Encrypted Cell Phone Hits the Market
notshannon writes "Reuters reports about a new cell phone which automatically encrypts communications. Of course, the matching handset will decrypt the message. Security doesn't come cheap, around $4000 per pair, but it's probably as reliable as anyone in these parts could wish. Favorite quote: 'We allow everyone to check the security for themselves, because we're the only ones who publish the source code,' said Rop Gonggrijp at Amsterdam-based NAH6. Amusingly, the article cites government.nl and not nsa.gov as the world's most prolific phone tapper."
Rather than pay $4K to encrypt your phone calls, do what I do: don't have anything worth saying
Wow, $4,000 per pair? That seems awfully high, but I'd imagine there are many legitimate uses of such technology, that may interest people to shell out that much cash. For instance, credit card authorization, police communication, and drug trafficking come to mind. I work for the second-largest supplier of solid-gold cell phones and pagers, which are often used by celebrities and collectively engaged urban businessmen, and I could certainly see where many of our clients would have use for this kind of device.
I am a little concerned, though, that this kind of technology might fall into the wrong hands. For instance, have the manufacturers considered the applications for which terrorists might use these? I hardly think that the NAH6 would like to see their products used to slaughter innocent Americans, or even Amsterdaminians. Encryption is certainly a worthwhile tool, but I think it's far more likely to be exploited by the wicked than the virtuous, as it's the bad guys who've got something to hide.
Perhaps I would be more supportive of NAH6 if they were to provide a backdoor for the NSA, FBI, CBS and the ALF. These organizations, then, could catch evil-doers in the act before they can inflict massive damage to our American way of life. Truly, the only way to secure our liberty is government supervision of the most invasive sort.
....for doing a PGP extension to Mailman.
The patch file alone is 56 KB... looks like they put in some effort on that one. Pretty cool.
The Army reading list
that will become " ? nac uoy reah em won"
real /.ers don't use expensive encryption phones, they do the math themselves, and then encrypt signals by waving a magnet near the phone.
The IT section color scheme sucks.
Doesn't this seem of limited use?
I mean if it only encrypts for other cellphones of its type on its network the usability is rather limited.
You might as well use encrypted walkie talkies, it's not too different when you think about it.
Google Toolbar is SPYWARE!
So.. you buy a pair at a time and these phones can only talk to each other securely? Or is there some way to exchange keys?
My sig can beat up your sig.
Oh yes, I'm being sarcastic...
Personally, I am flat-out amazed that this kind of thing hasn't taken off much sooner. There is a public outcry right now about "Privacy" and all kinds of laws are being enacted to ensure consumer protection of personal information. So why isn't there a much higher demand from consumers for "Privacy" when it comes to data transmission and data storage? It's not like it's hard from a technology standpoint. Encrypted communications have been around since long before cellular phones. We just need more people asking for it to see this kind of thing standard in phones, bluetooth, 802.11, etc.
SCO.com uses Linux
see this page for further information (in English).
Are these available in the U.S.? The last time encrypted cell phones made the news there were no plans of selling them in the U.S.
Well, since Bill IS focusing so strongly on security, I feel comfortable relaying most personal, intimate, potentially volatile information over these phones.
I also wear my Social Security number on a t-shirt, yell out the numbers of my PIN at ATMs and throw my credit cards at little children as if they were candy.
give me a break.
sulli
RTFJ.
"Security specialists in the Netherlands said the device could threaten criminal investigation by the Dutch police, which is one of the world's most active phone tappers, listening in to 12,000 phone numbers every year."
The article states "one of the world's most active phone tappers" not "the world's most active phone tappers". The US had fairly stringent policies against phone tapping citizens (i.e. the police and FBI, not the NSA). I'm sure the NSA is not giving out statistics on how many wiretaps it does a year, but the NSA is (supposedly) forbidden from investigating within the US.
Does anyone else find it weird that it's collectively called "the Dutch police?" Are they referring to all local law officials or some national law enforcement agency? Just curious...
FSB, formerly known as KGB. On numerous occasions they've ordered the Russian phone companies to turn off even the weak GSM encryption and wiretapped whoever they wanted. They also release "proslushki" (wiretaps) of some politicians talking on the phone on some "independent" web sites almost weekly. BTW, in Russia they don't need the warrant issued by a court to do this. Basically every god damn cop can wiretap whoever he wants if he has the gear. Too bad the use of cryptography (except for the government-approved algorithms) is not allowed in Russia.
real slashdotters don't have anyone to call in the first place
--
the strongest word is still the word "free"
I noticed that your CryptoPhone is based on Windows CE / PocketPC. Isn't this a security risk?
The current version of the CryptoPhone runs on top of a heavily modified and stripped down Microsoft PocketPC2002 ROM. The reason is that we wanted an affordable and well researched platform that offered sufficient performance for the speech encoding and crypto functions. A Pocket PC based system was chosen as the first platform for CryptoPhone because it was the only sufficiently fast device that allowed us to do software integrity protection in ROM and the stripping of unnecessary functions.
The only commercially available alternative at the time of the necessary development decision was Symbian. Symbian is even more closed source (Windows CE is open source for developers in most parts) and was available only on a more expensive hardware platform. There was (and still is) no viable mass-market Embedded Linux based hardware with sufficient performance, stability, hardware integration and availability on the market at decision time, so we were not able to pursue this alternative.
We are aware that there are risks associated with using any Windows platform and we have taken a number of measures to mitigate these risks as best we could. We removed applications, communication stacks and system parts that are unnecessary for the CryptoPhone operation and which may cause potential security problems. You should not install third party software on the CryptoPhone to prevent software based attacks on the firmware integrity. The firmware update mechanism is cryptographically secured.
Nobody verifies keys for webpages, email or ssh right now. How many times have you seen "HOST KEY HAS CHANGED" or "host key not found" and typed "yes" anyway?
The good news is that if people really understood crypto, key exchange would be easy. You meet in person, establish a bluetooth link, swap public keys and verify fingerprints.
The bad news is that nobody will do this, or the phone won't support it (article didn't say how key exchange happens)
So when Joe calls and it says "incoming encrypted call" are you going to answer it because you know and like Joe, even though you've never exchanged keys with him?
Key exchange can't be done through a trusted third party (except the company you work for) because there is no trusted third party. Even if you trust Bob, and he trusts Mary, you don't know where their dirty phones have been.
If your work is the trusted third party, they'll probably hold copies of your private keys so calls can be monitored later if needed. (Hopefully the phone either allows you to generate a new key whenever you want, or doesn't allow exporting of its private key. Hopefully both.)
Don't get me wrong, I want one. Real bad, but not $4k bad, not to test out someone's (probably flawed) cryptosystem.
Even if they understand crypto and got it right, the user still has to understand it to make it all work.
If I had about 10 of these I'd give one to each of my friends and make sure they only accept encrypted calls from known keys. I'd also make the screen light up in red or green or something to show it's an encrypted call.
Then we could talk about Joe behind his back, with no chance of interception from governments.
So yeah, anyone got a real use for these?
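The policy described in the comment above (swap keys in person, verify fingerprints, then accept encrypted calls only from known keys) can be sketched as follows. This is an added example, not part of the original post or of the CryptoPhone code; the `KeyBook` class, its method names and the sample keys are hypothetical, and it assumes call setup has already proved that the caller holds the private key matching the presented public key.

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    TRUSTED = "key matches the one verified in person"
    UNKNOWN = "no key was ever exchanged with this caller"
    CHANGED = "caller presents a different key than the pinned one"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the raw key, grouped so two people can read it aloud."""
    digest = hashlib.sha256(public_key).hexdigest()
    return ":".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class KeyBook:
    def __init__(self):
        self._pins = {}  # contact name -> fingerprint confirmed face to face

    def pin_in_person(self, contact, received_key, fingerprint_read_aloud):
        """Pin only if what arrived over the link matches what was read out."""
        ours = fingerprint(received_key)
        if not hmac.compare_digest(ours, fingerprint_read_aloud.strip().lower()):
            return False  # key was swapped in transit; do not store it
        self._pins[contact] = ours
        return True

    def check_call(self, contact, presented_key):
        pinned = self._pins.get(contact)
        if pinned is None:
            return Verdict.UNKNOWN
        if hmac.compare_digest(pinned, fingerprint(presented_key)):
            return Verdict.TRUSTED
        return Verdict.CHANGED  # the "HOST KEY HAS CHANGED" case: refuse


def accept_call(book, contact, presented_key):
    """Policy from the comment: only calls from known, unchanged keys."""
    return book.check_call(contact, presented_key) is Verdict.TRUSTED


# Constructed sample keys (placeholder bytes, not real key material).
MARY_KEY = b"constructed-public-key-mary"
MITM_KEY = b"constructed-public-key-attacker"
```

Keeping `UNKNOWN` and `CHANGED` as separate verdicts lets the handset show a different warning for "never exchanged keys" than for "key differs from the pinned one", which is the case people habitually click through.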
Encryption isn't illegal, except for a few limited cases, like amateur radio. The government is more subtle than that. If you are doing something that needs a FCC license, type acceptance or other government paperwork, your paperwork will be approved much more quickly if you have a "cooperative attitude".
Mea navis aericumbens anguillis abundat
No, not quite true. The strongest encryptions are not based on no one knowing the algorithms - in fact most cryptographers do not regard an algorithm as secure unless it has been exposed. The strength lies in the keys generated.
For example, the RSA algorithm is available. But currently most people do not have the computing power necessary to decipher the keys to the transmission.
Random Musings
Not only that, but also a pseudo-random frequency hopping feature is also included in the scheme, so that recording a conversation from the radio waves in order to perform a later brute-force attack on it could be made impossible.
There are, however, several problems when coming down to reality in the application of the GSM standard:
So, in a real world where the operator could be trusted and there weren't political restrictions about it, GSM could give the user privacy, but the fact is that it doesn't.
If the devices in the article provide end-to-end, user-controlled cryptography, then they have their value indeed.