Re: [liberationtech] Silent Circle to publish source code?

2012-10-13 Thread Eugen Leitl
On Fri, Oct 12, 2012 at 08:16:52PM +0200, Julian Oliver wrote:
 
 This should help clear things up:
 
 http://is.gd/ZmBaMD
 
 (Featuring VJ Ann O'Nymous)

Please do not use URL shorteners, particularly on this list.
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Silent Circle to publish source code?

2012-10-12 Thread Julian Oliver

This should help clear things up:

http://is.gd/ZmBaMD

(Featuring VJ Ann O'Nymous)

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org


Re: [liberationtech] Silent Circle to publish source code?

2012-10-12 Thread Fran Parker

Excellent Julian!

Here's the direct link for all three videos by CircledUp 
(http://www.youtube.com/user/CircledUp) over at Youtube:


http://preview.tinyurl.com/8d3wrs6

and raw URL:

http://www.youtube.com/watch?v=rhEzawkDTgE&feature=bf_prev&list=ULDhyUkrGcidQ



On 10/12/12 2:16 PM, Julian Oliver wrote:


This should help clear things up:

 http://is.gd/ZmBaMD

(Featuring VJ Ann O'Nymous)




Re: [liberationtech] Silent Circle to publish source code?

2012-10-12 Thread Fran Parker
I love what they say in the videos. The videos are very well done and 
immediately put you at ease. I have dealt with Phil's products for a 
very long time, and I would trust that what he says is true as far as he 
knows about this product.


However, open scrutiny of the code is the only way to truly know it's
hostile environment safe. To have the programmer community pore over the
code and test it six ways to Sunday. Not only by the developers
themselves. As good as Phil and the other developers are, it almost
always takes a fresh eye to pore over code to put it through tests even
the developers haven't foreseen.


Even when code is supposedly closed, it will ultimately be cracked, and 
then the vulnerabilities will be known but to the bad guys only.


I would like to have seen them address the question of opening up the 
code to the community for scrutiny in the videos.


And the following is also worrisome:

Google Chrome says silentcircle.com certificate is invalid and you have 
to click through like it is a bad site to see the site.


Firefox says that although it is https, only part of the site is
encrypted and only partially protected communication, and does not
prevent eavesdropping.


Safari does not go to the site, but instead puts up box saying Safari 
can't verify the identity of the website 'silentcircle.com'


Interestingly enough, Opera showed it as Trusted. Go figure.

If they want people to trust their product, the site itself should be 
trustworthy as well, don't you think?


If someone is close with these guys, maybe you could mention this to 
them. I am sure they want everything to vibrate safe, secure, etc.






On 10/12/12 2:16 PM, Julian Oliver wrote:


This should help clear things up:

 http://is.gd/ZmBaMD

(Featuring VJ Ann O'Nymous)




Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Nadim Kobeissi
It would have been much nicer to create this thread based on real source
code, instead of a tweet based on word of mouth. We'll see.

NK

On 10/11/2012 3:27 PM, Yosem Companys wrote:
 Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
 that Silent Circle (contrary to what you say in your post) will
 publish source code.


Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Yosem Companys
We both received the same messages from Ryan Gallagher and Dan Gillmor:

@rj_gallagher: @kaepora FYI I met with SC's CEO today for piece I'm
doing + he told me they'll be making everything open source.

That's why I added the question mark, in case someone on the list knew
anymore (for example, when -- what date? -- do they plan to publish
the code).

I've contacted @Silent_Circle via Twitter and invited them on to
Liberationtech.  If anyone knows how to reach someone on the team
directly, please let me know.

It'd be nice to send them a personal invitation, so we can talk to the
team directly rather than have a secondhand conversation.

Best,
Yosem

On Thu, Oct 11, 2012 at 12:35 PM, Nadim Kobeissi na...@nadim.cc wrote:
 It would have been much nicer to create this thread based on real source
 code, instead of a tweet based on word of mouth. We'll see.

 NK

 On 10/11/2012 3:27 PM, Yosem Companys wrote:
 Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
 that Silent Circle (contrary to what you say in your post) will
 publish source code.


Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Katrin Verclas
Copying Susan Alderson, VP of Informatics, Silent Circle who was also in the 
meeting Eric and I referred to. 

Susan, forwarding you a thread from the Liberation Tech discussion list about 
Silent Circle source code, location of servers, etc.  Please feel free to chime 
in, and nice to meet you!

Cheers,

Katrin 


On Oct 11, 2012, at 3:48 PM, Yosem Companys wrote:

 We both received the same messages from Ryan Gallagher and Dan Gillmor:
 
 @rj_gallagher: @kaepora FYI I met with SC's CEO today for piece I'm
 doing + he told me they'll be making everything open source.
 
 That's why I added the question mark, in case someone on the list knew
 anymore (for example, when -- what date? -- do they plan to publish
 the code).
 
 I've contacted @Silent_Circle via Twitter and invited them on to
 Liberationtech.  If anyone knows how to reach someone on the team
 directly, please let me know.
 
 It'd be nice to send them a personal invitation, so we can talk to the
 team directly rather than have a secondhand conversation.
 
 Best,
 Yosem
 
 On Thu, Oct 11, 2012 at 12:35 PM, Nadim Kobeissi na...@nadim.cc wrote:
 It would have been much nicer to create this thread based on real source
 code, instead of a tweet based on word of mouth. We'll see.
 
 NK
 
 On 10/11/2012 3:27 PM, Yosem Companys wrote:
 Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
 that Silent Circle (contrary to what you say in your post) will
 publish source code.


Katrin Verclas
MobileActive.org
kat...@mobileactive.org

skype/twitter: katrinskaya
(347) 281-7191

A global network of people using mobile technology for social impact
http://mobileactive.org



Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Nathan
Can someone explain what this big secret briefing was? Are they making the PR 
rounds in DC?

Yosem Companys compa...@stanford.edu wrote:

We both received the same messages from Ryan Gallagher and Dan Gillmor:

@rj_gallagher: @kaepora FYI I met with SC's CEO today for piece I'm
doing + he told me they'll be making everything open source.

That's why I added the question mark, in case someone on the list knew
anymore (for example, when -- what date? -- do they plan to publish
the code).

I've contacted @Silent_Circle via Twitter and invited them on to
Liberationtech.  If anyone knows how to reach someone on the team
directly, please let me know.

It'd be nice to send them a personal invitation, so we can talk to the
team directly rather than have a secondhand conversation.

Best,
Yosem

On Thu, Oct 11, 2012 at 12:35 PM, Nadim Kobeissi na...@nadim.cc wrote:
 It would have been much nicer to create this thread based on real source
 code, instead of a tweet based on word of mouth. We'll see.

 NK

 On 10/11/2012 3:27 PM, Yosem Companys wrote:
 Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
 that Silent Circle (contrary to what you say in your post) will
 publish source code.


Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Nathan
Here's my prediction: Silent Circle will not fundamentally change anything. It
will have nowhere near the impact that Phil's work on open cryptography
standards has. It may be a great niche product for businesses, professional
journalist groups and large NGOs looking for a turnkey solution. It will not be
relevant for the majority of people on the ground in high risk places with state
based surveillance. It will not satisfy the most privacy concerned users in
free countries either.

Ultimately it is a *commercial product* aiming to package up complex
capabilities into a promise of a tidy, easy-to-use solution. It is a worthy
endeavor but there are many, many people out there trying to go the business 
route and I don't believe there is actually enough of a market for this to 
satisfy a venture capitalist or organic revenue to sustain itself. Cryptophone, 
WaveSecure, Cryptcell, IronKey, ZeroBank, Hushmail are just a few attempted 
similar efforts. All worthy efforts... but niche and ultimately not having the 
large impact we all might hope, and perhaps some even doing damage by promoting 
forked, out of date solutions.

I fundamentally believe you can't design a product both for CEOs and 
revolutionaries. The threat models are entirely different. You can't be all 
things to all people especially if you are charging 20 USD per user per month,
on top of a user's existing 3G data plan.

+n8fr8



Nadim Kobeissi na...@nadim.cc wrote:

It would have been much nicer to create this thread based on real source
code, instead of a tweet based on word of mouth. We'll see.

NK

On 10/11/2012 3:27 PM, Yosem Companys wrote:
 Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
 that Silent Circle (contrary to what you say in your post) will
 publish source code.


Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Nadim Kobeissi
On 10/11/2012 5:51 PM, Ryan Gallagher wrote:
 To Nadim: I'm interested to know, did you contact anyone at SC before
 writing your blog post? Seems to me you arrived at your rather scathing
 conclusion largely on the basis of an assumption. A sort of shoot first,
 ask questions later approach. It actually says on the SC website that SC
 will use Open Source Peer-Reviewed Encryption. It also says,
 unambiguously, /We believe in open source/.

It's almost impossible to develop the software Silent Circle is
attempting to develop without using at least one open source library -
this is in fact accentuated in my blog post.
I sincerely apologize if my post is jumping the gun a bit, but aside
from reassurances in private press conferences, Silent Circle hasn't
made any statement that supports their releasing their code as open
source. In fact, they have been very ambiguous on this issue prior to
their alleged private statements yesterday and today.

I will update my blog post the moment they announce that Silent Circle
will be open source. I don't mean to shoot first, ask questions later,
but rather highlight serious potential dangers.


 
 
 From: compa...@stanford.edu
 Date: Thu, 11 Oct 2012 12:48:03 -0700
 To: liberationtech@lists.stanford.edu
 Subject: Re: [liberationtech] Silent Circle to publish source code?

 We both received the same messages from Ryan Gallagher and Dan Gillmor:

 @rj_gallagher: @kaepora FYI I met with SC's CEO today for piece I'm
 doing + he told me they'll be making everything open source.

 That's why I added the question mark, in case someone on the list knew
 anymore (for example, when -- what date? -- do they plan to publish
 the code).

 I've contacted @Silent_Circle via Twitter and invited them on to
 Liberationtech. If anyone knows how to reach someone on the team
 directly, please let me know.

 It'd be nice to send them a personal invitation, so we can talk to the
 team directly rather than have a secondhand conversation.

 Best,
 Yosem

 On Thu, Oct 11, 2012 at 12:35 PM, Nadim Kobeissi na...@nadim.cc wrote:
  It would have been much nicer to create this thread based on real source
  code, instead of a tweet based on word of mouth. We'll see.
 
  NK
 
  On 10/11/2012 3:27 PM, Yosem Companys wrote:
  Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
  that Silent Circle (contrary to what you say in your post) will
  publish source code.


Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Ryan Gallagher

 On 10/11/2012 18:26 PM, Nadim Kobeissi wrote:
 I sincerely apologize if my post is jumping the gun a bit, but aside
 from reassurances in private press conferences, Silent Circle hasn't
 made any statement that supports their releasing their code as open
 source. In fact, they have been very ambiguous on this issue prior to
 their alleged private statements yesterday and today.

Hmm. It says on the SC website that it will use Open Source Peer-Reviewed 
Encryption, Peer Reviewed Encryption and Hashing Algorithms, and also says 
we believe in open source. Is that very ambiguous?

 Date: Thu, 11 Oct 2012 18:26:28 -0400
 From: na...@nadim.cc
 To: liberationtech@lists.stanford.edu
 Subject: Re: [liberationtech] Silent Circle to publish source code?
 
 On 10/11/2012 5:51 PM, Ryan Gallagher wrote:
  To Nadim: I'm interested to know, did you contact anyone at SC before
  writing your blog post? Seems to me you arrived at your rather scathing
  conclusion largely on the basis of an assumption. A sort of shoot first,
  ask questions later approach. It actually says on the SC website that SC
  will use Open Source Peer-Reviewed Encryption. It also says,
  unambiguously, /We believe in open source/.
 
 It's almost impossible to develop the software Silent Circle is
 attempting to develop without using at least one open source library -
 this is in fact accentuated in my blog post.
 I sincerely apologize if my post is jumping the gun a bit, but aside
 from reassurances in private press conferences, Silent Circle hasn't
 made any statement that supports their releasing their code as open
 source. In fact, they have been very ambiguous on this issue prior to
 their alleged private statements yesterday and today.
 
 I will update my blog post the moment they announce that Silent Circle
 will be open source. I don't mean to shoot first, ask questions later,
 but rather highlight serious potential dangers.
 
 
  
  
  From: compa...@stanford.edu
  Date: Thu, 11 Oct 2012 12:48:03 -0700
  To: liberationtech@lists.stanford.edu
  Subject: Re: [liberationtech] Silent Circle to publish source code?
 
  We both received the same messages from Ryan Gallagher and Dan Gillmor:
 
  @rj_gallagher: @kaepora FYI I met with SC's CEO today for piece I'm
  doing + he told me they'll be making everything open source.
 
  That's why I added the question mark, in case someone on the list knew
  anymore (for example, when -- what date? -- do they plan to publish
  the code).
 
  I've contacted @Silent_Circle via Twitter and invited them on to
  Liberationtech. If anyone knows how to reach someone on the team
  directly, please let me know.
 
  It'd be nice to send them a personal invitation, so we can talk to the
  team directly rather than have a secondhand conversation.
 
  Best,
  Yosem
 
  On Thu, Oct 11, 2012 at 12:35 PM, Nadim Kobeissi na...@nadim.cc wrote:
   It would have been much nicer to create this thread based on real source
   code, instead of a tweet based on word of mouth. We'll see.
  
   NK
  
   On 10/11/2012 3:27 PM, Yosem Companys wrote:
   Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
   that Silent Circle (contrary to what you say in your post) will
   publish source code.

Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Christopher Soghoian
Hi Nadim,

You didn't directly respond to Ryan's question. Have you actually spoken to
anyone at Silent Circle?

The Silent Circle App isn't available for download to the general public
yet. As such, I think the company can be forgiven for not having source
code available just yet. Why not wait until the product is actually
available for download before you jump the gun and state that the company
is damaging the state of the cryptography community?

I've met with the CEO a couple times in person and I've spoken with Phil
and Jon. Although I'm by no means ready to bless the product -- not only do
I want to see it open sourced, but I also want to see a published, thorough
audit by a respected security consulting firm -- I am at least excited to
see folks building a business around encrypted communications (where the
crypto is the selling point, rather than an unadvertised feature, like
Skype).

Jon and Phil are not strangers to the security community and their email
addresses can be found with about 2 seconds of Googling. If you have
questions, why not contact them?

Chris

[Full disclosure: They've loaned me an ipod touch with a beta copy of the
app so that I can try it out. As soon as the Android version is ready to
go, I'll promptly give the iPod back to them. I'm not a Silent Circle
investor, consultant, etc]


On Thu, Oct 11, 2012 at 6:26 PM, Nadim Kobeissi na...@nadim.cc wrote:

 On 10/11/2012 5:51 PM, Ryan Gallagher wrote:
  To Nadim: I'm interested to know, did you contact anyone at SC before
  writing your blog post? Seems to me you arrived at your rather scathing
  conclusion largely on the basis of an assumption. A sort of shoot first,
  ask questions later approach. It actually says on the SC website that SC
  will use Open Source Peer-Reviewed Encryption. It also says,
  unambiguously, /We believe in open source/.

 It's almost impossible to develop the software Silent Circle is
 attempting to develop without using at least one open source library -
 this is in fact accentuated in my blog post.
 I sincerely apologize if my post is jumping the gun a bit, but aside
 from reassurances in private press conferences, Silent Circle hasn't
 made any statement that supports their releasing their code as open
 source. In fact, they have been very ambiguous on this issue prior to
 their alleged private statements yesterday and today.

 I will update my blog post the moment they announce that Silent Circle
 will be open source. I don't mean to shoot first, ask questions later,
 but rather highlight serious potential dangers.


 
  
  From: compa...@stanford.edu
  Date: Thu, 11 Oct 2012 12:48:03 -0700
  To: liberationtech@lists.stanford.edu
  Subject: Re: [liberationtech] Silent Circle to publish source code?
 
  We both received the same messages from Ryan Gallagher and Dan Gillmor:
 
  @rj_gallagher: @kaepora FYI I met with SC's CEO today for piece I'm
  doing + he told me they'll be making everything open source.
 
  That's why I added the question mark, in case someone on the list knew
  anymore (for example, when -- what date? -- do they plan to publish
  the code).
 
  I've contacted @Silent_Circle via Twitter and invited them on to
  Liberationtech. If anyone knows how to reach someone on the team
  directly, please let me know.
 
  It'd be nice to send them a personal invitation, so we can talk to the
  team directly rather than have a secondhand conversation.
 
  Best,
  Yosem
 
  On Thu, Oct 11, 2012 at 12:35 PM, Nadim Kobeissi na...@nadim.cc wrote:
   It would have been much nicer to create this thread based on real source
   code, instead of a tweet based on word of mouth. We'll see.
  
   NK
  
   On 10/11/2012 3:27 PM, Yosem Companys wrote:
   Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
   that Silent Circle (contrary to what you say in your post) will
   publish source code.

Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Nadim Kobeissi
I'm sorry but this could easily refer to open source libraries, and
commonly does. I will update my blog post again once source code is
available, which should hopefully be when the app is released next week.

NK

On Oct 11, 2012 6:49 PM, Ryan Gallagher r...@rjgallagher.co.uk wrote:

  On 10/11/2012 18:26 PM, Nadim Kobeissi wrote:
  I sincerely apologize if my post is jumping the gun a bit, but aside
  from reassurances in private press conferences, Silent Circle hasn't
  made any statement that supports their releasing their code as open
  source. In fact, they have been very ambiguous on this issue prior to
  their alleged private statements yesterday and today.

 Hmm. It says on the SC website that it will use Open Source Peer-Reviewed
 Encryption, Peer Reviewed Encryption and Hashing Algorithms, and also says
 we believe in open source. Is that very ambiguous?

 
  Date: Thu, 11 Oct 2012 18:26:28 -0400
  From: na...@nadim.cc

  To: liberationtech@lists.stanford.edu
  Subject: Re: [liberationtech] Silent Circle to publish source code?
 
  On 10/11/2012 5:51 PM, Ryan Gallagher wrote:
   To Nadim: I'm interested to know, did you contact anyone at SC before
   writing your blog post? Seems to me you arrived at your rather scathing
   conclusion largely on the basis of an assumption. A sort of shoot first,
   ask questions later approach. It actually says on the SC website that SC
   will use Open Source Peer-Reviewed Encryption. It also says,
   unambiguously, /We believe in open source/.
 
  It's almost impossible to develop the software Silent Circle is
  attempting to develop without using at least one open source library -
  this is in fact accentuated in my blog post.
  I sincerely apologize if my post is jumping the gun a bit, but aside
  from reassurances in private press conferences, Silent Circle hasn't
  made any statement that supports their releasing their code as open
  source. In fact, they have been very ambiguous on this issue prior to
  their alleged private statements yesterday and today.
 
  I will update my blog post the moment they announce that Silent Circle
  will be open source. I don't mean to shoot first, ask questions later,
  but rather highlight serious potential dangers.
 
 
  
  

   From: compa...@stanford.edu
   Date: Thu, 11 Oct 2012 12:48:03 -0700
   To: liberationtech@lists.stanford.edu
   Subject: Re: [liberationtech] Silent Circle to publish source code?
  
   We both received the same messages from Ryan Gallagher and Dan Gillmor:
  
   @rj_gallagher: @kaepora FYI I met with SC's CEO today for piece I'm
   doing + he told me they'll be making everything open source.
  
   That's why I added the question mark, in case someone on the list knew
   anymore (for example, when -- what date? -- do they plan to publish
   the code).
  
   I've contacted @Silent_Circle via Twitter and invited them on to
   Liberationtech. If anyone knows how to reach someone on the team
   directly, please let me know.
  
   It'd be nice to send them a personal invitation, so we can talk to the
   team directly rather than have a secondhand conversation.
  
   Best,
   Yosem
  
   On Thu, Oct 11, 2012 at 12:35 PM, Nadim Kobeissi na...@nadim.cc wrote:
    It would have been much nicer to create this thread based on real source
    code, instead of a tweet based on word of mouth. We'll see.

    NK

    On 10/11/2012 3:27 PM, Yosem Companys wrote:
    Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
    that Silent Circle (contrary to what you say in your post) will
    publish source code.

Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Nadim Kobeissi
Hi Chris,

I regrettably did not speak to anyone from Silent Circle. This is
off-topic, but I find it kind of ironic for you to be asking me this; you
have written scathing critiques involving my own software efforts without
once contacting me, and I believe you to be much more guilty of jumping
the gun than I could be in this occasion. But this is beside the point.

I've spoken to people who have been contacted by Phil and Jon and I have
been told prior to writing my post that both have been very ambiguous
regarding the availability of Silent Circle source code in its entirety on
the day of release. No formal statement has yet been made by Silent Circle;
if the source code is released when the software ships, I have absolutely
no problem admitting that I jumped the gun a bit; but aside from references
to open source (which could very well be limited to libraries (such as
libssl) or protocols (such as ZRTP)), I'm still waiting on the status of the
software.


NK


On Oct 11, 2012 7:10 PM, Christopher Soghoian ch...@soghoian.net wrote:

 Hi Nadim,

 You didn't directly respond to Ryan's question. Have you actually spoken
 to anyone at Silent Circle?

 The Silent Circle App isn't available for download to the general public
 yet. As such, I think the company can be forgiven for not having source
 code available just yet. Why not wait until the product is actually
 available for download before you jump the gun and state that the company
 is damaging the state of the cryptography community?

 I've met with the CEO a couple times in person and I've spoken with Phil
 and Jon. Although I'm by no means ready to bless the product -- not only do
 I want to see it open sourced, but I also want to see a published, thorough
 audit by a respected security consulting firm -- I am at least excited to
 see folks building a business around encrypted communications (where the
 crypto is the selling point, rather than an unadvertised feature, like
 Skype).

 Jon and Phil are not strangers to the security community and their
 email addresses can be found with about 2 seconds of Googling. If you have
 questions, why not contact them?

 Chris

 [Full disclosure: They've loaned me an ipod touch with a beta copy of the
 app so that I can try it out. As soon as the Android version is ready to
 go, I'll promptly give the iPod back to them. I'm not a Silent Circle
 investor, consultant, etc]


 On Thu, Oct 11, 2012 at 6:26 PM, Nadim Kobeissi na...@nadim.cc wrote:

 On 10/11/2012 5:51 PM, Ryan Gallagher wrote:
  To Nadim: I'm interested to know, did you contact anyone at SC before
  writing your blog post? Seems to me you arrived at your rather scathing
  conclusion largely on the basis of an assumption. A sort of shoot first,
  ask questions later approach. It actually says on the SC website that SC
  will use Open Source Peer-Reviewed Encryption. It also says,
  unambiguously, /We believe in open source/.

 It's almost impossible to develop the software Silent Circle is
 attempting to develop without using at least one open source library -
 this is in fact accentuated in my blog post.
 I sincerely apologize if my post is jumping the gun a bit, but aside
 from reassurances in private press conferences, Silent Circle hasn't
 made any statement that supports their releasing their code as open
 source. In fact, they have been very ambiguous on this issue prior to
 their alleged private statements yesterday and today.

 I will update my blog post the moment they announce that Silent Circle
 will be open source. I don't mean to shoot first, ask questions later,
 but rather highlight serious potential dangers.


 
 

  From: compa...@stanford.edu
  Date: Thu, 11 Oct 2012 12:48:03 -0700
  To: liberationtech@lists.stanford.edu
  Subject: Re: [liberationtech] Silent Circle to publish source code?
 
  We both received the same messages from Ryan Gallagher and Dan Gillmor:
 
  @rj_gallagher: @kaepora FYI I met with SC's CEO today for piece I'm
  doing + he told me they'll be making everything open source.
 
  That's why I added the question mark, in case someone on the list knew
  any more (for example, when -- what date? -- do they plan to publish
  the code).
 
  I've contacted @Silent_Circle via Twitter and invited them on to
  Liberationtech. If anyone knows how to reach someone on the team
  directly, please let me know.
 
  It'd be nice to send them a personal invitation, so we can talk to the
  team directly rather than have a secondhand conversation.
 
  Best,
  Yosem
 
  On Thu, Oct 11, 2012 at 12:35 PM, Nadim Kobeissi na...@nadim.cc wrote:
   It would have been much nicer to create this thread based on real source
   code, instead of a tweet based on word of mouth. We'll see.
  
   NK
  
   On 10/11/2012 3:27 PM, Yosem Companys wrote:
   Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
   that Silent Circle (contrary to what you say in your post

Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Bernard Tyers - ei8fdb


Is this a case of people (lib tech/security community) trusting people of
up-to-now good security community reputation (Phil Zimmermann and Jon Callas)
combined with public statements (to the effect of "we will be releasing the
source code") combined with briefings with selected groups?

Just curious. It goes back to the discussion about trusting open source 
software, or trusting people who we believe to have good intentions.

Bernard


PS: To try and keep the mood light: I wonder if the founders are fans of 
mid-80s German Euro-disco bands?


On 12 Oct 2012, at 00:09, Christopher Soghoian wrote:

 Hi Nadim,
 
 You didn't directly respond to Ryan's question. Have you actually spoken to 
 anyone at Silent Circle?
 
 The Silent Circle App isn't available for download to the general public yet. 
 As such, I think the company can be forgiven for not having source code 
 available just yet. Why not wait until the product is actually available for 
 download before you jump the gun and state that the company is damaging the 
 state of the cryptography community?
 
 I've met with the CEO a couple times in person and I've spoken with Phil and 
 Jon. Although I'm by no means ready to bless the product -- not only do I 
 want to see it open sourced, but I also want to see a published, thorough 
 audit by a respected security consulting firm -- I am at least excited to see 
 folks building a business around encrypted communications (where the crypto 
 is the selling point, rather than an unadvertised feature, like Skype).
 
 Jon and Phil are not strangers to the security community and their email 
 addresses can be found with about 2 seconds of Googling. If you have 
 questions, why not contact them?
 
 Chris
 
 [Full disclosure: They've loaned me an iPod touch with a beta copy of the app 
 so that I can try it out. As soon as the Android version is ready to go, I'll 
 promptly give the iPod back to them. I'm not a Silent Circle investor, 
 consultant, etc]
 
 
 On Thu, Oct 11, 2012 at 6:26 PM, Nadim Kobeissi na...@nadim.cc wrote:
 On 10/11/2012 5:51 PM, Ryan Gallagher wrote:
  To Nadim: I'm interested to know, did you contact anyone at SC before
  writing your blog post? Seems to me you arrived at your rather scathing
  conclusion largely on the basis of an assumption. A sort of shoot first,
  ask questions later approach. It actually says on the SC website that SC
  will use Open Source Peer-Reviewed Encryption. It also says,
  unambiguously, /We believe in open source/.
 
 It's almost impossible to develop the software Silent Circle is
 attempting to develop without using at least one open source library -
 this is in fact accentuated in my blog post.
 I sincerely apologize if my post is jumping the gun a bit, but aside
 from reassurances in private press conferences, Silent Circle hasn't
 made any statement that supports their releasing their code as open
 source. In fact, they have been very ambiguous on this issue prior to
 their alleged private statements yesterday and today.
 
 I will update my blog post the moment they announce that Silent Circle
 will be open source. I don't mean to shoot first, ask questions later,
 but rather highlight serious potential dangers.
 
 
 
  
  From: compa...@stanford.edu
  Date: Thu, 11 Oct 2012 12:48:03 -0700
  To: liberationtech@lists.stanford.edu
  Subject: Re: [liberationtech] Silent Circle to publish source code?
 
  We both received the same messages from Ryan Gallagher and Dan Gillmor:
 
  @rj_gallagher: @kaepora FYI I met with SC's CEO today for piece I'm
  doing + he told me they'll be making everything open source.
 
  That's why I added the question mark, in case someone on the list knew
  any more (for example, when -- what date? -- do they plan to publish
  the code).
 
  I've contacted @Silent_Circle via Twitter and invited them on to
  Liberationtech. If anyone knows how to reach someone on the team
  directly, please let me know.
 
  It'd be nice to send them a personal invitation, so we can talk to the
  team directly rather than have a secondhand conversation.
 
  Best,
  Yosem
 
  On Thu, Oct 11, 2012 at 12:35 PM, Nadim Kobeissi na...@nadim.cc wrote:
   It would have been much nicer to create this thread based on real source
   code, instead of a tweet based on word of mouth. We'll see.
  
   NK
  
   On 10/11/2012 3:27 PM, Yosem Companys wrote:
   Dan Gillmor @dangillmor: @kaepora Phil Zimmerman told me yesterday
   that Silent Circle (contrary to what you say in your post) will
   publish source code.

Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Nadim Kobeissi
Thanks for spelling it out, and Nathan.
NK
On Oct 11, 2012 8:12 PM, Nathan nat...@freitas.net wrote:

 Ryan,

  Hmm. It says on the SC website that it will use
 Open Source Peer-Reviewed Encryption,
  Peer Reviewed Encryption and Hashing Algorithms,
  and also says we believe in open source. Is that very ambiguous?

 As a reporter working on a piece, you should make sure you understand
 the difference between using open-source and being open-source. Having code
 availability for private audit or dumping a zip file of code that doesn't
 quite build entirely is very different from being a fully transparent
 open-source project. I am not splitting hairs here, just trying to make
 sure that you look beyond vague statements and perhaps ask "where's your
 git repo going to be hosted?" or "what license are you planning to use?" or
 even "will an independent developer be able to compile and run their own
 version of your software?".

 As an example, Phil's much heralded ZRTP protocol was openly published but
 server code to enable Asterisk support for it had a very ambiguous license
 that made it unusable in anything but a pure academic setting.

 Like organic, open-source is a term that is easily claimed but not often
 truly fulfilled. Nadim should be given more credit for the completely
 transparent and engaged open-source project he runs, and for defending an
 approach and philosophy that he is completely living up to.

 +n8fr8

Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Seth David Schoen
Ryan Gallagher writes:

  On 10/11/2012 18:26 PM, Nadim Kobeissi wrote:
  I sincerely apologize if my post is jumping the gun a bit, but aside
  from reassurances in private press conferences, Silent Circle hasn't
  made any statement that supports their releasing their code as open
  source. In fact, they have been very ambiguous on this issue prior to
  their alleged private statements yesterday and today.
 
 Hmm. It says on the SC website that it will use Open Source Peer-Reviewed 
 Encryption, Peer Reviewed Encryption and Hashing Algorithms, and also says 
 we believe in open source. Is that very ambiguous?

I think Google, or even Apple (!), could truthfully make the same
statements, but that doesn't mean that they've committed not to
develop proprietary software.  (In fact, a number of quite
significant open source contributions come from proprietary software
vendors.)

-- 
Seth Schoen  sch...@eff.org
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107


Re: [liberationtech] Silent Circle to publish source code?

2012-10-11 Thread Seth David Schoen
Nathan writes:

 Like organic, open-source is a term that is easily claimed but
 not often truly fulfilled. Nadim should be given more credit for the
 completely transparent and engaged open-source project he runs, and for
 defending an approach and philosophy that he is completely living up to.

Further to that, I hope people in situations like this won't be sloppy
with the distinction between open source and viewable source code.
Publishing source code gives some of the important benefits of open
source, but not all of them.

Open source doesn't just mean access to the source code.
http://opensource.org/osd.html

-- 
Seth Schoen  sch...@eff.org
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107