[liberationtech] Silent Circle Dangerous to Cryptography Software Development

James Losey jameswlosey at gmail.com
Thu Oct 11 09:22:33 PDT 2012


>
> > *TL:DR *I don't think Silent Circle is dangerous for the development of
> > cryptography software but demonstrates potential demand and can spark a
> > discussion of best and worst practices of crypto software development.
>


> How did you jump to this? Even the softest cryptography software still
> has to allow for an audit, and Silent Circle operates from a culture
> that doesn't. It is still dangerous.


It is possible that I am misunderstanding something in your post but
the perspective I am coming from is that insecure (or closed) attempts at
offering secure communications software are not necessarily bad for the
development of software writ large but an example of how to do it wrong
that needs to be highlighted as well as an opportunity to say why access to
code and independent verification are so important.

J

On Thu, Oct 11, 2012 at 6:15 PM, Nadim Kobeissi <nadim at nadim.cc> wrote:

> On 10/11/2012 12:04 PM, James Losey wrote:
> > Hi Nadim,
> >
> > I largely agree with your assessment of Silent Circle and I offer these
> > thoughts in an effort to increase my understanding of the issue. The
> > product is a packaged "solution" clearly targeted towards business
> > customers focused on corporate privacy. And while the company offers
> > regular transparency statements on government requests and strives to
>
> Unless hit by a search warrant and a gag order at the same time, or a
> federal subpoena.
>
> > minimize storage of some types of data (and you're right that payment
> > info is problematic) the company is clearly interested in paying for
> > privacy assurances and seems less focused on supporting activists.
> >
> > However, is Silent Circle dangerous to the development of cryptography
> > software or simply an example of poor implementation of how to do it
> > well? I would argue that it is the latter. I think it can be helpful for
> > the development of cryptography. First and foremost, while many on this
> > list understand the import of encryption and privacy, increasing
> > mainstream digital security. One way to do this is offering a service
> > and ease of use. I agree that charging for services increases barriers
> > but I also think that increased availability also helps raise the
> > profile of why digital security is important.
>
> James, you can charge for a service and leave it as open source
> software. This has been done countless times over the years and has
> functioned successfully. I am not against Silent Circle costing money -
> I'm against it being closed source software.
>
> >
> > I make no claims or defense of the actual security of Silent Circle.
> > It might be fine for some people and it might have built-in backdoors
> > that would be revealed through a security audit. Either way, I would not
> > recommend it for sensitive uses. Where there is a perceived demand there
> > will always be someone ready to offer a product. Not necessarily a good
> > one, but something nonetheless.
> >
> > Concluding, I think there are two main important themes here. First, I
> > see Silent Circle as an example of increased understanding of security
> > threats and thus increased demand for secure communications. Secondly,
> > conversations of best and worst practices of cryptography are vibrant
> > in this community but not necessarily mainstream. I think Silent Circle
> > is an opportunity to discuss what people need to look for in a secure
> > communications tool, and when not to trust it.
> >
> > *TL:DR *I don't think Silent Circle is dangerous for the development of
> > cryptography software but demonstrates potential demand and can spark a
> > discussion of best and worst practices of crypto software development.
>
> How did you jump to this? Even the softest cryptography software still
> has to allow for an audit, and Silent Circle operates from a culture
> that doesn't. It is still dangerous.
>
> >
> > Nadim and others I'm curious of your thoughts.
> >
> > J
> >
> >
> >
> > On Thu, Oct 11, 2012 at 5:41 PM, Nadim Kobeissi <nadim at nadim.cc
> > <mailto:nadim at nadim.cc>> wrote:
> >
> >     My blog post on the matter: http://log.nadim.cc/?p=89
> >     Your feedback is appreciated, thank you!
> >
> >     NK
> >     --
> >     Unsubscribe, change to digest, or change password at:
> >     https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >