Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Silent Circle Dangerous to Cryptography Software Development

Katrin Verclas katrin at mobileactive.org
Thu Oct 11 11:33:29 PDT 2012


I like to see them deliver on the code audits before jumping to judgment since the product is not even released.  Zimmerman gets those reservations, for sure, so let's see whether they can do a lot better than some companies before them. 

For now, the fact that Zimmerman and another staffer took significant time with activists and journalists under threat to understand specific use cases was interesting.  

We shall see... 

Cheers,

Katrin 


On Oct 11, 2012, at 2:24 PM, Nadim Kobeissi wrote:

> On 10/11/2012 2:14 PM, Katrin Verclas wrote:
>> Having sat for the better part of the day with Phil Zimmerman with activists and journalists in a room, here is what I learned: 
>> 
>> On Oct 11, 2012, at 12:15 PM, Nadim Kobeissi wrote:
>> 
>>> On 10/11/2012 12:04 PM, James Losey wrote:
>>>> Hi Nadim,
>>>> 
>>>> I largely agree with your assessment of Silent Circle and I offer these
>>>> thoughts in an effort to increase my understanding of the issue. The
>>>> product is a packaged "solution" clearly targeted towards business
>>>> customers focused on corporate privacy. And while the company offeres
>>>> regular transparency statements on government requests and strives to
>>> 
>>> Unless hit by a search warrant and a gag order at the same time, or a
>>> federal subpoena.
>> 
>> Zimmerman stated that servers are located in Canada to avoid US subpoenas (not a lawyer, not sure what's that worth in the end).
> 
> His entire IP block is connected to servers in the United States. I am
> very skeptical of that claim. Furthermore, this is nonsense; the issue
> isn't being protected against *one* country's subpoena, it's being
> protected against *any* subpoena.
> 
>> 
>> According to the Silent Circle website: 
>> 
>> Websites and products that don’t list the people behind the technology or where their servers are located, how the encryption keys are held or even how you can verify that your data is actually encrypted, are typical of the industry and provide only pseudo-security based on a lot of unverifiable trust.
>> 
>> Our secure communications products use “Device to Device Encryption” – putting the keys to your security in the palm of your hand (except for Silent Mail, which is configured for PGP Universal and utilizes server side key encryption). We DO NOT have the ability to decrypt your communications across our network and nor will anyone else - ever. 
> 
> The closed-source nature of the software makes pushing
> government-mandated backdoors incredibly easy and extremely difficult to
> detect if done right. This is a tall claim not backed by evidence or the
> possibility of review.
> 
>> Silent Phone, Silent Text and Silent Eyes all use peer-to-peer technology and erase the session keys from your device once the call or text is finished. Our servers don’t hold the keys…you do. Our secure encryption keeps unauthorized people from understanding your transmissions. It keeps criminals, governments, business rivals, neighbors and identity thieves from stealing your data and from destroying your personal or corporate privacy. There are no back doors, nor will there ever be.
> 
> ...unless they're served a court order, in which case Silent Circle will
> either implement a backdoor or go to jail, thank you very much.
> 
>> 
>> 
>> More importantly, Zimmerman noted that Silent Circle code will be made available for audit.
>> 
> 
> Skype, too, says that its code is available for audit, and then only
> lets a single academic audit it via an auditing that they themselves
> fund. This is likely PR; I will not be satisfied unless anyone can
> audited the code, and the source code is kept updated with every new
> release.
> 
>> 
>>> 
>>>> minimize storage of some types of data (and you're right that payment
>>>> info is problematic) the company is clearly interested in paying for
>>>> privacy assurances and seems less focused on supporting activists. 
>> 
>> According to Zimmerman (who was keenly interested in use cases for activists) will make licenses available to activists at no cost.  They have not figured out the process for this yet, but we'll certainly follow up with them. 
> 
> This is just really scary -- a piece of closed source, unaudited,
> unverifiable software that costs money for corporations, but is free for
> activists?
> 
>> 
>> 
>> Katrin 
>> 
>> --
>> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> 
> 
> NK
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech


Katrin Verclas
MobileActive.org
katrin at mobileactive.org

skype/twitter: katrinskaya
(347) 281-7191

A global network of people using mobile technology for social impact
http://mobileactive.org




More information about the liberationtech mailing list