CryptoPhone Sales Jump To 100,000+, Even at $3500
An anonymous reader writes "Since Edward Snowden started making NSA files public last year, GSMK has seen a jump in sales. There are more than 100,000 CryptoPhones in use today. How secure they really are will be determined in the future. But I'm sure that some government agencies, not just in the U.S., are very interested in getting a list of users."
For the price the company's charging for a modified Galaxy S3, it had better be as secure as they claim; otherwise, the free and open source RedPhone from Moxie Marlinspike's Whisper Systems seems like something to think about first.
Pull the other one... A phone has more than one chip in it.
“He’s not deformed, he’s just drunk!”
$3500 is a lot to spend on software
...Blackphone?
Then rest assured that governments know how to get into them. Else we'd have seen some kind of harebrained reason why these phones can no longer be bought and used.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
At least it's not from a US company. There is another phone like this, and it's from a US based company. And I'm thinking... yeah right, NSA honey trap.
We need secure software. We can't trust hardware at all, unless it's for a single purpose, with a verifiable protocol. The Bitcoin community are coming up with some great solutions, which will help.
I've said it before on the topic and I'll say it again. One word: Honeypot.
I laugh hysterically at people who fork over thousands of dollars to admit they have something to hide and lead the watchers right to them.
Sounds like a perfect trap to find out terrorists.
So it's basically encrypted VoIP and not GSM calls
I can do this with any mobile.
How is it a phone if the carriers don't know where it is? They can't let you know when someone calls you that way.... I suspect the tracking is not disabled.
I should note that it's not impossible to make some improvement in this area: there is no reason the carrier has to know which phone is which, and when you have internet from another source you don't have to connect to the cell network. When you connect you could generate a new unique ID that they couldn't associate with you, and have a third party (which you have an account with, but does not have access to the carrier's tracking info) handle billing for your pseudorandom ID (They could decrypt the ID, and map the billing to your account, and pay the carrier for your bandwidth). In general, this leaks lots of metadata still, but it's a major improvement over the current way things work.
However, I bet this phone does not go nearly that far: I bet it's basically useless and the carrier still knows who is where and the government can compel them to log it and hand that over.
It would be naïve to think that with all of the massive cryptographic resources at their disposal, the NSA can't hack into this phone's communications at the push of a button.
You can buy both online worry free delivered to your doorstep.
The problem with something like RedPhone is that there are multiple CPUs on the phone -- in particular, the baseband is a full ARM chip with complete access to all RAM on the device. And the software running there is almost never under the user's control. So it doesn't matter how good RedPhone is -- if it ever leaks *any* plaintext or key bits out to RAM, or across any wires outside the CPU it's running on, the baseband chip and the software running on it can wiretap you. And even if those things never leak off the main CPU die, the baseband can probably inject processes/instructions into that main chip's address space that would steal those critical key bits.
Unless you have control over *all* the firmware running on *all* the processors in a phone, I wouldn't trust it any farther than I can comfortably spit out a rat.
(and this is not accounting for hardware tricks -- I think you cannot trust your communications are secure unless you trust everyone involved in its design, manufacture and programming (including the compiler and related toolchain, and its compiler and toolchain -- and so on ad infinitum) -- and that is probably a *very* sizable list indeed -- the odds that some lettered agency (looking at *you* cse/csis, nsa, gchq, fsb, etc) have not corrupted *someone* on that large list are so small that only god/fsm could tell the difference between it and 0.)
Ian Ameline
Go to the stadium in shorts and t-shirt, freshly washed (and dried indoors). Wear new style running shoes with very thin sole, as recommended in Scott Jurek's "Eat and run".
Talk while walking via woods or a park, among trees.
No phone, no watch, no camera, no heavy clothing.
And speak quietly anyway. Still it does not guarantee privacy.
All other talk or messaging are public. It is a new brave world where there are no secrets.
Just get a VPN provider outside the US (countries hostile towards the US are good for this), and push all your traffic through your VPN, and use IP for everything, along with RedPhone and TextSecure. Also enable whole-phone encryption and autodestruct for N incorrect unlock attempts.
At $3500 a pop, I expect it's the NSA (or another 3-4 letter agency) who've bought most of these phones.
If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
While the vast majority of people do not use cryptography on all their communications, those who do will be noticed and put under greater scrutiny; therefore, in being proactive they have made themselves a target protected only by the assumption that the technology they are employing does not contain flaws known to those who wish to monitor them, a very foolish assumption.
Snowden et al. have done the NSA (and similar organisations in every other government) a favour by motivating targets to "break cover" while not actually providing them with any real protection. Even if I can't break your shiny new phone protection now, I can still put an old school bug in your physical location now that I know I need to target you. Or arrange for you to acquire an attractive new friend with a lot of common interests etc. Old school methods become efficient on a large scale if the targets do you the favour of identifying themselves because your efforts can be much more focused.
you are always posting for vpns...they are all 100% pwned....and viewable by spy agencies...are you there at this 3rd party to verify anything?
NO...oh you're a trustable sort....
and as yoda said..."it is why you fail"
Do RedPhone and Avast! Anti-theft play nicely together yet? Last time I tried Avast! Anti-theft claimed it wouldn't work because RedPhone claimed priority over SMSes. I would have thought there ought to be some method of Anti-theft still getting the SMS after RedPhone decides it's not for it.
Isn't there a software stack for encrypted comm?
I think I'll stick with fishing line and tin cups.
I still want to make a Bluetooth end-to-end encryption device - connects to the phone as a headset and connects to a headset as a phone and does a modem functionality to exchange public keys and set up the call. Unfortunately some carriers have clauses saying you can't send data as analog.
Slashdot seems to be asleep when it comes to new security products, especially when it's a Phil Zimmermann venture and the phone only costs about what an iPhone does.
Setting aside the fact that "hardware" and "software" have a fine and wavering line between them, you have apparently never heard of (say) Transmeta, or FPGAs. Or even software working around hardware issues -- e.g. the kernel patch for the Intel F00F bug.
Maybe you shouldn't try to sound so authoritative about stuff. Nobody knows everything, and, unless you do, acting as an Authority is dumb.
Any time you want to go to the mat on phones, you just let me know. Embedded systems, Linux, Android, POTS, VoIP (SIP and MGCP spoken here -- likewise RTP and RTSP), T1, BRI/PRI, ATM/SONET -- I'm there for you. We can even talk cell backend networks and equipment, too, if you'd like -- so happens my wife covers that side of the playing field. And my best man designed class 5 switches pretty much from the ground up until he got promoted to VP of a billion-dollar telecom/networking company -- I got to call the damn manufacturer when I found a bug on the switch my home phone went through; fastest patch ever. (The VP of software development was *also* at my wedding. Handy, that.)
But, really, what I'm saying here is that you appear to be just smart enough to *think* you know what you're talking about -- and more than willing to spout off -- when, in actuality, you don't. If you just stopped being so damn certain, and, instead, allowed that you might not know everything, folks would like you an awful lot more.
Really.
P.P.S. I still don't know everything -- not by a far sight. But I know what I know -- and I know what I don't. And I know where the line lies. Indeed, when hiring, one of the things I look for is a candidate who's willing to acknowledge that they *don't* know something. Because someone who's convinced they know everything is someone I don't want on my team.
Wouldn't it be counterproductive for the folks using a secure phone? I mean, currently, the NSA or whoever wants to snoop has to snoop on EVERY call, use some filtering logic to flag a few million calls, analyze these calls to see which are actually malicious and then narrow down on the culprits.
If people start using a secure phone or secure calls, the problem becomes much simpler since now all the agency needs is a list of people who are using this. There are other methods of surveillance than snooping on phone calls and using such phones or software will just result in the search space becoming smaller making it that much easier to narrow down on the list of "suspects".