The Blackphone vs. the NSA

Well Linux bloggers have made it plain from the get-go that privacy is among their top concerns for 2014, and recent events have done nothing to shift that focus. President Obama’s momentous speech proposing NSA reforms wasn’t the only clarion call last week. We also heard from Mozilla, which appealed to security researchers around the world to help ensure that Firefox source code remain unadulterated and backdoor-free.

“Mozilla has one critical advantage over all other browser vendors,” explained Mozilla CTO Brendan Eich.

“Our products are truly open source. Internet Explorer is fully closed source, and while the rendering engines WebKit and Blink (chromium) are open source, the Safari and Chrome browsers that use them are not fully open source. Both contain significant fractions of closed source code,” he explained.

“Mozilla Firefox, in contrast, is 100 percent open source,” Eich pointed out.

That, of course, means its code can be inspected for tampering by government agencies, among other potential miscreants. Go FOSS!

‘Privacy and Control’

Continuing on a similar theme, there was Wired’s report on Project Novena and the effort to build a fully open source (read: NSA-proof) laptop.

Perhaps most exciting of all, however — at least in part because of the people behind it — was word of the Blackphone.

“Blackphone is the world’s first smartphone to put privacy and control ahead of everything else,” according to thewebsite for the project, which is led by none other than PGP creator and privacy guru Phil Zimmermann, along with Silent Circle and Geeksphone. “Ahead of carriers. Ahead of advertising. Blackphone is re-shaping the landscape of personal communications.”

Maybe it was the freely flowing tequila, but more than a few bloggers down at the blogosphere’s seedy Punchy Penguin Saloon quickly became uncharacteristically enthusiastic.

‘We NEED Products Like Blackphone’

“I love the idea!” enthused Linux Rants blogger Mike Stone, for instance.

At the same time, “I’m concerned about the initiative just based on the simple fact that people are uninterested in security,” Stone told Linux Girl.

“Too many feel that because they’re doing nothing wrong, they don’t care if they’re being snooped on. Maybe if there are products out there pointing out that this isn’t something that should be done, we’ll see more people taking an interest in it,” he said.

After all, “if we don’t look after our own security, no one else is going to do it,” Stone concluded. “The President recently announced some changes to the phone snooping that’s being done by the NSA, but I can’t bring myself to believe that the NSA is going to follow the rules just because the President says so. We NEED products like Blackphone to make sure that the government is holding up their end of the bargain.”

Similarly, “fantastic idea,” said consultant and Slashdot blogger Gerhard Mack. “Anything that provides more privacy in this world can only be a good thing.”

‘I Still Have Lots of Questions’

Google+ blogger Kevin O’Brien was also enthusiastic.

“If anyone can do it, Zimmermann is the one,” O’Brien said, “but I would also urge a measure of caution until the product has been carefully examined by other security pros, because this stuff is tricky.”

Information on the project site is less than complete, he pointed out.

For example, “if they need to produce a device to do this, does that mean it only works securely with others using the same device?” he mused. “If not, why wouldn’t they just produce the software suite?”

In short, “I still have lots of questions” O’Brien concluded.

A Heavy-Hitting Team

“There are no light-hitters on the list of founders,” agreed Chris Travers, a bloggerwho works on the LedgerSMBproject. “If there is a team that can pull this off, it is them.”

Nonetheless, “this is a niche product, at least in the U.S. — it may do better over here in Asia, actually,” he suggested. In the U.S., “most phones are sold with contracts, and telcos want phones to be locked to them if possible. Given the relationships between the telcos and the NSA, I don’t expect ever to see one of these sold subsidized by a two-year contract.”

In places where that’s the way phones are sold, “it is not likely to be more than a tool of the particularly wealthy with significant disposable income, or those who really prioritize this sort of thing,” Travers opined.

On the other hand, “over here in Asia, things are different,” he added. “Phones are never sold with contracts. You buy the phone. You buy the services separately. When you add to this the general distrust of governments and more, it may well find a significant market.”

‘By No Means a Magic Bullet’

Other Linux bloggers were also tempered in their enthusiasm.

“It is a good initiative to keep our privacy from the NSA or anyone that wants to pry into our private things,” said Google+ blogger Rodolfo Saenz, for example. “However, remember: There is no perfect defense — when it comes to cryptography, there’s always someone that cracks the code…”

Similarly, “I think that the Blackphone could be a useful tool for some people, but it is by no means a magic bullet,” Google+ blogger Brett Legree agreed. “Information security begins — and ends — with people and the processes they use.”

People who are “already ‘in the know’ could use Android phones with custom firmware and selected applications (e.g. RedPhone and TextSecure from Open WhisperSystems, GnuPG and a supported email client like K-9/Kaiten, and so on) in concert with robust processes to keep their sensitive data protected,” he pointed out.

Need-to-Know Sharing

“Anyone can be compromised, given enough time — organizations like the NSA have almost limitless resources — so to mitigate this, information should only be shared on a ‘need-to-know’ basis,” Legree suggested.

“That is what is done in my industry (nuclear) — if someone doesn’t need to know it, don’t tell them,” he continued.

“Don’t send certain things via email or text, even if encrypted, because the receiver could be compromised and forced to decrypt it, or may share it intentionally or accidentally,” Legree said. “Certain information is not permitted on networked computers (i.e., use an air gap), and even more sensitive material may only be stored in non-digital formats in secured vaults with multiple access controls.”

In short, “if you are the sort of person who requires a Blackphone, I expect that you already have systems in place to provide most if not all of the functionality that it would provide,” he concluded.

‘A Nice Way to Get a Honeypot Going’

Slashdot blogger hairyfeet saw even more potential problems:

1. “It has to go through the network, and with them having access to the backbone, they WILL know who you called and when,” he pointed out.

2. “Hope this guy never goes to the U.S.A.”

3. “How do we know he isn’t compromised, or a member of his team, as it sounds like a nice way to get a honeypot going?” hairyfeet mused. “After finding out how the RSA was bribed by NSA, frankly ALL of the current crypto standards should be suspect.”

Bottom line: “If there is one thing we should have learned from Snowden, it’s that we really are gonna have to start from scratch, as everything that came before is suspect and therefore might as well be considered tainted and worthless,” hairyfeet said.

“It’ll take years to write new ‘NSA-Free’ crypto from the ground up — heck, even Linux has had NSA influence in the form of SELinux — so nobody is 100 percent ‘pure’ anymore,” he concluded.

‘The Time Has Come’

Last but not least, “against the unlimited and hidden budget of the NSA, nothing is guaranteed secure,” blogger Robert Pogson conceded. “The best we can do is to constantly change methods to secure data and communications. That will maximize the cost of running the NSA and may give temporary windows of Freedom.”

Much stronger steps need to be taken, however, “like killing the U.S.A.’s satellites and cutting the U.S. off from the Internet and other global communication systems,” Pogson told Linux Girl.

“The U.S. is fond of declaring various countries with whom they disagree as ‘terrorists,'” he pointed out. “The time has come when the world should declare the U.S.A. cyber-terrorists. As the U.S. constantly tells us of other countries, only strong sanctions will persuade them to change their ways and discourage copycats.”