Snooping on VOIP
EvilAlien writes "SecurityFocus is running an article on a joint Justice Department and FBI filing to the FCC which asks for broader communications interception powers:
FBI seeks Internet telephony surveillance. The move is very similar to the Lawful Access Consultation launched by the Canadian Government in August 2002. Both initiatives discuss technological challenges and fears of communication "safe havens" for criminals on broadband services such as Internet, VoIP, and wireless services. Holes in existing legislation, such as Communications Assistance for Law Enforcement Act (CALEA), can provide unintended exclusions for services such as Free World Dialup."
Won't people who value their privacy (which, sadly, may also include criminals) just revive a project like PGPfone? I don't think it's been updated in a while, but the source code is still there...
Well there is PGPFone
As x approaches total apathy I couldn't care less.
There is a company I use called Vonage. They provide you with a free Cisco ATA when you sign up. You aren't renting it, you own it. You pay $10 for shipping (I got mine two days later) and your first month and you're good to go. Has caller-id, three way calling, voicemail and some really powerful forwarding features that can make your phone bounce all over the place and then back to your voicemail with them. One drawback is they have a cancellation fee (about $39 I think). All in all, they have been great for us... it is our only phone now. Upstream requirement is 90kbs. And no, I don't work for them... just a satisfied customer.
...people used ssh to tunnel their calls (assuming it's possible), or made calls over VPNs?
;-)
They would use traffic analysis. This allows you to chart how the criminal networks are organized. There have been several convictions in Sweden where criminals used mobile phones during their crimes and traffic analysis provided the needed evidence. Traffic analysis has several benefits: it is very easy to automate it in computers (compared to having computers that actually analyze the spoken content), it is cheap (very little data is produced), and it doesn't matter if the content is encrypted or if you can't break the encryption.
Sometimes (when I'm feeling paranoid) I think there is a grand conspiracy from FBI, NSA, etc. They talk about encryption, make half-hearted attempts to ban it, etc. So that people in general think they are secure once they encrypt their communication. And then they can use traffic analysis to watch over the general public.
He was completely off by about 19 years.
134340: I am not a number. I am a free planet!
There are 2 main competing standards for call setup and tear-down:
- SIP - Session Initiation Protocol - Which can be carried atop TCP or UDP (usually UDP, though). Very similar in format to HTTP, actually. A simple protocol to generate and parse, but got a later start.
- H.323 - An ITU standard, which is actually composed of several standards for various parts of the call negotiation:
  - H.225 - Handles placing of calls (modified version of Q.931 (phone company protocol)) and dealing with "gatekeeper" (entity which manages name lookups and bandwidth allocation - via a protocol called RAS).
  - H.245 - Handles negotiation of media encodings. Deals with things like whether the call involves video and/or audio, and which encoding/compression to use for each.
And the RTP standard does mention how to handle encryption, though it doesn't specify an algorithm to use.
If I recall correctly, the Q.931 and H.245 use TCP usually, and RAS uses UDP (since gatekeepers are sometimes "discovered" via multicast).
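The comment above describes SIP as an HTTP-like text protocol that is simple to parse, and an earlier comment points out that traffic analysis works on call metadata even when the content is encrypted. As an added example (not part of any poster's comment; the INVITE, names and addresses are constructed, and header folding, compact header names and repeated headers are not handled), this Python code parses a SIP INVITE and returns what the signaling alone exposes:

```python
# Constructed sample message: documentation addresses and made-up identities.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

def parse_sip(message):
    """Split a SIP request into start line, headers (lower-cased names) and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon ends the header name
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}

def parse_sdp_media(body):
    """Return the SDP connection address and the offered media streams."""
    addr, media = None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":                        # c=<nettype> <addrtype> <address>
            addr = value.split()[-1]
        elif kind == "m":                      # m=<media> <port> <proto> <fmt>...
            name, port, proto, *fmts = value.split()
            media.append({"media": name, "port": int(port),
                          "proto": proto, "formats": fmts})
    return addr, media

def call_metadata(message):
    """Who is calling whom, and where the RTP stream will go, from signaling only."""
    msg = parse_sip(message)
    addr, media = parse_sdp_media(msg["body"])
    h = msg["headers"]
    return {"method": msg["method"], "from": h["from"], "to": h["to"],
            "call_id": h["call-id"], "rtp_address": addr, "media": media}
```

Encrypting the RTP payload leaves every field returned by `call_metadata` readable unless the signaling itself is also carried over an encrypted channel.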