Slashdot Mirror
Feds Want to Tap VoIP
An anonymous reader writes "From the Globe and Mail: The FBI and the U.S. Justice Department have renewed their efforts to wiretap voice conversations carried across the Internet. Federal and local police rely heavily on wiretaps. In 2002, the most recent year for which information is available, police intercepted nearly 2,200,000 conversations with court approval, according to the Administrative Office of the U.S. Courts. Wiretaps for that year cost taxpayers $69.5 million, and approximately 80 per cent were related to drug investigations."
Well, because there are some legitimate reasons to tap communications of any sort (as in, got a judge to OK it), I figure that it was bound to happen at some point. Though it still creeps me out and makes me eagerly anticipate a nice encrypted VoIP client...
Nautlius is VoIP that uses Blowfish as the cipher.
Here's the home page. Get the software here. It hasn't been updated in awhile, but maybe now there's more of an incentive to do so.
Is this truly the only Earth I can live on?
That's why I'll continue to encrypt all important (and unimportant!) conversations. For email I always use GPG (regardless of how important the message is). For VoIP, if I ever use it, I'll be sure to send the voice data through encrypted channels. Frankly, there's no excuse for not encrypting everything. Let them make laws; beat them with the tech.
:)
/dev/urandom) to your friends :) That will never be illegal, and encrypted data is the same as random data without the key!
And when they outlaw the tech, remember that you can learn how to write encryption software yourself. See Ciphersaber. There you'll learn to write your very own crypto code, and you'll remember how to do it again. I did it a few months ago and could still code something decent up
So don't worry about this. Just encrypt, and when encryption becomes illegal send lots of random data (netcat
My other car is first.
Feds have had the power to get secret warrents from judges from the FISA court since 1978. These judges have never denied American law enforcement a warrant to surveil a conversation.
So under the secret and unchecked FISA court, their powers are essentially unlimited.
This just means they are going through the formality of asking permission - if they don't get it, they'll get it through FISA anyway.
"The FCC should ignore pleas about national security and sophisticated criminals because sophisticated parties will use noncompliant VoIP, available open source and offshore," said Jim Harper of Privacilla.org, a privacy advocacy Web site. "CALEA for VoIP will only be good for busting small-time bookies, small-time potheads and other nincompoops."
Mr. Harper is absolutely correct, anyone with a little bit of sophistication can think of numerous ways around this legislation. Sorry Unlce Sam but the cat's out of the bag and there is no putting it back. Of course this will still be useful at catching small time drug dealers/users, and is another example of the drug war eating away at civil liberties.
The right to privacy is spread implicitly throughout the Bill of Rights. But when the United States Constitution was framed, the Founding Fathers saw no need to explicitly spell out the right to a private conversation. That would have been silly. Two hundred years ago, all conversations were private. If someone else was within earshot, you could just go out behind the barn and have your conversation there. No one could listen in without your knowledge. The right to a private conversation was a natural right, not just in a philosophical sense, but in a law-of-physics sense, given the technology of the time.
But with the coming of the information age, starting with the invention of the telephone, all that has changed. Now most of our conversations are conducted electronically. This allows our most intimate conversations to be exposed without our knowledge. Cellular phone calls may be monitored by anyone with a radio. Electronic mail, sent across the Internet, is no more secure than cellular phone calls. Email is rapidly replacing postal mail, becoming the norm for everyone, not the novelty it was in the past.
Until recently, if the government wanted to violate the privacy of ordinary citizens, they had to expend a certain amount of expense and labor to intercept and steam open and read paper mail. Or they had to listen to and possibly transcribe spoken telephone conversation, at least before automatic voice recognition technology became available. This kind of labor-intensive monitoring was not practical on a large scale. It was only done in important cases when it seemed worthwhile. This is like catching one fish at a time, with a hook and line. Today, email can be routinely and automatically scanned for interesting keywords, on a vast scale, without detection. This is like driftnet fishing. And exponential growth in computer power is making the same thing possible with voice traffic.
Perhaps you think your email is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards? Why not submit to drug testing on demand? Why require a warrant for police searches of your house? Are you trying to hide something? If you hide your mail inside envelopes, does that mean you must be a subversive or a drug dealer, or maybe a paranoid nut? Do law-abiding citizens have any need to encrypt their email?
What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity.
Senate Bill 266, a 1991 omnibus anticrime bill, had an unsettling measure buried in it. If this non-binding resolution had become real law, it would have forced manufacturers of secure communications equipment to insert special "trap doors" in their products, so that the government could read anyone's encrypted messages. It reads, "It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications se
This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
Wouldn't any real criminal run his VoIP through a VPN or some other encrypted tunnel, thus making difficult for the Feds to know that it is a VoIP session, let alone decrypt it and understand it? See, the problem with PCs is that they are general purpose devices that allow you to execute arbitrary algorithms -- or even add proprietary hardware to do hardware encryption. So, other than knowing what IP address a suspect is talking to, what good is the wiretap going to do them?
"Freedom means freedom for everybody" -- Dick Cheney
How do they propose to tap VOIP conversations over private networks? I can understand how federal regulations might get them permission to tap into the networks of the growing VOIP phone providers, but a lot of people (companies, geeks) set up their own internal VOIP networks over IPSEC, secure VLAN's and other such things that would be nearly(?) impossible to detect as VOIP traffic. Not to mention p2p type VOIP clients like those built into the various instant messenging programs that are, well, peer to peer, and don't go through some central server.
Do you really need reason for beer? Wingman Brewers
I almost feel like setting up two VoIP lines, using one to call the other, then have a perpetually repeating recording playing over the line with every keyword and phrase they could possibly be looking for interspersed with me screaming "HA HA! GOTCHA! GET BACK TO DOING SOMETHING USEFUL!" .
Hang on, there's a knock at [Lost comm with host]
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
That's nice for you, but I wouldn't trade my privacy in silly conversations for the (illusion of) safety in America. Neither would a lot of other people. The problem is, you can't just trade your privacy by endorsing wiretaps. You're trading everyone's privacy. Perhaps you'd like to write a letter allowing the government to listen to all the conversations they want, read your emails, and rifle through your files, but don't speak for the rest of the country.
The whole point of the article is that the FBI does not want to actually do the tapping. They want Vonage, Packet8, etc. to do the tapping for them.
If you're using IP-to-IP VoIP instead, the FBI will just use Carnivore.
If you're using crypto, the FBI will just break into your house/office and backdoor your computer.
Not true. I have nothing to hide - I still don't wnat Uncle Sam listening to everything I do. Some of us still believe in privacy.
On a side note, sometimes people have things to hide with good reason. A number of the founding fathers lived as long as they did because of Privacy. A number of blacks were better off because records could be kept from corrupt local governments. People have been persecuted by scientology for speaking out against it - sometimes privacy is the only safeguard. Can you honestly say you trust every single person who has access to your data (government or not) to act in your best interest, or at least the best interest of the country. Here's a hint: if the government can beat it, someone else can too.
I'll take my privacy, thank you very much. The only way to stop power from being abused is to not grant it in the first place. Our society is based on individual freedom - for example, the whole "guilty until proven innocent" thing. Our constitution is set up to let the guilty go free rather than imprison the innocent, should a conflict arise. Would placing the burden of proof on the defense (or eliminating the trial altogether) mean fewer criminals went free? Of course! Would more innocent mean be imprisoned? Of course.
Is it worth it? Hardly. From what I hear, though, if you like that sort of thing, Cuba is not hard to get into.
Contact Me (got tired of viruses emailing me).
For the past few weeks Cryptome has featured a link to an FBI document detailing the means by which such surveillance might take place. This is all just additional evidence that those wanting real security must implement (or at least verify) it themselves.
Which is exactly why the whole thing is silly. Do people really make unsolicited phone calls to discuss their criminal intentions with strangers, or do they usually only discuss these things with people they already know well, and thus are capable of distributing 1024-bit keys to before hand? Last time I checked, Al Queda wasn't using cold-calling to recruit new suicide bombers...
"Freedom means freedom for everybody" -- Dick Cheney
This would, of course, be a terrific argument in my mind, to just get over ourselves and find a better way to deal with drugs; i.e. make them legal in such a way so that people can have a good time and not pose too much of a threat to society (such as the laws pertaining to alcohol). 'Course that's just my opinion, I could be wrong.
What makes you think that Uncle Sam is going to listen to "everything you do"? Remember, this law doesn't give the gov't carte blanche to listen to the conversations of anyone it chooses to. It must show a court of law that there is sufficient reason that you are using the phone lines to commit a felony. All this law does is put VoIP on the same legal standing as traditional phone lines, with regards to wiretapping.
Equating the gov't trying to stop the illegal actions of mobsters and drug dealers with a police state is pointless hyperbole. There may be issues with wiretapping laws, but your posting certainly doesn't convince me. If there is anything wrong with this statute you'll have to find a better arguement.
C - A language that combines the speed of assembly with the ease of use of assembly.
Last time I checked, Al Queda wasn't using cold-calling to recruit new suicide bombers...
See? That nation-wide no-call list is good for *something*!
Ce n'est pas un vrai mouvement de robot!
BTW, this same article is also available over on news.com.com. Anyway, lemme quote:
"The agencies have asked the Federal Communications Commission to order companies offering voice over Internet Protocol (VoIP) service to rewire their networks to guarantee police the ability to eavesdrop on subscribers' conversations."
Think about that one for a minute. How is a VoIP provider going to ensure that? There is only one way, turn off and disable all use of encryption in their VoIP network, unless the provider has access to the keys used.
Now think of IM networks, email servers, or just about any other Internet service. What are they going to do, outlaw all "non-sanctioned" client software using encryption? Are we gearing up for another Clipper Chip fiasco here?
FCC chairman Michael Powell has just come down on the side of VoIP providers saying, in part:
"Rapidly expanding voice communications over the Internet should be protected from excessive government regulation and from being pigeonholed as simple phone service". He goes on to say "harm from misregulation of VoIP could take "decades to fix."
"You [can] create a very hostile regulatory environment for voice-over-IP providers in the United States," Powell said.
He added "there is nothing to stop" the companies from moving to other countries and setting up computer systems to serve U.S. customers.
Exactly. Welcome to the Internet age.
And remember kids: Never trust a computer you can actually lift.
taken from their "EULA"
(c) the skype software is utilized and distributed by third parties
which are unrelated to skyper. you acknowledge that installation of
the skype software will allow third parties who are not affiliated
with skyper the ability to access your computer ("outside parties").
you agree that skyper will not be liable for any damage, claim or loss
of any kind whatsoever, including but not limited to indirect,
incidental, special or consequential damages as stated in paragraph
9(a) above, resulting from any actions or omissions of the outside
parties.
Bottom line: Skype is a backdoor to the machines it is installed on -
for some undisclosed "third parties", not really what you want to hear when it comes to "secure" software egh
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Note that this article of the consitution does not say no searches and seizures. Just unreasonable ones. The courts have determined that with probable cause (and your definition is wrong, btw) a telephone may be tapped.
Oh, and also, the Tenth comes to mind here.. nowhere in the Constitution is the Federal Government granted the right to tap telephones, therefore they don't have it.
Yes, because clearly the Founding Fathers hated it when the British would tap their telephones....
C - A language that combines the speed of assembly with the ease of use of assembly.
I'm not saying legalize everything, just treat addiction to hard drugs as a medical issue and let medical doctors prescribe for maintance while helping their patients. Marijuana (something much safer than alcohol) needs to be legalized and taxed.
Get the facts about marijuana. End the drug war now.
"And a voice was screaming: 'Holy Jesus! What are these goddamn animals?'" - HST
Personally, it seems to me that VoIP is pretty cut and dry in this matter: it is a "telecommunications carrier". It is simply a new medium for the same thing we did on copper lines.
The most difficult (and dangerous) aspect is things like IM services with voice capacity. Actually, anyone two people with microphones and email could evade the police and FBI pretty easily by recording small sound files and emailing them (possibly even encrypting them to be sure). In such a case as this, where communications begin to forgo the use of any third-party to facilitate the information between two people, we will see a lot of hot debate.
When communications as distributed and "P2P" as this become more common place, many questions will be raised. But, we must look at how things would have to be implemented, before we can judge the rules that must be applied to them. Can we mandate that wiretaps must be available even for peer-to-peer exchange of communications? Would we then need to make requests directly to those being tapped, or those they are in contact with, stating they must, for a specified time, transmit all communications to the authoritive agencies for monitoring? Surely, no one would comply! Then, should the ISPs and backbone servers scan all packets for personal communications to or from individuals on a national "Tapped List"? But, what of all the data they would have to peak into to find these few, when most they have no right to touch, except to pass along?
We sail to rough waters. I pray for us all.
Question
http://www.ironfroggy.com/
Wow, you should really take off the tinfoil hat and read up on cryptography a little before your next post.
The secrecy of a cypher should rely entirely in the key (see D. A. Kerckhoffs). Put another way, knowing the algorithm used should not compromise a good cypher. In fact, most of the better, more trusted cyphers are published, and have been subjected to many many man-years of cryptanalysis without yielding attacks that do much better than brute force key searches (which is why we trust them and conversely why propriatary/homebrew/secret algorithms are shunned).
In the case of blowfish, to my knowledge there are no known attacks that are effective against the full 16-round cypher. There are weak keys, but it's unlikely that such keys are exploitable in practice. So it would seem unlikely (though not impossible) that blowfish has been successfully attacked by NSA. So given a large enough keyspace, the NSA would have to be willing to dedicate a large number of CPUs/FPGAs to a brute force attack. Since blowfish supports keylenghts up to 448bits, such attacks could take a while even with NSA's extensive resources. [In this context, "a while" means effectively never.]
The good:
--If there is a wiretap, they are only getting your conversation, and not ever piece of data your computer spits out. It looks like they would need a different warrant for that too.
--The tap would be located not at your ISP, but at your VOIP provider. This helps guarantee privacy for the people not specified in the warrant.
--This places VOIP on more of an equal footing as traditional phone services. If they are legally the same for what they have to provide the cops, they could then argue they are the same legally when it comes to their protection as common carriers.
The bad:
--The VOIP companies would have to re-wire their networks so that all conversations go through a tappable trunk line. That, or they would have to set up infrastructure to siphon off individuals phone calls to a 3rd location (which is what I would prefer. Let the VOIP provider pull a copy of the conversation off the trunk line instead of the cops). This means more $ needed in development and implementation.
--Requlation may (ok, probably will) stifle innovation. By regulating things like how a wiretap is to be done, it will be harder for open source and closed source products to work in multiple countries. This then leads to problems with interoperability between national networks.
Overall, I don't see this as too alarming.
Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
If criminals were smart, they would be running telcoms or energy companies, or on Wall Street, hyping Internet stocks. Oh, wait....
The real "Libtards" are the Libertarians!
Many of the people responding to this thread are missing the big picture.
There will always be a screw-you-I'm-doing-this-the-OSS-way-with-crypto solution available. What does this solution cost? Well you might think it's free.
It isn't.
By adopting some OSS mechanism to communicate with whomever you choose, you impose a burden on the other party, namely, they have to install and have access to the same (or compatible) OSS VoIP software.
While this might be great for you and your hacker buddies, it won't help you call your parents, grandma, or your fiancee. It also won't help you call your doctor, lawyer, investment partner, stock broker or bank.
Wait, there's more going on here.
There are technical implication for the service providers. Most of the better designed VoIP protocols (like SIP, as an example) are all about establishing sessions. There is a location service somewhere that a user-agent (UA) (phone) can find, based on the number or URI that you call. This location service will either proxy your connection request to the other client, or it will redirect your user-agent to contact the other party directly. (Think HTTP 302 response code -- in fact -- SIP uses the same structure).
Once your UA has contacted the other party, some handshaking happens where you try to figure out what CODECs you will use to exchange audio, video, facsimile, IMs etc. Then end result is a collection of sessions directly between the user-agents that called one another.
Let me make that REALLY clear. Beyond the proxy / location service, the VSP (voice provider) is not in ANY way involved in the media flows. Why should it be? It doesn't care.
Enter CALEA requirements -- which are really poorly laid our I might add -- suddenly the VSP must carry the media and relay it to the other party and optionally duplicate each CODEC frame and send it to some black box (or red box as the case may be).
This has serious consequences on bandwidth consumption for VSPs.
But they can just do this when there is a tap! (You object)
And I counter with the fact that such an arrangement violates the CALEA requirements that a party subject to monitoring cannot know that they are under surveillance. End result? All media MUST flow through a choke point from which it could be duplicated.
This has catastrophic consequences on the bandwidth a VSP can expect to need to meet their service levels.
This may or may not be a Good Thing. I think it is NOT a Good Thing. One thing is certain, this issue is a very Material Thing for VSPs.
It's not the easiest program to use, but it does work well. It's development has been discontinued, but you can still get the source code if you get it quickly. I'd like very much to see someone pick up its development, or to at least use its technology in a new program.
Request your free CD of my piano music.
You can't rely on that as a protection. As a previous article about fed's use of the OnStar system to bug people in their luxury cars shows, there's been an important movement in the point between "tapping was accessable, so we did it" to "you are required to provide the tap." Yes, criminals will use more secure 1024-bit, perhaps even one-time pads, but the burden is now on EVERYONE else to get searched and siezed.
I see this as a HUGE deal. It doesn't matter that the real criminals will be using real encryption. The problem is that the Fed's want all networks to not only provide the tap, but do the collection work and carry the expense too.... Wire tapping has evolved from "the terminals on the phone were exposed, so we attached" to "you've got to build this capability into the system and carry the cost."
This is insane....no patriot would even consider allowing this.... Let's just pretend that we no longer have a "Bill of Rights".... or just that it simply has a dollar figure at the bottom that we're supposed to mail in....
>as in, got a judge to OK it
Its not 2000 anymore. Thanks to both Patriot acts (didnt you know the second one was passed in a spending bill?) judicial oversight is mostly a thing of the past. The constitutional protections we took for granted are gone. I don't know why John Ashcroft has such a problem with judicial oversight, but he does and Congress and the Executive branch not SCOTUS (as far as I can tell) don't seem to care much.
This is a very different America than just a couple years ago and we've already seen abuses with the Patriot act being used in non-terror cases like drug trafficking. This just opens up the door to more COINTELPRO and other FBI abuses.
Encryption is more important now than ever. Maybe when the post-911 hysteria and power grabs are over we can have faith in an iota in due process but right now "trusting your government" is the worst thing you can do. Worse, all justifications for recording communication can apply to all communication. If you agree with this, why not put little mics on every person in the country?
Not to mention, last I checked PGPfone is a free download and easy to use. If criminals wanted to speak freely they could use that with impunity.
All I can say is I worked as a R&D software engineer for Nortel Networks, and this is nothing new.
We were (and they still are) developing voice-over-ip infrastructure equipment (Succession as they call it) and it was -required- that we implement a way for feds to tap the lines before we could even consider rolling out and selling the product.
There are a lot of gov't requirements behind the scenes than you might realize (and people can't talk about)...
For example, I have heard from former PacBell CO technicians that the wiretap and pen trace rate in the Los Angeles area is staggeringly high -- in some offices, upwards of 10% of the circuits have some sort of "tap" installed (From a remote terminal, a tap looked the same as a simple trace device that only records the number dialed, not the voice traffic on the line).
Unless of course the reason there is a tap on your line is not to produce admissable criminal evidence, but because you (or the line) a politcal activist, a nosy reporter, associated with an unpopular political organization, or just chose to support the wrong candidate in the last election... If you want to know more about government abuse of wiretaps (and increase the likelyhood of being the subject of a wiretap yourself), just do a little research into the past and present of communications intercepts and abuse by the public and private sector -- COINTELPRO, CALEA, RISSNET, MAGLOCLEN, IN-Q-TEL, Takefuji, DSC1000.Or just pick up a newspaper and read about the neverending stream of FBI bugging devices found in Philadelphia over the past three months...
I do not deploy Linux. Ever.