FCC Rules VoIP Must Be Tappable
pengie2 writes "The FCC has unanimously approved the U.S. Justice Department's bid to expand CALEA to broadband and VoIP networks, according to reports from SecurityFocus and News.com. This means, following a mandatory public comment period, service providers will have to wire their networks for easy law enforcement surveillance, the way phone companies do now. The feds have wanted this for a long time." Ebon Praetor adds a link to Reuters' version, writing "In addition, the FCC has decided that the push-to-talk, or walkie-talkie, functions available on phones from Nextel should also be subject to the same tapping regulations that regular phones are."
PGP Phone. I don't care if it's law enforcement or not. I want to place a phone call in privacy and frankly I don't trust a huge organisation like the police to use their powers sparingly.
Encryption is the way gents.
Simon.
What's going to happen as voice service becomes more and more decentralized? What about Skype? AIM? Streaming ogg files over a SSH tunnel or IPsec?
What about open source VoIP packages? Is anyone who sets one up suddenly a "provider?"
Does voice chat over AIM / MSN Messenger need to be tappable yet? How long till they go after this?
Is it illegal to write a small voice chat application with some encryption without a backdoor for the feds?
I'm sorry but there is no way to stop people from communicating privately over the internet if they want to. It's a losing battle, that's costing companies that do fine work, such as VoIP far too much money.
Use an anonymous remailer, and MIME-wrap the actual message.
My understanding is that there's no restriction on intercepting communications between non-citizens under American law.
Disclaimer: I'm neither American nor a lawyer
It's a gray area. On the ham bands-"radio" in general, encryption is technically illegal. I've been waiting for them to rule thusly on wireless computer applications. So far, it doesn't appear to be, but give it time and it probably will be "ruled" that it is.
And maybe the Swiss, given where this site lives?
Last time I looked into the statistics, the FBI (or was it the CIA?) released some basic statistics about their phone tapping activities (such as how many, reasons for taps (such as drugs), etc) and they listed the number of times they encountered encrypted taps (it wasn't a very high percentage). What shocked me was the line that said the encryption never prevented them from listening to the conversations. So all this talk about encrypted VoIP is probably just a waste of time. Why do you think the NSA finally stopped pressuring the government to classify strong encrypting as a weapon (and thus limited by export laws) around 2000? Do you think it was because they had a change of heart, or that they figured a way to crack pretty much any encryption (PGP included) and no longer worry about losing control? I'm thinking the latter is more likely. So, when VoIP becomes common don't expect PGP et al to protect you from a snooping government. It will probably keep your neighbor from listening, but that's about it.
Space for rent, inquire within
Steganography. Hide your message in an image posted to alt.binaries.pictures.erotica. The feds might be able to figure out that a message was sent, but they won't have a clue who the recipient was.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
The police will get a warrant with your name on it and take it to your ISP and tell them to tap your VoIP traffic. Your ISP will recognize it the same way your receiver's client recognizes it. If it's encrypted the police will know you are using encryption. If you're worth enough to them, they'll crack it.
They've had it all along for the landlines, there's no reason to think they'd change their mind at this juncture.
Why zero-value ... well when you are using a dedicated (real/virtual) circuit/channel, then wire tapping is no/little problem. However, encrypted virtual channel VoIP may not be easily tapped, and (I suspect) there are a few ways to vary the path/packet. So, if you don't/can't tap the access/origination circuit and/or the destination termination, then .... VoIP in a sort of encrypt-jumping and path-hopping algorithm may be a little tough to tap. ... pick your path through 37 points/jumps and you use radio-protocol (the Roger-Wilco-Out stuff) for the time delay problem. ... you might catch something horrible or there is a pregnant pause ... in technology innovation.
Then again there is always PGP encrypted P2P
Controlling Technology is like fucking without a condom
I am sure this will help monitor the common law abiding citizens. Just like Gun-Control keeps guns away from criminals and their organizations.
Then again maybe the above ain't no problem to tap. We should all always know that we are being monitored for the good of the nation and blessings of god.
OldHawk777
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Just think, if you're a terrorist and you know that any communication that you make is subject to tapping what would you do about it?
You'd probably find a way to make your call blend in. I mean speaking in code.
Take this example.
"I just talked to mom. She said that she might need surgery on her colon. You should give her a call."
Sounds harmless, but what if it means
"I just talked to [the boss]. She[or he] said that [the time might be right to strike the power plant in city X]. You should [prepare and wait for the go signal]."
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
You can use VoIP with IPSec to secure your phone calls, as long as both sides have the right software installed. The IPSec encryption algorithms are up to you, so if you want to use Elliptic curve cryptography (as donated to OpenSSL by Sun), you can.
foo mane padme hum
Why would people start encrypting phone calls when they won't even use PGP? After all, phones haven't been encrypted in the past anyway.
I recently experienced some serious drop-out problems with my VoicePulse VOIP service. So I decided to take some packet dumps and see what I could determine with ethereal.
Well, the protocol analysis was excellent. And, sure enough, the dump of the data produced an audio file easily played with XMMS. I was shocked at how easy this was (and once again at how good ethereal is). I no longer have any illusions of privacy due to the 'obscurity' or complexity of the protocols.
So, next time your VOIP provider plays dumb over drop outs, give them a protocol analysis and an audio record of the problem.
What makes you think the government doesn't have some technology you can't even fathom?
If I were a terrorist interested in using the internet to pass messages the spooks would have a hard time even knowing where to look for it amongst the noise.
.given time, so I just won't give them that time.
And once they'd found it, and decrypted it, they'd still be left having to crack the code.
"Honey, could you pick up a chicken on the way home?" might mean "rent a van," "deliver the bomb now," or "Honey, could you pick up a chicken on the way home?"
The spooks are good, I'll give them that. I'll assume they'll crack my messages. .
KFG
Or are you saying the government should not be able to collect evidence in criminal investigations, even with a warrant?
We are only talking about centralized networks. This is not likely to pertain to or be enforceable regarding decentralized or private networks. So if my company has a voip tunnel with another company then it all works well.
Why can't someone and his criminal buddies just set up a SIP-based VOIP channel between them and encrypt the traffic? Seems safer that way....
Or better yet-- there are areas where VOIP would be *required by law* to be encrypted, such as between doctors discussing information protected under the HIPAA act.
LedgerSMB: Open source Accounting/ERP
It's trivial to disguise who you're sending a message to on the Internet. Consider the alt.binaries.warez groups for one of the first examples... you know that X said something, but you have no idea who to. And when you can leave a message just by doing a search on a site that shows "recent searches", you don't really know that "X said something".
The Internet is full of drop boxes and cutouts and other opportunities to play well-publicised spy shenanigans. And when you consider that a rotten log in a park in Berlin was secure enough to avoid the attention of most of the East German spy apparatus for a couple of months, there's really no chance that any credible level of signals intelligence will find an even modestly competent bad guy.
The Pure Crypto Project (based on Modular Exponentiation and RSA alone)
The source code is in Python but a savvy programmer can port it to the language of their choice. For example, I recoded the 'windowed exponentiation' routine in the SDLH function in C for use in some software I wrote a while ago.
Frankly this wire tapping business has gone on long enough.
Any time a person picks up a phone to call someone, there is a subtle change in his thinking if he thinks he might be surreptitiously monitored. There are certain things you just don't say.
How is this different from meeting with someone on the street, perhaps to organize some political effort? If you think you may be overheard, it changes what you say.
(Thinking from a two hundred year old perspective,) the difference is that on the street, you can see who is listening. You know what is being said.
Secret wire taps by a third party subvert the entire process that granting the political freedom of assembly was intended to protect. If I want to speak to someone on the phone, law enforcement should be absolutely limited to compromising that other party in order to get in on the conversation. If there is a second party on the phone, I should get a little flashing light informing me that there is another listener.
I would just switch to Skype, except I have no idea how secure their encryption is either.
I wrote a really bitchy blog entry about this a while back right here, if you care.
How science works. It consists of open, institutional criticism by qualified peers. The larger the community, the more people can and will contribute criticism.
In a world where this does not exist, it will invariably lead to many bad ideas, ideas that are not abandoned. Even though you may recruit the best brains on the planet, they are still just humans, and they can't perform without this critical component of how science works.
That's why I'm pretty sure that no major breakthroughs will happen in secrecy.
Smaller breakthroughs, OTOH, can happen in secrecy. It is conceivable that Shor's algorithm will be implemented on a secret quantum computer, but only after the civil society has done most of the work. They will certainly try.
Just take a look at the most hefty project we know was done in secrecy: Manhattan Project. They had the best brains. Still it was not very fundamental science, and many of the participants got bored out of their minds. It was definitely not technology I can't fathom.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
I'm not talking about every terrorist. Some of them will be caught. They're expendable. There's more where they came from. We're not talking about army operations here where things have to happen where and when planned. We've got time. Decades if we need them.
Tell me, where's Bin Laden?
These laws have nothing to do with terrorists. That's a complete red herring. They're about pot dealers and prostitutes.
KFG
Not to say you're wrong, or that those things aren't in the Patriot Act (which I have some serious concerns about), but I read the sections you linked to, and I don't see what you're saying is in there. Could you point out sections/rules/items, where it says that the government's burden of probable cause for getting a wiretap is lowered (well, ok, it does take away some of the international terror requirements on investigations of non-citizens) or where the requirement to get a judge's signature for a wiretap is removed? I'm not saying it's not there, but I read it and I don't see that. It also seems like the gag rules on telling people about wiretaps are fairly limited in scope, too, and require someone to show a compelling reason to a judge, and provide for annual Congressional oversight of each and every gagged wiretap.
I've been a fairly vocal critic of the Patriot Act, and have a lot of major concerns about it. I'm having a hard time getting all that worked up about what I read in that link you provided, though. If everything in the Patriot Act is really that tame, I'm going to go so far as to say that my worries were mostly unfounded.
Of course, I didn't read through the link with fine scrutiny, so I will allow that I may have missed or misread something, but if I did, I'd be very interested to hear what it was.
"If English was good enough for Jesus, it's good enough for everyone else."
If you have real data to send, it gets encrypted and goes out in the next scheduled transmission. If not, you encrypt and send some worthless data (e.g. a couple pages of text from Project Gutenberg). If you have a small message it gets padded out with garbage until it's the standard size.
You could even camouflage it as spam if you want even more protection -- if you use steganography to hide your message in an image which you spam to tens of thousands of addresses, you've given your dozen intended recipients a huge dose of plausible deniability, and you've given the opposition a massive number of decoys to investigate.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
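The fixed-size, padded, cover-traffic framing described in the comment above, sketched as an added example that is not part of the original post. The 1024-byte frame size, the function names, and the SHAKE-256 keystream (a stand-in for a vetted authenticated cipher) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

FRAME_SIZE = 1024               # assumed "standard size" of every plaintext frame
NONCE_SIZE, TAG_SIZE = 16, 32
HEADER = struct.Struct(">BH")   # flag (1 = real, 0 = cover), payload length
MAX_PAYLOAD = FRAME_SIZE - HEADER.size
WIRE_SIZE = NONCE_SIZE + FRAME_SIZE + TAG_SIZE


def _subkey(key, label):
    # Separate keys for encryption and authentication.
    return hashlib.sha256(label + key).digest()


def _xor_stream(key, nonce, data):
    # SHAKE-256 keystream: illustration only, use a vetted AEAD in practice.
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, payload=None):
    """Build one wire message; payload=None produces cover traffic."""
    body = b"" if payload is None else payload
    if len(body) > MAX_PAYLOAD:
        raise ValueError("payload too large for one slot; split it across slots")
    frame = HEADER.pack(0 if payload is None else 1, len(body)) + body
    frame += os.urandom(FRAME_SIZE - len(frame))   # pad with garbage to full size
    nonce = os.urandom(NONCE_SIZE)
    ct = _xor_stream(key, nonce, frame)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, wire):
    """Return the payload of a real message, or None for cover traffic."""
    if len(wire) != WIRE_SIZE:
        raise ValueError("unexpected message size")
    nonce, ct, tag = wire[:NONCE_SIZE], wire[NONCE_SIZE:-TAG_SIZE], wire[-TAG_SIZE:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    frame = _xor_stream(key, nonce, ct)
    flag, length = HEADER.unpack(frame[:HEADER.size])
    if flag == 0:
        return None                                # cover traffic, nothing to read
    if length > MAX_PAYLOAD:
        raise ValueError("corrupt length field")
    return frame[HEADER.size:HEADER.size + length]


if __name__ == "__main__":
    key = os.urandom(32)                           # constructed sample key
    for msg in (b"short note", b"x" * 900, None):  # constructed sample inputs
        wire = seal(key, msg)
        print(len(wire), unseal(key, wire) == msg)
```

Every output is the same length whether it carries a short message, a long one, or nothing, so message size reveals nothing to an observer; sending on a fixed schedule is what hides the timing.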
Why is the abbreviation for Swiss ch? The ISO currency symbol for Swiss Francs is CHF as well, am I missing something in German or something?
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
However, some of the "laundry lists" were actually coded messages
Uh, this still happens... but without the silliness of disguising it as laundry (which never fooled anyone). International spymasters run numbers stations, which just read out random-like numbers continually. Most of the numbers are random, but at certain pre-arranged times a spy will listen to the station and copy down his coded instructions.
Civilians can only speculate how often an actual message goes through, and how much is just chaff keeping the station busy.
Two problems with this...
Firstly, the FCC, a self-appointed, non-elected staff brought this into law.
Second, it was put up by the US Justice Department. The US Justice Department does NOT have the power to CREATE laws! It is the legislature's job to create laws. This completely offsets the balance of power and checks and balances.
Whoever thinks that they are going to wiretap all VoIP networks at the FBI is living in dreamland. Let's take a brief look at a quick VoIP system that I'm going to design. I'll even publish the source code, right here on Slashdot. It will take me a few seconds to write:
# smallvoip.sh
# VoIP software capable of bypassing FBI wiretap regulations.
# Warning: use or possession of this software may be a federal crime in the United States of America. Download this software at your own risk.
# Copyright 2004, 0x0d0a, released under the GPL
# Usage: smallvoip remote-username remote-ip-address
# You must have a shell account on the remote machine.
# Run on each of the two machines involved in the call.
# Duplex audio support required.
# TODO: pass through lame or oggenc for better bandwidth usage. This will make the second line slightly longer.
# LIMITATIONS: only one user per host at once
# I recommend setting up public-key ssh authentication with this software.
nc -l -p 7001 >/dev/dsp &
ssh -R 7000:`hostname`:7001 $1@$2 "cat /dev/dsp|nc localhost 7000"
Hmm. My high-security, encrypted Internet phone doing VoIP.
Now, I have to ask the people in charge of Homeland Security: do you really, truly, honestly think that you have *any* hope of keeping anyone from writing such a two-line program? Any *IX user with a bit of experience could write this piece of software. In addition, the fact that it contains voice data is completely undetectable to the outside world, so there is no practical way to "catch" someone using such a system.
It is true that this is a very simple program, but it can also be very easily extended into a full-blown encrypted voice communication program, without the minor limitations here that make this annoying for day-to-day use. In addition, there are a vast number of extant Internet systems for communicating that cannot be wiretapped by the FBI -- PGP/GPG contains no back doors to allow wiretapping of email communications. Frost (on the Freenet platform) can disguise the very fact that an association exists between two users. These systems are rarely used, but they are also not hard to deploy, and if the FBI insists on forcing conventional voice communication to be breakable, there is little incentive not to use systems such as the one that I have demonstrated here.
May we never see th
They can sniff all the packets they want. Have fun breaking my 4096-bit AES key that I encrypted them with, though. And if that's illegal, then I'll resort to steganography. If they don't know I'm making phone calls then they can't tap them... right?
(If you're not aware of what steganography is, take a look on google.)
My other car is first.
I don't understand how this is enforceable - VoIP is an end-to-end system - no middlemen are needed. How are they going to stop me doing VoIP over an IPSEC connection?
http://blog.nexusuk.org
VOIP services such as Jeff Pulver's Free World Dialup operate as a peer to peer connection. The server is only there to establish the connection. It should be easy enough to encrypt the end points.
I personally use FWD to circumvent local toll charges from the money grubbing phone companies for calls made to a friend across town just outside of the local calling area.
Perhaps I'm paranoid, but I don't need Home World Security, the FBI, or anybody else having the ability to monitor my VOIP calls. I'm also disturbed by the extensive key stroke logging that takes place at FWD. Every call that I initiate or receive whether or not completed gets logged. I had thought of circumventing the logging by simply running my own server, in effect establishing my own private network.
As far as making communications secure, I can do this now through an encrypted VPN connection. If VOIP wire tapping actually materializes, new secure protocols (VOIPs://, or PGP for VOIP) will surely rise to meet this challenge.