I hope for all our sakes that this phone really takes off.
That would send a strong message to govt, telcos, and manufacturers that privacy still counts for something.
The launch of the privacy-focused Blackphone attracted plenty of attention at Mobile World Congress last week, but security experts are already warning privacy-conscious potential users not to get too carried away. The technology has limitations and even its developers acknowledge it is not "NSA-proof". Blackphone is scheduled …
The problem is that if it REALLY works there will be all sorts of creativity taking place courtesy of pissed off intelligence services. DDoS of their server park, personal mud slinging, massive press exposure as soon as the first child molester is caught with such a phone - the works.
The first problem I see is that it is a US-based enterprise, which means they haven't learned from what happened with Lavabit and the Silent Circle email service. There is no conceivable way this can be executed with a US-based HQ because it enables all sorts of threats, from laws such as the Patriot Act to the promise of perpetual IRS audits of the people involved.
Until that HQ leaves the US I do not consider this product viable.
"It's made by a major US defence contractor, its main customers are US govt agencies who want to drop Blackberry."
The US DoD, the NSA included, all have secure cell phones already, both Blackberry and non-Blackberry units.
I loved the crap about "jumping through hoops" over the use of crypto. If the military can use it, anyone can. I know that one well enough, I spent nearly 28 years of my life in the US military.
The NSA isn't the only game in town in defending "the motherland" (damn, but I hate that word, it reminds me of fascism). The DoD has plenty of cyberwarfare and cyberintelligence about, they're quite good at what they do, as are the folks in Russia and the PRC (and pretty much every other nation on the planet).
I know that firsthand as well, courtesy of my IASO duties and briefings.
My only real worry is that cyberwarfare might become too tempting, which would result in *real* harm to infrastructure and result in a reprisal via WMD retaliation.
In 2008 we already saw cyberwarfare used by the Russians in Georgia.
What could happen if such an event was exchanged between nuclear armed nations makes one shudder.
It will also interoperate securely with any other phone running the Silent Circle apps on either Android or iOS, which means there are already vast numbers of handsets out in the world able to participate safely in the ecosystem.
And so we need to buy a Blackphone why again?
Why not just use a Silent Circle app on our current, cheaper phones?
"Why not just use a Silent Circle app on our current, cheaper phones?"
Note the bit about trimmed down, secured OS.
Android is notorious for its lack of security and generosity to app developers in terms of information being given by users.
I've already dismissed 50 different apps due to their excessive data gathering requirements to install. That number will grow, as I have only had my Android for a month.
Herein lies the real mountain of insecurity. It isn't the OS, it's the apps we run.
What we want is a decent gmaps replacement and VPN back to my own home server for email etc.
Perhaps a better compromise would be a virtualised phone which pretends to provide your phonebook to the app but really gives the app nothing but a filtered view with the phone records and fields you say it can have. So maps gets addresses but not phone numbers, Facebook gets nothing, Skype gets Skype IDs but not telephone numbers, games get nothing. All the apps think they have access but there's just no data.
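An added example, not from the thread, of the filtered-view idea in the post above: a broker that answers every app's contact lookup but projects only the fields the policy grants, so the caller cannot distinguish "filtered" from "full". The package names, the policy table and the phonebook are constructed for the demo.

```go
package main

import "fmt"

// Contact is one record in a constructed sample phonebook.
type Contact struct {
	Name    string
	Phone   string
	Address string
	SkypeID string
}

// Field names that a policy can grant. Any field not granted is blanked.
const (
	FieldName    = "name"
	FieldPhone   = "phone"
	FieldAddress = "address"
	FieldSkypeID = "skype_id"
)

// Policy maps an app identifier (hypothetical package names) to the fields it may see.
// An app that is absent, or present with an empty grant, receives no records at all.
var Policy = map[string]map[string]bool{
	"com.example.maps":     {FieldName: true, FieldAddress: true}, // addresses, never numbers
	"com.example.skype":    {FieldName: true, FieldSkypeID: true}, // Skype IDs, never numbers
	"com.example.facebook": {},                                    // nothing
	// games and anything unlisted: nothing
}

// SampleBook returns the constructed phonebook used by main and the tests.
func SampleBook() []Contact {
	return []Contact{
		{Name: "Alice", Phone: "+44 7700 900001", Address: "1 High St", SkypeID: "alice.example"},
		{Name: "Bob", Phone: "+44 7700 900002", Address: "2 Low Rd", SkypeID: "bob.example"},
	}
}

// ContactsView is the broker between the real phonebook and an app. The call always
// succeeds, so the app cannot tell it is being filtered, but every field outside the
// app's grant is empty, and an app with no grant gets an empty (non-nil) list.
func ContactsView(app string, book []Contact) []Contact {
	out := make([]Contact, 0, len(book))
	allowed := Policy[app]
	if len(allowed) == 0 {
		return out
	}
	for _, c := range book {
		var v Contact
		if allowed[FieldName] {
			v.Name = c.Name
		}
		if allowed[FieldPhone] {
			v.Phone = c.Phone
		}
		if allowed[FieldAddress] {
			v.Address = c.Address
		}
		if allowed[FieldSkypeID] {
			v.SkypeID = c.SkypeID
		}
		out = append(out, v)
	}
	return out
}

// FieldsSeen lists the field names that are non-empty anywhere in a view, in a fixed
// order. This is the check an auditor runs against a view instead of trusting the
// policy table by eye.
func FieldsSeen(view []Contact) []string {
	seen := map[string]bool{}
	for _, v := range view {
		seen[FieldName] = seen[FieldName] || v.Name != ""
		seen[FieldPhone] = seen[FieldPhone] || v.Phone != ""
		seen[FieldAddress] = seen[FieldAddress] || v.Address != ""
		seen[FieldSkypeID] = seen[FieldSkypeID] || v.SkypeID != ""
	}
	var out []string
	for _, f := range []string{FieldName, FieldPhone, FieldAddress, FieldSkypeID} {
		if seen[f] {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	book := SampleBook()
	for _, app := range []string{"com.example.maps", "com.example.skype", "com.example.facebook", "com.example.game"} {
		view := ContactsView(app, book)
		fmt.Printf("%-22s records=%d fields=%v\n", app, len(view), FieldsSeen(view))
	}
}
```

The policy is a deny-by-default table: an app has to be listed with an explicit grant to get anything, which is the property the post is after (games and unknown apps fall through to the empty view without a special case).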
If various forms of spookery switch (or reinforce) their attention to examining things at the telco end, then wouldn't Blackphone users be living in a fool's paradise?
Sure it might not be easy, but never underestimate the twisted genius of the spook community.
... is the first to get the chop.
So it is with crowds. If you stand out, you attract attention. So having a "black" phone that is supposedly secure against all the things the designers found were easy to do (but that completely misses those that are difficult, or that the designers lacked the knowledge/ability/imagination to consider) will be the phone that attracts attention.
Sure, if your security really is good enough to withstand the inevitable extra scrutiny, then that's OK. Except you'll never know - since the security organisations won't be considerate enough to let you know when they've hacked, cracked or whacked all the little defenses your $3-digit device put up against their multi-billion $$$$ counter-counter-measure tools.
As the article says, a challenge any secure phone has is still traffic analysis. However, that's more than a challenge - it's a gaping hole as wide as the Grand Canyon. That's why (when they were used) government "intelligence" radio stations would broadcast 24 hours a day, whether there was any threat or situation or not. As they knew well, merely the act of increasing the amount of radio "chatter" was all the other guys needed to know that you'd rumbled them. So the only way these phones could add to the security of the user would be to keep a connection to "the other guy" 24*7¹. Somehow I don't think that people value their security enough that they'd be prepared for that much of a bill every month.
[1] Though I do know a few particularly talkative types who are already pushing the limits of their vocal chords and phone's batteries in that direction.
So the only way these phones could add to the security of the user would be to keep a connection to "the other guy" 24*7¹. Somehow I don't think that people value their security enough that they'd be prepared for that much of a bill every month.
That's part of how Freenet works, isn't it? It keeps connecting to all sorts of peers 24/7. The only trick right now keeping this from working on mobile networks is usage caps. If phones had usage to spare, then perhaps they can obfuscate by holding lots of fake conversations between each other. Then how would the spooks distinguish the real conversation from the chaff?
(Love that expression!)
Depends who's after you. NSA? Agree with you. Muhammad al Jihad in a sleeper cell may want to stick with lower profile gear while casing the godless unbelievers.
Random Hackerimu@ru.com after you? Man-in-the-middle @ Starbucks wifi? Your wife? (amazing how often OKCupid's "would you read your partner's emails" quiz gets a yes). May help.
I think a big deciding factor in the mainstream will be app compatibility. God forbid FB or Spastic Volatiles don't work. Maybe not so much on this phone but surely on a mass-market enhanced-sec phone.
Icon? Just because.
I assume that this is aimed at business/government users, not the man in the street?
There must be millions of government workers in the US/Canada/UK/Australia(*) that would potentially need these phones, and that's before you include their 'delivery partners' who would need them to ensure safe communications with the government entities...
I don't think this phone is intended to replace Apple, but it's there to ensure an alternative when Blackberry goes bust...
(*) who probably don't mind that the NSA is listening in, as long as other foreign powers can't!!
> How so?
A few ways.
1) Most Android handsets come bundled with (closed source) vendor bloatware. Some of which can be disabled, some of which cannot. Possibly not the fault of the OS, but that's the way it is.
2) Android is not really open source. The source code/APIs for dual SIM functionality has never been released.
3) Modem/radio part of the firmware tends to be vendor specific. Lots of scope for NSA abuse there. (Maybe not part of the Android OS but you won't get far without it)
4) Even in a stripped down Android with no Gapps (including Cyanogenmod) it reaches out to Google servers. Specifically clients3.l.google.com (check getDefaultUrl() in the ConnectivityService). This at the moment is fairly harmless, but could be exploited in the future and there may be others.
5) Apps can and do request lots of permissions. These cannot be turned off. You either install the app or you do not. Is it the OS's role to police the apps? Maybe not, but it could be improved. Like disabling perm by perm after installation.
So there is IMHO a market for a device with a more secure OS. If it's based on Android it needs a bit of work to do it. But maybe that's what the Blackphone guys have done. But do you trust them? :-) Will they open source the complete OS?
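An added example, not from the thread, of how a reviewer would check point 4 on their own network rather than take it on trust: put a freshly flashed handset on a test network, log every name it resolves, and report whatever falls outside the egress you expected from the build. The log format, the client address, the allow-list and every name other than clients3.l.google.com are constructed for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SampleLog is a constructed resolver log from a test network where the handset is
// the only client. The format is ours, not any real resolver's: timestamp, client, name.
var SampleLog = []string{
	"2014-03-03T09:00:01Z 192.168.7.20 clients3.l.google.com",
	"2014-03-03T09:00:02Z 192.168.7.20 ntp.example.org",
	"2014-03-03T09:05:01Z 192.168.7.20 clients3.l.google.com.",
	"2014-03-03T09:07:44Z 192.168.7.20 updates.example.org",
	"2014-03-03T09:10:01Z 192.168.7.20 CLIENTS3.L.GOOGLE.COM",
	"2014-03-03T09:11:00Z 192.168.7.20 notexample.org",
	"malformed line",
}

// Allowed is the egress the reviewer expects from the build under test (hypothetical).
// Matching is by DNS label suffix: "example.org" covers "ntp.example.org" but must not
// cover "notexample.org".
var Allowed = []string{"example.org"}

// Hit is one unexpected destination and how often it was queried.
type Hit struct {
	Host  string
	Count int
}

func isAllowed(host string, suffixes []string) bool {
	for _, s := range suffixes {
		if host == s || strings.HasSuffix(host, "."+s) {
			return true
		}
	}
	return false
}

// UnexpectedHosts parses the log, skips lines that do not fit the format, normalises
// names (lower case, trailing dot removed) and returns every queried name outside the
// allow-list, most frequent first.
func UnexpectedHosts(lines, suffixes []string) []Hit {
	counts := map[string]int{}
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 3 {
			continue
		}
		host := strings.ToLower(strings.TrimSuffix(f[2], "."))
		if !isAllowed(host, suffixes) {
			counts[host]++
		}
	}
	hits := make([]Hit, 0, len(counts))
	for h, c := range counts {
		hits = append(hits, Hit{Host: h, Count: c})
	}
	sort.Slice(hits, func(i, j int) bool {
		if hits[i].Count != hits[j].Count {
			return hits[i].Count > hits[j].Count
		}
		return hits[i].Host < hits[j].Host
	})
	return hits
}

func main() {
	for _, h := range UnexpectedHosts(SampleLog, Allowed) {
		fmt.Printf("%-30s %d queries\n", h.Host, h.Count)
	}
}
```

Normalising case and the trailing dot matters because the same host otherwise shows up as three separate entries, and the `"."+s` guard is what stops a look-alike domain from riding on an allow-list entry.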
And now to address each point:
1) Most Android handsets come bundled with (closed source) vendor bloatware. Some of which can be disabled, some of which cannot. Possibly not the fault of the OS, but that's the way it is.
These are vendors interested in data mining. This one is figuring on the opposite, so bloatware should be reduced to just Silent Circle and a few essentials.
2) Android is not really open source. The source code/APIs for dual SIM functionality has never been released.
Got any better alternatives besides the Android Open-Source Project? Ubuntu's too new, QNX has to be licensed to use, and Blackberry's in limbo. Besides, do any of them support dual SIMs? The main reason it's not community-supported goes to your next point below.
3) Modem/radio part of the firmware tends to be vendor specific. Lots of scope for NSA abuse there. (Maybe not part of the Android OS but you won't get far without it)
If you can't trust the radio or modem chip, you're basically screwed since these chips are usually patent-encumbered meaning an open version of such won't exist. And if it's not the NSA poking backdoors in the hardware, it's their Russian or Chinese counterparts. Why not just X-ray each lot that comes in to make sure their pattern matches a known-good spec?
(Going back to dual SIMs, there's more than one way to make it work. Dual SIM controllers are as closed as radio and modem chips. THAT'S why they're not community-supported.)
4) Even in a stripped down Android with no Gapps (including Cyanogenmod) it reaches out to Google servers. Specifically clients3.l.google.com (check getDefaultUrl() in the ConnectivityService). This at the moment is fairly harmless, but could be exploited in the future and there may be others.
Is this true even of non-Google Android devices like the Amazon Kindles and B&N Nooks? Besides, something like that should be easy to edit in the source. It's just that many open-source distros don't bother.
5) Apps can and do request lots of permissions. These cannot be turned off. You either install the app or you do not. Is it the OS's role to police the apps? Maybe not, but it could be improved. Like disabling perm by perm after installation.
Not even with App Ops or a similar security program? And there are versions that work with the latest Android 4.4.2 KitKat.
> These are vendors interested in data mining. This one is figuring on the opposite, so bloatware should be reduced to just Silent Circle and a few essentials.
Indeed.
> Got any better alternatives besides the Android Open-Source Project? Ubuntu's too new, QNX has to be licensed to use, and Blackberry's in limbo. Besides, do any of them support dual SIMs? The main reason it's not community-supported goes to your next point below.
No, there are no better alternatives. But that was my point: Android is no better or worse a starting place than any other mobile OS. At the moment its security credentials (like most other OSes') are lacking.
> If you can't trust the radio or modem chip, you're basically screwed since these chips are usually patent-encumbered meaning an open version of such won't exist. And if it's not the NSA poking backdoors in the hardware, it's their Russian or Chinese counterparts. Why not just X-ray each lot that comes in to make sure their pattern matches a known-good spec?
True. Although if you encrypt securely with a decent key higher up the stack all the radio/WiFi sees is encrypted traffic.
> Is this true even of non-Google Android devices like the Amazon Kindles and B&N Nooks? Besides, something like that should be easy to edit in the source. It's just that many open-source distros don't bother.
I do not know if non-Google and non-Cyanogenmod Android devices report back to Google. I have not tested them. Yes, it's easy to edit the Android source to fix these. But my point was stuff like this exists in the Android open source today. Anyone interested in making a secure phone based on Android needs to find all the stuff like this and make good.
> Not even with App Ops or a similar security program? And there are versions that work with the latest Android 4.4.2 KitKat.
Relying on a third party app (which you have to grant a large number of permissions to) to secure your OS (or more accurately other apps) is hardly ideal from a security point of view! This needs to be in the OS.
So really my point was Android needs a lot of work (and so would any other OS) to make it secure. I am not saying it cannot be done. I am hoping that is what the Blackphone guys have done.
> True. Although if you encrypt securely with a decent key higher up the stack all the radio/WiFi sees is encrypted traffic.
Not unless the plods have other parts of the system borked like the OS core, the CPU, or a hardware security chip: areas where the key HAS to be readable in order to be useable. Meaning even if you encrypt before the modem/radio chip, they'll still know how to decrypt it.
> No, there are no better alternatives. But that was my point Android is no better or worse starting place than any other mobile OS. At the moment its security credentials (like most other OS) are lacking.
Meaning, all other things being equal, the price tag wins. Meaning AOSP (price tag $0) wins. Yes, it needs serious security hardening, but as you've said yourself you need to do that ANYWAY, so don't handicap yourself by paying for an OS license on top of that.
Have you any evidence that Android cannot be made secure?
I am of the opinion that any device running any operating system can never be 100% secure.
I wouldn't single out Android.
If a device can be rooted it can be made *more* secure or less secure dependent on the skills of the owner. Although I am no expert with Android or Linux, my skills are adequate enough for me to know with certainty that my rooted device is far more secure than it was when I first powered it up.
If one uses a device that is not rooted one does not own it. Either the telco does or the operating system provider does, regardless of whether the OS be Android, iOS or WinPhone.
Now I'm far from knowledgeable in the field of encryption - I still can't fathom how a public key can work. . .
But provided whatever magic makes this work is legit, could it not be feasible to have a public key as our phone number?
There is of course the problem of communicating said key, but such things could be solved with a Bluetooth connection (or similar) for close proximity exchanging of numbers, or with a QR code (or similar) if you have a website or ad which needs to include your number.
Then when you wish to communicate you choose a person, and anything you write or speak (and once again my lack of knowledge is revealed, but I'm just guessing that speech data should be just as encryptable - though that might introduce a lag) is encrypted before it's sent out.
Sure there's still metadata available, but any content is now encrypted. Even if it can be decrypted, at least it's no longer feasible (I hope) to gather all data (except in its encrypted form).
So my question: Is it feasible to use public encryption keys as a phone number? If not, where did my lack of knowledge show its hideous face the most, and could any issues perhaps not be solvable?
I think that's a very good question. I'd like to know too.
I will add a bit that I do know... Firstly (and I think this is just me being pedantic on your wording), a number would still be needed for routing purposes. But I suspect you mean the number would be tied in with the key.
Secondly, public key encryption, being asymmetrical, is relatively slow and expensive. The way TLS/SSL works is that the parties initially establish a connection via this public key magic, and then exchange a big, private, randomly generated key for a non-public/private-key encryption system, which is then actually used to encrypt the session.
So a standard connection uses 2 encryption systems. The first one, which is public/private key based, is used to set up the initial channel and securely pass the session key for the subsequent symmetrical encryption system.
I suppose some IP phone protocols use similar, but yeah? Why not generally simply 'SSL for phones' ? My guess is it's the age old chicken or egg problem in getting it rolled out. Does 4G use anything like it?
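An added example, not from the thread, covering both the question a few posts up (a public key standing in for a phone number) and the two-stage scheme this reply describes: each party holds a long-term X25519 key whose fingerprint is its "number", the asymmetric step agrees a session key, and AES-256-GCM does the bulk encryption. Only Go's standard library is used; the derivation label, the party names and the message are constructed, and the key derivation is a plain hash rather than the HKDF and authenticated handshake a real protocol would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Identity is one party's long-term X25519 key pair. The public half is what you would
// publish (QR code, Bluetooth exchange); the fingerprint is the short form a contact
// can compare by eye, which is the role a phone number plays today.
type Identity struct{ priv *ecdh.PrivateKey }

func NewIdentity() (*Identity, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{priv: k}, nil
}

// Public returns the 32-byte public key to hand to peers.
func (id *Identity) Public() []byte { return id.priv.PublicKey().Bytes() }

// Fingerprint is the first 8 bytes of SHA-256(public key), hex-encoded. The two parties
// compare it out of band; without that check an active man-in-the-middle can swap in
// its own key during the exchange below and neither side would notice.
func Fingerprint(pub []byte) string {
	s := sha256.Sum256(pub)
	return hex.EncodeToString(s[:8])
}

// SessionKey is the asymmetric step: X25519 agreement with the peer's public key, then a
// hash over the shared secret and both public keys (sorted, so both ends derive the same
// 32-byte AES-256 key).
func (id *Identity) SessionKey(peerPub []byte) ([]byte, error) {
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := id.priv.ECDH(pk)
	if err != nil {
		return nil, err
	}
	a, b := id.Public(), peerPub
	if string(a) > string(b) {
		a, b = b, a
	}
	h := sha256.New()
	h.Write([]byte("demo-session-v1")) // constructed domain-separation label
	h.Write(shared)
	h.Write(a)
	h.Write(b)
	return h.Sum(nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message under the symmetric session key; the random nonce is
// prepended and GCM's authentication tag makes any tampering detectable on Open.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails closed on a wrong key or a modified ciphertext.
func Open(key, box []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(box) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
}

func main() {
	alice, _ := NewIdentity()
	bob, _ := NewIdentity()
	fmt.Println("Alice's 'number':", Fingerprint(alice.Public()))
	ka, _ := alice.SessionKey(bob.Public())
	kb, _ := bob.SessionKey(alice.Public())
	box, _ := Seal(ka, []byte("get a loaf of bread"))
	msg, err := Open(kb, box)
	fmt.Printf("same key: %v, decrypted: %q, err: %v\n", string(ka) == string(kb), msg, err)
}
```

The part that answers the "key as phone number" question is the fingerprint comparison: the QR code or Bluetooth exchange mentioned upthread is exactly the out-of-band channel that ties a key to a person, and it is the step this demo leaves to the user. Everything after that is the two-system structure of TLS the reply describes, with the expensive asymmetric operation done once and the cheap symmetric cipher used per message.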
I'm far from knowledgeable in this also, but back in the dark ages (late 60's), radio comms were secured by a crypto device and the key was changed daily. This meant that everyone on that particular net was encrypted and reasonably secure since it was a 64 bit (as I recall) key. So it seems to me that if you and a friend wanted truly secure comms, a small app that let you then change your keys, daily, weekly, monthly, etc. would work. Once it's out of the range of a small group of like minded folks, it's open season as giving a whole range of users the keys to the castle is probably not a good idea. Never was, never will be. If more than 2 people know, it's not a secret.
On the other hand, how many of us need crypto comms? I don't.... I mean my calls consist of "get a loaf of bread" or "the Smithsons are coming over tonite". Whoop-dee-do. I imagine that's probably what 99% of all cell phone comms are like. Or sending selfies, maybe. Business and military is a different issue, of course. But even that's a gray area. Of course, using crypto might make you a "person of interest" to certain agencies, but they have to justify their budgets anyway so maybe we all should do our part in keeping them gainfully employed by sending encrypted cat pics and encrypted "pick up the following from the store" calls.
> On the other hand, how many of us need crypto comms?
All of us.
> I don't.... I mean my calls consist of "get a loaf of bread"
Sure - and most of us are in exactly the same boat.
But what happens on that one particular occasion where you *do* want to send something privately? Pick your own reason - nefarious or not - sometimes, we do want privacy. If you only ever send cleartext messages, that one encrypted one sticks out like a sore thumb, so if anyone is watching, that's the message that says something is afoot.
On the other hand, if every "loaf of bread" message is as heavily encrypted as that secret one, the difference in nature is hidden so long as the encryption method does actually work...
Vic.
What you describe is similar to the Freenet system which uses hashes and generated keys as resource locators. The main problem with your idea (and with Freenet) is routing. Part of the reason IP works as it does is it allows switches and other routing hardware to map out where certain packets have to go. It's actually very important because it conserves bandwidth, which can add up as you go up the backhaul. Without that routing information, you end up having to poll the whole network to try to find the destination, and it's never going to be as snappy as the open Internet because efficiency leaves traces that plods can sniff out. IOW, INefficiency is pretty much required to improve security, creating a tug of war between the two since both have practical implications.
You can:
https://play.google.com/store/apps/details?id=org.thialfihar.android.apg&hl=en_GB
This also integrates with K9 mail. Personally I do not use K9 because it's as user-friendly as a cornered rat.
But you can encrypt/decrypt to clipboard, so use PGP over WhatsApp (for text). It's a bit clunky but works.