
Philip Zimmermann's fears for privacy - sasvari
http://www.theguardian.com/technology/2015/may/25/philip-zimmermann-king-encryption-reveals-fears-privacy
======
zmanian
Switzerland is mostly a privacy snake oil in regards to the coercive powers of
various legal authorities. Your executives, investors etc are all subject to
US law. Swiss law isn't going to protect users.

Switzerland might be a reasonable place to stage civil disobedience from. Phil
has credibility in that regard. Would love to see a statement from Silent
Circle comparable to Least Authority's
[https://tahoe-lafs.org/pipermail/tahoe-dev/2010-October/0053...](https://tahoe-lafs.org/pipermail/tahoe-dev/2010-October/005353.html)

~~~
MichaelGG
Most of Silent Circle is marketing, as far as I can tell. The ZRTP stuff is
great, as voice verification is easy (spoofing it is hard).

But the rest? They talk about secure PSTN, but they are just using VoIP AFAIK
(even if they had TDM handoffs, a ton of traffic goes over random VoIP
providers anyways.) But that aside - there is no such thing as secure PSTN
(outside of things like PGPfone). What benefit is there versus using a VPN and
any random VoIP provider? Maybe they keep less CDRs, and if you use no calling
number, that'd be a little better, I guess.

Hell, try to explain what this even means:

"Our Silent Network provides the backbone to our encrypted communications
service. There's no sharing of our dedicated network. We have custom-built
servers, CODECs, software and hardware that ensure security integrated through
design"

Custom built servers? Like what, they assembled Super Micro servers or FB's
server spec? Or what? 100% dedicated network? They ran fiber? Or they mean
they bought some Ethernet switches instead of using AWS or some colo's
switches? And new codecs? I guess it's possible but if they've outdone all the
other audio codecs out there, that's worth talking about concretely. Not to
mention that's a huge breakthrough, on top of the crypto work. (Or do they
mean ZRTP is the custom built codec?)

Seriously everyone: go to this page[1] and tell me if your BS meter doesn't
redline.

Custom built PBX? Does that mean FreeSWITCH or Asterisk, or something else? If
it is one of the open source systems, where are the CVEs they've found and
upstreamed?

Custom built HD network? Wtf does that even _mean_?

And Blackphone? Last I saw it on HN, it was a closed source system, zero
mention of baseband processor security. I thought it was Android based, with a
few apps thrown in but I don't recall offhand.

SC has some great tech guys and the people I've met seem nice and sincere and
I've no doubt they are acting in good faith. But the stuff their CEO and
marketers say makes it come off very scammy.

1: [https://silentcircle.com/silent-network](https://silentcircle.com/silent-network)

~~~
spacehome
> voice verification is easy

Why can't anyone who hears my voice spoof it? Seems relatively insecure to
broadcast my password every time I talk.

I've heard in other contexts such as retinal or fingerprint scanning that
biometrics are more like usernames than passwords (public and hard to change).
Why shouldn't voice be the same?

~~~
JshWright
They are referring to the SAS verification, which are two words derived from
the peer to peer key exchange process. If they match on both ends, you can
have a very high degree of confidence that there is no man in the middle.

It's not a password, it's a verification tool that can be used to double check
the security of your connection once you are sure you are talking to the right
person.
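
An added illustration of the SAS check described in the comment above, not part of the thread and not ZRTP's or Silent Circle's code: a simplified sketch in which both ends derive two words from a Diffie-Hellman exchange, and a relay in the path makes the words differ. The toy group, the syllable word list (a stand-in for the PGP word list) and all function names are assumptions; ZRTP's hash commitment and real key derivation are omitted.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration; far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

# Constructed stand-in for the PGP word list: one pronounceable token per byte.
SYLLABLES = ["ba", "de", "fi", "go", "hu", "ka", "le", "mi",
             "no", "pu", "ra", "se", "ti", "vo", "wu", "za"]

def word(byte):
    """Map one byte to a two-syllable token (high nibble, low nibble)."""
    return SYLLABLES[byte >> 4] + SYLLABLES[byte & 0x0F]

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def sas(my_priv, peer_pub, initiator_pub, responder_pub):
    """Two words derived from the shared secret and both public values seen."""
    shared = pow(peer_pub, my_priv, P)
    h = hashlib.sha256()
    for value in (shared, initiator_pub, responder_pub):
        h.update(value.to_bytes(16, "big"))
    digest = h.digest()
    return word(digest[0]) + " " + word(digest[1])

def direct_call():
    """No one in the middle: both ends compute the same shared secret."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return sas(a_priv, b_pub, a_pub, b_pub), sas(b_priv, a_pub, a_pub, b_pub)

def relayed_call():
    """A relay substitutes its own public value on each leg of the call."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _, m1_pub = keypair()  # relay's key as seen by the caller
    _, m2_pub = keypair()  # relay's key as seen by the callee
    caller_words = sas(a_priv, m1_pub, a_pub, m1_pub)
    callee_words = sas(b_priv, m2_pub, m2_pub, b_pub)
    return caller_words, callee_words

if __name__ == "__main__":
    print("direct :", direct_call())
    print("relayed:", relayed_call())
```

With 16 bits of SAS, the two ends of a relayed call agree by chance about once in 65,536 exchanges, which is why the words are read aloud and compared by people who recognise each other's voices.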

------
marincounty
"Today, his biggest worry is not software backdoors, but the petabytes (1m
gigabytes) of information being hoarded by the likes of Google and Facebook.
“If you collect all that data, it becomes an attractive nuisance. It’s kind of
a siren calling out inviting someone to come and try to get it. Governments
say that if private industry can have it, why can’t our intelligence agencies
have it?”

I am hoping if enough people stop using these two services; they might start
deleting information permanently? I know Google is hard to give up, but I
don't think they need to keep everything. As to Facebook, I can't see any
reason, other than business, as to why they keep every bit of information we
put up there--forever.

~~~
Zigurd
Keep in mind that not using Facebook or Google is a bit like not having a
Social Security number. Totally possible, but a gratuitous red flag.

It's better to poison the data beast than to try to starve it.

~~~
throwawayaway
what about not using the internet, is that a red flag too?

------
java-man
"Today, email can be routinely and automatically scanned for interesting
keywords, on a vast scale, without detection. This is like driftnet fishing."

-- Phil Zimmermann, 1991

~~~
StavrosK
This is why I'm for any attempt at encryption that makes such large-scale
surveillance hard. It doesn't have to be _perfect_ (although it should also
not be marketed as perfect), but things like encrypting all connections,
opportunistically encrypting communications, and everything else that would
require someone to actively tap an endpoint, rather than just tap any backbone
random router, still does a lot of good for privacy. Do it, just don't call it
"secure" ("secure" to me means person-to-person secure).

~~~
lisper
Would love to get your feedback on this then:

[https://github.com/Spark-Innovations/SC4](https://github.com/Spark-Innovations/SC4)

~~~
ryukafalz
The fact that it's meant to be run in a browser is somewhat concerning. HTTPS
is... okay... but for a GPG replacement I wouldn't really want to be dependent
on the CA system _or_ a remote server.

~~~
lisper
Two responses:

1. You can run it on your own server, and you can run it from a FILE: URL
(though that part is still work in progress).

2. This implementation is not the only one there will ever be. The goal of
this implementation is just to make something that non-technical people can
easily use in order to establish the (open) file interchange protocol. Then
anyone who wants to can write native clients, email plugins, etc.

------
comrade1
The last time I looked into it, all SilentCircle had was a small sales office
in the French part. No engineering, marketing, etc... just a secretary and a
sales guy.

I'd be surprised if they move anything substantial besides their servers to
Switzerland. It's increasingly difficult for non-Europeans to get residence
permits here. I doubt Phil, Jon Callas, etc are anywhere near Switzerland, but
I'd be happy to be proven wrong.

As for Switzerland being a 'privacy snakeoil', that's wrong. Privacy rules
(especially financial) are strict and followed by the government, unlike in
the U.S. There are definitely surveillance operations, for example, the
satellite communication program that uncovered the CIA rendition programs, but
these are mostly directed outward.

~~~
JshWright
Phil spends almost all his time in Geneva at this point (obviously excepting
travel for conferences, etc).

~~~
comrade1
That's great. However, it still looks like it's just a sales office based on
sc's job board.

I'd be curious to know if he got residency but I know you probably can't
answer that. Without residency he can only spend 90 days in ch every 6 months.

~~~
JshWright
I don't know about his official residency status. I do know that he spends
enough time on the road for conferences, etc, that it is possible that half of
every 6 months works for him...

As far as who is in the office there... Any office we have is a sales office.
All of our tech/engineering folks are remote, and spread all around the world.

