Snooping on VOIP 141
EvilAlien writes "SecurityFocus is running an article on a joint Justice Department and FBI filing to the FCC which asks for broader communications interception powers:
FBI seeks Internet telephony surveillance. The move is very similar to the Lawful Access Consultation launched by the Canadian Government in August 2002. Both initatives discuss technological challenges and fears of communication "safe havens" for criminals on broadband services such as Internet, VoIP, and wireless services. Holes in existing legislation, such as Communications Assistance for Law Enforcement Act (CALEA), can provide unintended exclusions for services such as Free World Dialup."
Encryption? (Score:4, Interesting)
Re:Encryption? (Score:5, Informative)
Re:Encryption? (Score:5, Interesting)
In theory, the following applies... in practice I have no idea
Since VOIP is transferred in IP packets and packets can be encrypted encryption should be possible.
Since PGP is public key encryption and this is fairly standard there shouldn't be any problems there either.
The real issue is that whatever the solution it has to be part of the standard... otherwise it's pretty meaningless, unless your dodgy friend also has a custom encryption solution, and then I guess one could tunnel VOIP through an SSH tunnel just as well.
I suspect that VOIP technologies have incorporated encryption, but I'm not educated on the subject. Would someone care to fill in?
Re:Encryption? (Score:4, Interesting)
You can direct it though VPN or SSH tunnels to add another layer of encryption.
Re:Encryption? (Score:2)
Re:Encryption? (Score:1)
Re:Encryption? (Score:2)
Avaya is currently the market leader in VoIP shipments, and even their oldest, first generation IP hardphones are capable of media encryption. The above is a pretty overblown generalisation...
Re:Encryption? (Score:1, Informative)
Re:Encryption? - ULER (Score:2, Insightful)
Re:Encryption? (Score:3, Informative)
Depends on your setup (Score:1)
Re:Encryption? (Score:2, Informative)
However, encryption and decryption take time, and when using VoIP, LATENCY can be a big factor. A delay time of 250ms can be somewhat annoying and the term 'real time' communication is somewhat lessened.
So the slower the en/decryption, the more delay time you would have no matter how big the pipeline between the two people is.
I haven't tried PGPfone for a number of years, and computer speeds are quite a bit faster now. Maybe en/decryption time isn't much of a problem now. Wh
Free World Dialup? (Score:2, Funny)
Re:Free World Dialup? (Score:2)
I'm going to find a price for Cisco ATA 186s and Cisco 7960s.
Re:Free World Dialup? (Score:5, Informative)
Re:Free World Dialup? (Score:3, Interesting)
I'm happy too. (Score:2)
Pretty cool setup.
Re:Free World Dialup? (Score:1)
"Yes, I have weird phone number. No, I haven't moved."
BONUS INFO:
I have yet to receive a solicitation on my Vonage line! WooHoo! Take that all you people with too much alum
Monitoring ? (Score:5, Funny)
This is getting boring. Really.
Re:Monitoring ? (Score:5, Insightful)
Re:Monitoring ? (Score:2)
They were stopped from investigating because Bush, ordered investigators to back off from inquiries into Saudi financing of terrorism, particularly Saudi Royalty.
Clinton did his bit to protect the Saudis, too, and it was all largely done to protect the oil flow into the US.
Monitor the politicians. They're the ones that fsk things up with their shady dealings.
Re:Monitoring ? (Score:2)
Actually this is part of the problem. With Patriot Act and Patriot Act II
Re:Monitoring ? (Score:1)
That's not nearly as funny as some folks seem to think: I'd have modded it "insightful" myself. Witchfinder Ashcroft is almost certain to be looking into this very concern.
And now for my prediction: The 2004 elections will be postponed for security reasons. You heard it hear first.
Re:postponed elections (Score:1)
Amazing what the consequences of 157 votes and some hanging chads can be...
Time to revive pgpfone? (Score:3, Informative)
Re:Time to revive pgpfone? (Score:1)
Re:Time to revive pgpfone? (Score:1)
Re:Time to revive pgpfone? (Score:1)
Re:Time to revive pgpfone? (Score:1)
What would they do if.. (Score:5, Interesting)
Re:What would they do if.. (Score:4, Informative)
They would use traffic analysis. This allows you chart how the criminal networks are organized. There have been several convictions in Sweden where criminals used mobile phones during their crimes and traffic analysis provided the needed evidence. Traffic analysis has several benefits; it is very easy to automate it in computers (compared to having computers that actually analyze the spoken content), it is cheap (very little data is produced), and it doesn't matter if the content is encrypted or if you can't break the encryption.
Sometimes (when I'm feeling paranoid) I think there is a grand conspiracy from FBI, NSA, etc. They talk about encryption, make half-hearted attempts to ban it, etc. So that people in general think they are secure once they encrypt their communication. And then they can use traffic analysis to watch over the general public.
Re:What would they do if.. (Score:2)
Re:What would they do if.. (Score:2)
Maybe they don't, but it can be interesting anyway. And when they find interesting stuff, they can direct other types of surveillance on you. And in the end, break the crypto using knuckle-breaking
How does encryption protect you with this example:
From: diablobynight@slashdot.org
To: sales@al-qaida-store.af
djfwkjef kwbvwkev bwiweviwuegfwi eufgwkefb wkjefbwiuev
wejfhk we
Re:What would they do if.. (Score:2)
Re:What would they do if.. (Score:1)
Hmm, the last two times that diablobynight has run out of money only to mysteriously get some more there was an encrypted email from him to sales@internationalshipping.ath.cx in the preceding day. This internationalshipping.ath.cx warrants further investigation.
Re:What would they do if.. (Score:2)
What if you used stego on your own streaming media? Two porn feeds later, and you have a fairly secure(?) conference call.
It'd at least slow them down.
IPSEC is a better choice (Score:3, Insightful)
The right choice is to build the encryption into the VOIP protocols themselves, which the initia
farming in 84 (Score:5, Insightful)
Do not surrender your freedoms, granting increased voip snooping is just one more step to a totalitarian nation, where we justify acts like pre-emptive wars, racial profiling, internetwide snoop network with evil McCarthy databases,...
Oh shit it already happened...
Re:farming in 84 (Score:1)
The general public like sheep think that electing a "father figure" that tells them what is best will protect them when in fact they are being led to the slaughter house as the sheep they are.
Another generation got duped by the Reagan era and now we have George the II who is busy reshaping America back into the 1950's horror of privileged classes and ordered decorum and invisibl
ipsec (Score:1)
Re:ipsec (Score:2)
While it varies from country to country, getting a wiretap authorized, placed, monitored, and reported on is a big expense, and a big manpower drain.
I've dealt with the cops on a couple of incidents. Unless you're talking about a really big case, where someone's been killed, or massive thefts, you're lucky if one agent has more than a few hours to look into it.
Unless you're a creep on the level of Bernie Ebbers or Martha Stewart, it jus
Wouldn't you want your VoIP encrypted anyway? (Score:5, Insightful)
Even the simplest of key exchanges would stop any eavesdroppers, and making a man-in-the-middle attack requires so much more work, not to mention being detectable if verified through a secure channel.
That being said, I can understand the law enforcement agencies. It's not like it's the difference between a postcard and an envelope - it's the difference between a postcard and an indestructable envelope. Giving the police special permissions (e.g. to open your letters with a court order) doesn't work well in a world where encryption is in black and white - secure and insecure. Escrow keys and stuff like that to make it work like in the "real world" doesn't work well either.
Personally, I think I'd just write a AES wrapper if I'm busy planning to Take Over The World(tm Pinky & the Brain). Either that or I'll just send some PGP'd blueprints over freenet through a proxy from a webcafe wearing gloves or something
Kjella
Re:Wouldn't you want your VoIP encrypted anyway? (Score:2)
With UDP, you don't mind losing a packet or two to network congestion (and the voice stream comes through with garbled for half a second.) The idea is that if your network buffer (or stack) fills up, the UDP packets are thrown away first. I can't see encryption being speedy enough. I could very well be wrong.
But to me, encryp
Re:Wouldn't you want your VoIP encrypted anyway? (Score:2)
Now, if you planned on doing new IKE s every 10-15 packets as with SSL, then you'd run in to more problems, however what AV does today with VoIP encryption is prefectly workable and causes no noticeable affects on the call.
D
Re:Wouldn't you want your VoIP encrypted anyway? (Score:2)
Can you imagine how happy our clients would be if the VOIP call setup server got last week's WindowsUpdate WebDAV patch?
Gad.
Re:Wouldn't you want your VoIP encrypted anyway? (Score:3, Informative)
You're partially right. The sound data is indeed carried over UDP, almost always encapsulated by a UDP-based protocol called RTP (Real Time Protocol). RTP can also carry other time-based media like video.
There are 2 mail competing standards for call setup and tear-down:
Re:Wouldn't you want your VoIP encrypted anyway? (Score:2)
It is cool that RTP factored in a way to do encryption, even if implementation is left as an excercise for the VOIP engineer.
Re:Wouldn't you want your VoIP encrypted anyway? (Score:1)
Re:Wouldn't you want your VoIP encrypted anyway? (Score:2)
You have a point here, but if the police had just cause, couldn't they get a search warrant and get the key(s)? The way I understand encryption, it would work like this:
P2P VOIP? (Score:3, Insightful)
Of course, one can always use a pay phone. Cash still works.
Just my please-deposit-nintey-cents-for-the-first-three-m
RickTheWizKid
Re:P2P VOIP? (Score:2)
If you wanna go private you'd still have to use some sort of public access network unless you've got so much money that you might as well run for president and do your dirty deads legal...
Re:P2P VOIP? (Score:1)
Message sent to central sip server saying 'where is ext 1000'
(or whatever number you dial). Sip server comes back and can say 'no idea where that is', or provide a referal to another ip/dns name. The underlying request can look like 267@204.42.254.14 or 90753@iptel.org for example. Once it finds a positive answer for the lookup, it uses information conta
Re:P2P VOIP? (Score:2, Interesting)
CALEA works on the call manager. Heres a quick and dirty run down:
1)You pick up the phone
2)the MTA (you IP phone) sends an off hook to the call manager
3) the call manager send back dial tone.
4) you dial
5) the call manager hunts for a route either on net of to the SS7 network
6a) if on net the call manager send ring to other MTA
6b) if off net call manager send ring over SS7 (POT
Re:P2P VOIP? (Score:1)
Regards,
Tim.
Re:P2P VOIP? (Score:2)
Cisco does make SIP products, but they are for use with their SIP Proxy Server product or third-party SIP proxies.
Ciao.
Pat
Re:P2P VOIP? (Score:1)
Re:P2P VOIP? (Score:2)
-Pat
And non-criminals (Score:3, Interesting)
Us non-criminals can't have a safe haven either? Thanks.
Remember when ... (Score:3, Interesting)
Hmm, we could put this stuff on our answering machines too. As a way of supporting America's martial spirit, of course.
M-X Spook (Score:1)
(Standard M-X Spook word list follows)
Go ahead, put the whole list in your sig.
Cheers,
Jim
$400 million 1 October 15 May 17 November 3rd October ACLU ADF AES AIDS AIIB AK-47 ALIR ANO ARD ARN ASALA ASG Abu Nidal Abu Sayyaf Aceh Merdeka Aden-Abyan Ahl-e-Hadees Air Force One Al-Fatah Al-`Asifa Alamo Albanian Alex Boncayao Brigade Alliance of Eritrean National Force Alliance pour la resistance democratique Allied Democratic Forces American American Airlines Amn Araissi Arab Revolutionar
Re:M-X Spook (Score:1)
I made the mistake of Googling for the list and came up with someone's modified list. (And failed to read it before posting)
I first saw that feature years ago, back when I used to use emacs, but since then I have switched to vi and don't even install emacs any more.
The original list was a bit better, though now really dated.
I thought the whole idea of inserting keywords was a bit useless back then, but mildly amusing.
Sigh...the only tech needed. (Score:5, Insightful)
Re:Sigh...the only tech needed. (Score:2)
Orwell was wrong. (Score:4, Informative)
He was completely off by about 19 years.
It's tired by now (Score:2)
Re:Orwell was wrong. (Score:2)
Geeks unite (Score:1)
Re:Geeks unite (Score:1)
good luck with that one....
Re:Geeks unite (Score:1)
DMCA and others have proven it...
wiretap laws? (Score:1)
Re:wiretap laws? (Score:1)
The real question is whether the company operating the service has to comply with CALEA, which among other things requires the provider to create/maintain infrastructure to supply Law Enforcement Agencies (LEAs) with information like the following (when requested via a warrant, that is):
I'll take terrorism over totalitarianism (Score:5, Insightful)
The abundance of those who would trade freedom for the temporary illusion of security are proof positive that 50% of the population is of below average intelligence.
Re:I'll take terrorism over totalitarianism (Score:1)
TimeZone
Re:I'll take terrorism over totalitarianism (Score:2)
Eric Harris
Dylan Klebold
Timothy McVeigh
Bufford Furrow
Randall Terry
Any of those names ring a bell? They're all white guys who've committed terrorist acts on US soil. (Well, Terry excepted -- he's more like the local Imam, the guy who talks others into it on religious grounds.) McVeigh was part of our worst terrorist act prior to 9/11.
Scary thing is, the same people passing laws t
Re:I'll take terrorism over totalitarianism (Score:2)
DMCA (Score:1)
I wonder if it would be plausible to get these guys to cease-and-desist under the DMCA.
IANAL, but I kinda doubt it, but it's nice to dream about, no?
If you're interested... (Score:4, Interesting)
Safe Havens (Score:2)
The way things are going, that should read: "safe havens" for dissidents...
Re:Safe Havens (Score:1)
Cisco IP Phones (Score:2)
I just moved into a new office, and the customer left behind a detached Cisco IP phone tossed in the corner. What free software options do I have to put this puppy into service? Best I could find so far was that I need to run Cisco CallManager on the network. I was hoping to find that the proprietary protocol has been cracked and is supported by Gatekeeper or something. So far, no such luck.
This unit is a 12 SP
Re:Cisco IP Phones (Score:2)
I use H323 as an intercom system within my house.
Re:Cisco IP Phones (Score:1)
This is actually a significant problem (Score:1)
Re:This is actually a significant problem (Score:1)
I'm not so sure this is accurate. I've used PGPFone cablemodem to cablemodem, and it works fine, great in fact. The sound quality is much, much better than, say, TeamSound, for example. For the time being I'm too lazy to look up the exact definition of VOIP (is it a protocol, or is it just a general term for voice communications over the internet), but no, PGPFone isn't restricted to modem-to-modem u
Re:This is actually a significant problem (Score:1)
"Internet calls are also supported. We created PGPfone to allow private conversations between
people. The initial release of PGPfone accomplished this by encrypting phone calls between two people via their modems, with a direct connection between the two people's modems, using only the phone system as the intermediary. But popular demand has driven us to add the capability of sending the data stream over the Internet, instead of just the phone system. This feature allows for che
Encryption doesn't hurt VOIP quality. (Score:2)
If you don't want to be monitored ENCRYPT!! (Score:2, Informative)
CALEA was just a pitiful attempt to keep LE agencies from having to spend big bucks on upgrading their monitoring hardware.
If an individual, organization, government agency, or other entity wants to mon
Re:"This way to the egress" (Score:1)
Laws only exist to keep honest people honest and punish those who break them when they are caught.
I would not depend on the rule of law to protect my sensitive communications from interception and exploitation by entities that may desire to do so. Its illegal (in most countries) to steal credit card information and use it to make fraudulent purchases. We don't, however, rely solely on the protection of l
Yea, sure.... (Score:1)
just replaced my home phone with voip... (Score:1)
Am I to understand then, that currently law enforcement could _not_ get a wiretap order to listen in on my calls? Being a privacy advocate I like this very much, maybe a temporary solution for criminals everywhere. FYI vonage uses cisco ATA's but packet8 has a proprietary solution. I hope that when people listening in on voip calls becomes more common place they upgrade to an all encrypted system.
Then all we'd n
They could sort of get a wiretap order now (Score:2)
Hi ho (Score:2)
It's a done deal.
Napster for Phones? (Score:1)
WTF?!? Is anything that does not pass through a "normal" distribution channel now comparable with Napster? Other than using a computer network, how is VOIP anything like Napster?
It seems like journalists love to compare things with Napster just to give those things an slight taint of naughtiness.
It's sad (Score:2)
"Hey, we are trying to solve this here crime, and we think this guy is using thsi here phone, can we listen in? OH cool."
Now the ability to snoop has become a feature that must be present or the government has a fit.
Try the iptel.org VoIP Service & its GNU softw (Score:1)
Jeff Pulver is a great guy to network with in the SIP VoIP industry.
The German's also have a similar site to Jeff's at iptel.org. The iptel.org Web site appears to have over 65,000 accounts. They are working on SIP Instant Messaging and Presence Leveraging Extentions (SIMPLE) server infrastructure that could give the Microsoft RTC a run for its money.
There are plenty of providers or carriers that provide SIP services here are a few.
Business Grade:
1) Worldcom
2) Webley
3) Denwa
Consumer Grade:
Re:Encryption of regular phone? (Score:1)