[liberationtech] Fwd: Answers to some of your questions (Silent Circle responds..)
Ali-Reza Anghaie
ali at packetknife.com
Thu Feb 14 08:51:50 PST 2013
Mr. Jon Callas of Silent Circle was kind enough to field questions on
another list and also pay attention to the Pastebit of the pad everyone was
commenting on before things went awry.
See the below - complete with an invitation for cool ideas w/ resumes.
Thank you VERY much to Mr. Callas for entering the fray and helping tune
the accuracy of the overall discussion. Cheers, -Ali
---------- Forwarded message ----------
From: Jon Callas <jon at silentcircle.com>
Date: Thu, Feb 14, 2013 at 11:28 AM
Subject: Answers to some of your questions
To: Ali-Reza Anghaie <ali at packetknife.com>
Cc: Jon Callas <jon at silentcircle.com>
Hi, Ali-Reza.
I saw your pastebit with some questions, and let me answer. You may repost
this mail to liberation tech or anywhere else.
* A Latvian company wrote most of the software, not SilentCircle
When we formed Silent Circle, we looked around for people to partner with.
We selected Tivi because they're really cool people -- I used their
ZRTP-enabled VOIP client back in the days when I had a Nokia N95. We picked
them in part because they were willing to release source code. (Other
potential partners were not willing.)
Our partnership with them includes that code base, and that they work for
us full-time now. They're some of our main developers now.
I have a bit of a raised eyebrow at this comment. (Yes, I know it's not
your words, you're also explaining.) It sounds to me like whoever is making
that comment is implying that there's something wrong with Latvia. Riga was
for many, many years a center of European high-tech until the dark days of
WWII and Soviet occupation. It's a lovely place filled with incredibly
smart, friendly people. It is a part of the EU, and also a NATO nation. Our
team is in Riga. We picked them because they rock.
Perhaps the comment comes from the fact that they were in business before
our partnership. It's relatively common in high-tech that companies enter
into partnerships with others. Google, Microsoft, Apple, Facebook, and
others often use some sort of relationship like this to get software or
technologies that they didn't have, so that it speeds up development. We
are hardly unique in this.
Perhaps I don't understand. If someone could explain the objection to me,
I'm happy to address it further.
* Application is designed for VoIP, not specifically for Security
It's a secure VOIP client. Because of its history, there's a lot of latent
capability in it that is VOIP related. Is there an actual question or
objection?
* It does use an outdated SSL library (PolarSSL 1.1.1) with some known
security vulnerabilities?
No, we're using PolarSSL 1.1.4. We did not include the PolarSSL code in the
drop because we didn't want to figure out the licensing details.
* It does not use LibZRTP by Philip Zimmermann used in Zfone but ZRTPCPP
That is correct. We're using Werner Dittmann's library. We like it. We like
it so much that Werner is working for us. Werner rocks.
* It does use an outdated version of ZRTPCPP library?
I don't believe so. If anything, we're using a version of it that is newer
than anyone else's; Werner works for us, now.
Should we need to release a new version, we will.
* It does reveal their test/development server?
- "I wonder if they are hiring new iOS devs now?"
Yes, we are. We also need Android devs, and need them more than iOS devs.
Feel free to send résumés to <jobs at silentcircle.com>. Note that we are a
highly-distributed company with developers and staff stretched from Latvia
to Greece, to the Pacific West. Location almost does not matter. 31337
skillz do.
I will also note that the code of the VOIP system is the same across all
our apps. It gets compiled for iOS and Android, as well as Windows (Silent
Eyes). Each OS has its own UX skin on top of the code VOIP system.
- "I'd say anything that gets Silent Circle to actually answer questions
proper is useful, if that is the result."
Feel free to send questions to me, or to "security at silentcircle.com"
* In ./silentphone/tiviengine/prov.cpp there is some kind of provisioning
protocols, used probably to auto-configure the voip clients.
Good catch! Yes, indeed, we provision the clients ourselves. Silent Circle
is a *SERVICE* not an app.
* The capability for a government censoring/filtering host to block the user
out by blocking accounts.silentcircle.com or sccps.silentcircle.com should be
evaluated. Maybe some dynamic methods are in place?
We'd love to hear suggestions. If someone's suggestion is particularly
clever, feel free to attach a résumé.
* It should be asked what the privacy handling is for those data and whether
they can be additionally "privacy enforced".
Feel free to ask. I don't understand the question, myself.
* QUESTION: What is this certificate used for?
TODO: We should check to see if this certificate is used for TLS
validation. If so, that's cool, that it does not rely on a third-party CA.
Got it in one! Thank you for thinking it's cool.
Again, feel free to forward this mail to anyone, and I'm happy to entertain
questions from anyone.
Jon
-----
Jon Callas
Chief Technical Officer
Silent Circle, LLC
email: jon at silentcircle.com
Silent Phone: jon
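The last question in the thread, about a certificate shipped with the client being used for TLS validation instead of a third-party CA, is worth seeing as code. The following is an added illustration, written for this page; it is not Silent Circle's or Tivi's code and says nothing about how their client actually implements the check. It assumes a client that carries one self-signed certificate and trusts only that certificate as its root: the genuine server presenting the bundled certificate is accepted, while a different self-signed certificate for the same host name, and the bundled certificate presented for a different host name, are both rejected. The host name and certificates are constructed on the fly so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed host name for this example; it is not one of Silent Circle's servers.
const exampleHost = "provisioning.example.invalid"

// newSelfSignedCert mints an ephemeral self-signed certificate for host. In a real
// deployment the operator would generate this once and ship it inside the client;
// here it is created at run time so the example is self-contained.
func newSelfSignedCert(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // modern verifiers match SANs, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// pinnedPool returns a trust store holding only the bundled certificate. Nothing
// from the OS or browser CA bundle is consulted when this pool is used.
func pinnedPool(bundled *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(bundled)
	return pool
}

// pinnedClientConfig is the TLS client configuration such a client would use:
// RootCAs replaces the system store, so a certificate issued by any public CA
// for the same host name is rejected just like an unknown self-signed one.
func pinnedClientConfig(bundled *x509.Certificate, host string) *tls.Config {
	return &tls.Config{
		RootCAs:    pinnedPool(bundled),
		ServerName: host,
		MinVersion: tls.VersionTLS12,
	}
}

// verifyPresentedChain runs the same check crypto/tls applies to the server's
// chain when RootCAs is set: chain[0] is the leaf, the rest are intermediates,
// and the chain must terminate at a certificate in roots with the right name.
func verifyPresentedChain(chain []*x509.Certificate, roots *x509.CertPool, host string) error {
	if len(chain) == 0 {
		return fmt.Errorf("server presented no certificate")
	}
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// pinningOutcome records what the pinned client decides for three candidate servers.
type pinningOutcome struct {
	BundledAccepted   bool // genuine server presenting the bundled certificate
	ImpostorRejected  bool // a different self-signed certificate for the same host name
	WrongHostRejected bool // the bundled certificate presented for another host name
}

// runPinningDemo builds the three scenarios and returns the verifier's decisions.
func runPinningDemo() (pinningOutcome, error) {
	bundled, _, err := newSelfSignedCert(exampleHost)
	if err != nil {
		return pinningOutcome{}, err
	}
	impostor, _, err := newSelfSignedCert(exampleHost) // same name, key unknown to the client
	if err != nil {
		return pinningOutcome{}, err
	}
	cfg := pinnedClientConfig(bundled, exampleHost)
	var out pinningOutcome
	out.BundledAccepted = verifyPresentedChain([]*x509.Certificate{bundled}, cfg.RootCAs, cfg.ServerName) == nil
	out.ImpostorRejected = verifyPresentedChain([]*x509.Certificate{impostor}, cfg.RootCAs, cfg.ServerName) != nil
	out.WrongHostRejected = verifyPresentedChain([]*x509.Certificate{bundled}, cfg.RootCAs, "other.example.invalid") != nil
	return out, nil
}

func main() {
	out, err := runPinningDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The design point is that the trust decision is made entirely against the certificate the client already carries, so a compromised or coerced public CA cannot mint an acceptable certificate for the provisioning host. The cost is operational: the pinned certificate's expiry and any key rotation have to be handled by shipping a client update, which is why a deployment of this kind usually bundles the next certificate before the current one lapses.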