Secure Voice Communications While Travelling?
captnitro asks: "My father works for the US Dept of Commerce in the Eastern Bloc. His hotel room phones are routinely bugged -- a few (former) coworkers have had their stays 'shortened' and politely asked to leave the country, when they said dumb things over the phone. A few days ago he asked me what I use for secure voice when I don't have broadband. Remembering PGPfone from a while back, I looked up the link, but apparently they're no longer supporting/distributing it. While I wouldn't recommend he say much of anything in a bugged room, it got me thinking -- what do *you* use for simple, no-nonsense (requiring modem + sound card), low-bandwidth secure voice app? Unix works, and scriptability gets geek points, but I'll take what I can get."
Call on the shoe phone
Within a cone of silence
Talk very loudly
134340: I am not a number. I am a free planet!
Me? I bring my Navajo Code Talker with me wherever I go. I do have certain problems with system interoperability, but that is understandable, I'm told.
" His hotel room phones are routinely bugged -- a few (former) coworkers have had their stays 'shortened' and politely asked to leave the country, when they said dumb things over the phone."
Can somebody explain to me the dynamics involved here? I've been sent to my room before for telling everybody at the dinner table that my mom had to buy larger underwear after gaining some weight, but I've never been told to leave the country...
You could use gnuphone with a SSH or other VPN tunnel, or even a full blown asterisk point and use encrypted IAX transfers. Any old SIP phone would work too.
All of these are IP solutions. Any decent pair of phone encoders (where you encrypt and decrypt the audio stream) would be a lower-tech solution that might work better.
Voice has a *huge* analog hole - any microphone within 100 ft can pick the conversation up, and a parabolic dish or laser bounced off the window can extend that range to blocks.
So given that you want to be secure, you *really* have to rule out speech.
So try IM.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
If you are in a foreign country and the state agencies are bugging your calls, you better be darn sure of what their crypto laws say because you might get arrested for spying if you break them.
It all depends on how secure he really needs to be though; in theory they can tap his laptop keyboard remotely, and/or watch his display just by analysing the emitted radio waves. The only solution to that is tempest-level shielding. I do vaguely remember somebody selling a conductive tent that you go inside and it blocks the laptop's emissions.
Of course if he goes the voice route then he has to worry about being physically overheard- it doesn't matter how encrypted his laptop link is then! Similarly if his typing or screen is being videoed; or if somebody subverts his laptop then all bets are off.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
This is something I've been meaning to experiment with myself for communicating with one of my clients when he's out of town.
It seems like it should be possible to use Linphone (www.linphone.org) over an ssh tunnel. ssh compression may also help with the bandwidth constraint.
Can yuo tlak liek tihs?
I'm almost certain that tempest can't read laptop screens, which I assume the man in question uses as he is a traveler.
Photos.
Since the gov't isn't willing to provide secure communications, don't talk on the phone. Talk in person in a hotel room with loud music. Bagpipes and tapes of Japanese people talking are particularly good.
Conformity is the jailer of freedom and enemy of growth. -JFK
Speak Freely is a Free program for Windows and *nix. It supports strong encryption (by default) and is very light on bandwidth. It works more like a walkie-talkie than a phone though.
Or you could just send GPG-encrypted emails..
455fe10422ca29c4933f95052b792ab2
What do I use? Nothing. Either of these are true: 1) the gov't in question can crack any lame, consumer oriented encryption I use; therefore any security I use just provides me with a false sense of security. Or, 2) the gov't in question can't crack it, and their interests are raised. In this instance, "their interests are raised" means I am dragged down to the police station and my testicles have electrodes taped to them; my screams aren't encrypted, natch.
I would suggest that your father not talk about stupid things on the phone when visiting hostile foreign countries, and when he does so, to not depend on consumer grade security. He may as well use the decoder ring he got with a box of cereal.
--
$tar -xvf
From the PGPi website, including the source.
Might not work on newer hardware, but it's still available.
Hello? 1973 called. They want their story back :-)
I always code my vocabulary using a one time hash known only to me. A one time hash is impossible to break but care must be taken to wear a tin foil hat during the encryption phase.
But for the average Commerce Dept. worker, he should record his messages on an mp3 device while walking through a park. Then use steganography to hide the messages inside emails that appear to be spam generated by some common mutating virus with titles like, "Your mortgage is approved", "Prize Award Notification", and "Enlarge your penis!"
If they see you using encryption, they may throw him out just for that. I'd suggest discretion.
HIV Crosses Species Barrier... into Muppets
Email may be better. It stands up to cryptanalysis better, and room bugs don't get it. But, it is vulnerable to a lot of new problems: Van Eck emissions, screen flicker, and even a good ol' pair of binoculars across the street.
If you use these, remember that the security of the mechanism is only as good as the security of the computer. If you get 0wnz0r3d, then you're screwed.
Now, consider the idea of "proportional response". Right now, your dad gets phone taps. What do you think will happen if he starts encrypting communication? Sure, a regular phone tap falls apart under almost any sort of encryption. But start using encryption, and they're more likely to put more resources into finding out what you're up to. That's when the things like room bugs and Van Eck attacks come into play.
So, you have to figure out: how much of a risk does your dad represent to them? How much are they willing to spend to monitor his communications? That's the first step to deciding what appropriate encryption would be.
He's a government employee; I'd expect that if they wanted his communications to be secure, they would be. I'm sure they have all kinds of nifty toys that are provided to those they think need them.
If you really want to get secure you should take a look at the NSK 200, a GSM/DECT-phone which is approved for NATO Secret. I don't know if it is available for everyone though.
1 - Pig Latin
2 - Quenya Sindarin and stuff
3 - Parseltongue
4 - Windtalker
Or just talk like Sean Penn in I AM SAM. Anyone listening to the conversation will die before he finishes the phrase
how long until
Simple Announcement on the page is:
On January 15th, 2004, Speak Freely will be discontinued and removed from this Web site. Existing users may continue to use the program as long as they wish, but no further releases will be forthcoming. For details and the reasons why Speak Freely is being discontinued, please see the full end of life announcement.
Full announcement at:
http://www.fourmilab.ch/speakfree/eol/
Alright bob, switch it over to the strongest legal encryption over here.
Gung'f tbbq. Yrg'f xvpx fbzr ovt-oebgure nff naq fhccbeg frangbe Trbetr'f vqrn gb oblpbgg nyy pbzzhavfg angvbaf.
Bu fuvg! Gurl'er ng zl qbbbe! Qnzavg, jrer lbh frevbhf jura lbh fnvq guvf jnf yrtny
You can't judge a book by the way it wears its hair.