
Silent Text Version 1.8 Security Update

In an effort to increase our product security and reward talented security researchers, Blackphone and Silent Circle launched the Bug Bounty program on September 23rd, 2014. We are very pleased with the level of participation from the research community as well as the progress of the Bug Bounty program itself. Further, we consider the collaboration between the research community and Silent Circle a huge success.

The success of the Bug Bounty program rests upon researchers submitting their findings safely and securely, without fear of retribution. When individuals who share our passion for security like Mark Dowd (@mdowd) submit valid findings, it is with respect and gratitude that we continue our mission to get the bugs fixed efficiently and effectively. Doing so allows us to collaboratively produce secure apps.

Mr. Dowd reported a vulnerability in the Silent Text application to Silent Circle. We have since patched that vulnerability and are pleased that Mr. Dowd agrees it has been resolved by an update to the application. Silent Text v1.8 contains the update to address this vulnerability; in order to ensure your client is not vulnerable, please download version 1.8 from the publicly available App Stores if you have not already done so. At this time there are no known publicly available exploits that would be capable of taking advantage of the vulnerability reported by Mr. Dowd.

The technical details of Mr. Dowd’s findings are available on his blog. This was an example of great research and we are extremely appreciative of his efforts.

Again, Silent Circle and Blackphone are proud to continue working with the research community through the Bug Bounty program to deliver secure products to the market. We encourage researchers to use this secure channel for reporting vulnerabilities such as this, and are pleased to reward their hard work.

Cheers to Security, Privacy, and Transparency

Privacy Is Good For Business

In 1991, at the start of the Crypto Wars, the idea of digital privacy was radical.  Today it’s required to do business.  Without an expectation our data is secure, online banking cannot work and doctors cannot store medical records electronically.

But I’m concerned we sometimes forget that it’s privacy we want; security is just one way we achieve that.  Your phone may connect securely to a social network, but if that network is plundering your intimate contacts and revealing them to the world, your privacy has still been lost.

So when I see what happened to Sony recently — the data stored on their servers leaked to the world — my mind goes to that difference between privacy and security.  I’m sure Sony had firewalls and VPNs, intrusion detection and antivirus, policies and procedures — all the usual artifacts of corporate information security.  Those things securely delivered a mountain of information to Sony’s servers, where it was lost all at once.

When it was lost, the privacy of Sony’s partners and employees went with it.  That’s what corporate privacy is — the privacy of the people in and around the corporation.

If we focus on their privacy rather than the corporation’s security maybe we can make better choices.  Many kinds of information don’t need to be stored for long, or at all.  If only participants keep a copy of their correspondence the company can’t lose it.  Imagine how much worse the damage of a security breach would be if companies routinely kept years of recordings of all employees’ phone calls.

Protecting the privacy of individuals is why I started PGP, and why Mike and I started Silent Circle.  But at Silent Circle we’ve come to realize that protecting individuals at work may be the strongest form of corporate security possible.  That’s what we’re working on, and we hope that you’ll join us.


Phil Zimmermann

Only Apple? We Beg To Differ…

Over the last few weeks we have heard Tim Cook claim time and again that ‘only Apple’ can combine software, services and devices into a simple, seamless ecosystem. There is a wonderful blog by John Gruber that highlights this issue and really brings some well-thought out details to it.

We find ourselves agreeing with John on a lot of this. Yes, Google is also doing a great job of ‘owning an ecosystem’ and now Microsoft also has its own (Windows, Nokia, Skype, App Store, etc.). Samsung, cloud companies, Cisco, HP, Dell and all the others are simply throwing stuff against the wall and hoping 10% sticks.

Amazon can certainly be argued for in creating an ecosystem, albeit from a different category (Fire Devices, shopping, entertainment, media consumption). However, they have a very narrow focus that is not meant for enterprise, non-media functions and lacking in any real hardware for the mobile space. It is an ecosystem but not in the true sense.

Our approach is similar to Apple and Google’s, but with a very different focus. We are building out an ecosystem of software, services and hardware, focused on ideals that these companies cannot compete against. While any of them could build this out, technically, no one would buy it.

I am talking about an ecosystem built around Privacy, Control and Security. Not built around the massive vacuuming of user data. Not built around the all-mighty advertising dollar or movies, songs and cloud storage. Yes, companies will add ‘privacy products’ to their offering, but they can never create an ecosystem built from the ground up to be private by design. And neither would they want to—it’s simply counter to their business models.

Our approach is not to build and sell 100 million phones. Our approach is not to give everything away for free and use your personal data to monetize in some other fashion. We charge you for our software, services and devices and in return, we don’t have, cannot get to, nor want your data.

At present, we count over 30 of the Global Fortune 50 as enterprise customers who purchase our Blackphone, Apps, Calling plans and management console to help secure communications and mobile productivity. For consumers, the 10-15% of the world who cares about privacy – they buy our products to gain control of their personal data, their communications, their mobile footprint and reduce costs with our global calling plans. Our job is to build out our ecosystem to secure more of the daily digital activity of both enterprise and consumers. Stand by as we launch 6 new products in the next 6 months—all to expand our platform.

One of the top questions I seem to always get from the media is “can you realistically compete with Google, Microsoft, Samsung, Amazon, etc. as a system?” The short answer is, we don’t have to. Why? Well people don’t use Skype because they want to have a secure video chat. Companies don’t buy a Samsung phone to secure their enterprise or intellectual property. They don’t store all of their naughty personal pictures in iCloud because it’s so secure. Nor do they use Google Play services because they feel it’s preserving their privacy. They use these products because there are no secure or private alternatives that are of the same quality—yet. With partners like Disconnect.me and Spideroak we are partnering to provide secure and private alternatives to the ‘free’ services these ecosystem giants prey upon.

As we roll into fall/winter, we continue to replace Blackberry in the enterprise at a staggering pace. We are having a hard time manufacturing enough devices to keep up with sales into global enterprises that are getting rid of BES servers behind the firewall and non-iOS/Android platforms. We almost never encounter Microsoft mobile devices; they just don’t have a home in enterprise at this point. At the same time, just about every enterprise counts on Good, MobileIron, MaaS360 or AirWatch to try and control the loose bag of Androids in their company. It seems that Samsung, Lenovo, Sony, etc. are making their devices less secure and adding even more “bloatware” that siphons off user data, not moving to more security.

So, yes—Apple has a dominant ecosystem, but when we continually hear ‘only Apple can do this’ or ‘you guys are too small to compete with the giants,’ well, we beg to differ.

The Two Year Anniversary

It’s pretty hard to believe that it’s only been two years since we launched Silent Circle. Although it’s a little over three years since we all got together to build out this amazing company, we launched our first products to the world on October 16th, 2012. Last year when I wrote about our first year anniversary, we were at 74 employees. Today, we are on track to finish 2014 with over 130 employees. A year ago, we were a robust secure communications software company; today we are a global platform of software, services and devices. The fun part of this is that we have so much more coming down the pipeline.

So much has transpired in the past 12 months, with the creation and launch of blackphone, moving our headquarters to Geneva, the launch of our global dial calling plans to 120 countries, and the constant build-out of our products, backend, network and services. Last year, the average age of our employees was 42, but we hired lots of young talent from all over the world and now our average age is right around 40 years old – and going down. However, there is still a lot of gray hair in the org chart to be sure. We have opened offices in Mexico City, Madrid, San Ramon, CA and soon Amsterdam. Our friends at Geeksphone in Spain are now family and part of the amazing ride that is our mobile device business.

So many changes have happened in the world, not just our company – that it’s hard to keep track. Some of the really interesting surprises have been the innovation by some giant telecom companies that have embraced privacy and security – like America Movil and Telcel in Latin America, KPN in Netherlands and Belgium, and BigOn in the Middle East. If someone told me two years ago that I would live to see the day that major telecom companies would alter their business model to focus on privacy and enterprise secure communications – well, I would have laughed in your face. It is truly an honor and privilege to be partnered with such innovators. It is a bit of a paradox that we focus so much on stories of innovation coming out of Silicon Valley, when not much press is given to the massive and global innovations that are coming out of Latin America and Europe.

Another interesting occurrence happened when our friends in Canada (Blackberry) started firing some nasty shots in the press at us over our rising dominance in the enterprise space, which we tried hard to stay above and act professional about. As we continue to disrupt the secure communications space, we don’t expect that the big device makers and data companies will hold hands with us and blow kisses, so we are learning that disruption does not come without a few scrapes and bruises.

Lastly, with all of the cool things that have happened to us in the past 12 months, most of the world will never see the sacrifice, rough-times, all-nighters, nail biting moments and selfless dedication that so many people in our tribe have gone through to get us where we are today. For that, Phil, Jon and I are truly humbled and can only say “thank you”.  Our collective goal of bringing privacy, secure communications and the ability to whisper in someone’s ear 10,000 miles away –regardless of your background, ethnicity, country of origin or political leaning, remains the #1 goal of this company.

Privacy is a right.

This may seem like something we can all agree on. But technology has made this an ideal that is increasingly hard to obtain. And it slips further away from us with each second.

We don’t have a moment to lose.

That’s why Silent Circle and Geeksphone started the blackphone project. We want to put you back in control of your data. And with that, we’re proud to announce the release of an updated version of PrivatOS, coming to your blackphone this week.

We know we need to stay ahead of the continually changing digital landscape. It’s why we’ve built Over The Air updates into our core product proposition.  Our newest PrivatOS update will be the 5th such release since we launched the product – not bad for a company with a product that only launched this past June.  You’ll also notice the addition of the K-9 email service.  Particularly with it being Open Source Software, we believe this is one of the most secure email clients around and one that we’re happy to host on our device.

To build a truly private phone, you have to build a truly private company.  It’s the reason we’re headquartered in Switzerland, where the laws are better designed to protect peoples’ privacy.  To further reinforce our commitment, we’ve also launched a new brand identity today. The logo itself was inspired by security and data systems that put the user in control. And you’ll notice a more elegant and refined design throughout all of our presence, alongside a new color palette.

Continually seeking new, secure applications and an updated operating system are just steps along the path to achieve our goal of becoming the default thought leader in the privacy space, setting the standards for our collective privacy and creating the digital world we should live in.

Our privacy is indeed a right. Together, we can keep it that way.

We hope you’ll come on this journey with us.

Kind regards

Rob Smith

VP Marketing, Silent Circle & blackphone.

Silent Circle’s Bug Bounty Program

My first official blog post as CSO for Silent Circle, and the topic is one that is very exciting: today we officially launch our bug bounty program! We have been providing secure and private communications across Apple iOS smart devices, Google Android smart devices, and of course Blackphone. In the past, we have only provided our source code for public review, but we did not offer the security researcher community a method to publicly submit and track security bugs. Today that changes.

The need for secure and private communications continues to grow every day. Whether it is because we learn more about improper surveillance or phony cell towers, the people of the world have degraded capabilities to have a private and secure conversation, and that is a travesty. We have been very clear to industry that we do not keep customer records; therefore we know we are a target, because our customer list is precious. So, in order to expand our capabilities for catching and fixing security bugs, we decided now was the right time to launch our program and reward those who are willing to spend their time ensuring we continue to offer secure software.

For the moment, our minimum reward will be $128 and we have no maximum at this time. We will reward monies, prizes, and gifts based upon the significance the vulnerability has on the Silent Circle mission. An annual award is also in the works. What exactly is included in this program? Full rules and details are located at www.bugcrowd.com/silentcircle. To be even more clear – everything is on the table. Nation states and bad actors don’t care about rules. We do ask that you not disrupt service to our customers, because that would be bad form. At some point in the future we will have test systems in place where DDOS and other service interruption techniques can be tested.

I truly hope each and every one of you will participate in our bug bounty program and join our cause for providing the most secure and private multi-platform communication software.

Privacy Leaks: Who is to Blame?

Over the last 24 hours the Internet has been a-buzz with the leaked nude photos of celebrities including A-List starlet, Jennifer Lawrence.

While leaked celebrity photos wouldn’t normally be our thing (you’ll notice we do not use “sexting” as a use-case for our encrypted communication services), our name has come up due to the level of privacy. The much more relevant fact of the matter is that Silent Circle as a company believes that privacy is a right. These pictures, as far as we know (and as far as Twitter suggests), were never meant for public eyes and this leak therefore directly violates privacy rights. We don’t like that. Yet the privacy rights of every individual are violated every hour of every day simply by the free apps we place on our phones. Yes, this is a much more high profile leak and gets all the buzz words of “sex, nudity, and celebrity,” but it pales in comparison to the massive theft of private information on every commercial device.

The debate on Twitter and in several articles, including the Forbes article mentioned above, presses the question: Who is to blame – the victim, the hacker, or the technology?

For the sake of time – I’ll try to be more direct on this sensitive issue.

The Victim:
Is it the celebrities’ fault that they were hacked? We definitely don’t think so. Everyone deserves privacy. While it is easy to conclude that individuals should not take and share nude photos for fear of a leak, a significant change in behavior is not so easy to prescribe. Likewise, it is more beneficial and forward-looking to focus on preventive behavior rather than passing judgment on any individual in hindsight. The alleged source of the images was through an iCloud hack (though we do not speculate and cannot confirm), so a simple preventative measure would be to follow this guide outlined by the Daily Mail to prevent iCloud back-up of your private photos. Get educated on your communication tools to know how you are (or are not) protected.

The Hacker:
Should we blame the individual or collection of individuals responsible for the breach of privacy? Most definitely. If laws were broken to retrieve the images, criminals should be justly prosecuted for their crimes. In many cases, hackers benefit from the monetary gains of selling leaked celebrity photos. While Silent Circle condones responsible “white hat” hacking practices to explore and report vulnerabilities within networks so that fixes can be implemented (which is why we open-source our protocols), we do not condone “black hat” practices such as this. But if we are going to blame the hackers here and bring jail time into the equation, shouldn’t we have similar stances against Facebook, Google, ad companies, and freemium apps that don’t tell you about the troves of data they take? It might not be a “hack” that grabs your personal data, but it is clearly a theft of our personal data nonetheless. Where does crime end and where do “business practices” begin? You can see this is no easy topic to solve.

The Technology:
Our most common forms of communication, telephone, emails, and text messages all give us a false security that most people blindly accept. We have no evidence (or at least we didn’t up until a year ago) that our day-to-day communications were the concern of anyone, really. Moreover, smartphones and digital applications have made it even easier to ‘feel’ secure without actually being secure. Perhaps the fault is on the technology. Perhaps the technology perpetuates the confidence in the security of our everyday communication tools when in fact they were never intended to be private or secure. Again, blaming the technology and not the creators and sellers of this technology is an empty argument.

On another note, we also see in the Twittersphere that Mark Cuban has been pitching Cyberdust, his new entry into private communication intended to compete with Snapchat. We welcome any new participants in the privacy space, but would ask that consumers question how data is being protected. For example, Cyberdust FAQs are ambiguous:
“Are my messages encrypted?
Yes! Cyber Dust messages are fully encrypted. We are taking all of the industry standard precautions necessary to make sure your messages are not accessible while they exist.”

So it wouldn’t be a bad idea to ask: “What are the ‘industry standards’?” and “What does ‘fully encrypted’ mean?” Or “Who built it, and is it open-source for review?” In other words, let’s get past the snake-oil sales pitch and tell us why and how it is secure. Let’s see the proof.

With all of this in mind, here are some (surely debatable) conclusions:

  • We need to encourage young people to become more involved in computer science and open-source software development communities so that we can develop more innovative and secure products that allow users to communicate both privately and effectively without speculation.
  • Technology and telecommunication companies need to be more transparent about what and how they are protecting user data.
  • Individuals need to understand the limitations of their communication providers and have the ability to explore alternatives that provide more intrinsically secure options.

Blackphone rooted at Defcon — Parts 1 & 2

From Dan Ford, Chief Security Officer of SGP Technologies at this year’s Def Con – Mike Janke:

Greetings from Def Con! Thus far Team Blackphone has been having a very positive Con. We have been receiving a lot of positive feedback and praise for taking on the flag of building and maintaining a secure and private smartphone system. This was a challenge that we knew full well would not be easy, but if it were easy then anyone could do it.

The researcher @TeamAndIRC was a little miffed at our initial response to his inquiry and I understand his point. In response, he had a t-shirt made that stated he rooted the Blackphone at Def Con. The ironic part to this is I would have absolutely gone over and made that t-shirt for him myself once the full vulnerability was explained.

Read the entire post here.

For Dan’s Part 2 post click here.

News From The World Of Government Spyware

We have gotten a report that the commercial/government spyware system FinFisher has itself been hacked and that documents, code, etc. have been posted online. Our friends who have looked at some of these leaked documents have told us that it has a module that uses malware to get to the video camera of a cell phone. We have been told that there are decode modules for pictures and video from a variety of systems, including Silent Phone.

Our understanding is that this is a compromise of the base system itself, and not of our apps or services. We also understand that this requires a jailbroken or rooted device to work at all. We are evaluating our software and systems to see if there is anything we need to do ourselves. We will let you know more as we do.

© 2015 Silent Circle | Private Communications