First off I have no standing here, and I am nobody. I am a customer of Silent Circle though. (or so I claim)<p>I am sure that StavrosK is well known by the community and it is my fault that I don't know his connection with SilentCircle. His profile points to stavros at stochastic dot io.<p>But more importantly HackerNews is not a very secure platform.<p>We have no real way of knowing StavrosK is StavrosK, or if ThinkBeat is the same ThinkBeat as last week. Using Hackernews or any social media as a platform to "override" a warrant canary is ill advised. In fact I think it makes matters worse.<p>Properly signed messages through the announced channel is the way to go.
Ok, so from a conspiracy perspective:<p>Let's say there was a good reason for the canary not being updated.<p>If the FBI or whichever law enforcement agency was involved in the process noticed that updates were missing, (or saw it because it was pointed out on a well trafficked website)<p>Could the law enforcement agency then compel the employees to post a note that it was just a mistake and it will be rectified soon? And then have them update it?<p>Since not updating it when asked would equal disclosing that the event had taken place, which under certain laws might be illegal?<p>This hurts my head.
Is a warrant canary even legal? If it isn't, what's the point of having them?<p>From <a href="http://en.wikipedia.org/wiki/Warrant_canary" rel="nofollow">http://en.wikipedia.org/wiki/Warrant_canary</a><p><i>The US security researcher Moxie Marlinspike states that "every lawyer we've spoken to has confirmed that [a warrant canary] would not work" for the TextSecure server.</i><p>Direct link: <a href="https://github.com/WhisperSystems/whispersystems.org/issues/34#issuecomment-49910725" rel="nofollow">https://github.com/WhisperSystems/whispersystems.org/issues/...</a>
Reading this canary has me worried, it doesn't actually say that "no warrants have been served, nor have any searches or seizures taken place", it only says that a declaration stating that will be provided.<p>Compare this to rsync's (<a href="http://www.rsync.net/resources/notices/canary.txt" rel="nofollow">http://www.rsync.net/resources/notices/canary.txt</a>), which this seems to have been based off of. It explicitly states "No warrants have ever been served to rsync.net, or rsync.net principals or employees. No searches or seizures of any kind have ever been performed on rsync.net assets, including:..."
Maybe they were indeed slapped with an NSL. What a nice Christmas present, huh!?<p>If they failed their own canary - how could you believe them in terms of their warrant canary setup ever again? Not so much at all, I'd say.
So it looks now, that the canary got updated. No other information given, at least not within the canary itself.<p><a href="https://canary.silentcircle.com/" rel="nofollow">https://canary.silentcircle.com/</a>
Does the US Patriot Act even apply to them anymore? They moved to Switzerland this year. Still, they should probably look into doing the same kind of thing for Swiss laws.<p><a href="https://blog.silentcircle.com/our-move-to-switzerland/" rel="nofollow">https://blog.silentcircle.com/our-move-to-switzerland/</a><p>If the warrant canary is out of date, though, I wonder if they moved to Switzerland <i>because</i> the US government tried to get to them, and it wasn't just a forward-thinking action.
The purpose of the canary is to provide the issuer with a way of saying "I am no longer trustworthy". Since the canary has not been updated, nothing that can be said in favor of Silent Circle should be trusted. When the canary is again updated, it will be Silent Circle saying "I can be trusted again" (subject to the limitations about coercion as described in the canary message).<p>For now, do not trust that Silent Circle has not been compromised despite anything you may read in this thread. When the canary is updated, then you may return to the state that you had before: you can speculate that they are being coerced into lying about the canary, or that they are trustworthy. That choice is and has always been yours to make.
I hadn't heard of Silent Circle before so I looked at their offerings. Is it any different than what you get from TextSecure and RedPhone for free?
It seems to me that a warrant canary being updated after public notice is the <i>most</i> definitive proof we have that Silent Circle hasn't been served with an NSL.<p>If the NSL had the ability to force an update, the canary would have been updated before anyone noticed it was a problem. If the NSL didn't have the ability to force an update, the canary would still remain un-updated.
That canary sits in direct reach of a LE (Law enforcement) of the US.<p>$> whois 199.217.106.243<p><a href="http://myip.ms/view/ip_addresses/3352914432/199.217.106.0_199.217.106.255" rel="nofollow">http://myip.ms/view/ip_addresses/3352914432/199.217.106.0_19...</a><p>Edit: Typo law enforcement.
As long as it's a false alarm, we'll demote this story.<p>Edit: Ok, we restored it with a question mark. That's a more balanced way to handle these; I just forgot about it.<p>Edit 2: Now that I think about it, there's no need for a question mark on a factual statement. Sorry—I'm a little distracted right now! (We can change "is" to "was" if they update it, but someone will have to let us know.)<p>I'm going to detach this subthread now so it can go to the bottom as off-topic.