
silent circle app

OBSoul33t

Member
wondering if anyone has experience with this communication encryption app called silent circle, https://silentcircle.com/

any techies out there that could shed some light on this would be great, it came recommended by a very top criminal defense lawyer..

cheers
 

rexmanning

New member
Very familiar and it's not worth the $$. Please tell the criminal defense lawyer that they need to take a close look at SC's response to data requests within the USA....SC is meant to protect military and contractors overseas.

Try out the freeware that is available:

Android:
TextSecure for SMS
Gibberbot for IM
cSIPsimple for Voice
RedPhone for Voice

iOS:
Chat Secure for IM
 

soursmoker

East Coast, All Day!
Veteran
seems like good advice ^^ but yet he is brand new here.... 1 post...
makes me a little leery...
 

rexmanning

New member
Yep...just one post..I tend not to post unless there is something worth posting. Don't scare away folks with low post counts...and don't automatically trust post counts :)

Couple of good talking points:

SC public announcement

"With a team comprised of the world's most noted crypto experts, including Phil Zimmermann, we have published all of Silent Circle's source code so customers are assured there are absolutely no backdoors or areas of compromised security within our service. "

Truth: SC released the initial source code and since then have kept it closed source

http://issilentcircleopensourceyet.com/

The Encryption Protocol
SC works on the ZRTPP protocol which Zimm released open source and then pulled it claiming "exportation" issues....since this was a needed protocol, folks quickly moved to ZRTP4PJ (new protocol, not under Zimm's control) and you can use Ostel.me for the exact same protection (maybe more? their code is open for peer review) as SC for free.

The last nail in the coffin:

From: https://silentcircle.com/web/law-compliance/

"In providing this service, however, it’s also important to recognize that a small number of people will use our products and services to do unlawful, bad things. We obviously don’t want that: it hurts everyone, but we know it will happen. Various law enforcement agencies will therefore make demands, on a case-by-case basis, that we disclose existing subscriber data, and preserve data that we would not normally keep. Such legal demands are inevitable and come with the territory. We must and will comply with valid legal demands for the very limited information we hold. Thus, we want to make it clear that when legally compelled to do so, we will turn over the little information we hold, described above. Before turning it over, however, we will evaluate the request to make sure it complies with the letter and spirit of the law. And, consistent with best privacy practices followed by other companies, when possible and legally permissible, we will notify the user in order to give him or her the opportunity to object to the disclosure."

What SC will provide (that they can legally disclose that they disclose)?:

-Authentication information — your user name and hashed password. We hash passwords with a twelve-character random salt and 20,000 iterations of HMAC-SHA256 via PBKDF2.

-Your contact email address.

-Your Silent Phone number that we issue you

-Server IP Logs for login only. We currently retain these for 7 days, and are working to reduce this to 24 hours


Open to any questions regarding SC (I tested it for some time on all devices) as well as setting up (free) secure comms.

-RM
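
The credential scheme quoted in the post above (twelve-character random salt, 20,000 iterations of HMAC-SHA256 via PBKDF2), as an added example that is not part of the original post and not Silent Circle's code. It shows what such a stored record holds and how to estimate what the iteration count costs per password guess; the record layout, salt alphabet and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time

ITERATIONS = 20_000   # figure quoted from the compliance page
SALT_CHARS = 12       # "twelve-character random salt"
# Assumption: the page does not say which characters the salt is drawn from.
ALPHABET = string.ascii_letters + string.digits


def make_record(password: str, salt: str = "") -> str:
    """Build a stored credential as 'salt$iterations$hex' (layout is assumed)."""
    if not salt:
        salt = "".join(secrets.choice(ALPHABET) for _ in range(SALT_CHARS))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"{salt}${ITERATIONS}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt, iters, expected = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iters))
    return hmac.compare_digest(dk.hex(), expected)


def seconds_per_guess(samples: int = 5) -> float:
    """Measure the cost of one 20,000-iteration evaluation on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, b"constructedsalt", ITERATIONS)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(guess_space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a guess space of given size."""
    return guess_space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    record = make_record("constructed sample passphrase")  # constructed input
    print("stored record:", record)
    rate = 1.0 / seconds_per_guess()
    print(f"about {rate:.0f} guesses/second on one core")
    # 8 lowercase letters versus a 6-word passphrase from a 7776-word list
    print("8 lowercase letters:", years_to_exhaust(26 ** 8, rate), "years")
    print("6 diceware words:   ", years_to_exhaust(7776 ** 6, rate), "years")
```

Whoever holds a record like this can test guesses offline at the measured rate, so the salt and iteration count only slow the search; how long the password holds depends on the size of the space it was chosen from.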
 

username474

Active member
Thanks for the write up Rex. What would you recommend for myself and one other person to use to ensure our privacy? My primary concern would be if either one of us got compromised we would not compromise the other.
 

rexmanning

New member
@username474 - Tough question to answer...how do you want to communicate?

-Phone (RedPhone, Ostel)
-Email (Riseup.net, Countermail.com w/PGP encryption)
-Computer (Look to TAILS https://tails.boum.org/)
-Instant Messaging (Jitsi, Jabber +OTP...any XMPP chat program supporting Off-The-Record(OTR))

Your second comment is the kicker...how to CYA if the other party is compromised?

In the case of most of these solutions they rotate single use encryption keys that are destroyed (simplest terms here) at the end of each communication. Email and IM solutions leave the most trace...and that is where you need to work on OPSEC....don't put any data out there that could be traced to you (addresses, names, work....the typical) and then practice sanitizing your email and IM after each use.....this is a tough subject and easier to tackle knowing your specific requirements for secure comms.

@mojave_green Yep, both are giving everyone a headache with the end-to-end encryption...the drawback I see is that it is a closed source program so code can be introduced down the road....and it's Apple so I can't imagine they will fight any requests for CALEA-type monitoring. Other issue is that only Apple users can talk to each other.

Here are some other great solutions out there for communicating securely

https://www.gruveo.com/ Video/Voice/Chat (just launched...no account or install needed....untrusted at this point)

https://crypto.cat/ Encrypted group chat (used to be full of holes....still has a way to go but works well for anonymous chat)

Thanks so far for the warm welcome! Security is my favorite subject...second only to...well, not a tough guess ;)

-RM
 