Re: [liberationtech] Silent Circle Dangerous to Cryptography Software Development

6 Jul 2018


      I just wanted to note that hosting things in Canada isn't inherently, or
necessarily, safer than hosting in other countries. Canadian courts are
as able as American courts to apply pressure towards 'privacy sensitive'
companies, with Hushmail being a good example.

I would also note that Canada's lawful access legislation - perhaps on
ice now, but something that will likely come back to life at some point
- includes a decryption requirement that could have serious implications
for companies providing encryption services/encrypting data in transit.
A colleague of mine and I have written a piece on those decryption
requirements (which is available at
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2148060) as they
would affect cloud services, and it might be of interest to people on
this list.

Cheers,
Chris
-- 
******************************************
Christopher Parsons
Doctoral Candidate
Political Science, University of Victoria
http://www.christopher-parsons.com
******************************************
...
Julian Oliver <mailto:julian@julianoliver.com>
11 October, 2012 11:36 AM
A chap on Twitter by the name of Eric King wrote that "I don't have a
URL yet
but Phil said yesterday he was releasing the source code."
In any case, even with the source (including server-side) it is
unclear as to
whether protection is not compromised by this suite.
With a credit-card payment system the client list is practically a
click away
for any Government client, itself a worry. Having the servers located on
Canadian soil garners little, I think: software in a position like this
configures the distributor under responsibility to the juristiction in
which its
business is registered whilst foreign governments become potential
clients.
Ultimately software promising this level of privacy needs to reflect
that people
come from differing geo-political contexts. As such both client and
server needs
to be freely distributed and installable such that communities can
then manage
their own communication needs, taking risks within their techno-political
context as they see fit.
Cheers,
Nadim Kobeissi <mailto:nadim@nadim.cc>
11 October, 2012 11:24 AM
On 10/11/2012 2:14 PM, Katrin Verclas wrote:
...
Having sat for the better part of the day with Phil Zimmerman with activists and journalists in a room, here is what I learned:
On Oct 11, 2012, at 12:15 PM, Nadim Kobeissi wrote:
...
On 10/11/2012 12:04 PM, James Losey wrote:
...
Hi Nadim,
I largely agree with your assessment of Silent Circle and I offer these
thoughts in an effort to increase my understanding of the issue. The
product is a packaged "solution" clearly targeted towards business
customers focused on corporate privacy. And while the company offeres
regular transparency statements on government requests and strives to
Unless hit by a search warrant and a gag order at the same time, or a
federal subpoena.
Zimmerman stated that servers are located in Canada to avoid US subpoenas (not a lawyer, not sure what's that worth in the end).
His entire IP block is connected to servers in the United States. I am
very skeptical of that claim. Furthermore, this is nonsense; the issue
isn't being protected against *one* country's subpoena, it's being
protected against *any* subpoena.
...
According to the Silent Circle website:
Websites and products that donbt list the people behind the technology or where their servers are located, how the encryption keys are held or even how you can verify that your data is actually encrypted, are typical of the industry and provide only pseudo-security based on a lot of unverifiable trust.
Our secure communications products use b Device to Device Encryptionb b putting the keys to your security in the palm of your hand (except for Silent Mail, which is configured for PGP Universal and utilizes server side key encryption). We DO NOT have the ability to decrypt your communications across our network and nor will anyone else - ever.
The closed-source nature of the software makes pushing
government-mandated backdoors incredibly easy and extremely difficult to
detect if done right. This is a tall claim not backed by evidence or the
possibility of review.
...
Silent Phone, Silent Text and Silent Eyes all use peer-to-peer technology and erase the session keys from your device once the call or text is finished. Our servers donbt hold the keysb&you do. Our secure encryption keeps unauthorized people from understanding your transmissions. It keeps criminals, governments, business rivals, neighbors and identity thieves from stealing your data and from destroying your personal or corporate privacy. There are no back doors, nor will there ever be.
...unless they're served a court order, in which case Silent Circle will
either implement a backdoor or go to jail, thank you very much.
...
More importantly, Zimmerman noted that Silent Circle code will be made available for audit.
Skype, too, says that its code is available for audit, and then only
lets a single academic audit it via an auditing that they themselves
fund. This is likely PR; I will not be satisfied unless anyone can
audited the code, and the source code is kept updated with every new
release.
...
...
...
minimize storage of some types of data (and you're right that payment
info is problematic) the company is clearly interested in paying for
privacy assurances and seems less focused on supporting activists. 
According to Zimmerman (who was keenly interested in use cases for activists) will make licenses available to activists at no cost.  They have not figured out the process for this yet, but we'll certainly follow up with them.
This is just really scary -- a piece of closed source, unaudited,
unverifiable software that costs money for corporations, but is free for
activists?
...
Katrin
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
NK
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
Katrin Verclas <mailto:katrin@mobileactive.org>
11 October, 2012 11:14 AM
Having sat for the better part of the day with Phil Zimmerman with activists and journalists in a room, here is what I learned:
On Oct 11, 2012, at 12:15 PM, Nadim Kobeissi wrote:
...
On 10/11/2012 12:04 PM, James Losey wrote:
...
Hi Nadim,
I largely agree with your assessment of Silent Circle and I offer these
thoughts in an effort to increase my understanding of the issue. The
product is a packaged "solution" clearly targeted towards business
customers focused on corporate privacy. And while the company offeres
regular transparency statements on government requests and strives to
Unless hit by a search warrant and a gag order at the same time, or a
federal subpoena.
Zimmerman stated that servers are located in Canada to avoid US subpoenas (not a lawyer, not sure what's that worth in the end).
According to the Silent Circle website:
Websites and products that donbt list the people behind the technology or where their servers are located, how the encryption keys are held or even how you can verify that your data is actually encrypted, are typical of the industry and provide only pseudo-security based on a lot of unverifiable trust.
Our secure communications products use b Device to Device Encryptionb b putting the keys to your security in the palm of your hand (except for Silent Mail, which is configured for PGP Universal and utilizes server side key encryption). We DO NOT have the ability to decrypt your communications across our network and nor will anyone else - ever. Silent Phone, Silent Text and Silent Eyes all use peer-to-peer technology and erase the session keys from your device once the call or text is finished. Our servers donbt hold the keysb&you do. Our secure encryption keeps unauthorized people from understanding your transmissions. It keeps criminals, governments, business rivals, neighbors and identity thieves from stealing your data and from destroying your personal or corporate privacy. There are no back doors, nor will there ever be.
More importantly, Zimmerman noted that Silent Circle code will be made available for audit.
...
...
minimize storage of some types of data (and you're right that payment
info is problematic) the company is clearly interested in paying for
privacy assurances and seems less focused on supporting activists.
According to Zimmerman (who was keenly interested in use cases for activists) will make licenses available to activists at no cost.  They have not figured out the process for this yet, but we'll certainly follow up with them.
Katrin
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

Christopher Parsons

tags

participants (1)