HN Theater @HNTheaterMonth

The best talks and videos of Hacker News.

Hacker News Comments on
Live Test of an Encrypted Call on Android phone using Cellcrypt Mobile

MobileAppTester · Youtube · 1 HN comment
HN Theater has aggregated all Hacker News stories and comments that mention MobileAppTester's video "Live Test of an Encrypted Call on Android phone using Cellcrypt Mobile".
Youtube Summary
Demo of Cellcrypt Mobile, a standard downloadable app, making an encrypted voice call between a Google Nexus S on Wi-Fi and a Sony Ericsson Xperia Arc on 3G. The call is encrypted using RC4 256-bit then AES 256-bit and authenticated using 2048-bit RSA & ECDSA. The key exchange uses Elliptic Curve Diffie-Hellman & RSA.

Cellcrypt Mobile runs on a variety of platforms and so I also show a call between the Sony Ericsson Xperia and a Blackberry handset.

Company URL: http://www.cellcrypt.com

Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
I'm going to focus on voice as messengers are all over the place. People originally wanted secure voice. They started out as custom or value-added devices that, if worth a crap, often had special protections like dedicated ICs for crypto and TEMPEST protection:

https://electrospaces.blogspot.com/2012/06/highly-secure-mob...

Those were usually very simple. A good thing compared to modern ones. They all cost in the $1,000-3,000 per unit range due to extra costs and low volume. Sectera Edge was probably most secure and rugged. Cryptophone was easy to use plus had nice features like hardened Windows and published source for crypto. You basically called the person, read out what was on your screen, listened to them do the same, and listened to each other's voices to make sure you recognized them. It was a favorite outside of just defense use. Switched to Android later. That's the demo I found.

http://www.cryptophone.de/en/products/mobile/

https://www.youtube.com/watch?v=RchMr2B1KuU

Note: The letters you see are the codes you read.

These were pretty expensive. So, companies started developing software for regular phones... often one or two models... that turned them into encrypted phones optionally with hardening. Prior list had some. SecureStar (PhoneCrypt), SecureGSM, and Cellcrypt come to mind. Eventually, recognizing encryption wasn't enough, this segment sort of combined with Android and other software to produce dedicated phones that were cheaper than older cryptophones. Well, some of them haha. Two examples, with the second being the open Redphone.

https://www.youtube.com/watch?v=8TIBtOdioYE

http://www.pcmag.com/article2/0,2817,2415410,00.asp

Examples of the phones produced include Boeing Black, Bull Hoox, the Cryptophones, and recently the Blackphones w/ Silent Circle. Blackphone was among the cheapest we saw at regular smartphone prices. It was common for crypto phones to come with voice and SMS at least. Blackphone added quite a few privacy-oriented apps over most to be an all-in-one solution. I remember that as an advantage.

https://www.silentcircle.com/products-and-solutions/devices/

Far as messengers, we have good open ones these days so I mostly forgot the others outside cryptophones and above. Signal is super easy, free, and quite secure. Main recommendation. There was also ChatSecure and TextSecure. Given open ones, no reason to trust commercial ones since subversion and BS is high in this industry. Still worth looking at them for how they do the usability aspect to increase adoption. I know Threema got significant adoption. Worth looking at. I'm open to others' suggestions here on crypto apps with good security protocols that also have great usability. Thing is, if it's really end-to-end, usability is inherently lower than a centralized one due to the verification aspect. Anything truly frictionless is suspect in my view, with Signal representing the high end of what I'm expecting.

Bruce Schneier, for Congressional submission, did ask us all to list as many crypto products as possible for him. You might find something of interest there. Here's that thread:

https://www.schneier.com/blog/archives/2015/09/wanted_crypto...

https://www.schneier.com/blog/archives/2016/02/worldwide_enc...

Note: Also, the original way we did this outside expensive cryptophones is called Voice over Secure IP (VoSIP). That means you set up the strongest VPN (or link encryptor) between two points that are communicating. Then, you force a normal app to go through it. One can automate this process so it's painless for users. Often stronger than the average secure voice app given what scrutiny goes into some implementations of transport-level security. Or the existence of dedicated lines between branches.

"I view this sort of like the people who got away from the Matrix in the movies; as the Architect and the Oracle implied, as long as these people aren't an escalating threat for the entire system, they're allowed to live however they choose."

Possibly but don't count on it. Depends where you live. The U.S. increasingly targets harmless citizens with anything it can up to and including just stealing their money without charges under civil forfeiture laws. Just using Tor or crypto is grounds for NSA to put increased scrutiny on you per the leaks. So, this isn't guaranteed. Keep real secrets off online or wireless devices period. Face-to-face only. The rest we have to keep doing more and more to protect. Can incrementally deploy it, though, where sales drive increases in not just features but assurance of more of the stack. My recommendation.

"What's your opinion on the Turing Phone and Sailfish OS in general, by the way? Do you think that it gives us a fair progress in the direction of the more snoop-proof end-user tech?"

Let me help you out by showing you what all they have to protect. You can look at this list, look at the marketing/technical material, and usually tell if it's going to be victim to future attacks.

https://news.ycombinator.com/item?id=10906999

By those standards, the above aren't even close. I haven't studied these phones where I can say much more, though. I do like aspects of Sailfish in terms of a more open phone but it's still owned by one company from Wikipedia's description. That one also licenses key I.P. in proprietary fashion. So, there is risk of it being another Google Android situation. Turing Phone article I read on Wired sounds like a pile of marketing BS plus lock-in waiting to happen. People are better off using apps like Signal, Redphone, Cryptophone, or Silent Circle that at least come from people who know what they're doing. Who we know have a track record. That's my (common) initial impression.

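The call-setup ritual described above (read the letters on your screen to the other party, listen to them read theirs, check the voice) is a short authentication string (SAS) check, and it is the "verification aspect" that makes a real end-to-end call less frictionless than a centralized one. The following is an added example written for this page, not code from Cryptophone, Cellcrypt, Silent Circle or ZRTP. It assumes finite-field Diffie-Hellman over RFC 3526 group 14 in place of the ECDH those products use, a ZRTP-style SAS (the first 20 bits of a hash over the exchange, shown as 4 base32 letters), and two simulated calls; the function names (`honest_call`, `intercepted_call`, `sas_digest`) are hypothetical. It uses only the Python standard library.

```python
"""Short authentication string (SAS) check for an end-to-end voice call.

Added example for this page (not Cryptophone, Cellcrypt or ZRTP code).
Assumptions: finite-field Diffie-Hellman over RFC 3526 group 14 stands in
for the products' ECDH; the SAS is ZRTP-style, the first 20 bits of a hash
over the exchange rendered as 4 base32 characters. Standard library only.
"""
import base64
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2   # order of the prime-order subgroup generated by G
NBYTES = 256       # big-endian width of one group element


def dh_keypair():
    """Return (private exponent, public value). A 256-bit exponent is ample here."""
    priv = secrets.randbelow(2**256 - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Derive the shared secret, rejecting peer values outside the safe subgroup."""
    if not 2 <= peer_pub <= P - 2 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_pub, priv, P)


def sas_digest(shared, pub_x, pub_y):
    """Hash the shared secret plus both public values, in a canonical order so
    that both callers compute the same bytes when nobody is in the middle."""
    lo, hi = sorted((pub_x, pub_y))
    h = hashlib.sha256()
    for v in (shared, lo, hi):
        h.update(v.to_bytes(NBYTES, "big"))
    return h.digest()


def sas_string(digest):
    """ZRTP-style SAS: the first 20 bits of the digest as 4 base32 letters."""
    return base64.b32encode(digest[:3]).decode("ascii")[:4]


def honest_call():
    """Both parties see each other's real public values: the letters match."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    alice = sas_digest(dh_shared(a_priv, b_pub), a_pub, b_pub)
    bob = sas_digest(dh_shared(b_priv, a_pub), a_pub, b_pub)
    return {"alice_sas": sas_string(alice), "bob_sas": sas_string(bob),
            "alice_digest": alice, "bob_digest": bob}


def intercepted_call():
    """An active attacker terminates DH on both legs. Each leg is a perfectly
    valid key exchange, so 'encryption' works, but the two callers end up with
    different secrets and therefore read different letters to each other."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m1_priv, m1_pub = dh_keypair()   # attacker's key pair facing Alice
    m2_priv, m2_pub = dh_keypair()   # attacker's key pair facing Bob
    # Alice is handed m1_pub as "Bob"; Bob is handed m2_pub as "Alice".
    alice = sas_digest(dh_shared(a_priv, m1_pub), a_pub, m1_pub)
    bob = sas_digest(dh_shared(b_priv, m2_pub), m2_pub, b_pub)
    # The attacker holds both leg secrets and can relay cleartext between them.
    reads_alice = sas_digest(dh_shared(m1_priv, a_pub), a_pub, m1_pub) == alice
    reads_bob = sas_digest(dh_shared(m2_priv, b_pub), m2_pub, b_pub) == bob
    return {"alice_sas": sas_string(alice), "bob_sas": sas_string(bob),
            "alice_digest": alice, "bob_digest": bob,
            "attacker_reads_both_legs": reads_alice and reads_bob}


if __name__ == "__main__":
    h = honest_call()
    print("honest call:      Alice reads", h["alice_sas"], "/ Bob reads", h["bob_sas"])
    m = intercepted_call()
    print("intercepted call: Alice reads", m["alice_sas"], "/ Bob reads", m["bob_sas"],
          "/ attacker has both legs:", m["attacker_reads_both_legs"])
```

Two caveats worth keeping in mind when reading this. First, a 20-bit SAS is only as good as the voice check: if the attacker can see one party's public value before choosing its own, it can try on the order of a million key pairs until the two SAS values collide, which is why ZRTP makes the initiator commit to a hash of its value before the other side reveals anything. Second, the SAS only proves there is no one in the middle of this exchange; it does nothing against a compromised endpoint, which is the threat the hardened-OS and dedicated-hardware phones in the comment above were built for.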
dlmetcalf
The big issue with Signal at the moment, is that it doesn't work on AOSP.

You can't use it without installing closed-source Google Apps (Play Services for GCM at minimum), which means you agree to hand over your phone metadata to Google (per the OP's top-thread). Moxie has stated he is open to considering high-quality PRs to add Websocket functionality. (Removing closed-source binary blobs would be a prerequisite to distributing on anything other than Google Play too, though, which Moxie's also said isn't on the roadmap - I assume primarily because of resources).

In the meantime, Conversations.IM has OMEMO and Vector.IM has Olm/MegOlm.

There's not a lot of good voice options. Vector.IM's just added WebRTC, which is meant to be DTLS secured. CSipSimple does ZRTP, but it hasn't been updated in a long time.

None of the apps mentioned above has been audited and scrutinised to the extent Signal has.

If you really need privacy & security, CopperheadOS is the only Android distro AFAIAA that fits the bill at the moment.

nickpsecurity
Thanks for the tips on other apps and the Android distro. Much appreciated. Far as Signal issue, I did find this:

https://www.reddit.com/r/gnu/comments/4cd451/libresignal_sig...

Perhaps some more volunteers putting effort in could remedy the situation.

dlmetcalf
You're welcome. Unfortunately, LibreSignal was shut down due to: https://github.com/LibreSignal/LibreSignal/issues/37#issueco....

I wouldn't pin too much hope on having a high quality PR written and integrated back to Signal soon. It doesn't look like a top priority for them. OWS also like the telemetry that Play gives them for diagnostics and have stated they won't be looking at FDroid unless someone can replace that.

nickpsecurity
Thanks for the link. That conversation was a bit disturbing as I read on. At least Moxie is allowing the code to be used.

pdimitar
Thanks a lot! Bookmarking and downloading your reply. I'll most certainly use the following months to try and find the perfect balance between usable and secure app.

Sadly, on the topic of the Turing Phone, I suspected as much. I really like to believe but yes, they're quite new to the market and are still closed in terms of what they use for this alleged "more secure" phone/OS. I'm still interested but my enthusiasm is not so high compared to the time of the original announcement...

I wanted to use Signal several times but I have to admit, its use-case and convenience points aren't looking good. I'll take a more serious look, though.

HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.