Zimmermann, Encrypted VoIP, and Uncle Sam
An anonymous reader noted that Philip Zimmermann and his VoIP encryption software are the subject of a NY Times article today. The article touches on the FCC, privacy, and related issues. Given all the suspicious behavior of the Bush Administration relating to wiretaps and phone records, this sort of thing is all the more important to be very aware of.
Cryptome (Score:2, Informative)
http://cryptome.org/zfone-agree.htm [cryptome.org]
Re:Cryptome (Score:5, Informative)
Re:Cryptome (Score:3, Insightful)
Re:Cryptome (Score:5, Insightful)
For better or worse, people interested in this type of technology also have a vested interest in anonymity.
Re:Cryptome (Score:5, Informative)
Interesting... how does that work? (Score:3, Interesting)
How do you go about that? Suppose I were to set up a small business reselling GPG or something similar. Does the government simply hand me a copy of the watch list and let me do the checking myself? Or must I pass along the names of all my customers to them for
They give you the list (Score:4, Informative)
http://www.treas.gov/offices/enforcement/ofac/sdn
Of course some of the entries are obviously from gathered intelligence. I recall having to block anyone called "The Chess Player" from signing up. Unfortunately most websites don't gather date of birth, and when you do name-only matching you catch a lot of innocent people - who are usually mightily pissed off about having to call EVERY SINGLE SITE that they try to sign up for.
The other big caveat is what you're supposed to do when you find a match - it's virtually impossible to stop them just changing their details and signing up again.
Re:They give you the list (Score:3, Insightful)
Re:Cryptome (Score:3, Informative)
http://www.philzimmermann.com/EN/zfone/index-regi
So why do you require registration?
Re:Misplaced paranoia (Score:4, Insightful)
From TFL:
You're going to a lot of trouble for just about no gain at all. This system cannot, and probably does not, in any substantive way impede anyone from a blacklisted nation from downloading the software. It only alienates people who are casually interested, i.e. your main user base.
I can understand your situation. You're in a country where it is effectively illegal to publish online any piece of software that contains even the most basic of encryption algorithms. The situation is of course ludicrous, as such algorithms have long been in the public domain, at least as far as knowledge is concerned.
The purpose of the law of course, is not to prevent the export of encryption to foreign countries. They already have these algorithms. Nor is it to prevent access to the terrorist bogeyman. They either don't use it, or can easily get access to encryption.
No. The purpose of the law is to hang the sword of Damocles over the head of anyone who wants to bring safe and secure communication to the masses. The government doesn't want the masses to encrypt their traffic, and they use this law to impede the distribution of your software and others like it.
I think you need to give up the ghost here. If your government wants to shut you down, they will; regardless of how much you try to comply with export restrictions, it will never be good enough. I think you need to stop playing by rules where you can't possibly win and simply go all out in an effort to get as many people using Zfone as possible. All out. Unrestricted downloads, ease of use, ad campaign, browser plugins, whatever. Just do anything to get as many people using encrypted VOIP as you possibly can, because until then, your software will remain on the fringe where it's easier to shut down.
If everyone and the Senator's daughter is using secure VOIP, it's only then that people will realise they have something to lose, and you'll have a better defense. Before that everyone who uses SVOIP is "aiding terrorism", not protecting people's privacy. Until Aunt Tillie is using your software, this angle can and will be played. You should do everything to get her onside ASAP.
Re:Cryptome (Score:3, Interesting)
Re:Cryptome (Score:2, Funny)
Brave New World (Score:4, Insightful)
From another NYTimes article, Bush Aide Defends Eavesdropping on Phone Calls [nytimes.com] (emphasis mine):
So why exactly is the government getting their knickers in a twist over Zfone? After all, the program is just intended to compile a database of call information, not actually listen to the content of the conversations. Doing that, as the administration has repeatedly told us, would require a court order.
So if you have a person you suspect from the numbers he's connected with, and you do obtain that court order, and it turns out he's using Zfone, there are other ways of getting the content of that conversation (hint: it has to be unencrypted at some point, so the 'terrorists' can understand each other). Arduous, sure, but since this will be done on only a select few, it's not that much of a hardship.
No, the reason the government doesn't like Zfone is because they want to perform blanket surveillance on all American citizens; to listen to all our calls, all the time. By utilizing speech-recognition software and an ever-growing list of suspect words and phrases, they will be able to keep tabs on the unruly U.S. population, weeding out terrorists, political dissidents, environmentalists, Democrats, and other 'undesirables'.
Re:Brave New World (Score:3, Insightful)
Because someday the FBI (or whoever) may find it harder to listen in on these encrypted conversations in cases where they have a court order to do so.
Re:Brave New World (Score:3, Insightful)
As I said in my previous post, there are other ways of getting the content of a conversation. Since the content must be decrypted at either end, listening devices positioned at either endpoint are easily capable of intercepting the communication, encrypted or not.
As I said, this is arduous...much harder than just listening to a line, but eavesdropping on American conversations shouldn't be easy. If the FBI (or whoever) is serious enough about capturing the content of a particular communication to obtain a
Re:Brave New World (Score:2, Insightful)
Maybe, maybe not... but then, there are times when time is of the essence, and even the time taken to decrypt something the hard way in a timely manner is of utmost importance if there are potential lives at stake. The world's first electronic computer, Colossus, was built to decrypt German encryption during WW2, and was specifically built to be as fast and efficient as p
Freedom is not safe or pretty. (Score:3, Insightful)
That's nice. But being at war with a country is different than spying on your own citizens.
There may be.
The problem is, far Far FAR FAR more often i
Re:Freedom is not safe or pretty. (Score:3, Insightful)
I'm very sure that both the UK and the United States during WW2 were very busy searching for saboteurs and pro-nazi sympathizers within their respective citizenry, and used quite an array of wiretapping and other techniques to do so.
"The problem is, far Far FAR FAR more often it is not."
Agreed, but it is still there. Another semi-related factor is that encrypted conversations are more likely to attract attenti
Re:Brave New World (Score:3, Insightful)
Maybe, maybe not... but then, there are times when time is of the essence, and even the time taken to decrypt something the hard way in a timely manner is of utmost importance if there are potential lives at stake.
I'm sorry, but that argument just doesn't hold water. Your statement is analogous to saying that clothing must be outlawed, since clothing can conceivably be used to conceal weapons. Frisking certain suspect individuals simply isn't good enough, since locating the weapons in a timely manner is
Re:Brave New World (Score:2)
The Atanasoff-Berry computer was built 5 years before Colossus and was unrelated to decryption.
It's true that if we gave up our freedoms a police state could catch criminals easily. That's the problem with a police state.
Re:Brave New World (Score:2, Interesting)
Jesus...H... Christ... That's why they have supercomputers......... any commercial grade encryption/decryption program has to have a key short enough to enable real time encryption/decryption using normal computer chips... any key short enough for fast encryption/decryption of things like telephone conversations has to be easily brute forceable. The algorithm
Cryptographical illiteracy (Score:3, Informative)
Re:Brave New World (Score:2)
While I am not any way in favor of government restrictions on encryption, I think this statement is patently false.
A common PC can do real-time encryption/decryption of a telephone-quality digital audio stream with significant key le
Re:Brave New World (Score:4, Informative)
So if you run it 3 times for triple des, that's approx 6000 instructions for every 8 bytes, or about 750 instruction cycles per byte. At 8000 bytes/sec for voice quality audio, my fast DES code would only need 6 MIPS on an 8 bit microcontroller. A slower version in C is readily available for free, which runs about 5X slower than my hand optimized assembly, requiring 30 MIPS.
Certainly strong encryption is feasible in real time for voice audio, even on very inexpensive 8-bit chips.
MOD PARENT UP (Score:4, Insightful)
Re:Brave New World (Score:5, Insightful)
From an old .sig quote:
Considering that most of the parents of new postdoctorate-level mathematicians probably live overseas nowadays (and whose conversations are therefore legal to record), maybe the old .sig quote was always more true than funny.
Re:Brave New World (Score:2)
The Narus software that Klein blew the whistle on (the stuff with AT&T), can decode nearly every well-used VOIP codec out there. I suspect that it was being used, heavily. I would imagine that the NSA has calls using VOIP software from lots of IP addresses they were looking at.
The irony is that with the old-fashioned circuit-switched network with channelized circuits, it would be a massive engineering effort to tap and do voice recognition on every call. It would be nearly impossible given the way
Evil Republicans!! (Score:5, Insightful)
> By utilizing speech-recognition software and an ever growing list of suspect words and phrases,
> they will be able to keep tabs on the unruly U.S. population, weeding out terrorists,
> political dissidents, environmentalists, Democrats, and other 'undesirables'.
Those evil Republicans! Except, wait... wasn't it the Clinton Administration that launched a 3-year criminal investigation of Phil Zimmermann in 1993?
And wasn't that the same President who championed the Clipper chip, so the government would have the keys it needed to decrypt your phone calls?
Re:Evil Republicans!! (Score:3, Funny)
*sigh*
As I explained earlier, my inclusion of Democrats, along with environmentalists, was the use of hyperbole to make a point.
Apparently, I'm going to have to slow-pitch these in the future...perhaps if I included members of PETA, Linux enthusiasts, and musicians in my list, it would have been clearer.
This is why libertarians... (Score:4, Informative)
The lines between the Dems and the Reps here in the US have blurred to the point that distinction is negligible.
Re:Brave New World (Score:2)
You answered your own question. Even if you obtain a court order, you would not be able to listen in on a Zfone call since the encryption is done using the peer to peer model.
Re:Brave New World (Score:4, Insightful)
You can oppose anything by invoking the worst possible scenario consequences.
Worst-case scenario, huh? [abcnews.com]
Your 'worst-case scenarios' are happening.
Right now.
Get your head out of the sand.
Re:Brave New World (Score:3, Insightful)
Re:Brave New World (Score:2)
I was using hyperbole [wikipedia.org] to make a point. Pity you failed to realize that (I had thought the inclusion of 'environmentalists' and 'Democrats' would have made it obvious).
Re:Brave New World (Score:2)
Too late, you're already in it.
It's awfully convenient to just say "oh, they're all clowns, what's the use?" and tune out, isn't it? It just absolves you of any responsibility and you get to complain about how "those damn dirty politicians" keep screwing you. Sure, you did nothing to oppose their election, and sure, you actually got up on your high horse about how it's your right as an American to just sit back and drift with the flo
Re:Brave New World (Score:2)
Re:Haha (Score:3, Insightful)
Depends on the law. A substantial fraction of the recent ones are, in fact, pretty terrifying.
The laws and privacy concerns (Score:5, Interesting)
If all your telephone calls, emails, etc. are encrypted by you and the other intended party or parties involved, there simply is nothing the government can do about it. With probable cause, they can 'try' to compel you to divulge the encryption key, but then you don't have to testify against yourself in the U.S.
Neither can the government, church, or any other person(s) compel you to divulge your thoughts, or secrets.
It's time for the encryption phones to start appearing on the market.
This little problem will quickly spiral out of control until those that want to snoop on others have more work to do than they ever imagined. The basic problem here is that the people they say they want to spy on are not using the communication systems the same way as everyone else, and their communications are encrypted, or hidden in ways the government cannot prevent, nor detect with the laws and practices that they wish to install.
Wiretapping on the scales being talked about recently is stupid, prohibitively stupid, and will be nearly 100% ineffectual.
They can't find Bin Laden with all the military might, but somehow they are going to catch him making a phone call? uh, yeah right.... of course, it's the little people that lead to the big ones, but they have been spying on the little ones all along... still haven't caught him.
Re:The laws and privacy concerns (Score:3, Informative)
That is exactly what my company is offering: IAX2/SIP (Asterisk) over VPN (FreeS/WAN, OpenVPN). It's getting easier to convince businesses to use encrypted communication channels nowadays.
US doesn't really want to find Bin Laden... (Score:2, Insightful)
I contend that they can find Bin Laden, but don't really want to. The minute he's captured, any (remaining) support for continuing the "War On Terror" goes right out the window. As long as he's out there, the administration can yell "9/11" to justify anything they want and the sheeple will buy it.
Flame me if you want, but the Bush Administration is EVIL. I'm not saying that Bush himself is evil (he's not that smart), but his policies and cronies
Re:The laws and privacy concerns (Score:2, Interesting)
I am not a lawyer (just a law student) but I am fairly certain that the government could compel you to divulge your encryption key as it would not be testimonial evidence (something akin to why you can be forced to give up your fingerprints, etc)
Re:The laws and privacy concerns (Score:3, Informative)
Know how it works... (Score:5, Informative)
Look for his techniques for peer to peer key setup, which again is very clever and well thought out, to be used in a variety of new ways. I expect you will see a bit-t client soon that can also generate this one time session key between peers. It will be much more computationally intense than what you see bit-t clients like Azureus do to the CPU now, but no more than using S/FTP. Well, maybe more, because of the number of keys being set up and destroyed and the memory allocation needed in a swarm situation. But for peer to peer calls, it's strong and I expect that Phil, who was nearly bankrupted by Uncle Sam trying to defend himself, will again be in the NSA crosshairs. The guy is just a warrior, what can you say? Guys like him and Klein who blew the whistle on AT&T are the ones fighting for privacy and against a police state. And they will not be treated kindly by this administration.
Re:Know how it works... (Score:3, Informative)
http://philzimmermann.com/EN/zfone/index-faq.html [philzimmermann.com]
Also OTR Messaging (Score:3, Informative)
In my opinion, it's a much better system than some of the other IM encryption setups, which give you authentication but not any forward secrecy or deniability. Basically it forces you to authenticate the other party via a side-channel, rather than using a trust framewor
Re:Know how it works... (Score:3, Informative)
Tapping and recording the bit stream is not a case of Man-in-the-middle attack [wikipedia.org]. This is just simple Eavesdropping [wikipedia.org]. The Diffie-Hellman key exchange [wikipedia.org] is in fact vulnerable [wikipedia.org] to a Man-in-the-middle attack. To address this, what is needed is some form of authentication, such as Public-key cryptography [wikipedia.org] or Password-authenticated key agreement [wikipedia.org].
I think Phil Zimmermann [philzimmermann.com] is smart enough about cryptography to know this. So hopefully, authentication will also be a part of this. The focus of Zfone [philzimmermann.com], however, is the fac
Re:Know how it works... (Score:2)
I would call this somewhat less clever than TLS.
Re:Reducing probability for key guessing? (Score:2)
silly NYT (Score:2)
Anyone spare a Times link w/o login?
Re:silly NYT (Score:2)
Just don't leave the country again Zimm (Score:3, Interesting)
PGP Story:
MPG 1.1G [uiuc.edu]
WMV 378M [uiuc.edu]
A band-aid over a Sucking Wound (Score:4, Interesting)
1. You are sending packets to and from specific IP addresses.
2. Grabbing copies of those packets.
3. Putting super-computers to work on them.
4. Discover you are ordering pizza over SIP. (whatever, it's funny)
The concept of "Privacy" was dead a long time ago. I *still* don't understand the outrage when most of your activity is available through many data brokers. What's not there, is available with little procedural check or balance.
Where it is very valuable is company to company communication, where your competitors may not have the expertise to get the info.
But, then there's the encryption problem anyone has that uses it. It's stupefyingly easy to build a case on suspicion. Trying someone in the court of public opinion is easy and swift. "He uses encryption so he must be hiding something.." is all it takes to end a career, destroy your social status.
Cryptographer==criminal. Film at 11.
If one can codify it's everyday use, I think it's a big step forward.
Re:A band-aid over a Sucking Wound (Score:2)
The concept of "Privacy" was dead a long time ago.
Then I guess you won't mind when I publish video taken from inside your house of you screwing your wife or girlfriend.
I *still* don't understand the outrage when most of your activity is available through many data brokers.
Maybe it has something to do with the increase in identity theft, inaccurate records, and increasing reliance on those records for everything from employment to being allowed to get on an airplane.
"He uses encryption so he must be h
Re:A band-aid over a Sucking Wound (Score:2)
No, the concept is alive and well. You just don't get much of it anymore because we don't have many laws to preserve it.
Re:A band-aid over a Sucking Wound (Score:3, Insightful)
You should study crypto before posting.
Re:A band-aid over a Sucking Wound (Score:3, Interesting)
My father was once arrested for "obstructing justice":
A police officer pulled him over and performed a safety check on his car (Dad thought he had a burned out tail-light or something -- usually a "get it fixed in 48 hours warning" offence). This took about half an hour.
Finally, Dad asked the cop if he was free to go.
"No, you committed a very serious offence!"
???
"You were not wearing your seatb
Terrorists! (Score:5, Insightful)
Offtopic: on the subject of Bush criticism: (Score:5, Insightful)
Re:Offtopic: on the subject of Bush criticism: (Score:5, Interesting)
Good luck. One such politician (before he died in a plane crash) was Paul Wellstone. A little too far left for my tastes, but a nice guy from my conversations with him.
He went in all fire and zeal, and was basically told by the party leadership to STFU and play ball or he will get NO SUPPORT on ANYTHING - including basic normal federal funding for highway projects and such.
The system is broken - I don't care WHO you elect.
Comment removed (Score:5, Insightful)
Example of why you're right (Score:4, Informative)
What can we do? (Score:5, Insightful)
Not one of Sen. McCarthy's victims was actually thrown in a gulag. Think about that. They weren't fired by the government. They were fired by PHBs who acted in blind sympathy with loudmouthed bureaucrats. There would have been no McCarthyism if the public had not been willing to punish itself for unpopular thought and/or speech.
We need a society in which there's no difference between what's illegal and what harms others, and holds all other things not only legal, but acceptable. Once we have that society, people who have done nothing to harm others really will have little to fear. But there's one more thing: If we're going to use public safety as an excuse for universal surveillance, we have to give the power of surveillance to everyone, not just government.
Privacy advocates might cringe at that last statement, but consider this: People are getting more wired, surveillance is getting easier and cheaper, and that trend may never reverse. There may be nothing we can do to stop privacy from dying. Maybe we should start thinking about what we're going to do when it does.
Re:What can we do? (Score:2)
No, actually, Milo Radulovich [wikipedia.org] was fired by the government, the US Air Force. Three cheers for minimal research, kids!
Swatting flies with a sledgehammer (Score:3, Interesting)
Gurrrk.
Put some more thought into this one. There are any number of things that are "unacceptable" that aren't bad enough to merit applying the might and majesty of the State's criminal justice system. By denying all social sanctions short of criminal prosecution, you create a society with the worst of both worlds: a plague of officers (lawyers) wors
You're right - I used too much hyperbole. (Score:3, Insightful)
Gay marriage is a perfect example. When this subject comes up, people turn out in droves to vote against other people's freedom. And then they complain when the majority votes to out
Re:What can we do? (Score:3, Interesting)
The problem with your viewpoint is that it equates legality with morality. You're not much different from those that would legislate morality. But instead of expanding the law to encompass all of morality, you're shrinking morality to fit within the narrow confines of the law. Both are wrong.
I can agree with the idea that the government should not be banning non-violent actions, but as for accepting them, that's going too far. There
SIP Zfone? (Score:3, Interesting)
Re:SIP Zfone? (Score:3, Informative)
According to him, there are no ATA devices or any other hardware-based VoIP phones that support ZRTP (the Zfone encryption protocol). I doubt that Vonage or any other large VoIP service provider will ever offer a phone with ZRTP support due to pressure from the US government.
According to my understanding, Zfone will intercept any SIP call made from your PC and encrypt it on the fly. This means that you should be able to use any software based SIP phone with Zfone.
It wasn't all Bush (Score:4, Informative)
Re:It wasn't all Bush (Score:4, Interesting)
Hardware solutions (Score:4, Interesting)
Secondly, am I missing the hardware solutions for things like this? I've been a Vonage customer for some time, and Vonage seems to turn a blind eye to security (just ask them; they'll tell you they are happy to work with the local and federal law enforcement agencies). When will I be able to use a handheld, encrypted VOIP device, and be sure that it's secure?
Only a Terrorist Wants to be Free! (Score:3, Insightful)
Yeah, real suspicious (Score:4, Funny)
Incredibly suspicious.
What's this about Skype being cracked? (Score:3, Interesting)
I'll try to save myself from being offtopic by asking whether Zfone might be equally vulnerable (probably not, the few leaks about Skype's crypto haven't sounded encouraging).
Re:What's this about Skype being cracked? (Score:3, Informative)
Re:nothing to hide (Score:5, Interesting)
Re:nothing to hide (Score:4, Informative)
Re:nothing to hide (Score:3, Interesting)
Re:nothing to hide (Score:5, Informative)
Re:nothing to hide (Score:3, Funny)
AMEN to that!
Re:nothing to hide (Score:3, Funny)
I'm at work at the moment so I can't do a proper search for images but think about it: would you want to see Margaret Thatcher walking around naked?
Re:nothing to hide (Score:2)
Re:nothing to hide (Score:3, Funny)
I tried that. They sent a bunch of burly guys to force me into a striped one-piece jumpsuit.
Re:nothing to hide (Score:3, Funny)
Nothing to hide? (Score:2)
Dude, that's because most of them have *a lot* to hide!
Re:nothing to hide (Score:5, Interesting)
The meaning of the word terrorist could change at any moment and the definition of enemy combatant is equally fluid.
Your logic is flawed anyway... criminals are not the only group who like privacy.
Re:nothing to hide (Score:2)
same reason we keep the curtains drawn @ home? (Score:5, Insightful)
For the same reason I keep the curtains drawn in my bedroom windows at night, esp. when the s/o gets frisky.
Just because me and my s/o's bedroom activities are perfectly legal doesn't mean I want everyone else (let alone the government) monitoring it.
Illegal bedtime (Score:2)
The supreme court recently struck down sodomy laws between consenting adults, but we still have laws on the books.
Re:same reason we keep the curtains drawn @ home? (Score:2)
Sorry - forgot I was posting to Slashdot where such types of people may not always be a common occurrence :)
Re:same reason we keep the curtains drawn @ home? (Score:2, Funny)
Re:nothing to hide (Score:2)
Re:nothing to hide (Score:2, Insightful)
From "The Eternal Value of Privacy" by Bruce Schneier in Wired (http://www.wired.com/news/columns/0,70886-0.html):
"... accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect."
Re:nothing to hide (Score:2)
Because the dudes at NSA can google for porn if they need some instead of listening in on me and my girl.
Everyone has something to hide. For 99.999% of us it isn't bomb plans or drug deals, but what you did to your secretary yesterday or even just that embarrassing personal secret from your teenage days.
One of the very core principles of privacy is that I get to decide what I consider private, not you or the government. Your interest
Re:nothing to hide (Score:3, Insightful)
Because it's none of your fucking business that's why
Re:nothing to hide (Score:3, Interesting)
It's pretty clear that the War of Independence would have never begun if Britain had had the technology and power currently available to the US Government.
The various colonies in North America had mee
Re:nothing to hide (Score:2)
So that it's harder for identity thieves to gather personal information.
Cellphones and landlines aren't secure. Encrypted voice adds a layer of security so that when your bank asks for your SSN, you are a little safer giving it over the phone.
Re:Didn't read the tech specs ... (Score:3, Informative)
This has a reasonable set of diagrams which describe the process:
http://www.n [netip.com]
Re:Didn't read the tech specs ... (Score:5, Insightful)
The system does a standard Diffie-Hellman key exchange between the two softphones, and hashes that exchange to words that each caller is supposed to read to the other (you see what they're supposed to say, and they see what you're supposed to say). So, unless the man-in-the-middle can also impersonate your voice, MITM'ing the connection is very difficult.
Also, the hashes used to generate that vocal exchange are stored for each destination you call for every call, and fed into the new hash generation. So, even if you skip a round of comparing the hashes, if you do it for a later call & it works, you can be assured that the *previous* call was also clean.
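The two mechanisms the posts above describe (unauthenticated Diffie-Hellman being open to a man-in-the-middle, and ZRTP's answer of a spoken short authentication string plus a per-peer cache carried into the next call) are shown in the added toy model below. This is constructed illustration code, not Zfone's or ZRTP's implementation: the DH group, the word list and the derivation labels are all made up for readability and are not secure parameters.

```python
"""Toy ZRTP-style media key agreement: Diffie-Hellman, a spoken short
authentication string (SAS), and per-peer key continuity.
Constructed illustration only; the group and word list are NOT secure."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Toy DH group (constructed): Mersenne prime 2**127-1, generator 3. Real ZRTP
# negotiates large MODP or elliptic-curve groups; this just keeps the demo small.
P = (1 << 127) - 1
G = 3

# Constructed 16-word list: 16 bits of SAS rendered as four words to read aloud.
WORDS = ["acorn", "bison", "cider", "delta", "ember", "fjord", "glass", "hazel",
         "igloo", "jumbo", "kiosk", "lemon", "mango", "noble", "orbit", "pixel"]


def sas_words(session_key: bytes) -> str:
    """Derive a 16-bit SAS from the session key and render it as four words."""
    bits = int.from_bytes(hashlib.sha256(b"SAS" + session_key).digest()[:2], "big")
    return " ".join(WORDS[(bits >> shift) & 0xF] for shift in (12, 8, 4, 0))


class Endpoint:
    """One softphone. `cache` holds the retained secret from the last call with each peer."""

    def __init__(self, name: str):
        self.name = name
        self.cache: Dict[str, bytes] = {}
        self._priv = 0

    def offer(self, priv: Optional[int] = None) -> int:
        # Fresh DH private per call; `priv` is injectable only so tests are deterministic.
        self._priv = priv if priv is not None else secrets.randbelow(P - 3) + 2
        return pow(G, self._priv, P)

    def finish(self, peer: str, peer_pub: int) -> bytes:
        """Complete the exchange, mixing in last call's retained secret for this peer."""
        shared = pow(peer_pub, self._priv, P).to_bytes(16, "big")
        rs = self.cache.get(peer, b"")  # empty on first contact
        session = hmac.new(rs, b"session" + shared, hashlib.sha256).digest()
        # Remember a value derived from this call for the next one; anyone who was not
        # part of this exchange cannot reproduce it. (Real ZRTP commits the cache only
        # after the Confirm messages check out; the toy commits unconditionally.)
        self.cache[peer] = hmac.new(session, b"retained", hashlib.sha256).digest()
        return session


def direct_call(alice: Endpoint, bob: Endpoint,
                a_priv: Optional[int] = None, b_priv: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Honest exchange: both sides end with the same key, hence the same SAS words."""
    a_pub, b_pub = alice.offer(a_priv), bob.offer(b_priv)
    return alice.finish(bob.name, b_pub), bob.finish(alice.name, a_pub)


def mitm_call(alice: Endpoint, bob: Endpoint,
              a_priv: Optional[int] = None, b_priv: Optional[int] = None,
              m_priv: Tuple[int, int] = (5, 7)) -> Tuple[bytes, bytes, bytes]:
    """Relay scenario: a middle party substitutes its own DH values toward each side.
    Returns (alice_key, bob_key, what_the_relay_believes_alice_key_is)."""
    a_pub = alice.offer(a_priv)
    bob.offer(b_priv)
    a_key = alice.finish(bob.name, pow(G, m_priv[0], P))
    b_key = bob.finish(alice.name, pow(G, m_priv[1], P))
    # The relay can compute the raw DH secret with Alice, but holds no retained secret,
    # so on anything but a first contact its derived key will not match Alice's.
    m_shared = pow(a_pub, m_priv[0], P).to_bytes(16, "big")
    m_guess = hmac.new(b"", b"session" + m_shared, hashlib.sha256).digest()
    return a_key, b_key, m_guess


if __name__ == "__main__":
    alice, bob = Endpoint("alice"), Endpoint("bob")
    ka, kb = direct_call(alice, bob)
    print("clean call  :", sas_words(ka), "|", sas_words(kb))
    a_key, b_key, _ = mitm_call(alice, bob)
    print("relayed call:", sas_words(a_key), "|", sas_words(b_key), "<- callers read different words")
```

On a first contact the relay learns Alice's key and only the spoken SAS comparison exposes it; once one clean call has populated the cache, the mismatch shows up as undecryptable media even if nobody reads the words aloud.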
I have zero problems with that (Score:3, Interesting)
"Yes officer?"
"You had a conversation with unlicensed encryption keys."
"I did not, I sent my keys to the government as ordered."
"They don't fit."
"Gee, beats me, I never really figure out those tech thingies, must've done something when I wasn't looking, I'm sooooo sorry."
Hey, why should claiming stupidity only work when you're spreading malware?