This is actually quite telling, not so much from a technical point of view (Lee and Nathan's comments are absolutely right - once you enter PSTN land your call is as tappable as any other), but from a marketing/business and especially ethics view. Basically, it seems that SC are taking advantage of the lack of knowledge among 99% of the population to sell them "snake oil". Now maybe that's a little strong and unfair, but if you go to their snazzy new website you'll read about all the wonderful benefits of Out Circle, and if you didn't know any better, you'd be convinced that your calls to PSTN were also secure. How many people are going to get hurt by talking freely through their SC out circle, convinced that their conversation is truly private? Not only is it not secure, it is even more expensive than most VoIP calling solutions out there, so I don't see any real benefit except for the owners of SC and their bank accounts. In fact, one could even argue that out circle calls are even less secure than PSTN calls because they will likely be the target of special attention by the usual suspects. To quote Top Gun, that's a target-rich environment, and most will speak freely because they're "protected" by super duper crypto, right?
Bottom line: I understand SC is a business and its objective is to make money. Nothing wrong with that. But "deceiving" (or at least failing to properly educate its clients about the true protection they afford) their customers and lulling them into a false sense of security for the sake of a buck, is extremely disappointing. After all, what they're really selling is trust, not so much tech. And by proceeding as they've done, it shows they care a lot more about image and marketing rather than substance and security. I'm especially disappointed in the likes of Callas and Zimmermann. It takes a lifetime to build a reputation, and it takes a second of letting greed take over to ruin it.

On Tue, Jul 15, 2014 at 3:53 AM, Nathan of Guardian <[email protected]> wrote:

> Exactly... Once you go "out of circle" all of that zrtp encryption and
> "we aren't affected by calea" talk goes out the window.
>
> On July 14, 2014 9:20:48 PM EDT, Lee Azzarello <[email protected]> wrote:
> >SS will not encrypt your PSTN calls. ZRTP is an end to end protocol.
> >There are no PSTN devices which have ZRTP capabilities.
> >
> >If someone were to wiretap a conversation like this the requirement
> >would be to target the PSTN endpoint and record. That would produce
> >both sides in the clear.
> >
> >-lee
> >
> >On Monday, July 14, 2014, [email protected] <[email protected]> wrote:
> >
> >> Nathan of Guardian:
> >> >
> >> > On Mon, Jul 14, 2014 at 1:36 PM, Lee Azzarello
> >> > <[email protected]> wrote:
> >> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> >> Hash: SHA1
> >> >>
> >> >> There's no advantage to use SS for PSTN calls from a security
> >> >> perspective. If the pricing is attractive to you, give it a shot.
> >> >
> >> > It also opens them up to a bunch of CALEA-like requirements since
> >> > they are now operating as a "plain old telephone service". I am
> >> > curious how they are managing this.
> >>
> >> their thinking:
> >>
> >> https://www.silentcircle.com/faq-zrtp
> >>
> >> 4. Is ZRTP CALEA compliant?
> >> Only Silent Phone’s end users are involved in the key negotiation,
> >> and CALEA does not apply to end users.
> >>
> >> Our architecture likely renders that question moot. The
> >> Communications Assistance for Law Enforcement Act applies in the US
> >> to the PSTN phone companies and VoIP service providers, such as
> >> Vonage. CALEA imposes requirements on VoIP service providers to give
> >> law enforcement access to whatever they have at the service provider,
> >> which would be only encrypted voice packets. ZRTP does all its key
> >> management in a peer-to-peer manner, so the service provider does not
> >> have access to any of the keys. Only the end users are involved in
> >> the key negotiation, and CALEA does not apply to end users.
> >>
> >> Here is the operative language from CALEA itself:
> >>
> >> 47 U.S.C. 1002(b)(3): ENCRYPTION - A telecommunications carrier
> >> shall not be responsible for decrypting, or ensuring the government’s
> >> ability to decrypt, any communication encrypted by a subscriber or
> >> customer, unless the encryption was provided by the carrier and the
> >> carrier possesses the information necessary to decrypt the
> >> communication. [emphasis added]
> >>
> >> Also, from the CALEA legislative history:
> >>
> >> Finally, telecommunications carriers have no responsibility to
> >> decrypt encrypted communications that are the subject of
> >> court-ordered wiretaps, unless the carrier provided the encryption
> >> and can decrypt it. This obligation is consistent with the obligation
> >> to furnish all necessary assistance under 18 U.S.C. Section 2518(4).
> >> Nothing in this paragraph would prohibit a carrier from deploying an
> >> encryption service for which it does not retain the ability to
> >> decrypt communications for law enforcement access. [...] Nothing in
> >> the bill is intended to limit or otherwise prevent the use of any
> >> type of encryption within the United States. Nor does the Committee
> >> intend this bill to be in any way a precursor to any kind of ban or
> >> limitation on encryption technology. To the contrary, section 2602
> >> protects the right to use encryption.
> >>
> >> >>
> >> >> - -lee
> >> >>
> >> >> On 7/13/14, 7:40 PM, [email protected] wrote:
> >> >>> has anybody tested or used silent circle for what they call
> >> >>> out-of-circle calls ?
> >> >>>
> >> >>> what's been your quality experience ? anyone know their server
> >> >>> addresses ?
> >> >>>
> >> >>> some claim the quality is better than their own mobile carrier
> >> >>> and use it entirely for outbound calls
> >> >>>
> >> >
> >> > +n
> >> _______________________________________________
> >> Guardian-dev mailing list
> >>
> >> Post: [email protected]
> >> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> >>
> >> To Unsubscribe
> >> Send email to: [email protected]
> >> Or visit:
> >> https://lists.mayfirst.org/mailman/options/guardian-dev/lee%40guardianproject.info
> >>
> >> You are subscribed as: [email protected]
