
New "Surveillance-Proof" App To Secure Communications Has Governments Nervous - kunle
http://www.slate.com/articles/technology/future_tense/2012/10/silent_circle_mike_janke_s_iphone_app_makes_encryption_easy_governments.single.html
======
dzuc
_Janke assembled what he calls an “all-star team”: Phil Zimmerman, a recent
inductee to the Internet’s Hall of Fame, who in 1991 invented PGP encryption,
still considered the standard for email security. Jon Callas, the man behind
Apple’s whole-disk encryption (which is used to secure hard drives in Macs
across the world), became Silent Circle’s chief technology officer._

Yeah... that might actually qualify as "all-star"

~~~
notimetorelax
I'm not familiar with the specifics, why do you think they are not real
all-star?

~~~
samstave
I think he is being serious, not facetious...

~~~
notimetorelax
Quotes confused me a little.

~~~
gagege
And the ellipsis.

------
OldSchool
I've always had this sneaking suspicion that Microsoft bought Skype solely
under the direction of the government so that it could be centrally
administered and monitored by a vendor that is willing to do the job. There
certainly has never been a business case for it that would support the obscene
valuation even the first time around. I usually see about 20m users logged in
and most of them are probably not active let alone terminating calls to a
telco so they represent zero revenue.

~~~
s_henry_paulson
Along the same lines, I've always had the thought that the reason IPv6
adoption is taking so long is because encryption is actually built into the
protocol.

What happens to all those billion dollar wiretapping facilities all over the
country once they find out they can't just siphon internet traffic into their
facilities anymore?

~~~
fuzzix
"Along the same lines, I've always had the thought that the reason IPv6
adoption is taking so long is because encryption is actually built into the
protocol"

Are you talking about IPSec? This is still optional in IPv6 and available
using IPv4.

I think the reason adoption is slow is that it's not easy to convince managers
to allocate people and time to it... "So, it's not yet broken but you want to
fix it?"

------
chrisballinger
It's good to hear they will be releasing the source! A tool like this would be
rather insane to use by anyone serious about security without the ability to
inspect the source. The article states it will be under a "noncommercial
open-source license".

~~~
Cogito
I'm interested if they will release enough to reproduce the entire system, or
only the client aspect. It's apparently using client-client protocols, but
there is obviously some level of discoverability provided by the network that
is a monetisation avenue for the company.

------
Mizza
Can't believe people are getting so jazzed over proprietary encryption
technology! It's a truly horrible idea, especially as there are already
existing F/OSS alternatives, such as <https://chatsecure.org/> for iPhone.

~~~
shin_lao
You overestimate the importance of source code availability for security.

Counter-example: <http://digitaloffense.net/tools/debian-openssl/>

What matters is who writes the software, how experienced they are and what the
validation process is.

~~~
iwwr
Without public availability of the source code and an auditable trail from
source to build, there is really no way to trust it.

Also, this: _it reserves the right to shut off that person’s service and will
do so "in seven seconds."_

~~~
shin_lao
_Without public availability of the source code and an auditable trail from
source to build, there is really no way to trust it._

This is where I feel you might be a little bit dogmatic.

You don't need the source code to audit software. Software that is heavily
used is audited.

Microsoft software is probably more scrutinized than any other open source one
(I'm not implying it's more secure, just that it's more analyzed).

Security is a question of trust, not a question of source code. Even if you do
the audit yourself, it's a question of trust: it means you trust your own
abilities to evaluate the security.

I'll go a little bit further.

Did you check that the computer you bought isn't rigged? Maybe someone can
remotely control your webcam or eavesdrop on your keyboard.

Did you check that the operating system you have hasn't been compromised?
Maybe someone intercepted your download and patched it on the fly to insert a
backdoor.

Is your home physically secure? Maybe someone is copying your hard disk every
day.

You're right when you say Silent Circle should be scrutinized and criticized.

Nevertheless, I disagree when you imply that the unavailability of its source
code is a show stopper. Source code only makes one small part of the security
audit a little bit easier.

Security is a process, not a feature.

~~~
BUGHUNTER
BS! Crypto software has to be open source to be taken seriously - all the
other things you write about are additional factors that count in and are not
related to this one argument, so you are trying to wishiwashi the discussion -
it only shows that you think your readers are not able to think clearly and in
a well-structured way or you are not able to do it.

Without source code no crypto routines can be trusted - period. Anything else
might work in the fake industries, where producing marketing lies is part of a
standardized way to make money, but not in the real crypto world.

~~~
shrughes
Your opinion only makes sense if you think P(your analysis of the source code
is correct) > P(you can trust person X) * P(person X's analysis of the source
code is correct).

Actually the right hand side is much more difficult to defeat because it
involves more than one person.

------
mapgas88
If people are interested in this type of thing for Android, I recommend
checking out the RedPhone and TextSecure apps.

They're free to use, all the source code is GPLv3 on GitHub, and RedPhone
already has global calling coverage. The apps have been translated into 15
languages, and in my experience they're really dead simple to use.

~~~
aw3c2
I really hope that TextSecure will be ported to iOS.

~~~
ConstantineXVI
Stop hoping and port it, then. The protocol[0] is based on OTR, which already
has at least one Cocoa implementation in Adium. AFAIK you can't directly tap
into SMS on iOS, so you'll either need to do a lot of copy/pasting or run
across your own messaging network.

[0] <https://github.com/WhisperSystems/TextSecure/wiki/Protocol>

------
tsotha
I'm pretty sure this kind of thing doesn't make governments nervous. For one
thing, they can always place a virus or a bug on your phone. Or they can do it
the old fashioned way and bug your car/office/bedroom.

This is only going to defeat the "dragnet" type stuff that combs through
millions of conversations looking for keywords. I guess that's something, but
if you've managed to attract the all-seeing eye you shouldn't be lulled into a
false sense of security because the link between your mobile and someone
else's is secure.

~~~
mogrim
They can also just legislate you out of existence: "You want to operate here?
You comply with the law. And that means a backdoor."

As long as this service is commercial (which apparently it is) it will have a
payment gateway, and that point can be easily blocked by a local government.

~~~
Vivtek
So everybody _but_ the United States will have secure communications. Race to
the bottom, then? The place seems more Soviet every day.

~~~
tsotha
The US has a lot more influence in these kinds of things than you would think.
I'm continually amazed at how easily countries buckle when faced with, for
example, financial industry sanctions. Look at the way copyright law has
changed over the years.

~~~
Vivtek
Ouch - point taken.

------
zentrus
My main question is how are these keys generated and exchanged? Normal
Diffie-Hellman is susceptible to man-in-the-middle attacks. You can eliminate this by
adding public key certificates to the mix, but how would Silent Circle manage
these certificates? How easy would it be to forge an encrypted text from an
account? Essentially, how does the app verify that the key it is given is
legit? So many questions and so little detail.

~~~
moxie
For the voice app, it uses ZRTP. Basically, the initiator and responder
perform an ephemeral DH key agreement. Both clients then independently
generate a "short authentication string" (basically just two English words)
from the shared secret they negotiated, and display those two words to the
caller.

Both callers then read the two words to each other, and if they're the same,
they know there couldn't have been a MITM attack. In the case where there's a
MITM attack, each caller would have different key material, resulting in a
different SAS. The protocol uses hash commitment and other tricks to make this
really work in practice.

They haven't published the protocol for their chat app's encryption yet, but
it sounds similar to OTR. While OTR has some nice tricks for verifying
authenticity by using zero-knowledge proofs, it doesn't sound as if they have
support for that sort of thing, and parties would have to make a call and read
a SAS to each other over the phone.
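
The SAS comparison described in the comment above, as an added sketch that is not part of the original thread and is not Silent Circle's or any ZRTP library's code. The toy group, the `commit`/`sas` helpers and the 4-character base32 rendering (in place of two words) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Toy group (assumption): readable demo parameters, NOT a ZRTP-approved DH group.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def enc(n):
    return n.to_bytes(32, "big")

def commit(pub):
    """Hash the initiator sends before either public value is revealed."""
    return hashlib.sha256(b"commit" + enc(pub)).digest()

def commitment_ok(commitment, revealed_pub):
    # Without this check, whoever reveals last could grind keys until the
    # short SAS collides; with it, an interceptor is left with a single guess.
    return hmac.compare_digest(commitment, commit(revealed_pub))

def sas(own_priv, peer_pub, initiator_pub, responder_pub):
    """20-bit string from the shared secret and both public values as seen locally."""
    shared = pow(peer_pub, own_priv, P)
    digest = hashlib.sha256(enc(shared) + enc(initiator_pub) + enc(responder_pub)).digest()
    return base64.b32encode(digest[:5])[:4].decode()  # stand-in for the two words

def run_call(mallory=None):
    """Return (SAS on Alice's screen, SAS on Bob's screen).
    mallory: optional (priv, pub) swapped in for both public values in transit."""
    a_priv, a_pub = keypair()  # Alice, initiator
    b_priv, b_pub = keypair()  # Bob, responder
    seen_by_alice = mallory[1] if mallory else b_pub
    seen_by_bob = mallory[1] if mallory else a_pub
    return (sas(a_priv, seen_by_alice, a_pub, seen_by_alice),
            sas(b_priv, seen_by_bob, seen_by_bob, b_pub))

if __name__ == "__main__":
    print("direct call:      ", run_call())
    print("intercepted call: ", run_call(mallory=keypair()))
```

On a direct call both screens show the same string; when the public values are swapped in transit the two strings differ, which is what the callers detect by reading them aloud.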

~~~
jmspring
So voice is an iteration on Phil's Zfone product he was pushing a few years
back...

~~~
moxie
Yes, although they seem to have much better marketing this time around (a good
thing).

~~~
rdl
They're also doing some iOS/mobile specific tricks with Apple Push to do the
key exchange (at least in the text app)

------
xyzzy123
The problem with crypto is not source code. The problem with crypto is not the
protocols or the algorithms. Partly it is infrastructure. Mostly it is network
effect. Where the cypherpunks have failed (multiple times) is getting strong
crypto to be the "default option" for a large enough proportion of users that
it spreads virally and takes over the world.

This is one more shot at it.

~~~
pnathan
It's very hard to convince ordinary people that encryption benefits them.
Encryption needs to be _unbelievably_ easy to use in order to make the average
joe-on-the-street use it. I've been involved with such efforts- the cold truth
is "no one cares" (except people who REALLY care). So what usually happens is
very few people set it up, and the ones who do will struggle through to _make_
it work, because they care.

------
JonnieCache
I love the fact that he's an ex-SEAL. Dragging him into a little room at the
airport to intimidate him might not work so well here.

------
rohern
It seems to me the way to get around this (for the nervous government) is to
attack the iphone itself and capture keystrokes, nay?

~~~
ntaylor
> _If authorities wanted to intercept the communications of a person using
> Silent Circle, it is likely they’d have to resort to deploying Trojan-style
> tools—infecting targeted devices with spyware to covertly record
> communications before they become encrypted._

------
zwass
The problem is, anyone who is serious about security is going to need to read
the source and compile the binary they load onto their phone. Nontechnical
people aren't going to be able to do that.

~~~
hollerith
A tech guy can ask a non-tech guy if he can examine his phone. If the binary
on the phone differs from any binary the tech guy can get by compiling clean
source code, he can raise questions. This is how a group of tech guys who are
in communication with each other can protect the privacy of a much larger
population of non-tech guys.

~~~
xyzzy123
Right; if you don't understand the technology (or like most of us, haven't
taken the time to comprehensively review it) you have to rely on social proof.

------
mayneack
Really wish I could sign up and then hold my free month until after the
Android app comes out. Guess I'll just keep checking back (or assume that when
it happens, it will be mentioned here)

~~~
moxie
You might check out RedPhone and TextSecure (I'm one of the developers).
They're in the Play Store and on GitHub.

------
leke
Janke's book:
<http://www.amazon.com/Power-Living-Mastering-The-Self-Discipline/dp/0967513936>

------
Fando
Wow I would love to learn the details of this technology.

~~~
moxie
The secure voice app is ZRTP (they are just using an existing open source ZRTP
library). The ZRTP protocol is now an RFC:
<http://tools.ietf.org/html/rfc6189>

The secure chat protocol they're using is something they developed and haven't
yet published. It sounds as if it's similar to OTR, though. TextSecure (an
encrypted SMS app I work on) uses a version of OTR adapted to the mobile
environment, which is documented here:

<https://github.com/WhisperSystems/TextSecure/wiki/Protocol>

------
projectmeshnet
Open source alternative: Cjdns. <http://en.wikipedia.org/wiki/Cjdns>

~~~
Cogito
This has been announced as open source as well, though it hasn't been released
yet.

------
digitalengineer
If these guys want it to go more mainstream they should let people purchase
PRE-PAID cards. I love the idea of easy encryption but hate the SaaS. (That's
fine for webservices but this is more of a phone-service. 20 bucks a/month is
too much for most people).

~~~
chiph
They're selling prepaid "Ronin" cards. Or you can fund your account with a
prepaid Visa card (hint: Pay in cash at a supermarket you don't normally
frequent)

The SaaS part of it is pretty necessary. In order for your phone/pad to
traverse a NAT firewall there needs to be a common device that acts as a
matchmaker between callers. This also solves the problem of "What if the
person I'm calling is at some random coffee shop, and not at home?", where
they can't set up a firewall rule.

But really, their initial audience is business people who won't blink an eye
at $20+ a month to secure their communications for a multi-million dollar
deal. Not cheapskates like me. :)

~~~
digitalengineer
Thanks Chip.

------
dfc
Is Silent Phone just zfone 2.0?

------
ihsw
So this is like Tor but for mobile phones? Very interesting.

~~~
drivebyacct2
Moxie's point is important, but one that is more important is the difference
between anonymization and encryption. If your connection is not encrypted, it
may be possible to determine who you are, but something being encrypted
doesn't by nature mean that the users are unknown.

In this case, they know each other and communicate encrypted. In Tor's onion
routing, the server and user don't "know" each other _and_ they communicate
via an encrypted channel. Thus, if someone listens to your Tor connection,
they still can't see your data [and/or guess at your identity].

~~~
moxie
I don't think it's worth emphasizing the confidentiality aspects of Tor's
"link layer" protocol, given that users really shouldn't conceptualize Tor as
something which provides confidentiality for their traffic.

Or as the Tor project says, plaintext over Tor is still plaintext:
<https://blog.torproject.org/blog/plaintext-over-tor-still-plaintext>

------
aw3c2
$20 is more than what I pay for my whole phone & data plan per month, that is
much too expensive for me and my peers.

~~~
gokhan
Every politician in any second or third world country would pay ten times as
much for such a service, not counting people doing illegal things or things
not approved by the ruling party / dictator etc.

Having it as nice to have in a free country is one thing, having your life or
career depend on eavesdropping-free communication is another.

~~~
aw3c2
I would much rather have John Doe be safe from government surveillance than
the government itself.

------
perlpimp
Nice job, but it is not available in Russia. Maybe other iTunes regions. What
good does it do when it is not available?

------
bluedanieru
> It will store only the email address, 10-digit Silent Circle phone number,
> username, and _password_ of each customer.

Surely this is not correct.

~~~
JshWright
I'm the guy who wrote the accounts management platform for Silent Circle. Rest
assured, passwords are stored as PBKDF2 hashes. (I realize bcrypt is popular
around here, but when it comes to crypto stuff, standards are a good thing,
most of the time...)

edit: s/DK/KD/

~~~
na85
How much computing power would it take to brute-force one of those hashes?

We know NSA has gargantuan parallel processing capabilities.

~~~
JshWright
We tune the hash iterations to take a reasonably long amount of time on our
modern hardware. That said, a dedicated and well funded attack on a single
hash could certainly crack it in a relatively short period of time (which is
why we protect the hashes as if they were cleartext passwords...)

