
10 Tips To Protect Your Privacy While Traveling


As the warmer weather of summer approaches you may be thinking about a trip or weekend getaway. Whether you’re planning on kicking it in Cabo or frolicking in the French Riviera, Silent Circle’s privacy gurus can help you protect your privacy while traveling. Here is a countdown of some best practices…

10. Know your destination - If certain types of content are illegal in the jurisdiction of your destination, or are at risk of being stolen there, don’t bring them with you. Possessing illegal or enticing content makes your device an attractive target for confiscation or theft.

9. Use a screen filter - If you want to avoid wandering eyes at the airport or the coffee shop when you are using your laptop, tablet, or phone, protect your information with a screen filter. This lets you keep your electronic information private and confidential while working in a public place. There are a number of products on the market for around $20 – $40, and the filter materials have improved over the last few years.

8. Keep a backup - Before you leave, make a backup of all the contents of the devices that you plan on taking on your trip. Delete any items off the device that you will not need, because if something isn’t there, it can’t be stolen! Be sure to password-protect the backup and keep it safe at home. This way, if something happens to your device there is no need to fret (and it’s probably time to order a Blackphone anyway - shameless plug).

7. Don’t put devices in checked bags - While traveling, keep your devices with you at all times. Checking your devices makes them vulnerable to theft, damage, or loss. D’oh!

6. Keep things locked up - Your hotel room should have a safe, and it is important to use it to store valuables and devices. Be sure to lock up your valuables after you check in. It is a good idea to ask the hotel before making the reservation whether they have a safe in the room. Conde Nast had some further advice on this topic. Note: 1234 is NOT a good passcode.

5. Use strong passwords - Enable password protection on your devices and give them a strong password. For best practices on password protection visit our previous post on online privacy.

4. Turn off Bluetooth - Scammers are continuing to find new ways to exploit your device. In addition to WiFi, Bluetooth also creates vulnerabilities. If you do want to use Bluetooth, be smart about it and don’t accept pairing requests from unknown parties. Also, try to use a minimum of eight (8!) characters in your PIN. Of course, turn off your Bluetooth connection when you aren’t using it, especially in public areas - your credit history, your contacts, and your battery will thank you.

3. Be smart when using WiFi - Here’s a simple metaphor: we all need water, but you wouldn’t drink ANY water you could find. Well, the same is true for WiFi. Don’t trust any old network that you connect to – you never know what’s “floating” around in it (OK - no more metaphors). Use a VPN to connect to the Internet (Hotspot Shield, VyprVPN, and Private WiFi, to name a few). Plus, it’s a good idea to turn off WiFi when you do not need access to the Internet.

2. Don’t announce on social media that you will be traveling - Posting about your upcoming travel plans on social media can make you or your property an easy target. If you use a travel site to book your trip, make sure to turn off the social sharing options that dump your travel details into someone else’s news feed. Stay mum about your next trip (don’t “check in” or use anything with geolocation) and wait until you get back to post pictures to make your friends jealous. Also, be mindful of your privacy settings on social media regarding who has access to your photos.

1. Use encryption - We’d be remiss not to mention this one. If your devices have the option to encrypt their storage, do it! This will give you peace of mind in the event your device is lost or stolen. If you haven’t encrypted your storage yet, try not to leave it to the last minute - it can take over an hour to encrypt. Don’t even get us started on encrypted calling…

Always use caution when traveling and be mindful of your surroundings.  Safe travels.

Finishing Up From Heartbleed

In our previous blog post on Heartbleed we said that we would tell you more when we had finished our own cleanup. We completed our work this weekend. We replaced all our SSL certificates, and that required us to update the Silent Text apps themselves. We would also like to give a shout-out to our CA, Entrust, who is giving free updates to certificates for any of their customers who want to replace an SSL certificate over this issue.

We have thus updated all of our affected servers, replaced all our certificates, updated our apps, and tested and verified everything. It’s been a busy few days, and our team has done a fantastic job keeping many things working as we revised the working infrastructure.

That means that there are two things that are a good idea for you, a subscriber, to do:

1. Change your password. Now that the servers have new certificates, it’s a good idea to do that now.

2. Reset your devices. Silent Circle apps get provisioned with authentication tokens that let the app automatically connect to our servers and authenticate properly as a subscriber. There’s a unique authentication secret for every service (Silent Phone and Silent Text) and every device that you provision.

Just as Heartbleed could in theory leak passwords and keys, it could in theory leak these authentication tokens. By resetting the devices connected to your account, you throw away the existing tokens. You will need to re-provision your devices, but that’s simple.

You reset your devices by going to this page on accounts.silentcircle.com and clicking the reset button. That breaks the connection between our server and your apps.

Then restart the apps, and re-provision. On Android, you only need to type your username and password once, and that provisions all the apps. On iOS, you’ll need to type a username and password for Silent Phone, and get a provisioning code for Silent Text. We’ll have an update for Silent Text that makes this easier soon.

That’s it. Changing your password and resetting the apps tidies up all the security that could possibly have been leaked by Heartbleed.

Heartbleed Bug


We are sure that you have heard about the Heartbleed bug. Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL. The official reference to the Heartbleed bug is CVE-2014-0160. We want to give an update about how it does and does not affect Silent Circle.

We use a diversity of SSL systems in Silent Circle. Our whole Silent Phone infrastructure uses PolarSSL, not OpenSSL, and consequently is unaffected by this bug. Silent Text clients use the native SSL for iOS and Android, which is sometimes OpenSSL on Android, but the problem is primarily a server issue.

Our Silent Text servers and web servers use OpenSSL. All of our servers that use OpenSSL were upgraded within two hours of hearing about the Heartbleed bug. For those servers, over 99% of the observable traffic uses the Perfect Forward Secrecy crypto suites, and thus the existing risk is mitigated. We say “observable” because our customer account servers don’t log and we had to infer the statistics.
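The mitigation argument above rests on which key exchange each session negotiated: with an ephemeral (EC)DH suite the server’s RSA key only signs the handshake, so a private key recovered through Heartbleed cannot decrypt traffic that was recorded earlier, whereas plain RSA key exchange leaves every recorded session exposed. As an added example (not Silent Circle’s code), this Go program estimates that forward-secret share from a few constructed handshake records and lists the suites that would leave old sessions decryptable; the record layout is an assumption for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of TLS handshake records, one per line:
// "<client> <protocol> <negotiated cipher suite>". Not real Silent Circle
// traffic; the record layout is an assumption made for this example.
const sampleHandshakes = `198.51.100.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.11 TLSv1.2 DHE-RSA-AES256-SHA
198.51.100.12 TLSv1.0 AES128-SHA
198.51.100.13 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
198.51.100.14 TLSv1.1 DES-CBC3-SHA
this line is deliberately malformed`

// isForwardSecret reports whether an OpenSSL-style suite name negotiates an
// ephemeral (EC)DH key exchange. With these suites the server's RSA key only
// signs the handshake, so a leaked private key cannot decrypt sessions that
// were recorded earlier; with plain RSA key exchange it can.
func isForwardSecret(suite string) bool {
	for _, p := range []string{"ECDHE-", "DHE-", "EDH-"} {
		if strings.HasPrefix(suite, p) {
			return true
		}
	}
	return false
}

// Stats is the per-run summary.
type Stats struct {
	Total, ForwardSecret, Malformed int
	NonPFSSuites                    map[string]int // suites that leave old sessions exposed
}

// PFSShare is the fraction of well-formed records using forward-secret suites.
func (s Stats) PFSShare() float64 {
	if s.Total == 0 {
		return 0
	}
	return float64(s.ForwardSecret) / float64(s.Total)
}

// analyse classifies each record; malformed lines are counted, not guessed at.
func analyse(records string) Stats {
	st := Stats{NonPFSSuites: map[string]int{}}
	for _, line := range strings.Split(records, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 3 {
			st.Malformed++
			continue
		}
		st.Total++
		if isForwardSecret(fields[2]) {
			st.ForwardSecret++
		} else {
			st.NonPFSSuites[fields[2]]++
		}
	}
	return st
}

func main() {
	st := analyse(sampleHandshakes)
	fmt.Printf("%d handshakes, %.0f%% forward secret, %d malformed\n",
		st.Total, 100*st.PFSShare(), st.Malformed)
	for suite, n := range st.NonPFSSuites {
		fmt.Printf("  exposed suite %s: %d session(s)\n", suite, n)
	}
}
```

The sessions that matter are those negotiated with a non-PFS suite before the patch and the certificate replacement; those are the ones a recorded capture plus a leaked key could still unlock.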

Silent Circle is secure, the threat has passed; the few servers that were vulnerable are upgraded. We are now looking at additional mitigations that we feel we should do, including replacing SSL server certificates. We’ll update you as soon as we have more to say.

Our Transparency Report

Every three months, we compile a Transparency Report to document the number of law enforcement requests we’ve received. Companies do this to show that they’re responsible to their customers about protecting their privacy.

In a Transparency Report, there are typically three columns of data: one for “Who asked,” one for “How many times did they ask,” and one for “How many times did we say ‘yes’ and give them what they asked for.”

We’ve had no law enforcement requests, which makes the reports a bit uninteresting compared to others in the industry. I mean, who wants to look at all zeros? But while the data represented by those numbers is uninteresting, the metadata represented by them says a lot about our company and its values.

From a data and metadata-harvesting perspective, we are an unusual company. We don’t keep logs of customer activity. We don’t have access to the keys our customers use to encrypt their data. Our privacy statement is pretty much a laundry list of data we don’t have to offer. So nobody to date has wanted to waste their time getting data from us that we don’t have.

The first Transparency Report we did was on November 15th 2013, which is here.

All zeros. You will find the same in our current report.

We expect the trend to continue. But what about requests that we can’t disclose? The only thing you would see in the report is that the count for secret requests changes from zero to some higher number range.

So, taking a page from rsync.net’s playbook, we’ve implemented a Warrant Canary. The assumption is that, while we cannot say we have received a secret order, there is nothing preventing us from not saying that we haven’t. So, once a week, we will be updating a page here, signed digitally, stating that we have not been compelled by a secret order: https://canary.silentcircle.com/

The threat of a warrant or subpoena is not much of a threat to us or to our customers because, unlike other companies, we have nothing to share. Even if we are the subject of a secret court warrant or subpoena, any data we could hand over would be useless. So the Warrant Canary is just another way of reporting that all is well, not a warning that the walls protecting your private data have been breached.
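A canary only works if subscribers actually check it, and the check has two halves: the signature must verify against the publisher’s key, and the statement must be recent, because a missed weekly update is the signal. As an added example (not Silent Circle’s own code or canary format), this Go program signs a constructed canary statement and then runs the subscriber-side check, rejecting a tampered statement, a wrong key, and a statement older than the weekly cadence. Ed25519 and the statement layout are assumptions; the page does not say which signature scheme the canary uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// The page promises an update once a week; anything older is treated as stale.
const canaryWindow = 7 * 24 * time.Hour

// buildStatement renders the canary text. The issue date is inside the signed
// text so that an old, validly signed statement cannot be replayed as current.
// Layout is an assumption for this example.
func buildStatement(issued time.Time) string {
	return fmt.Sprintf("Silent Circle canary\nIssued: %s\nWe have not been compelled by a secret order.\n",
		issued.UTC().Format("2006-01-02"))
}

// signCanary is the publisher side: sign the statement with the private key.
func signCanary(priv ed25519.PrivateKey, statement string) []byte {
	return ed25519.Sign(priv, []byte(statement))
}

// checkCanary is the subscriber side: verify the signature, confirm the
// expected assertion and an issue date are present, and reject a stale canary.
func checkCanary(pub ed25519.PublicKey, statement string, sig []byte, now time.Time) error {
	if !ed25519.Verify(pub, []byte(statement), sig) {
		return errors.New("signature does not verify: statement altered or wrong key")
	}
	var issued time.Time
	found := false
	for _, line := range strings.Split(statement, "\n") {
		if strings.HasPrefix(line, "Issued: ") {
			t, err := time.Parse("2006-01-02", strings.TrimPrefix(line, "Issued: "))
			if err != nil {
				return fmt.Errorf("bad issue date: %w", err)
			}
			issued, found = t, true
		}
	}
	if !found {
		return errors.New("statement carries no issue date")
	}
	if !strings.Contains(statement, "have not been compelled") {
		return errors.New("statement no longer contains the expected assertion")
	}
	if age := now.Sub(issued); age > canaryWindow {
		return fmt.Errorf("canary is stale: issued %s ago, expected an update every %s", age, canaryWindow)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	if err != nil {
		panic(err)
	}
	issued := time.Date(2014, 5, 1, 0, 0, 0, 0, time.UTC)
	stmt := buildStatement(issued)
	sig := signCanary(priv, stmt)
	fmt.Println("fresh:   ", checkCanary(pub, stmt, sig, issued.Add(3*24*time.Hour)))
	fmt.Println("stale:   ", checkCanary(pub, stmt, sig, issued.Add(10*24*time.Hour)))
	fmt.Println("tampered:", checkCanary(pub, stmt+"x", sig, issued))
}
```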

IT’S HERE!


The wait is over! After weeks of build-up and anticipation, Blackphone has been officially released at Mobile World Congress in Barcelona, Spain! Blackphone is now available for pre-order at https://store.blackphone.ch/.

Are You Guys Crazy?

Challenging Conventional Wisdom

Since we announced the launch of our new high-end mobile phone, Blackphone, Jon, Phil and I have been hearing this statement a lot – “Are you guys crazy?”  I have spoken to CEOs of large phone makers, security app developers, tech companies and some heavy-hitting industry folks who all seem quite curious as to why we would take on “The Big Guys” by partnering with Geeksphone to produce our own Privacy and Security-centered Smartphone.

Everyone likes to point out that this is not the way it works and that we don’t seem to understand the “hierarchy” here. “It’s not how things are done” is a common statement we hear. Samsung, Apple, HTC, Nokia, LG, etc. ship hundreds of millions of smartphones and “own” this particular playground. This is changing rapidly – we see the need for an entirely new ecosystem. When we announce our other partners on this project, it will become much clearer why we believe we can take on “the big dogs” and provide the world with a more secure platform.

We also hear “What makes you think you can challenge Blackberry or Samsung KNOX?” Well, partly due to the massive changing landscape of mobile manufacturing, mobile security trends and partly due to some very cool innovation from our Blackphone Team. It is impossible for these giant phone makers to sell hundreds-of-millions of phones and care about privacy.

As Phil Zimmermann pointed out to a reporter last week…

Just as PCs are going the way of the Dinosaur, so too is the current model of smartphone saturation. Just as PCs came loaded with Bloatware and software contracts that forced us to have a terrible technology experience –the same has happened today with the smartphone.

Go buy a smartphone in a store today, there are at least 10 apps preloaded from the carrier or manufacturer as well as other third parties. You cannot stop this “bloatware” from sucking up your contact list or from sending usage, browsing, app and personal data to all of these stakeholders.

Today’s “prosumer” has little to no control over the river of personal data being sucked up hourly in exchange for these “free services”, let alone have some small protection against the massive surveillance of the 72 NSA-like agencies in the world.  Today’s consumer has become the host to a hundred data-parasites on every smartphone and they have no control, no say, and no other option. Until now…

Contrary to a lot of the recent press, Blackphone is not “NSA Proof”. There is no such thing as a 100% secure smartphone. Blackphone is much, much more secure than normal phones, but it also allows users to work, play and interact like normal. Users control who sees what data, how much, where and when. A different model altogether.

Subverting The Dominant Paradigm

Blackphone is an innovative new ecosystem. The idea of creating an entirely new ecosystem is not new. Microsoft had its run with Windows, Skype, and Bing. They created an entire ecosystem behind the hardware and software, but failed to innovate ahead of the curve. Blackberry had its run with the phones, BES servers and BBM messaging. They are now dying a thousand little deaths because they did not innovate quickly enough. Google, Apple, Samsung and others have created dominant ecosystems that tie in software, hardware, wearables, media, music and services. They rapidly innovated new platforms and models that quickly left Microsoft, Blackberry, Nokia, HTC and others behind. It’s been an amazing run for them, but this model too is dwindling. Fast movers like Xiaomi are killing them. Innovation, security and privacy demands are already putting cracks in this windshield. The fuel that feeds their ecosystem machine is customer data… Your data. It is pure gold to them.

It’s time for a different approach, a different type of ecosystem.  One built upon user control, security and privacy. Blackphone is that new ecosystem.

At Silent Circle, our secure communications products, calling plans and services are used by consumers from over 100 countries, Fortune 500 companies, international businesses of all sizes, and Government customers from many, many countries. Because we don’t collect, hold, or use customer data, it’s virtually impossible to run our business the “Customer Analytics Way”. Yet we also realized a secure communications service could only be as good as the platform it’s delivered on. We looked all over the world for a partner who had the same ideals, the same “crazy” nature, and one that had shipped smartphones to consumers without relying on customer data as the main profit center. There was only one like this in the world – Geeksphone out of Spain. A perfect innovative partner.

We realized we had to create and deliver an entirely new international ecosystem in order to break the chains of the existing platforms where monetization of customer data is priority number one.

Enterprise is Being Suffocated

Our enterprise customers are drowning in BYOD and theft of IP issues.  They are trying to deal with a multitude of devices from 30+ phone makers. CIOs and IT staff are inundated with 100+ mobile security/control solutions that each only covers one small part of their overall problem. They are floundering under the pile of over 110 MDM and MAM solutions that are quickly becoming freeware. They have thousands of employees bringing in personal smartphones made by giant companies who are in the business of sucking out every drop of data of those who buy their phones. The very nature of this model, this ecosystem, is counter to the mission of IT.

Today’s Enterprise battlefield has become a free-for-all. Government entities, hackers, business competitors and foreign multinationals are all trying to get a company’s data, any way they can. Industrial espionage is the new “Gold Market”. The only way less-innovative countries can compete in today’s business world is to focus their resources on stealing the innovation and IP from those industries that exist in economic powerhouses. If Enterprise wants a more secure internal ecosystem, they have to piecemeal products/services/hardware together. So, we are building Blackphone to be the 95% solution for Enterprise, right out of the box.

The Rise of a New Ecosystem

In 2013 we quietly went about creating secure device-to-device encrypted products and services that cover phone calls, texting, sending large files, video chats, conference calling, contacts and secure-to-server VOIP calling plans. Our products and services are device and OS agnostic (iOS/Android), but they are being put on smartphones and tablets whose ecosystem is geared toward “maximum collection of customer data”. Millions of Freemium apps that do cool things are free because they are sucking up your personal and usage data. Your data is being sold to advertisers as well as thousands of other companies to use as they wish on a daily basis.

The only way we saw to deliver true privacy and security to customers was to build our own smartphone and more secure ecosystem.  One that allows the user to control what level of privacy they want and to allow users to communicate securely by default. To free consumers and enterprise from being blackmailed into data plans or subjected to “bloatware” without having a say in it.

We don’t want, nor care to sell tens-of-millions of phones. We are not going to mass-produce cheap smartphones to sell them at cost, just to make our money by monetizing your data or forcing you into some burdensome data plan. We have built a new model, a new ecosystem, a new way of delivering privacy, security and control for those who need and care about it.

Are we crazy, stupid, or are we just biting at the ankles of the giants? All three most likely. Do we expect everything to go smoothly? Of course not. Will we make mistakes?  Count on it. Do we expect to compete with Samsung KNOX, Blackberry, HTC and others?  Absolutely!  Later in the year we are going to take on business productivity market segments with what we think is another game-changing facet of the new ecosystem.

We are not alone in this new era of innovation. We have assembled a team of audacious new companies whose tools and services enable a more private smartphone user experience on the Blackphone. These companion services will ensure a robust user experience that enables the users of our new smartphone to be both more productive and more private than the alternatives.

Our goal with Blackphone is a very simple one: execute on delivering our high-end smartphone (and coming family of devices) built from the ground up upon the foundation of user control, privacy and security, all fed from our own ecosystem that allows the user to choose the level of privacy they want. As with all industries, innovation changes the existing model as a ripple at first, but eventually forces the “big dogs” to adapt or die. Innovation is the engine that alters landscapes. Massive monetization of user data is the current model. Blackphone is about to disrupt that. It’s time for a change; it’s time for Blackphone on February 24, 2014.

The Back Channel – A Cutting Edge Radio Show


Silent Circle is excited to introduce The Back Channel, a cutting edge radio show focused on technology, privacy, security and policy on an international scale. It brings together luminaries from the technology sector, hackers, privacy advocates and world-renowned experts in a conversational forum to discuss the intersections of technology, privacy and government. The show touches upon controversial topics and digs into tension-filled public policy areas with a list of personalities and luminaries from around the world. Hosted by two world-famous cryptographers, a former Navy SEAL and privacy advocate, and a Silicon Valley security dilettante, The Back Channel is the one place where both hackers and Government officials can come and “clear the air”.

Olympic Level Privacy – Go For The Gold!


Today’s opening ceremonies mark the start of the 2014 Winter Olympic Games in Sochi, Russia. During the excitement of watching the world’s top athletes put their hard work and training to the test in pursuit of gold, it is also important to recognize the severe privacy risks Olympic visitors face – particularly well-connected executives, sponsors, journalists and even athletes attending the games. Specifically, Russian authorities have openly acknowledged that widespread monitoring of phone, Internet and other communications systems is in place during the games and have framed these measures as part of overall security preparedness. Safety and security aside, this degree of persistent surveillance creates severe risks for visitors worried about sensitive personal and business communications being compromised when they keep in touch with colleagues and others from Sochi. There have been a number of stories over the past week warning that visitors and athletes can expect to be hacked, noting “it isn’t a matter of ‘if,’ but a matter of ‘when.’” It is important that visitors be aware of these threats and use technology wisely while in Sochi. According to one report:

Russian law allows its intelligence agents to do electronic snooping on anyone inside the country, meaning the phones and personal computers of thousands of foreign visitors, including Americans, are fair game. But even outside of the law, Russian organized crime groups also are well known for hacking smartphones and email for information they use for illicit profit. 

It’s not too late to do something to protect your privacy if you are at, or plan to attend the Olympics. Silent Circle is here to help! Silent Phone is your answer for secure voice and video calls. Silent Text allows you to send texts and encrypted files up to 100MB privately. Download these apps in seconds from the App Store and Google Play to “Get in the Circle” and know that you can keep your privacy intact whether you are reporting from the games, watching your favorite event, or competing for the gold.

Silent Phone 1.8.2 for iOS and Android – Now Available

Silent Phone version 1.8.2 was just released for iOS and Android. On iOS we have changed the interface to activate Silent Phone with your Silent Circle Username and Password instead of using an Activation Code. There are also additional ringtones to select from in user preferences on iOS.

On both iOS and Android enhanced security was added to use non-NIST encryption by default. Silent Circle is really excited about this! The non-NIST security options will be using the new elliptic curve that Dan and Tanja created. They are calling the curve Curve41417. For details on the elliptic curve strength and safety, see Dan and Tanja’s site here. We have abbreviated it as “ECHDH-414” short for “Elliptic Curve/Diffie Hellman using Curve41417”. Make sure you update your Silent Phone apps. Circle up!


Silent Contacts for Android


Today we are excited to announce the availability of the Silent Contacts app for Android in Google Play. Silent Contacts is a companion application free for Silent Circle subscribers that gives Silent Phone and Silent Text users an encrypted address book and full control of their call logs and contacts without compromising privacy. Silent Circle’s Android users now have the ability to communicate privately via secure voice, video, text and file transfers while protecting the integrity of their contacts.

Silent Contacts for Android’s key features include:

  • Encrypted storage of your Silent Circle contacts
  • Control over who can see your contacts’ information
  • Import existing contacts from a legacy address book into Silent Contacts
  • Export contacts and share with other devices
  • Uses Silent KeyManager to securely store your encryption keys
  • Encrypted password protection for your Silent Phone application

“Silent Contacts for Android was developed as an enhancement to our current suite of services to ensure our Android customers are provided with the best possible options for added reliability and privacy controls,” said Silent Circle CTO and co-founder Jon Callas. “In 2014, we will look to expand our Silent Contacts platform with more robust features that further strengthen privacy protection for iOS users of our services.”

Silent Contacts for Android complements Silent Circle’s private communications services including Silent Phone & Silent Text applications for secure mobile voice, video calling, text messaging and file transfers by offering additional privacy and security for Silent Circle’s subscribers.


© 2014 Silent Circle | Private Communications | Silicon Valley . Washington DC . London