Slashdot Mirror


Zimmermann's Silent Circle Now Live

e065c8515d206cb0e190 writes "Several websites have announced the launch of Silent Circle, PGP's founder Phil Zimmermann's new suite of tools for the paranoid. After a first day glitch with a late approval of their iOS app, the website seems to now accept subscriptions. Have any slashdotters subscribed? What does SilentCircle provide that previous applications didn't have?"


  1. Now, with centralized user tracking! by Animats · · Score: 5, Insightful

    The "Silent Circle" uses their own "Silent Network", allowing centralized user tracking. Also, the code isn't open source, so you have no idea if the crypto key generation is any good or if there are backdoors.

    1. Re:Now, with centralized user tracking! by Anonymous Coward · · Score: 5, Funny

      HURR DURR Obama Warrantless Wiretapping HURR DURR

    2. Re:Now, with centralized user tracking! by interval1066 · · Score: 5, Interesting

      Even so, with Zimmerman's involvement I tend more to a "trust" relationship than an "untrusted" one. Zimmerman is on my whitelist.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    3. Re:Now, with centralized user tracking! by Anonymous Coward · · Score: 5, Funny

      Careful there. You're commenting on a story about "wanting to hide stuff" on a known gathering place for geeks and occasionally cyber-terrorists. You're in a database somewhere for simply being here.

    4. Re:Now, with centralized user tracking! by maestroX · · Score: 3, Funny

      buuttt.... is it Zimmerman?

    5. Re:Now, with centralized user tracking! by Bysshe · · Score: 5, Informative

      Considering Zimmermann's track record of not including backdoors and that he was investigated for several years in the 90s, much to his personal detriment, for his release of PGP, I think this particular protocol is pretty safe. Lastly and business case is based 100% on total security. If ever it leaked that there's any kind of backdoor it would all be for naught. I highly doubt the core team (there are 4 of them, including Zimmermann, 2 ex-SEALs, and Callas) would risk their reputations on including a backdoor. In addition any real backdoors would flag an interference.

      --
      Read what I mean, not what I wrote.
    6. Re:Now, with centralized user tracking! by Bysshe · · Score: 4, Interesting

      Zimmermann's one of those hyper-idealists who will defend his position to his own detriment and the detriment of anyone close to him. If you have to trust someone for privacy, it's him.

      --
      Read what I mean, not what I wrote.
    7. Re:Now, with centralized user tracking! by chihowa · · Score: 4, Interesting

      Even so, with Zimmerman's involvement I tend more to a "trust" relationship than an "untrusted" one. Zimmerman is on my whitelist.

      That's funny, because I almost feel the complete opposite way. I really want to trust Zimmerman, but I can't make myself do it. Part of it is keeping his work closed source, which is extra scary when talking about cryptography. Being asked to trust a security solution that you can't examine is insane.

      But part of it also comes from his past. He went against the wishes of the US government and won. In my experience, that just doesn't happen... ever. The fact that he's still working in cryptography and not in some hole somewhere makes me think he's playing ball with the government. It at least raises doubts, which cannot be alleviated by reviewing the source code.

      Or maybe I'm just paranoid. But cryptography is the plaything of the paranoid, and relying on the paranoid to just trust you seems a little off.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    8. Re:Now, with centralized user tracking! by Incadenza · · Score: 4, Funny

      "Yes, I am paranoid. But am I paranoid enough?"

    9. Re:Now, with centralized user tracking! by pnot · · Score: 5, Insightful

      Part of it is keeping his work closed source, which is extra scary when talking about cryptography. Being asked to trust a security solution that you can't examine is insane.

      Unless you're a cryptographer and a programmer... examining the source is pretty much pointless. It may give you a warm happy fuzzy to be able to do so, but you lack the qualifications to actually evaluate it.

      The point, surely, is not that I am necessarily a cryptographer, but that the source is available to those who are. It's not necessary for every user to independently audit the code, because the skilled individuals who do audit the code can then communicate their findings.

      "But why trust the skilled individuals?", you may ask. Answer: because I find it unlikely that all the world's cryptographers are conspiring to keep quiet about any vulnerabilities they find in the code. At any rate it's a more sensible strategy than "assume that Zimmerman is both infallible and incorruptible".

    10. Re:Now, with centralized user tracking! by pnot · · Score: 5, Funny

      Lastly and business case is based 100% on total security. If ever it leaked that there's any kind of backdoor it would all be for naught.

      Lance Armstrong is innocent. His business case is based 100% on being a non-cheating cyclist: if it ever leaked that he'd taken any kind of performance enhancers, it would all be for naught.

    11. Re:Now, with centralized user tracking! by phantomfive · · Score: 3, Insightful

      He went against the wishes of the US government and won. In my experience, that just doesn't happen... ever.

      Then you don't pay attention enough.

      --
      "First they came for the slanderers and i said nothing."
    12. Re:Now, with centralized user tracking! by martin-boundary · · Score: 3, Insightful

      The point, surely, is not that I am necessarily a cryptographer, but that the source is available to those who are. It's not necessary for every user to independently audit the code, because the skilled individuals who do audit the code can then communicate their findings.

      Yes. Let me just add a nitpick. It is necessary that *any* user can *initiate* an independent audit of the code he personally received.

      Merely trusting a community of experts who choose to publish their audits as they please is another form of argument from authority. It's a slippery slope to a world where the source code is only available to qualified experts, since there would be no point in making it available to nonqualified individuals.

      Instead, the point of open source is that any user can hire an expert of their choosing, to work on source code as given to them (not source code the expert downloaded from a presumably equivalent source). AND THE PROBABILITY THAT SOME USERS ACTUALLY DO SO MUST BE STRICTLY POSITIVE.

      because I find it unlikely that all the world's cryptographers are conspiring to keep quiet about any vulnerabilities they find in the code.

      Like nearly everybody, cryptographers tend to act in the best interests of their employers. That is why it is necessary for random users to hire such cryptographers every once in a while, as outlined above.

      We cannot trust that the usual employers won't keep quiet about the findings for selfish reasons, eg large companies like Microsoft or Google sitting on discoveries until they can create and deploy a patch.

    13. Re:Now, with centralized user tracking! by Bill,+Shooter+of+Bul · · Score: 4, Funny

      Of course I don't drive an armored car with my Gold. The armored car is only used for the silver. The gold is transported by zeppelin, for increased security.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    14. Re:Now, with centralized user tracking! by Mjanke · · Score: 3, Interesting

      From Silent Circle's CEO:
      We are putting our products out open source. CALEA does not apply to us - we are a VOIP and software company. If Canada-US-UK Governments try to regulate VOIP - we will move to where we can provide it to the world. We do not have the ability to track individual user logs nor calls. We hold aggregate server IP logs for 7 days - we are working hard to get it down to 24 hours. The data we do have is:

      * Authentication information — your user name and hashed password. We hash passwords with a twelve-character random salt and 20,000 iterations of HMAC-SHA256 via PBKDF2.
      * Your contact email address.
      * Your Silent Phone number that we issue you...

      That's it. No more no less. We use ZRTP and PGP encryption. Phil created both. Jon created PGP universal and Apple's Whole Disk encryption. They have been open, peer reviewed and tested for 10-20 years. Phil, Jon Callas and Vincent Moscaritolo (Top crypto engineer at PGP, Apple and Symantec) created our new Instant Messaging encryption called SCimp... it's being released worldwide for audit and review in a few days... we too believe in open source. We will put our products out open source. We are paranoid. We are on the firing line. There are lots of organizations who do not want us doing what we are doing. We want to push back. We worry about CALEA being hijacked again. We do Peer to peer, device to device encryption. We don't like surveillance. We believe every worldwide citizen has the right to private comms. We don't like Huawei or the Chinese Government putting holes in the silicon. They don't like Silent Circle. So it's a fair fight.

      Our silent network is how we can do clear, very low latency Mobile video and voice on 3G, 4G, edge, and wifi - completely encrypted. Without our custom built network - customers would have poor comms - as is the case with modern day VOIP. We wanted better. We did better. It's not perfect, but we are trying hard to make it the best out there. We don't have the keys to your voice, video, text and data - you do. True security is up to the user. We only secure your comms.

      We are not perfect. We are swimming as fast as we can to launch Android, our Secure PSTN calling plan, Windows 8 version and some new products in 2013... We will make mistakes. We don't stop traffic analysis. We don't secure the device. We don't peddle "military grade encryption" or snake oil VPN systems and we are not for everyone...we deserve scrutiny, skepticism, and questioning. We want to do this right. Phil has been fighting for this chance for 23 years.

      --
      Michael Janke, CEO, Silent Circle
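
The password storage described in the comment above (twelve-character random salt, 20,000 iterations of HMAC-SHA256 via PBKDF2), as an added example that is not Silent Circle's code and not part of the original comment. The salt alphabet, the 32-byte output length and the record layout are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Parameters quoted in the comment above.
SALT_CHARS = 12
ITERATIONS = 20_000
# Assumptions for this example (not stated on the page): alphanumeric salt,
# 32-byte derived key, and a "scheme$iterations$salt$hex" record layout.
SALT_ALPHABET = string.ascii_letters + string.digits
DKLEN = 32
SCHEME = "pbkdf2-sha256"


def new_salt() -> str:
    """Draw a per-user salt from the OS CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_CHARS))


def hash_password(password: str, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record so parameters can change later."""
    salt = new_salt() if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("utf-8"), iterations, DKLEN)
    return f"{SCHEME}${iterations}${salt}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and count; compare in constant time."""
    try:
        scheme, iters, salt, _expected = record.split("$")
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME or iterations < 1:
        return False
    candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate.encode("utf-8"), record.encode("utf-8"))


def needs_rehash(record: str, minimum: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy."""
    return int(record.split("$")[1]) < minimum
```

Storing the iteration count in each record is what lets a service raise the work factor later: a record that verifies but fails `needs_rehash` can be re-hashed at the next successful login.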
  2. the first rule of the silent circle... by Anonymous Coward · · Score: 3, Funny

    shhh...

  3. What does SilentCircle.... by Anonymous Coward · · Score: 5, Informative

    "What does SilentCircle provide that previous applications didn't have?"

    The 20$/*PER MONTH* price tag. You can also use csipsimple, it does secure messaging (using sips) and voice using the zrtp protocol. For 0$/*PER MONTH*.

    (Captcha: investor. How fitting...)

  4. You cannot subscribe to good crypto by betterunixthanunix · · Score: 4, Insightful

    How many times will subscription approaches to crypto have to fail before people understand that it does not work? It failed with Hushmail, and it will almost certainly fail here.

    --
    Palm trees and 8
  5. Doesn't matter. by Anonymous Coward · · Score: 3, Funny

    The "Silent Circle" uses their own "Silent Network", allowing centralized user tracking. Also, the code isn't open source, so you have no idea if the crypto key generation is any good or if there are backdoors.

    I couldn't sign up going through my 3 proxies - the website timed out.

    What?!? And let them know my IP?!?!

    This could be a honey pot for the FBI or CIA or Illuminati!

  6. Would you believe? by bigdarryld · · Score: 4, Funny

    They have the first working implementation of CONTROL's Cone of Silence.

  7. Re:MDM and MAM? by furbearntrout · · Score: 3, Informative

    What do MDM and MAM stand for?

    Mobile Application Management (MAM) and Mobile Device Management (MDM)

    --
    Crap. What did the new CSS do with the "Post anonymously" option??
  8. Re:All This Needs Is A FOSS Solution by HatofPig · · Score: 3, Informative

    Ostel is a running public beta of the Open Secure Telephony project. It's end-to-end secure VoIP. Anyone with an Android phone (i.e. everybody reading this) is covered for everything but video by The Guardian Project.

    --
    Silicon & Charybdis McLuhan Kildall Papert Kay
  9. Phil Zimmerman is ok in my book by hardie · · Score: 4, Informative

    I worked with Phil for awhile at StorageTek--6 months or a year I think. He's a very smart guy. He was also one of the most evangelistic people I have ever met. I do NOT mean this in a religious sense, any way shape or form. At the time (this was the 1980's) he spoke a lot (incessantly?) about the danger of nuclear war and all these bombs we've got. I expect that this same incredible focus and sense of purpose has now been applied to security, which could be a really good thing. I also expect that he has mellowed a bit, but that's just a guess.

    Steve

    1. Re:Phil Zimmerman is ok in my book by e065c8515d206cb0e190 · · Score: 4, Interesting

      OP here.

      Exactly. My reason to believe SilentCircle is in good faith is Zimmerman's history fighting for privacy. It doesn't mean I would trust that service. But I guess it gives some hope that people are going to become more aware of privacy issues in general.

      Which is why I was ambivalent about this and came to get /.'s opinion

  10. CALEA by gellenburg · · Score: 5, Informative

    I wrote to Silent Circle over a week ago when news of the impending launch first started making circles.

    SC's COO was kind to respond in an attempt to allay my fears. Sadly though his answer was more "non" than one.

    A week ago I replied back with a follow-up question, and have yet to receive a response.

    While my political activism is pretty much limited to change.org petitions, SC is directly marketing their services TO activists. As the Occupy movement has shown, political activism, and the free-speech that goes along with it, are becoming in jeopardy. My concern, and I feel it's a valid one, is that CALEA will give subscribers a false sense of security. After all when Microsoft purchased Skype, one of the first things they did (they had no choice) was to install CALEA intercepts.

    Hopefully somebody at Silent Circle will be able to answer this. Until then, I wouldn't recommend it. Check out The Guardian Project and Jitsi instead.

    (Note - I'm only posting this because as Silent Circle's COO, Vic Hyder is authorized to speak on behalf of the Company.)

    -----BEGIN EMAIL-----
    Mr. Hyder,

    Thank you very much for the reply and information you've provided below,
    but I'm afraid I'm still unclear on one particular point: does Silent
    Circle fall under CALEA jurisdiction or not?

    Kind regards,

    George Ellenburg

    On 10/11/12 7:43 PM, Vic Hyder wrote:
    > George,
    > Thanks for the note. Quick response - Silent Circle provides peer to
    > peer encryption from subscriber to subscriber. The Secure Calling Plan
    > offers members a little flexibility to use their Silent Phone number
    > to send and receive calls outside the Circle (encrypted to our servers
    > but decrypted from servers to non-subscriber). We'll let our members
    > determine what their threat model is and how they need to protect
    > their transmissions.
    >
    > Circle up.
    > ______________
    >
    > Vic Hyder
    > Chief Operations Officer
    >
    > Silent Circle
    > Private Encrypted Communications
    > Silicon Valley | Washington DC
    >
    > w: SilentCircle.com
    >
    > This email and any files transmitted with it are confidential and
    > intended solely for the use of the individual or entity to whom they
    > are addressed. If you received this e-mail in error, please notify the
    > sender immediately and destroy and/or delete all copies. Circle up.
    >
    >
    >
    > On Oct 11, 2012, at 6:01 AM, George Ellenburg wrote:
    >
    >> Hello-
    >>
    >> I read with interest news reports yesterday that Silent Circle was
    >> getting ready to launch. As an activist and privacy advocate, I was
    >> troubled though to read that Silent Circle was planning on offering a
    >> Secure Calling Plan amongst other communication services.
    >>
    >> I understand the obvious revenue stream such an offering will generate,
    >> but I'm intrigued as to how you plan to not comply with CALEA, or
    >> curious as to how CALEA wouldn't do an end-run around your service
    >> altogether? CALEA, as you probably know, is the Communications
    >> Assistance for Law Enforcement Act, which requires mandatory technical
    >> intercept points for Law Enforcement and Intelligence purposes.
    >>
    >> Being a United States Company, offering Communication services, located
    >> in the United States, your Company is certainly subjected to mandatory
    >> CALEA implementations.
    >>
    >> Thanks for your time. I earnestly look forward to your response.
    >>
    >> -George Ellenburg
    >>
    >
    -----END EMAIL-----

  11. Timely Idea, but Do It Yourself? by rueger · · Score: 3, Interesting

    Of late I've been thinking that it might be prudent to establish an on-line persona that can't be traced back to me. Between corporate tracking (Google?) and government's love of surveillance, and a sense that we could be heading for some economically or politically charged time, I can see situations where anonymity could be essential.

    It seems to me that if you can start with an untraceable e-mail address and consistent use of Tor, you should be on the way to building up an on-line profile that's recognizable, useful, and fairly disconnected from real life.

    I'm not naive enough to think that anything I could do would be 100% safe or secure, but surely you can keep most of the prying eyes away from you.

  12. Re:Poor headline by 1u3hr · · Score: 3, Informative

    I certainly didn't associate the name with PGP, I associated it with the previous article, and I'm sure others did as well.

    I associated it with Bob Dylan myself.