Tags

, , ,

I have noticed that liberals dominate the discussion about electronic privacy online and in conferences. The value and importance of encryption and privacy should be presented to both sides of the deeply divided political spectrum in America.  There is no one presenting a conservative argument for online privacy.  On this blog, we discuss privacy and security from a conservative view point in our series called the Patriot Darknet. A reminder using online encryption does not make you “invisible.” It is more like wearing camouflage or whispering online.

I decided to move back to Apple iPhone after my work with the Google based Blackphone 2. I feel that Google is more in bed with the “powers that be” and its Android operating system is designed to extract and maintain more data from you  than the iPhone.  Google also appears to have a caviler attitude when it comes to privacy.  When asked during an interview for CNBC’s  “Inside the Mind of Google” about whether users should be sharing information with Google as if it were a “trusted friend,” Schmidt the CEO of Google responded, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Schmidt also said “We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”

It is one thing for a private company to have this much data, that is just creepy, but Google regularly shares and sells this data to the US and other governments that have regulatory and law enforcement powers. That is very dangerous.  This can be lethal when you think of some countries that are cracking down on dissidents.  The Lord only knows what America is in for in the future. Thus I avoid Google based solutions and moved from the Android based Blackphone to the iPhone. This is my review of Wire using iPhone. I guess I should share some of the criteria we use for judging the privacy and anonymity products.

1. Cannot be based in the United States
2. Encrypted so the provider can’t read it
3. Must have transient message traffic
4. Must be peer reviewed by known entities
5. Can’t be owned by SJW
6. Cannot use Google code base

Patriot Act and privacy. The USA use to be “land of the free.” Post-modern dominated, post-Christian USA is not. If you base a company in the dis-United States, you are legally subject to the immoral and unchristian so-called Patriot Act and forced to respond to things like National Security Letters (NSL).  The Republican Party one of the main drivers of online snooping is now finding out about the immoral power mass surveillance gives the so-call “deep state.”  Private communications are being selectively leaked to destroy the careers of certain people.  We have warned of this for many, many years.   As long as the so-called Patriot Act or similar laws exist in the US, privacy and anonymity technology companies should base themselves and host their data outside of the United States. Wire Swiss GmbH (CH) is based in Switzerland a nation that has some of the strongest privacy laws in the world.  It is a nation a lot of our crony-capitalistic “betters”  do a lot of their banking in because of its strong privacy laws.  Switzerland has a long, proud history of neutrality from great powers.  Signal is based here in the United States.

You should also be concerned about the physical protection of the company servers.  When encryption privacy solutions are based outside of the US the US government has indicated it feels free to hack them with its intelligence services which are the best in the world.  When I asked Wire about its physical security they responded “It’s not something I can comment on other than saying that we follow the industry best practices with strict limit on people with access to critical server components.” This is another reason that we want transit data that is protected with end-to-end encryption.  The data simply does not exist on the company’s equipment.

e2e. A legal concept that has a great impact on online security in the US is that the Constitutional protections do not apply to data held by “third parties” i.e. your phone company or your security application you are using. This has been confirmed by SCOTUS.  Thus if your local anti-constitutional sheriff sends AT&T a National Security Letter (NSL) asking for data generated by your phone they will provide it. Actually, they must give it to him. No warrant, no judge, no protection. Leave your electronic devices at home when doing liberty operations. Please note if they want to hack your physical phone to get the same data, they need a warrant. Thus a major issue with privacy is how the data is encrypted so the provider can’t be forced to hand it over.

Previously when we looked at Wire, we did not think to recommend it to patriots.  One reason is that Wire did not have end-to-end encryption (e2e).  e2e keeps the Wire company itself from reading your messages. From its launch on 03DEC2014 until MAR2016, Wire’s messages were only encrypted between the client and the company’s server. If you hacked the company’s servers, all of your conversations would be exposed. This also allows the company to capture all messages if it wanted or was being forced too. In MAR2016, Wire added end-to-end encryption. Now all 1:1 and group calls and messages on Wire are end-to-end encrypted using SRTP with DTLS. This means your unencrypted messages are stored only on your device, not on Wire’s servers. End-to-End encryption with man in the middle attack detection should be “basic” or threshold requirement for privacy focused applications in the 21st century.

Another feature of Wire is that the applications support “self-deleting” or transient messages. You can set them to auto-delete after a certain time. You can set this by message or by person and change it at any time. From an organization’s perspective, this is a major benefit. You do not record your voice calls, why record all your written communications? There may be regulatory or legal reasons to record some of your written communications, but every stray thought an employee has had is permanently kept?  This is a major liability for an organization. Having the option for a transient nature to written communications is a very nice feature.

IMO one potential weakness of the design of Wire is that it keeps a list of who you communicated with on its servers. Not the message content, but the Contact List you have built. Thus it will have a list of all of the people in your Wire contact list. It does this so when you sign in on different devices like your PC or iPhone you don’t have to try and build your contact list again. However, it is important to know that this data of who is in your Wire contact list is kept on their servers and is potentially something the “powers that be” can take or legally demand.

Security audit. Wire has finally gone through external security audit. Wire published the results of an external audit of its crypto protocol and their implementation by two security researchers Jean-Philippe Aumasson from Kudelsky Security and Markus Vervier from X41 D-sec. The external review and some probing by freelance hackers specifically Membe in 27JAN2017 did find some weakness in Wire.  Wire fixed the “certificate pinning issue” that Membe found. Also, I reached out to the Wire team and they have confirmed that they addressed the weaknesses that the audit found by the time the audit was published on FEB2017. The external security auditors reported “The components reviewed were found to have a high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs. Issues were nonetheless found, with some of them potentially leading to a degraded security level. None of the issues found is critical regarding security.” We encourage Wire to support regular security audits of its solution.  We encourage freelance hackers to continue to probe.

SJW attacking free speech. Facebook WhatsApp is owned by globalist, anti-Christian Mark Zuckerberg who is toying with the idea of running as a liberal Democratic candidate for president. Thus he appears to oppose the goals of half of our nation. I believe you should never expect a company led by an anti-nationalistic, anti-Christian person to protect nationalistic, traditional Christian or conservative voices. This goes for Google including YouTube and Microsoft in large part. Wire Swiss GmbH was founded in fall 2012 by Jonathan Christensen, Alan Duric (CTO) of Denmark and Priidu Zilmer (head of design), who previously worked at Skype and Microsoft.

I can find very little about the politics of these men.  When I brought up the subject with Wire they responded “Our focus has always been to offer a private, secure place for people (and businesses) to talk, discuss and share without being a subject to surveillance capitalism and without the fear of their communications being easily accessible by hackers.  Lately its become almost impossible to stay apolitical with the developments in the US, UK’s anti-encryption stance and steps taken by the Russian, Turkish governments (and governments of many other countries) to curb open discussion and access to information.”

I have found interviews where Alan Duric talks about one of the main reasons he supports privacy.  I have included one of those above.   I also found one written article where Alan Duric responds to the globalist minded British Home Secretary Amber Rudd as she demands private companies weaken privacy for all citizens by giving governments the ability to ease drop on any conversation.  Secretary Rudd, I got an idea.  Change your immigration policies and leave our private conversations alone.  While  Alan Duric doesn’t sound like Eric Schmidt we do not know yet if Wire is as committed to security as saying Silent Circle or Lavabit.

Google. Something that greatly weakened Blackphone and Signal in our eyes is it has gotten into bed with Google. A nice thing about Wire is it does not depend upon Google at all to the best of my knowledge. Google is simply not trust worthy when it comes to protecting anyone’s privacy. They harvest as much data about you as they can, and they freely admit they give it to governments when asked.  Security developers should understand that reasonable people can have heightened concern about Google developed solutions.

Warrant canary. Another thing good security service companies can provide us a warrant canary.  What a warrant canary does is regularly (Silent Circle publishes weekly) publish a report saying that it “has not” received any warrants. If it does receive some form of request for user data, the company simply does not publish the warrant canary that week. As of yet, US law cannot compel speech, especially speech that is untrue. Wire’s take on the warrant canary is a bit different, most likely because it is based in Switzerland. Wire publishes an annual report on how many legal requests for user data it has received from “authorities.” As of this writing, it has received zero.

There are many abilities that Wire has that are very neat, but not strictly privacy focused.  Things like the ability to send voice messages, ability to draw free style pictures and use emojis which is very addictive.  What are some of the things I would like to add to Wire?  I would like the ability to set my own “display” name for people.  So many of my contacts use pseudonyms I need to remember who is who.  Same with contact photos. I believe there should be an option to set a separate password to protect the Wire application and keep Wire and the messages it in an encrypted state.  There should be an easier method to delete all passed messages with another contact.  When it asks to have access to your contact list during the setup process, what is being done with that data, and is it stored in any way?  An ability to purge the server side data.  Wire should publish its Warrant Canary at least monthly.  Wire should develop a solution to bypass State-level censors who will attempt to block their application as it gains popularity.  And what is up with Anna?  She is no Siri, that is for sure.

There are many other privacy attributes that we track that Wire does very well with.  Ability to give your username to others but not your phone number.  Signal demands you share your cell phone number with the other person.  A desktop application for use for people without cell phones.  Signal demands you have a cell phone.  The ability to verify contacts identity and provide a well defined security design document.  Wire provides all of these abilities.

Wire by all appearances is a good solid, secure application.   I strongly recommend you have the ability to communicate between your team with the best encrypted application solutions available. Wire should be considered for that solution.