Snooping on VOIP
EvilAlien writes "SecurityFocus is running an article on a joint Justice Department and FBI filing to the FCC which asks for broader communications interception powers:
FBI seeks Internet telephony surveillance. The move is very similar to the Lawful Access Consultation launched by the Canadian Government in August 2002. Both initiatives discuss technological challenges and fears of communication "safe havens" for criminals on broadband services such as Internet, VoIP, and wireless services. Holes in existing legislation, such as Communications Assistance for Law Enforcement Act (CALEA), can provide unintended exclusions for services such as Free World Dialup."
In other news, Orwell rolled over in his grave today, as a confused nation scrambled to hand over their individual freedoms for the sake of perceived security.
Do not surrender your freedoms, granting increased voip snooping is just one more step to a totalitarian nation, where we justify acts like pre-emptive wars, racial profiling, internetwide snoop network with evil McCarthy databases,...
Oh shit it already happened...
Seriously. I know most people send postcards (e-mail) and not letters (encrypted e-mail) but wouldn't you at least do a simple public key exchange for VoIP? I feel I have much more privacy in a phone call than I do on an unencrypted Internet chat that is being relayed through a bunch of unknown servers.
;)
Even the simplest of key exchanges would stop any eavesdroppers, and making a man-in-the-middle attack requires so much more work, not to mention being detectable if verified through a secure channel.
That being said, I can understand the law enforcement agencies. It's not like it's the difference between a postcard and an envelope - it's the difference between a postcard and an indestructible envelope. Giving the police special permissions (e.g. to open your letters with a court order) doesn't work well in a world where encryption is in black and white - secure and insecure. Escrow keys and stuff like that to make it work like in the "real world" doesn't work well either.
Personally, I think I'd just write an AES wrapper if I'm busy planning to Take Over The World(tm Pinky & the Brain). Either that or I'll just send some PGP'd blueprints over freenet through a proxy from a webcafe wearing gloves or something
Kjella
Live today, because you never know what tomorrow brings
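The point made in the comment above about key exchange and out-of-band verification, as an added example that is not part of the original thread: an unauthenticated Diffie-Hellman exchange gives both callers the same key when nobody interferes, while a relay that substitutes its own public value leaves the two ends with different keys, which a fingerprint compared over a separate channel exposes. The group parameters are toy values and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption, not from the thread):
# P = 2**521 - 1 is a Mersenne prime. Real software uses a standardized
# group or an elliptic curve.
P = 2**521 - 1
G = 3

def keypair():
    """Return (private, public) for one side of the exchange."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, their_pub):
    """Derive a 32-byte key from the shared Diffie-Hellman secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def fingerprint(key):
    """Short string the callers compare over a separate, trusted channel."""
    return hashlib.sha256(b"fingerprint" + key).hexdigest()[:16]

def direct_call():
    """Nobody interferes: both ends derive the same key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub)

def intercepted_call():
    """A relay replaces each side's public value with its own."""
    a_priv, _a_pub = keypair()
    b_priv, _b_pub = keypair()
    _m_priv, m_pub = keypair()           # relay's key pair
    key_a = session_key(a_priv, m_pub)   # caller A keys with the relay
    key_b = session_key(b_priv, m_pub)   # caller B keys with the relay
    return key_a, key_b

def verified(key_a, key_b):
    """True when the two ends' fingerprints match."""
    return fingerprint(key_a) == fingerprint(key_b)

if __name__ == "__main__":
    print("direct call verified:     ", verified(*direct_call()))
    print("intercepted call verified:", verified(*intercepted_call()))
```

The check only works if the fingerprints travel over a channel the relay does not control, which is the "verified through a secure channel" condition in the comment.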
What if the VOIP program was directly from my computer to the other party's computer with no "central server" as such that all the traffic flows through. As I see it, CALEA is only feasible on systems such as POTS or cellular where all calls go through a switch of some sort. If one were to set it up so that my computer talks directly to your computer over an encrypted link (maybe with SSL etc) there is no central switch to be compromised...
Of course, one can always use a pay phone. Cash still works.
Just my please-deposit-ninety-cents-for-the-first-three-minutes'-worth
RickTheWizKid
Speak Freely has IDEA encryption built in and the client can exchange session keys with PGP. It doesn't use a PGP IDEA key to DO the encryption, it generates its own but once the key exchange is done with PGP. *poof* FBI still AS ALWAYS needs to get off their fat ass and drop this Ubiquitous Law Enforcement Rampage and do the HUMAN INTELLIGENCE that they get paid to do.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
We can give up all our remaining freedoms but the only "tech" a "terrorist" really needs is the commitment to die for their cause. How do you 100% guard against that? I fear for our children's children.
The law enforcement community has been begging for the unrestricted right to spy on the American people for some time now. I don't know about the rest of you, but I'm much more fearful of government agents with gestapo-like powers than I am of deluded wackos from the 3rd world. The intelligence community already spies on the rest of the world, which is where the threat is coming from. That should be enough. If not, then that is what our military is for, to defend the country against our enemies...which are OUT THERE, not HERE. I'd rather have terrorists over to my house for dinner three nights a week than see law enforcement acquire unnecessary powers that are a greater danger to the public than the terrorism they are purported to prevent.
The abundance of those who would trade freedom for the temporary illusion of security are proof positive that 50% of the population is of below average intelligence.
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
I actually think people are this stupid. Do we really believe that more big brother will be a help in stopping terrorists? I am sure that lovely gentleman that the FBI says is the head of what happened on 9/11, was talking on an IP phone to coordinate all of this. Fuck the FBI and the horse they rode in on, this is just another way for the voyeuristic freaks to get their grubby little hands into more of our privacy. The 9/11 terrorists came into our country legally, took flight lessons, worked out, and didn't have jobs for months. Last time I checked, flight lessons are about 100$ per hour of flight time. And according to my calculations, people with very little income can't afford that. Maybe this could have been the FBI's clue as opposed to needing to tap the IP phone systems. I am sure that they'll be at my door in minutes and tomorrow my face will be on the news as "suspected of a plot of terrorism."
Anonymous Cowards - Oh God, How I hate you
The right choice is to build the encryption into the VOIP protocols themselves, which the initial H.323 and (I think) SIP standards didn't do. That way, it's not something that might or might not get patched on later, it's secure by default. The amount of CPU overhead is trivial - RC4 is blazingly fast, but even if you're using Triple-DES, it's on data you've compressed down to 8-16kbps, and the voice compression takes a lot more horsepower than encryption. I think some of the later standards have some crypto, but I don't know if they're in use.
Of course, crypto only covers the VOIP part - if you're using a VOIP-to-telco gateway in either direction, the telco side is unencrypted and subject to CALEA regulations, which are as technically onerous as they are invasive.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks