50 comments

[ 3.8 ms ] story [ 125 ms ] thread
How far will they go to save the company? Let's hope they don't take money from In-Q-Tel[1] which is probably eager to give them what they need (in exchange for certain things of course).

[1] https://en.wikipedia.org/wiki/In-Q-Tel

They are based in MD with military people as founders so I would think this would be the desired outcome. Sad but kind of expected.
Yes and no. Getting paid to produce a very secure device to their specs would be a great option for survival, provided they don't insert a backdoor because of their customer's demands.
People who say things like this generally have no idea what In-Q-Tel actually is. Wait'll they find out where Tor's funding came from!
Heck, not even that. The original funding for computers as we know them came from that general area as well.
When I clicked the link, I got a gray page with a "Quote of the day" in big font. Nothing else visible on the page, no X to close this or similar.

I was about to close the tab when it suddenly redirected to the article.

What kind of nonsense is this? I mean, seriously Forbes?

http://i.imgur.com/ALe3s1v.png

Closing the tab, and then clicking the link again makes it go away. I think Forbes links need to be banned on HN until Forbes stops doing this shit.
(comment deleted)
Apologies for the meta comment: I'd like to read the article, but the obnoxious ads on Forbes and the even more obnoxious splash screen that won't let you through if you use a blocker show me that Forbes web presence is obviously in a troubled period. Does someone have the text of the article elsewhere?
Having the article open without an ad blocker increased my battery utilization by well over 1000 mA.
What software do you use to measure utilization?
It let me through the spash just fine, using AdBlock Plus and NoScript on Firefox.
Archive.is seems to work without showing you that overlay: http://archive.is/76nRX

I removed the trailing hash after #, 'a2fe2c560df31', in the original URL, before posting it to archive.is. What is that for anyway? For them to log the source of the URL?

Yes, the hash is a way to track referrals without relying on the Referer header, especially in situations that don't involve such headers. (E.g., when you click on a link in an email, or post to a social site like HN.) I think you are right to strip the hash before posting, for your own privacy if for no other reason.
It continually depresses me that privacy and software security products have such a difficult time. I very much hope that Silent Circle makes it, but the landscape is littered with privacy/security products that went nowhere.

But there have been some billion-dollar success stories. Off the top of my head, they are:

(1) Security Dynamics who invented the little token with ever-changing 6-digit numbers that you have to enter to login to your remote office computer. You probably know it today as the RSA SecurID: https://upload.wikimedia.org/wikipedia/commons/3/33/RSA-Secu...

The hardware was simple (microcontroller, real time clock, and an LCD display) and the proof of concept for the software could've been written in an afternoon by a crypto-knowledgable programmer. I genuinely admire this idea as having the least amount of technical development required to create a billion-dollar market.

(2) Paper shredders. Fellowes created a billion-dollar market for personal shredders. Seriously, before this market existed, if you told the average Joe that they needed a shredder for their home, you would have been laughed at. Then came along all the brouhaha about identity theft, and now Office Depot and Staples sell dozens of home models.

(3) Firewalls. When I first heard the concept of a network firewall--and this is going back a long time--my first thought was "What a stupid idea, why don't they instead fix the bugs that would allow you to penetrate the network?" Turns out to be a multi-billion dollar market.

(4) Password managers like LastPass and 1Password. I doubt these have reached a billion in sales, but I figure they will.

(5) Certificate authorities. An early implementation of that idea made Mark Shuttleworth into a billionaire with enough money to visit the International Space Station just for fun.

Looking at the list, the threats are sometimes abstract. I do have a home shredder, but I'll admit that it's very unlikely I'd be a victim of identity theft if I never shredded. However, the threat that Silent Circle addresses is proven worldwide surveillance, yet it's a much harder sale. It's very difficult to predict what privacy/security product will succeed.

Great list. I am wondering what is going to be next?
2FA. As much as I like password managers, I feel like they're solving a problem that has come about because our method of authenticating users hasn't kept up with developments in tech.

some kind of 2FA variation (probably not what we currently have) that uses trust chains anchored at individuals will hopefully revolutionize authC. Duo, Yubikey, etc are all really effective steps in the right direction if not already great products that are actually effective and do what they say they will.

mass market is the next hurdle.

Great list. I would also add PayPal. I know not everyone likes them but most people never had to do online payments before it was a thing. When you had to write a check and put it in the mail. Or even worse, give whoever ACH access to do whatever with your bank account.
Internet porn billing/Paycom came some time before PayPal. See movie "Middle Men" for reference.
I have no doubt there were many before PayPal. If you weren't looking for porn or looking to pay for it then there weren't a lot of options. Especially, in the early days of the WWW. When there was an actual yellow pages of the entirety of the web.
I would think that with Zimmerman and Callas that there could have been the chance to create a secure android. If it was possible I would say they should have been the guys, with recent departures I would say that they are no longer interested in that vision of the product.
Yeah I thought the same thing. Although, if Telegram is any indication, mass market is not a matter of how strong your implementation is, more of a marketing/business problem to be solved.
Is Telegram not secure?
No, it's not.
not entirely true... its authentication can be subverted allowing impersonation.

but its a lot more secure than some....

At a minimum, they've made a number of choices which go against (fairly widely considered) good cryptographic principles.

This in itself wouldn't even be that bad if they weren't then trying pretty hard to convince the general public that it's super secure with massively flawed stunts as explained here: https://moxie.org/blog/telegram-crypto-challenge/

When I first met Silent Circle and its products, my opinion was that their product design is impractical and not convincing for customers. With all respect to Phil Zimmermann (he really deserves a decent pension).

Either you ditch Android and go fully FOSS (no firmware blobs!) and OSHW with as little software footprint as possible and get software stack audited and thoroughly pentested.

Or you are fine with Android and you just provide some additional applications and maybe services. But this doesn't justify selling a _device_. You know, there's no such thing like Angry Birds Phone. There's no Facebook Phone either.

But it's hard to go full tinfoil without owning the device. I applaud their effort, but there are just too many interests vested against it.
But you cannot be owning the Android device because Google is owning it by means of closed-source core components.

Well, manufacturers also aren't going to let you own your device because they release only blob-stuffed devices.

There's actually no such thing as fully open-source Android: https://plus.google.com/+JeanBaptisteQueru/posts/9HHRURorE7g

It feels very silly, but still running Linux kernel self-built from sources on modern ARM devices is mostly discouraged, and if it works, it's result of volunteer effort. And even if drivers are there in source, datasheets for hardware are often not public and one needs to sign NDA to read it.

Honest question - who is the market for this phone?

Very security minded corporate it departments?

From first glance it would seem I would need other people to have silence circle in order for most of the features to be useful...I don't know anyone who uses it - why would I be an early adopter as a consumer?

That's always the problem. They had an app before (maybe they still do) that worked great for me for calls and texts, but I know knew one person who had it. I'm better of with Signal, but even there I only have a few contacts on it.
I've followed the blackphone for a while with quite a bit of interest, and TBH I didn't get a strong indication that they knew who their target market was. BP1 was aimed at individuals I think, and when they realised they weren't selling like hotcakes decided that enterprise may be a better chance for BP2?
I have the phone. Despite its problems and my plan to ditch it soon, I do hope that silent circle survives and eventually thrives. I support their purpose and ideals, even if it hasn't worked out for me personally with them.
we bought a handful of these. The execs demanded them.

Then, they sat in the bottom drawer of each of their desks because their iphones were a lot simpler and more useful to them.

(multi billion $$ Mining company)

> in the belief it had secured big distributor agreements with three partners

This line reads very strangely, especially with the followup about one agreement having some legitimacy.

Did Silent Circle have actual, signed purchase agreements with these distributors? If so, are they suing, and why is it not mentioned in the article? If not, why did they think they had agreements?

With how intrusive Forbes's ads are, even with uBlock origin, I wish HN would just disallow stories from forbes.
With the adblocker, the full-page quote will only show up once per day. Reload the page and it goes away.
Who provides the baseband for the Blackphone?

EDIT: To answer my own question. Qualcomm

I interviewed with them. It was team of very bright people and I enjoyed interacting with them. Hopefully everyone I talked to is still there and didn't have to be let go. Wish them all the best.

In general, for privacy related software there these large segments -- the enterprise, the government, personal / casual. Sometimes it is hard to find a single product to appeal to entice all of those segments. The requirements are just so different. (Well there is also the other type of segment -- the criminal segment, drug lords will pay cold hard cash for ability to secure their communications, but you know building a business selling mostly to them is not healthy for doing well in other segments).

Government wants to control and certify the system in certain ways. Just getting over the certification red tape mountain is huge hassle. Spending time doing that means ignoring other segments largely, just because of costs and time involved. Enterprise wants centralized management of devices (they'd have thousands or more potentially), that means monitoring and controlling what employees do or who they use the phones. Personal / casual might involve a free tier or being able to pay less, this needs to be very user friendly, with no hassles, and the biggest thing needed is a network effect. If none of ones' friends are on the network, it is hard to justify using the service.

As for Blackphone, SEAndroid (NSA Secure Android) research project has slowly been incorporated into latest version of Android but hardware remains a problem. If there is a closed source firmware blob running on the baseband processor, and if it can read main system memory, the situation is quite bleak, it is hard to convince governments or serious enterprise customers that the platform is secure. I believe the idea with Blackphone to address that was to ensure baseband processor talks to the main system via a serial interface + AT style model commands. So perhaps Silent Circle just need to publicize more those features?

Focusing on the Enterprise market is smart but perhaps it will take another Sony-like enterprise breach before companies will get scared into spending more on this.

I been involved in the cryptography/security community for many years. I continually see privacy/security start-ups struggle. There are lots of reasons. But, I think the key one is that doing something online securely will always be more difficult and expensive that doing it insecurely. This truth was instilled like a law of physics when the internet was first designed.

There's only a certain number of people that are deeply passionate enough about their privacy to put in the extra effort or pay the extra cost. So, companies in the space tend to plateau after 2-4 years. They essentially saturate their markets and the (rather static) size of these markets are rarely large enough to sustain the company (this is especially true when hardware is involved in the business plan). In cases where they are sustainable, I have seen it be at the level of "life style business" rather than exponentially growing startup that can IPO at a level that will provide investors a significant return. While there have been exceptions over the years, I would caution people on HN from doing privacy and security startups until you sit down and honestly and truthfully estimate the size of the market that you are targeting.

Us old folk remember another secure phone company before SilentCircle/Blackphone - CryptoPhone. I have talked with some friends that remember the CryptoPhone product failure. Some thought that the Snowden revelations changed things. They thought that such companies would be viable now due to mainstream market apatite. But, I think over the next few years we'll see more evidence that this isn't the case.

Privacy is an area that is very easy to get passionate about and become emotionally invested in. But, it's probably not a great space for your startup (or for your investment).

> But, I think the key one is that doing something online securely will always be more difficult and expensive that doing it insecurely.

Yeah that is a good way to put it. There are periodic spikes for demand when there are large publicized security breaches -- Snowden, Sony, Target etc.

Most people out there are hard to convince to jump through extra hoops to get more security unless they see those around them or themselves being hurt by not having it.

There is market for silly "rfid wallet blockers" because the story is "it protects you against identity theft". It is mostly a scam, but the point is people relate to identity theft, it happened to someone they know probably.

> There's only a certain number of people that are deeply passionate enough

Yap. An additional observation, from talking to a few people at Silent Circle is that those working there are also deeply passionate about it (why would they hire anyone who isn't, right?). That is good of course, but is also bad, because it translates to rose colored glasses when it comes to market demand.

Everyone thinks there are many others out there, who are just as interested and passionate as themselves, so it is easy to overestimate demand. I think to a certain extent that the idea behind the lawsuit. Someone somewhere massively overestimated the market demand.

I feel sad reading this post. Silent Circle might be having some issues but cryptophone.de & esdcryptophone.com have been going strong for over 10 years. In fact our product groups have grown. We now offer intrusion detection for cellular networks esdoversight.com and the highly successful esdoverwatch.com imsi catcher detection system.