Snooping on VOIP
EvilAlien writes "SecurityFocus is running an article on a joint Justice Department and FBI filing to the FCC which asks for broader communications interception powers:
FBI seeks Internet telephony surveillance. The move is very similar to the Lawful Access Consultation launched by the Canadian Government in August 2002. Both initiatives discuss technological challenges and fears of communication "safe havens" for criminals on broadband services such as Internet, VoIP, and wireless services. Holes in existing legislation, such as Communications Assistance for Law Enforcement Act (CALEA), can provide unintended exclusions for services such as Free World Dialup."
Won't people who value their privacy (which, sadly, may also include criminals) just revive a project like PGPfone? I don't think it's been updated in a while, but the source code is still there...
Well there is PGPFone
As x approaches total apathy I couldn't care less.
There is a company I use called Vonage. They provide you with a free Cisco ATA when you sign up. You aren't renting it, you own it. You pay $10 for shipping (I got mine two days later) and your first month and you're good to go. Has caller-id, three way calling, voicemail and some really powerful forwarding features that can make your phone bounce all over the place and then back to your voicemail with them. One drawback is they have a cancellation fee (about $39 I think). All in all, they have been great for us... it is our only phone now. Upstream requirement is 90kbs. And no, I don't work for them... just a satisfied customer.
...people used ssh to tunnel their calls (assuming it's possible), or made calls over VPNs?
;-)
They would use traffic analysis. This allows you to chart how the criminal networks are organized. There have been several convictions in Sweden where criminals used mobile phones during their crimes and traffic analysis provided the needed evidence. Traffic analysis has several benefits; it is very easy to automate it in computers (compared to having computers that actually analyze the spoken content), it is cheap (very little data is produced), and it doesn't matter if the content is encrypted or if you can't break the encryption.
Sometimes (when I'm feeling paranoid) I think there is a grand conspiracy from FBI, NSA, etc. They talk about encryption, make half-hearted attempts to ban it, etc. So that people in general think they are secure once they encrypt their communication. And then they can use traffic analysis to watch over the general public.
He was completely off by about 19 years.
134340: I am not a number. I am a free planet!
In http://www.fourmilab.ch/speakfree/unix/ it is stated in the release notes of rel7.6 that AES is supported as an encryption algorithm and pgp and gpg may be used in automatic key exchange.
There is in fact PGP fone which does just that: Link here There's also SpeakFreely available here. Both support secure encryption, so unless they really do have those factoring machines and we don't yet know it...
Sure VoIP can be encrypted.
However, encryption and decryption take time, and when using VoIP, LATENCY can be a big factor. A delay time of 250ms can be somewhat annoying and the term 'real time' communication is somewhat lessened.
So the slower the en/decryption, the more delay time you would have no matter how big the pipeline between the two people is.
I haven't tried PGPfone for a number of years, and computer speeds are quite a bit faster now. Maybe en/decryption time isn't much of a problem now. Whatever the case, I imagine this will become less and less of an issue in the future as computers get faster.
The only protection against eavesdropping is strong end-to-end encryption. We got the ECPA (86 - US) shoved down our throats so cellular companies could claim their systems were "protected" from unauthorized monitoring without having to actually spend money on embedding crypto hardware in subscriber units.
CALEA was just a pitiful attempt to keep LE agencies from having to spend big bucks on upgrading their monitoring hardware.
If an individual, organization, government agency, or other entity wants to monitor your communications badly enough they will. If you don't like that then use strong end-to-end encryption.
--BEGIN RANT MODE--
Instead of wringing your hands over the evil and unfair world we live in just deal with it and work around it.
It's not exactly difficult to properly encrypt just about anything you send. How many actually do it? Want to bet those same people that can't be bothered to use strong encryption are some of the first to whine about monitoring?
--END RANT MODE--
In God we trust -- All others we monitor
There are 2 main competing standards for call setup and tear-down:
- SIP - Session Initiation Protocol - Which can be carried atop TCP or UDP (usually UDP, though). Very similar in format to HTTP, actually. A simple protocol to generate and parse, but got a later start.
- H.323 - An ITU standard, which is actually composed of several standards for various parts of the call negotiation:
  - H.225 - Handles placing of calls (modified version of Q.931 (phone company protocol)) and dealing with "gatekeeper" (entity which manages name lookups and bandwidth allocation - via a protocol called RAS).
  - H.245 - Handles negotiation of media encodings. Deals with things like whether the call involves video and/or audio, and which encoding/compression to use for each.
If I recall correctly, the Q.931 and H.245 use TCP usually, and RAS uses UDP (since gatekeepers are sometimes "discovered" via multicast).
And the RTP standard does mention how to handle encryption, though it doesn't specify an algorithm to use.
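Added example, not part of the original comments: a small parser for the HTTP-like SIP request format described above, showing which call-setup fields stay readable in the signalling even when the RTP media itself is encrypted, which is the data traffic analysis works from. The INVITE, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample: an INVITE in RFC 3261 layout with a tiny SDP body.
SDP_BODY = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc1.example.org;branch=z9hG4bK776asdhds\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@pc1.example.org\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

# SIP allows one-letter compact header names; map them to the long form.
COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via",
           "m": "contact", "l": "content-length", "c": "content-type"}

def parse_sip_request(raw: str) -> dict:
    """Split a SIP request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if not version.startswith("SIP/"):
        raise ValueError("not a SIP request line")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:   # folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header: {line!r}")
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, []).append(value.strip())
    return {"method": method, "uri": uri, "headers": headers, "body": body}

def signalling_metadata(msg: dict) -> dict:
    """Who called whom, plus the media lines (type, RTP port, transport)."""
    addr = lambda v: re.search(r"<?(sips?:[^>;\s]+)", v).group(1)
    h = msg["headers"]
    media = re.findall(r"^m=(\w+) (\d+) (\S+)", msg["body"], re.M)
    return {"caller": addr(h["from"][0]), "callee": addr(h["to"][0]),
            "call_id": h["call-id"][0], "media": media}

if __name__ == "__main__":
    print(signalling_metadata(parse_sip_request(SAMPLE_INVITE)))
```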