Zimmermann's Silent Circle Now Live
e065c8515d206cb0e190 writes "Several websites have announced the launch of Silent Circle, PGP's founder Phil Zimmermann's new suite of tools for the paranoid. After a first day glitch with a late approval of their iOS app, the website seems to now accept subscriptions. Have any slashdotters subscribed? What does SilentCircle provide that previous applications didn't have?"
Now, with centralized user tracking! (Score:5, Insightful)
The "Silent Circle" uses their own "Silent Network", allowing centralized user tracking. Also, the code isn't open source, so you have no idea if the crypto key generation is any good or if there are backdoors.
Re: (Score:1, Flamebait)
If there are backdoors? Doesn't the government mandate them?
Re:Now, with centralized user tracking! (Score:5, Funny)
HURR DURR Obama Warrantless Wiretapping HURR DURR
Re: (Score:1)
Bush isn't president anymore. Forget about him...
Re: (Score:2)
If there are backdoors? Doesn't the government mandate them?
Depends on the government, I think. From one of TFAs:
Canada's privacy laws are the most stringent in the world
Not that I really trust the company's proprietary software any more because of this.
Canada's privacy laws the most stringent? (Score:2)
Re:Now, with centralized user tracking! (Score:5, Informative)
Re: (Score:2)
Regardless of their reputation, a central server will always put you at risk. There are lots of bad people out there with squeaky clean reputations, but we only find out when they slip up. If you're trying to hide your communications from anyone, then you should know better than to trust anyone, including the person you're communicating with. So, you know the risks, take your chances, and hope for the best.
If the government is ordering the placement of backdoors, which is very likely if the service becomes wides
Re: (Score:3)
Even if the endpoints encrypt data, encrypted data going through one central point is still at risk. Even though it can't be read, it can be tampered with, possibly DoS-ed. At the minimum, an attacker can eventually do traffic analysis and figure out who is communicating to whom.
The physical car example:
You don't drive an armored car with your gold in it via a depot in Spokane every time you want to make a deposit to the bank.
Re:Now, with centralized user tracking! (Score:5, Funny)
Of course I don't drive an armored car with my Gold. The armored car is only used for the silver. The gold is transported by zeppelin, for increased security.
Re: (Score:2)
Sometimes, I wonder if someone will be able to make a decent DC-net implementation, or if that doesn't work, perhaps use age-old remailer technologies to hide who is messaging whom, with both end to end encryption, as well as hub to hub encryption.
This would work better for non real-time messaging such as E-mail, file sending, or an SMS analogue. Of course, for video and other real-time stuff this would be made difficult just due to the fact that latency forces connections to be as direct as possible.
Traffic an
Re:Now, with centralized user tracking! (Score:5, Funny)
Lastly and business case is based 100% on total security. If ever it leaked that there's any kind of backdoor it would all be for naught.
Lance Armstrong is innocent. His business case is based 100% on being a non-cheating cyclist: if it ever leaked that he'd taken any kind of performance enhancers, it would all be for naught.
Re: (Score:1)
Lastly and business case is based 100% on total security. If ever it leaked that there's any kind of backdoor it would all be for naught.
Lance Armstrong is innocent. His business case is based 100% on being a non-cheating cyclist: if it ever leaked that he'd taken any kind of performance enhancers, it would all be for naught.
Wait! Are you saying Zimmerman has testicular cancer?
Re: (Score:2)
No, that would be to Phil Zimmerman's detriment. I think the take-home message here is Phil Zimmerman and Sheryl Crow are probably a hot item now, but let's get real. Phil is still Phil and she'll move on; these things cannot last forever.
Re: (Score:2)
So how do we know he wasn't found guilty of something, cut a deal and released a closed source program with a direct link to all government agencies? ....tin Hat Maximum power!@!!
Doesn't matter. (Score:3, Funny)
The "Silent Circle" uses their own "Silent Network", allowing centralized user tracking. Also, the code isn't open source, so you have no idea if the crypto key generation is any good or if there are backdoors.
I couldn't sign up going through my 3 proxies - the website timed out.
What?!? And let them know my IP?!?!
This could be a honey pot for the FBI or CIA or Illuminati!
Re: (Score:3)
This could be a honey pot for the FBI or CIA or Illuminati!
You think that FBI and CIA would fall for it and ditch their own encryption measures? I mean, they're dumb at times, but still...
Re: (Score:1)
Why stop there. The government can just watch the "Silent Circle" and log the folks who go on their site on the presumption that if they want to hide their stuff, there must be reasonable cause for investigation.
Re:Now, with centralized user tracking! (Score:5, Funny)
Careful there. You're commenting on a story about "wanting to hide stuff" on a known gathering place for geeks and occasionally cyber-terrorists. You're in a database somewhere for simply being here.
Re: (Score:1)
Re: (Score:3)
That's not the way to format an SQL injection attack.
And I'm not going to try, because it MIGHT work.
Re:Now, with centralized user tracking! (Score:5, Interesting)
Re: (Score:2)
Him being trusted makes it even more dangerous if he's gone rogue, or someone else in his organization has.
I prefer point to point encryption with no middle man and a direct connection between us. Nothing is perfect, but it should be better than putting your trust in someone else, no matter who it is.
Re:Now, with centralized user tracking! (Score:5, Interesting)
Re: (Score:1)
Next up, Sarah Palin releases her own encryption solution.
Re: (Score:2)
Re: (Score:1)
Zimmerman is on my whitelist.
Why... because he has a web page on which he asserts that there are no backdoors in PGP?
And what do you expect he would have said if there are?
Note that the source code you can download doesn't compile into the PGP executable. Convenient.
Re: (Score:2)
Note that the source code you can download doesn't compile into the PGP executable. Convenient.
And you conclude this how? MD5/SHA-1? Because that proves a whole lot...just one character different somewhere and it's out the window.
Re: (Score:3)
Which PGP executable? I've never encountered his work not building when I used PGP in the past (before GnuPG came out.) Even RSAREF would work.
PRZ stuck his neck on the line from the get-go way back when Congress was in the process of codifying laws to completely ban cryptography wholesale in the US, or only allow backdoored implementations like Clipper/Skipjack to be used. He spent years twisting on the wind of the ITAR lawsuit.
You have to trust someone; and he is one of the few people in the industry w
Re:Now, with centralized user tracking! (Score:4, Funny)
Re:Now, with centralized user tracking! (Score:5, Interesting)
Even so, with Zimmerman's involvement I tend more to a "trust" relationship than an "untrusted" one. Zimmerman is on my whitelist.
That's funny, because I almost feel the complete opposite way. I really want to trust Zimmerman, but I can't make myself do it. Part of it is keeping his work closed source, which is extra scary when talking about cryptography. Being asked to trust a security solution that you can't examine is insane.
But part of it also comes from his past. He went against the wishes of the US government and won. In my experience, that just doesn't happen... ever. The fact that he's still working in cryptography and not in some hole somewhere makes me think he's playing ball with the government. It at least raises doubts, which cannot be alleviated by reviewing the source code.
Or maybe I'm just paranoid. But cryptography is the plaything of the paranoid, and relying on the paranoid to just trust you seems a little off.
Re:Now, with centralized user tracking! (Score:5, Funny)
Re: (Score:3)
Unless you're a cryptographer and a programmer... examining the source is pretty much pointless. It may give you a warm happy fuzzy to be able to do so, but you lack the qualifications to actually evaluate it.
No, it's mostly the plaything of those desperately trying to improve th
Re:Now, with centralized user tracking! (Score:5, Insightful)
Part of it is keeping his work closed source, which is extra scary when talking about cryptography. Being asked to trust a security solution that you can't examine is insane.
Unless you're a cryptographer and a programmer... examining the source is pretty much pointless. It may give you a warm happy fuzzy to be able to do so, but you lack the qualifications to actually evaluate it.
The point, surely, is not that I am necessarily a cryptographer, but that the source is available to those who are. It's not necessary for every user to independently audit the code, because the skilled individuals who do audit the code can then communicate their findings.
"But why trust the skilled individuals?", you may ask. Answer: because I find it unlikely that all the world's cryptographers are conspiring to keep quiet about any vulnerabilities they find in the code. At any rate it's a more sensible strategy than "assume that Zimmerman is both infallible and incorruptible".
Re:Now, with centralized user tracking! (Score:4, Insightful)
Yes. Let me just add a nitpick. It is necessary that *any* user can *initiate* an independent audit of the code he personally received.
Merely trusting a community of experts who choose to publish their audits as they please is another form of argument from authority. It's a slippery slope to a world where the source code is only available to qualified experts, since there would be no point in making it available to nonqualified individuals.
Instead, the point of open source is that any user can hire an expert of their choosing, to work on source code as given to them (not source code the expert downloaded from a presumably equivalent source). AND THE PROBABILITY THAT SOME USERS ACTUALLY DO SO MUST BE STRICTLY POSITIVE.
Like nearly everybody, cryptographers tend to act in the best interests of their employers. That is why it is necessary for random users to hire such cryptographers every once in a while, as outlined above.
We cannot trust that the usual employers won't keep quiet about the findings for selfish reasons, eg large companies like Microsoft or Google sitting on discoveries until they can create and deploy a patch.
Re: (Score:2)
Which brings you right back to
Re: (Score:2)
Ah, I see your mistake. You're assuming that P = NP.
Many things which are hard to calculate are easy to check. So it takes a much better expert to create good code than it does to find a hole in the same code.
This implies that MANY "experts" who wouldn't be qualified to write the code, are still qualified to punch holes in it. Lots of them have large egos, and would like the world to know how smart they are, so some percentage of them would shout it from the rooftops. *IF* they have access so they can f
Re:Now, with centralized user tracking! (Score:4, Insightful)
He went against the wishes of the US government and won. In my experience, that just doesn't happen... ever.
Then you don't pay attention enough.
Re: (Score:3)
I believe him (Score:2, Interesting)
Re: (Score:1)
Re: (Score:1)
Re: (Score:3, Interesting)
From Silent Circle's CEO:
We are putting our products out open source. CALEA does not apply to us - we are a VOIP and software company. If Canada - US - UK Governments try to regulate VOIP - we will move to where we can provide it to the world. We do not have the ability to track individual user logs nor calls. We hold aggregate server IP logs for 7 days - we are working hard to get it down to 24 hours. The data we do have is:
*Authentication information — your user name and hashed password. We hash passwor
the first rule of the silent circle... (Score:3, Funny)
shhh...
What does SilentCircle.... (Score:5, Informative)
"What does SilentCircle provide that previous applications didn't have?"
The 20$/*PER MONTH* price tag. You can also use csipsimple, it does secure messaging (using sips) and voice using the zrtp protocol. For 0$/*PER MONTH*.
(Captcha: investor. How fitting...)
Re: (Score:2)
Zimmerman and SilentCircle are now providing a paid service. But there is nothing stopping you from rolling your own.
FWIW, the 'Z' in zrtp stands for Zimmerman.
https://en.wikipedia.org/wiki/ZRTP [wikipedia.org]
Re: (Score:3, Informative)
What do MDM and MAM stand for?
Mobile Application Management (MAM) and Mobile Device Management (MDM)
You cannot subscribe to good crypto (Score:5, Insightful)
Re: (Score:1)
Actually, in theory, point to point encryption can also be cracked by court order - but if you are the putative holder of the secret key, you get the option to reveal it or go to jail.
Re: (Score:3)
Hushmail is still going, for anyone who wants to trust a service that can be cracked by court order.
Or by any Hushmail employee, or by anyone who can hack Hushmail, etc., etc., etc.
Actually, in theory, point to point encryption can also be cracked by court order
In which case at least one of the two parties is aware that the secret was leaked. In the case of Hushmail, neither the sender nor the receiver of the message would know.
SEAL of approval? (Score:1)
Seriously though, WTF is it with the SEAL shit. Do they cover advanced cryptography after mastering small unit tactics and CQB? I have nothing but the greatest respect for Phil Zimmerman but this just smacks of crude marketing.
crude marketing (Score:2)
well, he's gotta eat too....
Poor headline (Score:1, Informative)
Using the name Zimmerman immediately after a post about Trayvon Martin was a poor choice. Perhaps "PGP Creator's Silent Circle is now live" would have been a better choice. I certainly didn't associate the name with PGP, I associated it with the previous article, and I'm sure others did as well.
Re: (Score:2)
I associated it with the previous article, and I'm sure others did as well.
No, just you.
Re:Poor headline (Score:4, Informative)
I certainly didn't associate the name with PGP, I associated it with the previous article, and I'm sure others did as well.
I associated it with Bob Dylan myself.
Would you believe? (Score:4, Funny)
All This Needs Is A FOSS Solution (Score:3)
But a subscription-based, proprietary solution with central servers? No thanks.
Re:All This Needs Is A FOSS Solution (Score:4, Informative)
Re: (Score:2)
Seriously. Make programs (like email, IM, etc.) work with a good but open encryption protocol, like gpg for example. And surely (since Skype has shown what is possible with compression) voice applications can make good use of encryption too.
Encryption in Skype is transparent to the user. He doesn't have to give it a second thought --- much less persuade a critical mass of users to adopt the same standard,
Re: (Score:2)
That's because it's weak and leaves you vulnerable to snooping by Microsoft (either for their own purposes or for someone else's, like law enforcement), since there's no way for you to verify that you're communicating directly with the other party's instance, and that the network doesn't have a copy of its key. This is the reason why people using PGP/GPG publish their fingerprints.
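The check this comment is getting at, as an added example that is not part of the thread, of PGP, or of Silent Circle's code: a toy Diffie-Hellman agreement between two callers through a relay, followed by an out-of-band comparison of a short authentication string derived from the shared secret (a simplification of the ZRTP idea mentioned elsewhere in the thread). A relay that forwards honestly never learns the secret; one that swaps in its own public values can decrypt, but then the two callers end up with different strings. The group P, G and the 4-character string length are constructed for illustration.

```python
import hashlib
import random

# Toy Diffie-Hellman group, constructed for illustration only: a 127-bit Mersenne
# prime is far too small for real use, but keeps the arithmetic readable.
P = 2**127 - 1
G = 3


def keypair(rng):
    """Generate a DH private exponent and the matching public value."""
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def fingerprint(secret):
    """Full hash of the shared secret; the SAS is a short prefix of this."""
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def sas(secret):
    """Short authentication string the two callers read to each other out of band."""
    return fingerprint(secret)[:4]


def simulate_call(relay_substitutes_keys, rng=None):
    """Run one key agreement between Alice and Bob through a relay.

    With an honest relay both sides derive the same secret. A relay that
    swaps in its own public values runs two separate agreements, so it
    can read the traffic but the two callers end up with different SAS.
    """
    rng = rng or random.SystemRandom()
    a_priv, a_pub = keypair(rng)
    b_priv, b_pub = keypair(rng)
    if relay_substitutes_keys:
        ra_priv, ra_pub = keypair(rng)   # what the relay shows to Alice
        rb_priv, rb_pub = keypair(rng)   # what the relay shows to Bob
        a_secret = shared_secret(a_priv, ra_pub)
        b_secret = shared_secret(b_priv, rb_pub)
        relay_secrets = {shared_secret(ra_priv, a_pub), shared_secret(rb_priv, b_pub)}
    else:
        a_secret = shared_secret(a_priv, b_pub)
        b_secret = shared_secret(b_priv, a_pub)
        relay_secrets = set()
    return {
        "alice_fp": fingerprint(a_secret),
        "bob_fp": fingerprint(b_secret),
        "alice_sas": sas(a_secret),
        "bob_sas": sas(b_secret),
        "relay_can_decrypt": a_secret in relay_secrets and b_secret in relay_secrets,
    }


def sas_matches(result):
    """The out-of-band check: proceed only if both callers read the same string."""
    return result["alice_sas"] == result["bob_sas"]


if __name__ == "__main__":
    for mitm in (False, True):
        r = simulate_call(mitm, random.Random(1))
        print("relay substitutes keys:", mitm,
              "| SAS Alice/Bob:", r["alice_sas"], r["bob_sas"],
              "| relay can decrypt:", r["relay_can_decrypt"],
              "| call accepted:", sas_matches(r))
```

The comparison only helps if the string travels over a channel the relay cannot rewrite, which is why it is spoken on the call (ZRTP) or published separately (PGP fingerprints) rather than sent through the same server.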
Re: (Score:2)
d'oh! (Score:2)
why would you mention on CIA-/. that you have subscribed to that service??
Phil Zimmerman is ok in my book (Score:5, Informative)
I worked with Phil for a while at StorageTek--6 months or a year I think. He's a very smart guy. He was also one of the most evangelistic people I have ever met. I do NOT mean this in a religious sense, any way shape or form. At the time (this was the 1980s) he spoke a lot (incessantly?) about the danger of nuclear war and all these bombs we've got. I expect that this same incredible focus and sense of purpose has now been applied to security, which could be a really good thing. I also expect that he has mellowed a bit, but that's just a guess.
Steve
Re:Phil Zimmerman is ok in my book (Score:5, Interesting)
Exactly. My reason to believe SilentCircle is in good faith is Zimmerman's history fighting for privacy. It doesn't mean I would trust that service. But I guess it gives some hope that people are going to become more aware of privacy issues in general.
Which is why I was ambivalent about this and came to get
Re: (Score:2)
Silent Circle? (Score:1)
When I saw the title, I thought it was a Google+ story. There are a lot of silent circles over there, after all.
CALEA (Score:5, Informative)
I wrote to Silent Circle over a week ago when news of the impending launch first started making circles.
SC's COO was kind to respond in an attempt to allay my fears. Sadly though his answer was more "non" than one.
A week ago I replied back with a follow-up question, and have yet to receive a response.
While my political activism is pretty much limited to change.org petitions, SC is directly marketing their services TO activists. As the Occupy movement has shown, political activism, and the free speech that goes along with it, are increasingly in jeopardy. My concern, and I feel it's a valid one, is that CALEA will give subscribers a false sense of security. After all when Microsoft purchased Skype, one of the first things they did (they had no choice) was to install CALEA intercepts.
Hopefully somebody at Silent Circle will be able to answer this. Until then, I wouldn't recommend it. Check out The Guardian Project and Jitsi instead.
(Note - I'm only posting this because as Silent Circle's COO, Vic Hyder is authorized to speak on behalf of the Company.)
-----BEGIN EMAIL-----
Mr. Hyder,
Thank you very much for the reply and information you've provided below, but I'm afraid I'm still unclear on one particular point: does Silent Circle fall under CALEA jurisdiction or not?
Kind regards,
George Ellenburg
On 10/11/12 7:43 PM, Vic Hyder wrote:
> *George*,
> Thanks for the note. Quick response - Silent Circle provides peer to
> peer encryption from subscriber to subscriber. The Secure Calling Plan
> offers members a little flexibility to use their Silent Phone number
> to send and receive calls outside the Circle (encrypted to our servers
> but decrypted from servers to non-subscriber). We'll let our members
> determine what their threat model is and how they need to protect
> their transmissions.
>
> Circle up.
> *______________*
>
> Vic Hyder
> Chief Operations Officer
>
> Silent Circle
> Private Encrypted Communications
> Silicon Valley | Washington DC
>
> w: SilentCircle.com
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you received this e-mail in error, please notify the
> sender immediately and destroy and/or delete all copies. Circle up.
>
>
>
> On Oct 11, 2012, at 6:01 AM, George Ellenburg wrote:
>
>> Hello-
>>
>> I read with interest news reports yesterday that Silent Circle was
>> getting ready to launch. As an activist and privacy advocate, I was
>> troubled though to read that Silent Circle was planning on offering a
>> Secure Calling Plan amongst other communication services.
>>
>> I understand the obvious revenue stream such an offering will generate,
>> but I'm intrigued as to how you plan to not comply with CALEA, or
>> curious as to how CALEA wouldn't do an end-run around your service
>> altogether? CALEA, as you probably know, is the Communications
>> Assistance for Law Enforcement Act, which requires mandatory technical
>> intercept points for Law Enforcement and Intelligence purposes.
>>
>> Being a United States Company, offering Communication services, located
>> in the United States, your Company is certainly subjected to mandatory
>> CALEA implementations.
>>
>> Thanks for your time. I earnestly look forward to your response.
>>
>> -George Ellenburg
>>
>
-----END EMAIL-----
Re: (Score:1)
You might be asking for a legal theory when trying to find out if CALEA applies. CALEA requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time. (taken from wikipedia)
Are they a telecom carrier or telecom equipment manufacturer? How is a telecom carrier de
Re: (Score:2)
It makes a big difference when criminal charges or lawsuits are filed.
In the US at least, there are laws which apply extra penalties for people if they willfully violate them. For 99.99% of all email traffic, things like this don't mean anything. However, when you start dealing with things like breaches of confidential data, trade secrets, PII, proprietary information... it makes a big difference.
Working in the Defense Industry, one of the big things that we work hard to remind our workers of, is that it
Re: (Score:2)
He didn't agree to that - it was stuck on an email someone sent him. If I email you saying `you get to send me some Zappa CDs once a month` I don't expect you to give a shit either. It's not a contract - I'm not going to expect a copy of `One Size Fits All` in the post from you, and some guy sending emails to random people shouldn't expect them to follow his random instructions either.
Re: (Score:2)
So I can stop sending the CDs then?
Re: (Score:2)
So, your point is that this Vic Hyder person, the COO of a company supposedly providing a technological solution to private conversations, apparently thinks that such PS blocks are worth the bits to transmit them? That says a lot for my confidence in SC...
Or were you suggesting that the GP shouldn't have posted that message? Here's a hint: those blocks are not only completely unenforceable, they're basically meaningless business-speak bullshit. Short of legal or contractual obligations to do otherwise, once
Re: (Score:1)
Re: (Score:2)
A week ago I replied back with a follow-up question, and have yet to receive a response.
The lack of response is the response. The product is surely CALEA compliant.
Re: (Score:2)
Oh agreed. Definitely. In fact I already knew the answer before writing the guy originally. Any telecom provider located in the US *must* be CALEA compliant. However the entire service will give folks a false sense of security and that's the larger point I was trying to make.
Most speech isn't prohibited today, but political winds change all too often and what may be legal today may become illegal tomorrow.
Just hope and wish folks realize that their calls can and WILL be intercepted no matter what Silent Cir
Re: (Score:2)
Oh agreed. Definitely. In fact I already knew the answer before writing the guy originally. Any telecom provider located in the US *must* be CALEA compliant. However the entire service will give folks a false sense of security and that's the larger point I was trying to make.
Most speech isn't prohibited today, but political winds change all too often and what may be legal today may become illegal tomorrow.
Just hope and wish folks realize that their calls can and WILL be intercepted no matter what Silent Circle may say on the matter, that's all.
We agree to agree :-)
From Silent Circle -Re:CALEA (Score:1)
"There has been considerable chatter about Silent Circle's launch and about what our products, service and unique architecture is all about. We wanted to get out in front to keep everyone here informed as best we can....
We just posted our Law & Compliance information on our site (https://silentcircle.com/web/law-compliance/) to clear up a lot of the questions about whether CALEA laws apply to us, what data we do hold and how we will handle the "heat" to come.
We are putting our products out open source.
Timely Idea, but Do It Yourself? (Score:4, Interesting)
It seems to me that if you can start with an untraceable e-mail address and consistent use of Tor, you should be on the way to building up an on-line profile that's recognizable, useful, and fairly disconnected from real life.
I'm not naive enough to think that anything I could do would be 100% safe or secure, but surely you can keep most of the prying eyes away from you.
Re: (Score:1)
In espionage circles this is called a "legend." Establishing one is probably enough to make you of interest to the security services (except for valid reasons. For example, I established one for the purposes of marketing a novel as part of an elaborate joke.) YMMV.
RP
Re: (Score:2)
"might be prudent to establish an on-line persona that can't be traced"
It would be prudent for everyone to do so. And everyone should encrypt every communication possible.
The simple reason is that if only 1% seek privacy, then governments and others can simply focus their great power on that 1%; but when everyone seeks privacy it is more difficult to snoop on any particular 1%.
Yes, it will be harder to pin down bad guys & terrorists, but that's the wrong approach anyway. When people are educated, treate
Re: (Score:1)
You'll also need a way to block online tracking (cookies, widgets, gifs).
Ghostery comes close, but there's no guarantees that it gets them all.
Next you need to make your browser un-unique.
With version number, installed add-ons and what information is available about your particular hardware, it's quite possible to figure out which personas belong together.
It's not just about a particular id bit any longer, it's tiny bits of irrelevance scooped up by tracker networks combined into a whole in the long term.
`You'll also need a way to block online tracking' (Score:2)
TFS / TFTFY (Score:2)
Restricted (Score:2)
Two Zimmerman stories in a row! (Score:1)
Zimmerman gave us PGP, he can shoot who he wants! (Score:2)
That explains why there are so many Zimmerman supporters in the shooting stories... They think it is THAT Zimmerman. I remember Mr. Filesystem who lost files better than he lost evidence... many biased defenders on that one too...
Re: (Score:2)
Correction. Reiser lost files better than he lost incriminating evidence.
Encryption in the stack (Score:2)
Re: (Score:2)
https://en.wikipedia.org/wiki/IPsec [wikipedia.org]
Re: (Score:2)
Isn't this what TLS is for, or am I mistaken? TLS is a connection level encryption protocol.
On the individual IP packet level, there is IPSec, but that tends to be mainly used in Windows domains.
Laugh... (Score:2)
"suite of tools for the paranoid" where you let a 3rd party handle your security...