Snooping on VOIP

EvilAlien writes "SecurityFocus is running an article on a joint Justice Department and FBI filing to the FCC which asks for broader communications interception powers: FBI seeks Internet telephony surveillance. The move is very similar to the Lawful Access Consultation launched by the Canadian Government in August 2002. Both initatives discuss technological challenges and fears of communication "safe havens" for criminals on broadband services such as Internet, VoIP, and wireless services. Holes in existing legislation, such as Communications Assistance for Law Enforcement Act (CALEA), can provide unintended exclusions for services such as Free World Dialup."

Encryption?

[byolinux]

What's the encryption like on VOIP? Would something like PGP be possible?

Re:Encryption?

[bmongar]

Well there is PGPFone

Re:Encryption?

[Max+Romantschuk]

What's the encryption like on VOIP? Would something like PGP be possible?

In theory, the following applies... in practice I have no idea :)

Since VOIP is transferred in IP packets and packets can be encrypted encryption should be possible.

Since PGP is public key encryption and this is fairly standard there shouldn't be any problems there either.

The real issue is that whatever the solution it has to be part of the standard... otherwise it's pretty meaningless, unless your dodgy friend also has a custom encryption solution, and then I guess one could tunnel VOIP through an SSH tunnel just as well.

I suspect that VOIP technologies have incorporated encryption, but I'm not educated on the subject. Would someone care to fill in?

Re:Encryption?

[jackb_guppy]

Since it is packets.

You can direct it though VPN or SSH tunnels to add another layer of encryption.

Re:Encryption?

[PhilHibbs]

I suspect that VOIP technologies have incorporated encryption,

I suspect that you haven't read the article:

"Those phones don't have a lot of CPU power, so the communication between the two ends is not encrypted,"

Re:Encryption?

[dekerfuser]

True, but what about comms between the switch that the phone is attached to and the switch the other phone is attached to?

Re:Encryption?

In http://www.fourmilab.ch/speakfree/unix/ it is stated at release notes of rel7.6 that AES is supported as encryption algorithm and pgp and gpg may be used in automatic key exchange.

Re:Encryption?

[Albanach]

There is in fact PGP fone which does just that: Link here There's aslo SpeakFreely available here. Both support secure encryption, so unless they really do ahve those factoring machines and we don't yet know it...

Re:Encryption?

[pdjohe]

Sure VoIP can be encrypted.

However, encryption and decryption take time, and when using VoIP, LATENCY can be a big factor. A delay time of 250ms can be somewhat annoying and the term 'real time' communication is somewhat lessened.

So the slower the en/decryption, the more delay time you would have no matter how big the pipeline between the two people is.

I haven't tried PGPfone for a number of years, and computer speeds are quite a bit faster now. Maybe en/decryption time isn't much of a problem now. Whatever the case, I imagine this will become less and less of an issue in the future as computers get faster.

Re:Encryption?

[djrogers]

"Those phones don't have a lot of CPU power, so the communication between the two ends is not encrypted,"

Avaya is currently the market leader in VoIP shipments, and even their oldest, first generation IP hardphones are capable of media encryption. The above is a pretty overblown generalisation...

Free World Dialup?

[pmsr]

Let me guess. Previously known as French World Dialup. /Pedro

Re:Free World Dialup?

[byolinux]

It looks pretty cool...

I'm going to find a price for Cisco ATA 186s and Cisco 7960s.

Re:Free World Dialup?

[PerlGuru]

There is a company I use called Vonage. They provide you with a free Cisco ATA when you signup. You aren't renting it, you own it. You pay $10 for shipping (I got mine two days later) and your first month and your good to go. Has caller-id, three way calling, voicemail and some really powerful forwarding features that can make your phone bounce all over the place and then back to your voicemail with them. One draw back is they have a cancellation fee (about $39 I think). All in all, they have been great for us... it is our only phone now. Upstream requirement is 90kbs. And no, I don't work for them... just a satisfied customer.

Re:Free World Dialup?

[rixster]

I use vonage as well. I live in the UK and my SO in NY. I get unlimited international (i.e. UK US) calling for 30 usd a month. Plus she can call me for the "cost" of a local phone call and the line is nothing short of excellent quality. OK - a few times they've had problems, but in the space of around 8 months I can only think of 2-3 times this has happened. It is definitely a fantastic server. (recommend me and get 40 USD free!!)

Re:Free World Dialup?

[candl]

Gotta agree with you here. I'm extremely happy with my Vonage phone as well. My *only* beef with it is that I live in a small town and the closest prefix I could get is for a town 20 miles away. So, this is no prob for distant relatives who'd have to dial the area code anyway, but my immediate neighbors haven't figured it out yet.

"Yes, I have weird phone number. No, I haven't moved."

BONUS INFO:
I have yet to receive a solicitation on my Vonage line! WooHoo! Take that all you people with too much aluminum siding!

Has anyone used both FWD and Vonage? I don't think I'd change, but just curious.

Monitoring ?

[koh]

In other news, criminals are now able to use "cars", new transportation means that allow them to quickly escape after perpetrating crimes. FBI is looking for a way to monitor all cars in order to ensure security.

This is getting boring. Really.

Re:Monitoring ?

[diablobynight]

I actually think people are this stupid. Do we really believe that more big brother will be a help in stopping terrorist? I am sure that lovely gentleman that the FBI says is the head of what happened on 9/11, was talking on an IP phone to cordinate all of this. Fuck the FBI and the horse they road in on, this is just another way for the voyeuristic freaks to get their grubby little hands into more of our privacy. The 9/11 terrorist, came into our country legally, took flight lessons, worked out, and didn't have jobs for months. Last time I checked, flight lessons are about 100$ per hour of flight time. And according to my calculations, people with very little income can't afford that. Maybe this could have been the FBIs clue as apposed to needing to tap the IP phone systems. I am sure that they'll be at my door in minutes and tomorrow my face will be on the news as "suspected of a plot of terrorism."

Re:Monitoring ?

[drdanny_orig]

koh said...

In other news, criminals are now able to use "cars", new transportation means that allow them to quickly escape after perpetrating crimes. FBI is looking for a way to monitor all cars in order to ensure security.

That's not nearly as funny as some folks seem to think: I'd have modded it "insightful" myself. Witchfinder Ashcroft is almost certain to be looking into this very concern.

And now for my prediction: The 2004 elections will be postponed for security reasons. You heard it hear first.

Re:Monitoring ?

[Blue+Stone]

The FBI ws already looking at stuff that would have prevented the 9-11 attacks, quite possibly.

They were stopped from investigating because Bush, ordered investigators to back off from inquiries into Saudi financing of terrorism, particularly Saudi Royalty.

Clinton did his bit to protect the Saudis, too, and it was all largely done to protect the oil flow into the US.

Monitor the politicians. They're the ones that fsk things up with their shady dealings.

Re:Monitoring ?

[ihatewinXP]

-"I am sure that they'll be at my door in minutes and tomorrow my face will be on the news as "suspected of a plot of terrorism."-

Actually this is part of the problem. With Patriot Act and Patriot Act II :the feds dont have to charge you, they dont have to reveal if and where they are holding you, and can cut off your citizenship and ship you off to Guantanamo Bay where you will never be heard from again..... Now yes, I realize this is unlikely and/or paranoid but - although this used to happen in the shadows on occasion -now this is perfectly legal! PsyOps (whoops I mean propaganda) would convince you that you have nothing to fear as long as your not a terrorist. Well I hope we can all see that the aforementioned argument is not reason enough to take away my rights.

With so many powers to (now legally) intercept and monitor all forms of communication, not to mention the Gov's "rights" to infiltrate and monitor and destroy _any_ group that may be considered against the government, well its no suprise to me that people are waking up to the fact that our gov does _not_ have our best interests at heart. The bill of rights was thrown out the window a long time ago, it seems only recently people are beginning to wake up to these ugly, terrifying facts.

I mean hell, when I first told people about Echelon no one believed me. Then when it actually made its way into th paper (along with Carnivore) they believed me but didnt care. Democracy is the ultimate weapon of control: keep most of the people stupid using TV and textbooks, then convince the majority of morons that their only choice is to 'elect' someone who has been bought and paid for by the aerospace industries and other corporate whores.
The thing that really bothers me though is that so many /. readers (who on a whole I consider quite intelligent and well read) buy into the same CNN propaganda as these semi-literate, inbred, patriotism freaks.

Time to revive pgpfone?

[mstockman]

Won't people who value their privacy (which, sadly, may also include criminals) just revive a project like PGPfone? I don't think it's been updated in a while, but the source code is still there...

Re:Time to revive pgpfone?

[pmsr]

Better yet, there should be a cheap implementation of a Pgpphone device in hardware.

/Pedro

Re:Time to revive pgpfone?

[Noksagt]

There are encrypted landline hardware phones. PGPfone is just software encryption for a landline call (i.e. no IP involved). Encryption of VoIP is trickier.

Re:Time to revive pgpfone?

[pmsr]

Yes there are. But they are either expensive or castrated or both.

/Pedro

Re:Time to revive pgpfone?

[Noksagt]

This is very true. But the same can be said for just hardware encryption of any kind. I think DES is as secure as you can get on a chip. Even then, they cost $50 or so. Secure encryption doesn't need tons of processor power or memory, but there isn't demand for it. The phones would inevitably be even more expensive than a general purpose encryption device--they have to do encryption in "real-time." Doesn't sound trivial to me, which is probably why you have GSM phones using vocoder (i.e. speech inversion) "encryption." It is cheap and good enough for most things.

What would they do if..

[3.5+stripes]

people used ssh to tunnel their calls (assuming it's possible), or made calls over VPNs?

Re:What would they do if..

[pesc]

...people used ssh to tunnel their calls (assuming it's possible), or made calls over VPNs?

They would use traffic analysis. This allows you chart how the criminal networks are organized. There have been several convictions in Sweden where criminals used mobile phones during their crimes and traffic analysis provided the needed evidence. Traffic analysis has several benefits; it is very easy to automate it in computers (compared to having computers that actually analyze the spoken content), it is cheap (very little data is produced), and it doesn't matter if the content is encrypted or if you can't break the encryption.

Sometimes (when I'm feeling paranoid) I think there is a grand conspiracy from FBI, NSA, etc. They talk about encryption, make half-hearted attempts to ban it, etc. So that people in general think they are secure once they encrypt their communication. And then they can use traffic analysis to watch over the general public. ;-)

Re:What would they do if..

[diablobynight]

How exactly does traffic analysis help them have any idea what I am talking about on my phone. I think encryption is an excellent idea.

Re:What would they do if..

[pesc]

How exactly does traffic analysis help them have any idea what I am talking about on my phone. I think encryption is an excellent idea.

Maybe they don't, but it can be interesting anyway. And when they find interesting stuff, they can direct other types of surveillance on you. And in the end, break the crypto using knuckle-breaking ;-)

How does encryption protect you with this example:

From: diablobynight@slashdot.org
To: sales@al-qaida-store.af
djfwkjef kwbvwkev bwiweviwuegfwi eufgwkefb wkjefbwiuev
wejfhk wejhfkwjnv wkeuhgwieufw eofhwl rgjheroi urgeirg
wljehfow euhfiwugbre kgberugberio ugiwheogi whjeglerg

Re:What would they do if..

[Hubert_Shrump]

Just to blue-sky here...

What if you used stego on your own streaming media? Two porn feeds later, and you have a fairly secure(?) conference call.

It'd at least slow them down.

Re:What would they do if..

[diablobynight]

that is the worst example I have ever seen and if our criminals are dumb enough to have traffic directly to a company named as such, then they are dumb. But notoriously they use front companies, like shipping companies to purchase goods. then it's From:diablobynight@slashdot.org To: sales@internationalshipping.ath.cx

Re:What would they do if..

[Grotus]

Typically you would combine traffic analysis with another type of surveillance resulting in a scenario like:
Hmm, the last two times that diablobynight has run out of money only to mysteriously get some more there was an encrypted email from him to sales@internationalshipping.ath.cx in the preceding day. This internationalshipping.ath.cx warrants further investigation.

farming in 84

[Syncroswitch]

In other news, orwell rolled over in his grave today, as a confused nation scrambled to hand over their individual freedoms for the sake of percieved security.

Do not surrender your freedoms, granting increased voip snooping is just one more step to a totalitarian nation, where we justify acts like pre-emptive wars, racial profiling, internetwide snoop network with evil McCarthy databases,...

Oh shit it already happened...

Re:farming in 84

[worldthinker]

Why is it only recently? This was pretty apparent that the Republican's only look out for the Wealthy even in Eisenhower's day.

The general public like sheep think that electing a "father figure" that tells them what is best will protect them when in fact they are being led to the slaughter house as the sheep they are.

Another generation got duped by the Reagan era and now we have George the II who is busy reshaping America back into the 1950's horror of privileged classes and ordered decorum and invisible minorities and McCarthy style gestopo patriotism.

I guess its really true, we get the best government we deserve...

ipsec

[sabri]

I really wonder how they will sniff ipsec't packets..

Re:ipsec

[mr.+methane]

In the long run, I think the answer is.... it doesn't really matter.

While it varies from country to country, getting a wiretap authorized, placed, monitored, and reported on is a big expense, and a big manpower drain.

I've dealt with the cops on a couple of incidents. Unless you're talking about a really big case, where someone's been killed, or massive thefts, you're lucky if one agent has more than a few hours to look into it.

Unless you're a creep on the level of Bernie Ebbers or Martha Stewart, it just ain't gonna happen. It's like sending out the SWAT team to give parking tickets.

Wouldn't you want your VoIP encrypted anyway?

[Kjella]

Seriously. I know most people send postcards (e-mail) and not letters (encrypted e-mail) but wouldn't you at least do a simple public key exchange for VoIP? I feel I have much more privacy in a phone call than I do on an unencrypted Internet chat that is being relayed through a bunch of unknown servers.

Even the simplest of key exchanges would stop any eavesdroppers, and making a man-in-the-middle attack requires so much more work, not to mention being detectable if verified through a secure channel.

That being said, I can understand the law enforcement agencies. It's not like it's the difference between a postcard and an envelope - it's the difference between a postcard and an indestructable envelope. Giving the police special permissions (e.g. to open your letters with a court order) doesn't work well in a world where encryption is in black and white - secure and insecure. Escrow keys and stuff like that to make it work like in the "real world" doesn't work well either.

Personally, I think I'd just write a AES wrapper if I'm busy planning to Take Over The World(tm Pinky & the Brain). Either that or I'll just send some PGP'd blueprints over freenet through a proxy from a webcafe wearing gloves or something ;)

Kjella

Re:Wouldn't you want your VoIP encrypted anyway?

[Degrees]

I might be wrong, but I thought VOIP traffic was primarily UDP, not TCP. TCP is used for the call setup and teardown, but the actual stream of voice pakets is UDP for speed's sake.

With UDP, you don't mind losing a packet or two to network congestion (and the voice stream comes through with garbled for half a second.) The idea is that if your network buffer (or stack) fills up, the UDP packets are thrown away first. I can't see encryption being speedy enough. I could very well be wrong.

But to me, encryption = significant packet processing; and, UDP = "don't process it, ship it!"

I would expect that if done, the encrypted VOIP call will be done

one

word

at

a

time

half

duplex.

Re:Wouldn't you want your VoIP encrypted anyway?

[djrogers]

Oh heavens no... Avaya offers a 104 bit version of blowfish encryption on their VoIP solutions today, and it adds roughly 3ms of latency to each end of the conversation.

Now, if you planned on doing new IKE s every 10-15 packets as with SSL, then you'd run in to more problems, however what AV does today with VoIP encryption is prefectly workable and causes no noticeable affects on the call.

D

Re:Wouldn't you want your VoIP encrypted anyway?

[680x0]

I might be wrong, but I thought VOIP traffic was primarily UDP, not TCP. TCP is used for the call setup and teardown, but the actual stream of voice packets is UDP for speed's sake.

You're partially right. The sound data is indeed carried over UDP, almost always encapsulated by a UDP-based protocol called RTP (Real Time Protocol). RTP can also carry other time-based media like video.

There are 2 mail competing standards for call setup and tear-down:

• SIP - Session Initiation Protocol - Which can be carried atop TCP or UDP (usually UDP, though). Very similar in format to HTTP, actually. A simple protocol to generate and parse, but got a later start.
• H.323 - An ITU standard, which is actually composed of several standards for various parts of the call negotiation:
  • H.225 - Handles placing of calls (modified version of Q.931 (phone company protocol)) and dealing with "gatekeeper" (entity which manages name lookups and bandwidth allocation - via a protocol called RAS).
  • H.245 - Handles negotiation of media encodings. Deals with things like whether the call involves video and/or audio, and which encoding/compression to use for each.
  If I recall correctly, the Q.931 and H.245 use TCP usually, and RAS uses UDP (since gatekeepers are sometimes "discovered" via multicast).

And the RTP standard does mention how to handle encryption, though it doesn't specify an algorithm to use.

Re:Wouldn't you want your VoIP encrypted anyway?

[cotu]

Encryption for RTP is past IESG last call in the form of SRTP. Beyond that there's the problem of how to rendezvous. For SIP and MGCP, there's currently no widespread way of signaling the SRTP parameters in SDP. There's both MIKEY and draft-baugher-mmusic-sdpmediasec-00.txt which extend the semantics, MIKEY being rather heavy duty and draft-baugher being more direct and to the point. MIKEY allows the SDP announcement to be encrypted itself, whereas draft-baugher relies on either transitive trust through intermediaries, or something like SMIME for the body part including the SDP.

In both cases, there's the general problem of public key distribution. That is, if I go through intermediaries like SIP proxies, I may well not have any clue as to what you're public key is (think of forking proxies). This is really the large unsolved problem -- and is the reason you don't get much SMIME or PGP mail either.

So, this isn't going to be especially secure from the Feds through any time soon. For point to point communications where you already know the phone's FQDN, it can be made to be quite secure with SRTP and draft-baugher, but the rest remains problematic.

Re:Wouldn't you want your VoIP encrypted anyway?

[moncyb]

it's the difference between a postcard and an indestructable envelope. Giving the police special permissions (e.g. to open your letters with a court order) doesn't work well in a world where encryption is in black and white - secure and insecure.

You have a point here, but if the police had just cause, couldn't they get a search warrant and get the key(s)? The way I understand encryption, it would work like this:

• The police get permission for a "wiretap" and log all the suspect's VoIP related traffic.
• They also have sufficient evidence for a search warrant on the guy's house, so they find the keys from the guy's computer.
• Decipher the conversation. Yes, they may only get one side of the conversation, but it will probably be enough if the guy is really guilty.

Re:Wouldn't you want your VoIP encrypted anyway?

[Degrees]

Thank you. I did not know that, and it might very well come in handy. Where I work, we will be investigating a VOIP solution this coming year. My boss went to a dog and pony show by Avaya, and was pretty impresed. We were less impressed with the Cisco + SBC solution. It is reliant on a Windows 2000 server and only integrates with MS Outlook (we are a GroupWise shop).

Can you imagine how happy our clients would be if the VOIP call setup server got last week's WindowsUpdate WebDAV patch?

Gad.

Re:Wouldn't you want your VoIP encrypted anyway?

[Degrees]

Thank you. I did not know about RTP, nor the details of the setup and teardown standards.

It is cool that RTP factored in a way to do encryption, even if implementation is left as an excercise for the VOIP engineer.

P2P VOIP?

[rickthewizkid]

What if the VOIP program was directly from my computer to the other party's computer with no "central server" as such that all the traffic flows through. As I see it, CALEA is only feasable on systems such as POTS or cellular where all calls go through a switch of some sort. If one were to set it up so that my computer talks directly to your computer over an encrypted link (maybe with SSL etc) there is no central switch to be compromised...

Of course, one can always use a pay phone. Cash still works.

Just my please-deposit-nintey-cents-for-the-first-three-mi nutes'-worth
RickTheWizKid

Re:P2P VOIP?

[cyb97]

But I guess if you wanna speak to some of your Al-Qaeda buddies in Afghanistan thru VoIP there aren't many routes your packets could take if you use a public network like the Internet...
If you wanna go private you'd still have to use some sort of public access network unless you've got so much money that you might as well run for president and do your dirty deads legal...

Re:P2P VOIP?

[jaredmauch]

This is actually how SIP ends up communicating. I have set up a number of the Cisco 7960 phones running SIP software and what acutally happens is this:

Message sent to central sip server saying 'where is ext 1000'
(or whatever number you dial). Sip server comes back and can say 'no idea where that is', or provide a referal to another ip/dns name. The underlying request can look like 267@204.42.254.14 or 90753@iptel.org for example. Once it finds a positive answer for the lookup, it uses information contained in the SDP packet to determine what udp ports to talk on and the phone(hard or soft) communicates directly to the other phone. The central server is kept in the loop for call-completion (billing) data. But you could just 'dial by ip'. If you know that 267 is assigned to 204.42.254.14, you can communicate directly and the phone will ring.

I suspect a number of the hard phone people will soon be providing a VPN/ipsec type client on the actual phone as SIP does not work very well in a firewall/nat environment.

Re:P2P VOIP?

[jmagar.com]

VoIP is Point to Point already for on net calls. If you leave to the POTS them you are working with a media gateway in the middle.

CALEA works on the call manager. Heres a quick and dirty run down:
1)You pick up the phone
2)the MTA (you IP phone) sends an off hook to the call manager
3) the call manager send back dial tone.
4) you dial
5) the call manager hunts for a route either on net of to the SS7 network
6a) if on net the call manager send ring to other MTA
6b) if off net call manager send ring over SS7 (POTS)
7) other end picks up
8) call manager receives other end off hook
9) call manager connects the call by sending directly to the other MTA (on net) of the media gateway (POTS)

CALEA is implemented on the call manager by controling the MTA that is being "bugged" by forcing the call through a media gateway with recording capabilities, or by forking the stream and connecting an additional endpoint to the call.

How do you beat it? First off you need to be able to tell the difference of end point so snooping the SIP (session initiation protocol) and watching for a change in MTA endpoint. If you know the other parties IP and you are going somewhere else then you are probably being bugged.

The other way, is to build your own Call Manager. The SIP protocol is not too complex, and if you don't want to do funky telco stuff like call waiting... then a bare bones connection manager shouldn't be too tough. Your call manager would only work for on net calls, but I think you've already decided that P2P is what you wanted in the first place.

Re:P2P VOIP?

[timftbf]

www.asterix.org. Someone already did :)

Regards,
Tim.

Re:P2P VOIP?

[PatJensen]

Cisco CallManager does not support SIP. It uses skinny (SCCP) to talk to Cisco IP phones and telephone adapters. It uses megaco (MGCP) to talk to Cisco IOS gateways, and vanilla H.323 for other ones.

Cisco does make SIP products, but they are for use with their SIP Proxy Server product or third-party SIP proxies.

Ciao.

Pat

Re:P2P VOIP?

[jmagar.com]

Actually the BTS 10200 is a telco grade Call Manager. I don't know their PBX line of cisco IP phones. The BTS is designed for SIP and for enabling any MGCP or SIP MTA, it is essantially a CLASS 5 switch for VoIP, some crazy number like 20,000 call setups per second. I know that this is being used for TWC to offer VoIP on the Road Runner cable modem network.

Re:P2P VOIP?

[PatJensen]

Cool man! I wasn't aware they made a telco-capable softswitch product. (and I work for a telco, the one with the blue logo and the swirly)

-Pat

And non-criminals

[truthsearch]

"safe havens" for criminals

Us non-criminals can't have a safe haven either? Thanks.

Re:Encryption? - ULER

[mrmeval]

Speak freely has IDEA encryption built in and the client can exchange session keys with PGP. I doesn't use a PGP IDEA key to DO the encryption, it generates it's own but once the key exchange is done with PGP. *poof* fbi still AS ALWAYS needs to get off their fat ass and drop this Ubiqitous Law Enforcement Rampage and do the HUMAN INTELLEGENCE that they get paid to do.

Remember when ...

[wytcld]

Remember when we used to have sigs that included keywords that were designed to attract the attention of spooks using Echelon to monitor e-mail traffic? Well, we can easily add recorded voice clips to the end of our VOIP calls to similar effect. Go to the library, check out a book of war poetry, and start recording those keyword-rich sound bites. Or select passages from Gravity's Rainbow.

Hmm, we could put this stuff on our answering machines too. As a way of supporting America's martial spirit, of course.

Sigh...the only tech needed.

[siasl]

We can give up all our remaining freedoms but the only "tech" a "terrorist" really needs is the commitment to die for their cause. How do you 100% guard against that? I fear for our children's children.

Re:Sigh...the only tech needed.

[jratcliffe]

It's much harder to stop someone who's willing to die for their cause - does that mean we shouldn't even try? That's sort of like saying that some people are going to die in traffic accidents anyway, so why bother with seatbelts and airbags?

Orwell was wrong.

[the_other_one]

He was completely off by about 19 years.

Re:Orwell was wrong.

[RzUpAnmsCwrds]

No, it was published in 1948.

Geeks unite

[MChester]

Sounds like its time for the geeks of America to unite and do something. Reading stories like these make me feel lucky that I live in Europe. I Feel sorry for u people.

Re:Geeks unite

[d34thm0nk3y]

so what, you think the fbi etc are only going to monitor americans?????
good luck with that one....

Re:Geeks unite

[Branc0]

I also live in Europe and I can tell you i am not happy about. All that the EU does is to copycat America and it's laws, it may take some time (6 to 12 months generaly) but Europe will be watching... and doing the same.

DMCA and others have proven it...

wiretap laws?

[peachboy]

perhaps i'm just naive or ignorant, but how would the government being able to snoop on a voip call be any different from a wiretap on your hard line phone? it would have the same effect, and i'm assuming that if the government were allowed to snoop on voip calls, they would be subject to the same guidelines that they have to follow when tapping a regular phone line. can someone with more information clarify please?

Re:wiretap laws?

[shakah]

It wouldn't be different, the legal process would be the same, etc.

The real question is whether the company operating the service has to comply with CALEA, which among other things requires the provider to create/maintain infrastructure to supply Law Enforcement Agencies (LEAs) with information like the following (when requested via a warrant, that is):

• Content of subject-initiated conference calls -- An LEA will be able to access the content of conference calls initiated by the subject under surveillance (including the call content of parties on hold), pursuant to a court order or other legal authorization beyond a pen register order.
• Party hold, join, drop on conference calls -- Messages will be sent to an LEA that identify the active parties of a call. Specifically, on a conference call, these messages will indicate whether a party is on hold, has joined, or has been dropped from the conference call.
• Subject-initiated dialing and signaling information -- Access to dialing and signaling information available from the subject will inform an LEA of a subject's use of features (e.g., call forwarding, call waiting, call hold, and three-way calling).
• In-band and out-of-band signaling (notification message) -- A message will be sent to an LEA whenever a subject's service sends a tone or other network message to the subject or associate (e.g., notification that a line is ringing or busy, call waiting signal).
• Timing information -- Information will be sent to an LEA permitting it to correlate call-identifying information with the call content of a communications interception.
• Dialed digit extraction --The originating carrier will provide to an LEA on the call data channel any digits dialed by the subject after connecting to another carrier's service., pursuant to a pen register authorization. The FCC found that some such digits fit within CALEA's definition of call-identifying information, and that they are generally reasonably available to carriers.

I'll take terrorism over totalitarianism

[leereyno]

The law enforcement community has been begging for the unrestricted right to spy on the american people for some time now. I don't know about the rest of you, but I'm much more fearful of government agents with gestapo-like powers than I am of deluded wackos from the 3rd world. The intelligence community already spies on the rest of the world, which is where the threat is coming from. That should be enough. If not, then that is what our military is for, to defend the country against our enemies...which are OUT THERE, not HERE. I'd rather have terrorists over to my house for dinner three nights a week than see law enforcement aquire unnecessary powers that are a greater danger to the public than the terrorism they are purported to prevent.

The abundance of those who would trade freedom for the temporary illusion of security are proof positive that 50% of the population is of below average intelligence.

Re:I'll take terrorism over totalitarianism

[TimeZone]

Too bad not all deluded wackos are from the third world. You really think there aren't plenty of them here too? Ever hear of domestic terrorism? I don't think the executive branch should have unrestricted intercept rights either, but OTOH, I just don't think your argument holds water.

TimeZone

Re:I'll take terrorism over totalitarianism

[ianscot]

If not, then that is what our military is for, to defend the country against our enemies...which are OUT THERE, not HERE.

Eric Harris
Dylan Klebold
Timothy McVeigh
Bufford Furrow
Randall Terry

Any of those names ring a bell? They're all white guys who've committed terrorist acts on US soil. (Well, Terry excepted -- he's more like the local Imam, the guy who talks others into it on religious grounds.) McVeigh was part of our worst terrorist act prior to 9/11.

Scary thing is, the same people passing laws to snoop on all the nasty terrorist networks are not so far from the list up there in terms of ideology. U.S. domestic terrorism right now has a lot to do with our right wing fringe. (Anyone remember the private plane the guy flew into the White House during Clinton's term? Sound at all familiar?)

Re:I'll take terrorism over totalitarianism

[leereyno]

Exactly :)

DMCA

[petronivs]

I wonder if it would be plausible to get these guys to cease-and-desist under the DMCA.

IANAL, but I kinda doubt it, but it's nice to dream about, no?

If you're interested...

[GeorgeH]

You too can listen in to VOIP with voice over misconfigured internet telephones or vomit for short. It only works for Cisco IP phones, but I hear that this Cisco company may become a medium to large business in the networking industry.

Depends on your setup

[kcm]

Encryption? Privacy? There's always VOMIT!

Safe Havens

[drooling-dog]

Both initatives discuss technological challenges and fears of communication "safe havens" for criminals on broadband services such as Internet, VoIP, and wireless services.

The way things are going, that should read: "safe havens" for dissidents...

Re:Safe Havens

[Eric+Jaakkola]

You sure you dont mean evil do-ers .

Cisco IP Phones

[LinuxHam]

Excellent timing yet again for an article related to something I wanted to ask this crowd about.

I just moved into a new office, and the customer left behind a detached Cisco IP phone tossed in the corner. What free software options do I have to put this puppy into service? Best I could find so far was that I need to run Cisco CallManager on the network. I was hoping to find that the proprietary protocol has been cracked and is supported by Gatekeeper or something. So far, no such luck.

This unit is a 12 SP+. What can I do with it?

Thanks /.ers!

Re:Cisco IP Phones

[torqer]

Well, With out knowing exactly what type of phone it is, I would assume it is h323 compatible. So you should be able to dial (by IP) anyone who has a H323 compliant device (ie netmeeting). You need to run a VoIP gateway in order for traffic to be sent to the internet... or even through your lan. Free h323 software is at available at openh323.org

I use H323 as an intercom system within my house.

Re:Cisco IP Phones

[xadhoom]

There's a linux software, called * (www.asterisk.org) that supports sip,h323,pstn,isdn,pri(E1,T1). you can plug the cisco phone to it and use * as gateway or so. We're using it in our office and rocks.

I'm happy too.

[EvilStein]

They now include Canada in the free calling area. No more international fees to call Vancouver. Yay! Oh, and the "virtual number" thing is cool. For an additional $4.99/mo, I can get a (916)xxx-xxxx phone number that routes to my home phone.

Pretty cool setup.

This is actually a significant problem

[Noksagt]

VoIP already stresses the networking and hardware limits in order to provide the "quality" that they do now. Many people think that encryption is a solution, but I don't think it is right now. PGPphone is NOT VoIP, but software encrption for the landline telephone network (i.e. audio encryption). But adding encryption to actual VoIP would lower the quality of service considerably. Ever try using VoIP over VPN? It is really bad. You can use google to find articles about how to turn VPN off for just VoIP so that you can still have good sound quality.

Re:This is actually a significant problem

[CracktownHts]

PGPphone is NOT VoIP, but software encrption for the landline telephone network (i.e. audio encryption).

I'm not so sure this is accurate. I've used PGPFone cablemodem to cablemodem, and it works fine, great in fact. The sound quality is much, much better than, say, TeamSound, for example. For the time being I'm too lazy to look up the exact definition of VOIP (is it a protocol, or is it just a general term for voice communications over the internet), but no, PGPFone isn't restricted to modem-to-modem use.

Unless, of course, I got the NSA Trojaned variety...

Re:This is actually a significant problem

[Noksagt]

Actually, the PGP manual says:
"Internet calls are also supported. We created PGPfone to allow private conversations between
people. The initial release of PGPfone accomplished this by encrypting phone calls between two people via their modems, with a direct connection between the two people's modems, using only the phone system as the intermediary. But popular demand has driven us to add the capability of sending the data stream over the Internet, instead of just the phone system. This feature allows for cheaper long distance conversations, with only the cost of a local phone call to your Internet service provider. I hope this doesn't result in the Internet eventually being glutted by too much voice traffic. Cheaper phone calls is an almost-unintended side effect that will probably not be well received by the long distance phone companies. Our goal was privacy, not cheaper phone calls. Sorry about that, AT&T. But maybe this feature will make PGPfone more popular."

So, I stand corrected! I guess I had used the version before this (I know 56K modems weren't that common when I used it, let alone cable modems!). Wonder why it didn't warrant a major revision number--they're still at 1.0b2 for PCs.

If you don't want to be monitored ENCRYPT!!

[ZPO]

The only protection against eavesdropping is strong end-to-end encryption. We got the ECPA (86 - US) shoved down our throats so cellular companies could claim their systems were "protected" from unauthorized monitorin without having to actually spend money on embedding crypto hardware in subscriber units.

CALEA was just a pitiful attempt to keep LE agencies from having to spend big bucks on upgrading their monitoring hardware.

If an individual, organization, government agency, or other entity wants to monitor your communications badly enough they will. If you don't like that then use stong end-to-end encryption.

--BEGIN RANT MODE--
Instead of wringing you hands over the evil and unfair world we live in just deal with it and work around it.

Its not exactly difficult to properly encypt just about anything you send. How many actually do it? Want to bet those same people that can't be bothered to use strong encryption are some of the first to whine about monitoring?
--END RANT MODE--

In God we trust -- All others we monitor

Yea, sure....

[MoeMoe]

Ofcourse we should be worried about terrorists using Voice Over IP, because I'm sure that Bin Laden has a computer in that cave of his and Hussein has a better knowledge of computing than Linus Torvalds (heaven forbid lol)... Seriously though, I think this is just another excuse for the larger government agencies to have a better grip on the people of their country, take Echelon or Carnivore for example... Both made for security but at the cost of many individuals privacy. I'm not necessarily against more protection for our countries, I'm just saying that our privacy is a big price to pay in order to get it.

Now let me get down to the goverment conspiracies, oh wait... someone's at my door, brb...

BOOM! **dead**

It's tired by now

[fizbin]

People have been saying "Orwell was only off by {abs(year-1984)}" or variations thereof since 1949, at least.

just replaced my home phone with voip...

[dougnaka]

I just replaced my home phone with a voip phone from packet8.net. I also considered vonage.com
Am I to understand then, that currently law enforcement could _not_ get a wiretap order to listen in on my calls? Being a privacy advocate I like this very much, maybe a temporary solution for criminals everywhere. FYI vonage uses cisco ATA's but packet8 has a proprietary solution. I hope that when people listening in on voip calls becomes more common place they upgrade to an all encrypted system.
Then all we'd need to do is get more people using PGP/GPG for email and all the spy power in the world isn't gonna help big brother. boo hoo.

Hi ho

[TerryAtWork]

This is just another job for good encyption.

It's a done deal.

Re:Encryption of regular phone?

[tintruder]

Been around for a long time. I used the STU-III secure phone back in the late 1980s. http://www.tscm.com/STUIIIhandbook.html

Napster for Phones?

[raile]

Free World Dialup has been called "Napster for Phones." It's a free service aimed at developing Internet telephony as a mainstream alternative to the public switched telephone network.

WTF?!? Is anything that does not pass through a "normal" distribution channel now comparable with Napster? Other than using a computer network, how is VOIP anything like Napster?

It seems like journalists love to compare things with Napster just to give those things an slight taint of naughtiness.

IPSEC is a better choice

[billstewart]

SSH is too far up the protocol stack - if you're going to wrap encryption around an unencrypted VOIP stack, IPSEC is the right layer to work at. There's still a bit of weirdness there (Cisco's cRTP Compressed RTP implementation doesn't work over IPSEC, unless they've updated it recently, so you need to use uncompressed headers, which inflates packets sizes a lot), but it's better than doing Layer 4/5 solutions.

The right choice is to build the encryption into the VOIP protocols themselves, which the initial H.323 and (I think) SIP standards didn't do. That way, it's not something that might or might not get patched on later, it's secure by default. The amount of CPU overhead is trivial - RC4 is blazingly fast, but even if you're using Triple-DES, it's on data you've compressed down to 8-16kbps, and the voice compression takes a lot more horsepower than encryption. I think some of the later standards have some crypto, but I don't know if they're in use.

Of course, crypto only covers the VOIP part - if you're using a VOIP-to-telco gateway in either direction, the telco side is unencrypted and subject to CALEA regulations, which are as technically onerous as they are invasive.

It's sad

[mindstrm]

that the public accepts reasons like this as valid; the only reason wiretaps were allowed in the first place was because it made sense in some situation.. like
"Hey, we are trying to solve this here crime, and we think this guy is using thsi here phone, can we listen in? OH cool."

Now the ability to snoop has become a feature that must be present or the government has a fit.

They could sort of get a wiretap order now

[billstewart]

Assuming you're using a VOIP-to-telephony gateway in the US, various sets of police could probably get a wiretap order now, but they'd have trouble implementing it, because the connection to your home isn't the kind of equipment they're good at wiretapping. If they did a tap at Vonage's gateway, that part is a shared trunk from their VOIP routers to a telco, so there isn't a convenient relationship that says that "Line 3 is Doug Naka's phone". They could tap _all_ the lines, and only keep the ones they really want (or the ones that sound like fun), but that's lots more work than they want to do, so they want to be able to force other people to do the work for them. Also, if VOIP carriers _do_ start using encryption, if it's not convenient to wiretap the wireline side, they want to be able to wiretap the IP side.

Another problem is non-telco VOIP carriers. The regulations are pretty clear for regulated telcos - they're much less clear for people who aren't. For instance, if the PBX at your office acts as a gateway for all your coworkers who have VOIP hardware phones or software phones on their PCs, and DSL at home with VPNs to the office - CALEA lets the telco wiretap your company's phone system at the telco trunk, but they don't know that extension 1234 is your coworker "Bob" who's also selling ganja on the side. And as VOIP carriers become less legacy-telco dependent, what about calls that only use the carrier as a presence server (e.g. ICQ or equivalent) to set up the connections and do the actual VOIP part user-to-user - they'd like to be able to wiretap your ISP.

Try the iptel.org VoIP Service & its GNU softw

[skaht]

FYI,

Jeff Pulver is a great guy to network with in the SIP VoIP industry.

The German's also have a similar site to Jeff's at iptel.org. The iptel.org Web site appears to have over 65,000 accounts. They are working on SIP Instant Messaging and Presence Leveraging Extentions (SIMPLE) server infrastructure that could give the Microsoft RTC a run for its money.

There are plenty of providers or carriers that provide SIP services here are a few.

Business Grade:
1) Worldcom
2) Webley
3) Denwa

Consumer Grade:
1) Delta Three
2) Vonage

Because SIP servers proxy and registration servers can be anywhere in the world CALEA can't be enforced at the server end. Thus, support for US CALEA laws would have to be provided by the ISP or carrier providing the broadband service. (Most of the SIP VoIP phones support or default to G.711 CODECs that consume 90 kilobits per second of bandwidth.)

I highly recommend using the Intertex IX66 firewall with SIP hard and softphones. Its OS is Linux and interoperates with a very large array of SIP products. (The ipDialog hard phones are also Linux-based.)

There is plenty of open source SIP server software on the Internet:

1) http://iptel.org/ - FhG Fokus spin off, written in C
2) http://www.vovida.org/ - really Cisco, written in C++
3) http://dns.antd.nist.gov/proj/iptel/ - The National Institute of Standards is to release Java JAIN v1.1 reference implementation shortly
4) http://www.siptrex.org/news/ - an IP Centrex framework using older NIST software from the University College London guys

Bye,

Skaht

Encryption doesn't hurt VOIP quality.

[billstewart]

If you've got problems with VOIP quality when you're using a VPN, the problem isn't the encryption, it's the rest of the system. It's only bad if it's done badly. The encryption itself isn't the problem - it's much less CPU work than voice compression, even with something slow like 3DES. If encryption were handled by the VOIP system, instead of tacked on by a VPN, it wouldn't be a problem at all.

• Headers - For most VOIP systems, the compressed voice isn't very big - it's smaller than the RTP and IP headers, so Cisco routers that do VOIP use a cRTP compressed header format, somewhat like the compressed SLIP/PPP things, but they can't use that over IPSEC. With compressed headers, that 8kbps stream of compressed voice typically expands to 11-12 kbps, while with uncompressed headers, it's about 24kbps. On a modem, which has 28-33kbps upstream, this is not good :-)
  
• Prioritization by Type of Service (ToS) bits - IP packet headers have some bits to indicate priority, which aren't widely supported, but even without them, it's nice to look at the TCP/UDP port numbers to be able to send VOIP and telnet and other latency-sensitive small packets before sending big file transfer packets. But most dedicated VPN hardware and software doesn't know how to do this, either by port number or TOS, and IPSEC standards tend not to support passing TOS bits from the inside of the tunnel to the outside, because that not only leaks information about the encrypted traffic (crypto purists don't like this), but also might result in packets from the VPN stream getting reordered (which tends to break the crypto.) So if you want your packets prioritized, you need to be careful about what order you use to put the packets into the tunnel, and either don't mark the VPN tunnel with TOS bits or else mark the whole thing high-priority, both of which can be rude and suboptimal.
  
• Also, it doesn't help that IPSEC tunnels aren't TCP or UDP, they're ESP or (rarely) AH, so anything that handles them later that would like to prioritize by port number can't do that.
  
• On an overloaded network, prioritization is important. On an unloaded network, it's not much of an issue.

Re:postponed elections

[worldthinker]

That's my prediction too! After all, "this war will take as long as its going to take"...

Amazing what the consequences of 157 votes and some hanging chads can be...

Re:M-X Spook

[wirefarm]

Actually, I agree -
I made the mistake of Googling for the list and came up with someone's modified list. (And failed to read it before posting)
I first saw that feature years ago, back when I used to use emacs, but since then I have switched to vi and don't even install emacs any more.
The original list was a bit better, though now really dated.
I thought the whole idea of inserting keywords was a bit useless back then, but mildly amusing.

Re:"This way to the egress"

[ZPO]

I never said the answer was easy or convenient. I only said there was an available set of solutions.

Laws only exist to keep honest people honest and punish those who break them when they are caught.

I would not depend on the rule of law to protect my sensitive communications from interception and exploitation by entities that may desire to do so. Its illegal (in most countries) to steal credit card information and use it to make fraudulent purchases. We don't, however, rely solely on the protection of law. We insist that vendors we do online business with use proper cryptographic protection of our card information during the transaction, and we hope they take steps to protect it once they've got it. Why should our voice communications be any different?

I find the likelihood of effectively constraining the evil and unfair world very low. Its good to work toward it, but in the meantime I'll keep running encryption where I feel it is warranted.