[cryptography] Reply to Zooko (in Markdown)

zooko zooko at zooko.com
Thu Aug 29 18:26:48 EDT 2013


On Sat, Aug 24, 2013 at 09:18:33PM +0300, ianG wrote:
> 
> I'm not convinced that the US feds can at this stage order the 
> backdooring of software, carte blanche.  Is there any evidence of 
> that?
> 
> (I suspect that all their powers in this area are from pressure and 
> horse trading.  E.g., the export of cryptomunitions needs a 
> licence...)

I don't know. I asked a lawyer a few days ago -- a person who is, as far as I
can tell, one of the leading experts in this field. Their answer was that
nobody knows.

In any case, you don't appear to be arguing that Silent Text is different from
Silent Mail, only that the U.S. Federal Government would not require Silent
Circle to actively backdoor their own products. This argument applies equally
to the canceled product and the current ones.

In fact, I don't think it is a useful question for evaluating the security of
services that you rely on. If a service provider could spy on you at the behest
of their government, then an attacker who infiltrated that service provider's
systems could also spy on you.

Imagine that your adversary is not the U.S. NSA, but instead Chinese
cyber-warriors, and instead of contacting your service provider and demanding
cooperation, they simply remotely infiltrate your service provider's employees'
laptops. They've apparently done this many times in recent years, to Adobe,
Google, Microsoft, Nortel Networks, and basically every other company you can
name.

So I don't think the question of "To whom is my service provider vulnerable?"
is the right question. You can't really know the answer, so it doesn't help you
much to wonder about it. The right question is "Am I vulnerable to my service
provider?". The answer, as far as Silent Circle's current products go, is
"Yes."


> I would be surprised if there was a single stated reason.

Here are the first five hits from DuckDuckGo for the query "silent circle
mail":

    "We knew USG would come after us." That's why Silent Circle CEO Michael
    Janke tells TechCrunch his company shut down its Silent Mail encrypted
    email service.

    http://techcrunch.com/2013/08/08/silent-circle-preemptively-shuts-down-encrypted-email-service-to-prevent-nsa-spying/

    Silent Circle, the provider of a range of secure communications services,
    has pre-emptively closed its Silent Mail email service in order to stop
    U.S. authorities from spying on its customers

    http://gigaom.com/2013/08/09/another-u-s-secure-email-service-shuts-down-to-protect-customers-from-authorities/

    Silent Circle, the global encrypted communications firm revolutionizing
    mobile security for organizations and individuals alike, today announced it
    has discontinued its Silent Mail e-mail encryption service in order to
    preempt governments' demands for customer information in the escalating
    surveillance environment targeting global communications. 

    http://www.darkreading.com/privacy/silent-circle-ends-silent-mail-service-t/240159779

    the Lavabit e-mail service used by National Security Agency leaker Edward
    Snowden announced Thursday that it would shut down, implying heavily that
    it had received some sort of government request for information. Hours
    later ... Silent Circle, said it would preemptively shut down its Silent
    Mail service to avoid ending up in the same position.

    http://m.washingtonpost.com/business/technology/lavabit-silent-circle-shut-down-e-mail-what-alternatives-are-left/2013/08/09/639230ec-00ee-11e3-96a8-d3b921c0924a_story.html

    There are far too many leaks of information and metadata intrinsically in
    the email protocols themselves. Email as we know it with SMTP, POP3, and
    IMAP cannot be secure.

    https://silentcircle.wordpress.com/2013/08/09/to-our-customers/

(Kudos to Jon for saying something sensical in that last one!)

Regards,

Zooko
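The last quoted item, Silent Circle's point that the e-mail protocols leak metadata regardless of how the body is encrypted, is concrete enough to show in code. The script below is an added illustration, not code from this thread or from Silent Circle: it parses a constructed PGP/MIME message (RFC 3156 layout) the way a mail provider's server would see it after delivery, and separates the header fields the provider can read in the clear from the one MIME part it cannot. The addresses, hostnames, `Received` hop and `Message-ID` values are placeholders, and the "ciphertext" is a dummy base64 line, not real OpenPGP output.

```python
"""Which parts of an end-to-end encrypted e-mail the mail provider still sees.

Added example, not from the original post. The message below is constructed
for illustration; the PGP block is a placeholder, not real OpenPGP output.
Python standard library only.
"""
from email import message_from_string
from email.message import Message

# Constructed sample: a PGP/MIME message (RFC 3156) as stored in the
# recipient's mailbox. Only the second MIME part is encrypted; every header
# above it travelled in the clear over SMTP and stays readable at rest.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.provider.example (Postfix) with ESMTPS id 4B2C1;
 Fri, 9 Aug 2013 10:15:02 -0400
From: Alice <alice@example.org>
To: Bob <bob@provider.example>
Cc: carol@example.net
Subject: Q3 board minutes (confidential)
Date: Fri, 9 Aug 2013 10:14:58 -0400
Message-ID: <20130809141458.1234@example.org>
In-Reply-To: <20130808190101.987@provider.example>
User-Agent: Mozilla Thunderbird
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0pCnI9Qa7fUAQf/QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END PGP MESSAGE-----

--b1--
"""

# Header fields that remain plaintext under PGP/MIME and are routinely mined:
# who talks to whom, when, about what, from which client, via which hosts.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID",
                    "In-Reply-To", "User-Agent", "Received")


def is_pgp_mime_encrypted(msg: Message) -> bool:
    """True if the message uses the RFC 3156 multipart/encrypted layout."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def plaintext_metadata(msg: Message) -> dict:
    """Return every listed header the provider can read in the clear.

    Received headers accumulate one per hop, so they come back as a list.
    """
    visible = {}
    for name in METADATA_HEADERS:
        values = msg.get_all(name)
        if values:
            visible[name] = values if name == "Received" else values[0]
    return visible


def encrypted_payload(msg: Message) -> str:
    """The opaque OpenPGP part (the only thing the provider cannot read)."""
    if not is_pgp_mime_encrypted(msg):
        return ""
    parts = msg.get_payload()
    # RFC 3156: part 0 is the "Version: 1" control part, part 1 the ciphertext.
    return parts[1].get_payload()


def analyse(raw: str) -> dict:
    """Split a raw RFC 5322 message into provider-visible and hidden pieces."""
    msg = message_from_string(raw)
    return {
        "encrypted": is_pgp_mime_encrypted(msg),
        "visible": plaintext_metadata(msg),
        "ciphertext": encrypted_payload(msg),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_MESSAGE)
    print("body encrypted:", report["encrypted"])
    print("headers readable by the provider:")
    for name, value in report["visible"].items():
        print(f"  {name}: {value}")
    print("bytes the provider cannot read:", len(report["ciphertext"]))
```

Running it prints the full sender, recipients, subject line, timestamps, thread linkage and mail client for the message, with only the body opaque; this is the sense in which SMTP/IMAP cannot be made private by body encryption alone, and it applies whether the party reading the mailbox is the provider, someone with a legal demand on the provider, or an intruder on the provider's systems.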

