[cryptography] Fwd: Answers to some of your questions (Silent Circle responds..)

Fri Feb 15 07:19:55 PST 2013

This was circulated on libtech and here it is for your consideration too.

It confirms some of the ramblings on the pad, disposes of some others, ..

Also attached is a condensed version of the pad after "summary" was
put at the top.

Cheers, -Ali

---------- Forwarded message ----------
From: Jon Callas <jon at silentcircle.com>
Date: Thu, Feb 14, 2013 at 11:28 AM
Subject: Answers to some of your questions
To: Ali-Reza Anghaie <ali at packetknife.com>
Cc: Jon Callas <jon at silentcircle.com>

Hi, Ali-Reza.

I saw your pastebit with some questions, and let me answer. You may
repost this mail to liberation tech or anywhere else.

* A Latvian company wrote most of the software, not SilentCircle

When we formed Silent Circle, we looked around for people to partner
with. We selected Tivi because they're really cool people -- I used
their ZRTP-enabled VOIP client back in the days when I had a Nokia
N95. We picked them in part because they were willing to release
source code. (Other potential partners were not willing.)

Our partnership with them includes that code base, and that they work
for us full-time now. They're some of our main developers now.

I have a bit of a raised eyebrow at this comment. (Yes, I know it's
not your words, you're also explaining.) It sounds to me like whoever
is making that comment is implying that there's something wrong with
Latvia. Riga was for many, many years a center of European high-tech
until the dark days of WWII and Soviet occupation. It's a lovely place
filled with incredibly smart, friendly people. It is a part of the EU,
and also a NATO nation. Our team in Riga. We picked them because they
rock.

Perhaps the comment comes from the fact that they were in business
before our partnership. It's relatively common in high-tech that
companies enter into partnerships with others. Google, Microsoft,
Apple, Facebook, and others often use some sort of relationship like
this to get software or technologies that they didn't have, so that it
speeds up development. We are hardly unique in this.

Perhaps I don't understand. If someone could explain the objection to
me, I'm happy to address it further.

* Application is designed for VoIP, not specifically for Security

It's a secure VOIP client. Because of its history, there's a lot of
latent capability in it that is VOIP related. Is there an actual
question or objection?

* It does use an outdated SSL library (PolarSSL 1.1.1) with some known
security vulnerabilities ?

No, we're using PolarSSL 1.1.4. We did not include the PolarSSL code
in the drop because we didn't want to figure out the licensing
details.

* It does not use LibZRTP by Philip Zimmermann used in Zfone but ZRTPCPP

That is correct. We're using Werner Dittmann's library. We like it. We
like it so much that Werner is working for us. Werner rocks.

* It does use an outdated version of ZRTPCPP library?

I don't believe so. If anything, we're using a version of it that is
newer than anyone else's; Werner works for us, now.

Should we need release a new version, we will.

* It does reveal their test/development server?

- "I wonder if they are hiring new iOS devs now?"

Yes, we are. We also need Android devs, and need them more than iOS
devs. Feel free to send risumis to <jobs at silentcircle.com>. Note that
we are a highly-distributed company with developers and staff
stretched from Latvia to Greece, to the Pacific West. Location almost
does not matter. 31337 skillz do.

I will also note that the code of the VOIP system is the same across
all our apps. It gets compiled for iOS and Android, as well as Windows
(Silent Eyes). Each OS has its own UX skin on top of the code VOIP
system.

- "I'd say anything that gets Silent Circle to actually answer
questions proper is useful, if that is the result."

Feel free to send questions to me, or to "security at silentcircle.com"

* In ./silentphone/tiviengine/prov.cpp there is some kind of
provisioning protocols, used probably to auto-configure the voip
clients.

Good catch! Yes, indeed, we provision the clients ourselves. Silent
Circle is a *SERVICE* not an app.

* It should be evaluated the capability for a government
censoring/filtering host to block the user out by blocking
accounts.silentcircle.com or sccps.silentcircle.com. Maybe some
dynamic methods is in place?

We'd love to hear suggestions. If someone's suggestion is particularly
clever, feel free to attach a risumi.

* It should be asked what are the privacy handling for those data and
if those can be additionally "privacy enforced" .

Feel free to ask. I don't understand the question, myself.

* QUESTION: What this certificate is used for ?
TODO: We should check to see if this certificate is used for TLS
Validation? If so that's cool, that it does not rely on third party
CA.

Got it in one! Thank you for thinking it's cool.

Again, feel free to forward this mail to anyone, and I'm happy to
entertain questions from anyone.

        Jon

-----
Jon Callas
Chief Technical Officer
Silent Circle, LLC
email: jon at silentcircle.com Silent Phone: jon

NOTE: The original pad is being vadalized. A backup of the content, before nonsense, of that pad can be had at http://pastebit.com/pastie/12001 for background reading. A Summary of the useful parts of that pad is:

- The TiViPhone base appears to be an acquisition by SilentCircle and the (c) reflects that. Also a number of the TiViPhone employees are SC employees.
- The ZRTPCPP library being used is also maintained primarily by a SC employee and is not entirely unrelated.
- We do not have a clear source vs binary tree relationship here and can't vouch that the code that has been released is a fully accurate representation of the product Silent Circle has shipped.

What remains below is now the "meat" of the interesting discussion.

CODE: https://github.com/SilentCircle

---

* It does use an outdated SSL library (PolarSSL 1.1.1) with some known security vulnerabilities ?
        ???    Latest version is 1.2.5 (2013-02-02), the project seems very active as 1.1.1 has been released 2012-01-23
        ???    PolarSSL Security Advisory: https://polarssl.org/tech-updates/security-advisories (most recent advisory Feb 2nd) .
        ???    PolarSSL Changelog https://github.com/polarssl/polarssl/blob/master/ChangeLog 
        ???    they embed 1.1.1 and 1.1.4 in libs, but I only find 1.1.1 usage in the code
        ???    TODO: It should be checked in details if that 1.1.1 is vuln and/or patched to some of the advisory.
        ???    ^--- PolarSSL 1.1.1 suffers from "Weak Diffie-Hellman and RSA key generation": https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2012-01
        ???    Easily a non-issue as w/ many other projects. Verifying against binaries is tougher. The updated codebase that was uploaded does not appear to show signs of back-ported patching so they keep upgrading the version they use - perfectly reasonable as long as we can get an idea of what is exactly used in each subsequent release to the App Store and Google Play.

---

* It does use an outdated version of ZRTPCPP library?
  Looking at libs/zrtp/Changelog it does use ZRTPCPP 1.5.2 version (released on 05-Dec-2010).
  Latests version is libzrtpcpp 2.3.2 (released on 20-Nov-2012)
  ZRTPCPP 1.5/1.6/2.3 download: http://ftp.gnu.org/gnu/ccrtp/ .

---

* It does reveal their test/development server?
  In the file ./apple/ios/VoipPhone/settings.txt there is the hostname fs-devel.silentcircle.org with ip 50.116.49.43

   Do we have that code too? It would be nice to have a full development enviornment to play with / even a fake one would have its uses.

   That's a nice inquiry. It would be also very interesting, while i think it's not doable technically for smartphone platforms's constraints, to have "Deterministic Building" to always have the exact checksum of files given the same build process repeated in the same environment (Unfortunately that's an hard topic, due to various timestamps and stuff that linked put into the executable files).//AppStore binaries are encrypted/heavily obfusticated... right, proving the released binary match the released source code is hard.

---

Unless the build is reproducible and verifiable, releasing the source is pretty meaningless. <-- THIS <--- Seconded

A release of source against each App Store or Google Play edition seems to be in order - that isn't unlike other projects spreading legs on both sides of the App Store and FOSS fence.

---

TODO: It would be nice if someone could share an url with a backup of an "Installed and configured SilentCircle" to look at!.
I am trying to read some code. They are just a peice of mess. Like this: smartphone/codecs/vTiVi/ep.cpp. It is like something from a decompiler (even the indentation didn't conform)+1 definitely not iOS devs

---

Like this: (this is a library search path for one of the libs) "$(SRCROOT)/../../../../../Library/Developer/Xcode/DerivedData/werner_zrtp-gibkbzjaoguukggnpjvrvnwattfm/Build/Products/Debug-iphoneos"  <that's very bad and stupid, if they just brought the zrtp project into the same workspace xcode would handle all of this automagically for them
// I am wondering how did they get this mess run on a phone. It's very fraigle, likely this environement works on the developer's machine (lol) and was good enough to generate a binary for app store submission. If we would have gotten lucky we might have seen his username in one of the search paths but no dice.

---

* In ./silentphone/tiviengine/prov.cpp there is some kind of provisioning protocols, used probably to auto-configure the voip clients.
Interesting the following strings:
        http://sccps.silentcircle.com/provisioning/silent_phone/tivi_cfg.xml?api_key=12345^M
        http://sccps.silentcircle.com/provisioning/silent_phone/settings.txt?api_key=12345^M
        http://sccps.silentcircle.com/provisioning/silent_phone/tivi_cfg_glob.txt?api_key=12345^M
   const char *pLink="https://accounts.silentcircle.com";^M

        It should be evaluated the capability for a government censoring/filtering host to block the user out by blocking accounts.silentcircle.com or sccps.silentcircle.com. Maybe some dynamic methods is in place?

---

   const char *dev_id=t_getDevID_md5();^M <--- What's up with these functions? Maybe the IMEI/UDID of the Phone hashed with md5?
   TODO: Someone should check it!
   const char *dev_name=t_getDev_name();^M Only works on IOS, returns UTF8String of NSString *n = [[UIDevice currentDevice]model]; That's something like "iPhone5" or "iPhone4s"? If so, it's less privacy invasive.

   It should be evaluated the privacy impact of retrieving the "name" of the device (Is that the name of the phone?) that could be stored somewhere (how?).
        Additionally it should be considered that if the "Device ID" is an IMEI, even hashing it with MD5, could make it easily reversable by Silentcircle to retrieve it. TODO: Checkit
   NSString *n = [[UIDevice currentDevice]uniqueIdentifier];
        These UDID's were rendered useless a while ago weren't they? There is an advertising udid framework but you can request a fresh ID whenever you want.
It's IOS's ^^^ yeah.
It is deprcated since iOS5: https://developer.apple.com/library/prerelease/ios/#documentation/UIKit/Reference/UIDevice_Class/DeprecationAppendix/AppendixADeprecatedAPI.html
   It should be asked what are the privacy handling for those data and if those can be additionally "privacy enforced" .

---

Are UI Bugs worth finding? Sometimes they can actually lead to code execution. For example, setting your nickname to be something that can exploit the UI for nickname display and execute code... or just mislead the user? Part of the UI includes presenting security phrases for validation, it's worth scrutinizing. From an OPSEC perspective it might lead to leeks as well.

---

Random iOS tidbit of information: if you go into settings.app and change any permissions for address book/photos/etc??? any applications running that require those permissions will automatically forcequit.

---

QUESTION: What this certificate is used for ?
TODO: We should check to see if this certificate is used for TLS Validation? If so that's cool, that it does not rely on third party CA.
const char *pEntrustCert=^M
"-----BEGIN CERTIFICATE-----\r\n"^M
"MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\r\n"^M
"VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\r\n"^M
"ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\r\n"^M
"KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\r\n"^M
"ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1\r\n"^M
"MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE\r\n"^M
"ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j\r\n"^M
"b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF\r\n"^M
"bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg\r\n"^M
"U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA\r\n"^M
"A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/\r\n"^M
"I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3\r\n"^M
"wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC\r\n"^M
"AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb\r\n"^M
"oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5\r\n"^M
"BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p\r\n"^M
"dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk\r\n"^M
"MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp\r\n"^M
"b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu\r\n"^M
"dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0\r\n"^M
"MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi\r\n"^M
"E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa\r\n"^M
"MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI\r\n"^M
"hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN\r\n"^M
"95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd\r\n"^M
"2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=\r\n"^M
"-----END CERTIFICATE-----\r\n"^M

---

* A Backup of the Pad content has been put read-only online (with some
comments and further analysis to be done)
  * http://pastebit.com/pasties/store/12001/silentcircle.html 
  * http://pastebin.com/dKRPrGMN

* SilentCircle source code has been temporarily removed from Github:https://github.com/SilentCircle/silent-phone-base

* Nadim opened a ticket to ask about the code back:https://github.com/SilentCircle/silent-phone-base/issues/1 

* A new (different) version of the code has been uploaded online:https://github.com/SilentCircle/silent-phone-base

* Someone in the meantime put the original code back online (as a zip
archive):http://jednorog.sneakyness.com/1U060B2S3I1P

* A diff between the "original SC open source release"  and the "modified
SC open source release" reveal some code difference
 * Output of git diff "original/silent-phone-base new/silent-phone-base/ sc. patch" is available at
http://codepad.org/eQkexG2R

_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE