PGP founder, Navy SEALs uncloak encrypted comms biz

Phil Zimmermann and some of the original PGP team have joined up with former US Navy SEALs to build an encrypted communications platform that should be proof against any surveillance. The company, called Silent Circle, will launch later this year, when $20 a month will buy you encrypted email, text messages, phone calls, and …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Sounds like COINTELPRO to me. If you want to eavesdrop on people with something to hide, what better way than for them to use your product to encrypt their communications.

    1. Anonymous Coward

      No point putting it on an iPhone; if he drops it, it will break.

    2. DrXym

      If you don't trust the product, don't use it. Phil Zimmermann has a long history of producing strong encryption products and you can hold him to that reputation and whatever source code or not comes with this product.

      One thing is certain. People who say "COINTELPRO" in earnest may as well have NUTCASE stamped on their forehead.

  2. JohnG

    CALEA

    Silent Circle would have to comply with any relevant US legislation, such as laws concerning lawful interception and key retrieval, so users would have to assume that the US authorities would be reading their emails.

    1. Anonymous Coward

      Re: CALEA

      Actually, no - read the article. If they set it up as a Canadian company and host it there, US laws *should* not be able to touch them. However, they made one mistake: Canada is next door. It's physically easy to access, and thus at risk. Plus, if I recall, the Canadian government doesn't have very liberal tendencies.

      In addition, $20/account is not going to hack it (sorry) because it's not just infrastructure and labour, it's also legal costs you need to plan for.

      Idea: good. Execution: problematic, in need of improvement. Usability: good question, no idea yet.

  3. Herby

    There ARE alternatives

    Back in the 30s they had this machine called Enigma that worked pretty well. Didn't have CALEA to bother with, only Bletchley Park, which didn't "exist" until the 70s. One can only suspect that something will "exist" in about 40 years, who knows.

    Dialog:

    Spy #1: I've got the yo-yo.

    Spy #2: I've got the string.

    Spy #1: It's OK, I can keep a secret!

    Spy #2: So can I!

    1. amanfromMars 1

      Re: There ARE alternatives

      I say, Herby, old chap, quite so, There are in deed, indeed highly active alternatives in the field, and there is no need to panic in CHAOS.... 4Bletchley Park2 Station XSSXXXX has IT perfectly covered.

      And not a lot of people know that, for only a few are virtually qualify and would have any real need to know. All others will just follow SMARTR Instruction Sets ..... which in AIMagical Mystery Virtual Turing Machine Programs are Sublimely Sent in RESTful packets.

      And if not a person of interest and/nor a dabbler in such fields, then will the following, which is well enough known in the enigmatic circles which driver spooky circuses, be practically unknown to you and there will be no danger at all in openly sharing IT securely with y'all.

      CHAOS .... Clouds Hosting Advanced Operating Systems

      SMARTR ........ Real Systems Monitoring, Analysis and Reporting Technology

      REST ...... REpresentational State Transfer

      Anything else which would be rightly left and unclear to you, is not yet suitable for general public knowledge, being too raw and dangerous loose in the field.

      Everything is under Command of Control. ......... Don't Panic, Don't Panic

    2. mhenriday

      Bletchley Park in all honour,

      but it was the Polish Biuro Szyfrów which cracked the Enigma codes and following improvements during the period from 1932 to the outbreak of the war in 1939. These decryption techniques were revealed to French and British military intelligence, which had gotten nowhere in their own decryption attempts, on 25 July 1939, five weeks before the German attack on Poland, which, in Europe at least, is considered as the start of WW II (it had been going on in East Asia, where Japan was attacking China, for years, but was not called by that name, as Japan, Korea, and China are, as any ful kno, far less important to the world than Europe)....

      Henri

  4. Chris Clawson

    A bit out of date

    "PGP is the world's most popular encryption system, in a large part because it's free." This has not been true for several years unless you're thinking of GPG, an open source alternative. I do remember that when PGP went commercial, Phil said that there would always be a free version for personal use, but sometime after Network Associates was formed the company went back on that promise.

  5. a53

    I've dropped mine numerous times and it still works just fine...........

  6. Anonymous Coward

    Arm-Twisting

    Given the top-secret nature of many SEAL missions, and the concomitant requirement for SEALs to have top-secret clearances, SEALs have a rah-rah-USA, sir, yes sir, can-do, sir! mentality, which means not questioning orders. People openly critical of the government do not get security clearances.

    I believe this new venture is US-government-influenced, if not US-government-controlled, and that somebody(ies) is(are) twisting Phil's arm to get him to go along with the program.

    Silent Circle's website claims the software has no back-doors.

    Is the software open-source? No. Is SC's claim independently-verifiable? No.

    Will I trust this software? No.

    1. amanfromMars 1

      Arm-Twisting of Phantoms and Ghosts is a Pointless Vain Exercise

      Given the top-secret nature of many SEAL missions, and the concomitant requirement for SEALs to have top-secret clearances, SEALs have a rah-rah-USA, sir, yes sir, can-do, sir! mentality, which means not questioning orders. People openly critical of the government do not get security clearances.

      I believe this new venture is US-government-influenced, if not US-government-controlled, and that somebody(ies) is(are) twisting Phil's arm to get him to go along with the program.

      Silent Circle's website claims the software has no back-doors.

      Is the software open-source? No. Is SC's claim independently-verifiable? No.

      Will I trust this software? No. ....... Anonymous Coward Posted Friday 15th June 2012 06:47 GMT

      This new venture then, AC, would be Anonymous Inspired when US-government-influenced, if not US-government-controlled? Hmmm? Now there is a novel development which can be plausibly denied and easily believed for a quite perfect stealth in operations.

      Do not all systems have back doors for loding fronts, with silent accesses permitted for loading/smarter secure systems improvement? Wouldn't any smarter security systems developer not always ensure that power and control over something built/taken over, is not lost, even should it be convenient to allow others to exercise supplementary power and a proxy para-virtualised control, which can also be a most handy application in the mentoring and monitoring of others with it/IT in it/IT? Would one not try to cover all possible bases from any conceivable angle in order to guarantee that no fool can steal away its immaculate secrets/driving passions?

      That's Edutainment, Pure and Simple, although certainly more than just a little complex, one would have to admit. But hey, anyone and everyone can do easy, and where's the challenge and satisfaction in that?

  7. Anonymous Coward

    iPhone? Security?

    That's an iPhone in the picture isn't it? What's to stop the iPhone O/S examining the ram of the encrypt app, extracting the private key and sending it over the VPN to Apple and Co?

    Also, I thought that Apple controlled all crypto apps, that's why only certain companies are allowed to have crypto clients on the iPhone. My assumption was that they allowed companies that exposed the backdoors to them.

  8. Anonymous Coward

    The Canadian government (the Harper fascists) is pushing through legislation that will greatly reduce our rights to privacy. They might want to rethink where they set up. I think Iceland would be interesting.

    1. lapomme

      U.S. extraterritoriality is a big issue for Canadians

      Our Anonymous friend seems not to know this but, as a **very** concerned Canadian, I do keep up with the news. The Bill C-30 online spying bill (hastily relabelled as something to catch child pornographers but nonetheless seen for what it was) may be in limbo at least until Parliament resumes in the fall, but using Canada is already a very bad idea. The same undemocratic and unprincipled regime has already passed a law which permits U.S. law enforcement to operate within Canada up to 100 miles from the U.S. border...and would have no hesitation whatsoever in allowing further incursions without legislative authority. Surely in the age of the Internet, one doesn't need to be within driving distance, and Iceland is the one country these days that I'd trust to value its citizens' rights over the claims of foreign superpowers.

  9. Jerry

    Interception

    My business is working for bad guys subject to interception by Government / Police.

    It matters zero that the transmission system is secure. The comms devices usually keep a record of text communications. Capture of one device usually results in a complete evidence trail of sent and received messages. This includes encrypted messages.

    What is actually needed is a read-once message system that uses a rolling encryption key that is not reversible. This means any intercepted message cannot lead to the decryption of any other message.

    Such systems exist but are not yet widespread.

    1. Anonymous Coward

      yeah

      ..about twenty lines of Perl at max. Just wipe the symmetric key and plaintext after reading or after a timeout.

      If your nice crypto system keeps lots of plaintext or session cipher records, then it is Broken By Default(TM).

      Also, I guess that the gobbermint guys would try to go with microphones. A crypto phone used in a bugged house is excellent for them.
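The read-once, rolling-key scheme Jerry asks for and the "wipe the key after reading" point in the reply above, as an added example in Python (standard library only; this is not code from the thread or from any product named in it): a symmetric hash ratchet. The names `kdf`, `Ratchet`, `read_once` and the HMAC-counter stand-in cipher are all constructed here, and the demo also shows the limit of this design: a hash-only ratchet protects earlier messages from a seized device but not later ones.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: HMAC-SHA256(key, label); it cannot be run backwards."""
    return hmac.new(key, label, hashlib.sha256).digest()


def stream_xor(msg_key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (AES is not in the stdlib): XOR with HMAC(msg_key, counter)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = kdf(msg_key, off.to_bytes(8, "big"))
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


class Ratchet:
    """One sending direction; both ends start from the same shared root key."""

    def __init__(self, root_key: bytes, counter: int = 0):
        self.chain_key = root_key
        self.counter = counter

    def next_message_key(self) -> tuple[int, bytes]:
        """Derive this message's key, then overwrite the chain key it came from."""
        n, msg_key = self.counter, kdf(self.chain_key, b"msg")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is gone
        self.counter += 1
        return n, msg_key


def encrypt(sender: Ratchet, plaintext: bytes) -> tuple[int, bytes]:
    n, k = sender.next_message_key()
    return n, stream_xor(k, plaintext)


def read_once(receiver: Ratchet, n: int, ciphertext: bytes) -> bytes:
    """Decrypt message n, in order; the message key lives only inside this call."""
    if n != receiver.counter:
        raise ValueError(f"expected message {receiver.counter}, got {n}")
    _, k = receiver.next_message_key()
    return stream_xor(k, ciphertext)  # k goes out of scope here; nothing is stored


def demo() -> dict:
    """Round-trip two constructed messages, then model a seized device."""
    root = secrets.token_bytes(32)  # constructed: agreed out of band by both parties
    alice, bob = Ratchet(root), Ratchet(root)
    msgs = [b"I've got the yo-yo.", b"I've got the string."]  # constructed sample
    wire = [encrypt(alice, m) for m in msgs]
    plain = [read_once(bob, n, c) for n, c in wire]
    # Seizure after message 1: the attacker gets only bob's *current* chain key.
    seized = Ratchet(bob.chain_key, bob.counter)
    # Past: keys for messages 0 and 1 are gone and kdf cannot be inverted to the root.
    # Future: a pure hash ratchet does NOT protect later messages from a seized state.
    return {
        "round_trip": plain == msgs,
        "root_no_longer_on_device": bob.chain_key != root,
        "future_key_from_seized_state": seized.next_message_key() == alice.next_message_key(),
    }
```

Protecting later messages as well needs fresh key agreement mixed into the chain, which is what the Diffie-Hellman step in modern double ratchets adds.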

    2. MrPrivacy

      Re: Interception

      @Interception - I developed a secure messaging app and launched it about 3 years ago. It uses a model whereby all messages and files sent to another user of the app via the app interface are encrypted over SSL (AES128) while in-transit and encrypted at-rest (AES256) in a MS SQL Server DB. Every communication thread gets its own encryption key and the encryption keys are then encrypted by a passkey of the thread owner's choosing. Passkeys are persisted on the server as well, but they are encrypted by the plain text version of the user's password, which is not stored on the server. Passwords are only stored as an MD5 hash which cannot be reversed into its plain text equivalent. This allows for the passkeys to be accessible by the app only when the user is logged in (mainly as a convenience so that the passkeys do not have to be re-entered every time a thread is revisited). The app has regular users, but not a significant user base. It is hosted in the US, but it is unlikely that it will ever be affected by the "must have a backdoor" rule due to the low number of users. If it ever did, I would most likely shut the site down. You can find this site by Googling "private secure encrypted". It is the first site listed in the organic search results. In the spirit of transparency, the FAQ has considerable detail on how the app works. Unfortunately, it is not open source. It is written in VB.Net.

    3. amanfromMars 1

      Re: Interception ...... of Unbelievably Powerful Virtual Munitions

      Interception

      My business is working for bad guys subject to interception by Government / Police.

      It matters zero that the transmission system is secure. The comms devices usually keep a record of text communications. Capture of one device usually results in a complete evidence trail of sent and received messages. This includes encrypted messages.

      What is actually needed is a read-once message system that uses a rolling encryption key that is not reversible. This means any intercepted message cannot lead to the decryption of any other message.

      Such systems exist but are not yet widespread..... Jerry Posted Friday 15th June 2012 08:46 GMT

      Is a Zeroday, such a read-once message system, immune to reverse engineering, Jerry? And would field development and deployment of such to exploit vulnerabilities in systems, make IT and Communications Systems, a possible, and therefore highly probable, intangible and invisible Stealth Weapons System?

      Or would IT and Communications Systems just be classed as a component/commodity capable of metadatamorph into a Stealth Weapons System?

      And does having asked such questions, realise and/or virtualise them into existence for responsible control by developing entities?

      And would it create an enigmatic conundrum defying simple resolution by ITAR signatories?

      Questions, questions, questions, and all of them requiring one has answers for them if one wants to be considered capable of controlling that which they present for exploitation and development/critical military and intelligence advantage?

      Paragraph (b) codifies the principle in ITAR section 120.3 that, in general, a commodity should not be ITAR controlled if it has a predominant civil application or has performance equivalent (defined by form, fit, and function) to articles used for civil applications. If such an article nonetheless warrants control under the ITAR because it provides the U.S. with a critical military or intelligence advantage or for another reason, then it is or should be enumerated on the USML, as described in the “bright line,” “positive list” objectives listed in the Department of State’s December 10, 2010 Federal Register notice, Revisions to the United States Munitions List (75 FR 76935).

  10. g e

    Sir Ranulph Fiennes

    Could possibly give that Janke fellow a spot of training on avoiding getting into so much shit!

  11. Anonymous Coward

    Really?

    Why would anyone but a criminal need this service?

    1. Jon Press

      Re: Really?

      We're all criminals:

      http://www.theregister.co.uk/2012/06/14/web_super_snoop_draft_bill_released_by_home_office/

      So we should be grateful for subscribers to this service who are no doubt disproportionately going to occupy the time of the authorities - who think the same way you do - and therefore divert attention away from the rest of us.

    2. Anonymous Coward

      @AC 09:05 Re: Really?

      Oh, gee, I dunno... maybe:

      o People involved in high-value transactions or negotiations;

      o People involved with -- or trying not to be involved with -- other people who have lots of money or influence;

      o People involved with -- or trying not to be involved with -- other people who have lots of technical expertise; and,

      o Freedom-loving individuals who figure it's nobody else's damn business what they say in their private conversations.

      1. Anonymous Coward

        Re: @AC 09:05 Really?

        Any legitimate business people with a security need already have it.

  12. Jason Hindle

    It could have its perceived uses

    For many corporate nomads, I can see this replacing (the often begrudgingly accepted by employers) Skype as the tool of choice for secure communication.

  13. fishman

    All you need is some malware

    Just have some malware that is sending the exact same conversations to the government or bad guys.

  14. Bronek Kozicki

    great, can I see the sources?

    cryptology which is not open to scrutiny is worth .... not very much. I don't even have to see all of it - the communication protocol would suffice.

  15. Anonymous Coward

    Hushmail anyone?

    Phil is a director of Hushmail. I'm afraid he has lost all credibility in the crypto world.

    1. scott 30

      Re: Hushmail anyone?

      Funnily enough, I was trying to remember the name of that!

      I'll check what Cryptome has to say about this (via TOR obviously)

  16. Anonymous Coward

    My rules of encryption.

    1. All governments want encryption that they can crack but is otherwise uncrackable.

    2. So all publicly accessible encryption is flawed.

    3. If it is not flawed, then it is circumvented, thus it is flawed.

  17. wbent

    Who will be the customer?

    The factor that is often overlooked, but critical to success relates to use cases and business models.

    Assuming Silent Circle is a robust technical solution, fixed costs of entry should be relatively high, while variable costs associated with each new subscriber should be quite modest. This means they need to either narrowly target security conscious vertical market segments willing to pay a price commensurate with the value received from a mission critical application, or attempt to garner mass market adoption that allows a large number of relatively low revenue customers to offset fixed costs, with additional subscriber revenue then largely falling to the bottom line. It seems like they may be trying to walk a tightrope between the two.

    I'll be particularly interested to see what kind of "retail consumer" demand might exist for Silent Circle. My experience is that there is a dichotomy between the level of communications security protection that industry professionals imagine users need, and the level of protection most users perceive as being sufficiently valuable to pay an additional fee.

  18. Old Handle

    I'm just skeptical of any subscription based encryption service. Encryption/decryption should happen solely on the local device, under absolutely no control from the server, so what exactly am I getting for my $20 a month? Delivery? So at best I'm apparently getting charged extra for something my cellular plan already includes, and at worst the encryption is being done in some horribly insecure way.

    To be fair there aren't a whole lot of details yet, so I'm not saying for sure I think it's a scam, but similar sounding products have often turned out to be.

  19. disgruntled yank

    Time to catch up.

    I don't really see where the SEALs fit in, but perhaps the UK should establish its own brand. I propose SASaaS (Special Air Service as a Service).

  20. anon9045839452

    I spoke with Phil on the phone a year or so ago...

    about his Zfone technology. We wanted his SDK to create an open source p2p VoIP program that would run on iOS and Android via wifi - this would allow for secure voice communication through later generation iPods and Android devices that have microphone inputs and speaker outputs.

    He was willing to give us an evaluation license of his SDK as long as we made it open source and/or made the program free of charge. He said if we at all charged for the product that we would have to buy his full developers license of the zfone sdk.

    We decided that there were already some open source projects that we could use that were just as good, if not better than his zfone tech.

    We never got the idea off the ground. It looks like he took a similar idea and made it profitable.

  21. Major Variola

    PGP was popular because you could trust it because you could READ it. And compile your own. Anonymously.

    (Ergo free in the dollar sense)

    And yes, given PZ's homosexual secrets at the time (ie motivation) and the govt hassles, he was trustworthy and a hero.

    PGP commercial got eaten by RSA.

    Phil then built a secure phone protocol, program. It was good.

    Now Phil works with US govt agents and promotes centralized architectures with financial tie in (anonymity?

    traffic analysis?) What are we to think?

    And what is the biz model? The protocol is open, someone else can make a comsec phone.

    And remember, other apps may be listening...

  22. mhenriday

    «Janke also reportedly has had 312 stitches,

    17 broken bones, two blown-out knees and a crocodile bite scar.» Now that is what I call credibility in the encryption field ! Scherbius & Ritter, Biuro Szyfrów, Bletchley Park, and other wannabes can just roll over and die ; surely none of them have had or have now, so qualified an engineer on their team !...

    Henri

