[guardian-dev] silent circle out-of-circle (PSTN) calls

Hans-Christoph Steiner hans at guardianproject.info
Tue Jul 15 13:19:37 EDT 2014


Unfortunately, RedPhone only completely encrypts the voice stream, lots of
metadata is very much visible.  Same goes with any existing secure call system.

.hc

On 07/15/2014 01:14 PM, Nathan of Guardian wrote:
> Not sure agree Redphone is the same story, in that what they created was a user experience which felt like a standard phone call but was still completely encrypted, but I get your point about user perception.
> 
> Ultimately I think the SC out call feature is 100% for western travellers or business people going to eastern, middle eastern, etc countries. It is a money making feature that solves a user need that does not require end to end crypto because the adversary is not global.
> 
> On July 15, 2014 1:09:26 PM EDT, Lee Azzarello <lee at guardianproject.info> wrote:
>> Heh, I hadn't seen their new web site. I guess the marketing agency
>> decided the "powered by ex-Navy Seals" wasn't their target market :)
>>
>> Regarding PSTN connectivity, I understand what they are doing. That's
>> the most frequently requested feature at ostel.co as well. I remember
>> when RedPhone was being lauded as "secure phone calls" and the press
>> picked up the story but neglected to mention the calls weren't going
>> over a cellular voice network. RedPhone engaged in similar deception
>> but
>> on a technology level. The calling app would intercept an incoming
>> call,
>> check a list of contacts, do a key exchange and move the call over to
>> the data channel. Since it was integrated into the Android dialer, it
>> appeared that you were calling a cellular number but really you were
>> calling a proprietary URI over IP data.
>>
>> So yeah, voice. Full of mystery.
>>
>> -lee
>>
>> On 7/15/14, 1:01 PM, Peter Villeneuve wrote:
>>> This is actually quite telling, not so much from a technical point of
>>> view (Lee and Nathan's comments are absolutely right - once you enter
>>> PSTN land your call is as tappable as any other), but from a
>>> marketing/business and specially ethics view. Basically, it seems
>> that
>>> SC are taking advantage of the lack of knowledge among 99% of the
>>> population to sell them "snake oil". Now maybe that's a little strong
>>> and unfair, but if you go to their snazzy new website you'll read
>> about
>>> all the wonderful benefits of Out Circle, and if you didn't know any
>>> better, you'd be convinced that your calls to PSTN were also secure.
>> How
>>> many people are going to get hurt by talking freely through their SC
>> out
>>> circle, convinced that their conversation in truly private? Not only
>> is
>>> it not secure, it is even more expensive than most VoIP calling
>>> solutions out there, so I don't see any real benefit except for the
>>> owners of SC and their bank acounts. In fact, one could even argue
>> that
>>> out circle calls are even less secure than PSTN calls because they
>> will
>>> likely be the target of special attention by the usual suspects. To
>>> quote Top Gun, that's a target rich environment, and most will speak
>>> freely because they're "protected" by super duper cripto, right?
>>>
>>> Bottomline: I understand SC is a business and its objective is to
>> make
>>> money. Nothing wrong with that. But "deceiving" (or at least failing
>> to
>>> properly educate its clients about the true protection they afford)
>>> their customers and lulling them into a false sense of security for
>> the
>>> sake of a buck, is extremely dissapointing. After all, what they're
>>> really selling is trust, not so much tech. And by proceeding as
>> they've
>>> done, it shows they care a lot more about image and marketing rather
>>> than substance and security. I'm specially disappointed in the likes
>> of
>>> Callas and Zimmerman. It takes a life time to build a reputation, and
>> it
>>> takes a second of letting greed take over to ruin it.
>>>
>>>
>>>
>>>
>>> On Tue, Jul 15, 2014 at 3:53 AM, Nathan of Guardian
>>> <nathan at guardianproject.info <mailto:nathan at guardianproject.info>>
>> wrote:
>>>
>>>     Exactly... Once you go "out of circle" all of that zrtp
>> encryption
>>>     and "we aren't affected by calea" talk goes out the window.
>>>
>>>     On July 14, 2014 9:20:48 PM EDT, Lee Azzarello
>>>     <lee at guardianproject.info <mailto:lee at guardianproject.info>>
>> wrote:
>>>     >SS will not encrypt your PSTN calls. ZRTP is an end to end
>> protocol.
>>>     >There
>>>     >are no PSTN devices which have ZRTP capabilities.
>>>     >
>>>     >If someone were to wiretap a conversation like this the
>> requirement
>>>     >would
>>>     >be to target the PSTN endpoint and record. That would produce
>> both
>>>     >sides in
>>>     >the clear.
>>>     >
>>>     >-lee
>>>     >
>>>     >On Monday, July 14, 2014, shmick at riseup.net
>>>     <mailto:shmick at riseup.net> <shmick at riseup.net
>>>     <mailto:shmick at riseup.net>> wrote:
>>>     >
>>>     >>
>>>     >>
>>>     >> Nathan of Guardian:
>>>     >> >
>>>     >> >
>>>     >> > On Mon, Jul 14, 2014 at 1:36 PM, Lee Azzarello
>>>     >> > <lee at guardianproject.info <mailto:lee at guardianproject.info>
>>>     <javascript:;>> wrote:
>>>     >> >> -----BEGIN PGP SIGNED MESSAGE-----
>>>     >> >> Hash: SHA1
>>>     >> >>
>>>     >> >> There's no advantage to use SS for PSTN calls from a
>> security
>>>     >> >> perspective. If the pricing is attractive to you, give it a
>> shot.
>>>     >> >
>>>     >> > It also opens them up to a bunch CALEA-like requirements
>> since they
>>>     >are
>>>     >> > now operating as a "plain old telephone service". I am
>> curious how
>>>     >they
>>>     >> > are managing this.
>>>     >>
>>>     >> their thinking:
>>>     >>
>>>     >> https://www.silentcircle.com/faq-zrtp
>>>     >>
>>>     >>  4. Is ZRTP CALEA compliant?
>>>     >>     Only Silent Phone’s end users are involved in the key
>>>     >negotiation,
>>>     >> and CALEA does not apply to end users.
>>>     >>
>>>     >>     Our architecture likely renders that question moot. The
>>>     >> Communications Assistance for Law Enforcement Act applies in
>> the US
>>>     >to
>>>     >> the PSTN phone companies and VoIP service providers, such as
>> Vonage.
>>>     >> CALEA imposes requirements on VoIP service providers to give
>> law
>>>     >> enforcement access to whatever they have at the service
>> provider,
>>>     >which
>>>     >> would be only encrypted voice packets. ZRTP does all its key
>>>     >management
>>>     >> in a peer-to-peer manner, so the service provider does not
>> have
>>>     >access
>>>     >> to any of the keys. Only the end users are involved in the key
>>>     >> negotiation, and CALEA does not apply to end users.
>>>     >>
>>>     >>     Here is the operative language from CALEA itself:
>>>     >>
>>>     >>     47 U.S.C. 1002(b)(3): ENCRYPTION - A telecommunications
>> carrier
>>>     >> shall not be responsible for decrypting, or ensuring the
>> government’s
>>>     >> ability to decrypt, any communication encrypted by a
>> subscriber or
>>>     >> customer, unless the encryption was provided by the carrier
>> and the
>>>     >> carrier possesses the information necessary to decrypt the
>>>     >> communication. [emphasis added]
>>>     >>
>>>     >>     Also, from the CALEA legislative history :
>>>     >>
>>>     >>     Finally, telecommunications carriers have no
>> responsibility to
>>>     >> decrypt encrypted communications that are the subject of
>>>     >court-ordered
>>>     >> wiretaps, unless the carrier provided the encryption and can
>> decrypt
>>>     >it.
>>>     >> This obligation is consistent with the obligation to furnish
>> all
>>>     >> necessary assistance under 18 U.S.C. Section 2518(4). Nothing
>> in this
>>>     >> paragraph would prohibit a carrier from deploying an
>> encryption
>>>     >service
>>>     >> for which it does not retain the ability to decrypt
>> communications
>>>     >for
>>>     >> law enforcement access. [...] Nothing in the bill is intended
>> to
>>>     >limit
>>>     >> or otherwise prevent the use of any type of encryption within
>> the
>>>     >United
>>>     >> States. Nor does the Committee intend this bill to be in any
>> way a
>>>     >> precursor to any kind of ban or limitation on encryption
>> technology.
>>>     >To
>>>     >> the contrary, section 2602 protects the right to use
>> encryption.
>>>     >>
>>>     >> >
>>>     >> >>
>>>     >> >>
>>>     >> >> - -lee
>>>     >> >>
>>>     >> >> On 7/13/14, 7:40 PM, shmick at riseup.net
>>>     <mailto:shmick at riseup.net> <javascript:;> wrote:
>>>     >> >>>  has anybody tested or used silent circle for what they
>> call
>>>     >> >>>  out-of-circle calls ?
>>>     >> >>>
>>>     >> >>>  what's been your quality experience ? anyone know their
>> server
>>>     >> >>>  addresses ?
>>>     >> >>>
>>>     >> >>>  some claim the quality is better than their own mobile
>> carrier
>>>     >and
>>>     >> >>>  use it entirely for outbound calls
>>>     >> >>>
>>>     >> >
>>>     >> > +n
>>>     >> _______________________________________________
>>>     >> Guardian-dev mailing list
>>>     >>
>>>     >> Post: Guardian-dev at lists.mayfirst.org
>>>     <mailto:Guardian-dev at lists.mayfirst.org> <javascript:;>
>>>     >> List info:
>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>     >>
>>>     >> To Unsubscribe
>>>     >>         Send email to:
>>>      Guardian-dev-unsubscribe at lists.mayfirst.org
>>>     <mailto:Guardian-dev-unsubscribe at lists.mayfirst.org>
>>>     >> <javascript:;>
>>>     >>         Or visit:
>>>     >>
>>>    
>>> https://lists.mayfirst.org/mailman/options/guardian-dev/lee%40guardianproject.info
>>>     >>
>>>     >> You are subscribed as: lee at guardianproject.info
>>>     <mailto:lee at guardianproject.info> <javascript:;>
>>>     >>
>>>     >
>>>     >
>>>    
>>> ------------------------------------------------------------------------
>>>     >
>>>     >_______________________________________________
>>>     >Guardian-dev mailing list
>>>     >
>>>     >Post: Guardian-dev at lists.mayfirst.org
>>>     <mailto:Guardian-dev at lists.mayfirst.org>
>>>     >List info:
>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>     >
>>>     >To Unsubscribe
>>>     >        Send email to: 
>> Guardian-dev-unsubscribe at lists.mayfirst.org
>>>     <mailto:Guardian-dev-unsubscribe at lists.mayfirst.org>
>>>     >Or visit:
>>>    
>>> https://lists.mayfirst.org/mailman/options/guardian-dev/nathan%40guardianproject.info
>>>     >
>>>     >You are subscribed as: nathan at guardianproject.info
>>>     <mailto:nathan at guardianproject.info>
>>>
>>>     _______________________________________________
>>>     Guardian-dev mailing list
>>>
>>>     Post: Guardian-dev at lists.mayfirst.org
>>>     <mailto:Guardian-dev at lists.mayfirst.org>
>>>     List info:
>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>
>>>     To Unsubscribe
>>>             Send email to: 
>> Guardian-dev-unsubscribe at lists.mayfirst.org
>>>     <mailto:Guardian-dev-unsubscribe at lists.mayfirst.org>
>>>             Or visit:
>>>    
>> https://lists.mayfirst.org/mailman/options/guardian-dev/petervnv1%40gmail.com
>>>
>>>     You are subscribed as: petervnv1 at gmail.com
>> <mailto:petervnv1 at gmail.com>
>>>
>>>
> 
> _______________________________________________
> Guardian-dev mailing list
> 
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> 
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info
> 
> You are subscribed as: hans at guardianproject.info
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81


More information about the Guardian-dev mailing list