Silent Circle, the secure mobile communications app backed by Phil Zimmermann, has gone live - offering protection from all but the most determined of government departments. Silent Circle comprises a handful of iOS/Android/PC apps facilitating secure phone calls, text messaging and video calling, with secure email promised soon …
What I'm really looking for these days is an end to end solution providing a VPN from here to a remote virtual server from which I can do my browsing etc. which is also located in an extra-judicial location from where I'm sitting.
I'm sure I could cobble together different services to achieve this, but not found anyone doing it 'all' so to speak.
How about the Tor Project?
One of the VPN providers listed doesn't keep logs and shares single IP addresses for multiple users (obscures who's actually using the service even to the people running the show) and can take payments via BitCoin for an even greater level of anonymity.
CitizenVPN provides that, they are a Danish company but based in Bahamas so they don't have to conform to logging requirements by the EU.
Silent Circle is also registered outside the USA to avoid lawful-intercept requirements.
You fucking beautiful geeks. Where do I sign up?
Can't tell you - it's secret. Ahahaha, ha, ha. Ha.
Nah, it's not really, try https://www.silentcircle.com/
Not so fast ..
I wouldn't be too fast if I were you.
Domain name ownership points to the US, the geolocation of their MX record (220.127.116.11) points to a US location, they do not answer to requests for clarification regarding their exposure to the PATRIOT Act - something is *seriously* off.
Control of their domain lies in France, which is also not really known for its tolerance of crypto - NOT in the safe countries they allege to deploy. It is irrelevant where the servers are hosted if the parent can be compelled under (abuse of) the PATRIOT Act. Feel free to check yourself.
Never trust anyone who sells security without doing your homework, without evaluating the architecture and certainly not without considering the legal framework in which they operate.
For the moment, as far as I can tell it fails validation on exactly the points that matter. Given that it leans very heavily on Phil Zimmermann's reputation I am surprised, and disappointed. I hope they fix this soon.
Re: Not so fast ..
I assume that 'registered outside the USA' means that Silent Circle isn't a US based organisation and therefore is immune (or at least strongly resistant) to the Patriot Act.
If their organisation is outside the US and their servers are outside the US then they are also reasonably resistant to a MegaUpload style takedown.
No system is, of course, perfect. They are still vulnerable to a Bodog style takedown (removal of DNS) and likely still vulnerable to a wikileaks type takedown - i.e. a financial one.
The thing to remember is that Silent Circle isn't offering to sell you perpetually secure crypto. They can't. What they can do (and seem at first glance to have done), is ensure that governmental interference with their operation can't be easily done secretly. This means that you'll know when the Bad Guys(tm) decide to come knocking and take appropriate measures.
Please sign-up here ...
$20 a month "a bit rich" for terrorists?
Let's hope the tech is a bit more savvy than the real-world threat analysis skills there.
Silent Circle comprises a handful of iOS/Android/PC apps facilitating secure phone calls, text messaging and vidn idiot-friendly interface aimed at corporate executives and international journalists rather than local freedom fighters who might find $20 a month a bit rich.
The concern and intended audience for these types of projects is not terrorists or other criminals, but the "good guys" (read: journalists, or dissidents under oppressive regimes like Syria, Iran, etc).
The technology potentially (likely?) being used by "bad guys" is an unavoidable consequence of creating and releasing such solutions.
Legitimate vs. illegitimate use, freedom fighter vs. terrorist - those are all arbitrary labels, sure. Don't sell such a complex situation short by oversimplifying it to "[encryption is for terrorists]".
Maybe you didn't mean to come across that way...?
"and then enter the unsecure public networks, "
Networks are not secure. My girlfriend is insecure.
registered outside the USA to avoid lawful-intercept requirements
As if that'll stop the super paranoid World Police/American administration from seizing servers, arresting anyone who's ever looked at Silent Circle, read this article about Silent Circle or viewed anything on the web anywhere in the world which has anything even remotely related to Silent Circle.
Re: registered outside the USA to avoid lawful-intercept requirements
Allegedly. I can't validate that statement either. What I also don't like is the statement that Navy SEALs are somehow experts in security. They're experts in ops, not in crypto AFAIK - this smells of marketing BS.
I've been looking at this the moment it was announced, and as of yet I have not been able to shake a *positive* validation out of this thing. So far, it doesn't feel right at all :(
Where they go?
The subheading mentions 'Navy SEAL pals' but the said SEALs are so stealthy they can't be spotted in the text of the article. Man, those guys can hide anywhere!
Re: Where they go?
They're behind the fnords.
"Lawful" is the keyword here
Just because it can't be intercepted lawfully doesn't ever stop it from being intercepted, it just means it's inadmissible in a court. It can and will still be used in an intelligence analysis and as information used to profile you in an investigation if it warrants it. Building a profile with inadmissible evidence or information doesn't prevent them from keeping you under a microscope while they find something admissible.
Always keep that in mind. You're not really secure, nor are you really private if they have a reason to want to take a hard enough look at you. Assuming otherwise is simple ignorance.
Re: "Lawful" is the keyword here
Just using it would be enough for Team 'Merica to make you a person of interest and if you don't end up in GITMO you'll end up as a storyline in some crappy Equaliser-esque TV series :(
Re: "Lawful" is the keyword here
Even if the programs and transmissions are rock solid, there are ways... and they may even be <gasp> lawful in some cases.
Example: Your hard drive is encrypted with "unbreakable" encryption, but I Evil Maid you and keylog your 56 character "unbreakable" password.
Example: you have a "red phone" that uses "unbreakable" encryption. I bug the room it's in.
Example: you use PGP on your e-mail, I hide a camera in your office to shoulder surf you, or mount a keylogger inside your keyboard.
The best way to get past a wall isn't always to go through it. I think the biggest complaint law enforcement has with these solutions is that it makes their job more difficult - it doesn't make it impossible.. and it should be difficult to break into my shit and steal my stuff. The lazy bastards!
Re: "Lawful" is the keyword here
The USA does not recognise any law, or The Constitution, other than a law written by the current administration.
Perhaps the unemployed SEALS are going to do guard duty on the servers.
At least this project has creds with Zimmerman on board.
I know I said this last time this service came up (pretty sure it was the same one), but a subscription model for this kind of product seems really, really wrong to me. It's absolutely critical for strong security that all encryption and decryption be done locally, so I would expect only minimal third-party involvement, certainly not $20/mo worth. Basically all you need is a directory. So I can't help but think either it's just a rip-off or they're way more intimately involved than I'd ever feel comfortable with.
I have been looking at doing this, but to do it right you have a couple of factors that drive up your price.
First of all, you need not only the tech, but also the 3rd party evaluation and the processes to keep it safe.
Next, you need a way to validate your customers or you'll get butchered either by the secret services of ANY country you operate in (and that includes Canada and Switzerland), or by public opinion the moment a couple of child abusers use the service to keep themselves away from the police. Privacy is a right, but any sensible organisation ensures it meets the obligations that go with it - it is not a hiding place for law breakers unless that is your intention from the outset. This means more process, lawyers and good local relationships with law enforcement so that any access is lawful. On that topic, throwing away data will preclude the service from being used by business which in some countries needs to keep up to 6 years worth of records and email.
Last but not least you need to run this clean and in plain sight. Whatever you hide is the bit that cannot be trusted. Especially when you make it complex, validation costs go up. Silent Circle is presently far too silent.
There is *no* way you can run this at $20/month unless you seek a volume that will make you break any of the points above - which then negates what you are offering.
Unless, of course, you are *sponsored*...
That 50s BBC broadcaster icon
all very 'nux retro botty bashing I say ole chap steampunk Orwell Bright Young Things.
Suppose it beats the endless Guy Fawkes masks and manga porn icons.
Won't be safe for long
I'm betting money that the spooks will have access to all Internet traffic and that it can be decrypted enroute.
If I was considering such a thing
I'd stick to moxie's RedPhone
at the very least it has a way cooler name.