Squeak
"I felt a great disturbance in the Force, as if millions of canaries suddenly cried out in terror, and were suddenly silenced. I fear something terrible has happened."
Silent Circle has quietly euthanized its warrant canary for 'business reasons' leading privacy pundits to freak out over double negatives and double speak. The much-loved privacy company offers the hardened BlackPhone geared to business folks who want to frustrate the surveillance state and criminals. Like others, its warrant …
Mr. Praline: "Look, I took the liberty of examining that parrot when I got it home, and I discovered the only reason that it had been sitting on its perch in the first place was that it had been NAILED there."
Anyway - did Silent Circle receive a NSL making them drop the warrant canary or not?
Of course it was, nobody is expecting the janitor to go and do it on his own. The issue is that, if it were a proper decision, there should have been publication of the intent.
It's really unbelievable that, in the 3rd Millennium, we have Internet-facing companies that have still not understood that when you're dealing with the public, you make public-impacting decisions publicly.
If you display something that the public gets used to, you can't yank it out on a whim (hey, Yahoo!, you hear that ?). The list of companies that have gotten grief from doing just that is longer than I care to type here so it's not news, yet these guys didn't get the frakkin memo.
The Internet remains a wonderful education tool. I hope these clowns get all the schooling they deserve.
You didn't use an icon so I'm not sure if you were serious or being sarcastic. In case you were serious... you do understand how warrant canaries work, don't you? It's a statement affirming that they haven't (yet) received any secret warrants which they aren't allowed to reveal publicly. If they subsequently receive one, they "yank" the warrant canary. It's not done "on a whim" as you say, it's the entire point. If they say "business reasons", well maybe that's because they're not allowed to say the real reason.
I may have not made myself perfectly clear : by having yanked the canary without any prior notice, the public has no choice but to consider that the canary is indeed dead and warrants have been served.
By mumbling something about a "business decision", these guys are trying to make it sound like they had decided to do it for other reasons. If that were true, they should have made an announcement that they were retiring the canary on a given date, then retired said canary on said date.
They didn't, ergo one must consider a dead canary no matter what they say.
Funny how tax evasion is way easier than acknowledging a simple warrant.
> "not related to any warrant for user data which we have not received”
so they received a warrant (or: didn't NOT receive a warrant) for something other that user data.
Really: any programmer past novice level deals with more complex conditionals than this every day.
Nobody here is unfamiliar with De Morgan's theorems, are they?
I own a Blackphone 2. Its pretty mediocre. It needs charging twice a day. Much of the phones selling points shocked me because they should be part of every phone as standard. Readers of El Reg rightfully make much of the invasion of privacy and tracking that is Windows 10, but its piddling compared to the average smartphone (especially Android).
I had avoided smartphones for a long time for privacy reasons, but the Blackphone seemed to be an option. However all it really does is (sort of) allow you to have a phone that has the option to install and use apps in a 'space' that supposedly does not have Google's tentacles deep into it. It permits you to have quite fine grained controls over what apps can and cannot access - but this should be fucking standard on all phones, not a specialist phone selling point.
But its still basically an Android phone, e.g. a fucking phone pwned by Google.
If you have an Android phone, take some time to peek into the default settings of many of the software components. The default keyboard on the 'privacy' Blackphone 2 sends data back to Google. It has the Google app with its open mic running out of the box. The default browser in the latest 3.0 version of their OS is the fucking Google Chrome browser: you cant even use it without granting permissions to Google et al to snoop on you. I have been reporting issues to Silent Circle about their phone for months now, most of them very basic security issues, and my impression is that they are more young hipster coders than security focused software engineers.
Even the basic phone Blackphone 2 design suggests form over function. Users like me want a solid private phone. Give me an ugly functional brick with a battery life longer than 8 hours, a detachable external mic, cameras with physical obstructions (if you don't trust the software) not a high gloss Apple wannabe product. It barely works as a phone - their engineers keep dialing down the phone connectivity (somehow) to save battery to the point that its almost impossible for people to call me.
Thanks for drawing my attention to the Silent Phones requirement to access the camera. I shall be dropping some shit on their customer support later for that.
Has anyone experience of the Ubuntu phone? How much privacy is lost by default to Ubuntu and its masters?
Is it too much to ask to have a small mobile device that is a phone but which also allows me to access the internet with a modern browser? And which does what I tell it do and nothing else? You know, something like a computer...
The big gap in modern smartphones is the baseband, which the maker of the phone or its OS has no control over. They get it from whoever provided their baseband processor, typically Qualcomm. There are no open source basebands, which is why there is reputedly the ability for spooks to silently "call" a phone and have it serve as a bug by enabling its microphone without it ringing or anything showing up on the screen but no way to confirm or deny this, or prevent it even if confirmed. Such ability probably depends on the baseband being used, but if there's a backdoor for that in Qualcomm's for example it doesn't matter whether you have an iPhone, Samsung, Blackphone, Blackberry or whatever if it uses Qualcomm cellular chips.
There are rumors that Apple is including a "dark mode" in iOS 10 that will allow a simple one-touch method in control center of disabling cellular entirely while leaving wifi active, unlike airplane mode which disables all both cellular and wifi. This is already possible today but you have to enter the settings app, enable airplane mode and then re-enable wifi, and most people don't even know it is possible to do this. There's an umarked sixth button added to the five on the top of the control center that will supposedly be used for this. If that is implemented by powering off the baseband, you would be protected against this sort of thing and could still use wifi calling. If they do that, they'll basically be declaring open war on the authorities, furthering the battle they began this spring by refusing to go along with the FBI's demands.
Of course, this isn't a complete fix since it would only help in places where you have wifi (but still very good to prevent say corporate or government espionage listening in to meetings) A better fix may arrive eventually if the rumors are true that Apple will license Intel's baseband and build the hardware into their SoC. If they do that, they could develop the baseband software themselves and strip out any backdoors it may have. However, if you want absolute proof that's done Apple won't be good enough, you'll have to hope someday someone develops an open source baseband you could use on Android phones that have the right baseband hardware, and use a version of Android that has EVERYTHING Google-related stripped out.
1. It would be as simple as possible: Every line of code is a potential bug which is a potential security hole. If your mobile OS is more complex than a Windows 3.1 system including MS-DOS it's most likely to complex.
2. It should not make obviously false claims: You cannot protect data against physical access, and physical access is a very likely vector for mobile devices. So avoid companies which claim that they can store data on your device with no one being able to access it even when having physical access to the device. Most security chips can be read out by de-capping them and probing them directly.
3. It must be open: Not just open for everyone to see and analyze, but also open for people to make simpler. Non open systems tend to be rather complex as they need to cater the needs for diverse groups of users. If however the user can directly manipulate code, there might not be a need for some complicated configuration features, as the same use could be gotten out of a function you change for a particular group of users. This can help to achieve point 1.
4. There must not be an entity behind it: Entities can be manipulated into doing things easily. They can be forced to do things with national security letters. Instead you want products that are made by a loose collective of developers. It helps if you honor point 1, as simple code is simple to maintain.
5. You must be able to control it: If your manufacturer can push updates onto your device without you being able to understand them, it can easily bypass all the security easily. You must be able to make your device talk to noone but you and your servers. This also means that if you store your data on a server, you must be able to store it on your own servers or servers operated by people you trust.
Why should this surprise anyone !!! Prior to launching the black phone and re-branding they were the top in my opinion in email security and encryption. But when the Gov decided that they wanted access, they capitulated and decided to get out of the market before anything happened. Since I personally know and served with one of the gentlemen involve in this project and would not have thought that they would run scared. What a wonderful world we live in !