Slashdot Mirror
Encrypted Cell Phone Hits the Market
notshannon writes "Reuters
reports
about a new cell phone which automatically
encrypts communications. Of course, the
matching handset will decrypt the message.
Security doesn't come cheap, around $4000
per pair, but it's probably as reliable as anyone
in these parts could wish. Favorite quote:
'We allow everyone to check the security for themselves, because we're the only ones who publish the source code,' said Rop Gonggrijp at Amsterdam-based NAH6.
Amusingly, the article cites government.nl and not
nsa.gov as the world's most prolific phone tapper."
Rather than pay $4K to encrypt your phone calls, do what I do: don't have anything worth saying
It really doesn't matter if they are $4000... so where the original motorola brick phones. Hopefully these will give other companies ideas on how to make them better/faster/cheaper.
Wow, $4,000 per pair? That seems awfully high, but I'd imagine there are many legitimate uses of such technology, that may interest people to shell out that much cash. For instance, credit card authorization, police communication, and drug trafficking come to mind. I work for the second-largest supplier of solid-gold cell phones and pagers, which are often used by celebrities and collectively engaged urban businessmen, and I could certainly see where many of our clients would have use for this kind of device.
I am a little concerned, though, that this kind of technology might fall into the wrong hands. For instance, have the manufacturers considered the applications for which terrorists might use these? I hardly think that the NAH6 would like to see their products used to slaughter innocent Americans, or even Amsterdaminians. Encryption is certainly a worthwhile tool, but I think it's far more likely to be exploited by the wicked than the virtuous, as it's the bad guys who've got something to hind.
Perhaps I would be more supportive of NAH6 if they were to provide a backdoor for the NSA, FBI, CBS and the ALF. These organizations, then, could catch evil-doers in the act before they can inflict massive damage to our American way of life. Truly, the only way to secure our liberty is government supervision of the most invasive sort.
....for doing a PGP extension to Mailman.
The patch file alone is 56 KB... looks like they put in some effort on that one. Pretty cool.
The Army reading list
that will become " ? nac uoy reah em won"
real /.ers don't use expensive encryption phones, they do the math themselves, and then encrypt signals by waving a magnet near the phone.
The IT section color scheme sucks.
Doesn't this seem of limited use?
I mean if it only encrypts for other cellphones of it's type on it's network the usability is rather limited.
You might as well use encrypted walkie talkies, it's not too different when you think about it.
Google Toolbar is SPYWARE!
So.. you buy a pair at a time and these phones can only talk to each other securely? Or is there some way to exhange keys?
My sig can beat up your sig.
Oh yes, I'm being sarcastic...
Personally, I am flat-out amazed that this kind of thing hasn't taken off much sooner. There is a public outcry right now about "Privacy" and all kind of laws are being enacted to ensure consumer protection of personal information. So why isn't there a much higher demand from consumers for "Privacy" when it comes to data transmission and data storage? It's not like it's hard from a technology standpoint. Encrypted communications have been around since long before cellular phones. We just need more people asking for it to see this kind of thing standard in phones, bluetooth, 802.11, etc.
SCO.com uses Linux
see this page for further information (in English).
Are these available in the U.S.? The last time encrypted cell phones made the news there were no plans of selling them in the U.S.
Well, since Bill IS focusing so strongly on security, I feel comfortable relaying most personal, intimate, potentially volatile information over these phones.
I also wear my Social Security number on a t-shirt, yell out the numbers of my PIN at ATMs and throw my credit cards at little children as if they were candy.
give me a break.
sulli
RTFJ.
" Security specialists in the Netherlands said the device could threaten criminal investigation by the Dutch police, which is one of the world's most active phone tappers, listening in to 12,000 phone numbers every year."
The article states "one of the world's most active phone tappers" not "the world's most active phone tappers". The US had fairly stringent policies against phone tapping citizens (ie the police and FBI, not the NSA). I'm sure the NSA is not giving out statistics on how many wiretaps it does a year, but the NSA is (supposedly) forbidden from investigating within the US.
Does anyone else find it weird that its collectively called "the Dutch police?" Are they referring to all local law officials or some national law enforcement agency? Just curious...
can be found at CryptoPhone's Picture Page
looks like one of those phone/PDA's in one.
FSB, formerly known as KGB. On numerous occasions they've ordered the Russian phone companies to turn off even the weak GSM encryption and wiretapped whoever they wanted. They also release "proslushki" (wiretaps) of some politicians talking on the phone on some "independent" web sites almost weekly. BTW, in Russia they don't need the warrant issued by a court to do this. Basically every god damn cop can wiretap whoever he wants if he has the gear. Too bad the use of cryptography (except for the government-approved algorithms) is not allowed in Russia.
real slashdotters don't have anyone to call in the first place
--
the strongest word is still the word "free"
I think we slashdotted the entire government of the Netherlands.
I noticed that your CryptoPhone is based on Windows CE / PocketPC. Isn't this a security risk?
The current version of the CryptoPhone runs on top of a heavily modified and stripped down Microsoft PocketPC2002 ROM. The reason is that we wanted an affordable and well researched platform that offered sufficient performance for the speech encoding and crypto functions.A Pocket PC based system was chosen as the first platform for CryptoPhone because it was the only sufficiently fast device allowed us to do software integrity protection in ROM and the stripping of unnecessary functions.
The only commercially available alternative at the time of the necessary development decision was Symbian. Symbian is even more closed source (Windows CE is open source for developers in most parts) and was available only on a more expensive hardware platform. There was (and still is) no viable mass-market Embedded Linux based hardware with sufficient performance, stability, hardware integration and availability on the market at decision time, so we were not able to pursue this alternative.
We are aware that there are risks associated with using any Windows platform and we have taken a number of measures to mitigate these risks as best we could. We removed applications, communication stacks and system parts that are unnecessary for the CryptoPhone operation and which may cause potential security problems. You should not install third party software on the CryptoPhone to prevent software based attacks on the firmware integrity. The firmware update mechanism is cryptographically secured.
First, cell-phone encryption has AT LEAST been available (weak or otherwise) in GSM since 1990. Sure, it is crackable, but it takes hours to do... making it impractical for eavesdropping on a conversation in real-time.
Ok... let's say you're not happy with the encryption. This product will have use in every part of the world *except* the US because, I believe, encrypted voice transmission is illegal. Heck, there have even been home cordless phones available for years that would encrypt only between the handset and the base station... and you're not allowed to have them in the US for that same restriction.
So... either you're going to spend a lot of money to gain encrypted communication that you could more cheaply acquire with other technologies, or you won't be allowed to use it (in the US) without giving the government a backdoor to listen in. For $4K? Forget it.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
Wasn't GSM supposed to be encrypted as well, but the algorithm was found to be extremely trivial to crack?
How long until that happens with these technologies? I'd hope a long time, for $4000/pair.
Nobody verifys keys for webpages, email or ssh right now. How many times have you seen "HOST KEY HAS CHANGED" or "host key not found" and typed "yes" anyway?
The good news is that if people really understood crypto, key exchange would be easy. You meet in person, establish a bluetooth link, swap public keys and verify fingerprints.
The bad news is that nobody will do this, or the phone won't support it (article didn't say how key exchange happens)
So when Joe calls and it says "incoming encrypted call" are you going to answer it because you know and like Joe, even though you've never exchanged keys with him?
Key exchange can't be done through a trusted third party (except the company you work for) because there is no trusted third party. Even if you trust Bob, and he trusts Mary, you don't know where their dirty phones have been.
If your work is the trusted third party, they'll probably hold copies of your private keys so calls can be monitored later if needed. (Hopefully the phone ethier allows you to generate a new key whenever you want, or doesn't allow exporting of it's private key. Hopefully both)
Don't get me wrong, I want one. Real bad, but not $4k bad, not to test out someones (probably flawed) cryptosystem.
Even if they understand crypto and got it right, the user still has to understand it to make it all work.
If I had about 10 of these I'd give one to each of my friends and make sure they only accept encrypted calls from known keys. I'd also make the screen light up in red or green or something to show it's an encrypted call.
Then we could talk about Joe behind his back, with no chance of interception from governments.
So yeah, anyone got a real use for these?
Of course, the matching handset will decrypt the message.
As opposed to those phones where the matching handset doesn't decrypt the message. Too bad the market for those isn't larger. I have quit a few algorithms that can encrypt voice into something that can never be decrypted.
Outdoor digital photography, mostly in New Engl
yea... but they really mean drug dealers, terrorists, etc.
Don't get me wrong, I think personal privacy is very
important (for individuals as well as 'executives'), however
I think this technology is just begging to be abused.
just my 2 cents...
Get real.
Look.. law enforcement snoops on phones because they can, not because from day 1 it was required by law to let them. Yes, there are rules in the US and elsewhre that require companies to make it easier for law enforcement to snoop.. but still.
Just because some form of communication exists does NOT mean you need to make it's contents available to the government upon request.
You have the RIGHT to encrypt your communications, and keep them private, as do terrorists.
I think maybe you are a troll, though.
Encryption isn't illegal, except for a few limited cases, like amateur radio. The government is more subtle than that. If you are doing something that needs a FCC license, type acceptance or other government paperwork, your paperwork will be approved much more quickly if you have a "cooperative attitude".
Mea navis aericumbens anguillis abundat
Now imagine a steganography-capable cell phone! The wire-tapping people wouldn't even know the call is encrypted and just hear a totally different conversation.
(And yes - if someone tries to patent this, this counts as prior art)
"I'm using the SCRAMBLER..."
Scene: A youngish, slightly geeky guy wandering with his cell phone. Enters from the right.
guy: "can you hear me now?"
phone: "!@$(U*HAa9810"
guy: "... good?"
(lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance, lameness filter avoidance)
You can download PGPFone for free or do what I did involving cat'ing dsp through the stdin of gpg, and into netcat, and the reverse at the other end. Can't remember the exact switches - man gpg, and man nc.
Get your own free personal location tracker
Not only that, but also a pseudo-random frequency hopping feature is also included in the scheme, so that recording a conversation from the radio waves in order to perform a later brute-force attack on it could be made impossible.
There are, however, several problems when coming down to reality in the application of the GSM standard:
So, in a real world where the operator could be trusted and there weren't political restrictions about it, GSM could give the user privacy, but the fact is that it doesn't.
If the devices in the article provide end-to-end, user-controlled crytography, then they have their value indeed.
Real programmers don't use compilers. Good old
c:\>copy con program.exe
works just fine.
3.243F6A8885A308D313
Actually, the algorithm might be secret, but in that case it has to be:
So in other words, if you have a secret algorithm you have to handle it just like the keys, i.e. distribution of such an algorithm as part of software package is absolutely unacceptable.
One could argue that a public algorithm plus the key is in fact a secret algorithm. That's true. But keeping the keys secret and easily replaceable is all one needs to do to make this algorithm+key combination secret, if the algorithm itself is designed competently, like AES or Twofish.
Just keep secrets secret---that's a no.1 rule of cryptology.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Gongrijp knows what he's talking about. He was one of the founders of Hacktic magazine, a "magazine for techno-anarchists" that was published from 1989 till 1994. Hacktic publications included schematics for pay television descramblers, detailed expositions of operating system vulnerabilities, articles on "social engineering" (I think they might even have coined the phrase), and numerous topics on hacking the phone company ("phreaking") and war dialing.
These guys have also organized some huge hacker conferences such as Hacking at the End of the Universe in 1993 and Hacking In Progress in 1997 (I was there in '97). Later Hacktic professionalized and they became the first ISP in the Netherlands. Still later that turned into XS4ALL, probably the best ISP in the Netherlands.
Through everything, Gongrijp ("Public Enemy #1") was a driving force. If he says the phone is secure, then that's a pretty damn strong endorsement.