[liberationtech] Silent Circle Dangerous to Cryptography Software Development
nadim at nadim.cc
Thu Oct 11 09:15:47 PDT 2012
On 10/11/2012 12:04 PM, James Losey wrote:
> Hi Nadim,
> I largely agree with your assessment of Silent Circle and I offer these
> thoughts in an effort to increase my understanding of the issue. The
> product is a packaged "solution" clearly targeted towards business
> customers focused on corporate privacy. And while the company offers
> regular transparency statements on government requests and strives to
Unless hit by a search warrant and a gag order at the same time, or a
> minimize storage of some types of data (and you're right that payment
> info is problematic) the company is clearly interested in paying for
> privacy assurances and seems less focused on supporting activists.
> However, is Silent Circle dangerous to the development of cryptography
> software or simply an example of poor implementation of how to do it
> well? I would argue that it is the latter. I think it can be helpful for
> the development of cryptography. First and foremost, while many on this
> list understand the import of encryption and privacy, increasing
> mainstream digital security. One way to do this is offering a service
> and ease of use. I agree that charging for services increases barriers
> but I also think that increased availability also helps raise the
> profile of why digital security is important.
James, you can charge for a service and leave it as open source
software. This has been done countless times over the years and has
functioned successfully. I am not against Silent Circle costing money -
I'm against it being closed source software.
> I make no claims or defense of the actual security of Silent Circle.
> It might be fine for some people and it might have built-in backdoors
> that would be revealed through a security audit. Either way, I would not
> recommend it for sensitive uses. Where there is a perceived demand there
> will always be someone ready to offer a product. Not necessarily a good
> one, but something nonetheless.
> Concluding, I think there are two main important themes here. First, I
> see Silent Circle as an example of increased understanding of security
> threats and thus increased demand for secure communications. Secondly,
> conversations of best and worst practices of cryptography are vibrant
> in this community but not necessarily mainstream. I think Silent Circle
> is an opportunity to discuss what people need to look for in a secure
> communications tool, and when not to trust it.
> *TL;DR* I don't think Silent Circle is dangerous for the development of
> cryptography software but demonstrates potential demand and can spark a
> discussion of best and worst practices of crypto software development.
How did you jump to this? Even the softest cryptography software still
has to allow for an audit, and Silent Circle operates from a culture
that doesn't. It is still dangerous.
> Nadim and others I'm curious of your thoughts.
> On Thu, Oct 11, 2012 at 5:41 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:
> My blog post on the matter: http://log.nadim.cc/?p=89
> Your feedback is appreciated, thank you!
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech