
I hate to break it to you, but this is not going to keep you safe from a state-level adversary.

I could drone on about this for pages and pages, but the sad fact is that if you are a target, it doesn't matter that you are using a "secure phone", "secure OS", or "encryption".

Time and time again, these systems have been broken or breached with simple tradecraft and subtle sabotage.

The Pentagon has a concerted (and expensive) effort to validate or verify the absence of "backdoors" or evidence of "additional circuitry" on ASICs or subsystems of its major weapons systems and associated gadgetry. Do you?

I tell people that their simplest way to avoid having their communications intercepted is to NOT. USE. AN. ELECTRONIC. COMMUNICATIONS. DEVICE.

UBL used couriers, flash drives, and cutouts. If you need that level of protection, SO SHOULD YOU.

When I need to communicate secretly I BUY SOMEONE A BEER.



> I hate to break it to you, but this is not going to keep you safe from a state-level adversary.

I don't really like this kind of anti-crypto argument. At this point I think making normal communications between normal people less embarrassingly mass-snoopable is a very worthy goal. For the time being, people who really, really have something to hide need to be extra careful (as has always been the case).

Which is not to say I'm feeling particularly enthusiastic about this device.


This line of reasoning is sound; it's better than the current situation, and it's likely to work for a while as a minority solution to unsurveilled communications.

For a discussion of the _huge_ value of _international_ telecommunications, which can't be replicated by in-person communication, I recommend "Talking to Vula" by the ANC (who were considered a terrorist group in many countries for a long time): http://www.anc.org.za/show.php?id=4693


Ditto.

At the end of the day, state actors all have finite resources. If we continuously tell people to not bother with crypto at all, then we are being self-defeating.

Right now targeting those that use crypto is like shooting fish in a barrel. So few people are using crypto regularly, that they are incredibly easy to single out. If everyone used crypto, the amount it would cost state actors to find and further investigate individuals would quickly overwhelm the current resources of those state actors.

Obviously people using these devices need to know they aren't foolproof and only use them for casual secrets that at most implicate, but not provide solid proof of activities considered subversive by a state actor.

Making the cost of dragnet mass surveillance phishing expeditions prohibitively expensive should be goal number one right now in the crypto community. State actors commit the crime of violating everyone's privacy because it is so incredibly easy and cheap to do so.

I don't know how much it currently costs for state intelligence agencies to investigate an individual, but whatever it is now, I would hope the price were one to two orders of magnitude more expensive than it currently is and be at least in the 7 figure range. If someone really is a terrorist bent on causing lots of damage and killing civilians, it is trivial to justify spending 7 figures on surveilling that individual. The benefit of making it super expensive to surveil everyone, is that these state agencies can no longer casually surveil those it shouldn't be, such as American lawyers doing work protected by attorney client privilege [0].

At the end of the day, although state actors have deep pockets, they are bounded to some degree by market factors like what activities they can legitimately justify given the cost of surveillance and the amount of talent they have available.

[0] http://www.nytimes.com/2014/02/16/us/eavesdropping-ensnared-...


I think the problem with a device like this is that the kind of person who would be interested to use this just may be precisely the kind of person that the NSA would like to keep tabs on, just in case. Enough so, that an NSA worried about the Snowden leaks could theoretically come up with this idea as a way to corral folks trying to escape the "conventional" channels. Particularly with an ex-Navy Seal as CEO (no longer trusts the US government?), what's to say that there isn't some other vulnerability built into the core of this device. “Just because you're paranoid doesn't mean they aren't after you”. ― Joseph Heller


I would like to think that the business folks that purchased Blackberry devices for the security mechanisms would be interested in a device like this now that it's been made clear that Blackberry was compromised. Of course if someone really wants you, they're going to get your data. But a device like this might be (imho) a good solution for most business level data protection of the sort people thought they would be getting from Blackberry.


It's not anti-crypto. It's PRO-tradecraft.

Introducing technology into a system can WEAKEN your security. Knowing that is almost 90% of the battle.


I think you're focusing on people who are under a specific, clear and present surveillance threat. Different arguments apply to those people to the majority of people who "value their privacy" in a more nebulous sense.


If you put * on both sides of some text, you get polite emphasis.


> making normal communications between normal people less embarrassingly mass-snoopable is a very worthy goal.

Too bad an unsubsidized special-purpose phone will only address a tiny fraction of normal people.


> I hate to break it to you, but this is not going to keep you safe from a state-level adversary.

The creators acknowledged that fact [1]: "There is no such device that is NSA-proof," said Mike Janke, co-founder and CEO of Silent Circle, in an interview with Mashable, ahead of the launch. "If you are on the terrorist wanted list or a criminal, intelligence services will get into your device... There's no such thing as 100% secure phone."

[1] http://mashable.com/2014/02/24/what-is-blackphone/

(For a humorous take on nation-state threat models, read the hilarious usenix article This World of Ours by James Mickens: http://research.microsoft.com/en-us/people/mickens/thisworld...)


>(For a humorous take on nation-state threat models, read the hilarious usenix article This World of Ours by James Mickens: http://research.microsoft.com/en-us/people/mickens/thisworld...)

"Security research is the continual process of discovering your spaceship is a deathtrap" has to be one of the most apt descriptions of security research I've ever heard. What a great read!


Of course by "state-level adversary" you mean the United States. There are plenty of states with very poor computer attack capabilities, in fact most states aren't very good at it.

It's not merely being a target that is the problem, it is being a high priority target for a long period of time. Eventually they'll find a way to get your communications, but how many days or months does a technology buy you, at what cost to you and to them. Why do you think they are willing to spend that cost on people that aren't Snowden, Greenwald? It isn't win or lose, it's mitigation.

We should judge security technologies not on absolutes but on relative merits given the reasonable security goals we wish to achieve (note that Snowden was able to achieve communications security against the NSA/GCHQ long enough to complete his goal).


It is naive to think the US is the only country with means and motivation to launch major cyber-spying campaigns. http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab...


> When I need to communicate secretly I BUY SOMEONE A BEER.

Hi Richard, it has come to our attention that you have been secretively discussing leaking government information to our enemy in a pub in central London.

What's that you say? You didn't discuss private information? Then why did you try to conceal your handwriting on the napkin from our CCTV security cameras?

We'd like to take you in for questioning. If you resist this may end badly for you.

On a sidenote, if they at least have 2 separate SoC's on board, and a self rolled hardware firewall to make sure the baseband can't access things it shouldn't access, that may still be a great improvement to what we have right now. It still won't protect you from unknown hardware level exploits, but it's better than nothing.


The Soviets used to have a custom of taking long walks in the park when they wanted to have a private conversation.

It had the notable benefit of avoiding the hidden listening devices in their places of work/rest/play.


Great point. While you still could be spied on, for instance with a bug stuck onto your back or classified nano-drone (if it exists yet)... that would be extremely expensive. If they wanted you that bad, it's like, fine. Listen to me talk about my motorcycle.

The issue with computers is they are so, so, so cost effective to tap & data mine. And storage just keeps getting cheaper. Hence, illegal mass surveillance.

Also, I had to make a meme: http://i.imgur.com/bk16CyB.jpg


Probably the best idea would be to go swimming in the ocean with whomever you'd like to contact, since salt water and mechanical agitation probably diminish the reliability and functionality of most listening devices. But there's a continuum of practicality here. It's hard to imagine the Soviet commissars hopping in the water for an afternoon meeting.


EXACTLY.

By providing ready access to a stream of digital data and metadata about yourself, you're making their job easier.

Even if you use crypto, the mere fact that you use crypto is interesting enough to draw attention.

The point is to blend into the background. Do you think that crossing a border using the Blackphone isn't going to raise eyebrows? In denied areas the idea is to use equipment that looks ordinary and boring: a wristwatch or a calculator.

If for no other reason than an adversary might not know who you are, you reveal yourself to them by using a special-purpose tool.


It seems like you're saying "we should all use encryption as much as possible so it becomes the background". It also seems like you don't think you're saying that.


What I'm saying is that this technology is a small piece of a solution set to a big, hard problem.

Technology and crypto are the easy parts. Infrastructure, legislation, and user behavior are the bigger pieces and a much harder problem.

We have had secure email systems for better than two decades. They are VERY poorly deployed. Why? We have had secure voice systems for even longer. Why is the encryption on these systems so poorly designed?

I don't trust machines to keep my secrets for these very reasons. I have little faith that more crypto will fix anything. That's what I'm saying.


A nit: Email encryption is very hard to get right, but voice encryption is a solved problem (Silent Phone, RedPhone, etc do it very well).


Voice encryption was available with the STU-III for a long long time.

When was the last time you saw a STU-III in an office? Ever? It's because the security capability isn't worth the trade off and friction it creates for business.

The dirty little secret is that the whole process of doing key exchange and verifying that you have a solid connection between two trusted parties is NOT a widely solved problem.

TRUST between two parties that have never met is NOT a solved problem at scale unless you consider SSL a solution and there are a lot of people who think that SSL is broken in many regards.

Think of all the features that a modern enterprise phone system has:

Call waiting
Three way calling
Conference bridges
Voicemail
CallerID
Call Parking
Assistant Mode
...et al.
Regulatory archiving

You don't get ANY of those with ANY commercially available secure phone system. The same problems you have with using secure email at scale you have with secure voice.


yes, and while that's all good the scenario is quite different. they were protecting from an external threat.

we're protecting from an internal one. the moment you go out the door, we're in the public. law enforcement doesn't really need an excuse to follow you around while you are in public.

on the other hand imho you can safely assume that all crypto will eventually be broken. the question is when, and will your adversaries still care at that point. not quite the same, but still kinda related: https://en.wikipedia.org/wiki/Venona_project


There can be mikes in the park too, of course. In 1984 there are, IIRC.


The cameras are already there.


Very curious, how did you discover that his name was Richard?

Edit: nm, I should have just googled it :)


Reuse of the same username across multiple social networks/forums, I would guess.


Uh HUH. Assuming Twitter has my real name that is. LOL.


If you sign as Foo and people address you as Foo I wouldn't say that you fooled them.


Obvious joke is obvious.


Google ‘nrsolis’, top result. Total time, 2 seconds.


Blimey! Which pubs do you go to?


If it made it harder for non-state adversaries to create profiles about you, it would still be a good thing. I don't want the Gov. to know about my private life. But neither do I want any search engine, online store or ISP to have that data.

So even though you are right, it's still better to choose a safer technology.


I haven't yet done enough research to argue for or against the phone's security, but your point about buying someone a beer is poignant.

By conversing over the phone or with a computer, we usually expose ourselves to a greater risk of eavesdropping. We should ask ourselves if the medium is worth the exposure to risk, considering, among other things, the privacy of the information we're sharing.

That preliminary question seems to be missing from conversations about online privacy.


So in fewer words, your solution to state spying is "don't even try fighting it".


No. It's UNDERSTAND YOUR ADVERSARY.

If I'm trying to protect myself from hackers, I choose one route. From my ISP, another. From FB/Google, another.

And from my government or your government, yet another.

What's missing here is honest dialogue about the limits of the technology. The best technology has yet to save people from their own foolishness.


But that seems a little like saying "the Internet is a spying machine - don't use it if you want privacy". I just think that's way too defeatist for my taste. If the Internet is a spying machine, then we need to find a way to communicate securely on it. I feel the same way about the phones.

Both the Internet and mobile phones are here to stay, and billions use them. You can't just say "don't use them". That's a big cop-out.

You can choose not to use certain providers, like using DDG instead of Google, or using Blackphone instead of the iPhone 5S. But you can't just use blanket statements like "don't use anything that's a big part of everyone's lives today."

Security is never a guaranteed thing - with or without NSA. That doesn't mean you shouldn't do your best to secure yourself. I feel the same about Blackphone. Granted, I'd prefer something that's fully open source, and I think those solutions are coming (perhaps an even more secure version of CyanogenMod with TextSecure v2 and RedPhone integrated into it), but I think every little bit helps, and I do think we're moving in the right direction - securing our conversations and networks. It's a process, not a goal.


We really need to rewrite the entire stack, carefully and with the intent of security, from open-source-DIY hardware up, to have any trust in technology.


You have fun. Get back to me that and see how it goes.


> I hate to break it to you, but this is not going to keep you safe from a state-level adversary.

Assuming it's not being built as a honeypot by a state-level adversary, it's also going to attract attention to you. Want to avoid surveillance -- as much as practical act like someone who isn't worried about surveillance.

BTW: "Buy someone a beer" -- True Detective episode 6 reference?


You love breaking this edge case to him as if it were the most important one. The adversary is more likely doing industrial espionage [1] and doesn't have those incomprehensibly limitless state-level resources.

[1] http://en.wikipedia.org/wiki/Industrial_espionage


Simplest way doesn't mean it's the best nor that it's always an option.

First of all, if you're under targeted surveillance, you're possibly better using electronic communications than meeting in-person. Then, it's not always possible to meet in person.


Then again, the clock on the wall in the pub might have a hidden microphone, or camera. This site is rather ingenious in where they put microphones/cameras (wall charger?) - supercurcuits.com


Generally, there are some trivial precautions that will frustrate all but the most concentrated effort. Things like TRESOR, grsecurity, /boot on a USB stick, etc.


Uh huh. What if I have a deal with Intel and your TRESOR code compiled into the kernel is easily profiled by the microcode and the key is itself silently transmitted/stored by the CPU?

Same with your USB stick.

Go read up on how the CIA sabotaged the Iranian nuclear enrichment centrifuges by compromising the supply chain of the power supplies (not the computer controls).


In that case, airgap and strict media discipline (once media touches the secure network, it's never used on insecure networks again) should do, no?

But my point is that most of us aren't foreign states trying to make nuclear reactors against the wishes of a superpower. We're more worried about things like common theft and border seizures.


That's going to be an expensive beer when you have to communicate secretly with someone on the other shore of the ocean.


What are cutouts?



I honestly didn't expect this definition of cutout to be a first page thing.


What is UBL?



