
Silent Circle's warrant canary is out of date - scotchmi_st
https://canary.silentcircle.com/
======
ThinkBeat
First off I have no standing here, and I am nobody. I am a customer of Silent
Circle though. (or so I claim)

I am sure that StavrosK is well known by the community and it is my fault that
I dont know his connection with SilentCircle. His profile points to stavros at
stochastic dot io.

But more importantly HackerNews is not a very secure platform.

We have no real way of knowing StavrosK is StavrosK, or if ThinkBeat is the
same ThinkBeat as last week. Using Hackernews or any social media as a
platform to "override" a warrant canary is ill advised. In fact I think it
makes matters worse.

Properly signed messages through the announced channel is the way to go.

~~~
StavrosK
Yep, this is definitely true. The only way to get this resolved is to update
the canary. I can prove I work there, but it's irrelevant.

I also want to note that I didn't try to override anything, dang helpfully
tried to temporarily hide this post to avoid causing a panic while we get this
resolved, but that doesn't change the fact that this is still a problem we
need to resolve.

~~~
jacquesm
I think this needs an additional safeguard, such as the destruction of the
private key associated by the messages and a defined 'grace period' (defined
up front, not after the fact) in case of a missed update as well as a very
good procedure to update _and_ check that the update has indeed been made.

~~~
StavrosK
What sort of grace period do you mean? For which?

~~~
jacquesm
Missed updates, which is what this thread is all about. So say you define up
front that you're going to update your canary once weekly but that you reserve
the right not to update it for up to three weeks before you consider the
canary to be in a state where you can't revive it. This adds a bit of leeway
in case someone sleeps in and because you define it up front you can let your
users determine if they are comfortable with the period specified as
'uncertain'. Any time beyond that grace period and you're definitely
compromised, any time between the normal interval and the grace period and
you're in 'degraded' mode and as long as you are within the normal interval
you're good.

Personally I think the grace time should be much smaller than your normal
update period for the system to continue to work without appearing incompetent
after all if you can't be bothered to update the canary you probably should
not be trusted with critical data. It's not as if it is a large amount of work
and it's not as if checking whether it is done or not is a large amount of
work either. In fact, the update should be manual but the check could easily
be automated and a 'canary out of date' text message could easily be sent to
all the people working for companies such as silent circle if they take their
job seriously.

~~~
jcrawfordor
I build a grace-period into the warrant canary that I publish by a very simple
method: I issue each canary early. Each canary has a stated expiration date
that is either the 15th or the last of the month (the lazy man's bimonthly),
but the scheduled reminder to update it goes out the 13th and third-to-last
day. Usually I take care of it immediately, so a new canary is issued e.g. the
13th that expires the 31st.

So, I essentially have a built-in grace period of two days before the canary
expires, and users know that a canary issued on the 13th or 14th is also fine.
I really don't see any downside to this method except for the fact that it
extends the effective interval between canaries up to two days (the same as a
two-day grace period would, but with less reduction in confidence). And in my
application that interval varies based on the length of the month anyway, so
you can see that I'm not particularly concerned about the length of the
interval so long as there is a clearly defined date after which users should
worry.

~~~
jacquesm
That's clever! And elegant too, no added uncertainty.

------
ThinkBeat
Ok, so from a conspiracy perspective:

Lets say there was a good reason for the canary not being updated.

I the FBI or whichever law enforcement agency was involved in the process
noticed that updates were missing, (or saw it because it was pointed out on a
well trafficked website)

Could the law enforcement agency then compel the employees to post a note that
it was just a mistake and it will be rectified soon? And then have them update
it?

Since not updating it when asked would equal disclosing that the event had
taken place, which under certain laws might be illegal?

This hurts my head.

~~~
MichaelGG
Or, since Silent Circle partakes of extremely misleading marketing and claims
you can make encrypted calls all over the world, LE can just go tap the VoIP
providers they use. Legally, or, since almost all VoIP is unencrypted, just by
tapping Ethernet. Seriously, go read the press release for the BlackPhone and
tell me you'd trust their CEO at _all_. Even Mr Zimmerman admits the entire
business relies on LE not coming into their office with guns.

~~~
StavrosK
What? Where is this claimed? As far as I know, all claims are that OCA calls
are encrypted _to the server_.

It sounds like you're confusing the PSTN calling offering with the Silent
Phone service itself, which is encrypted peer to peer.

~~~
MichaelGG
[http://www.prnewswire.com/news-releases/silent-circle-
expand...](http://www.prnewswire.com/news-releases/silent-circle-expands-
encrypted-services-with-global-out-circle-calling-266542861.html)

"enables Silent Circle members to make and receive encrypted, private voice
calls through the company's Silent Phone service to non-Silent Circle
subscribers in 79 total countries"

The PR goes on and in about how "disruptive" this is, even though it's much
more expensive than Skype, and about as secure.

It's highly misleading. The PR obviously wants people to buy this product for
security and encryption, but it can't deliver. It's about as good as using
SIP+TLS/SRTP, Skype, or a VPN. Yet given the high cost (12 cents a minute)
plus the marketing, it makes users believe they're getting actual encrypted
calls. You guys should clearly state in the marketing and in-app that the call
gets a first hop encrypted, then dumped unencrypted out to the Internet/PSTN
(which nowadays are rather intermingled, sometimes when least expected).

Other stuff like "100% dedicated network – no sharing or leasing" sounds like
it's probably untrue, or uses a special value of 100%. Either way, such
statements should be backed with clarification.

Finally, there was a PR with Mike Janke, linked here on HN about a year ago. I
can't seem to find it now, but he says a bunch of misleading/false things
while writing off competition and makes SC come off rather slimy. Y'all
shouldn't let him talk for the company as it makes the engineers look bad.
(Not to mention the whole thing about Blackphone - a closed source fork of
Android with a few 3rd party apps, no mention of the baseband processor issue,
yet billed as some amazing breakthrough and it's own OS.)

SC should lower the hype and be transparent about things. Overall, I get the
distinct impression it's a marketing joint bankrolled by a non technical
founder, who hired some good names and provided a commercial vehicle for zRTP.
Which by itself is fine, but the execution feels more marketing than
technical.

PS, if you're using FreeSwitch, then I gotta ask: where are all the CVEs? Are
you fixing them privately, publicly without announcement, or are you using FS
without a security audit? (The only reason I mention this is SC often seems a
major sponsor of ClueCon.) If not FS, what is your VoIP platform, and in what
language is it written?

------
read
Is a warrant canary even legal? If it isn't, what's the point of having them?

From
[http://en.wikipedia.org/wiki/Warrant_canary](http://en.wikipedia.org/wiki/Warrant_canary)

 _The US security researcher Moxie Marlinspike states that "every lawyer we've
spoken to has confirmed that [a warrant canary] would not work" for the
TextSecure server._

Direct link:
[https://github.com/WhisperSystems/whispersystems.org/issues/...](https://github.com/WhisperSystems/whispersystems.org/issues/34#issuecomment-49910725)

~~~
pakled_engineer
The main worry for TextSecure is that Google upon receiving a NSL will send
you a targeted update for the TS client and GAPPS framework that sends all
your msgs to a three letter agency before being encrypted and sent as usual.
So Google would need a canary for the play store

~~~
jlund
Except for the fact that Google does not have the signing keys that are used
for the TextSecure binaries. They cannot silently distribute a binary that has
been tampered with. This distributed trust system is one of Android's
strengths:

[https://developer.android.com/tools/publishing/app-
signing.h...](https://developer.android.com/tools/publishing/app-signing.html)

~~~
petertodd
To clarify, so Google _can_ distribute a binary that has been tampered with,
but it'd be trivial to prove that they had in fact done that?

~~~
jlund
That's correct. Android will warn you if the signatures don't match too. Even
if we're in the full-on conspiracy theory territory of Google disabling that
core security feature, impersonating a third-party developer, and dropping a
binary onto a single user's phone, they still couldn't fake the signature.

~~~
jacquesm
They could simply disable the warning. It's android giving the warning, _not_
the app.

------
gpm
Reading this canary has me worried, it doesn't actually say that "no warrants
have been served, nor have any searches or seizures taken place", it only says
that a declaration stating that will be provided.

Compare this to rsync's
([http://www.rsync.net/resources/notices/canary.txt](http://www.rsync.net/resources/notices/canary.txt)),
which this seems to have been based off of. It explicitly states "No warrants
have ever been served to rsync.net, or rsync.net principals or employees. No
searches or seizures of any kind have ever been performed on rsync.net assets,
including:..."

~~~
StavrosK
You're right, it looks like the wording is a bit unclear. I'll talk to the
guys to see if we can get it updated, thanks.

------
spacefight
Maybe they were indeed slapped with an NSL. What a nice christmas present,
huh!?

If they failed their own canary - how could you believe them in terms of their
warant canaray setup ever again? Not so much at all, I'd say.

~~~
StavrosK
The entire purpose of a canary is to get manually updated. Automating it would
defeat the purpose. If the person (or people, but you'd want to keep them as
few as possible) was sick, unavailable, etc, it obviously wouldn't get
updated.

A canary also fails open by design. There's no way for the canary to fail on
the side of getting your data compromised. If we forget to update it, you
should just be more cautious, until we update it again (if we do).

~~~
spacefight
Of course it needs to be manually. Fail open? A warrant canary system setup
for the sole purpose of telling the whole world (and the clients, of course)
that they were hit by not posting "a declaration that, up to that point, no
warrants have been served, nor have any searches or seizures taken place".

Can there really be a fail-open or fail-safe here?

Edit: "not posting" fixed.

~~~
StavrosK
Yes, forgetting to update the canary = safe. If you had a system that signed
stuff until you stopped it, it would fail unsafe, i.e. it would keep telling
people they're safe when they weren't.

~~~
spacefight
You realize, that forgetting to update the canaray gives the same message as
"we were hit by a big fucking NSL, don't trust us and our software and systems
ever again as their security has been compromised."?

From the outside, there is just no way of knowing that it was just a forgotten
update or if it was a strong message.

~~~
StavrosK
Hey, I'm not any happier about this than you are. I'm just saying that at
least it doesn't lull users into a false sense of security, which would have
been disastrous.

~~~
spacefight
What's your threshold to "disastrous" in terms of a missing warrant canary
then? 3 weeks? 1 month? 2 months? longer?

~~~
StavrosK
_Not_ missing the canary when you were served an NSL.

------
spacefight
So it looks now, that the canary got updated. No other information given, at
least not within the canary itself.

[https://canary.silentcircle.com/](https://canary.silentcircle.com/)

------
StavrosK
[DELETED, wait for an official company response or canary update]

~~~
jacquesm
That's pointless. It's like allowing an alarm to ring without cause. Next time
it rings the canary won't be trusted until you personally vouch for the fact
that it wasn't an accident, and if that's the new channel the canary has lost
its value.

False alarms are lethal for something as important as this.

Sorry...

~~~
rsync
"That's pointless. It's like allowing an alarm to ring without cause. Next
time it rings the canary won't be trusted until you personally vouch for the
fact that it wasn't an accident, and if that's the new channel the canary has
lost its value."

That's not really true.

The canary is only "dead" and that channel is only useless until a new one is
published. Unless the operator of the canary has decreed _in advance_ that a
particular time period elapsed should be considered "dead" regardless of
future updates, then the canary is alive and well as soon as a new update
comes out.

Here's the thing - a warrant canary is, by definition, a manual process. It
should never be automated. A human has to resign and republish (or they are
doing it wrong). And this means that sometimes they get published late.

In the 9 years that we (rsync.net) have been publishing our canary, we've
probably missed our normal Monday morning publish 10 or 15 times. But as soon
as we publish, with the affirmative canary and it's signature and language,
etc., it's alive and well again.

Obviously this changes if someone is months late with an update.

~~~
spacefight
"Obviously this changes if someone is months late with an update."

That's what I was asking before - what is a reasonable timeslot for being
"late"? Is it "months" or "weeks" or the <deltaManualUpdateT+1d> of canary x?
In this case, SC was almost 3 times their weekly update rate late (December
5th to December 25th).

~~~
rsync
When we have been late, it's been 8-12 hours.

Once it gets to weeks, I think something else is going on.

------
higherpurpose
Does the US Patriot Act even apply to them anymore? They moved to Switzerland
this year. Still, they should probably look into doing the same kind of thing
for Swiss laws.

[https://blog.silentcircle.com/our-move-to-
switzerland/](https://blog.silentcircle.com/our-move-to-switzerland/)

If the warrant canary is out of date, though, I wonder if they moved to
Switzerland _because_ the US government tried to get to them, and it wasn't
just a forward-thinking action.

~~~
toyg
As long as you have a single server in the US, the Patriot Act applies to that
server and its administrators, regardless of where they are located.

~~~
a3n
Even if there are no servers in the US, are any of the principals or employees
US citizens? If so, then they're as immune as they have the resources to fight
off an assertion by the USG that they're not.

Think of Microsoft's current fight over giving up email from one of their
Irish servers. Microsoft has the resources to fight this off, and that's the
only reason they're still fighting and not complying. Someone small would have
to fold or go to jail.

If you're small, it doesn't matter if the law is on your side if the USG
overwhelms you before the question even gets a hearing.

------
CGamesPlay
The purpose of the canary is to provide the issuer with a way of saying "I am
no longer trustworthy". Since the canary has not been updated, nothing that
can be said in favor of Silent Circle should be trusted. When the canary is
again updated, it will be Silent Circle saying "I can be trusted again"
(subject to the limitations about coercion as described in the canary
message).

For now, do not trust that Silent Circle has not been compromised despite
anything you may read in this thread. When the canary is updated, then you may
return to the state that you had before: you can speculate that they are being
coerced into lying about the canary, or that they are trustworthy. That choice
is an has always been yours to make.

~~~
jacquesm
I disagree that the state post a future update of the canary is equal to the
state before it failed. New canary, same as the old does not apply, the alarm
has rung, it can't be 'un-rung'.

~~~
jcrawfordor
The warrant canary is not an alarm that an NSL/etc has been served precisely
because NSLs do not allow for any such alarm to be raised. The canary is an
assertion that this event has not happened up to a certain date, and so one
issued at any point whatsoever is as valid (up to its issue date) as any
other.

It's not practical to release new canaries constantly, so there is always an
interrim period between one and the next where it is unclear if the situation
has changed. A due date/release schedule is a guideline to users for that
interrim period. Last canary within one normal scheduled interval? Everything
is normal. Last canary longer back? Now we must worry that the situation has
changed, because if it hadn't the canary should have been updated.

The release schedule is only that, though, a guideline for deciding during the
period since issuance. It changes nothing about the fundamental nature of the
canary as a claim up to the specified date. A new canary, early, on time, or
late, makes the exact same assertion as each of the older canaries. It being
late just prevents user confidence about the state of the service in the time
period between 'expiration' and new issuance, the new issuance brings back
this confidence.

Releasing a canary late is a sin because it creates a time period in which the
state of the service is in question, and frequent/lengthy/otherwise egregious
incidents should reduce user trust in a service. That time period ends when a
new canary is issued, though, as the protection of the canary is once again in
place.

But perhaps I simply misunderstand your ideas. Could you explain what you mean
by a means other than analogy (which is honestly not particularly useful here,
as the nature of signed text is different than the nature of birds)? Or a
better question, if a new canary is issued, but late, then what is the actual
scenario that users are not protected against?

~~~
jacquesm
That depends on how late 'late' is. A bit late, maybe. Weeks late:
indefensible. That leaves room for creative interpretations such as deals
being struck and compromised identity.

We need a canary monitor service or something to that effect, I imagine of the
alarm wasn't raised here then this situation could have gone on for much
longer still. Makes you wonder what the value of the canary is if nobody is
actively monitoring it.

------
subleq
I hadn't heard of Silent Circle before so I looked at their offerings. Is it
any different than what you get from TextSecure and RedPhone for free?

------
shalmanese
It seems to me that a warrant canary being updated after public notice is the
_most_ definitive proof we have that Silent Circle hasn't been served with an
NSL.

If the NSL had the ability to force an update, the canary would have been
updated before anyone noticed it was a problem. If the NSL didn't have the
ability to force an update, the canary would still remain un-updated.

------
raverbashing
"As of Thu Dec 25 19:07:56 2014 UTC, here are the current headlines"

So it's up again?

~~~
tedivm
Yeah, my guess is that someone at the site saw this and realized that they
need to update it.

That or they were forced to by law enforcement due to all of the attention
this was getting. Turns out warrant canaries are mostly useless.

~~~
qnaal
Based on a critical reading of the 'Thu Dec 25 19:07:56 2014 UTC' update I'd
say it has served its purpose and delivered its only message as loudly and
clearly (or absently and morbidly, as the analogy may go) as it can.

ps anyone got a link to any previous canary update, or even a copy of the
public key?

pps the update I read (including signature) had sha1sum
790b9817923137c68bd0a818456f2b47ff25719f

------
astrojams
Does that mean they've been served a warrant?

~~~
CSMastermind
Either that or they forgot to update it.

~~~
StavrosK
[DELETED, wait for an official company response]

~~~
spacefight
Well, some folks obviously watched out "for not updating it" during the last
couple of weeks.

From far away, the warrant canary served its purpose well.

~~~
StavrosK
Yeah, I agree. I think we update it every Friday (it's another team that does
it), but I wonder why we missed the last two. Maybe there's just stuff I don't
know about.

------
sarciszewski
Good catch :)

------
spacefight
That canary sits in direct reach of a LE (Law enforcement) of the US.

$> whois 199.217.106.243

[http://myip.ms/view/ip_addresses/3352914432/199.217.106.0_19...](http://myip.ms/view/ip_addresses/3352914432/199.217.106.0_199.217.106.255)

Edit: Typo law enforcement.

~~~
StavrosK
I'm not sure what a LAE is, but the server doesn't matter much, since we sign
the file itself.

------
dang
As long as it's a false alarm, we'll demote this story.

Edit: Ok, we restored it with a question mark. That's a more balanced way to
handle these; I just forgot about it.

Edit 2: Now that I think about it, there's no need for a question mark on a
factual statement. Sorry—I'm a little distracted right now! (We can change
"is" to "was" if they update it, but someone will have to let us know.)

I'm going to detach this subthread now so it can go to the bottom as off-
topic.

~~~
Tomte
I'm pretty tired of sensationalist NSA stories here on HN, as well, but I
think you're really wrong here.

First of all, it is a factual post, nothing sensationalist.

Second, it is obviously on topic (warrant canaries and their failure modes
have been discussed here several times, and usually very civilly).

Third, just because "some guy" tells you "hey, everything is fine" doesn't
make it true. You just declared that you're satisfied with the explanation,
which I can understand, but demoting the story means that you don't believe
that someone can rationally think otherwise. That's unfair, IMO.

Fourth, if you're posting a warrant canary and fail to update it, you deserve
the suspicion and discussion. That's kind of the whole point. So: working as
designed. :-)

~~~
spacefight
Yes - dang, plesae put that discussion back up where it belongs.

