1. Blackphone: Privacy People WANT to Buy
2. Why Are We Competing with Phone Makers, Skype and Telecom Carriers – All in the Same Week?
3. Silent Text 2.0: The next generation of private messaging
4. Our Move to Switzerland
5. 10 Tips To Protect Your Privacy While Traveling
6. Finishing Up From Heartbleed
7. Heartbleed Bug
8. Our Transparency Report
9. IT’S HERE!
10. Are You Guys Crazy?

Blackphone: Privacy People WANT to Buy

This is a direct excerpt from Toby Weir-Jones, CEO of SGP Technologies (maker of Blackphone), in response to a recent Blackberry blog post – Mike Janke:

Dear Privacy Enthusiast,

On July 11, our friends at Blackberry posted an article about, of all things, us! The piece goes to some effort to suggest that BP1 is “consumer-grade”, and therefore “inadequate” for business users. Setting aside the fact that we think consumers deserve the same security as companies, we weren’t surprised the piece extols the virtues of Blackberry’s own solutions at our expense…

Read the rest of Toby’s comments here.

Why Are We Competing with Phone Makers, Skype and Telecom Carriers – All in the Same Week?

It’s simple: because we believe that technology should be a force for good. As a result, we’re developing technologies and products that disrupt the industries we’ve rapidly come to accept as “traditional” – telcos, tech companies, phone makers. Why? Because those industries have ended up as a raw deal for people.

The result is we offer better value and a more secure communication ecosystem for enterprises and individuals seeking privacy and security. And we’re only just getting started.

Last week we shipped our Blackphone, selected as one of the Top 10 Devices of the Year at Mobile World Congress and one of the Top 10 Breakthrough Technologies of 2014 by MIT Technology Review.

Today, we launched the world’s first Global Encrypted Calling Plan. The first of its kind, a pink unicorn that is the brainchild of my co-founders Phil Zimmermann and Jon Callas. This unique innovation is already causing serious concern among major telecom companies around the world. We are not only exploiting massive holes in the market, we are attacking them. Our newly expanded Global Encrypted Calling Plans are up to 50% less expensive than many of the telecoms’ existing plans, but our coverage offers about 45 more countries than they do; and oh, by the way, it’s encrypted to the public switched telephone network (PSTN). That is something no other company offers in the marketplace today. We are literally saving businesses tens of thousands of dollars a month.

With each of our products, we are doing things that no one else does. Individually they are best-in-class. In combination, it’s a new approach to communication. It’s as simple as that.

The Skype Disruption

Now let’s talk about Skype. The wiretap-friendly communication tool that started out with great intentions, and was a real breakthrough many years ago. Today, Skype is banned from being used in many of the Fortune 1000 companies and shunned by anyone expecting some level of privacy. I don’t necessarily fault Microsoft, as prior to the summer of Snowden every major technology company was capitulating on some level to its host-country intelligence service – in almost every country. Things are different now. The world now understands that a Skype call is not private between users, and if you are fine with that, well, I see no reason to fault you. Businesses understand that their intellectual property and competitive edge can be destroyed literally overnight by a communication leak.


Today, we take on Skype, Viber, Ring Central and others as well. Not only by providing a secure alternative but also in price and reach. Skype’s website lists its premier global plan as covering 8 countries mobile and 63 landline for $13.99 per month. Our encrypted calling is secure to a country’s PSTN, covers 41 mobile and 79 landline countries, allows you to choose a phone number from 26 countries, receive calls from anywhere, anytime, and you can choose 100, 250, 500 or 1000 global minutes. Oh, we also give you all three of our secure apps with the plan, so you can call, text or video-chat completely end-to-end encrypted. Skype? Uh, no.

A True Virtual Operator – Disrupting the Telecoms

If there was one industry that is ripe for disruption – I would choose the telecommunications industry. In some countries and regions, the evil “roaming charge” represents up to 30% of a telecom’s EBITDA. In Europe alone, one of the top expenses for a business or consumer is simply roaming and long distance charges. One of my good friends, Beat Geissler, is a Swiss native, former Swisscom executive, entrepreneur and investor who now lives in Berlin. He spends upwards of 2,500 CHF on roaming and long distance calls – a month! Now, as a member of Silent Circle, it’s just $40 a month. One of our Fortune 100 customers in Zurich has estimated they will save over $38,000 a month AND be secure using Silent Phone. That is real disruption, not just a stupid word that gets tossed around management meetings.

We are now becoming a “Secure Virtual Operator” in the truest sense. We can challenge phone makers and telecoms from our office and network in Switzerland. We do not incur the billions of dollars of CAPEX and expenses that telecoms spend on infrastructure a year – instead we utilize that infrastructure to send encrypted voice, video, text, files, conference calls and secure-to-PSTN calls over the world’s existing backbone, at less expense and more securely than any telecom can.

There are, however, a few unique and innovative telecom leaders out there. Carlos Slim at América Movíl, Eelco Block at KPN, Olaf Swantee at EE and Augie Fabela at Vimpelcom are the real visionaries who look beyond each quarter’s result and try to embrace the future while helping shape it. They get it. The others? Well, so far – no. These innovators have embraced Blackphone, our Global Encrypted Calling Plans and our Software-as-a-Service to stay ahead of disruption and shape their future markets. They also see things that others are too slow to react to. They actually do things “FOR” the customer, not “TO” the customer. Eventually, we will handle every facet of operations – virtually. We will not need 10,000 customer service reps in Bangladesh or confusing options and massive CAPEX expenses. All of it end-to-end encrypted or secure to the PSTN.

Becoming The Enterprise Device of Choice

Many of the prognosticators and pundits did not see this global shift coming. Only two of the phone makers are making money, Apple and Samsung. Those two also happen to be squeezing the Telecoms by taking a percentage of their data plans sold and forcing things on them. The rest of the pack (LG, Nokia, Sony, Motorola, Blackberry, etc.) have been losing billions. Some have decided to give up on chasing Apple and Samsung and instead have chosen to chase the $100-phone emerging markets; others are still in limbo trying to figure out what they will do next. We snuck in the back door, by offering the most secure commercial device system on the market. We don’t want to sell 100 million phones, we simply want to own the secure enterprise and prosumer market. It’s a journey for us and will take time, but it’s already happening. Come join us for the ride.

Mike Janke

CEO, Silent Circle.

Silent Text 2.0: The next generation of private messaging

Our release of Silent Text 2.0 (ST-2) is a major rewrite of our previous product and a harbinger of some of the technology that Silent Circle will be using to improve the security and refine the user experience of our customers. We have learned quite a bit about how our customers use messaging over mobile devices and have rolled much of their feedback into this release.

The primary impetus behind ST-2 was to address the following:

Eliminate the keying delay.

The prevailing end-to-end security protocols were designed with the assumption that both parties are concurrently present on the network. This is often not the case for mobile devices. Ideally you should be able to start sending secure messages without waiting for the recipient to respond, but without sacrificing the level of security and end-to-end encryption provided by the key exchange that we employ in our current product.

To this end we have invented Progressive Encryption technology, a hybrid of both public key and ephemeral key agreement protocols. The SCIMP protocol used by Silent Text 2 incorporates this technology, enabling the sender to securely transport messages on the first packet and simultaneously transition to hash-committed Diffie-Hellman. All without the annoying push notifications for keying events.
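To make the commitment step concrete, here is an added Python sketch of a hash-committed Diffie-Hellman exchange. It is not Silent Circle’s SCIMP code or wire format (neither is given on this page): it assumes SHA-256 over the RFC 3526 2048-bit MODP group, and it leaves out the public-key-encrypted first message that Progressive Encryption layers on top. What it shows is why the commitment matters: the initiator is bound to g^a before it ever sees g^b, so a share chosen afterwards is rejected.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2. Chosen so the arithmetic is
# realistic with only the standard library; SCIMP itself uses other primitives.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2          # P is a safe prime; G generates the order-Q subgroup


def h(tag, *elements):
    """Domain-separated SHA-256 over fixed-width (256-byte) group elements."""
    m = hashlib.sha256(tag)
    for n in elements:
        m.update(n.to_bytes(256, "big"))
    return m.digest()


def valid_element(x):
    # Reject 0, 1, P-1 and out-of-range values before any arithmetic.
    return 1 < x < P - 1


class Initiator:
    def __init__(self):
        self.a = secrets.randbelow(Q - 2) + 2
        self.ga = pow(G, self.a, P)
        self.gb = None

    def commit(self):
        # Message 1: H(g^a). Binds the initiator to g^a without revealing it.
        return h(b"commit", self.ga)

    def reveal(self, gb):
        # Message 3 (only after the responder's g^b arrived): the committed value.
        if not valid_element(gb):
            raise ValueError("bad responder value")
        self.gb = gb
        return self.ga

    def key(self):
        return h(b"key", pow(self.gb, self.a, P))


class Responder:
    def __init__(self, commitment):
        self.commitment = commitment
        self.b = secrets.randbelow(Q - 2) + 2
        self.gb = pow(G, self.b, P)      # Message 2, sent after seeing only the hash

    def accept(self, ga):
        # Accept g^a only if it matches the commitment received before g^b went out.
        if not valid_element(ga):
            return None
        if not hmac.compare_digest(h(b"commit", ga), self.commitment):
            return None
        return h(b"key", pow(ga, self.b, P))


def run_handshake(substitute_ga=False):
    """Runs the three messages; returns (accepted, initiator_key, responder_key)."""
    alice = Initiator()
    bob = Responder(alice.commit())      # msg 1: commitment -> Bob
    ga = alice.reveal(bob.gb)            # msg 2: g^b -> Alice; msg 3: g^a -> Bob
    if substitute_ga:
        # A share picked only after g^b is known cannot match the commitment
        # that was already sent (simulated here with a fresh exponent).
        ga = pow(G, secrets.randbelow(Q - 2) + 2, P)
    kb = bob.accept(ga)
    return kb is not None, alice.key(), kb


if __name__ == "__main__":
    print("honest run agrees:", run_handshake()[0])
    print("late-chosen share accepted:", run_handshake(substitute_ga=True)[0])
```

The substituted share fails the commitment check, which is the property that stops either side (or someone in the middle) from picking its value after seeing the other’s; the element validity checks are the other thing a reviewer would look for in a real implementation.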

We have also added some new non-NIST cryptographic algorithms to our protocol, including Twofish, Skein and the Bernstein–Lange elliptic curve Curve41417.

Better security for data at rest.

The iOS implementation has been substantially rewritten. We walked away from Apple’s CoreData and didn’t look back. We replaced it with YapDatabase, developed by our own very talented Robbie Hanson. This gave us amazing improvements in performance and reliability, as well as substantially better anti-forensics for the data at rest. All the protocol security in the world won’t help you if your device is not well protected, and so we treat that with the same amount of concern. Robbie also wrote the XMPP Framework used by us and, it would seem, by many other iOS messaging apps.

Improvements in user experience.

We have come a long way here, too. On Silent Text iOS we have done a major redesign of the user experience to raise the standard of secure mobile messaging. You will find a plethora of new features, not the least of which is a native iPad split-screen experience, as well as Silent Contacts, a built-in secure contacts book. Other highlights: messages can be queued while offline and sent later; return receipts for messages, which can be turned off on a per-conversation basis; and a secure media shelf to keep track of items such as documents and photos that are enclosed in messages.

The Future.

We have a number of things in the works across all of our platforms in the near future. Expect to see secure group conversations, as well as major improvements in cloud storage management. We have come a long way in the last two years and I believe you will be happy with where we are going.


Our Move to Switzerland

Switzerland – the land of Privacy, Neutrality and now Silent Circle (not to mention great cheese, chocolate and watches). We are very much an international firm. We have employees scattered among 9 countries, data centers in Canada and Switzerland, and we count customers from over 130 countries with a heavy concentration of Global 1000 enterprise customers outside of North America. We decided to move our Headquarters from the Caribbean island of Nevis to Switzerland and move a lot of our customer service, finance, sales and operations into this new large office.

It was very important for us to remain a “Global Neutral Privacy Provider”, as well as a politically and religiously agnostic company. Switzerland has the world’s most robust privacy laws, fantastic business and financial resources and an incredible business-friendly atmosphere. In addition to being the world’s center for Human Rights, global freedom of speech and an innovative technology hub, Switzerland is our perfect home. This move was a logical and easy decision for us. With over 75% of our customer base outside of North America and our Joint Venture company Blackphone also headquartered in our joint new office space in Switzerland – it was a natural move.

We will continue to grow our North America office in Washington, DC as well as our London office, but most of our new growth will take place in our new headquarters. So, if you find yourself in Europe or close to Switzerland, we are only a short hop or train ride away – so please do stop into our new Headquarters office to say hi.

10 Tips To Protect Your Privacy While Traveling


As the warmer weather of summer approaches you may be thinking about a trip or weekend getaway. Whether you’re planning on kicking it in Cabo or frolicking in the French Riviera, Silent Circle’s privacy gurus can help you to protect your privacy while traveling. Here is a countdown of some best practices…

10. Know your destination - If certain types of content are illegal in the jurisdiction of your destination or are at risk of being stolen, don’t bring them with you. Possessing illegal or enticing content will make your device an attractive target for confiscation or theft.

9. Use a screen filter - If you want to avoid those wandering eyes at the airport or the coffee shop when you are using your laptop, tablet, or phone, protect your information with a screen filter. This allows you to keep your electronic information private and confidential while working in a public place. There are a number of products on the market around $20 – $40 and the materials for the filters have improved over the last few years.

8. Keep a backup - Before you leave, make a backup of all the contents of the devices that you plan on taking on your trip. Delete any items off the device that you will not need, because if it isn’t there, it can’t be stolen! Be sure to password protect the backup and keep it safe at home. This way if something happens to your device there is no need to fret (and it’s probably time to order a Blackphone anyway – shameless plug).

7. Don’t put devices in checked bags - While traveling keep your devices with you at all times.  Checking your devices makes them vulnerable for theft, damage, or loss. D’oh!

6. Keep things locked up - Your hotel room should have a safe and it is important to use it to store valuables and devices.  Be sure to lock up your valuables after you check in.  It is a good idea to ask the hotel before making the reservation if they have a safe in the room. Conde Nast had some further advice on this topic. Note* – 1234 is NOT a good passcode.

5. Use strong passwords - Enable password protection on your devices and give them a strong password. For best practices on password protection visit our previous post on online privacy.

4. Turn off Bluetooth - Scammers are continuing to find new ways to exploit your device.  In addition to WiFi, Bluetooth also creates vulnerabilities.  If you do want to use Bluetooth, be smart about it and don’t accept pairing requests from unknown parties. Also, try to use a minimum of eight (8!) characters in your PIN.  Of course, turn off your Bluetooth connection when you aren’t using it especially in public areas- your credit history, your contacts, and your battery will thank you.

3. Be smart when using WiFi - If you follow a simple metaphor, we all need water, but you wouldn’t drink ANY water you could find. Well, the same is true for WiFi. Don’t trust any old network that you are connecting to – you never know what’s “floating” around in it (OK- no more metaphors).  Use a VPN to connect to the Internet (perhaps Hotspot Shield, VyprVPN, Private WiFi, to name a few). Plus, it’s a good idea to turn off WiFi when you do not need access to the Internet. 

2. Don’t announce on social media that you will be traveling - Posting about your upcoming travel plans on social media can make you or your property an easy target.  If you use a travel site to book your trip make sure to turn off the social sharing options that dump your travel details into someone else’s news feed.  Stay mum about your next trip (don’t “check-in” or use anything with geolocation) and wait until you get back to post pictures to make your friends jealous.  Also, be mindful of your privacy settings on social regarding who has access to your photos.

1. Use encryption - We’d be remiss not to mention this one. If your devices have the option to encrypt the storage, do it!  This will give you peace of mind in the event your device is lost or stolen.  If you haven’t encrypted your storage yet, try not to leave it to the last minute- it can take over an hour to encrypt. Don’t even get us started on encrypted calling…

Always use caution when traveling and be mindful of your surroundings.  Safe travels.

Finishing Up From Heartbleed

In our previous blog post on Heartbleed we said that we would tell you more when we had finished our own cleanup. We completed our work this weekend. We replaced all our SSL certificates, and that required us to update the Silent Text apps themselves. We would also like to give a shout-out to our CA, Entrust, who is giving free updates to certificates for any of their customers who want to replace an SSL certificate over this issue.

We have thus updated all of our affected servers, replaced all our certificates, updated our apps, and tested and verified everything. It’s been a busy few days, and our team has done a fantastic job keeping many things working as we revised the working infrastructure.

That means that there are two things that are a good idea for you, a subscriber, to do:

1. Change your password. Now that the servers have new certificates, this is the time to do it.

2. Reset your devices. Silent Circle apps get provisioned with authentication tokens that let the app automatically connect to our servers and authenticate properly as a subscriber. There’s a unique authentication secret for every service (Silent Phone and Silent Text) and every device that you provision.

Just as Heartbleed could in theory leak passwords and keys, it could in theory leak these authentication tokens. By resetting the devices connected to your account, you throw away the existing tokens. You will need to re-provision your devices, but that’s simple.

You reset your devices by going to this page on accounts.silentcircle.com and clicking the reset button. That breaks the connection between our server and your apps.

Then restart the apps, and re-provision. On Android, you only need to type your username and password once, and that provisions all the apps. On iOS, you’ll need to type a username and password for Silent Phone, and get a provisioning code for Silent Text. We’ll have an update for Silent Text that makes this easier soon.

That’s it. Changing your password and resetting the apps tidies up everything that could possibly have been leaked by Heartbleed.

Heartbleed Bug


We are sure that you have heard about the Heartbleed bug. Heartbleed is a flaw in OpenSSL’s implementation of the TLS heartbeat extension (RFC 6520): a missing bounds check lets a peer send a heartbeat whose claimed payload length exceeds the actual message, and the response then copies up to 64 KB of adjacent process memory, which can include private keys, session data and passwords. The official reference to the Heartbleed bug is CVE-2014-0160. We want to give an update about how it does and does not affect Silent Circle.
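As an added illustration (not OpenSSL’s code, and not anything from Silent Circle), the Python below models the heartbeat handling on a constructed byte buffer: the peer claims a 64-byte payload in a 2-byte heartbeat, the pre-fix handler copies 64 bytes starting at the payload and so returns whatever sits next to the record, and the handler with the bounds check added by the fix drops the message. The neighbouring cookie string and the zero padding are made up for the demo.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16     # RFC 6520: at least 16 bytes of padding follow the payload
HEADER_LEN = 1 + 2   # type byte + 16-bit payload_length


def parse_header(buf):
    hb_type = buf[0]
    (payload_len,) = struct.unpack(">H", buf[1:3])
    return hb_type, payload_len


def build_response(payload):
    return (bytes([HB_RESPONSE]) + struct.pack(">H", len(payload))
            + payload + bytes(PADDING_LEN))


def heartbeat_vulnerable(proc_mem, record_len):
    """Pre-fix logic: payload_len is attacker-controlled and never compared
    with record_len, so the copy runs past the record into adjacent memory."""
    hb_type, payload_len = parse_header(proc_mem)
    if hb_type != HB_REQUEST:
        return None
    payload = proc_mem[HEADER_LEN:HEADER_LEN + payload_len]   # over-read
    return build_response(payload)


def heartbeat_fixed(proc_mem, record_len):
    """Post-fix logic: the heartbeat is discarded unless the whole message,
    padding included, fits inside the record that was actually received."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None                              # no room even for an empty payload
    hb_type, payload_len = parse_header(proc_mem)
    if hb_type != HB_REQUEST:
        return None
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:
        return None                              # the check that was missing
    payload = proc_mem[HEADER_LEN:HEADER_LEN + payload_len]
    return build_response(payload)


def build_request(payload, claimed_len):
    return (bytes([HB_REQUEST]) + struct.pack(">H", claimed_len)
            + payload + bytes(PADDING_LEN))


# Constructed demo: a 2-byte heartbeat that claims 64 bytes, followed by data
# that happens to be adjacent in the process heap (invented for this example).
HONEST = build_request(b"hi", 2)
MALICIOUS = build_request(b"hi", 64)
NEIGHBOUR = b"Cookie: session=deadbeef-example;"
PROC_MEM = MALICIOUS + NEIGHBOUR + bytes(64)


def demo():
    """Returns (vulnerable handler's reply, fixed handler's reply on the same
    input, fixed handler's reply to an honest request)."""
    leaked = heartbeat_vulnerable(PROC_MEM, len(MALICIOUS))
    blocked = heartbeat_fixed(PROC_MEM, len(MALICIOUS))
    honest = heartbeat_fixed(HONEST + NEIGHBOUR, len(HONEST))
    return leaked, blocked, honest


if __name__ == "__main__":
    leaked, blocked, honest = demo()
    print("vulnerable handler returned:", leaked[HEADER_LEN:HEADER_LEN + 64])
    print("fixed handler on same input:", blocked)
    print("fixed handler on honest request:", honest)
```

The two length comparisons in the fixed handler are the whole patch; everything else is unchanged, which is why the bug survived review for as long as it did.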

We use a diversity of SSL implementations in Silent Circle. Our whole Silent Phone infrastructure uses PolarSSL, not OpenSSL, and consequently is unaffected by this bug. Silent Text clients use the native SSL for iOS and Android, which is sometimes OpenSSL on Android, but the problem is primarily a server issue (a vulnerable OpenSSL client can also be read by a malicious server, so Android users should still take platform updates).

Our Silent Text servers and web servers use OpenSSL. All of our servers that use OpenSSL were upgraded within two hours of hearing about the Heartbleed bug. To those servers, over 99% of the observable traffic uses the Perfect Forward Secrecy cipher suites, so even a leaked server private key would not let previously captured traffic be decrypted, and thus the existing risk is mitigated. We say “observable” because our customer account servers don’t log and we had to infer the statistics.

Silent Circle is secure, the threat has passed; the few servers that were vulnerable are upgraded. We are now looking at additional mitigations that we feel we should do, including replacing SSL server certificates. We’ll update you as soon as we have more to say.

Our Transparency Report

Every three months, we compile a Transparency Report to document the number of law enforcement requests we’ve received. Companies do this to show that they’re responsible to their customers about protecting their privacy.

In a Transparency Report, there are typically three columns of data: one for “Who asked,” one for “How many times did they ask,” and one for “How many times did we say ‘yes’ and give them what they asked for.”

We’ve had no law enforcement requests, which makes the reports a bit uninteresting compared to others in the industry. I mean, who wants to look at all zeros? But while the data represented by those numbers is uninteresting, the metadata represented by them says a lot about our company and its values.

From a data and metadata-harvesting perspective, we are an unusual company. We don’t keep logs of customer activity. We don’t have access to the keys our customers use to encrypt their data. Our privacy statement is pretty much a laundry list of data we don’t have to offer. So nobody to date has wanted to waste their time getting data from us that we don’t have.

The first Transparency Report we did was on November 15th 2013, which is here.

All zeros. You will find the same in our current report.

We expect the trend to continue. But what about requests that we can’t disclose? The only thing you would see in the report is that the count for secret requests changes from zero to some higher number range.

So, taking a page from rsync.net’s playbook, we’ve implemented a Warrant Canary. The assumption is that, while we could not say that we have received a secret order, there is nothing preventing us from saying that we haven’t, and from simply ceasing to say so if that ever changes. So, once a week, we will be updating a page here, signed digitally, stating that we have not been compelled by a secret order: https://canary.silentcircle.com/

The threat of a warrant or subpoena is not much of a threat to us or to our customers because, unlike other companies, we have nothing to share. Even if we are the subject of a secret court warrant or subpoena, any data we could hand over would be useless. So the Warrant Canary is just another way of reporting that all is well, not a warning that the walls protecting your private data have been breached.

IT’S HERE!


The wait is over! After weeks of build-up and anticipation, Blackphone has been officially released at Mobile World Congress in Barcelona, Spain! Blackphone is now available for pre-order at https://store.blackphone.ch/.

Are You Guys Crazy?

Challenging Conventional Wisdom

Since we announced the launch of our new high-end mobile phone, Blackphone, Jon, Phil and I have been hearing this statement a lot – “Are you guys crazy?”  I have spoken to CEOs of large phone makers, security app developers, tech companies and some heavy-hitting industry folks who all seem quite curious as to why we would take on “The Big Guys” by partnering with Geeksphone to produce our own Privacy and Security-centered Smartphone.

Everyone likes to point out that this is not the way it works and we don’t seem to understand the “hierarchy” here. “It’s not how things are done” is a common statement we hear. Samsung, Apple, HTC, Nokia, LG, etc. ship hundreds of millions of smartphones and “own” this particular playground. This is changing rapidly – we see the need for an entirely new ecosystem. When we announce our other partners on this project it will become much clearer why we believe we can take on “the big dogs” and provide the world with a more secure platform.

We also hear “What makes you think you can challenge Blackberry or Samsung KNOX?” Well, partly due to the massive changing landscape of mobile manufacturing, mobile security trends and partly due to some very cool innovation from our Blackphone Team. It is impossible for these giant phone makers to sell hundreds-of-millions of phones and care about privacy.

As Phil Zimmermann pointed out to a reporter last week….

Just as PCs are going the way of the Dinosaur, so too is the current model of smartphone saturation. Just as PCs came loaded with Bloatware and software contracts that forced us to have a terrible technology experience –the same has happened today with the smartphone.

Go buy a smartphone in a store today, there are at least 10 apps preloaded from the carrier or manufacturer as well as other third parties. You cannot stop this “bloatware” from sucking up your contact list or from sending usage, browsing, app and personal data to all of these stakeholders.

Today’s “prosumer” has little to no control over the river of personal data being sucked up hourly in exchange for these “free services”, let alone have some small protection against the massive surveillance of the 72 NSA-like agencies in the world.  Today’s consumer has become the host to a hundred data-parasites on every smartphone and they have no control, no say, and no other option. Until now…

Contrary to a lot of the recent press, Blackphone is not “NSA Proof”. There is no such thing as a 100% secure smartphone. Blackphone is much, much more secure than normal phones, but it also allows users to work, play and interact like normal. Users control who sees what data, how much, where and when. A different model altogether.

Subverting The Dominant Paradigm

Blackphone is an innovative new ecosystem. The idea of creating an entirely new ecosystem is not new. Microsoft had its run with Windows, Skype, and Bing. They created an entire ecosystem behind the hardware and software, but failed to innovate ahead of the curve. Blackberry had its run with the phones, BES servers and BBM messaging. They are now dying a thousand little deaths because they did not innovate quickly enough. Google, Apple, Samsung and others have created dominant ecosystems that tie in software, hardware, wearables, media, music and services. They rapidly innovated new platforms and models that left Microsoft, Blackberry, Nokia, HTC and others behind quickly. It’s been an amazing run for them, but this model too is dwindling. Fast movers like Xiaomi are killing them. Innovation, security and privacy demands are already putting cracks in this windshield. The fuel that feeds their ecosystem machine is customer data… Your data. It is pure gold to them.

It’s time for a different approach, a different type of ecosystem.  One built upon user control, security and privacy. Blackphone is that new ecosystem.

At Silent Circle, our secure communications products, calling plans and services are used by consumers from over 100 countries, Fortune 500 companies, and international businesses of all sizes and by Government customers from many, many countries.  Because we don’t collect, hold, or use customer data –it’s virtually impossible to run our business the “Customer Analytics Way”. Yet, we also realized a secure communications service could only be as good as the platform it’s delivered on. We looked all over the world for a partner who had the same ideals, the same “crazy” nature, and one that had shipped smartphones to consumers without relying on customer data as the main profit center. There was only one like this in the world –Geeksphone out of Spain. A perfect innovative partner.

We realized we had to create and deliver an entirely new international ecosystem in order to break the chains of the existing platforms where monetization of customer data is priority number one.

Enterprise is Being Suffocated

Our enterprise customers are drowning in BYOD and theft of IP issues.  They are trying to deal with a multitude of devices from 30+ phone makers. CIOs and IT staff are inundated with 100+ mobile security/control solutions that each only covers one small part of their overall problem. They are floundering under the pile of over 110 MDM and MAM solutions that are quickly becoming freeware. They have thousands of employees bringing in personal smartphones made by giant companies who are in the business of sucking out every drop of data of those who buy their phones. The very nature of this model, this ecosystem, is counter to the mission of IT.

Today’s Enterprise battlefield has become a free-for-all. Government entities, hackers, business competitors and foreign multinationals are all trying to get a company’s data – any way they can. Industrial espionage is the new “Gold Market”. The only way less-innovative countries can compete in today’s business world is to focus their resources on stealing the innovation and IP from those industries that exist in economic powerhouses. If Enterprise wants a more secure internal ecosystem, they have to piecemeal products/services/hardware together. So, we are building Blackphone to be the 95% solution for Enterprise, right out of the box.

The Rise of a New Ecosystem

In 2013 we quietly went about creating secure device-to-device encrypted products and services that cover phone calls, texting, sending large files, video chats, conference calling, contacts and secure-to-server VoIP calling plans. Our products and services are device and OS agnostic (iOS/Android), but they are being put on smartphones and tablets whose ecosystem is geared toward “maximum collection of customer data”. Millions of freemium apps that do cool things are free because they are sucking up your personal and usage data. Your data is being sold to advertisers as well as thousands of other companies to use as they wish on a daily basis.

The only way we saw to deliver true privacy and security to customers was to build our own smartphone and more secure ecosystem.  One that allows the user to control what level of privacy they want and to allow users to communicate securely by default. To free consumers and enterprise from being blackmailed into data plans or subjected to “bloatware” without having a say in it.

We don’t want, nor care to sell tens-of-millions of phones. We are not going to mass-produce cheap smartphones to sell them at cost, just to make our money by monetizing your data or forcing you into some burdensome data plan. We have built a new model, a new ecosystem, a new way of delivering privacy, security and control for those who need and care about it.

Are we crazy, stupid, or are we just biting at the ankles of the giants? All three most likely. Do we expect everything to go smoothly? Of course not. Will we make mistakes?  Count on it. Do we expect to compete with Samsung KNOX, Blackberry, HTC and others?  Absolutely!  Later in the year we are going to take on business productivity market segments with what we think is another game-changing facet of the new ecosystem.

We are not alone in this new era of innovation. We have assembled a team of audacious new companies whose tools and services enable a more private smartphone user experience on the Blackphone. These companion services will ensure a robust user experience that enables the users of our new smartphone to be both more productive and private than the alternatives.

Our goal with Blackphone is a very simple one:  execute on delivering our high-end smartphone (and coming family of devices) built from the ground up upon the foundation of user-control, privacy and security –all fed from our own ecosystem that allows the user to choose the level of privacy they want. As with all industries, innovation changes the existing model as a ripple at first, but eventually forces the “big dogs” to adapt or die. Innovation is the engine that alters landscapes. Massive monetization of user data is the current model. Blackphone is about to disrupt that. It’s time for a change, it’s time for Blackphone on February 24, 2014.

© 2014 Silent Circle | Private Communications