Forgot your password?
typodupeerror
Encryption Privacy Security Your Rights Online

Zimmermann's Silent Circle Now Live 127

Posted by timothy
from the different-zimmerman dept.
e065c8515d206cb0e190 writes "Several websites have announced the launch of Silent Circle, PGP's founder Phil Zimmermann's new suite of tools for the paranoid. After a first day glitch with a late approval of their iOS app, the website seems to now accept subscriptions. Have any slashdotters subscribed? What does SilentCircle provide that previous applications didn't have?"
This discussion has been archived. No new comments can be posted.

Zimmermann's Silent Circle Now Live

Comments Filter:
  • by Animats (122034) on Saturday October 20, 2012 @03:40PM (#41716265) Homepage

    The "Silent Circle" uses their own "Silent Network", allowing centralized user tracking. Also, the code isn't open source, so you have no idea if the crypto key generation is any good or if there are backdoors.

    • Re: (Score:1, Flamebait)

      by fustakrakich (1673220)

      If there are backdoors? Doesn't the government mandate them?

      • by Anonymous Coward on Saturday October 20, 2012 @04:06PM (#41716439)

        HURR DURR Obama Warrantless Wiretapping HURR DURR

      • by Ken_g6 (775014)

        If there are backdoors? Doesn't the government mandate them?

        Depends on the government, I think. From one of TFAs:

        Canada's privacy laws are the most stringent in the world

        Not that I really trust the company's proprietary software any more because of this.

      • by Bysshe (1330263) on Saturday October 20, 2012 @05:50PM (#41717115)
        Considering Zimmermann's track record of not including backdoors and that he was investigated for several years much to his personal detriment for several years in the 90s for his release of PGP I think this particular protocol is pretty safe. Lastly and business case is based 100% on total security. If ever it leaked that there's any kind of backdoor it would all be for naught. I highly doubt the core team (there are 4 of them, including Zimmermann, 2 ex seals, and Callas) would risk their reputations on including a backdoor. In addition any real backdoors would flag an interference.
        • Regardless of their reputation, a central server will always put you at risk. There are lots of bad people out there with squeaky clean reputations, but we only find out when they slip up. If you're trying to hide your communications from anyone, then you should better than to trust anyone, including the person you're communicating with. So, you know the risks, take your chances, and hope for the best.

          If the government is ordering the placement of backdoors, which is very likely if the service becomes wides

          • by mlts (1038732) *

            Even if the endpoints encrypt data, encrypted data going through one central point is still at risk. Even though it can't be read, it can be tampered with, possibly DoS-ed. At the minimum, an attacker can eventually do traffic analysis and figure out who is communicating to whom.

            The physical car example:

            You don't drive an armored car with your gold in it via a depot in Spokane every time you want to make a deposit to the bank.

            • by Bill, Shooter of Bul (629286) on Saturday October 20, 2012 @11:59PM (#41719243) Journal

              Of course I don't drive an armored car with my Gold. The armored car is only used for the silver. The gold is transported by zepplin, for increased security.

        • by pnot (96038) on Saturday October 20, 2012 @08:22PM (#41718085)

          Lastly and business case is based 100% on total security. If ever it leaked that there's any kind of backdoor it would all be for naught.

          Lance Armstrong is innocent. His business case is based 100% on being a non-cheating cyclist: if it ever leaked that he'd taken any kind of performance enhancers, it would all be for naught.

          • by Anonymous Coward

            Lastly and business case is based 100% on total security. If ever it leaked that there's any kind of backdoor it would all be for naught.

            Lance Armstrong is innocent. His business case is based 100% on being a non-cheating cyclist: if it ever leaked that he'd taken any kind of performance enhancers, it would all be for naught.

            Wait! Are you saying Zimmerman has testicular cancer?

            • by SpzToid (869795)

              No, that would be to Phil Zimmerman's detriment. I think the take-home message here is Phil Zimmerman and Sheryl Crow are probably a hot item now, but let's get real. Phil is still Phil and she'll move on; these things cannot last forever.

        • So how do we know he wasn't found guilty of something, cut a deal and released a closed source program with a direct link to all government agencies? ....tin Hat Maximum power!@!!

    • by Anonymous Coward

      The "Silent Circle" uses their own "Silent Network", allowing centralized user tracking. Also, the code isn't open source, so you have no idea if the crypto key generation is any good or if there are backdoors.

      I couldn't sign up going through my 3 proxies - the website timed out.

      What?!? And let them know my IP?!?!

      This could be a honey pot for the FBI or CIA or Illuminati!

      • This could be a honey pot for the FBI or CIA or Illuminati!

        You think that FBI and CIA would fall for it and ditch their own encryption measures? I mean, they're dumb at times, but still...

    • by Genda (560240)

      Why stop there. The government can just watch the "Silent Circle" and log the folks who go on their site on the presumption that if they want to hide their stuff, there must be reasonable cause for investigation.

    • by interval1066 (668936) on Saturday October 20, 2012 @04:44PM (#41716667) Homepage Journal
      Even so, with Zimmerman's involvement I tend more to a "trust" relationship than an "untrusted" one. Zimmerman is on my whitelist.
      • by nurb432 (527695)

        Him being trusted makes it even more dangrous if hes gone rogue, or someone else in his organization has.

        I prefer point to point encryption with no middle man and a direct connection between us. Nothing is perfect, but it should be better than putting your trust in someone else, no matter who it is..

      • by Anonymous Coward

        Zimmerman is on my whitelist.

        Why... because he has a web page on which he asserts that there are no backdoors in PGP?

        And what do you expect he would have said if there are?

        Note that the source code you can download doesn't compile into the PGP executable. Convenient.

        • Note that the source code you can download doesn't compile into the PGP executable. Convenient.

          And you conclude this how? MD5/SHA-1? Because that proves a whole lot...just one character different somewhere and it's out the window.

        • by mlts (1038732) *

          Which PGP executable? I've never encountered his work not building when I used PGP in the past (before GnuPG came out.) Even RSAREF would work.

          PRZ stuck his neck on the line from the get-go way back when Congress was in the process of codifying laws to completely ban cryptography wholesale in the US, or only allow backdoored implementations like Clipper/Skipjack to be used. He spent years twisting on the wind of the ITAR lawsuit.

          You have to trust someone; and he is one of the few people in the industry w

      • by maestroX (1061960) on Saturday October 20, 2012 @05:29PM (#41716967)
        buuttt.... is it Zimmerman?
      • by chihowa (366380) on Saturday October 20, 2012 @06:03PM (#41717217)

        Even so, with Zimmerman's involvement I tend more to a "trust" relationship than an "untrusted" one. Zimmerman is on my whitelist.

        That's funny, because I almost feel the complete opposite way. I really want to trust Zimmerman, but I can't make myself do it. Part of it is keeping his work closed source, which is extra scary when talking about cryptography. Being asked to trust a security solution that you can't examine is insane.

        But part of it also comes from his past. He went against the wishes of the US government and won. In my experience, that just doesn't happen... ever. The fact that he's still working in cryptography and not in some hole somewhere makes me think he's playing ball with the government. It at least raises doubts, which cannot be alleviated by reviewing the source code.

        Or maybe I'm just paranoid. But cryptography is the plaything of the paranoid, and relying on the paranoid to just trust you seems a little off.

        • by Incadenza (560402) on Saturday October 20, 2012 @06:53PM (#41717549)
          "Yes, I am paranoid. But am I paranoid enough?"
        • Part of it is keeping his work closed source, which is extra scary when talking about cryptography. Being asked to trust a security solution that you can't examine is insane.

          Unless you're a crytpographer and a programmer... examining the source is pretty much pointless. It may give you a warm happy fuzzy to be able to do so, but you lack the qualifications to actually evaluate it.

          But cryptography is the plaything of the paranoid

          No, it's mostly the plaything of those desperately trying to improve th

          • by pnot (96038) on Saturday October 20, 2012 @08:18PM (#41718053)

            Part of it is keeping his work closed source, which is extra scary when talking about cryptography. Being asked to trust a security solution that you can't examine is insane.

            Unless you're a crytpographer and a programmer... examining the source is pretty much pointless. It may give you a warm happy fuzzy to be able to do so, but you lack the qualifications to actually evaluate it.

            The point, surely, is not that I am necessarily a cryptographer, but that the source is available to those who are. It's not necessary for every user to independently audit the code, because the skilled individuals who do audit the code can then communicate their findings.

            "But why trust the skilled individuals?", you may ask. Answer: because I find it unlikely that all the world's cryptographers are conspiring to keep quiet about any vulnerabilities they find the code. At any rate it's a more sensible strategy than "assume that Zimmerman is both infallible and incorruptible".

            • by martin-boundary (547041) on Saturday October 20, 2012 @10:48PM (#41718907)

              The point, surely, is not that I am necessarily a cryptographer, but that the source is available to those who are. It's not necessary for every user to independently audit the code, because the skilled individuals who do audit the code can then communicate their findings.

              Yes. Let me just add a nitpick. It is necessary that *any* user can *initiate* an independent audit of the code he personally received.

              Merely trusting a community of experts who choose to publish their audits as they please is another form of argument from authority. It's a slippery slope to a world where the source code is only available to qualified experts, since there would be no point in making it available to nonqualified individuals.

              Instead, the point of open source is that any user can hire an expert of their choosing, to work on source code as given to them (not source code the expert downloaded from a presumably equivalent source). AND THE PROBABILITY THAT SOME USERS ACTUALLY DO SO MUST BE STRICTLY POSITIVE.

              because I find it unlikely that all the world's cryptographers are conspiring to keep quiet about any vulnerabilities they find the code.

              Like nearly everybody, cryptographers tend to act in the best interests of their employers. That is why it is necessary for random users to hire such cryptographers every once in a while, as outlined above.

              We cannot trust that the usual employers won't keep quiet about the findings for selfish reasons, eg large companies like Microsoft or Google sitting on discoveries until they can create and deploy a patch.

            • Unless you're a crytpographer and a programmer... examining the source is pretty much pointless. It may give you a warm happy fuzzy to be able to do so, but you lack the qualifications to actually evaluate it.

              The point, surely, is not that I am necessarily a cryptographer, but that the source is available to those who are. It's not necessary for every user to independently audit the code, because the skilled individuals who do audit the code can then communicate their findings.

              Which brings you right back to

              • by HiThere (15173)

                Ah, I see your mistake. You're assuming that P = NP.

                Many things which are hard to calculate are easy to check. So it takes a much better expert to create good code than it does to find a hole in the same code.

                This implies that MANY "experts" who wouldn't be qualified to write the code, are still qualified to punch holes in it. Lots of them have large egos, and would like the world to know how smart they are, so some percentage of them would shout it from the rooftops. *IF* they have access so they can f

        • by phantomfive (622387) on Saturday October 20, 2012 @09:04PM (#41718343) Journal

          He went against the wishes of the US government and won. In my experience, that just doesn't happen... ever.

          Then you don't pay attention enough.

        • paranoid is good when you are dealing with security. If your security product doesn't properly asses the concerns of the paranoid, its a shitty secutiy product.
        • I believe him (Score:2, Interesting)

          by ei4anb (625481)
          I was working on public key cryptography in the late 70s while doing my undergrad degree in maths and electronics and got to know some of the people in that field. I have talked with PZ face to face about his experiences with PGP and government. I believe him.
      • Your Logical Fallacy is genetic [yourlogicalfallacyis.com].
    • by reybo (2540564)
      There are more gov agents misleading this topic than any we've seen before in this forum. Probably means this will make eavesdropping on email, etc. more complicated.
    • Re: (Score:3, Interesting)

      by Mjanke (2757431)

      From Silent Circle's CEO:
      We are putting our products out open source. CALEA does not apply to us -we are a VOIP and software company. If Canada -US-UK Governments try to regulate VOIP -we will move to where we can provide it to the world. We do not have the ability to track individual user logs nor calls. We hold aggregate server IP logs for 7 days - we are working hard to get it down to 24 hours. The data we do have is:

      *Authentication information — your user name and hashed password. We hash passwor

  • by Anonymous Coward on Saturday October 20, 2012 @03:40PM (#41716269)

    shhh...

  • by Anonymous Coward on Saturday October 20, 2012 @03:50PM (#41716341)

    "What does SilentCircle provide that previous applications didn't have?"

    The 20$/*PER MONTH* price tag. You can also use csipsimple, it does secure messaging (using sips) and voice using the zrtp protocol. For 0$/*PER MONTH*.

    (Captcha: investor. How fitting...)

  • by betterunixthanunix (980855) on Saturday October 20, 2012 @04:01PM (#41716415)
    How many times will subscription approaches to crypto have to fail before people understand that it does not work? It failed with Hushmail, and it will almost certainly fail here.
    • Hushmail is still going, for anyone who wants to trust a service that can be cracked by court order.
      Actually, in theory, point to point encryption can also be cracked by court order - but if you are the putative holder of the secret key, you get the option to reveal it or go to jail.
      • Hushmail is still going, for anyone who wants to trust a service that can be cracked by court order.

        Or by any Hushmail employee, or by anyone who can hack Hushmail, etc., etc., etc.

        Actually, in theory, point to point encryption can also be cracked by court order

        In which case at least one of the two parties is aware that the secret was leaked. In the case of Hushmail, neither the sender nor the receiver of the message would know.

  • by Anonymous Coward

    Seriously though, WTF is it with the SEAL shit. Do they cover advanced cryptography after mastering small unit tactics and CQB? I have nothing but the greatest respect for Phil Zimmerman but this just smacks of crude marketing.

  • Poor headline (Score:1, Informative)

    by Anonymous Coward

    Using the name Zimmerman immediately after a post about Treyvon Martin was a poor choice. Perhaps "PGP Creator's Silent Cirlce is now live" would have been a better choice. I certainly didn't associate the name with PGP, I associated it with the previous article, and I'm sure others did as well.

  • by bigdarryld (2551986) on Saturday October 20, 2012 @04:10PM (#41716465)
    They have the first working implementation of CONTROL's Cone of Silence.
  • by Jane Q. Public (1010737) on Saturday October 20, 2012 @04:14PM (#41716483)
    Seriously. Make programs (like email, IM, etc.) work with a good but open encryption protocol, like gpg for example. And surely (since Skype has shown what is possible with compression) voice applications can make good use of encryption too.

    But a subscription-based, proprietary solution with central servers? No thanks.
    • by HatofPig (904660) <(moc.liamg) (ta) (keegehtnotnilc)> on Saturday October 20, 2012 @04:41PM (#41716641) Homepage
      Ostel [ostel.me] is a running public beta of the Open Secure Telephony project [guardianproject.info]. It's end-to-end secure VoIP. Anyone with an Android phone (i.e. everybody reading this) is covered for everything but video by The Guardian Project [guardianproject.info].
    • by westlake (615356)

      Seriously. Make programs (like email, IM, etc.) work with a good but open encryption protocol, like gpg for example. And surely (since Skype has shown what is possible with compression) voice applications can make good use of encryption too.

      Encryption in Skype is transparent to the user. He doesn't have to give it a second thought --- much less persuade a critical mass of users to adopt the same standard,

      • That's because it's weak and leaves you vulnerable to snooping by Microsoft (either for their own purposes or for someone else's, like law enforcement), since there's no way for you to verify that you're communicating directly with the other party's instance, and that the network doesn't have a copy of its key. This is the reason why people using PGP/GPG publish their fingerprints.

    • Problem is, the email service providers don't want you to use crypto, cause then they can't data mine you. Thus even third party things that make crypto user friendly are foiled (cf gmail and GPG)
  • by pbjones (315127)

    why would you mention on CIA-/. that you have subscribed to that service??

  • by hardie (716254) on Saturday October 20, 2012 @04:44PM (#41716669)

    I worked with Phil for awhile at StorageTek--6 months or a year I think. He's a very smart guy. He was also one of the most evangelistic people I have ever met. I do NOT mean this in a religious sense, any way shape or form. At the time (this was the 1980's) he spoke a lot (incessantly?) about the danger of nuclear war and all these bombs we've got. I expect that this same incredible focus and sense of purpose has now been applied to security, which could be a really good thing. I also expect that he has mellowed a bit, but that's just a guess.

    Steve

  • When I saw the title, I thought it was a Google+ story. There are a lot of silent circles over there, after all.

  • CALEA (Score:5, Informative)

    by gellenburg (61212) <george@ellenburg.org> on Saturday October 20, 2012 @04:59PM (#41716793) Homepage Journal

    I wrote to Silent Circle over a week ago when news of the impending launch first started making circles.

    SC's COO was kind to respond in an attempt to allay my fears. Sadly though his answer was more "non" than one.

    A week ago replied back with a follow-up question, and have yet to receive a response.

    While my political activism is pretty much limited to change.org petitions, SC is directly marketing their services TO activists. As the Occupy movement has shown, political activism, and the free-speech that goes along with it, are becoming in jeopardy. My concern, and I feel it's a valid one, is that CALEA will give subscribers a false sense of security. After all when Microsoft purchased Skype, one of the first things they did (they had no choice) was to install CALEA intercepts.

    Hopefully somebody at Silent Circle will be able to answer this. Until then, I wouldn't recommend it. Check out The Guardian Project and Jitsi instead.

    (Note - I'm only posting this because as Silent Circle's COO, Vic Hyder is authorized to speak on behalf of the Company.)

    -----BEGIN EMAIL-----
    Mr. Hyder,

    Thank you very much for the reply and information you've provided below,
    but I'm afraid I'm still unclear on one particular point: /does Silent
    Circle fall under /CALEA/jurisdiction or not/?

    Kind regards,

    George Ellenburg

    On 10/11/12 7:43 PM, Vic Hyder wrote:
    > *George*,
    > Thanks for the note. Quick response - Silent Circle provides peer to
    > peer encryption from subscriber to subscriber. The Secure Calling Plan
    > offers members a little flexibility to use their Silent Phone number
    > to send and receive calls outside the Circle (encrypted to our servers
    > but decrypted from servers to non-subscriber). We'll let our members
    > determine what their threat model is and how they need to protect
    > their transmissions.
    >
    > Circle up.
    > *______________*
    >
    > Vic Hyder
    > Chief Operations Officer
    >
    > Silent Circle
    > Private Encrypted Communications
    > Silicon Valley | Washington DC
    >
    > w: SilentCircle.com
    >
    > This email and any files transmitted with it are confidential and
    > intended solely for the use of the individual or entity to whom they
    > are addressed. If you received this e-mail in error, please notify the
    > sender immediately and destroy and/or delete all copies. Circle up.
    >
    >
    >
    > On Oct 11, 2012, at 6:01 AM, George Ellenburg > wrote:
    >
    >> Hello-
    >>
    >> I read with interest news reports yesterday that Silent Circle was
    >> getting ready to launch. As an activist and privacy advocate, I was
    >> troubled though to read that Silent Circle was planning on offering a
    >> Secure Calling Plan amongst other communication services.
    >>
    >> I understand the obvious revenue stream such an offering will generate,
    >> but I'm intrigued as to how you plan to not comply with CALEA, or
    >> curious as to how CALEA wouldn't do an end-run around your service
    >> altogether? CALEA, as you probably know, is the Communications
    >> Assistance for Law Enforcement Act, which requires mandatory technical
    >> intercept points for Law Enforcement and Intelligence purposes.
    >>
    >> Being a United States Company, offering Communication services, located
    >> in the United States, your Company is certainly subjected to mandatory
    >> CALEA implementations.
    >>
    >> Thanks for your time. I earnestly look forward to your response.
    >>
    >> -George Ellenburg
    >>
    >
    -----END EMAIL-----

    • by Anonymous Coward

      You might be asking for a legal theory when trying to find out if CALEA applies. CALEA requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time. (taken from wikipedia)

      Are they a telecom carrier or telecom equipment manufacturer? How is a telecom carrier de

    • Also check out CryptoCat [crypto.cat] (no affiliation), and StegaMail [stegamail.com] (affiliated), or just roll your own and wrap it in a couple of more common layers of trusted security such as PGP, etc.
    • A week ago replied back with a follow-up question, and have yet to receive a response.

      The lack of response is the response. The product is surely CALEA compliant.

      • by gellenburg (61212)

        Oh agreed. Definitely. In fact I already knew the answer before writing the guy originally. Any telecom provider located in the US *must* be CALEA compliant. However the entire service will give folks a false sense of security and that's the larger point I was trying to make.

        Most speech isn't prohibited today, but political winds change all too often and what may be legal today may become illegal tomorrow.

        Just hope and wish folks realize that their calls can and WILL be intercepted no matter what Silent Cir

        • Oh agreed. Definitely. In fact I already knew the answer before writing the guy originally. Any telecom provider located in the US *must* be CALEA compliant. However the entire service will give folks a false sense of security and that's the larger point I was trying to make.

          Most speech isn't prohibited today, but political winds change all too often and what may be legal today may become illegal tomorrow.

          Just hope and wish folks realize that their calls can and WILL be intercepted no matter what Silent Circle may say on the matter, that's all.

          We agree to agree :-)

    • "There has been considerable chatter about Silent Circle's launch and about what our products, service and unique architecture is all about. We wanted to get out in front to keep everyone here informed as best we can....

      We just posted our Law & Compliance information on our site (https://silentcircle.com/web/law-compliance/) to clear up a lot of the questions about whether CALEA laws apply to us, what data we do hold and how we will handle the "heat" to come.

      We are putting our products out open source.

  • by rueger (210566) * on Saturday October 20, 2012 @05:03PM (#41716819) Homepage
    Of late I've been thinking that it might be prudent to establish an on-line persona that can't be traced back to me. Between corporate tracking (Google?) and government's love of surveillance, and a sense that we could be heading for some economically or politically charged time, I can see situations where anonymity could be essential.

    It seems to me that if you can start with an untraceable e-mail address and consistent use of Tor, you should be on the way to building up an on-line profile that's recognizable, useful, and fairly disconnected from real life.

    I'm not naive enough to think that anything I could do would be 100% safe or secure, but surely you can keep most of the prying eyes away from you.
    • by Anonymous Coward

      In espionage circles this is called a "legend." Establishing one is probably enough to make you of interest to the security services (except for valid reasons. For example, I established one for the purposes of marketing a novel as part of an elabourate joke.) YMMV.

      RP

    • by swell (195815)

      "might be prudent to establish an on-line persona that can't be traced"

      It would be prudent for everyone to do so. And everyone should encrypt every communication possible.

      The simple reason is that if only 1% seek privacy, then governments and others can simply focus their great power on that 1%; but when everyone seeks privacy it is more difficult to snoop on any particular 1%.

      Yes, it will be harder to pin down bad guys & terrorists, but that's the wrong approach anyway. When people are educated, treate

    • by Anonymous Coward

      You'll also need a way to block online tracking (cookies, widgets, gifs).
      Ghostery comes close, but there's no guarantees that it gets them all.

      Next you need to make your browser un-unique.
      With version number, installed add-ons and what information is available about your particular hardware, it's quite possible to figure out which personas belong together.

      It's not just about a particular id bit any longer, it's tiny bits of irrelevance scooped up by tracker networks combined into a whole in the long term.

  • new suite of tools for the stupid and paranoid

  • Presumably this is a US-only thang?
  • and they are not the same Zommerman. who would have thought.
  • I'm personally surprised that no one has bothered to build encryption in to the TCP/IP stack yet, an sTCP/IP if you will. Using a public/private key encryption model, each time the stack initiates a new connection to any IP, it would first ask the other side if it supports secure encryption, if it doesn't, the other side would probably return an error. Once it is determined the other side supports encryption, both sides generate one-time key pairs and transmits the public key to the other side. Once the con
  • by koan (80826)

    "suite of tools for the paranoid" where you let a 3rd party handle your security...

Make headway at work. Continue to let things deteriorate at home.

Working...