
Ok, so from a conspiracy perspective:

Let's say there was a good reason for the canary not being updated.

If the FBI or whichever law enforcement agency was involved in the process noticed that updates were missing (or saw it because it was pointed out on a well-trafficked website),

Could the law enforcement agency then compel the employees to post a note that it was just a mistake and it will be rectified soon? And then have them update it?

Since not updating it when asked would equal disclosing that the event had taken place, which under certain laws might be illegal?

This hurts my head.



Or, since Silent Circle partakes of extremely misleading marketing and claims you can make encrypted calls all over the world, LE can just go tap the VoIP providers they use. Legally, or, since almost all VoIP is unencrypted, just by tapping Ethernet. Seriously, go read the press release for the BlackPhone and tell me you'd trust their CEO at all. Even Mr Zimmermann admits the entire business relies on LE not coming into their office with guns.


What? Where is this claimed? As far as I know, all claims are that OCA calls are encrypted to the server.

It sounds like you're confusing the PSTN calling offering with the Silent Phone service itself, which is encrypted peer to peer.


http://www.prnewswire.com/news-releases/silent-circle-expand...

"enables Silent Circle members to make and receive encrypted, private voice calls through the company's Silent Phone service to non-Silent Circle subscribers in 79 total countries"

The PR goes on and on about how "disruptive" this is, even though it's much more expensive than Skype, and about as secure.

It's highly misleading. The PR obviously wants people to buy this product for security and encryption, but it can't deliver. It's about as good as using SIP+TLS/SRTP, Skype, or a VPN. Yet given the high cost (12 cents a minute) plus the marketing, it makes users believe they're getting actual encrypted calls. You guys should clearly state in the marketing and in-app that the call gets a first hop encrypted, then dumped unencrypted out to the Internet/PSTN (which nowadays are rather intermingled, sometimes when least expected).

Other stuff like "100% dedicated network – no sharing or leasing" sounds like it's probably untrue, or uses a special value of 100%. Either way, such statements should be backed with clarification.

Finally, there was a PR with Mike Janke, linked here on HN about a year ago. I can't seem to find it now, but he says a bunch of misleading/false things while writing off competition and makes SC come off rather slimy. Y'all shouldn't let him talk for the company as it makes the engineers look bad. (Not to mention the whole thing about Blackphone - a closed-source fork of Android with a few 3rd party apps, no mention of the baseband processor issue, yet billed as some amazing breakthrough and its own OS.)

SC should lower the hype and be transparent about things. Overall, I get the distinct impression it's a marketing joint bankrolled by a non-technical founder, who hired some good names and provided a commercial vehicle for zRTP. Which by itself is fine, but the execution feels more marketing than technical.

PS, if you're using FreeSwitch, then I gotta ask: where are all the CVEs? Are you fixing them privately, publicly without announcement, or are you using FS without a security audit? (The only reason I mention this is SC often seems a major sponsor of ClueCon.) If not FS, what is your VoIP platform, and in what language is it written?


Yes, they could. A federal judge can compel people to do many, many things.


I would be worried about that long after I'd be worried about people simply striking a deal in some trumped-up criminal lawsuit after being suitably intimidated.



