Blackphone (store.blackphone.ch)
93 points by MrEliasen 4502 days ago
22 comments

I hate to break it to you, but this is not going to keep you safe from a state-level adversary.

I could drone on about this for pages and pages, but the sad fact is that if you are a target, it doesn't matter that you are using a "secure phone", "secure OS", or "encryption".

Time and time again, these systems have been broken or breached with simple tradecraft and subtle sabotage.

The Pentagon has a concerted (and expensive) effort to validate or verify the absence of "backdoors" or evidence of "additional circuitry" on ASICs or subsystems of its major weapons systems and associated gadgetry. Do you?

I tell people that their simplest way to avoid having their communications intercepted is to NOT. USE. AN. ELECTRONIC. COMMUNICATIONS. DEVICE.

UBL used couriers, flash drives, and cutouts. If you need that level of protection, SO SHOULD YOU.

When I need to communicate secretly I BUY SOMEONE A BEER.

> I hate to break it to you, but this is not going to keep you safe from a state-level adversary.

I don't really like this kind of anti-crypto argument. At this point I think making normal communications between normal people less embarrassingly mass-snoopable is a very worthy goal. For the time being, people who really, really have something to hide need to be extra careful (as has always been the case).

Which is not to say I'm feeling particularly enthusiastic about this device.

This line of reasoning is sound; it's better than the current situation, and it's likely to work for a while as a minority solution to unsurveilled communications.

For a discussion of the _huge_ value of _international_ telecommunications, which can't be replicated by in-person communication, I recommend "Talking to Vula" by the ANC (who were considered a terrorist group in many countries for a long time): http://www.anc.org.za/show.php?id=4693

Ditto.

At the end of the day, state actors all have finite resources. If we continuously tell people to not bother with crypto at all, then we are being self-defeating.

Right now targeting those that use crypto is like shooting fish in a barrel. So few people are using crypto regularly, that they are incredibly easy to single out. If everyone used crypto, the amount it would cost state actors to find and further investigate individuals would quickly overwhelm the current resources of those state actors.

Obviously people using these devices need to know they aren't foolproof and only use them for casual secrets that at most implicate, but not provide solid proof of activities considered subversive by a state actor.

Making the cost of dragnet mass surveillance phishing expeditions prohibitively expensive should be goal number one right now in the crypto community. State actors commit the crime of violating everyone's privacy because it is so incredibly easy and cheap to do so.

I don't know how much it currently costs for state intelligence agencies to investigate an individual, but whatever it is now, I would hope the price were one to two orders of magnitude more expensive than it currently is and be at least in the 7 figure range. If someone really is a terrorist bent on causing lots of damage and killing civilians, it is trivial to justify spending 7 figures on surveilling that individual. The benefit of making it super expensive to surveil everyone, is that these state agencies can no longer casually surveil those it shouldn't be, such as American lawyers doing work protected by attorney client privilege [0].

At the end of the day, although state actors have deep pockets, they are bounded to some degree by market factors like what activities they can legitimately justify given the cost of surveillance and the amount of talent they have available.

[0] http://www.nytimes.com/2014/02/16/us/eavesdropping-ensnared-...

I think the problem with a device like this is that the kind of person who would be interested to use this just may be precisely the kind of person that the NSA would like to keep tabs on, just in case. Enough so, that an NSA worried about the Snowden leaks could theoretically come up with this idea as a way to corral folks trying to escape the "conventional" channels. Particularly with an ex-Navy Seal as CEO (no longer trusts the US government?), what's to say that there isn't some other vulnerability built into the core of this device. “Just because you're paranoid doesn't mean they aren't after you”. ― Joseph Heller
I would like to think that the business folks that purchased Blackberry devices for the security mechanisms would be interested in a device like this now that it's been made clear that Blackberry was compromised. Of course if someone really wants you, they're going to get your data. But a device like this might be (imho) a good solution for most business level data protection of the sort people thought they would be getting from Blackberry.
It's not anti-crypto. It's PRO-tradecraft.

Introducing technology into a system can WEAKEN your security. Knowing that is almost 90% of the battle.

I think you're focusing on people who are under a specific, clear and present surveillance threat. Different arguments apply to those people than to the majority of people who "value their privacy" in a more nebulous sense.
If you put * on both sides of some text, you get polite emphasis.
> making normal communications between normal people less embarrassingly mass-snoopable is a very worthy goal.

Too bad an unsubsidized special-purpose phone will only address a tiny fraction of normal people.

> I hate to break it to you, but this is not going to keep you safe from a state-level adversary.

The creators acknowledged that fact [1]: "There is no such device that is NSA-proof," said Mike Janke, co-founder and CEO of Silent Circle, in an interview with Mashable, ahead of the launch. "If you are on the terrorist wanted list or a criminal, intelligence services will get into your device... There's no such thing as 100% secure phone."

[1] http://mashable.com/2014/02/24/what-is-blackphone/

(For a humorous take on nation-state threat models, read the hilarious USENIX article This World of Ours by James Mickens: http://research.microsoft.com/en-us/people/mickens/thisworld...)

> (For a humorous take on nation-state threat models, read the hilarious USENIX article This World of Ours by James Mickens: http://research.microsoft.com/en-us/people/mickens/thisworld...)

"Security research is the continual process of discovering your spaceship is a deathtrap" has to be one of the most apt descriptions of security research I've ever heard. What a great read!

Of course by "state-level adversary" you mean the United States. There are plenty of states with very poor computer attack capabilities, in fact most states aren't very good at it.

It's not merely being a target that is the problem, it is being a high priority target for a long period of time. Eventually they'll find a way to get your communications, but how many days or months does a technology buy you, at what cost to you and to them. Why do you think they are willing to spend that cost on people that aren't Snowden, Greenwald? It isn't win or lose, it's mitigation.

We should judge security technologies not on absolutes but on relative merits given the reasonable security goals we wish to achieve (note that Snowden was able to achieve communications security against the NSA/GCHQ long enough to complete his goal).

It is naive to think the US is the only country with means and motivation to launch major cyber-spying campaigns. http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab...
> When I need to communicate secretly I BUY SOMEONE A BEER.

Hi Richard, it has come to our attention that you have been secretively discussing leaking government information to our enemy in a pub in central London.

What's that you say? You didn't discuss private information? Then why did you try to conceal your handwriting on the napkin from our CCTV security cameras?

We'd like to take you in for questioning. If you resist this may end badly for you.

On a sidenote, if they at least have 2 separate SoCs on board, and a self rolled hardware firewall to make sure the baseband can't access things it shouldn't access, that may still be a great improvement to what we have right now. It still won't protect you from unknown hardware level exploits, but it's better than nothing.

The Soviets used to have a custom of taking long walks in the park when they wanted to have a private conversation.

It had the notable benefit of avoiding the hidden listening devices in their places of work/rest/play.

Great point. While you still could be spied on, for instance with a bug stuck onto your back or classified nano-drone (if it exists yet)... that would be extremely expensive. If they wanted you that bad, it's like, fine. Listen to me talk about my motorcycle.

The issue with computers is they are so, so, so cost effective to tap & data mine. And storage just keeps getting cheaper. Hence, illegal mass surveillance.

Also, I had to make a meme: http://i.imgur.com/bk16CyB.jpg

Probably the best idea would be to go swimming in the ocean with whomever you'd like to contact, since salt water and mechanical agitation probably diminish the reliability and functionality of most listening devices. But there's a continuum of practicality here. It's hard to imagine the Soviet commissars hopping in the water for an afternoon meeting.
EXACTLY.

By providing ready access to a stream of digital data and metadata about yourself, you're making their job easier.

Even if you use crypto, the mere fact that you use crypto is interesting enough to draw attention.

The point is to blend into the background. Do you think that crossing a border using the Blackphone isn't going to raise eyebrows? In denied areas the idea is to use equipment that looks ordinary and boring: a wristwatch or a calculator.

If for no other reason than an adversary might not know who you are, you reveal yourself to them by using a special-purpose tool.

It seems like you're saying "we should all use encryption as much as possible so it becomes the background". It also seems like you don't think you're saying that.
yes, and while that's all good the scenario is quite different. they were protecting from an external threat.

we're protecting from an internal one. the moment you go out the door, we're in the public. law enforcement doesn't really need an excuse to follow you around while you are in public.

on the other hand imho you can safely assume that all crypto will eventually be broken. the question is when, and will your adversaries still care at that point. not quite the same, but still kinda related: https://en.wikipedia.org/wiki/Venona_project

There can be mikes in the park too, of course. In 1984 there are, IIRC.
The cameras are already there.
Very curious, how did you discover that his name was Richard?

Edit: nm, I should have just googled it :)

Reuse of the same username across multiple social networks/forums, I would guess.
Uh HUH. Assuming Twitter has my real name that is. LOL.
If you sign as Foo and people address you as Foo I wouldn't say that you fooled them.
Obvious joke is obvious.
Google ‘nrsolis’, top result. Total time, 2 seconds.
Blimey! Which pubs do you go to?
If it made it harder for non-state adversaries to create profiles about you, it would still be a good thing. I don't want the Gov. to know about my private life. But neither do I want any search engine, online store or ISP to have that data.

So even though you are right, it's still better to choose a safer technology.

I haven't yet done enough research to argue for or against the phone's security, but your point about buying someone a beer is poignant.

By conversing over the phone or with a computer, we usually expose ourselves to a greater risk of eavesdropping. We should ask ourselves if the medium is worth the exposure to risk, considering, among other things, the privacy of the information we're sharing.

That preliminary question seems to be missing from conversations about online privacy.

So in fewer words, your solution to state spying is "don't even try fighting it".
No. It's UNDERSTAND YOUR ADVERSARY.

If I'm trying to protect myself from hackers, I choose one route. From my ISP, another. From FB/Google, another.

And from my government or your government, yet another.

What's missing here is honest dialogue about the limits of the technology. The best technology has yet to save people from their own foolishness.

But that seems a little like saying "the Internet is a spying machine - don't use it if you want privacy". I just think that's way too defeatist for my taste. If the Internet is a spying machine, then we need to find a way to communicate securely on it. I feel the same way about the phones.

Both the Internet and mobile phones are here to stay, and billions use them. You can't just say "don't use them". That's a big cop-out.

You can choose not to use certain providers, like using DDG instead of Google, or using Blackphone instead of the iPhone 5S. But you can't just use blanket statements like "don't use anything that's a big part of everyone's lives today."

Security is never a guaranteed thing - with or without NSA. That doesn't mean you shouldn't do your best to secure yourself. I feel the same about Blackphone. Granted, I'd prefer something that's fully open source, and I think those solutions are coming (perhaps an even more secure version of CyanogenMod with TextSecure v2 and RedPhone integrated into it), but I think every little bit helps, and I do think we're moving in the right direction - securing our conversations and networks. It's a process, not a goal.

We really need to rewrite the entire stack, carefully and with the intent of security, from open-source-DIY hardware up, to have any trust in technology.
You have fun. Get back to me that and see how it goes.
> I hate to break it to you, but this is not going to keep you safe from a state-level adversary.

Assuming it's not being built as a honeypot by a state-level adversary, it's also going to attract attention to you. Want to avoid surveillance -- as much as practical act like someone who isn't worried about surveillance.

BTW: "Buy someone a beer" -- True Detective episode 6 reference?

You love breaking this edge case to him as if it were the most important one. The adversary is more likely doing industrial espionage [1] and doesn't have those incomprehensibly limitless state-level resources.

[1] http://en.wikipedia.org/wiki/Industrial_espionage

Simplest way doesn't mean it's the best nor that it's always an option.

First of all, if you're under targeted surveillance, you're possibly better using electronic communications than meeting in-person. Then, it's not always possible to meet in person.

Then again, the clock on the wall in the pub might have a hidden microphone, or camera. This site is rather ingenious in where they put microphones/cameras (wall charger?) - supercurcuits.com
Generally, there are some trivial precautions that will frustrate all but the most concentrated effort. Things like TRESOR, grsecurity, /boot on a USB stick, etc.
Uh huh. What if I have a deal with Intel and your TRESOR code compiled into the kernel is easily profiled by the microcode and the key is itself silently transmitted/stored by the CPU?

Same with your USB stick.

Go read up on how the CIA sabotaged the Iranian nuclear enrichment centrifuges by compromising the supply chain of the power supplies (not the computer controls).

In that case, airgap and strict media discipline (once media touches the secure network, it's never used on insecure networks again) should do, no?

But my point is that most of us aren't foreign states trying to make nuclear reactors against the wishes of a superpower. We're more worried about things like common theft and border seizures.

That's going to be an expensive beer when you have to communicate secretly with someone on the other shore of the ocean.
What are cutouts?
I honestly didn't expect this definition of cutout to be a first page thing.
What is UBL?
A prerequisite for security is free software. Critical applications like the Silent Circle ones are proprietary, afaict. I have zero trust in the Blackphone and would not purchase one.
This Verge article [1] says “The company will open source the vast majority of its code for the phone in order for third parties to properly audit its techniques, find holes, and ultimately help to improve the product.”

1. http://www.theverge.com/2014/2/24/5441642/blackphone-silent-...

If they do, that would go a long way to convincing me this is a tidbit more secure than any other random Android device.

They should really have released their code at the same time they released their phone though.

I've talked to Silent Circle at conferences and what not. It is not like they have some crypto noob working on their project... They have Phil Zimmermann.

But, knowing nothing about them, when I asked them "How does your protocol compare to TextSecure's Axolotl?" the response was "We have Phil Zimmermann". So....I'm still a bit put off by them.

Some of their code is already open-sourced here. https://github.com/SilentCircle

As someone who works at Silent Circle (though not someone who can speak FOR SC), I'd say "Axolotl and SCIMP are both very good". Also, I don't know who you talked to, but keep in mind that not everyone working for SC is technical and can explain (or sometimes even knows) what Axolotl is/how it works.
That would be nice if they liberated some of the code. However, "vast majority" is another way of saying that the phone runs proprietary software. I think Replicant is still the only Android distribution that has the ability to provide any sort of real security to its users.
"the vast majority" is exactly not enough.
The irony is that bad crypto like this is worse than no crypto. It is probably more valuable to specifically target users of this phone because they "have something to hide".
I don't know, Phil Zimmermann, Jon Callas et al are hardly known for bad crypto.

Full disclosure: I work for Silent Circle and it's pretty damn secure. It's also open-source: https://github.com/SilentCircle

Are all of the silent circle applications free software? Do any of these applications depend on proprietary software to run?
They aren't developed in the open (they're opened up in certain releases), but the protocols themselves are open. The server software is proprietary, but the servers don't see any plain-text data.
Ah. Proprietary servers are a dealbreaker for me.
Transparently marketing fear. Apparently this phone is for you if you ever [0]:

> speak personally with a partner

> worry about your kids

Shameful.

[0] https://www.blackphone.ch/individuals/

I think most people need some fear about state spying. Most are still treating it like it's no big deal. It's like the Stasi are here and no one gives a damn. That should scare people. Maybe we're deeper into Huxley's world than we thought.
Amusingly enough, I think a large part of why people aren't more scared are sentiments like the ones you just expressed. It is plainly not "just like the Stasi are here" and the average person can see that. By overstating the threat we de-legitimise our concerns and apathy grows (similar to the effect the DARE program had on drug use). Is the expansion of state level surveillance cause for concern? Of course it is! However, we are by no means living in a police state and saying so is an insult towards the people working very hard to effect policy to keep it that way. In short, in my opinion, we should spread less fear mongering and more political activism if we want to see change in these policies.
Or perhaps people are treating it like a big deal because it turns out that the Stasi actually isn't here.
Um, I think you mean Orwell's world. Unless you're trying to compare us to people who are too busy getting high and going to senso-movies to care about anything important.

Or are you implying we make babies in factories?

Shipping in June is not exactly 'here'. Come back when independent people can verify and reproduce the software it is running.

Open sourcing "vast majority of its code" is not good enough -- this thing is selling security and if you can't rebuild it all yourself there's really no point.

So I’m guessing this still has a black-box baseband?
I'd say so.

See comments from previous post about a month ago: https://news.ycombinator.com/item?id=7062748

It's a bit disconcerting to see that it comes with software "enabled for at least 2 years of usage".
Yeah I wondered the same thing. Needs some clarification - it reads to me like "we plan to be in business for at least 2 years, during which time your phone will work", but leaves me wondering how useful the phone would be if they went out of business.
Why? I believe that sentence refers to extra software/services that’d normally be paid.
It does, you get 2 years' worth of subscription to various services.
"A $700 high-powered tracking device that protects your privacy!" What a scam.
But ... but it's black !
How compatible is the OS with 'normal' android apps?

Since 4.4 I have been able to, at least to some level, revoke some basic rights that apps have, like seeing my contacts (through app shield or whatever). If I am able to download apps from the 'normal' Android store, is access that those apps have somehow controlled as well? Some sort of sandbox mode would be nice.

From an interview I read a while ago I got the impression that Blackphone wouldn't claim to protect from state-level adversaries, and maybe if you were to ask them to be explicit about it they really don't. One could easily come away with another impression from the description here though.

That's a shame, since protection from state level adversaries is really what's at the top of my feature wish list, and that probably goes for a fair amount of other people too, in this day and age.

Is anyone here aware of cell-phone-like projects that have potential to resist exploitation of the type we've seen reported from Five Eyes? I'd be particularly curious about ways to mitigate the location tracking.

I am not sure why anyone needs that.

You can have basically secure messaging on the phone today. You can use Replicant (libre software) on many phones where there probably are no backdoors, you can use OTR with Xabber (you can build it yourself), there are probably applications for PGP too.

Yeah, Replicant will fail to work on many phones and on those that work, half of the functionality is missing ( http://redmine.replicant.us/projects/replicant/wiki/Replican... ) - but trying to sell a non-free phone as "secure" is snake-oil anyway. In my humble opinion.

Reminds me of this classic comment: https://news.ycombinator.com/item?id=9224

Guy complaining that dropbox is useless because "For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem."

Yes, one can do all that but I think the market Blackphone is going for is the paranoid but less tech savvy crowd that wants a working solution out of the box. I am not saying this implementation is an actual working solution...
Sadly, we live in a world where it's quite possible that phones like these are nothing more than a ploy to lure NSA targets in. They need to get people, who have something to hide, to feel safe again.
For $629 you could buy quite a few one-time or short-time use trac phones that you buy with cash. Wouldn't that be more secure/private than this?
Burners are an effective defense against single-phone-number taps.

But in an era of dragnet surveillance and meta-data analysis [1] they're not very useful.

Unless you're calling varying phones, at varying places, from varying places, at varying times, all with no discernible pattern or schedule -- it would be easy enough for them to identify a network of burners and determine which ones belong to which individuals on the network based on that meta-data. And if anyone in the network carried or used a 'real' phone alongside the burner, it would only get easier.

And you can Google search on the news wires to see how well people do at this game, even when they know their lives are literally on the line and thus devote a significant portion of their effort toward it.

[1] Done well-enough to be confident-enough to lob hellfire missiles at SIM cards in not-quite-friendly countries...

Maybe if you speak in code the whole time, and never reveal the identities of both of you. The contents of the conversation will not be secure, so you have to assume they are hearing it, but don't understand what you're talking about. That may be a little difficult.
What about the 'second operating system?' The baseband software? http://www.osnews.com/story/27416/The_second_operating_syste...
It seems like just avoiding mainstream popular services is enough to regain a lot of privacy, if the agencies look no further than Verizon, Google, Twitter, Facebook. They know exactly what my parents' activities are.
"Select 3rd party apps". Now there's a crazy idea -- what if the maker of the device vetted the apps that run on the device?

Crazy idea. It just might work.

WHY use a vpn when you can already use Tor on android?
So is this PrivatOS open source, or irrelevant?
Hardware android buttons? What is this, 2010?
Nope, it's still there.
That "unique combination" does not assure me but reminds me of the curse "may you live in interesting times".
Gee, you think being on Blackphone's mailing list I would like maybe get an email that it's available.

Edit: Ha! I just received the email...