PGP Zimmermann teams with Navy SEALs, SAS techies in London
Offers 'Silent Phone' crypto to biz, aid workers
Encryption guru Phil Zimmermann is going after security conscious users with his new venture Silent Circle, a security start-up offering ultra-secure VoIP and texting services.
Silent Circle, which opened a UK office this week, charges a subscription of $20 (£13) per month for a bundle of secure voice, text and video services.
Zimmermann, creator of the Pretty Good Privacy (PGP) program, told El Reg that he's done with "trying to convince people that didn't know about crypto that they needed to use encryption". Instead Silent Circle is targeting US forces based overseas, businessmen visiting China and human rights workers: "who know that they need crypto because they are under high threat".
Silent Circle chief exec and co-founder, Mike Janke, said the start-up had ambitions to target the business community as well as power users, thereby gaining a foothold in the enterprise through the industry-wide Bring Your Own Device trend. Janke is a former Navy SEAL sniper who approached Zimmermann around a year ago with the idea for the business that became Silent Circle.
Silent Circle released a suite of iOS apps in October, and plans to release complementary Android apps in December. The "curated crypto apps", as Zimmermann describes them, offer Silent Phone (secure VoIP), Silent Text (encrypted messaging) and Silent Eyes (desktop videoconferencing, initially only Windows compatible).
Silent Phone offers secure mobile video and voice. The technology uses the ZRTP encryption developed by Zimmermann, and is designed to work over mobile and WiFi networks.
A forthcoming Silent Mail product will be based on PGP Universal and designed to run on smartphones, tablets, and computers using your existing mail program (Outlook, Mac Mail). Secure business packages, calling plans and enterprise packages are also in the works.
Client to client communications using Silent Circle will offer end to end encryption. Users using Silent Circle apps to call from China to landlines in the West, for example, will get the benefit of encryption on the first leg of their journey, to Silent Circle's dedicated servers in Canada. Crypto keys for VoIP calls are thrown away as soon as they are used and texts are encrypted on a device. Communications data, such as IP logs, are kept for 24 hours, and only used for debugging.
"Users don't even have to trust us. They don't have to be worried about Silent Circle being coerced into doing wiretapping," Zimmermann explained.
Janke added that Silent Circle "retained the least amount of data possible" limited to username, email address, hashed password, short-term IP logs and 10 digit private phone number. Credit Card processor Stripe holds the customer credit card data, not Silent Circle.
Silent Circle's site explains the benefits and limitations (the risk of shoulder surfing, malware etc) of its technology.
Our secure communications products use “Device to Device Encryption” – the keys that encrypt your communications are generated on your device and discarded when unneeded. The only exception is Silent Mail which either uses PGP keys you create and manage yourself or allows you to have our PGP Universal server generate them for you. We do not have the ability to decrypt your communications across our network and nor will anyone else - ever. Silent Phone, Silent Text and Silent Eyes all use end-to-end encryption and erase the session keys from your device once the call or text is finished. Our servers don’t hold the keys.
The technology distinguishes itself from Skype and most mobile voice encryption products by publishing source code, something Janke said appealed to its potential government customers.
Faced with the challenge of intercepting the Skype and IM conversations of terrorist and criminal suspects, law enforcement agencies have increasingly decided to use Trojans as wiretapping tools rather than trying to decipher encrypted traffic. Both Janke and Zimmermann readily conceded that Silent Circle was "not a magic bullet" and wouldn't protect users of compromised devices.
However Zimmermann said that Silent Circle's trust model is specially designed to detect and block man in the middle digital certificate attacks such as the DigiNotar compromise that exposed the privacy of Gmail, Skype and Yahoo users in Iran last year.
The level of security offered by Silent Circle might have appeared to appeal to only a paranoid niche, who would probably have insisted on hardware-based encryption anyway, just a few years ago. But the desire to use the latest smartphones or tablets combined with growing concerns about industrial espionage and privacy have created a potential market for its services and technology.
The combination of the PGP founder teaming up with two Navy SEALs and three British SAS Special Forces communications experts* offers frankly unmatchable geek credibility. ®
Bootnote
*Perhaps actually from 18 Signals Regiment, the electronic warfare/SIGINT/ELINT/communications formation supporting the UK Special Forces. Though there are signaller specialists who are fully badged members of the SAS itself, 18 Regiment would probably have a higher level of corporate expertise.
COMMENTS
Hmmm.
Quote 'We do not have the ability to decrypt your communications'.
and....
Quote ' Users using Silent Circle apps to call from China to landlines in the West, for example, will get the benefit of encryption on the first leg of their journey, to Silent Circle's dedicated servers in Canada.'
If they can't decrypt, how can the servers in Canada convert an encrypted call into an unencrypted call to pass back onto the public phone system?
From Silent Circle CEO
Really great in depth questions and comments here. I will try to clear up any of the misconceptions that always happen when things hit the press. At Silent Circle- we are a small tribe of only 30 people, so it's important to us that we try our best to clear up any questions about what we do- and how we do it...I will try my best to give this a shot and address some of the above comments..
- we offer Peer-to-Peer encrypted mobile voice, video and text. Our email is encrypted using Phil's PGP protocol. We use a newer stack of his ZRTP voice-video encryption for voice- video. If a silent circle subscriber calls another subscriber on our silent phone app- that call is encrypted phone to phone- the callers generate the keys- when the call is done- the keys are deleted.
- we are not subject to CALEA or any similar European law- why? Because they all explicitly allow end to end encrypted VOIP or communications previously encrypted before hitting the cell network- to be allowed without requiring a wiretap capability. We are doing our best to ensure this right is not taken away from the citizens. We are trying hard to educate the law enforcement agencies of US, Europe and around the world- that hundreds of studies have shown that if a Backdoor is mandated- this can be exploited by criminal hackers, competing intell agencies and others- exposing everyone to risk.
- SEALs and SAS. Yes- part of our tribe is made up of two SEALs and three SAS members- they are communications experts in hostile and austere environments, but are highly trained in navigating and understanding the threats of communication networks in not only countries with horrible human rights records- but first-world countries that have sophisticated wiretapping and data collection technologies. Think France or Italy or Brazil...most people don't realize that all of us came together because there was no viable commercial encrypted communications service for the citizens of the world- no way to call home when deployed as a military member, human rights activists or just a businessman protecting his company's secrets. The SEALs and SAS members had the same problem. Prohibited from using the military's system- it became impossible or even dangerous just to say goodnight to the kids...until now.
- law enforcement leaning on us does no good. We cannot decrypt anything that runs thru our servers- the keys are generated and destroyed on the users device- we have nothing but encrypted junk. That is why peer to peer using ZRTP is so powerful when built correctly. We hold the least possible data - only a username, hashed password and 10-digit phone number we issue the subscriber. Our IP logs are aggregated and deleted after 5 days- we expect to get this down to 24 hours shortly.
- we will offer a Secure Calling Plan feature here in December with 3000 minutes per month. This add-on option allows subscribers to also call someone or receive calls- to any regular phone number- not just silent phone users. This is to allow everyday functionality and still provide encryption on one end of the call. If you want your call encrypted end to end- both people should use silent phone.
Hope this helps- we are not the answer to everything, and not for everyone- we want to let people know what we can and cannot do- feel free to send any questions thru our site.
The nosiest b*stards are in the West
I travel / cross borders frequently and in my experience the US is by far the worst, followed by the UK and Canada. I don't go to Australia.
Once you have had equipment 'borrowed' by the USA, they will annotate your ICE/Customs profile and being stopped will likely increase. The UK are a little better, at least they treat you with civility but just as pushy in seeking access. I have been given the usual "Password or 4 years" routine.
I explain it's kind of hard to use a password when there is no hard drive and it's like a car without an engine.
Canada Customs simply calls an RCMP tech who quickly copies the hard drive contents.
Smart-phones are treated similarly, they plug their little device into the unit and suck the contents - in the same countries.
In China and Vietnam never a problem - they hardly even check baggage.
I wonder what the GCHQ will do if Silent Circle proves they are eunuchs?
