
Blackphone 2 – Coming Soon - mike-cardwell
https://www.silentcircle.com/products-and-solutions/devices/
======
ilurk
AFAIK only the Neo900 offers baseband isolation from the main system.

[https://neo900.org/faq](https://neo900.org/faq)

> Unlike some other smartphones do, Neo900 won't share system RAM with the
> modem and system CPU will always have full control over the microphone
> signal sent to the modem. You can think of it as a USB dongle connected to
> the PC, with you in full control over the drivers, with a virtual LED to
> show any modem activity.

I found no information on baseband isolation for the Blackphone. Does anyone
have further information on this?

~~~
EthanHeilman
Baseband isolation is a must for a secure phone. Blackphone does not offer it
and Blackphones can be compromised as a result[1].

> "The Blackphone does not protect you against vulnerabilities in the Android
> subsystem, in the application processor (SoC), or in the baseband itself." [1]

Blackphone excels at protecting communication from passive adversaries, but it
needs to shore up endpoint security.

> The makers of Blackphone are well aware of this. “We have a bit of a problem
> with the press saying that the Blackphone will make you NSA-proof. If someone
> [at the Blackphone booth] tells you that it’ll protect you from the NSA, I’ll
> fire them,” Phil Zimmermann, one of the Blackphone’s creators, told Anthony. - [2]

While the Neo900 has some baseband isolation, I would still be extremely
careful in assuming this isolation is complete. I haven't researched this
enough to have an opinion but I would like to know exactly what privileges it
has and what sandboxing is done to isolate it.

[1]: [http://www.itproportal.com/2014/02/26/blackphones-big-proble...](http://www.itproportal.com/2014/02/26/blackphones-big-problem-the-belief-that-the-device-is-nsa-proof/#ixzz2uW5QC6WJ)

[2]: [http://qz.com/181977/hidden-risk-in-blackphones-secure-commu...](http://qz.com/181977/hidden-risk-in-blackphones-secure-communications/)

~~~
dogma1138
There's very little chance that anyone can make anything which is actually
NSA-proof; if they want to compromise it they will, it's just a matter of
resources.

The Neo900 is doing their BB isolation by using a 3G/4G USB dongle; by doing
this they claim that they can not only disconnect the BB from the rest of the
phone but also analyse its behavior. While the 1st part is very doable, as
they can use relays/electronic switching to disconnect the BB, the 2nd part is,
well, more iffy.

Due to regulations, BBPs tend to be extremely closed devices. While the Neo900
might be able to do some power usage analysis in order to ensure that when the
BB is suspended it is indeed off (something that any phone vendor should be
able to accomplish), I have very strong doubts about their ability to detect a
compromise, especially from a state agency with the capabilities of the NSA,
while the BBP is mounted and in active use by the user.

For the most part I don't see either of them as being a solution against
government-directed action, especially not against the NSA, so the question
here is really, when it comes to effective privacy and operational security,
which device can be made more secure against surveillance by criminal elements,
corporate agents, casual snoopers, and maybe low-level state actors (emerging
nations etc.).

------
ch4s3
I'd be curious to hear from anyone that has a Blackphone. How does it compare
to other phones you have used? Do you plan to get a Blackphone 2?

~~~
rbcgerard
In particular, what's it like using the phone outside of the Silent Circle
ecosystem... because let's face it, 95% of the people you are going to
call/text etc. will not be using a similar device.

~~~
orph4nus
I would assume it would have the same effect as with end-to-end encrypted
mail, where you just have unencrypted data when you are communicating with
people that don't support this. Such as is the case with
[https://protonmail.ch/](https://protonmail.ch/)

------
mtgx
Have they ever responded to that warrant canary issue?

[https://news.ycombinator.com/item?id=8796307](https://news.ycombinator.com/item?id=8796307)

[https://news.ycombinator.com/item?id=9162186](https://news.ycombinator.com/item?id=9162186)

By the looks of it, they seem to have updated the warrant canary:

[https://canary.silentcircle.com/?new-issue](https://canary.silentcircle.com/?new-issue)

~~~
StavrosK
I'm not sure if there was a public statement, but I was commenting on the
thread way back when it happened. It turns out that there was an editor issue
with the way the canary was being updated that prevented the new one from
getting saved, and nobody realized that was the case.

We've since changed the way we update the canary and added monitoring checks
to notify us if it's out of date. IIRC we also changed the text to a more
clear version.

------
Zhenya
Is silentcircle no longer offering the service for consumers?

Cache shows this:
[http://webcache.googleusercontent.com/search?q=cache:oiqIFBt...](http://webcache.googleusercontent.com/search?q=cache:oiqIFBtn7TgJ:https://silentcircle.com/pricing+&cd=1&hl=en&ct=clnk&gl=us)

    Starter
    100 Silent World Minutes
    Make Calls to 120 Destinations
    Unlimited Received Calls
    Unlimited Member to Member
    $12.95 /month

etc

but their website now only has you contact sales for enterprise:
[https://silentcircle.com/products-and-solutions/](https://silentcircle.com/products-and-solutions/)

~~~
dogma1138
You can still register as a personal user and buy a subscription for 1 to
50 users.

------
d_theorist
In Chromium on Ubuntu I'm getting:

"You attempted to reach www.silentcircle.com, but the server presented a
certificate issued by an entity that is not trusted by your computer's
operating system. This may mean that the server has generated its own security
credentials, which Chromium cannot rely on for identity information, or an
attacker may be trying to intercept your communications."

~~~
mike-cardwell
Weird. I'm getting the same thing using Chromium on Debian Jessie. Firefox on
the same system has no such warning. I don't see any errors on ssllabs.com,
but interestingly, it only supports TLS1.1 and above. No support for TLS1.0:

[https://www.ssllabs.com/ssltest/analyze.html?d=silentcircle....](https://www.ssllabs.com/ssltest/analyze.html?d=silentcircle.com)

~~~
heinrich5991
I believe Firefox ships their own Root Certificates.

------
karmakaze
The product info would be much more interesting with target pricing. Anyone
have an idea?

