15 February 2013
Silent Circle Answers Questions
Date: Fri, 15 Feb 2013 10:19:55 -0500
From: Ali-Reza Anghaie <ali@packetknife.com>
To: cryptography[at]randombit.net
Subject: [cryptography] Fwd: Answers to some of your questions (Silent Circle responds..)
This was circulated on libtech and here it is for your consideration too.
It confirms some of the ramblings on the pad, disposes of some others, ..
Also attached is a condensed version of the pad after "summary" was put at
the top.
Cheers, -Ali
---------- Forwarded message ----------
From: Jon Callas <jon[at]silentcircle.com>
Date: Thu, Feb 14, 2013 at 11:28 AM
Subject: Answers to some of your questions
To: Ali-Reza Anghaie <ali[at]packetknife.com>
Cc: Jon Callas <jon[at]silentcircle.com>
Hi, Ali-Reza.
I saw your pastebit with some questions, and let me answer. You may repost
this mail to liberation tech or anywhere else.
* A Latvian company wrote most of the software, not SilentCircle
When we formed Silent Circle, we looked around for people to partner with.
We selected Tivi because they're really cool people -- I used their ZRTP-enabled
VOIP client back in the days when I had a Nokia N95. We picked them in part
because they were willing to release source code. (Other potential partners
were not willing.)
Our partnership with them includes that code base, and that they work for
us full-time now. They're some of our main developers now.
I have a bit of a raised eyebrow at this comment. (Yes, I know it's not your
words, you're also explaining.) It sounds to me like whoever is making that
comment is implying that there's something wrong with Latvia. Riga was for
many, many years a center of European high-tech until the dark days of WWII
and Soviet occupation. It's a lovely place filled with incredibly smart,
friendly people. It is a part of the EU, and also a NATO nation. Our team
is in Riga. We picked them because they rock.
Perhaps the comment comes from the fact that they were in business before
our partnership. It's relatively common in high-tech that companies enter
into partnerships with others. Google, Microsoft, Apple, Facebook, and others
often use some sort of relationship like this to get software or technologies
that they didn't have, so that it speeds up development. We are hardly unique
in this.
Perhaps I don't understand. If someone could explain the objection to me,
I'm happy to address it further.
* Application is designed for VoIP, not specifically for Security
It's a secure VOIP client. Because of its history, there's a lot of latent
capability in it that is VOIP related. Is there an actual question or objection?
* It does use an outdated SSL library (PolarSSL 1.1.1) with some known security
vulnerabilities?
No, we're using PolarSSL 1.1.4. We did not include the PolarSSL code in the
drop because we didn't want to figure out the licensing details.
* It does not use LibZRTP by Philip Zimmermann used in Zfone but ZRTPCPP
That is correct. We're using Werner Dittmann's library. We like it. We like
it so much that Werner is working for us. Werner rocks.
* It does use an outdated version of ZRTPCPP library?
I don't believe so. If anything, we're using a version of it that is newer
than anyone else's; Werner works for us, now.
Should we need to release a new version, we will.
* It does reveal their test/development server?
- "I wonder if they are hiring new iOS devs now?"
Yes, we are. We also need Android devs, and need them more than iOS devs.
Feel free to send résumés to <jobs[at]silentcircle.com>. Note that we are a highly-distributed company
with developers and staff stretched from Latvia to Greece, to the Pacific
West. Location almost does not matter. 31337 skillz do.
I will also note that the code of the VOIP system is the same across all
our apps. It gets compiled for iOS and Android, as well as Windows (Silent
Eyes). Each OS has its own UX skin on top of the code VOIP system.
- "I'd say anything that gets Silent Circle to actually answer questions
proper is useful, if that is the result."
Feel free to send questions to me, or to "security[at]silentcircle.com".
* In ./silentphone/tiviengine/prov.cpp there is some kind of provisioning
protocol, probably used to auto-configure the VoIP clients.
Good catch! Yes, indeed, we provision the clients ourselves. Silent Circle
is a *SERVICE* not an app.
* It should be evaluated the capability for a government censoring/filtering
host to block the user out by blocking accounts.silentcircle.com or
sccps.silentcircle.com. Maybe some dynamic methods are in place?
We'd love to hear suggestions. If someone's suggestion is particularly clever,
feel free to attach a résumé.
* It should be asked what the privacy handling is for those data and if
those can be additionally "privacy enforced".
Feel free to ask. I don't understand the question, myself.
* QUESTION: What is this certificate used for?
TODO: We should check to see if this certificate is used for TLS validation.
If so, that's cool, since it does not rely on a third-party CA.
Got it in one! Thank you for thinking it's cool.
Again, feel free to forward this mail to anyone, and I'm happy to entertain
questions from anyone.
Jon
-----
Jon Callas
Chief Technical Officer
Silent Circle, LLC
email: jon[at]silentcircle.com
Silent Phone: jon
silentcircle_condensed_pad.txt [below]
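The last point Jon confirms (the client validates TLS against a certificate it ships itself rather than a third-party CA) as an added Go example; this is not code from Silent Circle or from the thread, and the self-signed certificate, the pin value and the function names are constructed for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// newSelfSignedDER builds a throwaway self-signed certificate (constructed for this example) standing
// in for the certificate an app ships for its own servers; returns DER bytes.
func newSelfSignedDER() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
// spkiPin returns the hex SHA-256 of the SubjectPublicKeyInfo: the value an app embeds at build
// time as its pin (pinning the key rather than the whole cert survives re-issuance).
func spkiPin(der []byte) (string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}
// verifyPinned accepts the server only if the leaf's SPKI hash equals the embedded pin.
func verifyPinned(pin string) func(raw [][]byte, _ [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return errors.New("no certificate presented")
		}
		got, err := spkiPin(raw[0])
		if err == nil && got != pin {
			err = errors.New("server certificate does not match pinned key")
		}
		return err
	}
}
// pinnedConfig wires the check into tls.Config: InsecureSkipVerify skips chain building against the
// system roots, but VerifyPeerCertificate still runs, so only the shipped certificate is trusted.
func pinnedConfig(pin string) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: verifyPinned(pin)}
}
```

A client built with `pinnedConfig` will reject any server whose key differs from the pin, including one presenting a certificate issued by a publicly trusted CA; shipping a new pin therefore has to be planned as part of key rotation.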
_______________________________________________
cryptography mailing list
cryptography[at]randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography