Slashdot Mirror
Phil Zimmermann's New Venture Will Offer Strong Privacy By Subscription
New submitter quantic_oscillation7 writes with this excerpt from the Register: "Phil Zimmermann and some of the original PGP team have joined up with former U.S. Navy SEALs to build an encrypted communications platform that should be proof against any surveillance. The company, called Silent Circle, will launch later this year, when $20 a month will buy you encrypted email, text messages, phone calls, and videoconferencing in a package that looks to be strong enough to have the NSA seriously worried. ... While software can handle most of the work, there still needs to be a small backend of servers to handle traffic. The company surveyed the state of privacy laws around the world and found that the top three choices were Switzerland, Iceland, and Canada, so they went for the one within driving distance."
Wow slashdot, a new low: Not even providing a link to TFA for people to complain about other people not reading.
Canada is decent, but they can still be forced to modify their code to catch people on demand of Interpol there.
Look what happened with Hushmail.
Link is http://www.theregister.co.uk/2012/06/14/pgp_seal_encrypted_communications/ since it wasn't in the summary.
Burns: We're building a casino!
McAllister: Arrr. Give me 5 minutes.
encrypted email, text messages, phone calls, and videoconferencing
With the proper encryption software on the endpoints, and properly encrypted storage, why does the server location even matter?
If nothing was actually stored on the server (or if everything stored there was encrypted with keys unknown to the operators) there would be no point in any government agency grabbing the server other than to shut it down. And nothing prevents that better than multiple sites.
It would seem to me the best solution would be for that server to have zero knowledge about the content of any data, and serve as a store and forward repository for content where one or the other party is off line (file transfer or email). For Video conferencing and text messages the servers might serve only as a routing agent for firewall piercing (where each participant is behind a firewall). But in no case should it contain un-encrypted data, and all logging should be to /dev/null.
Almost all of this is available today using a variety of off the shelf software with PGP keys, etc.
Wouldn't concentrating this traffic in a single place make it easier to monitor? If nothing else, a monitoring agency can gain the equivalent of pen register data simply by doing packet analysis at the upstream of such a service provider.
Wouldn't merely subscribing to such a service (and leaving a money trail) become a red flag?
Sig Battery depleted. Reverting to safe mode.
But if it's made up of a bunch of ex-navy seals, can you really trust that it's going to be secure against american intelligence access? And if it *IS*, what does that say about these EX-SEAL personnel? The old 'loyalty to your job' versus 'loyalty to your country' :D
Are they aware of the Canadian Conservative party's utter contempt for online privacy and willingness to grant broad snooping powers with no oversight to completely unqualified authorities? All without a warrant? Bill C-11 is currently in the process of being rammed through along with plenty of other unpopular legislation. Need I even mention the unabashed kowtowing to the whims of U.S. media conglomerates?
"You can either stand with us or with the child pornographers" - Vic Toews, Minister of Public Safety.
Move to England, you'll do great business there. Didn't you hear? Their government took Orwell's warning and turned it into a plan!
As a Canadian resident, I wouldn't count on our privacy laws remaining strong, or - above all - being strongly enforced - with the Conservative party in power. They should have gone with Sweden or Switzerland.
I'm a little segfault, short and stout.
What do SEALs have to do with it? Are they going to infiltrate the datacenters of privacy violators and blow them up? Secure this company's underwater cables? Now some NSA or CIA signals intelligence veterans might be helpful.
The old 'loyalty to your job' versus 'loyalty to your country'
"Country" means more than just "the guys holding political office right now." Perhaps they see the sad state of privacy laws in the US, remember the 4th Amendment, and realize that they would be doing their country the best service they can by offering this sort of solution.
I'm sure they did their due diligence, but from what Ive seen the last couple years Canada seems to be heavily influenced by US politicians, lobbyist, etc.. And I would not be surprised to hear of a joint task force as in" go ahead eh" taking down the servers for from the US privacy destruction machine. Just my tinfoil hat 2 cents.
They just nee to make sure they don't discuss any details of the service at the airport...
that way have better world coverage and can shift if the local politics go to crap on privacy.
As the Hushmail cases have proven.. bullshit and server /client cryptography DONT work against government subpoena(s).. especially in canada...
and another strike!!!
how about peer to peer voip crypto...
Also, three countries with universal single-payer health care, free education, high standards of living and a thriving middle class.
Also countries that have succeeded despite not adopting the disastrous "austerity measures" that have caused widespread recessions in other countries, and threaten to send the U.S. into a double-dip recession if adopted here.
Having successful developed societies is not really so hard when you have nice clear examples like these three. Yet still if you were to watch any of the news talk programs on television this morning, you would hear our political elite talking about how desperately we need to adopt the austerity measures that are sinking so many countries in the Eurozone. Hell, we have one political party here that is wholly dedicated to adopting precisely those failed policies. And bigger tax cuts for the Rent Seekers!
You are welcome on my lawn.
You get the apps at the iPhone/Android store, so does it just use a password? Where's the 2/3 factor authentication, or a security quiz from the system before you can start using it? Can you set an 'alarm' password that tells everyone you're under duress, or an innocuous password that only shows fake data?
Trying to make it easy to use is commendable, but trading ease for security would be better.
tomorrow who's gonna fuss
They should have gone with one of the other two. My government doesn't have the balls to stand up to US pressure (eg copyright and digital locks legislation--bill C-11--going through the house right now that will make it illegal to even make a backup of media we buy). I have more faith in both Switzerland and Iceland to show more independence.
This has no one worried. PGP was broken in 1991 and is the only Phil Zimmerman is not in jail.
That's why we use one-time pads. :)
They teamed up with Navy SEALs to develop this. That means a branch of the US Government is involved.
No thanks.
For $20 a month you could also rent a virtual server somewhere and run the software for an existing, free anonymization network such as Tor, I2P, or Freenet. And that would even benefit all other users of these networks, who might not be able to afford a commercial service that doesn't seem to provide real benefits...
(And yes, I *have* put my money where my mouth is, and I am doing exactly what I wrote.)
Sounds good.
I believe them when they say it is a good privacy protection package, and $20 sounds reasonable.
It better be open, and available for public comment, for every single line of code that goes into it otheriwse, then no, I don't believe it is safe to use.
I want to see it and make my own determination.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
This looks like the same architecture the NSA is advocating for a secure Android communication platform using encrypted VoIP. The problem with their (NSA) proposal is that it requires 3G+ data network coverage to work and this isn't available everywhere. What data speeds are required by Zimmerman's project? Also, won't using this tool immediately flag the user as suspicious? As a hostile government/network provider could I not just block/flag traffic routing towards the Canadian server? What is to keep someone using this in someplace like Ethiopia from being immediately picked up by the authorities and jailed indefinitely or tortured into revealing the data the cryptography was meant to protect?
including a proxy, mail, webmail, even hosting.
http://www.cotse.net/ is what i use.
The concept of "privacy" as a paid, centralized service leaves something to be desired.
Phil Zimmerman has been compromised ever since PGP 2.6 (IIRC), which was curiously released RIGHT AFTER he was hassled by the IRS. Curiously, 2.6 is incompatible with 2.3a, which was the version just BEFORE PZ was "re-educated" by the Feds.
Now it's time for me to put some copper foil on my hat; because the tinfoil doesn't block enough of the mind-control waves...
They already have one. It's called Windows :| How many bugs and exploits are found almost monthly ? How many zero day exploits are out there but unpublished ? Even Flame was using unpublished zero day stuff, so don't think for a moment they din't exist.
To be fair, not just Windows, but all flavors of OS that require patches on a monthly basis as new exploits are found.
They don't need to backdoor it. A simple keylogger will give them anything they need should the need arise.
Hell, if you really want to get fun, install the keylogger hardware in a chip INSIDE the keyboard. See you find that one. Especially if it came from the manufacturer that way :|
sorry utter fail him partnering up with the us military no really????
FAIL
The company surveyed the state of privacy laws around the world and found that the top three choices were Switzerland, Iceland, and Canada, so they went for the one within driving distance.
So.... that'll be Switzerland, then? Right?
The "Lawful Access" provisions don't require access to the end-user terminals.
Canada might not be a good choice. Our privacy laws right now might be decent, but the Harper government is selling rights to write our laws to the US and to US lobbyists. Don't count on Canada having sane privacy laws nor "Intellectual Property" laws for much longer.
The MPAA, RIAA, and NSA count more to Harper than citizens.
bill C-11--going through the house right now that will make it illegal to even make a backup of media we buy
If you do, I doubt that penalties for individual infractions will be worth anyone persuing. The Supreme Court of Canada has used the Charter of Rights and Freedoms to slash excessive restrictions on individual freedoms, and so would probably not tolerate the heavy-handedness that exists in the US.
Therefore the only way such software can be known to be secure is if the source is published.
Use free software for security.
Does anyone remember Zero Knowledge, they had a product in the late '90s to early 2000s called Freedom, that basically did what Silent Circle is going to be doing, however, it was only for PCs.
Michael
http://s1.sfgame.us/index.php?rec=58163
After seeing all of the dumb shit that Stephen Harper and his Conservative Cronies are doing, it may be a mistake in the long run for them to choose Canada as a base of operations for their service.
It's stupid to base a huge project like this on current laws. They can a. change overnight and/or b. be subverted/ignored any time.
I just hope he doesn't shoot anybody else!
Privacy By Subscription? lol, right... that means, if you are doing nothing illegal, use it.. because it isnt really private.. but then really, why use it? Anyway, if they keep this business idea going, memories of the german hacker Tron come to mind.
Zimmerman and PGP opened a back door to their encryption on orders of the US spooks years ago - hence GPG, an open-source alternative that the spooks don't backdoor.
Why o why would I let them have my encrypted voice communications when I know full well they'll hand the keys to the spooks?
This is quite interesting because if you make a project open source there is much much less that the government can do to stop your project. The thing that makes this even more interesting is this is being started by exactly the same person who PUBLISHED the source code for PGP IN A BOOK just to protect it from the government!
Tor will be illegal/compromised shortly. Or the ISPs will make the use of Tor an offense under their terms of service, and shut the nodes down. The new worldwide police state ain't gonna let you operate an encrypted network for long.
Switzerland and Iceland likely have similar privacy laws to Canada's current laws, but the current Canadian Government is in a race to become like the GOP in the US. Yes, its that bad! Some of their brainless decisions are even similar to the US Tea party! IT.IS.THAT.BAD! Canadian laws are changing to a draconian state. I would do a re-analysis of the Canadian legal system after they changed about 60 laws in one go this past week. Its almost like Hitler burned the Reichstag all over again.
Do they accept payment in bitcoin? or will they?
Within driving distance of the FBI?
They won't think twice about grabbing it. Look what they did to Megaupload and that was in Hong Kong/New Zealand and only affected the RIAA, not "national security".
Let's hope they put it in a huge bunker with lots of heavy timelocked doors - buy enough time for it to become a massive scandal before the MiB can get through to the servers.
No sig today...
Well, I for one welcome our new NSA overlords. Actually, this article is bullshit. Why would anyone think that having former Navy Seals will somehow lend credibility to a project not involving sneaking into some place by water and silently slitting people's throats? It'd be a bit like having phony "Professional" Wrestlers as consultants on a system that allows visualizations of protein folding. What the fuck would they know about THAT?!?
Anyway, it's not going to worry the NSA, even if they pretend it is, because they have industrial strength/government/military grade decryption capabilities, and even if someone somehow figured out how to encrypt shit in such a way that the NSA couldn't read it, they'd use other means to violate your privacy without your knowledge, such as use TEMPEST to read the contents of your display screen or electromagnetic energy emanating from your keyboard every time you hit a key, which can be read from far away from your equipment. Even if you have end to end encryption, whatever message you're reading or porn you're watching will get displayed somewhere, and they can just read it off that. There are probably other approaches as well, such as sections of your computer's CPU, GPU, or NIC that are quietly ready, on command, to send information on what you're doing, or what you've done, to whichever government agency wants the info. You can think I'm crazy if you like, but in case you hadn't noticed, our government will stop at nothing and stoop to whatever arbitrary level of scumminess to do whatever it takes to meet whatever objective they decide to tackle.
It's just like locking-up an expensive car. No matter how hard you might make it to steal your car, someone can always wait in the bushes near where you parked, and put a gun to your head and blow your brains out, then steal your car because they can take the keys out of your pocket. Similarly, the government can threaten to jail you if you don't decrypt whatever they want you to decrypt, and given that the NDAA allows the President (and his jackbooted thugs) to arrest and incarcerate without charges, without rights, etc., anyone suspected of being “a terrorist”, although since you'll have no rights, you have no way to challenge you're being labeled a terrorist, which means they can accuse pretty much anyone of anything with impunity, and we can't do shit about it.
Mathematically, the only encryption strategy that assures you of a message being truly private, is a truly random one-time pad cipher. You manually encrypt the message using the one-time pad. You
destroy that day's crypto-page, and the scratch pad you used to do any of the enciphering and decyphering, and the message is already encrypted before the first time any of the text of the message of messages actually touches ANY of your computer hardware.
Distribution of keys is a source of problems, as is protecting the keys, and spending the time and effort it takes to use OTPC. So it's already a trade-off...
But if you want truly bullet-proof security, that no one but the intended recipient of the message will be able to read, you have to use a one-time pad, otherwise you're just basically jacking off, fantasizing that you have good security and privacy protection..
Even if you have this service or that, or some program to encrypt your message(s), how can you know it doesn't have one or more backdoors built into it? Even if you have the source code, and built it yourself, did you also build the compiler, the linker, etc.? Do you know what the practical upshot of every single line of code of any of those programs is? Of course not. Who does?
So, at the risk of sounding repetitious, end-to-end crypto using a one-time scratch pad where the unencrypted version of the communique is NEVER on the computer, you're probably safe... but only PROBABLY, depends on how bad someone who works for our government, wants that info.
It seems rediculous to me that our governments are not drafting laws to require email services and voip telephone service to be encrypted in this way already. I cant understand why the government allows our data to be so insecurely handled and stored. It leads me to believe that they want us to remain open and suseptible to eavesdropping from all parties... only to allow them to have an easier time doing their job. The government meant to protect us is the same one trying to keep us weak. We the people should stand up and do something about this. Requiring laws to keep us weak in order to make their job easier is a serious threat to the protection of the public. Why is there no politician saying anything about this. If the public was aware of the danger they are putting the country in, then those who support laws which make encryption illegal or require back doors would be seen as the traitors they are and there actions would be considered treasonous.
Peer-2-Peer requires peers which are addressable.
Sadly, most of the cell network are NATed with private IP ranges (10.x.y.z) and thus aren't directly addressable.
You mostly cannot do P2P on a network exclusively consisting of smartphones.
So you need at least some external server with publicly reachable IPs which should help setting up the connection (think Skype's supernodes, STUN, TURN, and the likes) and help a little bit with the key management.
But these servers suddenly become a single point of failure, so better host them in a country which isn't going to shut them down on a whim, just because said server help a secure non-wiretappable communication and said country like to wave the "evil pedo-terrorist" flag as pretext to snoop in every possible communication channel.
Also said servers can't be located into a country with wire tapping laws mandating backdoors in every communication channel, because the whole system is encrypted and thus cannot be wiretapped. It needs to be in a country where the server will be left alone. Unless there's a proper investigation (with all procedure properly followed) coming to ask legally for collaboration and where the server maintainer can legally say "we agree to help as much as we could, but as everything is encrypted peer-2-peer, and there's only minimal anonymous content on our server, there's not much that we can actually do" (without getting thrown in jail for "obstructing justice" or for not properly following wiretapping laws and building in the law-mandated back doors).
And that's probably why this new venture needs servers located in Canada.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Zimmermann originally developed his own symmetric algorithm called Bass-o-Matic, which was originally used in the first versions of PGP circa 1991. Bass-o-Matic was indeed flawed, and he was shown that it was breakable. Zimmermann replaced Bass-O-Matic with a different algorithm (which I don't remember), and that was the version that subsequently became much stronger and started to draw the attention of the investigation circa 1994. In other words, the part that was broken in 1991 was fixed by the time the investigation started.
Running away from a challenge, little mere STUDENT boy? http://yro.slashdot.org/comments.pl?sid=2933305&cid=40421131
?
* Absolutely, and I take IMMENSE PLEASURE watching little wannabe computer guru NOOBS like yourself, a mere STUDENT, running away from a challenge that I put to you there in the link above, where I challenge you to disprove points of mine that show custom hosts files get end users of them the following items:
---
1.) Better "layered-security"/"defense-in-depth"
2.) Better online speed/bandwidth while websurfing
3.) Better "anonymity" to an extent vs. DNS request logs
4.) The ability to circumvent DNSBL's (DNS Block Lists) IF the user finds them inconvenient or unjust
---
(Now, I could care less for your pussy-like "std. evasion replies" here, but instead? Well - let's see you disprove my 21++ points in favor of custom hosts files in the link above, where you're running away like the scared little rabbitt NOOB you are!)
A few years ago, I "knocked-the-chocolate" out of a post doc student named StarKruzr (Jarrett DeAngelis) whom I also caught LYING as well, right here on these forums & also @ Windows IT Pro (where I also knocked the daylights out of Dr. Mark Russinovich of Microsoft as well on memory mgt. (MS too, I was correct that "dedicate all free memory to caches" would FAIL on Windows, because *NIX variants manage memory @ a GLOBAL LEVEL, rather than by process/atomic threads as well as showing his ideas incorrect by examples from MS themselves, then lastly correcting his work for "hardcoded" (blew me away a PhD would make errors like THAT) mistakes in pagedefrag.exe as well... which he ended up THANKING ME FOR no less in email also @ least!)).
I am going to laugh @ you since you have evaded a challenge put to you, and everyone else reading's seeing you do the same too... shame, shame, shame, lol!
"citation needed"?
YOU NEED A SET OF BALLS YOU LITTLE WEASEL... & you're going to require more than your puny overpriced education to "get the better of" me... & you KNOW it (hence why you RAN in the link above).
APK
P.S.=> What's the matter pussy? Your grad school masters/doctoral training (good luck paying off your debts) not enough to face up to a challenge & face the music in the link above?? Obviously... you're WEAK, a punk, and you make me laugh! apk