Not sure if I trust this....
...but if it is true, it has my support.
A smartphone that tries to thwart eavesdroppers will be launched this summer by Spanish smartphone maker Geeksphone and Silent Circle – the secure chat firm started by the inventors of PGP encryption. Dubbed Blackphone, and featured in the video above, the handset runs a hardened version of Android called PrivatOS that has …
Do something simple: look up the MX record (mail exchange) so you know which server handles their email, then run a geo location on it.
; <<>> DiG 9.8.3-P1 <<>> blackphone.ch mx
;; ANSWER SECTION:
blackphone.ch. 600 IN MX 10 mail.blackphone.ch.
As with Silent Circle, you'll end up in the US. Game over. If a company cannot be bothered to take care of its client's privacy in EVERY detail, I'm not interested, and I predicted the manner of closing of Silent Circle before they even went live: US law.
It may be good technology they're developing, but as long as there is even a whiff of US involvement around this it's worth avoiding. All you'll do is mark yourself as a target.
It's still a flavour of Android though - a very insecure foundation to build a 'secure' phone on...
Opinions vary on that topic.
Against:
- it's designed by an entity whose entire focus is on data acquisition, and who appears not too bothered about bending or ignoring a couple of rules along the way
- it has fairly primitive app access controls
For:
- it's relatively open, although I haven't been following Android closely enough to know if really ALL source code has been published (happy to hear updates)
- its openness allows security researchers to load apps that can go quite a bit further in mining possible risks
From a security perspective that seeks proof I think a Linux (rather than Android) phone might be the way to go, but there are precious few of those. That is, unless Blackberry has an aha moment and opens up - QNX is quite an impressive platform, but to allow Android apps on a platform that was formerly sold on its security credentials feels like inviting thieves to the jewellery store. Such apps can form a bridgehead to start chipping away at the security of the QNX side of things.
Anyway, there's now enough dust flying to make a secure phone a viable business concept and there are plenty of wannabees who haven't quite worked out what dangerous waters they're about to wade into...
They still harvest metadata about all your calls -- including tower / GPS info -- from the service providers. If they know everyone you call, when you call them, call duration, your location at the time of the call, etc., then protecting the content of the calls is of limited value.
> then protecting the content of the calls is of limited value.
I am guessing that the market for this product are businesses vulnerable to industrial espionage. I can see at least one of my clients providing one of these to every employee and ensuring that company-internal calls can only be made through them.
"I am guessing that the market for this product are businesses vulnerable to industrial espionage. I can see at least one of my clients providing one of these to every employee and ensuring that company-internal calls can only be made through them."
I'm guessing that Los Zetas would like them too. Using these phones in conjunction with their private cellphone networks will really give them the privacy they need.
"I am guessing that the market for this product are businesses vulnerable to industrial espionage. I can see at least one of my clients providing one of these to every employee and ensuring that company-internal calls can only be made through them."
Currently the PGP Blackberries are very nice. The only huge issue is user education i.e. do not make non encrypted calls on it to say good night to the babies. Do not carry it with your normal mobe as once they track the other they know you have the black one. Turn it off an hour before travelling to the airport with battery out. Turn it on an hour after landing and clear of airport. get someone else to create PGP key as plausible deniability is a wonderful thing. Be aware that once you go through security at English airports (and other international ones) UK law does not necessarily apply. Change it every 6 months and destroy phone and Sim. Make sure you have a six month package covering all calls and data and pay for it in cash [1.]
Not only businesses but journalists, lawyers, traders, mercenaries cough, err i mean security contractors, whistle blowers, tax dodgers, hookers and old uncle Tom Cobbley and all could benefit from these devices.
1. Grrr, what is wrong with cash? why do people need to pay for very cheap items with a credit card?
I'm guessing that the first customers will be governments. I would insist that the first and second editions are sold in large batches at very high prices until those with the money have a surfeit.
After that they can bring the prices down so the people they sold the expensive ones to can't hear the people they sold the cheaper ones to. That way the bad guys will pay for the R&D.
That's why it doesn't work like that.
Voice -> app -> encryption -> phone -> mast-> internet -> "Silent Network"
"Silent Network" then sends data to the receiving phone's App over IP; you don't just call each other up...
So the metadata will only really show that you send packets to Silent Network ...
Obviously that's as long as Silent Networks calling system is as safe as they say it is...
This is a pointless exercise. It bears repeating that what the agencies want most of all is the metadata - whom is talking to whom. Once they determine that you are connected to a 'person of interest' they can, if so desired, bring nation-state resources to bear in finding out what you talk about. In that match up my money isn't on you.
"If you want to conceal the metadata, then yes but if you want to conceal the actual conversation, then it would appear to be fit for purpose."
I agree, although there is a flaw in that proof is not needed if you're dragged in front of one of the secret "courts" that our governments now run. In that case, the metadata will probably be enough (and, to be fair, they'll probably lock you up even without that much evidence, as so many people in Guantanamo have discovered). The fact that we're being governed by secret organizations is at least as big a problem as anything the terrorists are doing not least because these secret organizations are largely responsible for recruiting and motivating more terrorists. Without Blair and Campbell's minuteless meetings of "Intelligence Heads" there would have been no 7/7 bombings in London.
I agree, although there is a flaw in that proof is not needed if you're dragged in front of one of the secret "courts" that our governments now run. In that case, the metadata will probably be enough (and, to be fair, they'll probably lock you up even without that much evidence, as so many people in Guantanamo have discovered). The fact that we're being governed by secret organizations is at least as big a problem as anything the terrorists are doing not least because these secret organizations are largely responsible for recruiting and motivating more terrorists. Without Blair and Campbell's minuteless meetings of "Intelligence Heads" there would have been no 7/7 bombings in London. .... Robert Long 1 Posted Thursday 16th January 2014 08:55 GMT
What do you think terrorists will do whenever they learn that the likes of a Blair and a Campbell are directly responsible for their plight, Robert Long 1? And should they do whatever they would propose to do?
And here be something today, about something from ages ago, which agrees wholeheartedly with your post ...... http://www.zerohedge.com/news/2014-01-15/guest-post-america-plunging-kafkas-nightmare
It be an inescapable fact, that whenever that which be perceived and/or named by the system to be an enemy of states and/or the status quo, knows the system, does the system leadership have zero chance of surviving in anything like its present phorms with current players.
Re: Just desserts, an unnecessary evil or great force for good?I understood that.
Are you ill? .... dogged Posted Thursday 16th January 2014 12:54 GMT
Doing just fine, dogged. Thanks for asking.
I like to think that one is getting smarter whenever one starts to understand things that before may have been incomprehensible to one. :-)
And as more and more information is dumped around the world in an instant, for anyone with any number of increasingly simply complex devices to pick up, is intelligence bound to dramatically improve and spread, and cause any system which has stupid dirty little secrets to hide to self-implode and collapse.
Such is only natural.
A secure phone OS.
A secure voip application.
A secure interconnect.
All seems to good to be true. All from from ONE provider. Suddenly seems less secure.
Secure comms is a very difficult field indeed. Csipsimple over a VPN to a private PBX is near perfect but sluggish. Cellcrypt is expensive and frankly.. private. Redphone is very good, but Twitter involvement and no open source server is worrying (No disrespect meant to moxi who is frankly pretty awsome) - though with willpower the redphone can be made to work with your own UDP infrastructure.
Until general android security is made more robust, then all is moot. What follows should be interesting; the powers that be may well have to pay an awful lot of companies an awful lot of money for Sssshh money.
This post has been deleted by its author
This is what BlackBerry needs to be doing right now. .... JBarry Posted Thursday 16th January 2014 01:00 GMT
What makes you not think that they have already done it, JBarry?
It is not as if it would be anything anyone clever would be telling the world and his dogs of war about, is it?
* To spin the yarn and try to create the impression and perception that one is collecting base source and analysing all metadata and reprogramming everything in light of what one is supposed to have discovered, delivers one's intelligence services capabilities, or lack of intelligent service capability, to all and sundry in the universe by means of what the browser displays as new news to consider [such as the likes of the tales shared here on El Reg] for each and every new day with its attendant breaking zeroday vulnerabilities to exploit. It is the gift which just cannot stop itself and just keeps on giving.
A cellular phone is a radio transmitter. In the United States and Canada, without very special permission, it is illegal to transmit encrypted signals over the radio. That hasn't been enforced in the case of people visiting secure web sites from their smartphones, but I think they'd find that law again when people started trying to put SIM cards in smartphones with an encrypted voice capability.
The problem with this light encryption is legalintercept (included with all telco equipment, disabled by default unless they pay the license fee). Encryption does exist but is not end to end. It is end to telco, then unencrypted telco to telco, and finally encrypted telco to end.
A5/1 is broken, any individual with 2 terabyte 'berlin rainbow tables' can listen in if they are smart enough for about 500 quids worth of computer and phone handset hardware.
Well that might explain why the development of this phone happens in Europe. Perhaps US is not a good market for security concious after all (unless you define "secure" by "owning a gun"). I think the rest of the world will be happy to throw a spanner into spying activities of US agencies, and if privacy is denied to US residents, that is something they should sort out themselves.
@ John Savard:
May be you are correct about US regulations BUT CANADA doesn't block encrypted communications, based on hardware or software, I know companies that use encryption. Encrypted non-government mobile communications has been used for years.
Additionally, the Blackberry/RIM was encrypted and no one complained about them, either.
Even authoritarian governments, such as VietNam, permit software encryption on any communications in the country. Not that it's easy to tell the difference over the air.
Too many people think Canada is the 51st State and slavishly follows the USA. We don't. We even have government-run drug shoot-em up store fronts in Vancouver, that went ahead even though the US tried to stop them.
I would nobble the chips to radiate more EM (Spread Spectrum Clocking to pass FCC regulations I'm sure helps with this). Then with 24/32bit interleaved high speed ADC's I would just read the data of the chips RF as they process it.
The metadata they collect already is enough to see who they "should" be spying on, then if they really need to see the data they can spend big money and track with humans and mobile antennas arrays. It does not matter how high you build your fence if a government wants to spy on you, as an individual, they will. There is little you can do to block them.
Let's see, Android -> Google -> American = check. Phil Zimmerman -> Silent Circle -> American = check.
So you're telling me they don't have to comply with what their own government wants in a secret court / backdoor dealing. I respect Phil for creating PGP, I'm pretty confident in him, but he is still an American citizen.
I might consider giving a phone some trust if it was made by a Swiss in Switzerland based off FreeBSD/Debian.
@ 02X7Cm:
Phil Zimmerman has the creds for fighting the US government his whole career. Just because Clapper lies his face off doesn't imply all Americans do.
I remember the weekend, long ago, when PGP was released via BBS. Not the greatest User Interface then but it shook the USA government up.
The export of encryption was illegal under Munitions law, without a licence, and by using BBS Zimmerman defeated/circumvented the laws as he didn't export it - users/downloaders did. The code was even featured on T-shirts and the prohibition didn't apply to T-shirts.
I presently work on equipment barred under British, Canadian and US law, of which countries I am a passport-holding citizen, but since it is very lawful where I live, I am in compliance. Exactly what Silent Circle is doing.
"So you're telling me they don't have to comply with what their own government wants in a secret court / backdoor dealing"
If it's a Swiss company and Zimmerman and pals 'airgap' themselves from the production binaries - e.g. by not contributing code for the project, or by only contributing with source code that has to be thoroughly reviewed by non-american staff before being accepted- then the NSA can do fuck all about it. It's a slow and cumbersome way of doing business, but that's nothing new in the encryption/paranoia domain.
Of course, you can't totally discard the yanks bribing or blackmailing some of the Swiss employees. Or even performing ye good olde rubber hose decryption method on said employees. :-(
I may have missed something, but, for this level of encryption to work, I am assuming the communication has to be between to "Black 'phones" ? And if that is the case, then the main target market /will/ be commercial / business et al.
Consumers simply won't buy it because they don't know anybody else with one.
Like me and BlackBerry Playbook: brilliant 7 inch tablet, but the video link is pointless because I don't know anybody else with a Playbook. Even my wife has a Googlly Androidy thing......
Alan was a God and much maligned.
Yes he was gay but as a great alcoholic Irish writer once said, "every cripple has his own way of walking". In an Irish context that means all of us.
Don't shoot the messenger, even if they are wearing those shirts with PGP source code on them. A long time ago they were the fashion item 'de rigeur' for crossing into Mexico.
I remember the days when pattern analysis, frequency analysis, linguistic frequency and iteration was relevant.
Now I is p0wned by the man with the black helicopter and I is sad.
I do have a cunning plan though, I am thinking of raising an armed militia or perhaps a religious sect that ensures all women above 45 and with red hair surrender themselves to the master.
p.s.
Don't tell my wife or I will not be allowed out for the next few months.
We've learned the hard way that you can't trust any OS, the interface is 2 large, same for anything downloaded via BT? GCHQ? Telco? So does anyone know how they intend to deal with this? We've seen attacks that use the accelerometer to decode text entry. So you can't trust your OS CPU, you need to peel 10% of your big chips to ensure they don't carry hidden riders, you have to isolate all your interface I/O (screen, mic, speaker, acceleromter and probably GPS and related A/Ds) and you want a power switch you can trust to actually turn the thing off. Maybe you have hard black/red partitions? Right down to separate EMI boxes? Maybe even run a fibre between black and red partitions?