Does this include baseband and chips or is it just a chinese phone (as mine is) that has blackphone running sort of on top of it. Cause that makes it kinda fucking pointless as I can get anything I want out of it if I control the hardware.
The “Blackphone”, a super-secure Android handset promised to arrive in late June has just made its deadline, with the announcement that the first batch started to ship on the last day of the month. The handset is the brainchild of Spanish smartphone maker Geeksphone and Silent Circle, a secure communications firm founded by …
It's a first step. Also the baseband needs the OS's cooperation to access things like the filesystem, if the OS refuses or supplies a fake empty drive as is probably the case here then that's also improved security.
Apparently they won't ship to a PO Box, so how am I supposed to buy one without 'them' knowing?
anonymous phone purchase
If it's PAYG, get a friend or agency to buy and register it for you. Illegal in some countries, but effectively unenforceable.
There are businesses that will rent you a mailbox that have a "Street Address" you can send it to. Just find one that takes cash or
bribe ask-nicely for an employee to keep an eye out for your one-time delivery.
Which app store?`
The Blackphone doesn't come with Google Play installed - http://tinyurl.com/blackpnogplay - so which app store is it designed to look at?
If apps are (as I suspect) by their very nature a security risk, one tends to wonder what the point of the AOSP implementation is at all.
Re: Which app store?`
"While PrivatOS is essentially Android, it’s Android without Google—which means no Google Play store and no easy access to Google’s collection of apps.
For many people, this won’t be an issue. I ended up downloading and installing the Amazon App Store app on the Blackphone to get a few of the apps I needed—and doing some clever sideloading tricks to get others installed. The Security Center features allowed me to toggle on and off features in some applications that are more difficult to get to from within the apps’ own settings—for example, I switched off Twitter’s access to location services easily from Security Center when I wanted to post a tweet from an undisclosed location....
PrivatOS’ main innovation is its Security Center, an interface that allows the user to explicitly control just what bits of hardware functionality and data each application on the phone has access to. It even provides control over the system-level applications—you can, if you wish for some reason, turn off the Camera app’s access to the camera hardware and turn off the Browser app’s access to networks."
Am I the only person assuming that the NSA is behind this?
NSA behind this ?
You can't achieve security without trust at some level. That's looking at it from the point of view of risk management which is possible, and not full risk elimination which isn't possible.
You can make whatever conclusions you like of the fact Phil Zimmerman is their CEO. He was the author of PGP and faced a grand jury trial many years ago which was eventually thrown out, based on the allegation his authorship and release of PGP contravened export regulations which classified crypto software as equivalent to munitions at the time. You can form whatever opinion you like of Phil's motivations in doing this, and of his ability effectively to select and manage whichever professional engineers he has chosen to collaborate with him on this.
Re: NSA behind this ?
I fear it's very much a legitimate question. I've looked at a number of so-called "secure" setups and I am as yet to be convinced they are what they say they are. I am not implying this isn't a genuine effort, but doing a tech thing and making sure it all stacks up are two separate things. I, for one, would not yet touch it until it had a decent size user base and has gone through two independent audits of people not linked in any way, shape or form to the US. I've already had too many questions during Silent Circle, too many things simply did not add up. As soon as there is any link to the US, you ought to consider it tainted.
They have their Spanish part - get an audit done and a proper risk profile compiled, publicly, and it'll become interesting, but if it doesn't meet Kerckhoff's Principle I'm not interested, and neither should you. Just because they have more money doesn't mean it's secure - only facts and evidence matter.
Re: NSA behind this ?
You can make whatever conclusions you like of the fact Phil Zimmerman is their CEO. He was the author of PGP and faced a grand jury trial many years ago which was eventually thrown out, based on the allegation his authorship and release of PGP contravened export regulations which classified crypto software as equivalent to munitions at the time.
Of course the neat trick there was to publish the source code as a book which was protected by 1st Amendment (and export regulations only covered electronic form). This was then scanned and proofread to make a 100% legal version. I took part in the initial 5.0i proofread effort and I can tell that OCR at the time left fair bit to be desired.
Nice try "Ian Johnston" or should I say, Mr Black. You won't discredit them that easily.
What's the result of...
CelleBrite UFED vs. Blackphone?
Can the authorities just slurp your data with physical access?
Or does this version of Android come with secure whole-disk encryption?
That is a necessary default for *anything* purporting to be secure these days.
Re: What's the result of...
There's a simple word for what you listed: risk profile. Security is always a balance between risks mitigated and risks accepted (often that balance is steered by available budget).
Personally, I'm not bothered about physical access. I will not cross a border with a data holding device, we have our own private storage and travel protocol which pretty much prevents a border screening from becoming an issue. Transport security, however, is another matter and ZRTP protected comms is not a bad thing to have - provided it's implemented properly and it's still easy to use.
Re: What's the result of...
Not relevant to the phone, but I'm a cinematographer; I have no choice but cross borders with several terabytes of digital cinema data.
As for risk profile, phone falling into unauthorized or unwelcome hands is clearly a high risk; they're very vulnerable to theft - including by less than straightforward phone thieves in the target market for this phone (think corporate espionage, both private and government-sponsored).
Physical access is ALWAYS a risk, and one that can be substantially mitigated very easily by strong whole-disk encryption, with a strong passphrase at boot time - Truecrypt-style. I can't think of a good reason for NOT making that part of the defenses for this phone, but I haven't seen it mentioned in the spec.
So, does it or doesn't it?
Watch the owners of these new 'phones...
...install Facebook on it!
Re: Watch the owners of these new 'phones...
Or put in their Google IDs.