why not disable external mail, keep intenal mail (Re: Who bought off Zimmermann?)

Jon Callas jon at callas.org
Sat Aug 31 20:15:25 PDT 2013


On Aug 31, 2013, at 1:05 AM, Adam Back <adam at cypherspace.org> wrote:

> More precisely its the exposed meta-data in the SMTP.  But why would you use
> meta-data rich transport for silent circle internal-mail?  (Internal-mail I
> mean silent circle user to silent circle user vs external mail being smtp
> mail to silent circle user or silent circle user to smtp mail user).
> 
> I said it before, but again: why not cancel external mail, and leave the
> internal mail working - silent circle obviously have the tech for that
> because they have SMS equivalent in-mail.  Good for you: users who want to
> continue to communicate will encourage the people they are communicating
> with to also pay for subscriptions.  Maybe you could allow people to give
> each other gifts of 1month membership, which you hope they extend
> themselves; or some referal system with a bonus free month to the existing
> user etc.
> 
> Now there might be some software legacy, but that seems straight forward
> enough.  The crypto gap is purely the in and out mail.  (Other than forced
> software changes, but others have discussed how to combat that issue, and
> some claim legal advice is that its harder for the mil-int community to
> legally force companies to change their software.  (Hushmail saga not
> withstanding!)


I believe that when one is on a team, the more senior one is on the team, the more one has the responsibility to discuss the *team* decision even when one's opinion was different. Actually, *especially* when one's personal decision was different. Every decision has reasons for and reasons against. One's job as a senior team member is to talk about the way one came to the decision for, and not about the reasons against.

I just had a short conversation with Mike Janke about this issue and this discussion, and with his leave I'm going to go against my normal beliefs.

Silent Circle is Mike's vision. He did physical security in a variety of countries and saw that people who are expats from anywhere in anywhere else have a lot of issues they have to face that are all secure communications. Moreover, these people are told "no" all the time (don't use Skype, don't use Gmail, don't trust SMS, don't use cell phones, landlines) and never "yes." The initial vision of Silent Circle was to give those people a "yes." There are (were) three pillars of that vision to give people yesses -- voice/video/etc., texting etc., and email etc.

When I wrote that the email was "something of a quandary," that means that Mike was always for it and I was always against it. I see the other side of it and believe that something that's email-like is essential. We have an architecture for how we're going to grow texting into "messaging" and that will be email-like with true end-to-end security for internal mail. It is a ways off. There are lots of things to work on, from user experience to syncing across devices -- each with real security.

In the meantime, what do the users do? We did a lot of talking to end users, and what they want and need is more than just internal email. They need it to be connected to the Internet. Part of the use case includes that someone wants to send a subscriber a PDF of an insurance form, rental agreement, or so on that the subscriber needs to print out, sign, scan, and send back. A number of them said that what they really wanted as much as anything was an email system run by people who give a damn about security as much as the crypto itself. Whatever that means.

Mike was (and is) a happy customer of one of the existing secure email systems for years, understood its limitations and thought that a useful system could be made out of a conventional email infrastructure augmented by PGP Universal. I was on the other side. PGP Universal is designed for a different use case, a different threat model, blah, blah, blah. You've heard me say it, so I won't repeat it.

When I rationally looked at the facts of the situation, Silent Mail's proposed security was *different* than other secure email systems, but similar. If someone uses it "securely" then it's very good, and when they use it "conveniently" it isn't worse than any of the other convenience-minded secure email systems. Moreover, and getting to the real brass tacks here, Mike's the boss. It's his dream and his money funding it. As an interim system to have, it isn't that bad.

Additionally, one of my bugaboos about security is something I call "security arrogance." Security arrogance is when the security person tells the users what their threat model should be. It's closely related to another thing I talked about a decade ago that I called "the security cliff" -- you start with no security and to get to security, you have to climb a cliff rather than ascend a ramp in that you can't stop halfway up. I believe that one of the ways we security people shoot our clients in the foot is to focus on the ways that security is imperfect and thus argue that less-than-perfect security is worse than no security.

Okay, fine. Hoist by my own petard. Silent Mail, ho!

I'll also add that other team members were of course, spread all over the essential quandary here from thinking it was wonderful to being conflicted to thinking that Silent Mail was worse than nothing.

Development-wise, we had some plans to improve Silent Mail -- specifically, one of the tasks was to make a network widget that would scrape offending headers out of SMTP. However, note that we're a startup. Life is not a zero-sum game, but development is. Every iota of effort that's spent propping up SMTP is an iota that's not going to making its replacement. This ended up being a different sort of quandary. The people who accepted Silent Mail warts and all (or shock, horror liked it) like the idea of the new "messaging" system even better. Thus, propping up SMTP didn't really have any champions, and it's not like we have people sitting around doing nothing. We all considered Silent Mail to be a stop-gap.

Let me fast-forward up to the day before we shut Silent Mail down. One of the major requests that we had was to split the suite of products up. We were working on precisely that. (And it should go live next week.) In fact, we were *discussing* a breakup of the suite even before Silent Mail went live, and we noted that it became a legacy product after being up for about a week.

As there was more and more news about state-sponsored espionage (China, Countries Starting With The Letter 'I', etc.), we got more "business" customers and they were as a rule not interested in secure email that was not under the direct control of their own IT. Post-Snowden, the people who thought, "It's good enough" became fewer. The proportion of users who were using Silent Mail was about 5% of the total.

Every account has a page where you set up your devices, and there's a link to click to set up Silent Mail. Only people who clicked that link got set up, and the 5% number is the people who set it up, so that's obviously an upper bound of people using it.

We had been discussing shutting it down -- that 5% figure is either an argument for why it just isn't succeeding as a product, or an argument why the people who are using it understand it and its limitations. It was a discussion item for our September BoD meeting. My plan was to suggest we stop taking new orders and subscription renewals as part of the suite break-up, and then just let it fade away. I was, in fact, lobbying hard for that. I believe I would have prevailed at the board meeting, but of course I'd think that.

Your suggestion about making it be internal-only was something I'd be willing to compromise on. However, remember that much of the whole *point* of Silent Mail is that it's a well-run Internet Email System.

Now let's get to the day we shut it down. I had been at the VoIP conference, ClueCon, in Chicago. As luck would have it, I finished up early and failed to get standby on an early flight home. Others of us were scattered with other travel. One of my major thoughts was what if there's paperwork on its way, and that paperwork doesn't know I'm in an airport lounge? When I finally got Mike on the phone, he said, "You did the right thing. I'm glad you're my partner." Interestingly, the guys who work for me told me after that they had decided that they would delete things themselves if things went on for another couple hours.

I know this has been long, so let me sum up answers to your questions:

* Silent Mail was always a debate between perfect and good enough. It was even a debate over what it means to be good enough.

* The people who thought it was good enough don't think like you and me, and I think their point of view has it's own validity.

* The people who wanted it wanted it to be an Internet Email System above all. Even in the design of the new thing, it has to be connected to the Internet so that someone on the Internet can send you an email. Pulling back to being internal-only would not meet the goals of the people who wanted it.

* We're a startup. We only have so many resources, and no one was the champion of making Silent Mail better. The people who thought it was good enough didn't see the point in making it better, and the people who thought it wasn't good enough didn't see the point either.

I hope this helps explain.

	Jon






More information about the cypherpunks mailing list