacy practices followed by other companies,
> when possible and legally permissible, we will notify the user in order to
> give him or her the opportunity to object to the disclosure."
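The password-storage scheme quoted in the policy text above (PBKDF2 with HMAC-SHA256, 20,000 iterations, a twelve-character random salt) can be reproduced with the Python standard library. This is an added example, not Silent Circle's code; the salt alphabet, the "iterations$salt$hex" record layout and the rehash check are this example's own assumptions, since the quoted text does not specify them.

```python
import hashlib
import hmac
import secrets
import string

# Parameters as stated in the quoted policy text.
PBKDF2_ITERATIONS = 20_000
SALT_CHARS = 12
# Assumption: the quote says "twelve-character", not which characters; we use alphanumerics.
SALT_ALPHABET = string.ascii_letters + string.digits


def make_salt(length: int = SALT_CHARS) -> str:
    """Draw `length` characters from a CSPRNG so each user gets a unique salt."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: str, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2 with HMAC-SHA256 over the password and salt; returns the raw 32-byte digest."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )


def store_record(password: str) -> str:
    """Build a storable record. The 'iterations$salt$hex' layout is this example's choice;
    keeping the iteration count in the record lets the cost be raised later."""
    salt = make_salt()
    digest = hash_password(password, salt)
    return f"{PBKDF2_ITERATIONS}${salt}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    iterations_s, salt, stored_hex = record.split("$")
    candidate = hash_password(password, salt, int(iterations_s))
    return hmac.compare_digest(candidate, bytes.fromhex(stored_hex))


def needs_rehash(record: str, current_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than the current setting,
    meaning it should be re-hashed at the user's next successful login."""
    return int(record.split("$")[0]) < current_iterations


if __name__ == "__main__":
    rec = store_record("correct horse battery staple")  # constructed sample password
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify bad:", verify_password("wrong password", rec))
    print("needs rehash:", needs_rehash(rec))
```

The iteration count and salt are stored next to the digest rather than hidden: the policy text already treats them as public parameters, and keeping them per-record is what allows the cost factor to be raised over time without invalidating existing accounts.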