Secure Voice Communications While Travelling?
captnitro asks: "My father works for the US Dept of Commerce in the Eastern Bloc. His hotel room phones are routinely bugged -- a few (former) coworkers have had their stays 'shortened' and politely asked to leave the country, when they said dumb things over the phone. A few days ago he asked me what I use for secure voice when I don't have broadband. Remembering PGPfone from a while back, I looked up the link, but apparently they're no longer supporting/distributing it. While I wouldn't recommend he say much of anything in a bugged room, it got me thinking -- what do *you* use for simple, no-nonsense (requiring modem + sound card), low-bandwidth secure voice app? Unix works, and scriptability gets geek points, but I'll take what I can get."
Call on the shoe phone
Within a cone of silence
Talk very loudly
134340: I am not a number. I am a free planet!
Me? I bring my Navajo Code Talker with me wherever I go. I do have certain problems with system interoperability, but that is understandable, I'm told.
" His hotel room phones are routinely bugged -- a few (former) coworkers have had their stays 'shortened' and politely asked to leave the country, when they said dumb things over the phone."
Can somebody explain to me the dynamics involved here? I've been sent to my room before for telling everybody at the dinner table that my mom had to buy larger underwear after gaining some weight, but I've never been told to leave the country...
Wouldn't there be a chance the walls are as well?
Maybe speaking in a special way interchanging important words and phrases for nonsensical words and phrases or using voice inflections or predetermined voice signals could help bypass that. We could call this a "code"...
You could use gnuphone with a SSH or other VPN tunnel, or even a full blown asterisk point and use encrypted IAX transfers. Any old SIP phone would work too.
All of these are IP solutions. Any decent pair of phone encoders (where you encrypt and decrypt the audio stream) would be a lower-tech solution that might work better.
Voice has a *huge* analog hole - any microphone within 100 ft can pick the conversation up, and parabolic dish or laser bounced off the window can extend that range to blocks.
So given that you want to be secure, you *really* have to rule out speech.
So try IM.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
If you are in a foreign country and the state agencies are bugging your calls, you better be darn sure of what their crypto laws say because you might get arrested for spying if you break them.
It all depends on how secure he really needs to be though; in theory they can tap his laptop keyboard remotely, and/or watch his display just by analysing the emitted radio waves. The only solution to that is tempest-level shielding. I do vaguely remember somebody selling a conductive tent that you go inside and it blocks the laptop's emissions.
Of course if he goes the voice route then he has to worry about being physically overheard- it doesn't matter how encrypted his laptop link is then! Similarly if his typing or screen is being videoed; or if somebody subverts his laptop then all bets are off.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
This is something I've been meaning to experiment with myself for communicating with one of my clients when he's out of town.
It seems like it should be possible to use Linphone (www.linphone.org) over an ssh tunnel. ssh compression may also help with the bandwidth constraint.
Can yuo tlak liek tihs?
I'm almost certain that tempest can't read laptop screens, which I assume the man in question uses as he is a traveler.
Photos.
Since the gov't isn't willing to provide secure communications, don't talk on the phone. Talk in person in a hotel room with loud music. Bagpipes and tapes of Japanese people talking are particularly good.
Conformity is the jailer of freedom and enemy of growth. -JFK
speak freely is a Free program for Windows and *nix. It supports strong encryption (by default) and is very light on bandwidth. It works more like a walkie-talkie than a phone though.
Or you could just send GPG-encrypted emails..
455fe10422ca29c4933f95052b792ab2
Who says the phone is the thing bugged? There could just be bugs in the room so any encryption will be useless. Plus if phone scrambling becomes common they won't bother bugging the phone and go straight to the room. Personally I would just recommend being careful what I say.
What do I use? Nothing. Either of these are true: 1) the gov't in question can crack any lame, consumer oriented encryption I use; therefore any security I use just provides me with a false sense of security. Or, 2) the gov't in question can't crack it, and their interests are raised. In this instance, "their interests are raised" means I am dragged down to the police station and my testicles have electrodes taped to them; my screams aren't encrypted, natch.
I would suggest that your father not talk about stupid things on the phone when visiting hostile foreign countries, and when he does so, to not depend on consumer grade security. He may as well use the decoder ring he got with a box of cereal.
--
$tar -xvf
From the PGPi website, including the source.
Might not work on newer hardware, but it's still available.
Yet another article that needs modded (-1, Troll)
meh.
Hello? 1973 called. They want their story back :-)
I always code my vocabulary using a one time hash known only to me. A one time hash is impossible to break but care must be taken to wear a tin foil hat during the encryption phase.
But for the average Commerce Dept. worker, he should record his messages on an mp3 device while walking through a park. Then use steganography to hide the messages inside emails that appear to be spam generated by some common mutating virus with titles like, "Your mortgage is approved", "Prize Award Notification", and "Enlarge your penis!"
If they see you using encryption, they may throw him out just for that. I'd suggest discretion.
HIV Crosses Species Barrier... into Muppets
Email may be better. It stands up to cryptanalysis better, and room bugs don't get it. But, it is vulnerable to a lot of new problems: Van Eck emissions, screen flicker, and even a good ol' pair of binoculars across the street.
If you use these, remember that the security of the mechanism is only as good as the security of the computer. If you get 0wnz0r3d, then you're screwed.
Now, consider the idea of "proportional response". Right now, your dad gets phone taps. What do you think will happen if he starts encrypting communication? Sure, a regular phone tap falls apart under almost any sort of encryption. But start using encryption, and they're more likely to put more resources into finding out what you're up to. That's when the things like room bugs and Van Eck attacks come into play.
So, you have to figure out: how much of a risk does your dad represent to them? How much are they willing to spend to monitor his communications? That's the first step to deciding what appropriate encryption would be.
He's a government employee; I'd expect that if they wanted his communications to be secure, they would be. I'm sure they have all kinds of nifty toys that are provided to those they think need them.
In the first case, try any of the suggestions listed in previous comments to make him feel better.
In the second case, he simply shouldn't talk about anything that is considered sensitive while in a non-secure location. Too many ways to intercept any form of communication that doesn't start out encoded. TEMPEST is *so* 70's.
He could get by on important things with pre-coded messages. "How are the kids" meaning all is clear. "How's the dog" meaning get me the fuck out of this country, now! But if such codes are re-used, they'll be discovered. And if someone knows he doesn't have a dog - well, that's probably a bad idea too.
Tech solutions are good for clearing areas that might have unsophisticated attacks (that didn't build the building in the first place!), and for preventing interception between two secure locations. If those locations aren't secure, you're SOL on tech.
I write code.
Make up a spoken language ala Tolkien in LOTR then make up sign language for it. Then a video phone over SSH. Not 100% secure but surely will take some time to understand the language.
Rus
Cheap UK and US VPS
If your father is indeed a government employee, and the need for secrecy is work related, why in God's name would anything sensitive be spoken in a non-secure location? Any sensitive official communications should be conducted within the nearest embassy.
Check this out. Many computer games now have built in voice communications such as the world's most popular first person shooter video game: counter-strike, a mod for half-life. Have your dad jump into the game, join a server, have his contact meet him in the server and they can talk secret Navajo code over the ingame voicecoms. So that way #1. there would be no real way to dissect the outgoing transmission for video/sound. and #2. make the people monitoring feel like complete morons.
Yelling plant the bomb over coms and have the cops bust through the door only to see you playing a video game on a 32man public server.... pass me the dunce cap!
If you really want to get secure you should take a look at the NSK 200, a GSM/DECT-phone which is approved for NATO Secret. I don't know if it is available for everyone though.
Or some such?
Tunneled through ssh?
Sharp Zaurus
tkcPhone
IPSEC on Sharp Zaurus
I would imagine that you could get a SIP phone to compile for the Zaurus or some one that uses another VOIP protocol. As someone above suggested, connect it through an Asterisk server. I've got a test one setup myself on an old PIII 500 w/ 256 MB RAM, a nic and a sound card working with software based SIP phones. Then, if you are near someplace with Ethernet, wireless access or have a phoneline handy, you can connect out.
Good luck with other PDA platforms. You might get this to work on a WinCE but I'd be afraid. I've never audited security on one of those. You'd be out of luck on a Palm until the next release of the Palm OS (they promise!) since they promise that that is when they'll let backgrounded apps run.
He should get in touch with the US government's IAD (Information Assurance Directorate). They'll advise him and can provide something properly certified as secure.
If you just use some random program recommended by random slashdotters you don't know how secure it really is. Even if the crypt is good there are other things to worry about (e.g. EM emissions, your laptop getting hacked).
Simple,
Buy a prepaid cell phone at a store. If you're talking about low level class stuff you should be fine. It is much harder to track the cellphone and then tap into it. If your attacker has the hardware to do that, you should worry about other things then.
If you travel a lot you can look into getting a sat phone. Remember that they work best outdoors, so that will not help much unless you have a separate antenna unit.
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
My father works for the US Dept of Commerce in the Eastern Bloc.
Pardon me? This is 2003. There hasn't been an "Eastern Bloc" for well over a decade. That's like saying your father works in the USSR, or in Yugoslavia.
Have him contact his local security manager. There's a device that's basically a portable STU. Keyed and managed just like a STU - just more headaches for the COMSEC custodian. All the cool kids (the SF guys) or anyone with enough rank to say they need it are getting them.
As above, if you're just talking about unclassified but sensitive stuff, I think the best solution is using an off-the-shelf PGP solution or pig-latin - less headaches and less jail-time if it's compromised.
p.s. generally, if one says "tempest" anymore, they're mocked into submission.
Peace out... Piece in.
Actually I think the client / server communications in Everquest are encrypted - the reason being of course to keep the 1337 crew from knowing where all the good lewt dropping mobs are popping ... but if he is a good typist and has a decent laptop he could spend half his day in EQ doing his secret discussions.
Given how determined the 1337 crew is about getting their phat lewtz and how determined Sony is about not having that happen, four years in the making has made EQ a pretty secure communications (typing, not voice) environment. For non-classified information it ought to be PLENTY secure, and runs on a normal dial up connection.
Glonoinha the MebiByte Slayer
1 - Pig Latin
2 - Quenya Syndarin and stuff
3 - Parseltongue
4 - Windtalker
Or just talk like Sean Penn in I AM SAM. Anyone listening to the conversation will die before he finishes the phrase
how long until
Widely available, universally ignored.
If your father works for the US gov't, he has access to far more secure forms of communication than the typical slashdot reader.
Now if he and his colleagues aren't using it, or aren't important enough to be issued something secure, that's another story.
Simple Announcement on the page is:
On January 15th, 2004, Speak Freely will be discontinued and removed from this Web site. Existing users may continue to use the program as long as they wish, but no further releases will be forthcoming. For details and the reasons why Speak Freely is being discontinued, please see the full end of life announcement.
Full announcement at:
http://www.fourmilab.ch/speakfree/eol/
I can't believe I just read this entire thing and didn't see one link to Skype! Wasn't this just on Slashdot a few days ago? You'd have to get your friends onto the service, but it really is very easy, it's encrypted, and the quality is quite good for 56k.
~Anztac
The fact of the matter is that unless you are certain that your *room* (never mind the phone) is not bugged you're just better off using written communication.
Case in point: My mother deals with relatively large shipyard contracts (30-50 million dollars, or so, a piece) in Russia. Having negotiations at a formerly government owned shipyard is much like posting the transcripts on usenet (all of the rooms are bugged and some of them still actively listened to). So what do they do? Talk bullshit and exchange messages written on paper across the table.
Why is this important? Because in order to get something done you have to pay people off. Spending up to 10% of the total contract sum for bribes is nothing unusual in Russia and the people listening to your conversations want a piece too (or maybe the people who they are listening for want a piece). So in the end it boils down to money and as long as you know the rules of the game you can cheat (don't think that everyone else isn't).
If the poster's father's employer was truly interested in protecting their interests they would utilize the more than sufficient resource available to the U.S. government. The fact that you're posting this on slashdot implies that whatever he is doing is really non-essential (otherwise he'd be taken care of). There's several levels of diplomacy and maybe this person is just stuck on being the bullshitter role. Diversion is a good tactic at times, you know.
The answer should be obvious. If they bug the hotel, then don't phone from the hotel. Find a telephone at a place where they wouldn't expect you to go.
BTW, if he's so important, why can't he bring his own (encrypted) satellite phone?
don't go together
paper and pencil. or two typing on one laptop keyboard. don't save the text. use LCD's to lessen TEMPEST effects.
An encrypted communication could look suspicious or be made to look suspicious. Have him use a series of code phrases agreed to in advance with the other party to send coded messages in the clear.
If he really needs to have privacy, aren't there embassy resources he could use?
When I heard about it, it was "room sized". I believe they were aiming for briefcase size, and that was a few years back now.
No idea on the range.
Q.
Insert Signature Here
If the phones are bugged, what makes you think that the room that the phone is in isn't?
Even if the room isn't and it's only the phone, if they can't listen in on the phone, why wouldn't they then start bugging the room?
They may only get half the conversation, but it may provide enough information for their purposes.
Has he looked at Iridium satellite phones? The hardware is reasonably priced ($1500), per minute charge isn't bad for international usage ($1.50 or so). From the Iridium website: "...a commercially available user terminal will support secure communications by adding a removable National Security Agency (NSA) approved Type I Communications Security (COMSEC) sleeve which fits onto the commercial user terminal."
The product is an "Iridium Secure Module". Read about it here: http://www.disa.mil/ca/buyguide/contracts/emss.html. Buy it here.
While that doesn't take care of people bugging the voice side BEFORE it gets encrypted, it should help your conversation from being otherwise monitored....
Mike
I hate to sound naive but isn't this what the US Embassy is for? Aren't US diplomats supposed to do all their secure business via US Embassy resources?
Use a fax. It's really straightforward and pocket size encryptors are readily available.
This may not be the best answer given the criteria in the article, but when I have this need I use a $5 phone (which I bought at a drugstore on the way to the airport one time) plugged into a Cisco ATA-186 box that is in turn connected to a Linux laptop running Asterisk. The laptop connects using IAX-over-SSH to a server back here in Washington that in turn connects to the office phone system. From there the calls get routed to local extensions, out to POTS, or to other Asterisk systems, as required.
In addition to being reasonably secure, it saves a lot of money. Hotels usually charge a flat daily rate for broadband in the room. For that amount I can make and receive all the international calls I want.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
Alright bob, switch it over to the strongest legal encryption over here.
Gung'f tbbq. Yrg'f xvpx fbzr ovt-oebgure nff naq fhccbeg frangbe Trbetr'f vqrn gb oblpbgg nyy pbzzhavfg angvbaf.
Bu fuvg! Gurl'er ng zl qbbbe! Qnzavg, jrer lbh frevbhf jura lbh fnvq guvf jnf yrtny
You can't judge a book by the way it wears its hair.
It depends upon the country. Some are advanced, some are advanced but with little money and some are stone-age.
If the target group is small, expect more surveillance because they have the time available. For example in one of the 'stans, you can assume that your telephone is bugged and if it is known to belong to a foreigner, then you are probably right. Foreigners tend to get better lines to make interception easier.
In the poorer countries, mobiles are still pretty rare. This means that it is easy to classify any users as 'interesting'. Forget any on-air encryption, the interception will take place at the exchange.
Apartment bugs are less likely unless you are a high profile target. In any case, encrypted computer comms are always better than voice for this reason. Van Eck is a possible risk but unlikely unless you are in Russia or China and are very high profile.
The rule is that you always assume that anywhere that isn't cleared by competent staff is bugged. This doesn't mean that you can't talk about things on the phone, you just don't go into specifics.
See my journal, I write things there
At least one FSU country I was in had a bandwidth to the Internet of 64KB. Yes, that is the country. Own satellite dishes require a lot of paperwork. The US embassy has one, the World Bank has one but I don't think that any of the other diplomatic missions do.
See my journal, I write things there
I never leave the country without my Captain Crunch secret decoder ring!
Along the lines of speaking in Esperanto, the universally-ignored language, but easier to implement:
speak in Technical Manual. I speak this language and find that it is TRULY universally ignored. Even my Esperanto-loving friend frequently ignores it. For example:
Commerce 1: Please follow these directions. Please do not begin parsing my meaning until you have finished following these directions.
Commerce 2: Excellent, Commerce 1. Please use the options in dialog box 1, as described in figure 1 shown below.
If you have any further question on how to use these options, please do not hesitate to call our Ambassador at this number... We thank you for providing our company with sample data. voila!
just learn to speak in Al-Bhed.
Insightful: 76, Off-Topic: 379, Flamebait: 24, Funny: 152, Interesting: 201, Underrated: 55, Troll: 9, Total: 896
If obvious crypto voice links are simultaneously needed and illegal, you're between a rock and a hard place.
Rehearse beforehand with a few phrases, much like what the BBC used to broadcast to undercover groups in occupied Europe during WW2.
"Mr Green likes to eat bananas near the pharmacy."
Translation: "They're stalling."
"My socks were laundered yesterday."
Translation: "I think they're willing to settle for a contract in the projected amount."
Etc.
You won't have the full flexibility that you'd like, but it's better than no information.
[BTW, if your laptop isn't in your full possession 24/7, forget about using it for anything you wish to keep from prying eyes. Oh, and don't even think about hooking it up to your company's internal LAN afterwards.]
"Provided by the management for your protection."
If they have GSM coverage then you might want to look at secure GSM phones. As other people have mentioned, you really need to get out of that hotel room.
Global Teck has some stuff.