Silent Circle Promises Spy-Proof Calls
Your communication online can be easy, or it can be encrypted. Good luck combining both: Any service secure enough to defeat eavesdropping by three-letter government agencies has come with a payload of added complexity.
A new company called Silent Circle says it's cracked that equation. And it has credentials to make such a claim: Its founders include one of the most famous names in cryptography, Pretty Good Privacy developer Phil Zimmermann, plus other security experts and several U.S. and British special-operations veterans.
"PGP" exhibited the promise and peril of strong cryptography when it debuted in 1991. This open-source software worked well enough for the U.S. government to investigate Zimmermann (the feds dropped the case in 1996), but it was sufficiently tricky that relatively few people adopted it.
Silent Circle promises the same uncrackable encryption in simple iOS and Windows apps for voice, video and text-message communication, with Android support coming later. That's a compelling pitch, and it's gotten this National Harbor, Md., firm attention after its Oct. 15 launch.
One holdup involved its setup. After you create an account at Silent Circle's site, you must generate a different activation code there to type into each app you install; its apps don't explain this step well.
DNEWS VIDEO: COOL JOBS: HACKER
After that, however, the encryption becomes invisible. When you contact another Silent Circle user, the two apps quickly exchange data to set up a one-time encryption key; you both confirm it worked by verifying that you see the same sequence of words in the app. In one call, this was the unintentionally-timely "stormy handiwork"; in a text, it was "Uniform Quebec One One."
After each exchange, the software destroys that key after computing a "hash" value from it, which it will use to generate the next one-time key. The company never sees each key.
Silent Circle says it will publish its source code for others to inspect. Matthew Green, a computer-science professor at Johns Hopkins University, is waiting for that but said its system "looks like a pretty solid protocol."
Green also noted one unavoidable vulnerability: You can be spoofed if somebody takes a caller's phone and imitates their voice. Zimmermann called that the "Rich Little attack" at a meeting in September.
Christopher Soghoian, a privacy researcher with the American Civil Liberties Union, also wanted to see Silent Circle show its code so outside researchers could "beat up their text encryption protocol" to test for any vulnerabilities.
(My conversations with Green and Soghoian happened over unencrypted e-mail.)
Over a series of calls, I ran into a different issue: audio dropped out briefly, and video calling suffered from sluggish frame rates and sometimes the absence of audio. There's also no voicemail.
The Silent Text app requires more trust, since you can't verify a person's identity by their voice in it. Its "Burn Notice" feature can wipe messages after a preset interval, but you can defeat that with screen captures.
In the coming weeks, Silent Circle plans to offer the option to call conventional numbers from the app–which could help travelers calling the U.S. from countries that tap phone lines. A Silent Mail service is also on the way.
The company has already drawn business from governments and corporations (not to mention some anxiety from the latter), and it will offer free service to human-rights organizations. Will individuals pay $20 a month for calls no government can tap? You tell me.
Credit: Rob Pegoraro/Discovery