[liberationtech] Fwd: Answers to some of your questions (Silent Circle responds..)

Nadim Kobeissi nadim at nadim.cc
Thu Feb 14 09:27:20 PST 2013


Wow, nice! :-) Perhaps also ask him if he can make Silent Phone easier to
build in Xcode?


NK


On Thu, Feb 14, 2013 at 11:51 AM, Ali-Reza Anghaie <ali at packetknife.com> wrote:

> Mr. Jon Callas of Silent Circle was kind enough to field questions on
> another list and also pay attention to the Pastebit of the pad everyone was
> commenting on before things went awry.
>
> See the below - complete with an invitation for cool ideas w/ resumes.
>
> Thank you VERY much to Mr. Callas for entering the fray and helping tune
> the accuracy of the overall discussion. Cheers, -Ali
>
>
> ---------- Forwarded message ----------
> From: Jon Callas <jon at silentcircle.com>
> Date: Thu, Feb 14, 2013 at 11:28 AM
> Subject: Answers to some of your questions
> To: Ali-Reza Anghaie <ali at packetknife.com>
> Cc: Jon Callas <jon at silentcircle.com>
>
>
> Hi, Ali-Reza.
>
> I saw your pastebit with some questions, and let me answer. You may repost
> this mail to liberation tech or anywhere else.
>
> * A Latvian company wrote most of the software, not SilentCircle
>
> When we formed Silent Circle, we looked around for people to partner with.
> We selected Tivi because they're really cool people -- I used their
> ZRTP-enabled VOIP client back in the days when I had a Nokia N95. We picked
> them in part because they were willing to release source code. (Other
> potential partners were not willing.)
>
> Our partnership with them includes that code base, and that they work for
> us full-time now. They're some of our main developers now.
>
> I have a bit of a raised eyebrow at this comment. (Yes, I know it's not
> your words, you're also explaining.) It sounds to me like whoever is making
> that comment is implying that there's something wrong with Latvia. Riga was
> for many, many years a center of European high-tech until the dark days of
> WWII and Soviet occupation. It's a lovely place filled with incredibly
> smart, friendly people. It is a part of the EU, and also a NATO nation. Our
> team in Riga. We picked them because they rock.
>
> Perhaps the comment comes from the fact that they were in business before
> our partnership. It's relatively common in high-tech that companies enter
> into partnerships with others. Google, Microsoft, Apple, Facebook, and
> others often use some sort of relationship like this to get software or
> technologies that they didn't have, so that it speeds up development. We
> are hardly unique in this.
>
> Perhaps I don't understand. If someone could explain the objection to me,
> I'm happy to address it further.
>
> * Application is designed for VoIP, not specifically for Security
>
> It's a secure VOIP client. Because of its history, there's a lot of latent
> capability in it that is VOIP related. Is there an actual question or
> objection?
>
> * It does use an outdated SSL library (PolarSSL 1.1.1) with some known
> security vulnerabilities ?
>
> No, we're using PolarSSL 1.1.4. We did not include the PolarSSL code in
> the drop because we didn't want to figure out the licensing details.
>
> * It does not use LibZRTP by Philip Zimmermann used in Zfone but ZRTPCPP
>
> That is correct. We're using Werner Dittmann's library. We like it. We
> like it so much that Werner is working for us. Werner rocks.
>
> * It does use an outdated version of ZRTPCPP library?
>
> I don't believe so. If anything, we're using a version of it that is newer
> than anyone else's; Werner works for us, now.
>
> Should we need to release a new version, we will.
>
> * It does reveal their test/development server?
>
> - "I wonder if they are hiring new iOS devs now?"
>
> Yes, we are. We also need Android devs, and need them more than iOS devs.
> Feel free to send résumés to <jobs at silentcircle.com>. Note that we are a
> highly-distributed company with developers and staff stretched from Latvia
> to Greece, to the Pacific West. Location almost does not matter. 31337
> skillz do.
>
> I will also note that the code of the VOIP system is the same across all
> our apps. It gets compiled for iOS and Android, as well as Windows (Silent
> Eyes). Each OS has its own UX skin on top of the code VOIP system.
>
> - "I'd say anything that gets Silent Circle to actually answer questions
> proper is useful, if that is the result."
>
> Feel free to send questions to me, or to "security at silentcircle.com"
>
> * In ./silentphone/tiviengine/prov.cpp there is some kind of provisioning
> protocols, used probably to auto-configure the voip clients.
>
> Good catch! Yes, indeed, we provision the clients ourselves. Silent Circle
> is a *SERVICE* not an app.
>
> * It should be evaluated the capability for a government
> censoring/filtering host to block the user out by blocking
> accounts.silentcircle.com or sccps.silentcircle.com. Maybe some dynamic
> methods is in place?
>
> We'd love to hear suggestions. If someone's suggestion is particularly
> clever, feel free to attach a résumé.
>
> * It should be asked what are the privacy handling for those data and if
> those can be additionally "privacy enforced" .
>
> Feel free to ask. I don't understand the question, myself.
>
> * QUESTION: What this certificate is used for ?
> TODO: We should check to see if this certificate is used for TLS
> Validation? If so that's cool, that it does not rely on third party CA.
>
> Got it in one! Thank you for thinking it's cool.
>
> Again, feel free to forward this mail to anyone, and I'm happy to
> entertain questions from anyone.
>
>         Jon
>
> -----
> Jon Callas
> Chief Technical Officer
> Silent Circle, LLC
> email: jon at silentcircle.com Silent Phone: jon
>